// API callback
related_results_labels_thumbs({"version":"1.0","encoding":"UTF-8","feed":{"xmlns":"http://www.w3.org/2005/Atom","xmlns$openSearch":"http://a9.com/-/spec/opensearchrss/1.0/","xmlns$blogger":"http://schemas.google.com/blogger/2008","xmlns$georss":"http://www.georss.org/georss","xmlns$gd":"http://schemas.google.com/g/2005","xmlns$thr":"http://purl.org/syndication/thread/1.0","id":{"$t":"tag:blogger.com,1999:blog-8539880144347728238"},"updated":{"$t":"2025-01-05T17:25:28.521-05:00"},"category":[{"term":"Pentesting"},{"term":"Metasploit"},{"term":"cktricky"},{"term":"hacking"},{"term":"Book Reviews"},{"term":"Security Conferences"},{"term":"news"},{"term":"devoops"},{"term":"Chris Gates"},{"term":"client side attacks"},{"term":"devops"},{"term":"rant"},{"term":"web application testing"},{"term":"oracle"},{"term":"low2pwned"},{"term":"information Gathering"},{"term":"pwnage"},{"term":"auxiliary modules"},{"term":"carnal0wnage"},{"term":"cloud"},{"term":"enumeration"},{"term":"EthicalHacker.net"},{"term":"Learn Security Online"},{"term":"chicagocon"},{"term":"Kubernetes"},{"term":"Wireless"},{"term":"day in the life"},{"term":"jenkins"},{"term":"Maltego"},{"term":"certification"},{"term":"meterpreter"},{"term":"mimikatz"},{"term":"pass the hash"},{"term":"phishing"},{"term":"politics"},{"term":"Security"},{"term":"malware"},{"term":"password cracking"},{"term":"post-exploitation"},{"term":"powershell"},{"term":"Incident Response"},{"term":"android"},{"term":"automation"},{"term":"blackhat DC"},{"term":"exploits"},{"term":"linux"},{"term":"press"},{"term":"privacy"},{"term":"token impersonation"},{"term":"toorcon"},{"term":"SQL  Injection"},{"term":"incognito"},{"term":"mubix"},{"term":"scanning"},{"term":"shmoocon 09"},{"term":"webcasts"},{"term":"wrap-up"},{"term":"DNS"},{"term":"HackerDefender"},{"term":"Security Metrics"},{"term":"VNC"},{"term":"aircrack-ng"},{"term":"chris nickerson"},{"term":"fail"},{"term":"mike 
murray"},{"term":"nmap"},{"term":"rootkit"},{"term":"shmoocon 08"},{"term":"shotgun posts"},{"term":"token kidnaping"},{"term":"Crash Course in Penetration Testing"},{"term":"Full Scope Security"},{"term":"IPv6"},{"term":"Paterva"},{"term":"Physical Security"},{"term":"Research"},{"term":"SOURCE Boston 2009"},{"term":"Scapy"},{"term":"antivirus"},{"term":"coldfusion"},{"term":"hack tools"},{"term":"hakin9"},{"term":"http options"},{"term":"identity theft"},{"term":"interviews"},{"term":"jboss"},{"term":"karma"},{"term":"nessus"},{"term":"passthehash toolkit"},{"term":"podcasts"},{"term":"privacy is dead"},{"term":"rpcclient"},{"term":"snmp"},{"term":"social engineering"},{"term":"ubuntu"},{"term":"webdav"},{"term":"AttackResearch"},{"term":"Botnets"},{"term":"Dan Hoffman"},{"term":"GoogleAds"},{"term":"Joe McCray"},{"term":"MAME"},{"term":"NTP"},{"term":"Network Mapping"},{"term":"OMG Python"},{"term":"Packet Analysis"},{"term":"Programming"},{"term":"RetroPie"},{"term":"SCADA"},{"term":"Security Data Visualization"},{"term":"Traceroute"},{"term":"Traceroute Visulization"},{"term":"airodump-ng"},{"term":"attack analysis"},{"term":"aws"},{"term":"backtrack2"},{"term":"backtrack3"},{"term":"blue teaming"},{"term":"cadaver"},{"term":"citrix hacking"},{"term":"conspiracy"},{"term":"coolest Dad ever"},{"term":"defcon"},{"term":"defense"},{"term":"digging into the chewy center"},{"term":"elasticsearch"},{"term":"emulators"},{"term":"foursquare"},{"term":"ike-scan"},{"term":"install your own linux distro"},{"term":"java"},{"term":"javascript"},{"term":"jeremiah grossman"},{"term":"john the ripper"},{"term":"kanoOS kano computers"},{"term":"karmasploit"},{"term":"karmetasploit"},{"term":"lotus domino"},{"term":"mentoring"},{"term":"mssql"},{"term":"mssql_login"},{"term":"mssql_ping"},{"term":"msvctl"},{"term":"null-session"},{"term":"paranoia"},{"term":"privilege escalation"},{"term":"purple teaming"},{"term":"raspberry pi"},{"term":"risk 
management"},{"term":"ruby"},{"term":"scripting"},{"term":"sensepost"},{"term":"sqlmap"},{"term":"ssl"},{"term":"stupid users"},{"term":"tempest"},{"term":"twitter"},{"term":"windows vista"},{"term":"8570.1"},{"term":"AFP"},{"term":"DNS Fingerprinting"},{"term":"DNS exploit"},{"term":"Dr-crack"},{"term":"EFF NSA Shirt"},{"term":"Endpoint Security"},{"term":"Fabric"},{"term":"Fresh New Look"},{"term":"Full Scope Testing"},{"term":"Fuzzing: Brute Force Vulnerability Discovery"},{"term":"GCP"},{"term":"Geek Mafia"},{"term":"HE Windows"},{"term":"HR Geeks"},{"term":"Hacking Exposed Windows"},{"term":"IE7 Exploit"},{"term":"Information Security Day"},{"term":"Joe Klein"},{"term":"Johnny Long"},{"term":"LG voyager"},{"term":"MAC addresses"},{"term":"Mail"},{"term":"Metasploit Pro"},{"term":"No Place To Hide"},{"term":"No Tech Hacking"},{"term":"NoVA Sec"},{"term":"P2P"},{"term":"Programming Book Review Criteria"},{"term":"QEMU"},{"term":"SOURCE Boston 2008"},{"term":"The Art of Software Security Testing"},{"term":"The Craft of System Security"},{"term":"Traceroute Aggregation"},{"term":"Val Smith"},{"term":"WTF"},{"term":"XSS"},{"term":"amplification attacks"},{"term":"apple filing protocol"},{"term":"brute forcing"},{"term":"bugbounty"},{"term":"burp suite"},{"term":"bypassuac"},{"term":"chef"},{"term":"cisco"},{"term":"cisco asa"},{"term":"conti"},{"term":"cve"},{"term":"databases"},{"term":"deauth attack"},{"term":"defeating AV"},{"term":"dhcp script injection"},{"term":"digital signatures"},{"term":"dll"},{"term":"docker"},{"term":"domo kun video"},{"term":"ec2"},{"term":"education"},{"term":"eeepc"},{"term":"enum4linux"},{"term":"espionage"},{"term":"excel macro"},{"term":"exotic liability"},{"term":"exploit dev course"},{"term":"fckeditor"},{"term":"file format"},{"term":"firewire"},{"term":"forenics"},{"term":"full disclosure"},{"term":"github"},{"term":"google dorks"},{"term":"gsecdump"},{"term":"hack 
