4/15/2014
From SQLi to Shell [PDF]
Heartbleed Tools (OpenSSL CVE-2014-0160)
- A checker (site and tool) for CVE-2014-0160: https://github.com/FiloSottile/Heartbleed
- ssltest.py: Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford http://pastebin.com/WmxzjkXJ
- SSL Server Test https://www.ssllabs.com/ssltest/index.html
- Metasploit Module: https://github.com/rapid7/metasploit-framework/pull/3206/files
- Nmap NSE script: Detects whether a server is vulnerable to the OpenSSL Heartbleed: https://svn.nmap.org/nmap/scripts/ssl-heartbleed.nse
- Nmap NSE script: Quick'n'Dirty OpenVAS nasl wrapper for ssl_heartbleed based on ssl_cert_expiry.nas https://gist.github.com/RealRancor/10140249
- Heartbleeder: Tests your servers for OpenSSL: https://github.com/titanous/heartbleeder?files=1
- Heartbleed Attack POC and Mass Scanner: https://bitbucket.org/fb1h2s/cve-2014-0160
- Heartbleed Honeypot Script: http://packetstormsecurity.com/files/126068/hb_honeypot.pl.txt
Open SSL - Zero Day Bug [Heartblood]
Security researcher တစ္ေယာက္ျဖစ္တဲ့ Robert Graham ရဲ႕ေတြ႕ရွိခ်က္အရ website ေပါင္း 600,000 ေက်ာ္ဟာ vulnerable ျဖစ္တဲ့စာရင္းထဲမွာပါဝင္ပါသတဲ့။ ဒီထဲမွာ Yahoo Mail, Lastpass နဲ႔ FBI ေတြေတာင္ပါဝင္ပါတယ္။ Heartblood ေၾကာင့္ users 800 million ရွိတဲ့ Yahoo ဟာ data exposed ခံရပါတယ္။
ကုိယ္အသုံးျပဳတဲ့ we server ဟာ Vulnerable ျဖစ္/မျဖစ္ဆုိတာ filippo.io/Heartbleed မွာစစ္ေဆးၾကည့္ႏုိင္ပါတယ္။ ဒီ vulnerable flaw မွာ affected မျဖစ္တဲ့ Open SSL version ေတြကေတာ့ ဗားရွင္းအနိမ့္ေတြျဖစ္တဲ့ 1.0.0, 0.9.8 တုိ႔ျဖစ္ပါတယ္။
Video Explain
Ref: http://thehackernews.com/2014/04/heartbleed-openssl-zero-day-bug-leaves.html
http://heartbleed.com/
Subscribe to:
Posts (Atom)
![[MSF]](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhirDSlE-BtL225zcwELV-uPG7ShLpQFgYa1B0UAdhebnIIaTM_0_rOPHwId-npaYzO06muISuLmBsRyp5MX83eBBYyDEKmSt-fT-E7WgkrKLn1TKeY5bb2gRuof1vQlhx5MHDUDjgwOko/s1600/4sec.png){kind=small}