PHPFusion = 6.01.4 extract()/_SERVER[REMOTE_ADDR] sql injection exploit

2006-09-07 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? print_r(' PHPFusion = 6.01.4 extract()/_SERVER[REMOTE_ADDR] sql injection exploit by rgod [EMAIL PROTECTED] site: http://retrogod.altervista.org

DokuWiki = 2006-03-09brel /bin/dwpage.php remote commands execution

2006-09-07 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? print_r(' DokuWiki = 2006-03-09b release /bin/dwpage.php remote commands execution xploit by rgod [EMAIL PROTECTED] site: http://retrogod.altervista.org dork: Driven

e107 = 0.75 GLOBALS[] overwrite/Zend_Hash_Del_Key_Or_Index remote commands execution

2006-08-29 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? print_r(' e107 = 0.75 GLOBALS[] overwrite/Zend_Hash_Del_Key_Or_Index remote commands execution exploit by rgod [EMAIL PROTECTED] site: http://retrogod.altervista.org

Simple Machines Forum =1.1RC2 unset() vulnerabilities

2006-08-22 Thread rgod
/zend_hash_del_key_or_index_vulnerability.html SMF team released 1.0.8 and 1.1.rc3 versions to patch these issues rgod site: http://retrogod.altervista.org mail: rgod at autistici.org

CubeCart = 3.0.11 SQL injection cross site scripting

2006-08-17 Thread rgod
rgod 17/08/2006 7.15.36 site: http://retrogod.altervista.org mail: rgod at autistici.org original advisory: http://retrogod.altervista.org/cubecart_3011_adv.html

XMB = 1.9.6 Final basename()/'langfilenew' arbitrary local inclusion / remote commands execution

2006-08-14 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo XMB = 1.9.6 Final basename() 'langfilenew' arbitrary local inclusion / remote commands xctn\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\n;; echo dork: \Powered by XMB\\n\n; /* works regardless of php.ini

SendCard = 3.4.0 unauthorized administrative access / remote commands execution

2006-08-03 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo SendCard = 3.4.0 unauthorized administrative access / remote commands\n; echo execution exploit\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\n;; echo dork: \Powered by sendcard - an advanced PHP e-card program\\n\n

ATutor = 1.5.3.1 'links' blind SQL injection / admin credentials disclosure

2006-07-31 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo ATutor = 1.5.3.1 'links' blind SQL injection / admin credentials disclosure\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\n;; echo dork, version specific: \Web site engine's code is copyright\ \2001-2006 ATutor

PHP ip2long() function circumvention

2006-07-29 Thread rgod
mysql_error(); if($res and mysql_num_rows($res)0) return TRUE; else return FALSE; } 1.05 29/07/2006 rgod http://retrogod.altervista.org/php_ip2long.htm

Etomite CMS = 0.6.1 'rfiles.php' remote command execution

2006-07-26 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo Etomite CMS = 0.6.1 'rfiles.php' remote command execution\r\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\r\n;; echo google dork: \Content managed by the Etomite Content Management System\\r\n\r\n; /* works

LoudBlog =0.5 Sql injection

2006-07-21 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo LoudBlog = 0.5 'id' SQL injection / admin credentials disclosure\r\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\r\n;; echo a dork: \Powered by LoudBlog\\r\n\r\n; /* works regardless of magic_quotes_gpc settings

ToendaCMS = 1.0.0 arbitrary file upload

2006-07-18 Thread rgod
just modified the geeklog one to work against toenda, poc: http://retrogod.altervista.org/toenda_100_shizouka_xpl.html

MyBulletinBoard (MyBB) 1.1.5 'CLIENT-IP' sql injection

2006-07-15 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo MyBulletinBoard (MyBB) = 1.1.5 'CLIENT-IP' SQL injection / create new admin exploit\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\n;; echo dork, version specific: \Powered By MyBB\ \2006 MyBB Group\\n\n; /* works

flatnuke = 2.5.7 arbitrary php file upload

2006-07-13 Thread rgod
rgod site: http://rgod.altervista.org mail: rgod @ autistici.org original url: http://retrogod.altervista.org/flatnuke257_adv.html