minecraft"},{"term":"hadoop"},{"term":"hijacking"},{"term":"http-dir-enum"},{"term":"ida pro"},{"term":"impacket"},{"term":"infosecwriters.com"},{"term":"irc"},{"term":"java decompile"},{"term":"kerberos"},{"term":"kickstart files"},{"term":"kismet"},{"term":"layer2"},{"term":"lft"},{"term":"life"},{"term":"linkedin"},{"term":"local root"},{"term":"local to domain account"},{"term":"metacab"},{"term":"metagoofil"},{"term":"motorola xoom root"},{"term":"mwr InfoSecurity"},{"term":"ncrack"},{"term":"netapp"},{"term":"non-english"},{"term":"notes"},{"term":"null sa"},{"term":"offtopic"},{"term":"opinion"},{"term":"osx"},{"term":"password filters"},{"term":"pentoo"},{"term":"persistence"},{"term":"pidgin"},{"term":"portqry"},{"term":"printer hacking"},{"term":"procdump"},{"term":"process injection"},{"term":"proxychains"},{"term":"puttyhijack"},{"term":"pwn plug elite"},{"term":"quotes"},{"term":"rainbow tables"},{"term":"reDuh"},{"term":"red team"},{"term":"red teaming"},{"term":"redis"},{"term":"resource scripts"},{"term":"rfid"},{"term":"richard bejtlich"},{"term":"roomwizard"},{"term":"scams"},{"term":"scp"},{"term":"sensitive data leakage"},{"term":"server-status"},{"term":"sharepoint"},{"term":"shmoocon 15"},{"term":"silc"},{"term":"slicehost"},{"term":"smbshell"},{"term":"sqid"},{"term":"sqlite3"},{"term":"sticky keys"},{"term":"sticky ports"},{"term":"sunday comics"},{"term":"swfscan"},{"term":"talks"},{"term":"thin client hacking"},{"term":"timestomp"},{"term":"tnscmd"},{"term":"tsa"},{"term":"unicornscan"},{"term":"upload.asp"},{"term":"usernames"},{"term":"vagrant"},{"term":"volatility"},{"term":"volreg"},{"term":"vulnerability"},{"term":"w3af"},{"term":"webgoat"},{"term":"webshells"},{"term":"weridAAL"},{"term":"wmap"},{"term":"wmic"},{"term":"wordpress"},{"term":"xml"},{"term":"yersinia"},{"term":"youtube"},{"term":"zone transfers"}],"title":{"type":"text","$t":"Carnal0wnage 
Blog"},"subtitle":{"type":"html","$t":""},"link":[{"rel":"http://schemas.google.com/g/2005#feed","type":"application/atom+xml","href":"https:\/\/blog.carnal0wnage.com\/feeds\/posts\/default"},{"rel":"self","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/-\/low2pwned?alt=json-in-script\u0026max-results=6"},{"rel":"alternate","type":"text/html","href":"https:\/\/blog.carnal0wnage.com\/search\/label\/low2pwned"},{"rel":"hub","href":"http://pubsubhubbub.appspot.com/"},{"rel":"next","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/-\/low2pwned\/-\/low2pwned?alt=json-in-script\u0026start-index=7\u0026max-results=6"}],"author":[{"name":{"$t":"Unknown"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"generator":{"version":"7.00","uri":"http://www.blogger.com","$t":"Blogger"},"openSearch$totalResults":{"$t":"14"},"openSearch$startIndex":{"$t":"1"},"openSearch$itemsPerPage":{"$t":"6"},"entry":[{"id":{"$t":"tag:blogger.com,1999:blog-8539880144347728238.post-2999055163633250558"},"published":{"$t":"2012-10-22T09:00:00.000-04:00"},"updated":{"$t":"2012-10-22T09:00:12.982-04:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"low2pwned"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Pentesting"}],"title":{"type":"text","$t":".git you some with DVCS-Pillage"},"content":{"type":"html","$t":"Ron over at SkullSecurity put out a post on \u0026nbsp;\u003Ca href=\"http:\/\/www.skullsecurity.org\/blog\/2012\/using-git-clone-to-get-pwn3d\" rel=\"bookmark\" title=\"Permanent Link to Using \u0026quot;Git Clone\u0026quot; to get Pwn3D\"\u003EUsing \"Git Clone\" to get Pwn3D\u003C\/a\u003E\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nWorth a read if you havent. 
\u0026nbsp;Unfortunately\u0026nbsp;the key to his post relied on wget and directory listings making it possible to download everything in the \/.git\/* folders.\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nunfortunately(?) I dont run into this too often. What i do see is the presence of the \/.git\/ folder sometimes the config or index files it there but certainly no way to know what's in the object folders (where the good stuff lives)[or so i thought].\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nSo i posed the following to twitter\u003C!--3--\u003E\u003C!--3--\u003E\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjiX153UTGGHuNfaQQvz_YJOlp5k-J980qK1TVRCrp6pQe2zzv6qqk5fQZKxGIcs8w75Deti4awP5rcVbfwDJj0YMDfn-0mRhkJgTPyePrP7QExUuFI_ZluNHMEr4ZHYsVlNI6M9MK0tRE\/s1600\/twit-git1.PNG\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" height=\"60\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjiX153UTGGHuNfaQQvz_YJOlp5k-J980qK1TVRCrp6pQe2zzv6qqk5fQZKxGIcs8w75Deti4awP5rcVbfwDJj0YMDfn-0mRhkJgTPyePrP7QExUuFI_ZluNHMEr4ZHYsVlNI6M9MK0tRE\/s320\/twit-git1.PNG\" width=\"320\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: left;\"\u003E\nto which i got two great replies.\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEizjnrtQZt_rVNYNhWyiwtDA3VhfwHZTiXELRDLlodFrVDxG5Lc74qlNPAjZCSvsOlMgRDaxdetefXarjKJpGER6hIaSh3ltK5hgCqugRBrwLX5ef7kujGaHTnjcC0QHcnWya71vkeP6fs\/s1600\/twit-git2.PNG\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" height=\"63\" 
src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEizjnrtQZt_rVNYNhWyiwtDA3VhfwHZTiXELRDLlodFrVDxG5Lc74qlNPAjZCSvsOlMgRDaxdetefXarjKJpGER6hIaSh3ltK5hgCqugRBrwLX5ef7kujGaHTnjcC0QHcnWya71vkeP6fs\/s320\/twit-git2.PNG\" width=\"320\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhbkOPfUgiFcE8kihRibp4MQ8Kip4XCNbomWC6uYYvIGNQG8Da4v0xqtOQ5cdcvWs01ujO-e6cnuBOZRjU5R9bYdg2evne0Neua33GMQ5o4_NHzOntnD683ak0S6fa3Z9CVTf8Hv80qpdY\/s1600\/twit-git3.PNG\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" height=\"54\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhbkOPfUgiFcE8kihRibp4MQ8Kip4XCNbomWC6uYYvIGNQG8Da4v0xqtOQ5cdcvWs01ujO-e6cnuBOZRjU5R9bYdg2evne0Neua33GMQ5o4_NHzOntnD683ak0S6fa3Z9CVTf8Hv80qpdY\/s320\/twit-git3.PNG\" width=\"320\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: left;\"\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\nThe first one pointed me to:\u003Cbr \/\u003E\n\u003Ca href=\"https:\/\/github.com\/evilpacket\/DVCS-Pillage\"\u003Ehttps:\/\/github.com\/evilpacket\/DVCS-Pillage\u003C\/a\u003E\u003Cbr \/\u003E\n(thanks Kos)\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nand the second was a shortcut to using the tool by the author (thanks Adam)\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nDVCS is pretty handy. \u0026nbsp;With it you can pillage\u0026nbsp;accessible\u0026nbsp;GIT, GS and BZR repos. \u0026nbsp;Similar\u0026nbsp;functionality\u0026nbsp;for svn already exists in \u003Ca href=\"http:\/\/www.metasploit.com\/modules\/auxiliary\/scanner\/http\/svn_scanner\" target=\"_blank\"\u003Emetasploit\u0026nbsp;\u003C\/a\u003E\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nDoes it work? 
