http://www.vfocus.net/art/index.html 安全文章 zh-cn CopyRight&nbsp;&copy;&nbsp;2002-2008 <a href="/" target=_blank title=":::VITTERSAFE危特网安:::">VFocuS.Net</a> All Rights Reserved webmaster@mail.securitycn.net http://www.vfocus.net/art/20081121/4145.html Discuz! Reset User Password Vulnerabilityauthor: 80vul-A/80vul-Bteam:http://www.80vul.com由于Discuz! 的随机数使用的播种缺陷,在找会用户密码时可以暴力得到id的随机hash,从而导致容易修改用户密码的严重漏洞.一 分析暂缺[将在pstzine3上详细介绍这个问题,有兴趣 2008-11-21 Exploits 80vul-A http://www.80vul.com http://www.vfocus.net/art/20081121/4144.html /* * original release: http://vnull.pcnet.com.pl/blog/?p=92 * * ora_dv_mem_off.c version 0x1 * ORACLE Database Vault runtime disabler (x86_32 Linux only) * AKA give_back_the_freedom * by Jakub 'vnull' Wartak jakub.wartak@gmail.com 26.02.2008 * 0-day 2008-11-21 Exploits Jakub jakub.wartak@gmail.com http://www.vfocus.net/art/20081121/4143.html /* ----------------------------- * Author = Mx * Title = vBulletin 3.7.3 Visitor Messages XSS/XSRF + worm * Software = vBulletin * Addon = Visitor Messages * Version = 3.7.3 * Attack = XSS/XSRF - Description = A critical vulnerability exists in the n 2008-11-21 Exploits Mx www.vfcocus.net http://www.vfocus.net/art/20081121/4142.html ?php /*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* PHP-Fusion 7.00.1 (messages.php) Remote SQL Injection Exploit requires magic_quotes == off coded by irk4z[at]yahoo.pl homepage: http://irk4z.wordpress.com greets: all 2008-11-21 Exploits irk4z http://irk4z.wordpress.com http://www.vfocus.net/art/20081121/4141.html ?php /* ============================================================================== _ _ _ _ _ _ / | | | | / | | | | / _ | | | | / _ | |_| | / ___ | |___ | |___ / ___ | _ | IN THE NAME OF /_/ _ |_____| |_____| /_/ _ |_| |_| ======== 2008-11-21 Exploits G4N0K mail.ganok[at]gmail.com http://www.vfocus.net/art/20081121/4140.html #!/usr/bin/perl =about PunBB (PunPortal 0.1) Local File Inclusion Exploit -------------------------------------------------- by athos - staker[at]hotmail[dot]it download mod http://www.punres.org/download.php?id=1108 download cms http://punbb.org reg 2008-11-21 Exploits athos staker[at]hotmail[dot]it http://www.vfocus.net/art/20081121/4139.html !-- Exodus v0.10 remote code execution exploit by Nine:Situations:Group::strawdog This uses the -l argument to overwrite a file inside Microsoft Help and Support Center folders (oh rgod...) Firstly run netcat in listen mode to drop the vbscript shell 2008-11-21 Exploits strawdog Nine:Situations:Group::strawdog http://www.vfocus.net/art/20081120/4138.html #!/usr/bin/perl # Name: wPortfolio = 0.3 Arbitrary File Upload Exploit # Script Name: wPortfolio 0.3 # Download: http://sourceforge.net/project/downloading.php?group_id=244834use_mirror=kentfilename=wPortfolio.zip80791070 # Vulnerability: Arbitrary F 2008-11-20 Exploits Osirys osirys[at]live[dot]it http://www.vfocus.net/art/20081120/4137.html #define _WIN32_WINNT 0x0600#define WIN32_LEAN_AND_MEAN#include windows.h#include winsock2.h#include ws2ipdef.h#include iphlpapi.h#include stdio.h#include stdlib.hint main(int argc, char** argv){ DWORD dwStatus; MIB_IPFORWARD_ROW2 route; if (argc != 2008-11-20 Exploits Unterleitner t.unterleitner_(at)_phion.com http://www.vfocus.net/art/20081120/4136.html #!