For this hack to work, I think the subprocess library must be already imported in the server's python code. So it is not possible to execute random remote scripts unless the library used in the script was already present in the server.
So in the reduce method, the first line should be import `the_lib_you_need_for_the_script` followed by the script you would like to run. Only this will work if you like to run every script in the server.
correct me if I'm wrong :)
Brother, I found this bug a long time ago, but even after trying a lot I couldn't exploit it,
Its bug name is "Serialised Data In HTTP Message"
Whenever I tried to inject any malicious code, I get 500 server error.
This is proof of that, after trying for 1-2 weeks, I asked a question in this forum also
hackersploit.org/t/need-help-how-to-exploit-serialized-object-in-http-message-vulnerability/2722
@CyberAcademyHindi I read the forum. You did exploit it but were unable to capture the secret key, because you were using os.system().
You need to use subprocess.check_output() so that the output is actually returned.
os.system() executes the command but doesn't return the output. That's why you were getting Server Error.
So close, well done!
I forgot to mention in my previous comment. You can even solve it by os.system() by getting a reverse shell. Harshit Luthra has written a write-up about it here, check it out: hackmd.io/JKI5fglISfG9cEvDR6F6sg
@TechRaj156 Thanks 😊, Please make more CTFs, I am really interested in participating
Which os do u use bruh..??
We want more challenges like this. Waiting for next challenge.
RCE via insecure deserialization....NICE!
Bro how to start hacking i mean what course to do first
Start doing CTFs like this goto CTF Times and find low weighted ctfs.
@jayarajnr965 yeah sure.... Actually have been doing CTF challenges for more than 3yrs and have advanced more on field of hacking 👽👽
Where and what r u studying bro...😍😘
l
@PlanetComputer what i...
tech raj your videos are very clear and just amazing if I could I would not just subscribe to your channel once but I would subscribe a million times. You always have great content please make more videos.
Are you doing software engineering or computer engineering what are you learning in VIT
U have copied from hackthebox
I just watched a 6min video of a guy saying pickle in an Indian accent 😂
This situation can only happen if the secret key is not protected i.e if it was left exposed during deployment of a website
that was a good challenge though 😁
how do i keep session ON for 24/7 (onworks)..can u help me
Hi bro.. if you don't mind.. can I get your source code?
How to get the page where you write the malicious code
Which cookie extension was this?
So basically you are starting a ctf ?
How can I participate in your challenges?
Python tutorial full in 1 week pls sir..🙏🙏
why not to just read the documentation?
I am looking for a solution :
I have a team of 6 members. I am the head of the team. I basically work on freelancing projects on a freelancing website. That's why I sometimes have to give them (team members) access to the website for work purposes. But I don't want to share my website username & password with them for security purposes. I want to give them access to this website without sharing my username & password. To solve this problem I have done quite a lot of research on the internet. I saw people suggesting a password manager. Then I bought a password manager (LastPass premium) account for 1 year. But it doesn't work well. There is a loophole. After the password manager fills the website login form (username & password) with the saved username & password, they can still see my website password by using inspect element in any browser.
I have researched a lot on this topic on the internet but didn't get any suitable solution.
I think you can give me a solution to this problem.
Bro please help me.
Try chrome extensions like ShareAccount.
@TechRaj156 Thanks bro for your suggestion.
Is it safe to use share Account extension?
@RakibulHasan-pz7ro ya it is safe
Omar Farukh, Shall I work with you on freelance projects?
sir python in hash sha256 convert string sha 256. give me string value sir
You can't reverse engineer the hash, it's only used for verification of the data. It's essentially a digital signature.
How we can hack whatapp plzz
That was a Good Video...Thank You Tech Raj
Bro how to learn programming which is related to computers ..in our clg they are just saying about creating class and object .. but where can we learn about computer coding..
I know you are not going to reply bro . Please try to reply bro
creating classes and objects is very important in programming lol, try to attentively learn that because it 'is' computer coding, eventually you will get good enough where you'll be able to design things by your own
Thanks bruh! :D
This guy is one of the reasons I still live india
Please make a challenge with php code...
Actually I don't know Python but I know PHP
Hey can u tell me how you created the web app
it's just a simple HTML web app that is running a Django Python backend
Brother, please help me. Facebook messages go to Gmail. Without FB Messenger, can anyone see from Gmail what texts are coming in? Please tell me bro.....
Nah
Hi bro
Tech bro osm 😍
I want to be your permanent student
I haven't heard so much pickle in my whole life as I heard in this video!!😂
btw great vid man
Nice method...well sqli and ddos would have been easier...but I really loved this one
Now these kind of videos with proper explanation I was talking about👍👍👍
You make apache struct deserialized exploit i am waiting same pickle
Thank you for the explanation. I was messing up the payload. smh.
Awesome
👍🏻
Informative video. Thank you
thanks, such a nice video
You're amazing