\u0026nbsp;yes mostly...an example:\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Ccode\u003E\nuser@ubuntu:~\/pentest\/DVCS-Pillage$ .\/gitpillage.sh www.site.com\/.git\/\u003C\/code\u003E\u003Cbr \/\u003E\n\u003Ccode\u003EInitialized empty Git repository in \/home\/user\/pentest\/DVCS-Pillage\/www.site.com\/.git\/\u003Cbr \/\u003E\nGetting refs\/heads\/master\u003Cbr \/\u003E\nGetting objects\/ef\/72174d7a5d893XXXXXXXXXXXXXXXXXXXX\u003Cbr \/\u003E\nGetting index\u003Cbr \/\u003E\nGetting .gitignore\u003Cbr \/\u003E\ncurl: (22) The requested URL returned error: 404\u003Cbr \/\u003E\nAbout to make 245 requests to www.site.com; This could take a while\u003Cbr \/\u003E\nDo you want to continue? (y\/n)y\u003Cbr \/\u003E\nGetting objects\/01\/f0d130adf04d66XXXXXXXXXXXXXXXX9e4ddb41\u003Cbr \/\u003E\nGetting objects\/49\/403ecc2d8a343da9XXXXXXXXXXXXXXX3f094d9\u003Cbr \/\u003E\nGetting objects\/d3\/1195ab0e695f8b89XXXXXXXXXXXXXXXXXa3af5\u003Cbr \/\u003E\nGetting objects\/f9\/b926f07XXXXXXXXXXXXXXXXXXXX567cf438c6a\u003Cbr \/\u003E\nGetting objects\/57\/78a12e2edebXXXXXXXXXXXXXXXXXXX3f3a0e8d\u003Cbr \/\u003E\n---snip---\u003Cbr \/\u003E\ntrying to checkout files\u003Cbr \/\u003E\nerror: git checkout-index: unable to read sha1 file of wp-register.php (caad4f2b21c37bXXXXXXXXXXXXXXX81c7949ec4f74e)\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n#### Potentially Interesting Files ####\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nwp-admin\/export.php - [CHECKED OUT]\u003Cbr \/\u003E\nwp-admin\/includes\/export.php - [CHECKED OUT]\u003Cbr \/\u003E\nwp-admin\/setup-config.php - [CHECKED OUT]\u003Cbr \/\u003E\nwp-config-sample.php - [CHECKED OUT]\u003Cbr \/\u003E\nwp-config.php - [CHECKED OUT]\u003Cbr \/\u003E\nwp-settings.php - [CHECKED OUT]\u003Cbr \/\u003E\n\u003C\/code\u003E\u003C!--3--\u003E\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nanything useful in there?\n\n\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Ccode\u003E\nuser@ubuntu:~\/pentest\/DVCS-Pillage\/www.site.com$ 
more wp-config.php\u003Cbr \/\u003E\n\/**\u003Cbr \/\u003E\n\u0026nbsp;* The base configurations of the WordPress.\u003Cbr \/\u003E\n\u0026nbsp;*\u003Cbr \/\u003E\n\u0026nbsp;* This file has the following configurations: MySQL settings, Table Prefix,\u003Cbr \/\u003E\n\u0026nbsp;* Secret Keys, WordPress Language, and ABSPATH. You can find more information b\u003Cbr \/\u003E\ny\u003Cbr \/\u003E\n\u0026nbsp;* visiting {@link http:\/\/codex.wordpress.org\/Editing_wp-config.php Editing\u003Cbr \/\u003E\n\u0026nbsp;* wp-config.php} Codex page. You can get the MySQL settings from your web host.\u003Cbr \/\u003E\n\u0026nbsp;*\u003Cbr \/\u003E\n\u0026nbsp;* This file is used by the wp-config.php creation script during the\u003Cbr \/\u003E\n\u0026nbsp;* installation. You don't have to use the web site, you can just copy this file\u003Cbr \/\u003E\n\u0026nbsp;* to \"wp-config.php\" and fill in the values.\u003Cbr \/\u003E\n\u0026nbsp;*\u003Cbr \/\u003E\n\u0026nbsp;* @package WordPress\u003Cbr \/\u003E\n\u0026nbsp;*\/\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\/\/ ** MySQL settings - You can get this info from your web host ** \/\/\u003Cbr \/\u003E\n\/** The name of the database for WordPress *\/\u003Cbr \/\u003E\ndefine('DB_NAME', 'site_wordpress');\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\/** MySQL database username *\/\u003Cbr \/\u003E\ndefine('DB_USER', 'site_wp');\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\/** MySQL database password *\/\u003Cbr \/\u003E\ndefine('DB_PASSWORD', 'XXXXXXXX');\u003Cbr \/\u003E\n\u003C\/code\u003E\u003Cbr \/\u003E\n\u003Ccode\u003E\u003Cbr \/\u003E\u003C\/code\u003E\nanother way to turn a low to pwned :-)"},"link":[{"rel":"replies","type":"application/atom+xml","href":"https:\/\/blog.carnal0wnage.com\/feeds\/2999055163633250558\/comments\/default","title":"Post Comments"},{"rel":"replies","type":"text/html","href":"https:\/\/www.blogger.com\/comment\/fullpage\/post\/8539880144347728238\/2999055163633250558","title":"3 
Comments"},{"rel":"edit","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/2999055163633250558"},{"rel":"self","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/2999055163633250558"},{"rel":"alternate","type":"text/html","href":"https:\/\/blog.carnal0wnage.com\/2012\/10\/git-you-some-with-dvcs-pillage.html","title":".git you some with DVCS-Pillage"}],"author":[{"name":{"$t":"Unknown"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjiX153UTGGHuNfaQQvz_YJOlp5k-J980qK1TVRCrp6pQe2zzv6qqk5fQZKxGIcs8w75Deti4awP5rcVbfwDJj0YMDfn-0mRhkJgTPyePrP7QExUuFI_ZluNHMEr4ZHYsVlNI6M9MK0tRE\/s72-c\/twit-git1.PNG","height":"72","width":"72"},"thr$total":{"$t":"3"}},{"id":{"$t":"tag:blogger.com,1999:blog-8539880144347728238.post-3341514091030616196"},"published":{"$t":"2012-05-29T08:30:00.000-04:00"},"updated":{"$t":"2012-06-05T11:10:37.032-04:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"low2pwned"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Pentesting"},{"scheme":"http://www.blogger.com/atom/ns#","term":"web application testing"}],"title":{"type":"text","$t":"From LOW to PWNED [12] Trace.axd"},"content":{"type":"html","$t":"Post [12] Trace.axd\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\"Trace.axd is an Http Handler for .Net \u0026nbsp;that can be used to view the trace details for an application. This file resides in the application’s root directory. 
