kapsobor

hamburgian local news

iso — 2009-12-16T19:12:04+01:00

just had the idea to share top local news w/ the world,
so here you go.. :

(if this results in a 403, try reloading the whole page)

snoopy german google users

iso — 2009-11-19T23:45:03+01:00

Just stumbled upon this, german Google users seem to be highly interested in other peoples secret documents - google.com search suggestions do not include these..: ("vertraulich" = confidential, "nur für den internen gebrauch" = for internal use only)

By the way, there are 1,030,000 Googlehits for filetype:pdf "for internal use only" :)

wordpress xss for <=2.8.1

iso — 2009-08-11T11:06:53+01:00

The other day another wordpress exploit went public at milw0rm - it's just an XSS bug, though.
The input value in wordpress's comment Url-field turned out to be not escaped too well - they chose to let ' go through..
The injection is limited to a maximum length of, I don't remember it right now, about 200 characters I guess, and since wordpress secured the sessioncookie to httponly some versions ago, cookie stealing would be a bit more complicated.
So I chose to create a defacement link via onmouseover for the PoC. As soon as an admin would mouseover the name of the comment-creator, i.e. when moderating the comment, a blogpost is published with the message sent by the attacker thanks to the very convenient "quickpress"-form, hence the name.

In this very simple exploit you can choose whether to post as 'title' or 'content', also, you could move the $MESSAGE to be sent as comment instead of the author's name, because that is limited in length, too. When using comment as input field you can create very long posts, with some small adjustments you could even post html and javascript to the blog. Of couse, you could execute javascript to do lots of other things with to admin's browser, too.
Thankfully, this bug among others is fixed in Wordpress 2.8.2 and above.

quick antispam script

iso — 2009-04-21T23:10:54+01:00

the concecpt of "this link kills spam" is nice, but has an obvious disadvantage: any sophisticated spammer will quickly blacklist the site. Inclusion from a publicly known site will therefore not work for long, which is sad, since the original idea is rather intriguing.
N.b.: any harvester will lookup mx records and quickly find out about the inexistence of these random addresses before even trying to send anything. But, still, if there are enough addresses fed this will take quite some processing time.

You'll need to generate the list on your own to really make it work for realworld harvesters. Here's some quick public domain php source you could use which produces more or less the same content:

# very quick antispam by iso from kapsobor $phrases = array( "contact us at ", "please write to us via ", "my email address is ", "contact: ", "mailto:", "email address is", "please write to", "send mail to", "NOSPAM.", "STOP.SPAM.", ); for($i=0;$i $email = ""; for($j=0;$j<10;$j++) { $email .= chr(97+rand(0,25)); } $email .= "@"; for($j=0;$j<14+rand(0,4);$j++) { $email .= chr(97+rand(0,25)); } print $phrases[rand(0,sizeof($phrases))]. "$email.com\n"; } ?>

for moar pieces of information consult one of the following email adresses .. ;)
contact: tituopzeki@kwiqzlbxivcgrwh.com
send mail toberjgiygxj@yhvotpkmsptcaaj.com
xybtpqcjjr@tmvpxijzchhmwdme.com
NOSPAM.guvwasfisp@seokbrprcidodgyoc.com
send mail toidlkpdpeag@cxikdopdmaepsetmq.com
email address iskbgnsvciff@spgkmbwvdkphefic.com
wtlhqykrhg@dhjxqzfbpdyunp.com
STOP.SPAM.jcwqlfzibq@boleimgsiygbmwje.com
contact: zjydxhqkmw@flujsidjintaunu.com
send mail toftdzkmvdse@voqactsnwfdakyf.com
[..]

tgtpd - a telegraph transfer protocol daemon

iso — 2009-03-12T13:46:38+01:00

Closing a gap that has existed for far too long, I hereby announce the existence of tgtpd, a telegraph transfer protocol daemon.

You can transfer text and even binary data by using morse-code.

The source code is available at tgtp://blog.kapsobor.de/tgtpd.pl - in case your lame browser does not support tgtp yet, you might make use of a small tgtp-client called tget [download tget]

You should try f.e. calling chmod +x tget ./tget tgtp://blog.kapsobor.de/ > index.html
and even
./tget tgtp://blog.kapsobor.de/logo.png > logo.png will or should work.

Running your own tgtpd is pretty straight forward:
just put tgtpd.pl into any directory, create a directory called tgtpdocs in there, then run for example
perl tgtpd.pl >> tgtpd.log 2>&1 &
- and everything in the tgtpdocs-directory will be accessible via tgtp (port 7070 by the way) - as long as its filename is all lowercase and has no characters not available in common morse code :).