/usr/bin/perl =about MauryCMS = 0.53.2 Remote Shell Upload Exploit ---------------------------------------------- by athos - staker[at]hotmail[dot]it download on http://cms.maury91.org thnx Osirys =cut use strict; use warnings; use LWP::UserAgent; 2008-11-20 Exploits athos staker[at]hotmail[dot]it http://www.vfocus.net/art/20081120/4135.html ?php /** * * MyTopix = 1.3.0 (notes send) Remote SQL Injection Exploit * Bug discovered exploited by cOndemned * * Desc : *In order to exploit this vulnerability user have to *be logged on the forum, so I'd decided to write this *exploit x] * * Greet 2008-11-20 Exploits cOndemned www.vfcocus.net http://www.vfocus.net/art/20081120/4134.html ?php error_reporting(0); ini_set(default_socket_timeout,5); /* PunBB (Private Messaging System 1.2.x) Multiple LFI Exploit ----------------------------------------------------------- by athos - staker[at]hotmail[dot]it download mod http://www.punres. 2008-11-20 Exploits athos staker[at]hotmail[dot]it http://www.vfocus.net/art/20081118/4133.html html titleChilkatSocket.DLL Arbitrary File Creation/titlebrbr body Company Name : Chilkat Software, Inc.brbr Vulnerable DLL : ChilkatSocket.DLLbrbr DLL's version : 2,3,1,1brbr Object Safety Report : br Report for Clsid: {474FCCCD-1B89-4D34-9E09-45807 2008-11-18 Exploits Underz0ne http://www.underz0ne.org http://www.vfocus.net/art/20081118/4132.html ?php /** * FREEze Greetings 1.0 Remote Password Retrieve Exploit * Exploit by cOndemned * * Greetz : suN8Hclf, 0in, m4r1usz, str0ke, rtgn, doctor, sid.psycho [...] * Special thx to ZaBeaTy for developing such a sexy regexp ;) Thx m8 */ echo Header [~ 2008-11-18 Exploits cOndemned www.vfcocus.net http://www.vfocus.net/art/20081118/4131.html html headtitleuh?/title/head body script // k`sOSe 11/15/2008 // tested on Windows XP SP3, opera 9.62 international version // vulnerability found by send9 // there are many ways to achieve code execution, tons of function pointers to overwrite. // m 2008-11-18 Exploits k`sOSe www.vfcocus.net http://www.vfocus.net/art/20081117/4130.html ==Ph4nt0m Security Team== Issue 0x02, Phile #0x04 of 0x0A |=---------------------------------------------------------------------------=| |=-----------------------=[ 浅析浏览器的跨域安全问题 ]=----------------------=| |=----------------------------- 2008-11-17 漏洞资料 ayh4c rayh4c_at_80sec.com http://www.vfocus.net/art/20081117/4129.html #!/usr/bin/env python ############################################################################# # MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled) # www.hackingspirits.com # www.coffeeandsecurity.com # Email: d3basis.m0hanty @ gmail.com ### 2008-11-17 Exploits Mohanty www.hackingspirits.com http://www.vfocus.net/art/20081117/4128.html ?php set_time_limit(0); function find_pass($data){ $pass = explode('$adminpass = ',$data); if($pass[1]!=){ echo(Vuln exploited enjoy !n); sleep(1); echo(Admin hash == [.substr($pass[1],0,32).]n); } else{ echo(Exploit failed!!!!); } } function __sen 2008-11-17 Exploits Luja www.vfcocus.net http://www.vfocus.net/art/20081117/4127.html #!/bin/sh #* Sudo = 1.6.9p18 local r00t exploit #* by Kingcope/2008/www.com-winner.com # # Most lame exploit EVER! # # Needs a special configuration in the sudoers file: # --- Defaults setenv so environ vars are preserved :) --- # # May also need the 2008-11-17 Exploits Kingcope www.com-winner.com http://www.vfocus.net/art/20081117/4126.html !