A request to this file through a browser displays the trace log of the last n requests in time-order, where n is an integer determined by the value set by requestLimit=”[n]” in the application’s configuration file.\"\u003Cbr \/\u003E\n\u003Ca href=\"http:\/\/www.ucertify.com\/article\/what-is-traceaxd.html\"\u003Ehttp:\/\/www.ucertify.com\/article\/what-is-traceaxd.html\u003C\/a\u003E\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nIt is a separate file to store tracing messages. If you have pageOutput set to true, your webpage will acquire a large table at the bottom. That will list lots of information—the trace information. trace.axd allows you to see traces on a separate page, which is always named trace.axd.\u003Cbr \/\u003E\n\u003Ca href=\"http:\/\/www.dotnetperls.com\/trace\"\u003Ehttp:\/\/www.dotnetperls.com\/trace\u003C\/a\u003E\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nLOW? Actually a Medium.\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEig07pxw0lxgKgWQ0Lda6KKflC7KPWXglpDIW7W0qNBDLk9-tVUhOChS-06o5igIVRZ6FPQLT9mLgQlbNY_lNGg1uSxDU03eLpYMSZkG3c7hyphenhypheneEhskagq2uo6NEn7bKqys9vRNtxIeu0wE\/s1600\/trace-axd-16.PNG\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" height=\"32\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEig07pxw0lxgKgWQ0Lda6KKflC7KPWXglpDIW7W0qNBDLk9-tVUhOChS-06o5igIVRZ6FPQLT9mLgQlbNY_lNGg1uSxDU03eLpYMSZkG3c7hyphenhypheneEhskagq2uo6NEn7bKqys9vRNtxIeu0wE\/s400\/trace-axd-16.PNG\" width=\"400\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca 
href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEij9BiamSZZV5W9EGc1q3LSFAcrfUeKKTeAvAuxz29JBD-qhwbkjLWR729NhaKPbth7E0eie0zUoUxD8J-Yi5kHpD2LIcDHwRxvoSuHudkyeUhwhwaTZqW3rnNy6Zr9hBjUzwTJvLWQnWU\/s1600\/nessus-traceaxd-screenie.PNG\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" height=\"319\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEij9BiamSZZV5W9EGc1q3LSFAcrfUeKKTeAvAuxz29JBD-qhwbkjLWR729NhaKPbth7E0eie0zUoUxD8J-Yi5kHpD2LIcDHwRxvoSuHudkyeUhwhwaTZqW3rnNy6Zr9hBjUzwTJvLWQnWU\/s320\/nessus-traceaxd-screenie.PNG\" width=\"320\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cbr \/\u003E\nWhat can I do with it?\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Cul\u003E\n\u003Cli\u003ERead ALL variables and data from HTTP requests\u003C\/li\u003E\n\u003Cli\u003EPOST requests rock! ?\u003C\/li\u003E\n\u003C\/ul\u003E\n\u003Cbr \/\u003E\nDiscovery?\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Cul\u003E\n\u003Cli\u003EMetasploit\u003C\/li\u003E\n\u003Cli\u003EVuln Scanners\u003C\/li\u003E\n\u003C\/ul\u003E\n\u003Cdiv\u003E\nMetasploit\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhJnTeoe9Z8ZqevytSuGdYRlVyluKrrPYVxlPkVn5FHXbIitkqNogk-dqHN47LDImKPUYHIPedftDvAqPKVI3netiQAtvAC4hwGnETBN86ral-aJFB15jglMDwYdd9wCsvJyeieGq8iJ34\/s1600\/msf-trace-sani.PNG\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" height=\"130\" 
src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhJnTeoe9Z8ZqevytSuGdYRlVyluKrrPYVxlPkVn5FHXbIitkqNogk-dqHN47LDImKPUYHIPedftDvAqPKVI3netiQAtvAC4hwGnETBN86ral-aJFB15jglMDwYdd9wCsvJyeieGq8iJ34\/s400\/msf-trace-sani.PNG\" width=\"400\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv\u003E\nExample\u003C\/div\u003E\n\u003Cdiv\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhOzYdFsXdBtkAcbfRFYI6etzaBBLGJdQ_08X4fhKJsyR5y2Ts-5pm_XCLHSr2i0Qom9lR7G2stwMrk5IN3R0YzKH64_a0PE6WPYPYxi-IVl-uGsKrUNhPQ-4UbbFHyGRiViFRLfZQMDfU\/s1600\/trace-example1-sani.PNG\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" height=\"146\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhOzYdFsXdBtkAcbfRFYI6etzaBBLGJdQ_08X4fhKJsyR5y2Ts-5pm_XCLHSr2i0Qom9lR7G2stwMrk5IN3R0YzKH64_a0PE6WPYPYxi-IVl-uGsKrUNhPQ-4UbbFHyGRiViFRLfZQMDfU\/s400\/trace-example1-sani.PNG\" width=\"400\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\nMain trace.axd page\u003C\/div\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiE6-nSYKdvCwzs6kz4Aaw1VdyD_ua4MpmNYX4-kPeVWqFFBXl0FhxZq49AVR6XOsrlf3qglKBTg_Fv-8BxNLpTnJd51_k3cxuiHjCIHvhMFPWTkUA9Q9WZTjndekaFnD0pKE43T0Tcp6I\/s1600\/trace-example2-sani.PNG\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" height=\"252\" 
src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiE6-nSYKdvCwzs6kz4Aaw1VdyD_ua4MpmNYX4-kPeVWqFFBXl0FhxZq49AVR6XOsrlf3qglKBTg_Fv-8BxNLpTnJd51_k3cxuiHjCIHvhMFPWTkUA9Q9WZTjndekaFnD0pKE43T0Tcp6I\/s400\/trace-example2-sani.PNG\" width=\"400\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\nViewing a request\u003C\/div\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj2MCXTuhSwgNUZFqZj07UsN9KP0G2z_ngS4ehy7sreEtgkdqUHdB99oeCeg_m5SpUtJ76qDDUch4wAmXiWAY5CbeY8yluNCba9j2Hmg7i6Z_ZrLkceiXjtp7DOAF6nur21ylDPBY6td9k\/s1600\/trace-example3-sani.PNG\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" height=\"72\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj2MCXTuhSwgNUZFqZj07UsN9KP0G2z_ngS4ehy7sreEtgkdqUHdB99oeCeg_m5SpUtJ76qDDUch4wAmXiWAY5CbeY8yluNCba9j2Hmg7i6Z_ZrLkceiXjtp7DOAF6nur21ylDPBY6td9k\/s400\/trace-example3-sani.PNG\" width=\"400\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\nPost request with creds\u003C\/div\u003E\n\u003Cdiv\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv\u003E\n-CG\u003C\/div\u003E\n\u003Cbr \/\u003E\n\u003Cbr \/\u003E"},"link":[{"rel":"replies","type":"application/atom+xml","href":"https:\/\/blog.carnal0wnage.com\/feeds\/3341514091030616196\/comments\/default","title":"Post Comments"},{"rel":"replies","type":"text/html","href":"https:\/\/www.blogger.com\/comment\/fullpage\/post\/8539880144347728238\/3341514091030616196","title":"0 
Comments"},{"rel":"edit","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/3341514091030616196"},{"rel":"self","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/3341514091030616196"},{"rel":"alternate","type":"text/html","href":"https:\/\/blog.carnal0wnage.com\/2012\/05\/from-low-to-pwned-12-traceaxd.html","title":"From LOW to PWNED [12] Trace.axd"}],"author":[{"name":{"$t":"Unknown"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEig07pxw0lxgKgWQ0Lda6KKflC7KPWXglpDIW7W0qNBDLk9-tVUhOChS-06o5igIVRZ6FPQLT9mLgQlbNY_lNGg1uSxDU03eLpYMSZkG3c7hyphenhypheneEhskagq2uo6NEn7bKqys9vRNtxIeu0wE\/s72-c\/trace-axd-16.PNG","height":"72","width":"72"},"thr$total":{"$t":"0"}},{"id":{"$t":"tag:blogger.com,1999:blog-8539880144347728238.post-7987604730973865241"},"published":{"$t":"2012-05-25T08:00:00.000-04:00"},"updated":{"$t":"2012-06-05T11:10:53.080-04:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"low2pwned"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Pentesting"}],"title":{"type":"text","$t":"From LOW to PWNED [11] Honorable Mention: Open NFS"},"content":{"type":"html","$t":"Post [11] Honorable Mention: Open NFS\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nOpen NFS mounts\/shares are awesome. \u0026nbsp;talk about sometimes finding \"The Goods\". \u0026nbsp;More than once an organization has been backing up everyone's home directories to an NFS share with bad permissions. \u0026nbsp;so checking to see whats shared and what you can access is important.\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nLow? 
