⭐️ SDK ⭐️dpi
- Supports library-based deduplication
- Supports mixing multiple APP order submissions
- Various industries, can capture any APP
- Option to capture active users within 3 days
- Data available the day after order submission
SDK DPi is recruiting agents and direct clients, prices can be as low as freezing point for large volumes, real clients can be exempt from testing
@feijinhsa
trojan.generic is the generic name of a family of trojans. After activation, it drops virus files from its internal resources. Some Windows trojans use a file binder, bundling the virus program and a normal application into one executable; on launch both are released, and the normal program is used as cover for the virus. The virus then runs in the background and sends data back to its operator. Beyond the usual harm, it can prevent mainstream antivirus software and personal firewalls from opening, and can even cause a system "blue screen", an automatic restart, or a crash during virus scanning.
The core module "UpdateServer.exe" registers itself as a system service upon startup, first checking the current system environment to prevent running in a virtual machine, packet capture detection, or debugging analysis. It then checks the core files in the update directory: "UpData.db", "Notify.exe", and "info.db". It decrypts (RC4+ZLib) the "UpData.db" module and loads it into memory, calling its exported function "update_init".
Penetrate backend permissions, databases, servers.
Crack and customize scripts for domestic and overseas sites and apps, target specific sites, penetrate, attack and paralyze, modify orders, change data, listen, monitor, and various other services.
Server intrusion, penetration testing, database deletion, data removal.
Taking orders.
@feijinhsa
The specific filename follows the file parameter, so directory traversal has to be considered.
The backend usually builds the path by concatenating the user-supplied name directly with os.path.join, which can lead to arbitrary file read.
Try to directly read the startup command of the current program to check the absolute path of the current Web application.
Directly read app.py.
Found that there is a /shell route that can achieve Jinja2 template rendering.
Examine common SSTI injection.
Testing found that the environment is offline and cannot write files.
PS: Actually, if the environment were online, a python reverse shell would work. The environment lacks the curl and ping commands, so the connectivity judgment was wrong.
The process runs as user nobody, and the tmp directory also has permission restrictions, which rules out writing an echo payload to disk.
Here we need to consider looking again for a WSGI-based memory shell or carrying it in the Response request header.
Write to Server
Blacklist filtering
blacklist_patterns = [r'.*length.*', r'.*count.*', r'.*[0-9].*', r'.*\..*', r'.*soft.*', r'.*%.*']
Here "soft" is filtered, but the pattern matches the literal substring, so splitting the string and concatenating the pieces gets past it.
Because "." is also filtered, attributes and methods are accessed with [] and the |attr() filter instead of dot notation.
{{lipsum['globals']['builtins']['setattr']((((lipsum|attr('spec'))|attr('init')|attr('globals'))['sys']|attr('modules'))['wsgiref']|attr('simple_server')|attr('ServerHandler'),'server_so''ftware',lipsum['globals']['builtins']['import']('os')['popen']('/readflag')[ 'read']())}}
Write to http_version
ServerHandler is based on SimpleHandler, and the parent class of SimpleHandler is BaseHandler.
A quick check shows that the response headers are written in send_preamble.
Therefore, we can control not only server_software but also http_version, and we have implemented echoing the result in http_version.
@feijinhsa
Drag 010Editor.exe into x64dbg, press F9 to reach the main program entry, and find many jmp instructions. Press Shift+D to search for the string "Evaluation" (as shown in the screenshot above), and find 4 lines that might be registration success prompts.
Double-click any one of the registration success addresses to enter the code, and find that they are all located in the same subroutine. Scroll up to the first instruction of the subroutine (the 4th instruction is selected in the picture, but it doesn't really matter), set a breakpoint, then run. The registration prompt indeed does not pop up, which indicates that this part of the program is verifying whether the software is registered. Select the cmp ebx,DB instruction, press Shift+C to copy the opcode, then in the current module use "Match Features" to search and paste the hexadecimal opcode.
@feijinhsa
By impersonating the domain name server and answering queries with the attacker's IP address, the attacker ensures that a user browsing the internet sees only the attacker's page instead of the homepage of the website the user intended to visit.
The NavigationLink type has added new data-driven capabilities. A brand new initializer allows us to create a link bound to a specific value. This is a refactoring of a previous example using the new data-driven navigation API. We use the new value-based navigation links to guide users through the app. See how we associate each item in the list with a specific value. Remember, the value must conform to the Hashable protocol. Next, we use the navigationDestination view modifier to define the destination view for a specific value. In the current example, we have only one type of destination, but you can have any number of destinations by applying multiple navigationDestination view modifiers.
Swift with Majid
Master NavigationStack in SwiftUI. Navigation patterns.
SwiftUI is a declarative data-driven framework that allows us to build complex user interfaces.
This PIN code can also be found in the HostAP configuration and can be located through information leakage in the router's HTTP API.
Station infiltration, including well-known sites such as banking sites, social sites, online shopping sites, BC gambling sites, financial sites, stock sites, investor sites, etc. Small, medium, and large sites can consult hacker technology groups.