PHORUM 5 arbitrary local inclusion

2006-07-13 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo PHORUM 5 arbitrary local inclusion exploit\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\n;; echo dork: \This forum powered by Phorum.\\n\n; /* works with: register_globals=On magic_quotes_gpc=Off */ if ($argc6

phpbb 3.x sql injection (with global moderator rights)

2006-07-13 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo PhpBB 3 memberlist.php/'ip' argument SQL injection / admin credentials disclosure\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\n;; echo dork, version specific: \Powered by phpBB * 2002, 2006 phpBB Group\\n\n

PAPOO =3RC3 sql injection / admin credentials disclosure

2006-07-08 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo PAPOO = 3_RC3 SQL injection / admin credentials disclosure\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\n;; echo dork: \Help * Contact * Imprint * Sitemap\ | \powered by papoo\ | \powered by cms papoo\\n\n

Pivot =1.30rc2 privilege escalation / remote commands execution

2006-07-07 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo Pivot = 1.30 RC2 privileges escalation / remote commands execution exploit\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\n;; echo dorks: \Powered byPivot\\n; echo version specific: \Powered byPivot - 1.30 RC2

BLOG:CMS = 4.0.0k sql injection

2006-06-28 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo BLOG:CMS = 4.0.0k sql injection/admin credentials disclosure exploit\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\n;; echo dork: \Powered by BLOG:CMS\|\Powered by blogcms.com\|\2003-2004, Radek Hulán\\n\n

Jaws = 0.6.2 'Search gadget' SQL injection

2006-06-27 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo Jaws = 0.6.2 'Search gadget' SQL injection / admin credentials disclosure\r\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\r\n;; echo dork: \powered by jaws\ | \powered by the jaws project\ | inurl:?gadget=search\r

bitweaver = v1.3 multiple vulnerabilities

2006-06-17 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo bitweaver = v1.3 'tmpImagePath' attachment mod_mime exploit\r\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\r\n;; echo dork: \powered by bitweaver\\r\n\r\n; if ($argc4) { echo Usage: php .$argv[0]. host path cmd

Mambo = 4.6rc1 sql injection

2006-06-17 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo Mambo = 4.6rc1 'Weblinks' blind SQL injection / admin credentials\r\n; echo disclosure exploit (benchmark() vesion)\r\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\r\n;; echo this is called the Sun-Tzu

blur6ex = 0.3.462 'ID' blind sql injection

2006-06-13 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo blur6ex = 0.3.462 'ID' blind SQL injection / admin credentials disclosure\r\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\r\n;; echo dork: \powered by blur6ex\\r\n\r\n; /* works regardless of php.ini settings

Pixelpost = 1-5rc1-2 multiple vulnerabilities

2006-06-04 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo Pixelpost = 1-5rc1-2 privilege escalation exploit\r\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\r\n;; echo dork: pixelpost \RSS 2.0\ \ATOM feed\ \Valid xHTML / Valid CSS\\r\n\r\n; /* works

DotClear = 1.2.4 'blog_dc_path' (php5) arbitrary remote inclusion

2006-06-04 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo DotClear = 1.2.4 prepend.php/'blog_dc_path' arbitrary remote inclusion\r\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\r\n\r\n;; echo dork: \propulsé par DotClear\ \fil atom\ \fil rss\ +commentaires\r\n\r\n

LifeType =1.0.4 'articleId' SQL injection

2006-06-04 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo LifeType = 1.0.4_r3270 SQL injection / admin credentials disclosure\r\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\r\n;; echo dork: \Powered by LifeType\ \RSS 0.90\ \RSS 1.0\ \RSS 2.0\ \Valid XHTML 1.0 Strict

Re: # MHG Security Team --- PHP NUKE All version Remote File Inc.