currently an \"info\" with Nessus 5\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiaHIJEa6I1tsqJLITmFocysnuF6ulYF7OwFi4grtA3diXSf79LYlRaq-9oB5WC-RnWnNQwFQ31_JMWgGVz0TRz81umRJSHQrWlmyZtQc2gd4X36U9asYSVr_orQ3GpCiqGBHqHdVRLHVQ\/s1600\/nfs-nessus.PNG\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" height=\"211\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiaHIJEa6I1tsqJLITmFocysnuF6ulYF7OwFi4grtA3diXSf79LYlRaq-9oB5WC-RnWnNQwFQ31_JMWgGVz0TRz81umRJSHQrWlmyZtQc2gd4X36U9asYSVr_orQ3GpCiqGBHqHdVRLHVQ\/s400\/nfs-nessus.PNG\" width=\"400\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cbr \/\u003E\nAnyway, you probably want to know about finding it. You have a few options.\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nstandard portscanning (of course)\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n1. scan for port 111\/2049\u003Cbr \/\u003E\n2. do showmount -e \/ showmount -a\u003Cbr \/\u003E\n3. metasploit module\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nexample:\u003Cbr \/\u003E\n\u003Cspan style=\"font-family: 'Courier New', Courier, monospace;\"\u003Eroot@attacker]# showmount -e 192.168.0.1\u003Cbr \/\u003E\nExport list for 192.168.0.1:\u003Cbr \/\u003E\n\/export\/home\/\u0026nbsp; (everyone)\u003Cbr \/\u003E\n\/export\/mnt\/\u0026nbsp;\u0026nbsp; (everyone)\u003Cbr \/\u003E\n\/export\/share\/ (everyone)\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n3. 
look to see what's exported and who is mounting (\"everyone\" FTW)\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"p1\"\u003E\nTo mount an NFS share use the following after first creating a directory on your local machine:\u003C\/div\u003E\n\u003Cdiv class=\"p1\"\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv class=\"p1\"\u003E\n\u003Cspan style=\"font-family: 'Courier New', Courier, monospace;\"\u003E[root@attacker~]#mount -t nfs 192.168.0.1:\/export\/home \/tmp\/badperms\u003C\/span\u003E\u003C\/div\u003E\n\u003Cdiv class=\"p1\"\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv class=\"p1\"\u003E\nchange directories to \/tmp\/badperms and you should see the contents of \/export\/home on 192.168.0.1\u003C\/div\u003E\n\u003Cdiv class=\"p1\"\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv class=\"p1\"\u003E\nto abuse NFS you can check out the rest from\u0026nbsp;\u003Ca href=\"http:\/\/www.vulnerabilityassessment.co.uk\/nfs.htm\"\u003Ehttp:\/\/www.vulnerabilityassessment.co.uk\/nfs.htm\u003C\/a\u003E it talks about tricking NFS to become users. 
\u0026nbsp;I'm going to put it here in case it goes missing later:\u003C\/div\u003E\n\u003Cdiv class=\"p1\"\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv class=\"p1\"\u003E\n\u003Cblockquote class=\"tr_bq\"\u003E\n\"You ask now, how do you circumvent file \n        permissions and the use of the sticky bit, this is done with a little \n        prior planning and slight of hand to confuse the remote machine.\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nIf we have a \/export\/home\/dave \n        directory that we have gone into, we will see a number of files \n        belonging to dave, some or all of which you may be able to read.\u0026nbsp; \n        The one thing the system will give you is the owners UID on the remote \n        system after issuing an ls -al command i.e.\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n-rwxr----- 517 wheel 898 daves_secret_doc\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nThe permissions at the moment do not let \n        you do anything with the file as you are not the owner (yet) and not a \n        member of the group wheel.\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nMove away from the mount point and unmount \n        the share\u003Cbr \/\u003E\numount \/local_dir\u003Cbr \/\u003E\n\u003Cbr \/\u003E\ncreate a user called dave\u003Cbr \/\u003E\nuseradd dave\u003Cbr \/\u003E\npasswd dave\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nEdit \/etc\/passwd \n        and change the UID to 517\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nRemount the share as local root\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nGo into daves directory\u003Cbr \/\u003E\ncd dave\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nissue the command\u003Cbr \/\u003E\nsu dave\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nAs you are local root you can do this and \n        as you have an account called dave you will not need a password\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nNow the quirky stuff - As the UID for your \n        local account dave matches the username and UID of the remote, the \n        remote system now thinks your 
his dave, hey presto you can now do \n        whatever you want with daves_secret_doc.\"\u003C\/blockquote\u003E\n\u003C\/div\u003E\nNfSpy is supposed to\u0026nbsp;assist\u0026nbsp;with the above: \u003Ca href=\"https:\/\/github.com\/bonsaiviking\/NfSpy\"\u003Ehttps:\/\/github.com\/bonsaiviking\/NfSpy\u003C\/a\u003E\n\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nnmap scripts to do additional info gathering\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Ca href=\"http:\/\/nmap.org\/nsedoc\/scripts\/nfs-ls.html\" target=\"_blank\"\u003Enfs-ls\u003C\/a\u003E\u003Cbr \/\u003E\n\u003Ca href=\"http:\/\/nmap.org\/nsedoc\/scripts\/nfs-showmount.html\" target=\"_blank\"\u003Enfs-showmount\u003C\/a\u003E\u003Cbr \/\u003E\n\u003Ca href=\"http:\/\/nmap.org\/nsedoc\/scripts\/nfs-statfs.html\" target=\"_blank\"\u003Enfs-statfs\u003C\/a\u003E\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nValsmith and hdmoore gave their tactical exploitation talk at defcon 15 and talked about NFS (file services section of the\u0026nbsp;\u003Ca href=\"http:\/\/www.defcon.org\/images\/defcon-15\/dc15-presentations\/dc-15-moore_and_valsmith.pdf\" target=\"_blank\"\u003Eslides\u003C\/a\u003E)\u0026nbsp;\u003Ca href=\"http:\/\/video.google.com\/videoplay?docid=8220256903673801959\" target=\"_blank\"\u003Evideo\u003C\/a\u003E\u0026nbsp;\u0026nbsp;\u003Ca href=\"http:\/\/www.sysroot.eu\/library\/papers\/Tactical%20Exploitation.pdf\" target=\"_blank\"\u003Ewhite paper\u003C\/a\u003E\u0026nbsp;they also gave it at blackhat in a much longer format,\u0026nbsp;unfortunately\u0026nbsp;the video is broken into multiple 14 minute parts, so go\u0026nbsp;Google\u0026nbsp;for it (lazy)\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nFun Reading:\u003Cbr \/\u003E\nSwiss Cyber Storm II Case: NFS Hacking:\u0026nbsp;\u003Ca 
href=\"http:\/\/www.csnc.ch\/misc\/files\/publications\/2009_scsII_axel_neumann_NFS.pdf\"\u003Ehttp:\/\/www.csnc.ch\/misc\/files\/publications\/2009_scsII_axel_neumann_NFS.pdf\u003C\/a\u003E"},"link":[{"rel":"replies","type":"application/atom+xml","href":"https:\/\/blog.carnal0wnage.com\/feeds\/7987604730973865241\/comments\/default","title":"Post Comments"},{"rel":"replies","type":"text/html","href":"https:\/\/www.blogger.com\/comment\/fullpage\/post\/8539880144347728238\/7987604730973865241","title":"1 Comments"},{"rel":"edit","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/7987604730973865241"},{"rel":"self","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/7987604730973865241"},{"rel":"alternate","type":"text/html","href":"https:\/\/blog.carnal0wnage.com\/2012\/05\/from-low-to-pwned-11-honorable-mention.html","title":"From LOW to PWNED [11] Honorable Mention: Open NFS"}],"author":[{"name":{"$t":"Unknown"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiaHIJEa6I1tsqJLITmFocysnuF6ulYF7OwFi4grtA3diXSf79LYlRaq-9oB5WC-RnWnNQwFQ31_JMWgGVz0TRz81umRJSHQrWlmyZtQc2gd4X36U9asYSVr_orQ3GpCiqGBHqHdVRLHVQ\/s72-c\/nfs-nessus.PNG","height":"72","width":"72"},"thr$total":{"$t":"1"}},{"id":{"$t":"tag:blogger.com,1999:blog-8539880144347728238.post-2933461969464523400"},"published":{"$t":"2012-05-21T08:00:00.000-04:00"},"updated":{"$t":"2012-06-05T11:11:05.370-04:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"fckeditor"},{"scheme":"http://www.blogger.com/atom/ns#","term":"low2pwned"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Pentesting"},{"scheme":"http://www.b
logger.com/atom/ns#","term":"web application testing"}],"title":{"type":"text","$t":"From LOW to PWNED [10] Honorable Mention: FCKeditor"},"content":{"type":"html","$t":"Post [10] Honorable Mention: FCKeditor\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nFCKeditor is bundled with\u0026nbsp;seems-like\u0026nbsp;everything (ColdFusion, Drupal plugins,\u0026nbsp;WordPress\u0026nbsp;plugins, other random CMSs) and has probably been responsible for countless hacks via file upload issues.\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nExamples:\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Ca href=\"http:\/\/www.exploit-db.com\/exploits\/12697\/\"\u003Ehttp:\/\/www.exploit-db.com\/exploits\/12697\/\u003C\/a\u003E\u003Cbr \/\u003E\n\u003Ca href=\"http:\/\/www.exploit-db.com\/exploits\/15484\/\"\u003Ehttp:\/\/www.exploit-db.com\/exploits\/15484\/\u003C\/a\u003E\u003Cbr \/\u003E\n\u003Ca href=\"http:\/\/www.exploit-db.com\/exploits\/17644\/\"\u003Ehttp:\/\/www.exploit-db.com\/exploits\/17644\/\u003C\/a\u003E\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Ca href=\"http:\/\/www.exploit-db.com\/search\/?action=search\u0026amp;filter_page=1\u0026amp;filter_description=FCKeditor\u0026amp;filter_exploit_text=\u0026amp;filter_author=\u0026amp;filter_platform=0\u0026amp;filter_type=0\u0026amp;filter_lang_id=0\u0026amp;filter_port=\u0026amp;filter_osvdb=\u0026amp;filter_cve=\" target=\"_blank\"\u003EBig O'l list on Exploit-DB\u003C\/a\u003E\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Ca href=\"http:\/\/www.cvedetails.com\/vulnerability-list\/vendor_id-2724\/Fckeditor.html\" target=\"_blank\"\u003ECVEdetails\u003C\/a\u003E on FCKeditor. 