The morse code is only slightly extended to be able to transfer binary data. The protocol might come in handy in case you can only transfer two different bytes (or, in the current implementation, three..) and still want to comfortably serve files.
And, of course, you could always connect it to a real telegraph and use that to serve some html...

find last.fm very-far-away-neighbours

iso — 2009-03-07T20:56:27+01:00

interesting option to waste some time is listening to last.fm-libraries of users having more or less an opposite taste than yourself. sadly, while last.fm's so called neighbour finding options are quite great, it lacks a decent search for users who do not share your taste at all.

this gap is now closed, just enter your last.fm username below and you should be able to find several more or less randomly selected users which all have one thing in common: they listen to almost completely different music than you do :)

twitter client in less than 140 characters

iso — 2009-03-04T19:31:12+01:00

just for fun since I actually registered at twitter, and while I'm at it: here's a quick and highly useful twitter client in way less than 140 characters - with features such as error detection + explanation, sending over an encrypted connection and storing your username/password for convenience :)


#!/bin/sh

#iso_ 09

U=

P=

T=$@

E= curl -sd"status=$T" -u$U:$P "https://twitter.com/statuses/update.json" |grep -i error

echo "k.$E"

just drop it into a file, f.e. 'twit', add your username after U= and your password after P=, chmod +x twit it and off you go by f.e. by ./twit eeeoo world.

list secret irc channels

iso — 2009-02-24T17:28:56+01:00

Sometimes /list-ing channels is a nice way to find irc channels, but the more interesting ones always have +s mode set - and the ircds don't usually support listing so called "secret" channels for non ircops.. :)

Yet, this naming scheme is quite confusing, since the only thing +s really changes - at least on ircds run by popular networks such as efnet and ircnet - is not listing the channel in /who and /list and commands alike.
Direct requests to the channelname on the other hand will reveal the info inspite of any +s oder +p modes.

Since I thought about publishing one or another irc script from my stash anyway, here is a small irc bot which will join to a specified channel and list all secret channels it finds by iterating a given wordlist - which can be quite a lot..

Download

toomanysecrets.pl [perl bot for listing +s channels]

Required

You'll need to have Net::IRC installed, either via cpan or via package manager, on debian/ubuntu this is libnet-irc-perl.

Config

You should edit the skript and set irc server and port as well as a channel in which the bot will list all the found channels. You can remove the channel and it will just save the channellist to disk.
Crawling through huge wordlists, you might want to decrease the request-delay of the bot since it's quite high to avoid being klined.

Usage

just run perl toomanysecrets.pl and wait for the bot in the designated channel.

License

BSD License - just do not use it for illegal purposes and stuff.

those annoying inconsistencies

iso — 2009-02-12T16:41:42+01:00

Just a very short addition to my unexpected mysql timestamp behaviour: Once again I was fooled by the following:

mysql> select datediff(now(), '2009-01-01'); +-------------------------------+ | datediff(now(), '2009-01-01') | +-------------------------------+ | 42 | +-------------------------------+ 1 row in set (0.00 sec)

which is fine. But on the other hand:

mysql> select timestampdiff(day, now(), '2009-01-01'); +-----------------------------------------+ | timestampdiff(day, now(), '2009-01-01') | +-----------------------------------------+ | -42 | +-----------------------------------------+ 1 row in set (0.00 sec)

This is more or less just as bad as all those inconsistencies among php functions with their always surprising naming and parameter order..

deactivating openssl renegotiation

iso — 2009-02-12T16:22:09+01:00

This happened way too often, so I'll write it down as a quick reminder:

Openssl in s_client mode will renegotiate a connection whenever a line starts with the letter R - which is an especially bad choice when you're using it to connect to an smtp server.

For example:


~# openssl s_client -host smtp.hushmail.com -port 465

CONNECTED(00000003)

[certificate..]

---

220 smtp.hushmail.com ESMTP Postfix

HELO checko

250 smtp.hushmail.com

MAIL FROM: supergeek@uberfreak.net

250 2.1.0 Ok

RCPT TO: lostgeek@hushmail.com

RENEGOTIATING

depth=2 /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority

verify error:num=19:self signed certificate in certificate chain

verify return:0

So every time you try to enter RCPT the connection will be renegotiated, rendering it useless for sending mail - as a sidenote Q should also be avoided..

Since I always look it up, here it is once and for all:

openssl s_client -ign_eof -crlf -host $host -port $port

would be the correct way to go.