The document discusses vulnerabilities in random number generation in PHP. It summarizes several vulnerabilities discovered between 2008-2012 related to predictable random numbers generated by PHP functions like mt_rand(). It also discusses how PHP developers have been slow to address these issues. The document then provides step-by-step explanations of how to exploit vulnerabilities in four different CMS platforms - OpenCart, DataLife Engine, UMI.CMS, and OpenCart again - by predicting random values used for tasks like password resets and session IDs.
This is the part 1 of the series on exploit research and development given as part of the null humla at Singapore. More details at www.meetup.com/Null-Singapore-The-Open-Security-Community/events/230268953/
This is the part 1 of the series on exploit research and development given as part of the null humla at Singapore. More details at www.meetup.com/Null-Singapore-The-Open-Security-Community/events/230268953/
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)nyccamp
Over 70% of the security issues in Drupal sites are either XSS, CSRF, or SQL Injection. Let's talk about how sites get hacked and how you can write secure Drupal code and maintain security throughout your development process and live maintenance.
About the Presenter:
Ben Jeavons is a member of the Drupal Security team and co-author of the Drupal Security Report. As an engineer at Acquia he works on the Acquia Network including the security and performance analysis tool, Acquia Insight.
Experience Level: Intermediate
New MITM Framework Bettercap A complete, modular, portable and easily extensible MITM framework. Bettercap is a complete, modular,
portable and easily extensible MITM tool and framework with every kind of diagnostic and offensive feature you could
need in order to perform a man in the middle attack.
This document contains various methods to hack or pentest the web-server and web-applications.
1. A person can use it as hand book for hacking websites.
2. All contents of these hand book is searched and taken out from various other websites & blogs...
3. Use these knowledge for education purpose only.
Topic: Art of Web Backdoor
Speaker: Pichaya Morimoto
Event: 2600 Thailand Meeting #5
Date: September 6, 2013
Video: https://www.youtube.com/watch?v=QIXTPPBfLyI
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)Ericom Software
WebSockets couples the performance and flexibility of TCP with the reach of HTTP Prediction: WebSockets will replace simple TCP as preferred underlying protocol.
To see how Websockets are used in a popular HTML5-based remote access solution, by visiting the following URL: http://j.mp/1luquBQ
Alex Matrosov, Cylance
This presentation is meant to serve as an alarum for hardware vendors; BIOS-level security researchers and defenders; and sophisticated stakeholders who want to know the current state of UEFI exposure and threats. The situation is serious but, with the right tools and knowledge, we can prevail.
Hardware vendors such as Intel have introduced new protection technologies like Intel Boot Guard (since Haswell) and BIOS Guard (since Skylake). Boot Guard protects Secure Boot's "Root of Trust" from firmware-based attacks by verifying that a trusted UEFI firmware is booting the platform. When BIOS Guard is active, only guarded modules can modify SPI flash memory; this can protect from persistent implants. Both technologies run on a separate CPU known as the "Authenticated Code Module" (ACM), which isolates them from attackers and also protects from race condition attacks. Those "Guard" technologies are sometimes referred to as UEFI rootkit killers.
Not many details are publicly available regarding these technologies. In this presentation, I will discuss particular implementations on hardware with the most recent Intel CPUs such as Skylake and Kaby Lake. Most of the information has been extracted from UEFI firmware modules by reverse engineering. This DXE and PEI modules cooperated with ACM-code for enabling, configuration and initialization. This talk will also cover some weaknesses of those guards. Where are the BIOS guardians failing? How difficult is it to bypass these protections and install a persistent rootkit from the operating system?
I got 99 trends and a # is all of them or How we found over 100 200+ RCE vulnerabilities in Trend Micro software.
Presentation released at Hack In The Box 2017 Amsterdam, by Roberto Suggi Liverani @malerisch and Steven Seeley @steventseeley.
For more information, please visit: http://blog.malerisch.net or http://srcincite.io
Logstash for SEO: come monitorare i Log del Web Server in realtimeAndrea Cardinale
Durante questo intervento verrà illustrato come si possono installare software di analisi in tempo reale dei log del server (ELK pattern: ElasticSearch, Logstash, Kibana) in modo da ottenere tutte le informazioni su Googlebot e per scoprire i punti di debolezza e gli eventi relativi ai nostri siti che non potremmo altrimenti conoscere.