\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nLOW?\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nActually most FCKeditors checks in Nessus I found were either Medium or High (hence honorable mention and not in the talk).\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEigClN62MxJmfOPSPps8M6ueBqNe8ogrrF4cEPw5NDNcFzkSUfm-19KXh1RQmlLIv6JgTURT8jSf-8EmEYouySsrilO73MWvwSvP9uoGv9wcYHRO9vFx19G9hq8Nwwru2NUsnXbXBuGRhE\/s1600\/fckeditor-blog1-nessus.PNG\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" height=\"320\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEigClN62MxJmfOPSPps8M6ueBqNe8ogrrF4cEPw5NDNcFzkSUfm-19KXh1RQmlLIv6JgTURT8jSf-8EmEYouySsrilO73MWvwSvP9uoGv9wcYHRO9vFx19G9hq8Nwwru2NUsnXbXBuGRhE\/s320\/fckeditor-blog1-nessus.PNG\" width=\"264\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhhs-ZfYz1hKSLa4GACBvgmXG30G5-5Qv-dKCUdjj2rqx6qo8DFqbl62qmGYpfiIogWdi_7-P45Y-_D9NsAoWBG9pnl0reSpEUfCE5xfGNgu_7MeWV_ECPpCJmntzMuTqPf24FEPEwORQw\/s1600\/fckeditor-blog2-nessus.PNG\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" height=\"320\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhhs-ZfYz1hKSLa4GACBvgmXG30G5-5Qv-dKCUdjj2rqx6qo8DFqbl62qmGYpfiIogWdi_7-P45Y-_D9NsAoWBG9pnl0reSpEUfCE5xfGNgu_7MeWV_ECPpCJmntzMuTqPf24FEPEwORQw\/s320\/fckeditor-blog2-nessus.PNG\" width=\"241\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nThere is a good write-up of a classic case of FCKEditor abuse here:\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Ca 
href=\"http:\/\/secureyes.net\/nw\/assets\/File-Upload-Vulnerability-in-FCKEditor.pdf\"\u003Ehttp:\/\/secureyes.net\/nw\/assets\/File-Upload-Vulnerability-in-FCKEditor.pdf\u003C\/a\u003E\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nGoogle Dorks\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Cbr \/\u003E\ninurl:\/editor\/filemanager\/browser\/default\/connectors\/[LANGUAGE]\/connector.php\u003Cbr \/\u003E\n\u003Cbr \/\u003E"},"link":[{"rel":"replies","type":"application/atom+xml","href":"https:\/\/blog.carnal0wnage.com\/feeds\/2933461969464523400\/comments\/default","title":"Post Comments"},{"rel":"replies","type":"text/html","href":"https:\/\/www.blogger.com\/comment\/fullpage\/post\/8539880144347728238\/2933461969464523400","title":"0 Comments"},{"rel":"edit","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/2933461969464523400"},{"rel":"self","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/2933461969464523400"},{"rel":"alternate","type":"text/html","href":"https:\/\/blog.carnal0wnage.com\/2012\/05\/from-low-to-pwned-10-honorable-mention.html","title":"From LOW to PWNED [10] Honorable Mention: 
FCKeditor"}],"author":[{"name":{"$t":"Unknown"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEigClN62MxJmfOPSPps8M6ueBqNe8ogrrF4cEPw5NDNcFzkSUfm-19KXh1RQmlLIv6JgTURT8jSf-8EmEYouySsrilO73MWvwSvP9uoGv9wcYHRO9vFx19G9hq8Nwwru2NUsnXbXBuGRhE\/s72-c\/fckeditor-blog1-nessus.PNG","height":"72","width":"72"},"thr$total":{"$t":"0"}},{"id":{"$t":"tag:blogger.com,1999:blog-8539880144347728238.post-4336904076886945787"},"published":{"$t":"2012-05-18T08:00:00.001-04:00"},"updated":{"$t":"2012-06-05T11:11:19.346-04:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"AFP"},{"scheme":"http://www.blogger.com/atom/ns#","term":"apple filing protocol"},{"scheme":"http://www.blogger.com/atom/ns#","term":"low2pwned"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Pentesting"}],"title":{"type":"text","$t":"From LOW to PWNED [9] Apple Filing Protocol (AFP)"},"content":{"type":"html","$t":"Post [9] Apple Filing Protocol (AFP)\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Cblockquote class=\"tr_bq\"\u003E\nThe Apple Filing Protocol (AFP) is a network protocol that offers file services for Mac OS X and original Mac OS. 