2006-06-01 Thread rgod
in all mentioned files we have: ... $phpbb_root_path = './../'; require($phpbb_root_path . 'extension.inc'); ... so I would like to see how this can work...

pppBlog = 0.3.8 administrative credentials/system disclosure

2006-05-31 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo pppBlog = 0.3.8 system disclosure exploit\r\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\r\n\r\n;; echo dork: intext:\Powered by pppblog\\r\n\r\n; /* works with: register_globals=On */ if ($argc4) { echo

Drupal = 4.7 attachment/mod_mime remote code execution

2006-05-25 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo Drupal = 4.7 attachment mod_mime poc exploit\r\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\r\n\r\n;; /* this works with a user account with upload rights and with permissions to modify stories, however

Wordpress =2.0.2 'cache' shell injection

2006-05-25 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo \r\n; echo | WordPress = 2.0.2 'cache' shell injection exploit |\r\n; echo | by rgod [EMAIL PROTECTED] |\r\n; echo | site: http

Nucleus CMS = 3.22 arbitrary remote inclusion

2006-05-23 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo Nucleus = 3.22 arbitrary remote inclusion exploit\r\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\r\n\r\n;; echo this is called the \deadly eyes of Sun-tzu\\r\n; echo dork: Copyright . Nucleus CMS v3.22 . Valid

XOOPS = 2.0.13.2 'xoopsOption[nocommon]' exploit

2006-05-22 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo XOOPS = 2.0.13.2 'xoopsOption[nocommon]' exploit\r\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\r\n\r\n;; /* works with: magic_quotes_gpc = Off register_globals = On */ if ($argc4) { echo Usage: php

PHP-Fusion = 6.00.306 srch_where SQL injection / admin credentials disclosure

2006-05-16 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo PHP-Fusion = v6.00.306 \srch_where\ SQL Injection/Admin credentials disclosure\r\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\r\n\r\n;; if ($argc5) { echo Usage: php .$argv[0]. host path user pass OPTIONS\r\n

DeluxeBB = v1.06 attachment mod_mime exploit

2006-05-16 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo DeluxeBB = v1.06 attachment mod_mime exploit\r\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\r\n;; echo tested working against a fresh deluxebb installation\r\n\r\n; if ($argc4) { echo Usage: php .$argv[0]. host

PhpBB = 2.0.20 Admin/Restore Database remote cmmnds xctn (works with admin sid)

2006-05-15 Thread rgod
an admin or whoever succeeds in finding admin sid is able to launch commands, advisory/poc exploit: http://retrogod.altervista.org/phpbb_2020_admin_xpl.html

Sugar Suite Open Source = 4.2 OptimisticLock! arbitrary remote inclusion exploit

2006-05-15 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo Sugar Suite Open Source = 4.2 \OptimisticLock!\ arbitrary remote inclusion exploit\r\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\r\n\r\n;; echo this is called the \five claws of Sun-tzu\\r\n\r\n; if ($argc5

Unclassified NewsBoard = 1.6.1 patch 1 ABBC[Config][smileset] arbitrary local inclusion

2006-05-11 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo Unclassified NewsBoard = 1.6.1 patch 1 ABBC[Config][smileset] arbitrary\r\n; echo local inclusion\r\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\r\n\r\n;; echo works with register_globals = On magic_quotes_gpc

PHPFusion = v6.00.306 avatar mod_mime arbitrary file upload local inclusion vulnerabilities

2006-05-08 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo PHPFusion = v6.00.306 avatar mod_mime arbitrary file upload \r\n; echo local inclusion vulnerabilities\r\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\r\n\r\n;; if ($argc6) { echo Usage: php .$argv[0]. host path

PHPSurveyor = 0.995 'save.php/surveyid' remote cmmnds xctn

2006-04-20 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo \r\n; echo * PHPSurveyor = 0.995 'save.php/surveyid' remote cmmnds xctn *\r\n; echo * by rgod [EMAIL PROTECTED] site: http://retrogod.altervista.org *\r\n; echo * a special tnX

PCPIN Chat = 5.0.4 login/language remote cmmnds xctn

2006-04-19 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo PCPIN Chat = 5.0.4 \login/language\ remote cmmnds xctn\r\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\r\n\r\n;; echo - works with magic_quotes_gpc = Off\r\n; echo dork: \powered by PCPIN.com\\r\n\r\n; if ($argc4) { echo