Finding and fixing bugs is a major chunk of any developers time. This talk describes the basic rules for effective debugging in any language, but shows how the tools available in PHP can be used to find and fix even the most elusive error
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)nyccamp
Over 70% of the security issues in Drupal sites are either XSS, CSRF, or SQL Injection. Let's talk about how sites get hacked and how you can write secure Drupal code and maintain security throughout your development process and live maintenance.
About the Presenter:
Ben Jeavons is a member of the Drupal Security team and co-author of the Drupal Security Report. As an engineer at Acquia he works on the Acquia Network including the security and performance analysis tool, Acquia Insight.
Experience Level: Intermediate
New MITM Framework Bettercap A complete, modular, portable and easily extensible MITM framework. Bettercap is a complete, modular,
portable and easily extensible MITM tool and framework with every kind of diagnostic and offensive feature you could
need in order to perform a man in the middle attack.
This document contains various methods to hack or pentest the web-server and web-applications.
1. A person can use it as hand book for hacking websites.
2. All contents of these hand book is searched and taken out from various other websites & blogs...
3. Use these knowledge for education purpose only.
Topic: Art of Web Backdoor
Speaker: Pichaya Morimoto
Event: 2600 Thailand Meeting #5
Date: September 6, 2013
Video: https://www.youtube.com/watch?v=QIXTPPBfLyI
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)Ericom Software
WebSockets couples the performance and flexibility of TCP with the reach of HTTP Prediction: WebSockets will replace simple TCP as preferred underlying protocol.
To see how Websockets are used in a popular HTML5-based remote access solution, by visiting the following URL: http://j.mp/1luquBQ
Alex Matrosov, Cylance
This presentation is meant to serve as an alarum for hardware vendors; BIOS-level security researchers and defenders; and sophisticated stakeholders who want to know the current state of UEFI exposure and threats. The situation is serious but, with the right tools and knowledge, we can prevail.
Hardware vendors such as Intel have introduced new protection technologies like Intel Boot Guard (since Haswell) and BIOS Guard (since Skylake). Boot Guard protects Secure Boot's "Root of Trust" from firmware-based attacks by verifying that a trusted UEFI firmware is booting the platform. When BIOS Guard is active, only guarded modules can modify SPI flash memory; this can protect from persistent implants. Both technologies run on a separate CPU known as the "Authenticated Code Module" (ACM), which isolates them from attackers and also protects from race condition attacks. Those "Guard" technologies are sometimes referred to as UEFI rootkit killers.
Not many details are publicly available regarding these technologies. In this presentation, I will discuss particular implementations on hardware with the most recent Intel CPUs such as Skylake and Kaby Lake. Most of the information has been extracted from UEFI firmware modules by reverse engineering. This DXE and PEI modules cooperated with ACM-code for enabling, configuration and initialization. This talk will also cover some weaknesses of those guards. Where are the BIOS guardians failing? How difficult is it to bypass these protections and install a persistent rootkit from the operating system?
I got 99 trends and a # is all of them or How we found over 100 200+ RCE vulnerabilities in Trend Micro software.
Presentation released at Hack In The Box 2017 Amsterdam, by Roberto Suggi Liverani @malerisch and Steven Seeley @steventseeley.
For more information, please visit: http://blog.malerisch.net or http://srcincite.io
Logstash for SEO: come monitorare i Log del Web Server in realtimeAndrea Cardinale
Durante questo intervento verrà illustrato come si possono installare software di analisi in tempo reale dei log del server (ELK pattern: ElasticSearch, Logstash, Kibana) in modo da ottenere tutte le informazioni su Googlebot e per scoprire i punti di debolezza e gli eventi relativi ai nostri siti che non potremmo altrimenti conoscere.
Finding and fixing bugs is a major chunk of any developers time. This talk describes the basic rules for effective debugging in any language, but shows how the tools available in PHP can be used to find and fix even the most elusive error
Slides from a presentation that David Lopez (@lopezator) and me made for the students of the University of the Basque Country (UPV/EHU) where we talk about current technologies and methodologies used in professional web development.
CSS3, jQuery, Composer, MVC, Clean Code, Git, etc. are different items we talked about.