-- VeryPDF PDFView OCX ActiveX OpenPDF Heap Overflow Discovered Written By: r0ut3r (writ3r [at] gmail.com / www.bmgsec.com.au) Advisory: http://www.bmgsec.com.au/advisory/39/ --------------------------------------------------- Tested on: WinXP Pro S 2008-11-17 Exploits r0ut3r www.bmgsec.com.au http://www.vfocus.net/art/20081115/4124.html #!/usr/bin/perl =starting -------------------------------------------------------- SlimCMS = 1.0.0 (edit.php) Remote SQL Injection Exploit -------------------------------------------------------- by athos - staker[at]hotmail[dot]it download on source 2008-11-15 Exploits athos staker[at]hotmail[dot]it http://www.vfocus.net/art/20081115/4123.html #!/usr/bin/php?php/** * Discuz! 6.x/7.x SODB-2008-13 Exp * By www.80vul.com * 文件中注释的变量值请自行修改 */$host = 'www.80vul.com';// 服务器域名或IP$path = '/discuz/';// 程序所在的路径$key = 0;// 上面的变量编辑好后，请将此处的值改为1if (strpos($ho 2008-11-15 Exploits 80vul www.80vul.com http://www.vfocus.net/art/20081115/4122.html -----------[ C Source Code ]----------- /* Smallest GNU/Linux x86 setuid(0) execve(/bin/sh,0,0) Shellcode without NULLs Coded by Chema Garcia (aka sch3m4) + sch3m4@opensec.es + http://opensec.es Shellcode Size: 27 bytes Date: 13/11/2008 */ #include 2008-11-15 Exploits sch3m4 http://opensec.es http://www.vfocus.net/art/20081114/4121.html #!/usr/bin/perl =about MemHT 4.0.1 Perl exploit AUTHOR discovered written by Ams ax330d [doggy] gmail [dot] com VULN. DESCRIPTION: Due to weak params filtering we are able to make SQL-Injection. So, 1. Look at 'inc/ajax/ajax_rating.php', line ~ 29. I 2008-11-14 Exploits Ams ax330d [doggy] gmail [dot] com http://www.vfocus.net/art/20081113/4119.html /* MS08-067 Remote Stack Overflow Vulnerability Exploit Author: Polymorphours Email: Polymorphours@whitecell.org Homepage:http://www.whitecell.org Date: 2008-10-28 */ #include stdafx.h #include winsock2.h #include Rpc.h #include stdio.h #include stdl 2008-11-13 Exploits Polymorphours http://www.whitecell.org http://www.vfocus.net/art/20081113/4118.html #!usr/bin/perl -w ################################################################################################################ # Buffer overflow in the __snprint_value function in snmp_get in Net-SNMP 5.1.4, 5.2.4, and 5.4.1, # as used in SNMP.xs 2008-11-13 Exploits praveen praveen[underscore]recker[at]sify.com http://www.vfocus.net/art/20081113/4117.html #!usr/bin/perl -w ################################################################################################################ # Stack-based buffer overflow in the Network Manager in Castle Rock Computing SNMPc 7.1 and # earlier allows remote att 2008-11-13 Exploits praveen praveen[underscore]recker[at]sify.com http://www.vfocus.net/art/20081112/4116.html #include sys/socket.h #include sys/un.h #include unistd.h #include assert.h #include err.h #include stdlib.h static int own_child(int *us) { int pid; int s[2]; struct msghdr mh; char crap[1024]; struct iovec iov; struct cmsghdr *c; int *fd; int rc; p 2008-11-12 Exploits Bittau www.vfcocus.net http://www.vfocus.net/art/20081112/4115.html vnsecurity.net ADVISORY 2008-11 =============================== :Title: Buffer overflows in smcFanControl 2.1.2 for OSX :Severity: Critical :Reporter: KaiJern, Lau ( kjlau at vnsecurity.net) :Products: smcFanControl 2.1.2 :OS: OSX :Fixed in: to be re 2008-11-12 Exploits kjlau kjlau at vnsecurity.net http://www.vfocus.net/art/20081112/4114.html ?php /* ooVoo 1.7.1.35 (URL Protocol) remote unicode buffer overflow poc by Nine:Situations:Group::bruiser tested against IE8b/xp sp3 9sg site: http://retrogod.altervista.org/ software site: http://www.oovoo.com/ description: ooVoo is a startup video 2008-11-12 Exploits retrogod http://retrogod.altervista.org/ http://www.vfocus.net/art/20081111/4113.html 我的一个朋友告诉我，说他们在访问自己公司网站时，出来一大堆东西，而且杀毒软件还提示网页存在病毒， 我的第一感觉就是公司服务器被人入侵了。 （一）网站挂马检测和清除 1.使用软件嗅探被挂马页面 朋友将远程终端和公司网站名称告诉我后，我首先在虚拟机中使用URLSno 2008-11-11 网络安全 陈小兵 51CTO.com http://www.vfocus.net/art/20081110/4112.html ? print_r ( ' -------------------------------------------------------------------------------- Phpcms2007(wenba)blindSQLinjection/admincredentialsdisclosureexploit BYoldjun[S.U.S](http://www.oldjun.com) ---------------------------------------------- 2008-11-10 Exploits oldjun http://www.oldjun.com http://www.vfocus.net/art/20081110/4111.html Discuz! ___FCKpd___0 DCACHE数组变量覆盖漏洞author: ryat_at_www.wolvez.orgteam:http://www.80vul.com由于Discuz! 的wapindex.php调用Chinese类里Convert方法在处理post数据时不当忽视对数组的处理,可使数组被覆盖为NULL.当覆盖 ___FCKpd___0 DCACHE时导致导致xss 2008-11-10 漏洞资料 ryat www.wolvez.org http://www.vfocus.net/art/20081110/4110.html 一个月前看了看了dedecms代码（只看了plus下的文件），发现有些变量人为控制没有过滤，但是在php的魔法引号这道天然屏障面前利用几率不好 但是联想到gbk的宽字符，突破方法就有了 漏洞文件：plus/infosearch.php 测试版本：5.1 gbk 描述：$q变量没有过滤直接进入查询， 2008-11-10 漏洞资料 tojen www.tojen.cn http://www.vfocus.net/art/20081110/4109.html Author : sudami [ sudami@163.com ] Time : 01-11-2008 Links : http://hi.baidu.com/sudami 内核注入 ，技术古老但很实用。现在部分 RK 趋向无进程 , 玩的是 SYS+DLL ，有的无文件，全部存在于内存中。可能有部分人会说：都进内核了 . 什么不能干？。是啊，要是内核 2008-11-10 入侵实例 sudami http://hi.baidu.com/sudami http://www.vfocus.net/art/20081110/4108.html 文章作者：a1pass [E.S.T] 信息来源：邪恶八进制信息安全团队（ www.eviloctal.com ） 原始出处： http://a1pass.blog.163.com/ 文章备注：本文发表于《黑客X档案》08年第5期，与原文有少许出入。 现在的黑客攻击手法中，跨站挂马似乎正在逐渐成为攻击的主流话题，鉴于 2008-11-10 入侵实例 a1pass www.eviloctal.com http://www.vfocus.net/art/20081110/4107.html #!/usr/bin/perl use LWP::UserAgent; use Getopt::Long; if(!$ARGV[1]) { system(Title Kosova Hackers Group by boom3rang); print n; print #######################################################################n; print # Mambo Component n-form(form_id) 2008-11-10 Exploits boom3rang www.khg-crew.ws http://www.vfocus.net/art/20081110/4106.html #!/usr/bin/perl =about MemHT Portal = 4.0 Perl exploit AUTHOR: Discovered and written by Ams ax330d [doggy] gmail [dot] com DESCRIPTION: Here we are able to make SQL-injection due to weak filtering. So, look at inc/inc_header.php lines ~ 74, where hi 2008-11-10 Exploits Ams ax330d [doggy] gmail [dot] com http://www.vfocus.net/art/20081110/4105.html ## # $Id: rtipsniff.rb ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http 2008-11-10 Exploits hdm http://metasploit.com http://www.vfocus.net/art/20081110/4104.html #!