#!/usr/bin/php -q -d short_open_tag=on
?
print_r('
PHPFusion = 6.01.4 extract()/_SERVER[REMOTE_ADDR] sql injection exploit
by rgod [EMAIL PROTECTED]
site: http://retrogod.altervista.org
#!/usr/bin/php -q -d short_open_tag=on
?
print_r('
DokuWiki = 2006-03-09b release /bin/dwpage.php remote commands execution xploit
by rgod [EMAIL PROTECTED]
site: http://retrogod.altervista.org
dork: Driven
#!/usr/bin/php -q -d short_open_tag=on
?
print_r('
e107 = 0.75 GLOBALS[] overwrite/Zend_Hash_Del_Key_Or_Index remote commands
execution exploit
by rgod [EMAIL PROTECTED]
site: http://retrogod.altervista.org
/zend_hash_del_key_or_index_vulnerability.html
SMF team released 1.0.8 and 1.1.rc3 versions to patch these issues
rgod
site: http://retrogod.altervista.org
mail: rgod at autistici.org
rgod 17/08/20067.15.36
site: http://retrogod.altervista.org
mail: rgod at autistici.org
original advisory: http://retrogod.altervista.org/cubecart_3011_adv.html
#!/usr/bin/php -q -d short_open_tag=on
?
echo XMB = 1.9.6 Final basename() 'langfilenew' arbitrary local inclusion /
remote commands xctn\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\n;;
echo dork: \Powered by XMB\\n\n;
/*
works regardless of php.ini
#!/usr/bin/php -q -d short_open_tag=on
?
echo SendCard = 3.4.0 unauthorized administrative access / remote commands\n;
echo execution exploit\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\n;;
echo dork: \Powered by sendcard - an advanced PHP e-card program\\n\n
#!/usr/bin/php -q -d short_open_tag=on
?
echo ATutor = 1.5.3.1 'links' blind SQL injection / admin credentials
disclosure\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\n;;
echo dork, version specific: \Web site engine's code is copyright\
\2001-2006 ATutor
mysql_error();
if($res and mysql_num_rows($res)0) return TRUE; else return FALSE;
}
1.05 29/07/2006
rgod
http://retrogod.altervista.org/php_ip2long.htm
#!/usr/bin/php -q -d short_open_tag=on
?
echo Etomite CMS = 0.6.1 'rfiles.php' remote command execution\r\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\r\n;;
echo google dork: \Content managed by the Etomite Content Management
System\\r\n\r\n;
/*
works
#!/usr/bin/php -q -d short_open_tag=on
?
echo LoudBlog = 0.5 'id' SQL injection / admin credentials disclosure\r\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\r\n;;
echo a dork: \Powered by LoudBlog\\r\n\r\n;
/*
works regardless of magic_quotes_gpc settings
just modified the geeklog one to works against toenda, poc:
http://retrogod.altervista.org/toenda_100_shizouka_xpl.html
#!/usr/bin/php -q -d short_open_tag=on
?
echo MyBulletinBoard (MyBB) = 1.1.5 'CLIENT-IP' SQL injection / create new
admin exploit\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\n;;
echo dork, version specific: \Powered By MyBB\ \2006 MyBB Group\\n\n;
/*
works
rgod
site: http://rgod.altervista.org
mail: rgod @ autistici.org
original url: http://retrogod.altervista.org/flatnuke257_adv.html
#!/usr/bin/php -q -d short_open_tag=on
?
echo PHORUM 5 arbitrary local inclusion exploit\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\n;;
echo dork: \This forum powered by Phorum.\\n\n;
/*
works with:
register_globals=On
magic_quotes_gpc=Off
*/
if ($argc6
#!/usr/bin/php -q -d short_open_tag=on
?
echo PhpBB 3 memberlist.php/'ip' argument SQL injection / admin credentials
disclosure\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\n;;
echo dork, version specific: \Powered by phpBB * 2002, 2006 phpBB
Group\\n\n
#!/usr/bin/php -q -d short_open_tag=on
?
echo PAPOO = 3_RC3 SQL injection / admin credentials disclosure\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\n;;
echo dork: \Help * Contact * Imprint * Sitemap\ | \powered by papoo\ |
\powered by cms papoo\\n\n
#!/usr/bin/php -q -d short_open_tag=on
?
echo Pivot = 1.30 RC2 privileges escalation / remote commands execution
exploit\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\n;;
echo dorks: \Powered byPivot\\n;
echo version specific: \Powered byPivot - 1.30 RC2
#!/usr/bin/php -q -d short_open_tag=on
?