Some examples shown in the presentation available at:
http://ojoven.es/labs/ehu2014/
The why and how of moving to PHP 5.4/5.5Wim Godden
With PHP 5.5 out and many production environments still running 5.2 (or older), it's time to paint a clear picture on why everyone should move to 5.4 and 5.5 and how to get code ready for the latest version of PHP. In this talk, we'll migrate an old piece of code using some standard and some very non-standard tools and techniques.
node.js - Eventful JavaScript on the ServerDavid Ruiz
Presentation made on January 2011 about node.js. This technology was used to be the main technology behind the API on "Guia VIVO TV" (codename TVSTAR) with MongoDB.
The why and how of moving to PHP 5.5/5.6Wim Godden
With PHP 5.6 out and many production environments still running 5.2 or 5.3, it's time to paint a clear picture on why everyone should move to 5.5 and 5.6 and how to get code ready for the latest version of PHP. In this talk, we'll look at some handy tools and techniques to ease the migration.
Caching and tuning fun for high scalabilityWim Godden
Caching has been a 'hot' topic for a few years. But caching takes more than merely taking data and putting it in a cache : the right caching techniques can improve performance and reduce load significantly. But we'll also look at some major pitfalls, showing that caching the wrong way can bring down your site. If you're looking for a clear explanation about various caching techniques and tools like Memcached, Nginx and Varnish, as well as ways to deploy them in an efficient way, this talk is for you.
Let's look at ways how to make PHP applications remember what your user did on the last web page.
The first half will be about the classic PHP sessions, what the SessionHandlerInterface is about and why all of it's methods are important for a successful alternative implementation.
The second half will explore alternatives to the problems created using PHP sessions, including alternatives to sessions: Splitting the problem on the server or moving the data to the client.
A review of the webshells used by bad guys. How they are protected but also mistakes in their implementation. This talk was presented at the OWASP Belgium Chapter Meeting in May 2017.
The why and how of moving to php 5.4/5.5Wim Godden
With PHP 5.5 out and many production environments still running 5.2 (or older), it's time to paint a clear picture on why everyone should move to 5.4 and 5.5 and how to get code ready for the latest version of PHP. In this talk, we'll look at some handy tools and techniques to ease the migration.
Mathilde Lemée & Romain Maton
La théorie, c’est bien, la pratique … aussi !
Venez nous rejoindre pour découvrir les profondeurs de Node.js !
Nous nous servirons d’un exemple pratique pour vous permettre d’avoir une premiere experience complete autour de Node.js et de vous permettre de vous forger un avis sur ce serveur Javascript qui fait parler de lui !
http://soft-shake.ch/2011/conference/sessions/incubator/2011/09/01/hands-on-nodejs.html
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
1. Основные понятия и определения: продукт, пакет, связи между ними.
2. Как узнать, какие изменения произошли в продукте?
3. Проблемы changelog и release note.
4. Решение: инструмент ChangelogBuilder для автоматической подготовки Release Notes
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
1. Обзор Windows Docker (кратко)
2. Как мы построили систему билда приложений в Docker (Visual Studio\Mongo\Posgresql\etc)
3. Примеры Dockerfile (выложенные на github)
4. Отличия процессов DockerWindows от DockerLinux (Долгий билд, баги, remote-регистр.)
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
1. Проблемы в построении CI процессов в компании
2. Структура типовой сборки
3. Пример реализации типовой сборки
4. Плюсы и минусы от использования типовой сборки
1. Что такое BI. Зачем он нужен.
2. Что такое Qlik View / Sense
3. Способ интеграции. Как это работает.
4. Метрики, KPI, планирование ресурсов команд, ретроспектива релиза продукта, тренды.
5. Подключение внешних источников данных (Excel, БД СКУД, переговорные комнаты).
Approof — статический анализатор кода для проверки веб-приложений на наличие уязвимых компонентов. В своей работе анализатор основывается на правилах, хранящих сигнатуры искомых компонентов. В докладе рассматривается базовая структура правила для Approof и процесс автоматизации его создания.
Задумывались ли вы когда-нибудь о том, как устроены современные механизмы защиты приложений? Какая теория стоит за реализацией WAF и SAST? Каковы пределы их возможностей? Насколько их можно подвинуть за счет более широкого взгляда на проблематику безопасности приложений?