In Mac OS X, AFP is one of several file services supported including Server Message Block (SMB), Network File System (NFS), File Transfer Protocol (FTP), and WebDAV.\u003C\/blockquote\u003E\n\u003Ca href=\"http:\/\/en.wikipedia.org\/wiki\/Apple_Filing_Protocol\"\u003Ehttp:\/\/en.wikipedia.org\/wiki\/Apple_Filing_Protocol\u003C\/a\u003E\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nLives on TCP port 548\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nLOW?\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgdbptd0omPFjWj_hBs2itupp4XIyJu7NlMuTpoFO1Ui4YZGLHCQ4_UVvMQPPnUhP2xqxjlfOBw_96qaD1LxflVyKMgb74hRDJ3oxMiZL4nk02tc-g98qYiUEJmBcWfA0g-H8s2XUJQfVc\/s1600\/afp-blog1.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" height=\"68\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgdbptd0omPFjWj_hBs2itupp4XIyJu7NlMuTpoFO1Ui4YZGLHCQ4_UVvMQPPnUhP2xqxjlfOBw_96qaD1LxflVyKMgb74hRDJ3oxMiZL4nk02tc-g98qYiUEJmBcWfA0g-H8s2XUJQfVc\/s640\/afp-blog1.png\" width=\"640\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjlThoemGsVYhI44tVYzwpvBy57052ZBAmnNXp3k49XU-4DMavz9iKllpSr0j03S5mPkryhLH38PM6xcIziBghuOaFR7aAbJ1Mm-iHoSjn_uMFZoLzDSUAHPnKSwUJfKNXj9VqbPH79Gvo\/s1600\/afp-blog2.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" height=\"400\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjlThoemGsVYhI44tVYzwpvBy57052ZBAmnNXp3k49XU-4DMavz9iKllpSr0j03S5mPkryhLH38PM6xcIziBghuOaFR7aAbJ1Mm-iHoSjn_uMFZoLzDSUAHPnKSwUJfKNXj9VqbPH79Gvo\/s400\/afp-blog2.png\" width=\"397\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" 
style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgksgq0W9XB63GsswKcSFCB4TMy4ysaGX7xFqCvc9xaFbmav58I16n_8mahHNjhKcUvdb5QGyMb69d-pEt1hm01p-YeGLEuCH1ioU8dKaQhM0wWCxOINbhSGegA9nocXNsmNFuDCgwxQQE\/s1600\/afp-blog3.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" height=\"400\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgksgq0W9XB63GsswKcSFCB4TMy4ysaGX7xFqCvc9xaFbmav58I16n_8mahHNjhKcUvdb5QGyMb69d-pEt1hm01p-YeGLEuCH1ioU8dKaQhM0wWCxOINbhSGegA9nocXNsmNFuDCgwxQQE\/s400\/afp-blog3.png\" width=\"363\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cbr \/\u003E\n\u003Cb\u003EWhat can I do with it?\u003C\/b\u003E\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Cul\u003E\n\u003Cli\u003ERead access to files\/folders (always fun)\u003C\/li\u003E\n\u003Cli\u003EWrite access (sometimes)\u003C\/li\u003E\n\u003C\/ul\u003E\n\u003Cdiv\u003E\n\u003Cdiv\u003E\n\u003Cb\u003EDiscovery?\u003C\/b\u003E\u003C\/div\u003E\n\u003Cdiv\u003E\n\u003Cul\u003E\n\u003Cli\u003EVuln scanners (duh)\u003C\/li\u003E\n\u003Cli\u003ENmap scripts\u003C\/li\u003E\n\u003Cul\u003E\n\u003Cli\u003Eafp-showmount\u003C\/li\u003E\n\u003Cli\u003Eafp-serverinfo\u003C\/li\u003E\n\u003Cli\u003Eafp-ls\u003C\/li\u003E\n\u003Cli\u003Eafp-brute\u003C\/li\u003E\n\u003Cli\u003Eafp-path-vuln (directory traversal exploit)\u003C\/li\u003E\n\u003C\/ul\u003E\n\u003C\/ul\u003E\n\u003Cdiv\u003E\n\u003Cb\u003ENmap examples\u003C\/b\u003E\u003C\/div\u003E\n\u003C\/div\u003E\n\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgpAumrOcq2SC_XFwXYns2zmgJ8nzQv80f0ip1K_bTpXDdqosVgkoWW0k7idfmKEo60MqejigdQEC0m7qcCIGDv5mqio6L7xAUvyJLiZus3mTsn_Wy7M6OyA7caBQytakq85iFc1k1A4Hk\/s1600\/afp-blog4.PNG\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 
1em;\"\u003E\u003Cimg border=\"0\" height=\"213\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgpAumrOcq2SC_XFwXYns2zmgJ8nzQv80f0ip1K_bTpXDdqosVgkoWW0k7idfmKEo60MqejigdQEC0m7qcCIGDv5mqio6L7xAUvyJLiZus3mTsn_Wy7M6OyA7caBQytakq85iFc1k1A4Hk\/s320\/afp-blog4.PNG\" width=\"320\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh1jB7TjB3BqSv-bWZhc6foHm9CX7VhyztsyLDXkETnFUxYzTAlhXjiwHRurdRLRGYPHBYRVzfvyWi7pnRmC-OuiHTpPBJZpjMYknh3byLulYjPHi7qVWCvWi_vQy90fBnXiondZaifMY4\/s1600\/afp-blog5.PNG\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" height=\"231\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh1jB7TjB3BqSv-bWZhc6foHm9CX7VhyztsyLDXkETnFUxYzTAlhXjiwHRurdRLRGYPHBYRVzfvyWi7pnRmC-OuiHTpPBJZpjMYknh3byLulYjPHi7qVWCvWi_vQy90fBnXiondZaifMY4\/s320\/afp-blog5.PNG\" width=\"320\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv\u003E\n\u003Cb\u003EConnecting to AFP servers\u003C\/b\u003E\u003C\/div\u003E\n\u003Cdiv\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv\u003E\nSuper easy if you have a Mac\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgBTFX5jRnGtB_OZ8VnBQOToAzFx8vWOcaxOxD_RaLVxCawQm5W0H5MH3rsNctgLjwkcvzLaeObx-pNqdxmkdth9LeXkmvU3eSETbL2NuSqLj5bAbBKQCss1RouBD5bu1tsbCU4lcYoKUw\/s1600\/afp-blog6.PNG\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" height=\"260\" 
src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgBTFX5jRnGtB_OZ8VnBQOToAzFx8vWOcaxOxD_RaLVxCawQm5W0H5MH3rsNctgLjwkcvzLaeObx-pNqdxmkdth9LeXkmvU3eSETbL2NuSqLj5bAbBKQCss1RouBD5bu1tsbCU4lcYoKUw\/s320\/afp-blog6.PNG\" width=\"320\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh1HHwQOL55CqI1BdI_Pq2vRMR-QNUvcto__Oou0dJK6nVmt3JVAIa7GNq8KGIsDOYE4FLcde8QWuO-M9w7Gg5uJYZfBrWDbEl52ky4Q6mDESMjHPcwwTuVc1GiTMkioigEsiBwU9rcvWM\/s1600\/afp-blog7.PNG\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" height=\"128\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh1HHwQOL55CqI1BdI_Pq2vRMR-QNUvcto__Oou0dJK6nVmt3JVAIa7GNq8KGIsDOYE4FLcde8QWuO-M9w7Gg5uJYZfBrWDbEl52ky4Q6mDESMjHPcwwTuVc1GiTMkioigEsiBwU9rcvWM\/s320\/afp-blog7.PNG\" width=\"320\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv\u003E\nLinux you can use \u003Ca href=\"http:\/\/sourceforge.net\/projects\/afpfs-ng\/\" target=\"_blank\"\u003EAfpfs-ng\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEje3tS0LZYQigq5RgaoAvh70ytj3c4hrDQ2a-24fwuwXiYtF5y9-vdMq7OIyioxhfEosrlIMxizIBiCXWi7nP-cISHOeqY-YhAbjRdSXwHihpgYD_eNkdJzFPAgrJpgNgaYEMouAFatYBA\/s1600\/afp-blog8.PNG\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" height=\"168\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEje3tS0LZYQigq5RgaoAvh70ytj3c4hrDQ2a-24fwuwXiYtF5y9-vdMq7OIyioxhfEosrlIMxizIBiCXWi7nP-cISHOeqY-YhAbjRdSXwHihpgYD_eNkdJzFPAgrJpgNgaYEMouAFatYBA\/s320\/afp-blog8.PNG\" width=\"320\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" 