/usr/bin/perl # VLC Media Player 0.9.6 .RT File Buffer Overflow (Stack Based) # --------------------------------------------------------------- # Exploit by SkD skdrat@hotmail.com # # This should work on a fully up-to-date Windows XP SP3. If you wa 2008-11-10 Exploits SkD skdrat@hotmail.com http://www.vfocus.net/art/20081107/4103.html ?php error_reporting(0); ini_set(default_socket_timeout,5); /* e-Vision = 2.0.2 Multiple Local File Inclusion Exploit ------------------------------------------------------- by athos - download http://sourceforge.net --------------------------------- 2008-11-07 Exploits StAkeR StAkeR[at]hotmail[dot]it http://www.vfocus.net/art/20081106/4102.html #!/usr/bin/perl # # @title: Simple Machines Forum Code Execution # @versn: * = 1.1.6 # @authr: ~elmysterio ( a.k.a us ) # @stats: DROPPED!!!!!!! # @descp: In loving memory of the rare bone marrow disease that killed rgod. # We can't thank you enough 2008-11-06 Exploits elmysterio www.vfcocus.net http://www.vfocus.net/art/20081106/4101.html Adobe Reader Javascript Printf Buffer Overflow Exploit =========================================================== Reference: http://www.coresecurity.com/content/adobe-reader-buffer-overflow CVE-2008-2992 Thanks to coresecurity for the technical back 2008-11-06 Exploits Mohanty www.hackingspirits.com http://www.vfocus.net/art/20081106/4100.html ?php error_reporting(0); ini_set(default_socket_timeout,5); set_time_limit(0); /* --------------------------------------------------- PHP X 3.5.16 (news_id) Remote SQL Injection Exploit --------------------------------------------------- By StAkeR[at 2008-11-06 Exploits StAkeR StAkeR[at]hotmail[dot]it http://www.vfocus.net/art/20081105/4099.html Discuz! 路径信息泄露 bugauthor: 80vul-Ateam:http://www.80vul.com一 分析目录uc_clientdatacache,forumdatacache等下面的文件里对如: ___FCKpd___0 CACHE['settings'] = array ( 'accessemail' = '', 'censoremail' = '', 'censorusername' = '', 'dateformat 2008-11-05 漏洞资料 80vul-A www.80vul.com http://www.vfocus.net/art/20081105/4098.html Discuz! member.php xss bugauthor: 80vul-Bteam:http://www.80vul.com一 分析member.php代码:if(!empty($listgid) ($listgid == intval( ___FCKpd___0 GET['listgid']))) {//这里用的等于[==]而不是全等[===]进行的比较,且$listgid并没有初始化:)$type = $adminid == 2008-11-05 漏洞资料 80vul-B www.80vul.com http://www.vfocus.net/art/20081105/4097.html ?php # # Simple Machines Forum (SMF) 1.1.6 Remote Code Execution Exploit # Credits: Charles FOL charlesfol[at]hotmail.fr # URL: http://real.olympe-network.com/ # # Note: other versions are maybe vulnerable, not tested. # # SMF suffers from multiples 2008-11-05 Exploits Charles charlesfol[at]hotmail.fr http://www.vfocus.net/art/20081105/4096.html ?php error_reporting(0); /* ------------------------------------------------------ TR News = 2.1 (login.php) Remote Login ByPass Exploit ------------------------------------------------------ By StAkeR[at]hotmail[dot]it http://www.easy-script.com/scr 2008-11-05 Exploits StAkeR StAkeR[at]hotmail[dot]it http://www.vfocus.net/art/20081104/4095.html Discuz! adminrunwizard.inc.php get-webshell bugauthor: 80vul-Ateam:http://www.80vul.com由于Discuz!的adminrunwizard.inc.php里saverunwizardhistory()写文件操作没有限制导致执行代码漏洞.一 分析在文件adminrunwizard.inc.php里代码:$runwizardhistory = arr 2008-11-04 漏洞资料 80vul-A www.80vul.com http://www.vfocus.net/art/20081104/4094.html Discuz! modcp/moderate.inc.php 数据库注射bugauthor: 80vul-Bteam:http://www.80vul.com一 分析在文件modcpmoderate.inc.php里代码:require_once DISCUZ_ROOT.'./include/discuzcode.func.php';require_once DISCUZ_ROOT.'./include/attachment.func.php';$ppp = 10 2008-11-04 漏洞资料 80vul-B www.80vul.com