На мастер-классе будут рассмотрены основные методы и алгоритмы двух основополагающих технологий защиты приложений — межсетевого экранирования уровня приложения и статического анализа кода. На примерах конкретных инструментов с открытым исходным кодом, разработанных специально для этого мастер-класса, будут рассмотрены проблемы, возникающие на пути у разработчиков средств защиты приложений, и возможные пути их решения, а также даны ответы на все упомянутые вопросы.
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
Разработка наукоемкого программного обеспечения отличается тем, что нет ни четкой постановки задачи, ни понимания, что получится в результате. Однако даже этом надо программировать то, что надо, и как надо. Докладчик расскажет о том, как ее команда успешно разработала и вывела в промышленную эксплуатацию несколько наукоемких продуктов, пройдя непростой путь от эксперимента, результатом которого был прототип, до промышленных версий, которые успешно продаются как на российском, так и на зарубежном рынках. Этот путь был насыщен сложностями и качественными управленческими решениями, которыми поделится докладчик
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
Немногие разработчики закладывают безопасность в архитектуру приложения на этапе проектирования. Часто для этого нет ни денег, ни времени. Еще меньше — понимания моделей нарушителя и моделей угроз. Защита приложения выходит на передний план, когда уязвимости начинают стоить денег. К этому времени приложение уже работает и внесение существенных изменений в код становится нелегкой задачей.
К счастью, разработчики тоже люди, и в коде разных приложений можно встретить однотипные недостатки. В докладе речь пойдет об опасных ошибках, которые чаще всего допускают разработчики Android-приложений. Затрагиваются особенности ОС Android, приводятся примеры реальных приложений и уязвимостей в них, описываются способы устранения.
Разработка любого софта так или иначе базируется на требованиях. Полный перечень составляют бизнес-цели приложения, различные ограничения и ожидания по качеству (их еще называют NFR). Требования к безопасности ПО относятся к последнему пункту. В ходе доклада будут рассматриваться появление этих требований, управление ими и выбор наиболее важных.
Отдельно будут освещены принципы построения архитектуры приложения, при наличии таких требований и без, и продемонстрировано, как современные (и хорошо известные) подходы к проектированию приложения помогают лучше строить архитектуру приложения для минимизации ландшафта угроз.
Доклад посвящен разработке корректного программного обеспечения с применением одного из видов статического анализа кода. Будут освещены вопросы применения подобных методов, их слабые стороны и ограничения, а также рассмотрены результаты, которые они могут дать. На конкретных примерах будет продемонстрировано, как выглядят разработка спецификаций для кода на языке Си и доказательство соответствия кода спецификациям.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
2. Timeline of PHP problems with random numbers
2008: “mt_srand and not so random numbers” by Stefan
Esser
Early 2010: “Abusing weak PRNGs in PHP applications” by
gat3way
July 2010: “How I Met Your Girlfriend” by Samy Kamkar
July 2012: “I Forgot Your Password: Randomness Attacks
Against PHP” by George Argyros and Aggelos Kiayias
August 2012: “Random Numbers. Take Two”
3. PHP Developers: meh, so what?
Documentation still lacks security warnings
except for uniqid()
PHP developers refuse to use external
crypto providers in GENERATE_SEED
Seeds in LCG and Mersenne Twister are
interdependent (if you know one seed you
will know the other)
4. PHP Developers: meh, so what?
Make seeding
more secure?
Nope, fix the
documentation
instead.*
* didn’t do even this.