style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjZEozZP1L8_t1YTtbyM61XJDbgoEAuCSBvAtKbXG_1CLiRul58k9hlxfArv12TjuPKTCriwlmw3RJmOESwHq7q-wxCrx85o1HN1giFe4OPFxW3L5zBXLEn50P1z20r4VaIl7fYVPFiIsQ\/s1600\/afp-blog10.PNG\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" height=\"223\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjZEozZP1L8_t1YTtbyM61XJDbgoEAuCSBvAtKbXG_1CLiRul58k9hlxfArv12TjuPKTCriwlmw3RJmOESwHq7q-wxCrx85o1HN1giFe4OPFxW3L5zBXLEn50P1z20r4VaIl7fYVPFiIsQ\/s320\/afp-blog10.PNG\" width=\"320\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjqdjxl5xJhyphenhyphen47qF_np3GkR46APCpfdLYud7UJAsW0uj4fqXRLplHhAh8qBoGm-8D8tpG_eG-Ixlya__VNGzbEhVvSPuElSwg_1Dexty6srpRGtoRB1hP8klVnpRNmZLHmQeHGDaeL4_1I\/s1600\/afp-blog11.PNG\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" height=\"202\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjqdjxl5xJhyphenhyphen47qF_np3GkR46APCpfdLYud7UJAsW0uj4fqXRLplHhAh8qBoGm-8D8tpG_eG-Ixlya__VNGzbEhVvSPuElSwg_1Dexty6srpRGtoRB1hP8klVnpRNmZLHmQeHGDaeL4_1I\/s320\/afp-blog11.PNG\" width=\"320\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhlNor2_ZRjh2TegT-uv9d4Zuif6BJOPvFThQoA6ITJPOtJvM0PR9njxa016uzOaXMUOoT1K3RuDuSYIRI0terRjBlbXAQBDiql-DjVJ2Um1X_YSLGujZZxCqbNO2yTJymNC8M0H3lubcQ\/s1600\/afp-blog9.PNG\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" height=\"202\" 
src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhlNor2_ZRjh2TegT-uv9d4Zuif6BJOPvFThQoA6ITJPOtJvM0PR9njxa016uzOaXMUOoT1K3RuDuSYIRI0terRjBlbXAQBDiql-DjVJ2Um1X_YSLGujZZxCqbNO2yTJymNC8M0H3lubcQ\/s320\/afp-blog9.PNG\" width=\"320\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv\u003E\nWindow? dunno. Don't\u0026nbsp;think so...\u003C\/div\u003E\n\u003Cdiv\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cbr \/\u003E\n\u003Cbr \/\u003E"},"link":[{"rel":"replies","type":"application/atom+xml","href":"https:\/\/blog.carnal0wnage.com\/feeds\/4336904076886945787\/comments\/default","title":"Post Comments"},{"rel":"replies","type":"text/html","href":"https:\/\/www.blogger.com\/comment\/fullpage\/post\/8539880144347728238\/4336904076886945787","title":"1 Comments"},{"rel":"edit","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/4336904076886945787"},{"rel":"self","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/4336904076886945787"},{"rel":"alternate","type":"text/html","href":"https:\/\/blog.carnal0wnage.com\/2012\/05\/from-low-to-pwned-9-apple-filing.html","title":"From LOW to PWNED [9] Apple Filing Protocol 
(AFP)"}],"author":[{"name":{"$t":"Unknown"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgdbptd0omPFjWj_hBs2itupp4XIyJu7NlMuTpoFO1Ui4YZGLHCQ4_UVvMQPPnUhP2xqxjlfOBw_96qaD1LxflVyKMgb74hRDJ3oxMiZL4nk02tc-g98qYiUEJmBcWfA0g-H8s2XUJQfVc\/s72-c\/afp-blog1.png","height":"72","width":"72"},"thr$total":{"$t":"1"}},{"id":{"$t":"tag:blogger.com,1999:blog-8539880144347728238.post-2938946519415661838"},"published":{"$t":"2012-05-14T08:00:00.000-04:00"},"updated":{"$t":"2012-06-05T11:11:34.604-04:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"low2pwned"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Pentesting"},{"scheme":"http://www.blogger.com/atom/ns#","term":"web application testing"}],"title":{"type":"text","$t":"From LOW to PWNED [8] Honorable Mention: Log File Injection"},"content":{"type":"html","$t":"Post [8] Honorable Mention: Log File Injection\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nSo this\u0026nbsp;didn't\u0026nbsp;make it into the talk, but was in the hidden slides...\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nnot positive this is a \"low\" but a friend suggested it, so here you go.\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nGoes like this:\u003Cbr \/\u003E\nRequest gets logged\u003Cbr \/\u003E\nSomething malicious gets written commonly something like a one line PHP backdoor\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Col\u003E\n\u003Cli\u003E1. 
\u0026nbsp;Use an LFI vulnerability to browse to the page and get a shell\u003C\/li\u003E\n\u003Col\u003E\n\u003Cli\u003EExample 1:\u0026nbsp;\nPhp Shell Injection On A Website Through Log Poisoning\u0026nbsp;\u003Ca href=\"http:\/\/www.securitytube.net\/video\/167\"\u003Ehttp:\/\/www.securitytube.net\/video\/167\u003C\/a\u003E\u003C\/li\u003E\n\u003Cli\u003ERails 3.0.5 Log File Injection\u0026nbsp;\u003Ca href=\"http:\/\/packetstormsecurity.org\/files\/99282\/Rails-3.0.5-Log-File-Injection-Proof-Of-Concept.html\"\u003Ehttp:\/\/packetstormsecurity.org\/files\/99282\/Rails-3.0.5-Log-File-Injection-Proof-Of-Concept.html\u003C\/a\u003E\u003C\/li\u003E\n\u003Cli\u003E\u003Ca href=\"http:\/\/websec.wordpress.com\/2010\/02\/22\/exploiting-php-file-inclusion-overview\/\"\u003Ehttp:\/\/websec.wordpress.com\/2010\/02\/22\/exploiting-php-file-inclusion-overview\/\u003C\/a\u003E\u003C\/li\u003E\n\u003Cli\u003EExample 2:\u0026nbsp;BURP SUITE - PART IV: LFI EXPLOIT via LOG INJECTION\u0026nbsp;\u0026nbsp;\u003Ca href=\"http:\/\/kaoticcreations.blogspot.com\/2011\/12\/burp-suite-part-iv-lfi-exploit-via-log_20.html\"\u003Ehttp:\/\/kaoticcreations.blogspot.com\/2011\/12\/burp-suite-part-iv-lfi-exploit-via-log_20.html\u003C\/a\u003E\u003C\/li\u003E\n\u003C\/ol\u003E\n\u003Cli\u003E2. 
Wait for an admin to view the logs, which triggers whatever you injected (XSS)\u003C\/li\u003E\n\u003Col\u003E\n\u003Cli\u003EExample 1:\u0026nbsp;\u003Ca href=\"http:\/\/xforce.iss.net\/xforce\/xfdb\/50170\"\u003Ehttp:\/\/xforce.iss.net\/xforce\/xfdb\/50170\u003C\/a\u003E\u003C\/li\u003E\n\u003Cli\u003EExample 2:\u0026nbsp;\u003Ca href=\"http:\/\/www.securityfocus.com\/archive\/1\/464471\"\u003Ehttp:\/\/www.securityfocus.com\/archive\/1\/464471\u003C\/a\u003E\u003C\/li\u003E\n\u003C\/ol\u003E\n\u003C\/ol\u003E\n\u003Cbr \/\u003E\nCan also do fun stuff like this (TNS Logfile injection in Oracle)\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Ciframe allowfullscreen=\"\" frameborder=\"0\" height=\"315\" src=\"http:\/\/www.youtube.com\/embed\/EE6SNPgeOps\" width=\"420\"\u003E\u003C\/iframe\u003E\n\u003Cbr \/\u003E\n\u003Cbr \/\u003E"},"link":[{"rel":"replies","type":"application/atom+xml","href":"https:\/\/blog.carnal0wnage.com\/feeds\/2938946519415661838\/comments\/default","title":"Post Comments"},{"rel":"replies","type":"text/html","href":"https:\/\/www.blogger.com\/comment\/fullpage\/post\/8539880144347728238\/2938946519415661838","title":"1 Comments"},{"rel":"edit","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/2938946519415661838"},{"rel":"self","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/2938946519415661838"},{"rel":"alternate","type":"text/html","href":"https:\/\/blog.carnal0wnage.com\/2012\/05\/from-low-to-pwned-8-honorable-mention.html","title":"From LOW to PWNED [8] Honorable Mention: Log File 
Injection"}],"author":[{"name":{"$t":"Unknown"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/img.youtube.com\/vi\/EE6SNPgeOps\/default.jpg","height":"72","width":"72"},"thr$total":{"$t":"1"}}]}});