echo BLOG:CMS = 4.0.0k sql injection/admin credentials disclosure exploit\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\n;;
echo dork: \Powered by BLOG:CMS\|\Powered by blogcms.com\|\2003-2004,
Radek Hulán\\n\n
#!/usr/bin/php -q -d short_open_tag=on
?
echo Jaws = 0.6.2 'Search gadget' SQL injection / admin credentials
disclosure\r\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\r\n;;
echo dork: \powered by jaws\ | \powered by the jaws project\ |
inurl:?gadget=search\r
#!/usr/bin/php -q -d short_open_tag=on
?
echo bitweaver = v1.3 'tmpImagePath' attachment mod_mime exploit\r\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\r\n;;
echo dork: \powered by bitweaver\\r\n\r\n;
if ($argc4) {
echo Usage: php .$argv[0]. host path cmd
#!/usr/bin/php -q -d short_open_tag=on
?
echo Mambo = 4.6rc1 'Weblinks' blind SQL injection / admin credentials\r\n;
echo disclosure exploit (benchmark() vesion)\r\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\r\n;;
echo this is called the Sun-Tzu
#!/usr/bin/php -q -d short_open_tag=on
?
echo blur6ex = 0.3.462 'ID' blind SQL injection / admin credentials
disclosure\r\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\r\n;;
echo dork: \powered by blur6ex\\r\n\r\n;
/*
works regardless of php.ini settings
#!/usr/bin/php -q -d short_open_tag=on
?
echo Pixelpost = 1-5rc1-2 privilege escalation exploit\r\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\r\n;;
echo dork: pixelpost \RSS 2.0\ \ATOM feed\ \Valid xHTML / Valid
CSS\\r\n\r\n;
/*
works
#!/usr/bin/php -q -d short_open_tag=on
?
echo DotClear = 1.2.4 prepend.php/'blog_dc_path' arbitrary remote
inclusion\r\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\r\n\r\n;;
echo dork: \propulsé par DotClear\ \fil atom\ \fil rss\
+commentaires\r\n\r\n
#!/usr/bin/php -q -d short_open_tag=on
?
echo LifeType = 1.0.4_r3270 SQL injection / admin credentials disclosure\r\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\r\n;;
echo dork: \Powered by LifeType\ \RSS 0.90\ \RSS 1.0\ \RSS 2.0\
\Valid XHTML 1.0 Strict
in all mentioned files we have:
...
$phpbb_root_path = ./../;
require($phpbb_root_path . 'extension.inc');
...
so I would like to see how this can work...
#!/usr/bin/php -q -d short_open_tag=on
?
echo pppBlog = 0.3.8 system disclosure exploit\r\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\r\n\r\n;;
echo dork: intext:\Powered by pppblog\\r\n\r\n;
/*
works with:
register_globals=On
*/
if ($argc4) {
echo
#!/usr/bin/php -q -d short_open_tag=on
?
echo Drupal = 4.7 attachment mod_mime poc exploit\r\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\r\n\r\n;;
/*
this works with a user account with upload rights and with permissions to modify
stories, however
#!/usr/bin/php -q -d short_open_tag=on
?
echo \r\n;
echo | WordPress = 2.0.2 'cache' shell injection exploit |\r\n;
echo | by rgod [EMAIL PROTECTED] |\r\n;
echo | site: http
#!/usr/bin/php -q -d short_open_tag=on
?
echo Nucleus = 3.22 arbitrary remote inclusion exploit\r\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\r\n\r\n;;
echo this is called the \deadly eyes of Sun-tzu\\r\n;
echo dork: Copyright . Nucleus CMS v3.22 . Valid
#!/usr/bin/php -q -d short_open_tag=on
?
echo XOOPS = 2.0.13.2 'xoopsOption[nocommon]' exploit\r\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\r\n\r\n;;
/*
works with:
magic_quotes_gpc = Off
register_globals = On
*/
if ($argc4) {
echo Usage: php
#!/usr/bin/php -q -d short_open_tag=on
?
echo PHP-Fusion = v6.00.306 \srch_where\ SQL Injection/Admin credentials
disclosure\r\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\r\n\r\n;;
if ($argc5) {
echo Usage: php .$argv[0]. host path user pass OPTIONS\r\n
#!/usr/bin/php -q -d short_open_tag=on
?
echo DeluxeBB = v1.06 attachment mod_mime exploit\r\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\r\n;;
echo tested working against a fresh deluxebb installation\r\n\r\n;
if ($argc4) {
echo Usage: php .$argv[0]. host
an admin or whoever succeed to find admin sid is able to launch commands,
advisory/poc exploit:
http://retrogod.altervista.org/phpbb_2020_admin_xpl.html
#!/usr/bin/php -q -d short_open_tag=on
?
