ajdumanhug

<html>
  <head>
    <title>Tabnabbing</title>
  </head>
  <body>
    <a href="http://tabnabbing.herokuapp.com/phishing_page.html"  target="_blank">Click Me</a>
  </body>
</html>

ajdumanhug

<html>
  <head>
    <title>Gotcha!</title>
    <script>
      window.opener.location.replace("http://tabnabbing.herokuapp.com/pony.svg");
    </script>
  </head>
  <body>
    <h1>Why don’t you go back to the previous tab and watch the running pony. :)</h1>
  </body>

ajdumanhug

<a href="https://example.com" target="_blank" rel="noopener noreferrer">https://example.com</a>

ajdumanhug

// Turn on core major versions
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Turn on core minor versions
add_filter( 'allow_minor_auto_core_updates', '__return_true' );

ajdumanhug

// Turn on plugins updates
add_filter( 'auto_update_plugin', '__return_true' );

// Turn on themes updates
add_filter( 'auto_update_theme', '__return_true' );

ajdumanhug

Options All -Indexes

ajdumanhug

<files wp-config.php>
order allow,deny
deny from all
</files>

ajdumanhug

error_reporting(0);
@ini_set(‘display_errors’, 0);

ajdumanhug

exploit/osx/mdns/upnp_location: RPORT 0
exploit/windows/dcerpc/ms07_029_msdns_zonename: RPORT 0
exploit/windows/scada/igss9_misc: RPORT 0
exploit/windows/firewall/blackice_pam_icq: RPORT 1
exploit/windows/http/altn_webadmin: RPORT 1000
exploit/unix/webapp/webmin_show_cgi_exec: RPORT 10000
exploit/windows/backupexec/remote_agent: RPORT 10000
exploit/windows/oracle/osb_ndmp_auth: RPORT 10000
exploit/multi/misc/zend_java_bridge: RPORT 10001
exploit/windows/misc/gimp_script_fu: RPORT 10008

ajdumanhug

Keybase proof

I hereby claim:

• I am ajdumanhug on github.
• I am ajdumanhug (https://keybase.io/ajdumanhug) on keybase.
• I have a public key whose fingerprint is F9DA 5646 FBC7 67D1 AEA2 7208 2F96 461D C299 283E

To claim this, I am signing this object: