DOM XSS
A) WHAT IS DOM XSS?
> DOM stands for Document Object Model. The DOM is used to represent the objects in HTML, XHTML and XML documents, and through it programs and scripts can dynamically access and update the content, structure, and style of a document.
> The entire HTML page can be rebuilt through JavaScript, and to rebuild a page or an object in it, JavaScript needs to know the "position" of every element in the HTML document. The DOM provides a structured representation of the document and defines how scripts access that structure. According to the DOM rules, each component of an HTML document is a node.
The DOM rules are as follows:
> The entire document is a document node
> Each HTML tag is an element node
> The text contained in an HTML element is a text node
> Each HTML attribute is an attribute node
> There is a hierarchical relationship between nodes
1) Traditional types of XSS vulnerabilities (reflected or stored) generally appear in server-side code, whereas DOM XSS is a vulnerability based on the DOM document object model, so it is determined by the client-side script code running in the browser. DOM XSS depends on the output location (where the data is written into the DOM) rather than on the output environment, so DOM XSS may itself be either reflected or stored; what identifies it is simply that its output point is in the DOM.
We can look at this script:
<?php
error_reporting(0);
$name = $_GET["name"];   // user-controlled input from the query string
?>
<!-- the value is echoed into the attribute without escaping -->
<input id="text" type="text" value="<?php echo $name;?>" />
<div id="print"></div>
<script type="text/javascript">
var text = document.getElementById("text");
var print = document.getElementById("print");
print.innerHTML = text.value;   // DOM sink: the attribute value is written as HTML
</script>
We can see that this script receives the value of name through GET, and our input ends up in the value attribute. If we enter a script tag as before, it will not be executed, so we need to change our thinking:
<input id="text" type="text" value="<script>alert('xss')</script>" />
Close the input tag with "/> so that the payload is no longer inside the value attribute. After closing:
<input id="text" type="text" value="" /><script>alert('xss')</script>" />
WRITTEN BY UNDERCODERS
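The fix for the sample page above, as an added example (not code from the original post): escape the value on the server before echoing it into the attribute, which is what PHP's htmlspecialchars($name, ENT_QUOTES) does, and write it into the div with textContent instead of innerHTML. The helper names are this example's own.

```javascript
// Added example, not from the original post: both halves of the fix for the
// vulnerable page above. Helper names are this example's own.

// Server side: the escaping PHP's htmlspecialchars($name, ENT_QUOTES) applies
// before the value is echoed into the value="..." attribute.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The page's template with the escape applied to the user-supplied name.
function renderInput(name) {
  return '<input id="text" type="text" value="' + escapeHtml(name) + '" />';
}

// Counts '<' in the rendered markup: a correctly escaped value leaves exactly
// one tag, while a break-out payload would add a second one.
function tagCount(html) {
  return (html.match(/</g) || []).length;
}

// Client side: the safe sink. textContent stores the value as text, so a
// "<script>" string stays literal and is never parsed as markup.
function copyToDiv(doc) {
  const text = doc.getElementById('text');
  const print = doc.getElementById('print');
  print.textContent = text.value;   // the original used innerHTML here
  return print.textContent;
}

// Constructed inputs: the two payloads the post tries against the page.
const PAYLOAD_IN_ATTR = "<script>alert('xss')</script>";
const PAYLOAD_BREAKOUT = "\"/><script>alert('xss')</script>";

if (typeof document !== 'undefined') {
  copyToDiv(document);                          // in a browser: populate #print safely
} else {
  console.log(renderInput(PAYLOAD_BREAKOUT));   // in Node: show the escaped markup
}
```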
Fast subdomain enumeration tool for penetration testers
t.me/UndercodeTesting
INSTALLATION & USAGE:
1) git clone https://github.com/aboul3la/Sublist3r.git
2) cd Sublist3r
3) Installation on Windows:
> c:\python27\python.exe -m pip install -r requirements.txt
Installation on Linux:
> sudo pip install -r requirements.txt
requests module
Install for Windows:
> c:\python27\python.exe -m pip install requests
Install for Ubuntu/Debian:
> sudo apt-get install python-requests
Install for CentOS/Red Hat:
> sudo yum install python-requests
Install using pip on Linux:
> sudo pip install requests
argparse module
Install for Ubuntu/Debian:
> sudo apt-get install python-argparse
Install for CentOS/Red Hat:
> sudo yum install python-argparse
Install using pip:
> sudo pip install argparse
For coloring on Windows, install the following libraries:
> c:\python27\python.exe -m pip install win_unicode_console colorama
Options:
Short Form   Long Form      Description
-d           --domain       Domain name to enumerate subdomains of
-b           --bruteforce   Enable the subbrute bruteforce module
-p           --ports        Scan the found subdomains against specific TCP ports
-v           --verbose      Enable verbose mode and display results in real time
-t           --threads      Number of threads to use for subbrute bruteforce
-e           --engines      Specify a comma-separated list of search engines
-o           --output       Save the results to a text file
-h           --help         Show the help message and exit
@UndercodeOfficial
Dangerous vulnerability of the last few days:
"8220" mining Trojans invade servers to mine, set up a "Tsunami" botnet, and prepare to launch DDoS attacks
twitter.com/undercodeNews
LET'S START:
> Tencent Security Threat Intelligence Center detected an attack by a variant of the "8220" mining Trojan. The "8220" mining gang specializes in exploiting WebLogic and JBoss deserialization vulnerabilities, Redis and Hadoop unauthorized-access vulnerabilities, and other web vulnerabilities to compromise servers for mining. Recently, attacks in which the gang's Trojans spread through the Apache Struts remote code execution vulnerability (CVE-2017-5638) and Tomcat weak-password brute forcing have increased significantly.
> In the lateral movement stage, the Trojan uses a Python implementation of the Redis unauthorized-access vulnerability to scan about 160,000 randomly generated IPs, and uses the implanted shell script hehe.sh to establish SSH connections to the machines recorded in the host's public-key authentication records, spreading across the intranet. Eventually a variety of Monero mining Trojans and Tsunami botnet Trojans are implanted on the compromised machine; the latter is used by the gang to conduct DDoS attacks.
> The attack targets of the "8220" mining Trojan gang include both Windows and Linux servers; on the FTP servers it uses, attack modules targeting different operating systems can be found. When the gang releases the mining Trojan, it checks whether other mining Trojans are running on the server and terminates all competing miners to monopolize the server's resources.
> Based on code similarity, C2 correlation, the same Monero wallet used for mining, the decryption method of the configuration files, and similar FTP servers, Tencent security experts believe that the StartMiner that appeared in early 2020 belongs to the same gang as the "8220" mining Trojan. The gang's current version of the malicious program no longer uses port "8220" to communicate with the C2 server. From recently captured samples, the file names used in its attacks show that it combines a variety of scripts, including VBS, PHP, Python, PowerShell and shell.
@UndercodeOfficial
SOLUTION AGAINST THIS NEW MINING VULNERABILITY FOR LINUX:
> The solution
Enterprise operation and maintenance personnel can refer to the following methods to manually remove the mining Trojans from infected Linux and Windows systems, and to the security recommendations to improve server security.
Linux system
a. Kill the processes /tmp/sh, /tmp/x32b, /tmp/x64b
b. Delete the files
/tmp/i686 (md5: D4AE941C505EE53E344FB4D4C2E102B7),
/tmp/x86_64 (md5: 9FE932AC3055045A46D44997A4C6D481),
/tmp/x32b (md5: EE48AA6068988649E41FEBFA0E3B2169),
/tmp/x64b (md5: C4D44EED4916675DD408FF0B3562FB1F)
c. Delete crontab scheduled tasks containing "www.jukesxdbrxd.xyz" and "107.189.11.170"
Security recommendations:
a. Do not expose Redis to the public network unless necessary, and use a strong Redis password
b. Configure the Tomcat server with high-strength password authentication
c. For non-interactive SSH logins, set StrictHostKeyChecking=ask or StrictHostKeyChecking=yes
SOLUTION AGAINST THIS NEW MINING VULNERABILITY FOR WINDOWS:
Windows system
a. Kill the processes isassx.exe, steamhuby.exe, issaasss, isasss.exe, ready.exe, oity.exe, kkw2.exe, 12.exe, 13.exe, mess.exe
b. Delete the files:
c:\windows\temp\app.vbs
c:\windows\temp\apps.vbs
C:\Windows\Temp\ready.exe
C:\ProgramData\guvpgnkpwv\steamhuby.exe
C:\ProgramData\tumtkffywq\issaasss
C:\Windows\temp\12.exe
C:\Windows\Temp\mess.exe
%HOMEPATH%\why.ps1
%HOMEPATH%\schtasks.ps1
c. Delete scheduled tasks that reference "why.ps1, why2.ps1, why3.ps1, kkmswx.ps1"
Security recommendations:
Promptly patch high-risk Apache Struts vulnerabilities;
Configure the Tomcat server with high-strength password authentication.
It is recommended that government agencies, large and medium-sized enterprises, and scientific research units adopt Tencent's complete security solutions to comprehensively improve the security of their information systems.