echo Sugar Suite Open Source = 4.2 \OptimisticLock!\ arbitrary remote
inclusion exploit\r\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\r\n\r\n;;
echo this is called the \five claws of Sun-tzu\\r\n\r\n;
if ($argc5
#!/usr/bin/php -q -d short_open_tag=on
?
echo Unclassified NewsBoard = 1.6.1 patch 1 ABBC[Config][smileset]
arbitrary\r\n;
echo local inclusion\r\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\r\n\r\n;;
echo works with register_globals = On magic_quotes_gpc
#!/usr/bin/php -q -d short_open_tag=on
?
echo PHPFusion = v6.00.306 avatar mod_mime arbitrary file upload \r\n;
echo local inclusion vulnerabilities\r\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\r\n\r\n;;
if ($argc6) {
echo Usage: php .$argv[0]. host path
#!/usr/bin/php -q -d short_open_tag=on
?
echo \r\n;
echo * PHPSurveyor = 0.995 'save.php/surveyid' remote cmmnds xctn *\r\n;
echo * by rgod [EMAIL PROTECTED] site: http://retrogod.altervista.org *\r\n;
echo * a special tnX
#!/usr/bin/php -q -d short_open_tag=on
?
echo PCPIN Chat = 5.0.4 \login/language\ remote cmmnds xctn\r\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\r\n\r\n;;
echo - works with magic_quotes_gpc = Off\r\n;
echo dork: \powered by PCPIN.com\\r\n\r\n;
if ($argc4) {
echo
temporary patch - replace this line:
...
if ($updwelcome isset($welcomedata) check_welcome($dir)) {
...
with:
...
if ($admin $updwelcome isset($welcomedata) check_welcome($dir)) {
...
rgod
site: http
intext:mysql.php -display
rgod
site: http://retrogod.altervista.org
mail: rgod at autistici.org
original advisory: http://retrogod.altervista.org/oscommerce_22_adv.html
#!/usr/bin/php -q -d short_open_tag=on
?
echo Simplog = 0.9.2 \s\ remote cmmnds xctn\r\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\r\n\r\n;;
echo dork: intext:\Powered by simplog\\r\n\r\n;
if ($argc5) {
echo Usage: php .$argv[0]. host path location cmd OPTIONS\r\n
#!/usr/bin/php -q -d short_open_tag=on
?
echo PHPMyChat 0.15.0dev \SYS enter\ remote cmmnds xctn 0day (again)\r\n;
echo by rgod [EMAIL PROTECTED];
echo site: http://retrogod.altervista.org\r\n\r\n;;
echo - works with magic_quotes_gpc=Off\r\n\r\n;
echo dork: intext:\2000-2001 The phpHeaven Team
statistics through the administration panel, javascript
will run
Once grab.php script captures admin cookie, the script itself can upload a shell
through file manager, launch commands and write output to a logfile also, inside
cookies, there is admin MD5 password hash
rgod
mail: [EMAIL PROTECTED]
site
database table_prefix, making easier the exploitation
process...
rgod
site: http://retrogod.altervista.org
mail: rgod at autistici.org
original advisory: http://retrogod.altervista.org/php_stats_0191_adv.html
rgod
site: http://retrogod.altervista.org
mail: rgod at autistici.org
original advisory: http://retrogod.altervista.org/4images_171_adv.html
#
# #
# coded by rgod #
# site: http://retrogod.altervista.org
settings
full proof of concept exploit for i) at this url:
http://retrogod.altervista.org/cpg_143_incl_xpl.html
rgod
site: http
#
# coded by rgod #
#site: http://retrogod.altervista.org #
# #
# - works with allow_url_fopen
#
# #
# DocMGR = 0.54.2 remote commands execution exploit #
# coded by rgod #
# site: http://retrogod.altervista.org
#
# coded by rgod #
# site: http://retrogod.altervista.org #
# #
# - works against PHP5
scripts...)
rgod
site: http://retrogod.altervista.org
mail: rgod at autistici org
original advisory: http://retrogod.altervista.org/linpha_10_local.html
)
--
rgod
site: http://retrogod.altervista.org
mail: rgod at autistici org
--
) - #
# coded by rgod #
#site: http://retrogod.altervista.org #
# #
# - this works regardless
#
# #
# LoudBlog 0.4 remote commands execution #
# coded by rgod #
#site: http://rgod.altervista.org