5. What we are going to hack today
OpenCart 1.5.3.1
DataLife Engine 9.5
UMI.CMS 2.8.5.3
OpenCart 1.5.4.1
6. Basics (1)
Apache: mpm-prefork (separate
processes) or mpm-worker (threads
within a process)
PHP: non-thread safe (used with mpm-
prefork) or thread safe (used with mpm-
worker)
Apache+PHP: mod_php (same process on
keep-alive requests) or CGI/FastCGI
(different processes on keep-alive
requests)
7. Basics (2)
In a fresh process PHP
automatically seeds its PRNGs
Same seed for rand and mt_rand
(max value 2^32)
Two different seeds for LCG (max
value 2^32 each)
10. OpenCart 1.5.3.1
Fresh Process Spawning on mpm-prefork Apache
Initiate a number of keep-alive requests that is >
MaxSpareServers (10 by default)
Fill the pool
Make target request on freshly seeded process
11. OpenCart 1.5.3.1
php exploits/opencart/1.5.3.1.php
php exploits/opencart/md5crack.php <md5> or
./tools/hashcat/hashcat <md5> on obtained
token
At Amazon run “mt_seed.exe” or
./tools/php_mt_seed/php_mt_seed <num> on
obtained random number
php exploits/opencart/genlinks.php seeds.txt
13. OpenCart 1.5.3.1
php exploits/opencart/1.5.3.1.php
php exploits/opencart/md5crack.php <md5> or
./tools/hashcat/hashcat <md5> on obtained
token
At Amazon run “mt_seed.exe” or
./tools/php_mt_seed/php_mt_seed <num> on
obtained random number
php exploits/opencart/genlinks.php seeds.txt
14. OpenCart 1.5.3.1
php exploits/opencart/1.5.3.1.php
php exploits/opencart/md5crack.php <md5> or
./tools/hashcat/hashcat <md5> on obtained
token
At Amazon run “mt_seed.exe” or
./tools/php_mt_seed/php_mt_seed <num> on
obtained random number
php exploits/opencart/genlinks.php seeds.txt
15. OpenCart 1.5.3.1
php exploits/opencart/1.5.3.1.php
php exploits/opencart/md5crack.php <md5> or
./tools/hashcat/hashcat <md5> on obtained
token
At Amazon run “mt_seed.exe” or
./tools/php_mt_seed/php_mt_seed <num> on
obtained random number
php exploits/opencart/genlinks.php seeds.txt
20. DataLife 9.6
Log on as test:123456 at http://datalife
Copy PHPSESSID (View Page Info -> Details ->
View Cookies)
Delete cookies, go to
http://datalife/?do=lostpassword
Copy PHPSESSID and symbols on captcha
php exploits/dle/dle.php <PHPSESSID 1>
<PHPSESSID captcha> <captcha>
21. DataLife 9.6
Log on as test:123456 at http://datalife
Copy PHPSESSID (View Page Info -> Details ->
View Cookies)
Delete cookies, go to
http://datalife/?do=lostpassword
Copy PHPSESSID and symbols on captcha
php exploits/dle/dle.php <PHPSESSID 1>
<PHPSESSID captcha> <captcha>
23. DataLife 9.6
Log on as test:123456 at http://datalife
Copy PHPSESSID (View Page Info -> Details ->
View Cookies)
Delete cookies, go to
http://datalife/?do=lostpassword
Copy PHPSESSID and symbols on captcha
php exploits/dle/dle.php <PHPSESSID 1>
<PHPSESSID captcha> <captcha>
24. DataLife 9.6
Log on as test:123456 at http://datalife
Copy PHPSESSID (View Page Info -> Details ->
View Cookies)
Delete cookies, go to
http://datalife/?do=lostpassword
Copy PHPSESSID and symbols on captcha
php exploits/dle/dle.php <PHPSESSID 1>
<PHPSESSID captcha> <captcha>
25. DataLife 9.6
Log on as test:123456 at http://datalife
Copy PHPSESSID (View Page Info -> Details ->
View Cookies)
Delete cookies, go to
http://datalife/?do=lostpassword
Copy PHPSESSID and symbols on captcha
php exploits/dle/dle.php <PHPSESSID 1>
<PHPSESSID captcha> <captcha>
31. UMI.CMS 2.8.5.3
PHPSESSID:
md5(127.0.0.11351346648192088.00206033)
IP (known)
timestamp (known)
microtime0 (need to bruteforce)
LCG (need to find two seeds)
36. UMI.CMS 2.8.5.3
Edit exploits/umi/umi.php, add your login
php exploits/umi/umi.php [offset=0] [delay1=10000-