- PHPGraphy = 0.9.11 editwelcome unauthorized access / cross site scripting -

2006-04-17 Thread rgod
temporary patch - replace this line: ... if ($updwelcome isset($welcomedata) check_welcome($dir)) { ... with: ... if ($admin $updwelcome isset($welcomedata) check_welcome($dir)) { ... rgod site: http

osCommerce extras/ information/source code disclosure

2006-04-14 Thread rgod
intext:mysql.php -display rgod site: http://retrogod.altervista.org mail: rgod at autistici.org original advisory: http://retrogod.altervista.org/oscommerce_22_adv.html

Simplog =0.9.2 multiple vulnerabilities

2006-04-12 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo Simplog = 0.9.2 \s\ remote cmmnds xctn\r\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\r\n\r\n;; echo dork: intext:\Powered by simplog\\r\n\r\n; if ($argc5) { echo Usage: php .$argv[0]. host path location cmd OPTIONS\r\n

PHPMyChat 0.15.0dev SYS enter remote commands xctn (not properly patched from previous versions)

2006-04-09 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on ? echo PHPMyChat 0.15.0dev \SYS enter\ remote cmmnds xctn 0day (again)\r\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\r\n\r\n;; echo - works with magic_quotes_gpc=Off\r\n\r\n; echo dork: intext:\2000-2001 The phpHeaven Team

ReloadCMS = 1.2.5stable Cross site scripting / remote command execution

2006-04-03 Thread rgod
statistics through the administration panel, javascript will run Once grab.php script captures admin cookie, the script itself can upload a shell through file manager, launch commands and write output to a logfile also, inside cookies, there is admin MD5 password hash rgod mail: [EMAIL PROTECTED] site

PHP-Stats = 0.1.9.1 remote commands execution

2006-03-04 Thread rgod
database table_prefix, making easier the exploitation process... rgod site: http://retrogod.altervista.org mail: rgod at autistici.org original advisory: http://retrogod.altervista.org/php_stats_0191_adv.html

4images =1.7.1 remote code execution

2006-03-01 Thread rgod
rgod site: http://retrogod.altervista.org mail: rgod at autistici.org original advisory: http://retrogod.altervista.org/4images_171_adv.html

NOCC Webmail = 1.0 multiple vulnerabilities

2006-02-23 Thread rgod
# # # # coded by rgod # # site: http://retrogod.altervista.org

Coppermine Photo Gallery =1.4.3 remote code execution

2006-02-18 Thread rgod
settings full proof of concept exploit for i) at this url: http://retrogod.altervista.org/cpg_143_incl_xpl.html rgod site: http

PHPKIT = 1.6.1r2 arbitrary local/remote inclusion (unproperly patched in previous versions)

2006-02-16 Thread rgod
# # coded by rgod # #site: http://retrogod.altervista.org # # # # - works with allow_url_fopen

DocMGR = 0.54.2 arbitrary remote inclusion

2006-02-13 Thread rgod
# # # # DocMGR = 0.54.2 remote commands execution exploit # # coded by rgod # # site: http://retrogod.altervista.org

EGS Enterprise Groupware System 1.0 rc4 remote commands execution FlySpray 0.9.7 remote commands execution

2006-02-13 Thread rgod
# # coded by rgod # # site: http://retrogod.altervista.org # # # # - works against PHP5

Linpha = 1.0 multiple arbitrary local inclusion

2006-02-11 Thread rgod
scripts...) rgod site: http://retrogod.altervista.org mail: rgod at autistici org original advisory: http://retrogod.altervista.org/linpha_10_local.html

runCMS = 1.3a2 possible remote code execution through the integrated FCKEditor package

2006-02-10 Thread rgod
) -- rgod site: http://retrogod.altervista.org mail: rgod at autistici org --

CPGNuke Dragonfly 9.0.6.1 remote commands execution through arbitrary local inclusion

2006-02-09 Thread rgod
) - # # coded by rgod # #site: http://retrogod.altervista.org # # # # - this works regardless

LoudBlog = 0.4 arbitrary remote inclusion

2006-02-04 Thread rgod
# # # # LoudBlog 0.4 remote commands execution # # coded by rgod # #site: http://rgod.altervista.org