100000] [delay2=10000]
Run phpsessid_cuda with PHPSESSID, timestamp and
your ip
php exploits/umi/pass_gen.php <sec> <pid> <s1>
<s2>
37. UMI.CMS 2.8.5.3
Edit exploits/umi/umi.php, add your login
php exploits/umi/umi.php [offset=0] [delay1=10000-
100000] [delay2=10000]
Run phpsessid_cuda with PHPSESSID, timestamp and
your ip
php exploits/umi/pass_gen.php <sec> <pid> <s1>
<s2>
39. UMI.CMS 2.8.5.3
Edit exploits/umi/umi.php, add your login
php exploits/umi/umi.php [offset=0] [delay1=10000-
100000] [delay2=10000]
Run phpsessid_cuda with PHPSESSID, timestamp and
your ip
php exploits/umi/pass_gen.php <sec> <pid> <s1>
<s2>
40. PHPSESSID Bruteforcer
1,170 billion seeds/sec on a single Amazon EC2
GPU Instance
Supports multiple GPUs
Covers the whole search space within 7,5 minutes
Supports distributed computing based on sockets
So fast that we don’t need microtime
synchronization with remote server any more
42. UMI.CMS 2.8.5.3
Edit exploits/umi/umi.php, add your login
php exploits/umi/umi.php [offset=0] [delay1=10000-
100000] [delay2=10000]
Run phpsessid_cuda with PHPSESSID, timestamp and
your ip
php exploits/umi/pass_gen.php <sec> <pid> <s1>
<s2>
50. OpenCart 1.5.4.1
Send 3 requests in keep-alive (get token, user
reset, admin reset)
Find MT seeds (some collisions are present)
Bruteforce LCG seeds (also collisions) given MT
seeds
Bruteforce our sha1 -> find out proper MT seed,
LCG seed; also microseconds to start from
Calculate admin mt_rand(), admin LCG
Bruteforce microseconds given starting point from
our sha1 (Request Twins approach)
51. OpenCart 1.5.4.1
php exploits/opencart/1.5.4.1.php, get hash in
local mail
php exploits/opencart/md5crack.php <md5> or
./tools/hashcat/hashcat <md5> on obtained
token
At Amazon run “mt_rand.exe” to get seeds
At Amazon run “lcg_sha1.exe” with seeds file,
timestamp and sha1 hash
Get back to exploit, specify mt_rand, admin LCG
and microsecs to start from
52.
53. OpenCart 1.5.4.1
php exploits/opencart/1.5.4.1.php, get hash in
local mail
php exploits/opencart/md5crack.php <md5> or
./tools/hashcat/hashcat <md5> on obtained
token
At Amazon run “mt_rand.exe” to get seeds
At Amazon run “lcg_sha1.exe” with seeds file,
timestamp and sha1 hash
Get back to exploit, specify mt_rand, admin LCG
and microsecs to start from
54. OpenCart 1.5.4.1
php exploits/opencart/1.5.4.1.php, get hash in
local mail
php exploits/opencart/md5crack.php <md5> or
./tools/hashcat/hashcat <md5> on obtained
token
At Amazon run “mt_rand.exe” to get seeds
At Amazon run “lcg_sha1.exe” with seeds file,
timestamp and sha1 hash
Get back to exploit, specify mt_rand, admin LCG
and microsecs to start from
55. OpenCart 1.5.4.1
php exploits/opencart/1.5.4.1.php, get hash in
local mail
php exploits/opencart/md5crack.php <md5> or
./tools/hashcat/hashcat <md5> on obtained
token
At Amazon run “mt_rand.exe” to get seeds
At Amazon run “lcg_sha1.exe” with seeds file,
timestamp and sha1 hash
Get back to exploit, specify mt_rand, admin LCG
and microsecs to start from
56. LCG via mt_rand Seed Bruteforcer
Allows to find LCG seeds (some collision are
present) given mt_rand seed
GPU-based
16 billion seeds/sec on a single Amazon EC2 GPU
Instance
Covers the whole search space within 1 minute
61. OpenCart 1.5.4.1
php exploits/opencart/1.5.4.1.php, get hash in
local mail
php exploits/opencart/md5crack.php <md5> or
./tools/hashcat/hashcat <md5> on obtained
token
At Amazon run “mt_rand.exe” to get seeds
At Amazon run “lcg_sha1.exe” with seeds file,
timestamp and sha1 hash
Get back to exploit, specify mt_rand, admin LCG
and microsecs to start from